A warning from SANS to end users against Heartbleed

The risk of Heartbleed client-side attacks and recommendations for end users is focused at the fourth briefing on the bug from the SANS Institute's Internet Storm Centre (ISC).

SANS is the most trusted and by far the largest source for information security training and security certification in the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

"A lot of the effort initially has been on servers, and servers are certainly at the most risk — not just web servers, but mail servers, and all of that good stuff as well. Everything that uses OpenSSL with an affected version is vulnerable, whether it's a client, whether it's a server — and of course as an end user, you're mostly concerned about the client part," said SANS presenter and ISC chief technology officer Johannes Ullrich.

Clients are indeed vulnerable, said Ullrich, but not the most popular ones. At the operating system level, Apple's OS X uses OpenSSL version 0.9.8, not the Heartbleed-vulnerable version 1.0.1, and Windows doesn't use OpenSSL at all — although there can be a risk from Windows application that have been statically compiled against OpenSSL libraries.

"It's unlikely that a normal, average home windows user has OpenSSL on their system," Ullrich said. "You're not going to run a web server on your home Windows machine." And Android devices are the main client-side risk, because it's the only major operating system that uses OpenSSL widely.

"The first message [for home and family users] is 'Do not patch.' This sounds counter-intuitive, and yes there may be software that people have installed that does use OpenSSL," he said. But for home users who've seen Heartbleed scare stories in the mainstream media, being caught by scams is the greater risk.

The second message is that, yes, changing passwords to online services is "probably a good idea", Ullrich said. "Even if if didn't get leaked, it's probably not going to break anything." And, because changing so many passwords is a pain, get a password manager.
"If you still have to remember all your passwords, and if you are able to do so, your passwords are too weak," he said.

Continue reading →

Call of Duty is not secure from Heartbleed

Heartbleed took Call of Duty: Black Ops II‘s blood out too, according to security researchers.
The Heartbleed security bug is a simple example of memory leakage through overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted from the process’s memory. This could yield anything, including encryption keys, bits of traffic, credentials or session keys. The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown.

However Ken Munro, a senior partner at Pen Test Partners, came across evidence of a real world) example of the vulnerability being exploited – in the popular online multiplayer game Call of Duty: Black Ops II. He logged in to shoot some enemies after a busy day of ethical hacking, only to see a series of messages suggesting a compromise had taken place.

"What we can surmise is that the CoD developers had connected to the Steam developer portal and either their session ID or, even worse, credentials had been stolen," Munro told El Reg.
"Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!"

Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes, and a gaming security expert, agreed that Munro had uncovered circumstantial evidence of a compromise CoD while arguing that this might easily have been pulled off with another exploit.

"It's entirely possible the person responsible for the message didn't use Heartbleed to snag a login - they may have grabbed it by another means entirely, but decided to use the account to post a more general alert to the gaming community and devs at large," Boyd told El Reg. "In fact, this highlights the fact that we may see more compromises which have nothing to do with Heartbleed, but end up trading off the high profile of the threat.  This could lead to yet more confusion on the part of both developers and users of popular web services over the coming weeks."

Boyd agreed with Munro that the intention of the unknown perp was not malign.

"While it's difficult to say exactly what functionality the person responsible for compromising the game in this way had access to, it seems their intention was to warn rather than harm," Boyd said. "Anybody concerned about achievement tampering should know that it's easy enough for someone to do that themselves without an entire game needing to be compromised first. As for the possibility of malicious patches going out, PC updates are traditionally a little easier to get out than (say) the XBox Live network where all updates are put through rigorous testing before being given the green light."

Munro is sticking to his guns in suggesting Heartbleed is the most likely culprit.

"Timing-wise the most likely candidate is Heartbleed," Munro said, adding that Boyd is also right to say that "we only have the hacker’s claim - but that certainly doesn’t preclude it from being the truth."

Yet it is not sure whether it really is the HeartBleed or something else which has compromised Call of Duty: Black Ops II.

Continue reading →

Military Satellites Vulnerable to Hacking

Researchers warned that many of the satellites manufactured by some of the biggest government contractors are vulnerable to several exploits from which the satellite can be exploit and hacked to disrupt military operations.

It has uncovered that there are many vulnerabilities in software and ground-based satellites manufactured by British companies Cobham and Inmarsat says security consultancy.

The U.S based computer emergency response team warned about the vulnerabilities in January.

Many of the issues were in Broadband Global Area Network. BGAN is designed to provide internet and voice connectivity for remote teams. The affected Haris BGAN satellites terminals are also by military , including NATO for tactical radio communications.



