Monthly Archives: April 2015

Microsoft addresses 26 vulnerabilities, some critical, on Patch Tuesday- 4-14-15

Microsoft addressed 26 vulnerabilities in 11 bulletins for its monthly Patch Tuesday release, and four of the bulletins are deemed critical.

In a Tuesday blog post, Wolfgang Kandek, CTO of Qualys, wrote that the critical Office bulletin should be the highest priority because it addresses five remote code execution vulnerabilities, including a zero-day bug.

“CVE-2015-1641 is that 0-day and is currently under limited attacks in the wild on Word 2010,” Kandek wrote. “It applies equally to Word 2007, 2012 and even to Word 2011 on the Mac. Microsoft rates it only “important” because the exploit requires the user to open a malicious file.”

Two other critical remote code execution vulnerabilities addressed in the Office bulletin are CVE-2015-1649 and CVE-2015-1651, which Kandek wrote are triggered in Office 2007 and Office 2010 by simply looking at an email in the Outlook preview pane.

Another critical bulletin addresses a vulnerability in the HTTP protocol stack – CVE-2015-1635 – that can enable remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system, according to a Tuesday release. Windows 7, Windows 8 and 8.1, Windows Server 2008 R2, and Windows Server 2012 and Windows Server 2012 R2 are affected.

“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account,” Kandek wrote, adding it is easy to execute. “The attacker would then use an exploit for a second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code.”

The critical Internet Explorer bulletin – a cumulative security update for the browser – addresses 10 vulnerabilities, nine of which are critical, and the most severe of which can enable remote code execution, the release indicates.

“All versions of Internet Explorer from IE6 on Windows 2003 to IE11 on the latest Windows 8.1 are affected,” Kandek wrote. “The attacker needs the user to open a malicious webpage. Common ways to do so are sending links through email and gaining control of a website that the user habitually browses to.”

The final critical bulletin addresses a vulnerability – CVE-2015-1645 – that can allow for remote code execution if a user browses to a specially crafted website, opens a specially crafted file, or browses to a working directory containing a specially crafted Enhanced Metafile image file, the release indicated. Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008 and Windows Server 2008 R2 are affected.

The remaining bulletins address elevation of privilege, security feature bypass, information disclosure, and denial-of-service vulnerabilities – affecting SharePoint, .NET Framework and more – that are deemed important.


Via: scmagazine

Darwin Nuke vulnerability allows DoS in OS X 10.10 and iOS devices

A vulnerability, dubbed “Darwin Nuke,” can expose OS X 10.10 and iOS 8 devices to remotely activated denial of service attacks (DoS), research from Kaspersky Lab has revealed.

Discovered in 2014 in the kernel of the operating systems’ Darwin open source component, the vulnerability had the potential to damage devices and corporate networks, according to a Securelist blog post.

The vulnerability, which Apple has since patched, “is connected with the processing of an IP packet that has a specific size and invalid IP options.” A single incorrect network packet sent to the victim will crash the system, the blog post said.

While routers and firewalls “usually drop incorrect packets with invalid option sizes,” Kaspersky researchers “discovered several combinations of incorrect IP options that are able to pass through the Internet routers,” Anton Ivanov, senior malware analyst at Kaspersky Lab stated.

Via: scmagazine


Banking threat Emotet expands target list, evades two-factor auth

Kaspersky researchers have analyzed the latest updates to banking malware, called Emotet – which has primarily been used to target online banking customers throughout Europe through social engineering.

In a Thursday blog post, Kaspersky researcher Alexey Shulmin published a detailed analysis of the malware’s evolution, since its appearance last summer. In June 2014, Trend Micro discovered the threat and noted that it was spread via spam emails making the rounds in Germany. But, since then, Emotet has reportedly expanded to targeting clients of Swiss banks, as well as customers in Austria and other countries throughout Europe.

To date, the banking malware has several modules used to target victims – a loader module, as well as ones allowing distributed denial-of-service (DDoS) attacks, spamming and modifying HTTPS traffic, Shulmin wrote. In addition, Emotet employs an Outlook “grabber” function (for stealing victims’ Microsoft Outlook address books and transferring the information to the criminals’ server) and also uses a legitimate program, called Mail PassView, to target email account data.

Mail PassView is used for recovering forgotten passwords and mail accounts, Shulmin wrote.

Particularly interesting capabilities of the new variant include its detection of virtual machines – an indication that researchers may be analyzing the malware.

“The trojan tries to contact [a list of command center] addresses if it detects that it is being run in a virtual machine,” Shulmin explained. “But none of the addresses correspond to the bot’s command centers, and the bot is therefore unsuccessful in trying to establish contact with them. This is probably done to confuse any investigators and give them the impression that the trojan command centers are dead.  A similar approach was used previously in the high-profile banking trojan Citadel.”

Emotet authors have also modified the malware so that it can evade two-factor authentication measures put in place by banks. The trojan now uses web injects to display spurious alerts to victims during online banking sessions. The message asks the user to enter a Chip TAN or SMS TAN to carry out a “test transfer.” Instead, the “malicious script carries out a real transfer of money from the victim’s account to the account of a nominated person – the so-called ‘drop,’ and the user themselves confirms this transfer using the Chip TAN or SMS TAN,” Shulmin explained.

Despite the malware’s latest tricks, however, Shulmin noted that the malware “cannot function effectively without the participation of the users” given the attackers’ reliance on social engineering to complete their scams.

The researcher added that AV (capable of detecting the latest variants of the threat) should help to prevent resulting fraud in these malware attacks.

“And so the alertness and technical awareness of the user, together with the use of a modern anti-virus program can provide reliable protection against, not only Emotet, but other new banking threats working in a similar way,” Shulmin said.


Via: scmagazine

18-year-old SMB vulnerability resurfaces, dozens of vendors affected

New methods expand the attack surface to applications and software beyond Windows.

SPEAR, the research team at Cylance, has discovered new attack vectors for an 18-year-old vulnerability in Windows Server Message Block (SMB). The updated attack vector, called Redirect to SMB, impacts products from Microsoft, Apple, Adobe, Symantec, Box, Oracle, and more.

In 1997, Aaron Spangler discovered a bug in Internet Explorer that allowed attackers to steal credentials by exploiting a feature in the SMB protocol.

SMB is a core component in Windows networking, and is enabled by default in all versions of the Windows OS.

Microsoft provided workarounds and difficult-to-implement GPO options after the flaw was initially disclosed, but never fully addressed the underlying problem. As things stand now, unless default settings in Windows are changed, systems remain vulnerable to these types of attack.

An SMB attack is one where a victim is tricked into following a link that causes the browser to authenticate to a remote SMB server (e.g. file://x.x.x.x or \\x.x.x.x\), which results in the attacker obtaining credentials for the user who is currently logged in. The credentials are hashed, but they can be recovered given enough time, usually a few hours thanks to GPU-based cracking.

The Redirect to SMB attack discovered by SPEAR follows the original concepts developed by Spangler, but now the attack can target all vulnerable HTTP/HTTPS requests, including those made by browsers as well as applications attempting to access resources on the Web.

For this updated method to work, attackers would use a Web server under their control, or gain access to network traffic (Man-in-the-Middle) and force the user to authenticate to a rogue server running SMB. For example, online, the attackers could use a 301 or 302 status code, directing the browser to a resource that starts with file://.
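As an added example (not code from the article or from Cylance’s report), the checker below scans constructed proxy-log lines for redirect responses whose Location is a file:// URL or a UNC path, the cross-protocol redirect described above; the log format and the hostnames in the sample are assumptions.

```python
"""Flag HTTP redirects that would point a Windows client at an SMB resource.

Added example (not from the Cylance report or the article): a small check a
defender can run over proxy or HTTP-tracing logs to spot 301/302/307 responses
whose Location is a file:// URL or a UNC path. The log format is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines: "<status> <requested URL> <Location header or ->"
SAMPLE_LOG = """\
302 http://cdn.example.test/update.xml file://10.0.0.5/share/update.xml
200 http://cdn.example.test/ok.xml -
301 http://www.example.test/logo.png \\\\10.0.0.5\\pub\\logo.png
302 http://www.example.test/old http://www.example.test/new
307 http://api.example.test/v1/check FILE://evil.example.test/c$/x
302 http://intranet.example.test/doc file:///C:/Users/Public/doc.html
"""

# A UNC path: two backslashes, a host name, then another backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def is_smb_redirect(location):
    """True when a Location value would make a Windows client speak SMB."""
    if not location:
        return False
    loc = location.strip()
    if UNC_RE.match(loc):
        return True
    parts = urlsplit(loc)          # urlsplit lower-cases the scheme
    if parts.scheme != "file":
        return False
    if parts.netloc:               # file://host/share names a remote host
        return True
    # file:////host/share (four slashes) is also treated as a UNC path,
    # whereas file:///C:/... is a local file and is not flagged.
    return parts.path.startswith("//")


def find_smb_redirects(log_text):
    """Return (status, url, location) for every redirect to an SMB resource."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                # malformed line, skip it
        status, url, location = fields
        if location == "-":
            continue                # no Location header on this response
        if status in REDIRECT_STATUSES and is_smb_redirect(location):
            hits.append((status, url, location))
    return hits


if __name__ == "__main__":
    for status, url, location in find_smb_redirects(SAMPLE_LOG):
        print(f"{status} {url} -> {location}")
```

Run against real proxy logs, a hit from a host that never legitimately redirects to a file share is the signal worth alerting on; the outbound 139/445 block recommended later in the article stops the resulting SMB connection regardless.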

“Abusing network share paths (UNC) to steal and relay Windows credentials has been well-known for almost 20 years,” said HD Moore, Chief Research Officer at Rapid7, in a statement to Salted Hash.

“These techniques are often used by professional attackers (legit or otherwise) to gain initial access to an organization and to escalate privileges once they are on the internal network. Microsoft has provided a number of mitigations that have made these attacks slightly less effective, but overall, it is a design issue that is not likely to be fixed for quite some time.”

So what’s vulnerable?

Internet Explorer has been vulnerable to the direct attack for nearly two decades, but it’s also vulnerable to the Redirect to SMB attack. The WebBrowser object in .NET is also vulnerable.

“If the target is not using Internet Explorer, things get a bit trickier. My favorite way around this is to take a document from the organization’s web site, save it as HTML, add an image link to my SMB server, rename the .HTML as .DOC, and email it as a ‘typo correction’ or ‘sales inquiry’ to various staff. When the users open the .DOC file, Word realizes it’s HTML, and then renders it with Internet Explorer, triggering the outbound connection to the SMB server. If the organization allows VPN access, the stolen/cracked credentials can then be used to access the corporate network,” Moore explained.

URLMon.dll, used by Microsoft and developers to perform various operations on URLs such as downloading files, has four functions that are vulnerable to both the direct attack from 1997 and the newest SMB attack. A fifth function is also vulnerable to the direct attack, but under normal circumstances, it isn’t vulnerable to the Redirect to SMB attack.

“If the application making this request calls one of the affected URLMon APIs, the machine will then make an outbound SMB connection. This significantly increases the effectiveness of man-in-the-middle attacks, even if the user isn’t actively doing anything on the system,” Moore added.

“I did a quick test by enabling HTTP tracing on my laptop, rebooting, and logging in. Over 100 different HTTP requests were made during that process, over half of which were not protected by SSL, and could be used to force an outbound SMB connection by a malicious attacker able to man-in-the-middle my traffic. Just resuming my laptop in a Starbucks would be enough to trigger this issue, which is a significant increase in exposure compared to an attacker having to wait for either Internet Explorer to be used or an outbound SMB connection to be made automatically.”

SPEAR also discovered that XXE (XML External Entities), a feature supported by many XML parsers, could be abused to access a remote resource, which makes it vulnerable to Redirect to SMB.

Their report also includes a list of possible attack vectors that could be leveraged in a Redirect to SMB setting, including direct Man-in-the-Middle, ARP cache poisoning, browser injection, the image preview option in many chat applications, malicious documents, and DNS cache poisoning.

“In cases where you can’t control the user’s behavior (visiting a link or opening an email), you need to be able to control the actual network,” Moore said.

“The problem with this approach is it depends on the user’s machine doing something in order to trigger a SMB authentication. This could be accessing a file share, a printer, or another automated task that triggers a SMB connection. This can be time consuming, since you basically have to wait the user out, or get lucky with a share connection, in order to accomplish this attack through a man-in-the-middle. Unless the user opens Internet Explorer or makes a SMB connection directly, there is no guarantee this attack will be of much use.”

What software / applications are affected?

Widely Used Applications:

  • Adobe Reader
  • Apple QuickTime
  • Apple Software Update (iTunes)

Microsoft Applications:

  • Internet Explorer
  • Windows Media Player
  • Excel 2010
  • Microsoft Baseline Security Analyzer

Antivirus:

  • Symantec’s Norton Security Scan
  • AVG Free
  • BitDefender Free
  • Comodo Antivirus

Security Tools:

  • .NET Reflector
  • Maltego CE

Team Tools:

  • Box Sync
  • TeamViewer

Developer Tools:

  • Github for Windows
  • PyCharm
  • IntelliJ IDEA
  • PHP Storm
  • JDK 8u31’s installer

Mitigation:

“Any known vulnerable functions used by the software need to be replaced with functions that do not support cross protocol redirection…Access to SMB should be direct and filtered by the application. Disallowing any SMB requests outside of the local subnet, or at least requiring user verification, can limit the remote exploitation situations,” wrote Brian Wallace, the researcher who was in charge of this particular SPEAR project, in a paper on the topic.

“TCP port 139 and 445 should be blocked at the outbound firewall. If it is absolutely required that users access external SMB servers, access needs to be restricted as much as possible.”

The research paper also recommends the use of strong passwords, which could help hinder cracking attempts. However, advances in GPU-based password cracking have significantly lowered the time needed to compute NTLMv2 hashes. As such, the paper also recommends that administrators update their password policies over time to reflect the cost of the hardware used to crack passwords.

“The oclHashcat website includes benchmarks for NetNTLMv2 using 8 x AMD R9 290X GPUs (each retails for about $300 to $700). It shows that with roughly $3000 worth of these GPUs, an attacker could make 6.496 billion guesses per second,” Wallace wrote.

“That means during a simple brute-force attack, an attacker would be able to guess every 8 character password consisting of letters (upper and lower case) and numbers in less than 9.5 hours. Given that password renewal policies are often required once a quarter; this gives the attackers a large amount of time to use those passwords.”

A copy of the full report from Cylance is available here.

“The RedirectToSMB attack is not an earth-shattering vulnerability, but it does demonstrate a novel approach to attacking passive client systems through a man-in-the-middle attack. On the surface, this attack doesn’t look like anything new at first, but it significantly increases the exploitability of Windows laptop and tablet users that connect to open WiFi networks. In terms of mitigations, all of the normal advice for preventing outbound SMB authentication applies,” Moore said.

Last year, Rapid7 worked with Microsoft and Palo Alto Networks to come up with specific guidance for protecting service accounts; Moore said that many of those recommendations would apply to this issue as well. A copy of their recommendations is available here.

Via: csoonline


Half of ‘Game of Thrones’ Season 5 Episodes Leaked Online

Four upcoming episodes of the fifth season of the popular television show ‘Game of Thrones’ have been leaked online.

Copies of the episodes first appeared on torrent websites between 9:00 pm and 10:00 pm EDT on Saturday, according to Variety. As of 5:00 pm EDT on Sunday, the episodes had been downloaded approximately 1.7 million times.

At first, the leak prompted fears that HBO had been hacked, which would have recalled last year’s Sony breach in which hackers stole and subsequently leaked intellectual property from Sony Pictures online.

But HBO has since set the record straight.

“Sadly, it seems the leaked four episodes of the upcoming season of ‘Game of Thrones’ originated from within a group approved by HBO to receive them,” the company said in a statement. “We’re actively assessing how this breach occurred.”

The confirmed leaks appear to have originated from a “screener,” or a disc of upcoming episodes that was sent to people for review prior to the episodes being released to the general public.

“These screeners are watermarked and require a legal agreement not to share the material,” explains Ken Westin, Senior Security Analyst at Tripwire. “However, these watermarks can be found and blurred so they cannot be identified when movies are then leaked.”

The digital watermark on the leaked ‘Game of Thrones’ screener has been blurred. Additionally, whereas HBO usually airs the episodes in 720p or 1080p, the leaked episodes are in 480p, a quality suited to standard-definition rather than HD television.

“In many respects the same risks that a movie may go through mirrors that of customer data or other forms of intellectual property, where multiple parties may use the data and it can be passed around and accessed by many different parties,” Westin goes on to note.

News of this leak follows a study from anti-piracy solutions provider Irdeto that names ‘Game of Thrones’ as the world’s most pirated show.

Via: tripwire

One-Man PoS Malware Operation Captures 22,000 Credit Card Details in Brazil

Trend Micro has been able to identify a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this new malware family “FighterPOS”. (The name is derived from BRFighter, the tool used by the author to create this new threat.) This one-man operation has been able to steal more than 22,000 unique credit card numbers.

Its creator appears to have had a long history in carding, payment scams, and malware creation; in addition we believe that this malware author acted independently and without any accomplices or associates. FighterPOS is not cheap. It is currently priced at 18 bitcoins (currently worth around US$5,250). However, its control panel is well-designed and it supports a wide variety of features that may be useful to attackers.

This blog post outlines the behavior of FighterPOS, with more technical details available in our paper entitled FighterPOS: The Anatomy and Operation of a New POS Malware Campaign.

Purchasing

At first glance, the advertisement is not particularly unusual. What piqued our interest was the professional nature of the ad and the malware’s supported features.


Figure 1. Advertisement selling FighterPOS

The control panel and malware is currently being sold for 18.3823 BTCs, or roughly US$5,250. While this may seem expensive, the opportunity to make that money back is relatively easy. The buyer could potentially resell each credit card received right away, or use it at a later time. If the buyer wants an additional executable and panel instance, the author charges an additional US$800.


Figure 2. FighterPOS Control Panel

The author, who went by the username cardexpertdev, clearly stated in the ad that the executable is not fully undetectable (FUD), stating that the individual will need to use a crypting service to ensure the malware is undetectable by antivirus scanners. This is common when PoS malware is created, and crypting services are traditionally required to bypass many defensive security controls.

FighterPOS was not the only product related to credit card fraud that cardexpertdev was selling. He was also selling credit card numbers, EMV chip recorders, and other similar fraud-related products and tools to other cybercriminals.

Victimology

Data obtained from the C&C servers indicate that FighterPOS has infected approximately 113 PoS terminals, more than 90% of which were found in Brazil. Evidence of system infection in other countries, including the United States, Mexico, Italy, and the United Kingdom was also found.


Figure 3. Distribution of FighterPOS-affected machines

Together, the infected systems have sent 22,112 unique credit card dumps for a single month (late February to early April) to the FighterPOS operator. Many of the victims of FighterPOS are users of Linx MicroVix or Linx POS systems – both popular software suites in Brazil.

FighterPOS Functionality

The functionality of FighterPOS is similar to other PoS malware families we’ve seen in the past. It is capable of collecting credit card track 1, track 2, and CVV codes. The malware also contains a RAM scraping functionality, commonly seen in many PoS malware families. Additionally, its keylogger functionality allows the attacker to log all keystrokes on the infected terminal. The code for the RAM scraping functionality is similar to that found in NewPosThings.

Two malware samples that gained our attention were IE.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809, detected as TSPY_POSFIGHT.SM) and IEx.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809), which both connect to the C&C server located at hxxp://ctclubedeluta.org/.

Both of the samples are written in Visual Basic 6. Although Visual Basic 6 is considered outdated and antiquated, applications written in this language still work, even on fully patched systems.

One may ask why a “new” PoS malware family is built on such an old platform as Visual Basic. We believe that this is because FighterPOS code is not entirely new. Instead, the vnLoader malware (designed for botnets) was modified to add PoS-specific features. It retains its botnet-oriented capabilities, which include:

  • Malware auto-update
  • File download and execution
  • Sending out credit card data
  • Sending out keylogged data
  • Layer 7 or layer 4 DDoS attacks

The DDoS capability effectively turns this POS family into a very flexible and attractive tool for prospective buyers.

Conclusion

FighterPOS is a full-featured piece of malware, carefully developed using strong encryption. It supports multiple ways to talk with its C&C infrastructure. Its keylogging capabilities allow for DDoS attacks and gaining full control of victim machines. We currently estimate that each infected machine sends back ten new credit card numbers to the attackers.

We are continually evaluating this threat, and are still performing research not only on the malware family, but also the C&C infrastructure.

Indicators of Compromise

The SHA1 hashes of the FighterPOS samples we’ve seen are as follows:


We have seen the following C&C servers and sites in use:


via: trendmicro

Playing it Safe with Online Gaming

Online gaming has become an enormous worldwide industry estimated to be worth more than $15 billion annually. Among the most popular of online games is what’s known as Massively Multiplayer Online (MMO). Played over a computer network, these games support hundreds or thousands of players simultaneously. Gamers playing MMOs do so using either a computer or one of the newer gaming consoles, such as Xbox 360, Nintendo Wii, or PlayStation 3.

The gaming industry’s popularity has been increasing year-after-year. 20 million Xbox Live players alone have spent more than 17 billion hours gaming.[1] World of Warcraft, one of the most popular Role Playing Games (RPG) reached 12 million subscribers in November 2011[2]. But you should know that the games you, your friends and/or children are playing may be exposing you to payments fraud or identity theft. Where there is money, there are criminals, and they’re after gamers’ credit card details, personal identifying information (PII), and even virtual world loot, which can be sold for real-world currency via auction sites.

According to iovation, an online fraud prevention technology company, “organized crime in online gaming is a serious and growing problem. Entire businesses have closed due to attacks by cyber criminals, while others not managing chargebacks properly have lost their ability to offer popular payment methods. Fraudsters hijack player accounts, purchase virtual currency using stolen credit cards, sell gaming assets on third-party sites, and create programs that run spam in chat channels from hundreds of fake accounts – all hurting the gaming brand’s reputation and business profits.”

Hijacked accounts have become all too common. How do fraudsters get access to your username and password? Some do so using social engineering: scammers are able to coax information out of live support employees of gaming and game system companies. Because accounts contain credit card numbers, home and email addresses and other PII, gamers exposed to this type of fraud are at great risk of fraud and identity theft.

Another method used by fraudsters to obtain access to your account credentials is malware. According to Chris Boyd, Sunbelt Software, “the development of serious malware and social engineering threats in the world of online gaming has made the environment as risky as other parts of the net. These threats are not being taken seriously enough by either gamers or the industry itself.”[3]

Unscrupulous players are also launching denial-of-service attacks against online gaming rivals, making the gaming network unavailable for use. These gamers can rent botnets to launch a denial-of-service attack against foes in games such as Halo 3 or Gears of War.[4]

Fraudsters also use phishing Trojans designed to steal login credentials of gamers. In 2009 Chinese authorities shut down a crime ring convicted of creating and distributing Trojans targeting players. It is estimated that this particular crime ring stole login credentials from upwards of 5 million gamers and sold them online for a profit estimated to be $4.4 Million.

Your information can also be exposed by data breach. Mid-last year Sony had not one, but two data breaches. The first exposed the PII of 70 million people worldwide. The second affected 25 million individuals who are members of Sony Entertainment. Data breaches are yet another type of security risk associated with online gaming. “The incidents became even more unsettling in light of the fact that many of the affected gamers were kids, teens, and tweens—among the most appealing targets to identity thieves.”[5]

What can you do to help protect yourself and your family?  The following suggested tips could lessen your exposure to fraud associated with online gaming:

Mapstr Is A Nifty Little App To Keep Track Of Your Favorite Places


Meet Mapstr, a hybrid map and note taking app that lets you easily bookmark your favorite restaurants, bars and more. It reminds me of the old Del.icio.us, but this time it’s for places.

There are already many ways to keep track of places. You can create address book entries, add bookmarks into Google Maps or just create a new note on your phone. But these options are all clunky in some way.

Google Maps bookmarks are just stars on a map — they don’t tell you much. It’s hard to know if you bookmarked a place because a friend lives there, because you liked this coffee shop or because you want to try it. As far as I know, you can’t add notes to your bookmarks in Google Maps.

And of course, notes are hard to search and make you switch back and forth between your favorite note taking app and Google Maps. Chances are it will be quicker to do a quick Google search rather than scroll through your notes.

Mapstr takes a different approach. When you open the app, you are presented with a full screen map. After that, nearly everything happens here, because the best way to bookmark your favorite places is on a map.

Then, you can tag your places with descriptive keywords (restaurant, sushi, cocktails, etc.) and personal keywords (favorite, to try, etc.). And of course, you can add notes to remember what cocktail to order. The true power behind Mapstr is that the more places you add, the more relevant it becomes. You can filter by keyword and find the perfect place in very little time.

Unlike Foursquare or Yelp, Mapstr isn’t a social app. You won’t find any comments by other users, and you won’t share your location with others. Using Mapstr simply feels like annotating an old-fashioned paper map.

Another option that I like is: http://www.travellerspoint.com/

Travellerspoint offers users a diverse travel resource that covers many destinations all over the globe. The website links to many travel blogs as well as travel guides and other resources.

Users can browse a list of exotic and intriguing destinations, ranging from locations in Africa and Asia to South America, the Middle East and the Caribbean.

A built in website search allows the user to seek out information on a specific region or city as well.

Along with text content, the site also maintains a vast library of color images taken at various locations.

Interactive tools allow the user to build a map of their next trip that includes blog entries and photos attached to various destinations. Other features include hotel and airfare listings, travel insurance, packing lists, trip planning guides, wiki travel guide and the ability to start a travel blog.


Via: techcrunch, travellerspoint

Mozilla Adds Opportunistic Encryption for Firefox Browser

The developers of the Mozilla Firefox browser have moved one step closer to an Internet that encrypts all the world’s traffic with a new feature called Opportunistic Encryption (OE), which can cryptographically protect connections even when servers don’t support the HTTPS protocol.

The feature is included in the just-released Firefox 37.

“Opportunistic encryption is meant to improve the transport properties of legacy HTTP resources that would otherwise be carried in clear text,” Patrick McManus, platform engineer at Mozilla, told eWEEK. “Any transport layer security (TLS) certificate, including self-signed ones, may be used with opportunistic encryption because it does not enforce authentication. Servers must run either HTTP/2 or SPDY/3.1.”

Security researchers said that Mozilla is on the right track. “Opportunistic encryption is not a ‘better’ solution than (TLS), but this standard removes almost all barriers to encrypting web traffic,” said Terence Spies, CTO at HP Security Voltage, in an email. “It doesn’t resist attackers that can actively alter traffic, but keeps data private from attackers that are passively recording the contents of network connections.”

So, if site administrators can enable encryption with a simple configuration switch, it moves the web toward an internet where data is encrypted by default.

“It doesn’t solve every security problem, but raises the default security level from unprotected to privacy-protected,” Spies said.

Franklyn Jones, CMO of Spikes Security, added that it’s merely a first step in a broader effort.

“All web traffic should be encrypted, from the internal client to the destination web site.  Google has long been a proponent of this,” he said. “However, cyber-criminals also know how to insert malware into encrypted SSL connections.  So for that reason, it will be increasingly important that IT security teams adopt appropriate policies for decrypting and inspecting SSL traffic before it is delivered to the endpoint device.”


Via: infosecurity-magazine

AT&T Hands Over $25 Million to Settle Data Breach Complaint

AT&T has agreed to pay a $25 million penalty in a settlement with federal regulators after data breaches in several Latin American call centers exposed the personal information of nearly 280,000 U.S. customers.

In a complaint released Wednesday, Federal Communications Commission (FCC) officials stated that call center contractors in Mexico, Colombia and the Philippines collected sensitive account information from subscribers, including Social Security numbers, between November 2013 and April 2014.

According to the FCC, most customers affected were Spanish-speaking U.S. residents.

The FCC’s investigation revealed that three call center employees in Mexico accessed more than 68,000 accounts without proper authorization in order for the third-parties to submit hundreds of thousands of unlock requests through AT&T’s online portal.

Furthermore, the agency discovered that approximately 40 company employees based in Colombia and the Philippines also accessed over 211,000 customer accounts with the same malicious intentions.

“As the nation’s expert agency on communications networks, the Commission cannot—and will not—stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler in a press release.

Meanwhile, AT&T said in a statement:

“While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers.” 

The telecom giant agreed to notify all impacted customers and offer free credit monitoring services for one year. In addition, the company plans to bolster its security practices and consented to filing regular compliance reports to the FCC.

The $25 million settlement comes as the agency’s largest privacy and data-security enforcement action to date.


Via: tripwire