What's New

Most major companies have done little to fix vulnerabilities exploited by the Heartbleed bug, according to a study by security firm Venafi. Venafi finds that 97 percent of Global 2000 organizations remain vulnerable to Heartbleed because they have not replaced vulnerable keys or revoked and replaced digital certificates--measures that experts say are needed to fully protect an organization from Heartbleed.

As FierceITSecurity reported, the Heartbleed bug enables a hacker to read the memory of systems "protected" by vulnerable versions of the OpenSSL software. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," explains Codenomicon, which uncovered the bug.

Venafi warns that many IT security pros believe that applying a patch is enough to protect their firms from Heartbleed. "But if someone walks into your house through an open door and steals your house keys, you don't then rely on the same locks once you've closed the door. Organizations must find and replace all of their keys and certificates--all of them. Otherwise significant security gaps and open doors remain," the security firm warns.

Of course, Venafi has an interest in promoting this remedy, since it sells services that locate a firm's keys and digital certificates and remediate any issues with them.

Venafi's is not the first study to find that organizations have not taken adequate steps to protect themselves against Heartbleed. As FierceITSecurity reported last month, a survey by CloudPhysics finds that more than half of deployments of certain VMware products, such as vCenter Server 5.5 and ESXi 5.5, are still vulnerable to Heartbleed, even though VMware issued a Heartbleed patch in April.
A July advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warns that critical industrial control systems made by Siemens remain vulnerable to Heartbleed. The advisory warns that a hacker could use the bug to hijack a system or intentionally crash it.

The Backoff malware, detailed in a US-CERT alert on Friday, has already infected point-of-sale (POS) systems at 600 retailers, according to security firm Trustwave. Some of the 600 retailers are large retail chains, Karl Sigler, threat intelligence manager at Trustwave, tells TIME magazine. The Department of Homeland Security, which worked with Trustwave and other federal agencies to uncover the Backoff malware, declined to comment on Sigler's estimate.

As reported by FierceITSecurity, the Backoff malware infects POS systems through the remote desktop software retailers use to let remote workers reach their corporate networks. Once the cybercriminals find this software, they launch brute-force attacks against its login, gain access to the network, deploy the malware, steal customer payment data and hide the theft using encryption. All of the retailers identified as infected with the malware are aware of the breach, says Trustwave.

Backoff is just one of a number of POS malware attacks over the last few years, notes Jaime Blasco, labs director at security startup AlienVault. He says that most remote desktop software ships with common default usernames and passwords, which retailers often do not change.
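The attack chain described above, password guessing against an Internet-exposed remote desktop login followed by a successful sign-in, leaves a recognizable trace in authentication logs. The following is an added example written for this digest, not code from Trustwave, US-CERT or any retailer: it assumes a constructed log format (timestamp, source address, username, result), constructed sample lines using documentation-range addresses, and a constructed threshold of five failures in five minutes, and it reports both the failure burst and any later success from the same source, which is the "guessed it" signal a defender most wants to see.

```python
"""Detect brute-force login attempts against a remote-access service, as in the
Backoff POS story. Added example; the log format, thresholds and sample lines
are constructed for illustration and do not come from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
2014-08-01T02:14:07Z src=203.0.113.10 user=admin result=FAIL
2014-08-01T02:14:09Z src=203.0.113.10 user=admin result=FAIL
2014-08-01T02:14:11Z src=203.0.113.10 user=administrator result=FAIL
2014-08-01T02:14:13Z src=203.0.113.10 user=pos result=FAIL
2014-08-01T02:14:15Z src=203.0.113.10 user=pos result=FAIL
2014-08-01T02:14:17Z src=203.0.113.10 user=pos result=SUCCESS
2014-08-01T02:20:00Z src=198.51.100.7 user=jsmith result=FAIL
2014-08-01T02:31:00Z src=198.51.100.7 user=jsmith result=SUCCESS
"""

# Assumed (constructed) line layout: "<ISO8601 UTC> src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("user"), m.group("result")


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (source, kind, detail) alerts.

    kind == "burst": `threshold` or more failures from one source within `window`.
    kind == "success_after_burst": that source later authenticated successfully,
    i.e. the guessing likely worked and the account should be treated as compromised.
    """
    recent_failures = defaultdict(deque)  # source -> timestamps inside the window
    burst_sources = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        q = recent_failures[src]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append((src, "burst", f"{len(q)} failed logins within {window}"))
        elif result == "SUCCESS" and src in burst_sources:
            alerts.append((src, "success_after_burst", f"user={user} at {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed sample, 203.0.113.10 trips the burst rule on its fifth failure and is flagged again when the "pos" account then logs in; 198.51.100.7's single mistyped password never reaches the threshold. The same per-source window also catches guessing that rotates through several usernames, because the count is keyed on the source rather than the account.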
"The lessons to learn from the latest retailer breaches are: don't expose critical systems such as POS devices to the Internet, especially if you are running Remote Desktop or similar. If for some reason you have to do it, try to create access lists so that only certain IP addresses can access those devices and use strong passwords or even two-factor authentication. Lock all the data and monitor all of your network traffic. Deploy detection technology to be able to look for suspicious traffic," Blasco writes in a statement emailed to FierceITSecurity.

Eric Chiu, president and co-founder of cloud security firm HyTrust, agrees. "Companies need to shift their approach to security from an 'outside-in' mentality of perimeter-based security to an 'inside-out' model where they assume the bad guy is already on the network. Access controls, role-based monitoring and data encryption are critical requirements to protect critical systems from insider threats," Chiu says in a statement emailed to FierceITSecurity.

In the latest HP Security Briefing, an expert from the company discusses Bitcoin and the real-world security implications of cryptocurrency as a widely used mode of transaction. John Park, a senior security researcher at HP and author of the report, writes that with the increased adoption of Bitcoin--the current market capitalization of BTC is estimated at over $7.8 billion, with $2.2 million added every day--the average user needs to understand how the system works. "In order to secure Bitcoin, we need to know what we need to protect--that is, where the value is held in the Bitcoin system--since the attacker will go where the value is stored," the report states.
First on the list of value stores is a user's bitcoin wallet. Most often, cybercriminals infiltrate a system using a backdoor Trojan and then abscond with the wallet key. While the process is similar to a "typical impersonation attack," the victim has few options for recovering the cryptocurrency afterwards, unlike with a traditional bank account.

A so-called "51% attack"--which almost occurred earlier this year with the mining pool GHash.IO--occurs when one entity controls a simple majority of all hashing power in the Bitcoin system. That entity conceivably has the power to block all transactions, undermining the authenticity of the market. While there is no danger of the entity stealing bitcoins from wallets, it can essentially nullify their use or cause a run on the value.

Because Bitcoin's mining system rewards hashing power, an operating computer is itself another store of value. As we've discussed before, several forms of malware commandeer computing power in order to join a larger mining pool. Park writes that this kind of crime pays off because the perpetrator is not using his own electricity or systems to earn an extra couple of dollars.

However, amid all the problems with Bitcoin, Park thinks cryptocurrency will continue to find a niche in an evolving digital market. "There are clearly a number of things that could go wrong with Bitcoin. The good news is that none of the issues we've listed are crippling flaws, and for the foreseeable future, we can reasonably expect the Bitcoin system to keep rolling along," he writes.

Java continues to be the programming language most exploited by attackers, according to the Cisco Midyear Security Report released on Tuesday.
Java exploits rose to 93 percent of all indicators of compromise in May of this year, up from a previous high of 91 percent in November of last year. An indicator of compromise is a forensic artifact or remnant of an intrusion that can be identified on a host or network.

"Java continues to be the frontrunner for web exploitation," Levi Gundert, technical lead at Cisco, tells FierceITSecurity. "Because so many applications use Java, and because so many organizations run Java and embed it in the browser, it is a wide attack surface for threat actors to leverage," he adds.

After examining 16 large multinational organizations, Cisco found that nearly 70 percent of their networks were issuing domain name system (DNS) queries for dynamic DNS domains. This is evidence of networks misused or compromised by botnets that use dynamic DNS to change their IP address to avoid detection or blacklisting. "The best way for malware to communicate with a command and control server is to use a dynamic DNS service because if the server gets taken down, they can stand up a new server with a new IP address and instantly change where that domain points to," Gundert tells FierceITSecurity. "There is an extremely high correlation between malicious activity and specific dynamic DNS subdomains," he adds.

The Cisco report also finds an "unusual uptick" in malware within vertical markets. Media and publishing was the top vertical for web malware encounters, experiencing four times the median number of encounters in the first half of 2014, followed by pharmaceuticals and chemicals in second, and aviation in third.

"Analyzing and understanding weaknesses within the security chain rests largely upon the ability of individual organizations, and industry, to create awareness about cyber risk at the most senior levels," says John Stewart, chief security officer at Cisco, in a statement.
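The dynamic DNS indicator Cisco describes is straightforward to hunt for in resolver logs: collect the names each internal client queries and flag those that fall under a watchlist of dynamic DNS provider suffixes. The block below is an added example for this digest, not Cisco's code or methodology. It assumes a constructed resolver log format, a constructed watchlist of placeholder suffixes (real provider lists vary and should be maintained separately), and RFC 1918 client addresses. Matching is done on whole DNS labels rather than by substring, so a look-alike name such as "notdyn-example.net" is not mistaken for a subdomain of "dyn-example.net", and names are normalized for case and the trailing root dot before comparison.

```python
"""Report internal hosts that query dynamic DNS domains, the indicator described
in the Cisco Midyear Security Report story. Added example; the log layout, the
suffix watchlist and the sample lines are constructed placeholders."""
from collections import defaultdict
import re

# Constructed watchlist of dynamic DNS provider suffixes (placeholders, not real providers).
DYNAMIC_DNS_SUFFIXES = ("dyn-example.net", "ddns-example.org")

# Constructed resolver log (RFC 1918 clients, placeholder domains).
SAMPLE_DNS_LOG = """\
2014-08-05T09:01:02Z client=10.0.0.5 qname=update.vendor.example qtype=A
2014-08-05T09:01:09Z client=10.0.0.5 qname=cdn-a1.dyn-example.net. qtype=A
2014-08-05T09:02:10Z client=10.0.0.5 qname=CDN-A2.DYN-EXAMPLE.NET qtype=A
2014-08-05T09:03:44Z client=10.0.0.7 qname=mail.corp.example qtype=MX
2014-08-05T09:04:01Z client=10.0.0.9 qname=notdyn-example.net qtype=A
2014-08-05T09:05:17Z client=10.0.0.9 qname=home.ddns-example.org qtype=A
"""

# Assumed (constructed) line layout: "<ISO8601 UTC> client=<ip> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def normalize(qname):
    """Lower-case the name and drop the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def matches_suffix(qname, suffix):
    """Label-aware match: the name must equal the suffix or end with '.' + suffix."""
    q = normalize(qname)
    return q == suffix or q.endswith("." + suffix)


def dynamic_dns_report(lines, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Map each client address to the set of distinct dynamic DNS names it queried."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        qname = normalize(m.group("qname"))
        if any(matches_suffix(qname, s) for s in suffixes):
            hits[m.group("client")].add(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(dynamic_dns_report(SAMPLE_DNS_LOG.splitlines()).items()):
        print(client, sorted(names))
```

On the constructed sample, 10.0.0.5 is reported for two distinct names under the watchlisted suffix and 10.0.0.9 for one, while its query for "notdyn-example.net" is correctly ignored. Dynamic DNS also has legitimate uses, so the output is a triage list to correlate with query volume, the number of distinct subdomains per host and other host activity, not a verdict on its own.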
Personal information on tens of thousands of Mozilla developers was posted on a public server for 30 days, Mozilla admits in a blog post. The personal information included the email addresses of 76,000 developers and the encrypted passwords of 4,000 developers, according to a blog post by Stormy Peters, director of developer relations, and Joe Stevenson, operations security manager, at Mozilla, maker of the Firefox browser. Mozilla explains that a data sanitization process for the database of the Mozilla Developer Network (MDN) site failed, resulting in the disclosure. A Mozilla developer discovered the breach last month.

"The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems," the blog warns. "For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using."

Mozilla is investigating the "process and principles" it uses, to reduce the likelihood of a repeat of this breach of confidential developer information. Of course, the blog made the obligatory apology that follows a data breach of this sort: "We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you." Commitment, in this case, does not equal execution.