The Cobham Aviator machines could be compromised to alter satellite communications, such as the Aircraft Communications Addressing and Reporting System (Acars), used by a plane.

ACARS is used to transmit vital informations such as fuel levels , it was usually used to track the movements of MH370 flight soon it disappeared. 

The manufacturers were warned about the vulnerabilities in which some of the vulnerabilities are claimed to be exploited with little technical ability , these flaws are present in the products from atleast two years.

 

Continue reading →

Hackers Targeted Carlson Hotel in Minnetonka

Carlson hotel in Minnetonka has launched its hotel's rewards point system called "Club Carlson Gold Points " , Recently hackers compromised into its security. According to the Hotel Officials , About $35,000 of the worth of rewards of 650 customers has been stolen by hackers.

The company noticed irregular transaction to a club members accounts 12 days ago. Company says that when they noticed the transactions , they immediately freeze the accounts.

All of the members who have been affected and have been contacted and their stolen rewards has been replaced. The company is urging the members which had access to Club Carlson's account to check their balance and change their passwords.

The accounts didn't contained any financial information , it only included the addresses of the members and their email addresses according to the company as they are saying. This case is still under investigation.

 

Continue reading →

OpenSSL bug hunt!!

A campaign has started to raise $250,000 for an OpenSSL bug – and its organizers hope it will help ensure the Heartbleed omnishambles is never repeated.

The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who discover and report bugs in crucial crypto-library OpenSSL.

A pitch on crowdtilt.com explains:
“With many eyes and the right incentive all bugs are shallow. It's up to the Internet to come to the table and provide the incentive required to make sure wide-scale security exposures like Heartbleed don't happen again.
This Crowdtilt will fund a focused crowd-sourced security assessment on OpenSSL. 100% of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation.
Anyone can sponsor at any amount. Sponsors will be credited as Defenders of the Internet, and sponsors who commit over $5,000 will be specially mentioned and thanked.
Together let’s make the Internet a safer place.”

Donations thus far stand at a modest $5,400, but the fund has only just opened. Even so, the fundraiser is working on what looks like a tight deadline.

Casey Ellis, chief exec of Bugcrowd, explained that the initiative was independent from OpenSSL.
"The [OpenSSL] developers are aware of our efforts but are also obviously quite busy at the moment, so it's fair to say that we are doing this independently," Ellis said.

Bug-bounty programs have become commonplace across the IT industry: the schemes reward researchers for reporting flaws to vendors, rather than hawking them through exploit brokers or vulnerability marketplaces.

Heartbleed is a serious flaw in the widely used OpenSSL: a programming blunder allows miscreants to silently read passwords, private crypto-keys and other sensitive data from the memory of vulnerable servers, PCs, phones, tablets and other devices.

That's bad, but it's no remote-code execution hole, admittedly; there have been worse flaws in other internet-facing software that allowed attackers to plant all sorts of nasties on systems.

 

Continue reading →

Pakistan Calls for founding of National Cyber Security Council

type='html'>

Pakistan’s Upper House this week began debating a new bill seeking to establish a National Cyber Security Council, an agency the nation feels is needed to keep NSA at bay

Senator Mushahid Hussain Sayed on Monday presented The Cyber Security Council Bill 2014 with the aim of creating a body to draft policy, guidelines and strategy on cyber security issues according to international best practices.

As well as working to counter emerging online threats, it will also try to facilitate better communication and information-sharing between government and private sectors. To help achieve this, members of the proposed council would apparently be drawn from both sectors.

Sayed said:
‘Given the clear and present danger of threat to Pakistan’s national security related to cyber warfare, as demonstrated by revelations of intrusion into privacy and spying by overseas intelligence networks, and given the context that cyber warfare is currently being weighed actively in the region where Pakistan is located, it is imperative that Pakistan take institutional steps to combat this threat’.

Pakistan’s security concerns, of course, are not limited to possible NSA spying. Hacktivists purportedly from the Islamic republic frequently trade online attacks with those from arch rival India, and occasionally further afield.

The latest Enemies of the Internet report from Reporters without Borders called out the Pakistan Telecommunication Authority (PTA) for its increasingly prolific attempts to blacklist URLs and filter web content.

While lawmakers in Islamabad talk about “major non-traditional, non-military threats the country is facing” from the likes of the US, they should also probably focus more scrutiny on their own government.

Who Got Hacked , copy rights

View the original article here

Continue reading →

Romanian Arrested for Attempting to Hack Presidency Site and for Stealing Credit Cards

Today 37 year old Romanian arrested for attempting to hack into presidency site in an effort for gaining access to a restricted information and for stealing 62,000 credit cards.

City News ( Report in Romanian ) reported that after the investigation they got to know that the person behind these attacks was Teodor Bors located in city of Cluj Napoca.


The Directorate for Investigating Organized Crime and Terrorism says that the hacker obtained the data for 62,000 payment cards which were from 2010 to March 2014.

The hacking operations were routed through servers in China and New Zealand. The involvement of the Russians in concerned , Romanian is believed to have only given access to bank accounts with large amount of money in it.

Bors is also said that he have sold the credit cards information about 3,500 to other individuals. The criminal have transferred the money through Western Union and Money Gram as blamed that he might have been transferred to his girlfriends bank account. The criminal might have converted the money into BitCoins.

After the investigation at suspect's home they found €153,000 and $41,000  , Bors was detained or 24-Hours and they kept on asking him questions.

Today the court will decide what they should do next.

Continue reading →

Before MORE Website's Heart start bleeding it’s Better to Encrypt the entire Internet

The Heartbleed bug crushed everyone’s faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.

Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.

Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.

Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.

If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings.
A Google spokesperson would only tell us that the company has nothing to announce at this time. So this change won’t happen overnight.


The Dispute Against Total SSL

But if HTTPS is so great, then why don’t all websites use it already? There are several disadvantages to using HTTPS everywhere, the World Wide Web Consortium’s HTTPS expert Yves Lafon told us in 2011.

The first is the increased cost. You have to purchase TLS certificates from one of several certificate authorities, which can cost anything from $10 dollars per year to about $1,000 dollars a year, depending on the type of certificate you purchase and the level of identity verification it provides. Another issue is that HTTPS increases server resource consumption and can slow sites down. But Marlinspike and Butler say the costs and resource overhead are actually greatly overestimated.

An issue for smaller sites is that it’s historically been hard to set up unique certificates on sites that use cheap shared hosting. Also, sites that used content delivery networks — or CDNs — to speed up their responsiveness also frequently faced challenges when implementing SSL. Both of these issues have been largely resolved today, though the costs, performance and complexity varies from host to host.

But even if the entire web isn’t ready to switch completely to HTTPS, there are plenty of reasons that more sites should start using HTTPS by default — especially sites that provide public information and software. And given how far we’ve already come since the days of FireSheep, we can expect HTTPS to continue to continue to spread, even if Google doesn’t start prioritizing sites that use it.

Continue reading →

Heartbleed snatched CloudFlare Crypto Keys!

Private crypto keys are accessible to Heartbleed hackers, new data shows. Cloudflare published preliminary findings that seemed to indicate that it would be difficult, if not impossible, to use Heartbleed to get the vital key that essentially unlocks the secure sockets layer padlock in millions of browsers. To be extra-sure, Cloudflare launched “The Heartbleed Challenge” to see how other people exploiting Heartbleed might fare. The company set up an nginx server running a Heartbleed-vulnerable version of OpenSSL and invited the Internet at large to steal its private key.
Four people have been able to see server keys and certificates in a test.


The results are a strong indication that merely updating servers to a version of OpenSSL that's not vulnerable to Heartbleed isn't enough. Because Heartbleed exploits don't by default show up in server logs, there's no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site's authentic server.

The demonstration that it's possible to extract private SSL certificates means that out of an abundance of caution, administrators of sites that used vulnerable versions of OpenSSL should revoke and replace old certificates with new ones as soon as possible. Given the huge number of sites affected, the revelation could create problems.

"The bad news is that discovery changes our recommendation from: reissue and revoke as a medium priority to reissue and revoke as a high priority," Matt Prince, CEO of CloudFlare wrote in an e-mail to Ars. "We've accelerated our own reissuance and revocation process."

Cloudflare had originally reasoned that, at least on the Linux-based platform it uses, a server's certificate and private keys are usually stored in the server's memory early on after booting up, and because servers are not booted up frequently, it would be difficult to find a situation in which the block of memory that Heartbleed can be used to access (which can be up to 64Kb of information) would contain a server's private keys.

The process of revoking and reissuing certificates is unwieldy and slow even without half of the Internet trying to do the same process at the same time. “If every site revoked its certificates, it would impose a significant burden and performance penalty on the Internet,” wrote CloudFlare in a Friday blog post. “At CloudFlare-scale the reissuance and revocation process could break the Certificate Authority infrastructure.”

The company said that for its customers running on CloudFlare infrastructure, it has already begun the process of reissuing and revoking SSL certificates in stages, and expects to be done with the process sometime next week.

Continue reading →

FireEye Report Analyzes Zero-day Attacks of 2013

 
FireEye, a network and security analyst agency, has published a report in which it analyzes the 2013 0days exploits along with context around the threat these vulnerabilities pose to the corporate enterprise.The report also suggests preventive and remedial measures against 0day attacks. 
The report writes that 0day exploits today are causing incredible loss to corporate industry. These exploit facilitates advanced attack against relatively out-dated security measures and cyber defense put up by organisations. 
Last year's Council on Foreign Relations and the U.S. Department of Labor were attacked exploiting 0days , FireEye said. FireEye further says that Looking beyond just blocking these vulnerabilities, FireEye forensics experts found that watering-hole attacks targeting specific audiences and industries are a rapidly rising trend in the attack space. 
 FireEyes said that during the first half of 2013, Java was common target for 0day attacks. However, in second half of the year, IE sustained increased 0day attacks. In 2013, FireEye analyzed 767,318 unique Command and Control (CnC) communications, or more than one per minute; and 22,509,176 total CnC communications, or more than one every 1.5 seconds on average. 
FireEye's latest report provides advice on how networks, incident response, and application management should be approached to deal with today's advanced, unknown threats, and recommends that enterprises take the certain actions.

 

Continue reading →

Connecticut under cyber attack , Hackers shutdown power grid station

Security challenges are constantly evolving and "becoming more sophisticated and nefarious" and the ability of utilities to detect and stop penetration must constantly improve, the Public Utilities Regulatory Authority said in its report to Gov. Dannel P. Malloy, report about the hack of Connecticut.

Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption.
The report, required as part of legislation enacted last year, said the region's Massachusetts-based grid operator, ISO-New England, has "more sophisticated" cyber defenses than utilities do.

"ISO-NE is constantly being probed, as are all of New England's utilities, many of which have been compromised or penetrated in the past," the report said. "ISO-NE's strength, therefore, depends on both its own cyber defense capabilities and those of each of the utilities with which it works."
The report did not identify the utilities that were compromised or say how. ISO said in a statement that it wouldn't elaborate publicly on security details.

Weaker utilities in the region need to be monitored because failure in one utility could affect the resilience of the region's system, the report said.

Referring to what utilities and water companies can do to protect against threats from workers inside their companies, the report said personnel security requires a balance "between prudence and overkill.".

Regulators said a traditional reliance on employees with no criminal background is inadequate. "Terrorists, hackers and spies rarely have damaging, discoverable police records," the report said.
The report warned that compromise could come from employees with ideological or other personal identifications that "motivate disruptive behavior." And it said it's virtually impossible to thoroughly vet all employees with potential contact to operations, including maintenance, food services and other vendors.

Regulators compared the two destructive storms of 2011 and Superstorm Sandy in 2012, both of which knocked out power to much of Connecticut, with cyber-attacks that threaten utilities' reliability and resilience.

Regulators hinted at higher costs to beef up security. The possibility of cyber-attacks raises the issue of "appropriateness of cost for cyber defense," the report said.

 

Continue reading →

Researchers got Rewarded by $10,000 for Reporting XXE Vulnerability in Google

A critical bug XXE vulnerability has been found by researchers which let researchers access the internal files of Google's production servers. Sounds surprising but it has been really found by hackers which let hackers read any internal files.

As shown, the vulnerability was in Google Toolbar Button Gallery. Team of Researchers found a bug when they noticed that google allows users to customize their toolbars with adding new buttons. For developers its easy to make their own new buttons by uploading XML files containing Meta Data for styling.

This vulnerability can be called as "XML External Entity(XXE)" or "XML Injection". The researchers crafted there own buttons, by uploading it they gained access to internal files of Google Production server like they managed to read "/etc/passwd" and "/etc/hosts".

The team of researchers reported the vulnerability to Google  as we all know , Google is having a famous bug bounty program, When they reported XXE vulnerability to Google so they rewarded the researchers which $10,000 for identifying bug in search engine's feature.

 

Continue reading →

Mozilla Named Chris Beard as Its Interim CEO

Mozilla announced Chris Beard as its new interim former chief marketing officer replacing Brendan Eich as he resigned last April. Bread has also taken the place of Eich on Mozilla corporation board.

Brendan Eich , The former CEO and creator of JavaScript , He was forced to leave the job after 11 days of his job as it was revealed that he donated to a campaign to ban same-sex marriage.

"We began exploring the idea of Chris joining the board of directors some months ago,"  says the executive chair-women Mitchell Baker on company's blog.

 "He’s been actively involved with Mozilla since before we shipped Firefox 1.0, he’s guided and directed many of our innovative projects, and his vision and sense of Mozilla is equal to anyone’s. I have relied on his judgement and advice for nearly a decade. This is an excellent time for Chris to bring his understanding of Mozilla to the Board." Mitchell Baker continued

While the Beard is only interim CEO , the board still searches for someone to take place of Eich on permanent basis. Brendan Eich was promoted to chief executive on 24 March. Mozilla had to face criticism as Eich donated $1,000 to a campaign to ban same-sex marriage. 

Ten days later , Eich resigned.

Continue reading →

What Experts Say on Possible Cyber Attacks

Experts say the keyboard can create more disastrous results than a bomb or natural disaster. Cyber attacks what many fear are the new face of terrorism.
In April 2011, tornadoes hit Alabama hard, wiping the power supply to millions of homes for days. Could the results of that natural disaster be recreated by man in the form of a cyber attack?
For those in the industry of preventing cyber attacks, it's a continuing game of cat and a click of a mouse. For the Tennessee Valley, the heart of power generation lies with TVA and nuclear power from Browns Ferry.
Rob Arnold heads up the team of trained professionals who oversee cyber security operations for TVA. Right away, Arnold put even the chance of a cyber induced nuclear meltdown to rest.
"It's not theoretically possible for an individual at home on his laptop to control our plant centrifuges," said Arnold, Enterprise Cyber Security Manager.
That's because none of the reactors are connected to the internet - their controls are hard wired into the facility. That's not to say organized crime hasn't tried other avenues.
TVA officials recognize cyber hits to its business network in the form of "commercial grade mal-ware or recreational espionage," where hackers try to tap into the computers that control TVA's administrative functions, or internal emails, and customer information. That includes "phishing attacks," where hackers literally fish for information a little bit at a time.
So years ago, TVA separated their business network from their control systems that operate equipment to give hackers less ability to take down all of TVA at once.
"TVA recognizes the threat to our cyber security," said Arnold. "We are a high valued target because we are a federal corporation, we're a government entity, and we understand those threats."
An eye opener came on April 27th 2011, where tornadoes caused the worst damage TVA had seen in 40 years.
"That event showed us our weaknesses," said Arnold. "Some of the lessons learned is we had to do some of the same things with our information technology as well and put redundant paths, redundant communications whether it be satellite, whether it be microwave communications because we lost a lot of those capabilities at that time."
However, with all that protection in place for outsiders, what about those on the inside? For example, internal sabotage. The same people who know to fix problems at TVA know how to create them, too.
"Without a doubt, the possibility exists," said Arnold. "We do background investigations, pre-employment on individuals, we do clearance checks."
Officials at TVA seem to be more worried about a "hybrid attack," where a cyber attack and a physical attack like on a substation happen at the same time.
Last year, crooks skipped the web and went straight for a California power grid by opening fire on an electrical substation, knocking out 17 giant transformers and power to millions of customers.
TVA has never seen that kind of attack, but industry leaders believe if it was copied across the nation, it could take down the U.S. electric grid.
Industrial Cyber Expert Bryan Singer said hackers aren't always in it to create the biggest splash; sometimes it's just about creating a nuisance and costing a company millions of dollars.
However, if a company invests in protection up front, it will pay off later.
"We'll always be somewhat behind on the latest attack trend, yes," said Singer. "However, there's not been a single attack trend I've seen that a well-designed, robust system architecture can't prevent against."
Local industry leaders are starting to share ideas. The Cyber Huntsville organization pulls experts in the field together to collaborate and raise the level of awareness in the cyber community and educate younger minds in the process.

                                                                                                                                               

Continue reading →

Hacker Transfer $1.7 million From School Fund

Social Engineering is a part of hacking technique which is easily be done. U.K.'s St. Aldhelm's Academy loses $1.7 Million when they receive a Phishing Email – a Spoo email from their bank which asked for the bank account details. 

The finance staff didn’t check for its authentication and gave all the details in reply to that e-mail. They even didn’t recognize it’s fake until they loss more than 1 million.

These were the funds taken as a loan from Department for Education's Education Funding Agency for the building. The school is now paying it back without even using it in right place for what actually they taken for.

The school has placed a report and police is still investigating.

Continue reading →