Top Ten Ways to Defend your Network against the Latest SSL Exploits

29 MAY 2014 | WHITE PAPER

Staying on top of the latest web exploits can be a challenge for Network Admins who are worried about simply keeping up with all the day-to-day management tasks required by a complex environment. This whitepaper details many of the most recent popular SSL-related exploits that your network is likely vulnerable to, along with simple steps you can immediately take to protect yourself.

Armed with the right tools and know-how, Network and Security Admins can take the right steps to lock down their networks against real dangers. The reality is that brute force attacks are not new, but they remain a viable danger to your network – even if you are securing it by more traditional means.

This article details many of the most prevalent SSL exploits that your network could be vulnerable to, ranging from not using HSTS (HTTP Strict Transport Security) to the more theoretical BEAST (Browser Exploit Against SSL/TLS) attacks. Most importantly, this paper offers some simple steps you can take to protect your network now. A few of the ten defense techniques you will learn are:

* Disabling TLS Compression to defeat CRIME
* Using HttpOnly Cookies to defeat Cross-Site Scripting
* Supporting Secure Renegotiation to defeat Man-in-the-Middle attacks
* And 7 other valuable techniques to strengthen your network’s security
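As an added check (not part of the white paper), a Python routine that audits captured HTTP response headers for two of the points listed: an HSTS header and HttpOnly/Secure flags on every cookie. The sample headers are constructed, and the one-year max-age threshold is an assumed policy value.

```python
"""Audit HTTP response headers for two of the defences listed above:
an HSTS header and HttpOnly/Secure flags on every cookie.
Added example, not from the white paper; the sample headers are constructed."""
import re

# Constructed sample response headers, one "Name: value" line each.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: csrftoken=xyz; Path=/; HttpOnly",
]

# Assumed policy: an HSTS max-age of at least one year.
MIN_HSTS_MAX_AGE = 31536000


def parse_cookie_flags(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(header_lines):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    has_hsts = False
    for line in header_lines:
        if ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "strict-transport-security":
            has_hsts = True
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age shorter than one year")
        elif name == "set-cookie":
            cname, attrs = parse_cookie_flags(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cname} missing HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cname} missing Secure")
    if not has_hsts:
        findings.append("missing Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```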

Records of up to 25,000 Homeland Security staff hacked in cyber-attack

Associated Press in Washington
theguardian.com, Friday 22 August 2014 20.48 EDT

Anonymous official says number could be even greater as department warns employees to check bank accounts

The internal records of as many as 25,000 employees of America’s Department of Homeland Security (DHS) were exposed during a recent computer hack at a federal contractor that handles security clearances, an agency official said on Friday.

The official, speaking anonymously, said the number of victims could be greater. The incident is under active federal criminal investigation.

The department was informing employees whose files were exposed in the hacking against contractor USIS and warning them to monitor their financial accounts.

Earlier this month, USIS acknowledged the break-in, saying its internal cybersecurity team had detected what appeared to be an intrusion with “all the markings of a state-sponsored attack”.

Neither USIS nor government officials have speculated on the identity of the foreign government.

USIS, once known as US Investigations Services, has been under criticism in Congress in recent months for its performance in conducting background checks on National Security Agency systems analyst Edward Snowden and on Aaron Alexis, a military contractor employee who shot 12 people dead in Washington in September 2013.

Private contractors perform background checks on more than two-thirds of the 4.9 million government workers with security clearances, and USIS handles nearly half of that number.

It is not clear when the hacking took place, but DHS notified all its employees internally on 6 Aug.

At that point, DHS issued “stop-work orders” preventing further information flows to USIS until the agency was confident the company could safeguard its records.

At the same time, the Office of Personnel Management (OPM) temporarily halted all USIS background check fieldwork “out of an abundance of caution,” spokeswoman Jackie Koszczuk said.

Officials would not say whether workers from other government agencies were at risk. DHS will provide workers affected by the intrusion with credit monitoring.

The risk to as many as 25,000 DHS workers was first reported on Friday by Reuters.

A cybersecurity expert, Rick Dakin, said the possibility that other federal departments could be affected depends on whether the DHS records were “segmented, or walled off, from other federal agencies’ files inside USIS.”

“The big question is what degree of segmentation was already in place so that other agencies weren’t equally compromised,” said Dakin, chief executive of Coalfire, a major IT audit and compliance firm.

Revealed: How governments can take control of smartphones

“Our latest research has identified mobile modules that work on all well-known mobile platforms, including Android and iOS”

RT.com
June 25, 2014

‘Legal malware’ produced by the Italian firm Hacking Team can take total control of your mobile phone. That’s according to Russian security firm Kaspersky Lab and the University of Toronto’s Citizen Lab (which also obtained a user manual).

Operating since 2001, the Milan-based Hacking Team employs over 50 people and offers clients the ability to “take control of your targets and monitor them regardless of encryption and mobility,” while “keeping an eye on all your targets and manage them remotely, all from a single screen.”

It’s the first time Remote Control Systems (RCS) malware has been positively linked with mobile phones, and it opens up a new potential privacy threat to mobile phone users.

“Our latest research has identified mobile modules that work on all well-known mobile platforms, including Android and iOS,” wrote Kaspersky researcher Sergey Golovanov.

“These modules are installed using infectors – special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target – which is much more powerful than traditional cloak and dagger operations.”

Image from citizenlab.org

Police can install the spy malware directly into the phone if there is direct access to the device, or if the owner of the phone connects to an already infected computer, according to Wired.

Various software can also lure users into downloading targeted fake apps.

Once inside an iPhone, for instance, it can access and activate all of the following: control of Wi-Fi, GPS, GPRS, recording voice, e-mail, SMS, MMS, listing files, cookies, visited URLs, cached web pages, address book, call history, notes, calendar, clipboard, list of apps, SIM change, live microphone, camera shots, support chats, WhatsApp, Skype, and Viber.

Image from citizenlab.org

While the malware can be spotted by some of the more sophisticated anti-virus software, it takes special measures to avoid detection – such as “scouting” a victim before installation, “obfuscating” its presence, and removing traces of its activity.

Hacking Team has maintained that its products are used for lawful governmental interceptions, adding that it does not sell items to countries blacklisted by NATO or repressive regimes.

Wired reported that there have been cases where the spying apps were used in illegal ways in Turkey, Morocco, and Saudi Arabia.

Citizen Lab discovered spying malware hiding in a legitimate news app for Qatif Today, an Arabic-language news and information service that reports on events in Saudi Arabia’s eastern Qatif region. It also argued that circumstantial evidence pointed to Saudi Arabia’s government using the spying malware against Shia protesters in the area.

“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments. An unstated assumption is that customers that can pay for these tools will use them correctly, and primarily for strictly overseen, legal purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats for those with access to Hacking Team and Gamma Group toolkits,” Citizen Lab said in its report.

Map showing the countries of the current HackingTeam servers’ locations (Image from securelist.com)

Hacking Team controls the spying malware remotely via command-and-control servers. Kaspersky has discovered more than 350 such servers in more than 40 countries. A total of 64 servers were found in the US – more than in any other country. Kazakhstan came in second, with a total of 49 servers found. Thirty-five were found in Ecuador and 32 in the UK.

How to create strong passwords

June 4, 2014
By: Marta López

Quite honestly, you can never be told enough about strengthening your passwords and their security! Of course, that is my opinion.

We have often said that having strong passwords can save you a lot of headaches when it comes to protecting your digital life.

Today we are going to offer you a few tips on how to make a password that will make things a bit more difficult for those malicious individuals who want to take control of your email or social network accounts or any other online services you use.

How to create strong passwords
* Use numbers
* Include letters as well
* Combine upper and lower case
* Add symbols such as: @, #, ? or %
* Where possible, it should be a minimum of eight characters long. The longer it is, the more difficult it will be to guess
* Never use a sequence of numbers or letters: 123456, 987654, abc123
* Don’t use a sequence of adjacent keyboard letters either: qwer123; asd987
* Ideally, your passwords shouldn’t be something directly related to you. Don’t use your name or date of birth

Things you shouldn’t do with your password
* Use the same password for different services, social networks, online banking, etc. If you always use the same one and someone gets hold of it, they will have access to your entire digital world.
* Write it down somewhere: mobile phone, address book, etc. Neither should you leave it next to your computer!
* Leave it stored in browser histories. Even though it’s more hassle, it’s better to enter your password manually whenever you visit a site.

What you should do with your passwords
* There are many tools available on the Internet to check their strength.

* Change them from time to time.

* Use a password manager like the one in Panda Global Protection 2014. This way, you will only have to remember one password and, as you don’t have to memorize all of them, you can set different, more complex passwords for each service.
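As an added example (not part of the post), a small Python checker that applies the rules above to a candidate password and reports which ones it breaks. The keyboard rows, the three-character run length and the optional list of personal tokens (name, birth year) are my assumptions.

```python
"""Check a candidate password against the rules in the post above.
Added example, not from the post; keyboard rows, the three-character run
length and the optional personal-token list are assumptions."""
import string

# Assumed US keyboard rows used to spot adjacent-key runs such as "qwer" or "asd".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
RUN_LEN = 3  # assumed: three stepping characters count as a sequence (abc, 123, 987)


def has_sequence(pw, n=RUN_LEN):
    """True if pw contains n alphanumerics that each step up or down by one (123, abc, 987)."""
    for i in range(len(pw) - n + 1):
        w = pw[i:i + n]
        if not w.isalnum():
            continue
        steps = {ord(w[j + 1]) - ord(w[j]) for j in range(n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(pw, n=RUN_LEN):
    """True if pw contains n characters that sit side by side on one keyboard row."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        w = low[i:i + n]
        if any(w in row or w in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.
    personal: tokens that must not appear, e.g. the user's name or birth year."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("not a mix of upper and lower case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    if has_sequence(pw):
        problems.append("contains a sequence such as 123 or abc")
    if has_keyboard_run(pw):
        problems.append("contains adjacent keyboard keys such as qwe or asd")
    low = pw.lower()
    for token in personal:
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"contains personal information: {token}")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "Marta" stands in for the user's own name.
    for candidate in ("123456", "qwer123", "Marta#2014Lx", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate, personal=("Marta",)) or "OK")
```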

Outlook.com Android App Leaves Email Messages Exposed

Researchers find Outlook.com emails unprotected by default on SD cards.
A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device’s SD cards, researchers say.

Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. “Anyone can grab that and walk away,” Cabetas says.

Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it’s not a feature that’s integrated with the Outlook.com service or app. “Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that.”

Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. “I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”

Other apps on the phone also could access the emails. “Any app on the phone can read that information on the SD card. They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”

Cabetas and his team contacted Microsoft’s Security Response Center about the security weakness in the app, but Cabetas says Microsoft’s response was that this was an issue with the device itself and outside the scope of the app and Microsoft’s own security model.

A Microsoft spokesperson provided this statement in response to a press inquiry about the research:

Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.

Include’s Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. “As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”

He recommends that users use full disk encryption for Android and SD card file systems, and the USB debugging (under the Developer Options setting) should be turned off.

Include says in a blog post that will be posted today:

Alternatively, Outlook.com for Android could use third-party addons (such as SQLcipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.

Kelly Jackson Higgins is Senior Editor at DarkReading.com.

Chinese Hacking Charges a Wakeup Call for Both China & US Businesses

Indictments open the door for more aggressive US litigation of intellectual property theft by China — but with possible costs to US businesses.
Call it a calculated risk: The US Department of Justice conducted an unprecedented naming and shaming yesterday of five members of an infamous Chinese military unit known for spying on US companies for intellectual property and other valuable commercial intelligence.

A day after pictures of the men (two in military uniform) were plastered on the FBI’s Most Wanted posters, the fallout already has begun. No one expects China to extradite the defendants to the US, to fess up to stealing corporate secrets from US firms to assist its state-owned businesses, or to promise to curtail that activity. The hope is that the aggressive US strategy of taking very public legal action against China’s cyberespionage activity at the least will send a chill among China’s advanced persistent threat operatives.

As expected, China has strongly denied the charges, which cite specific incidents of cybertheft from major US corporations by the five defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of China’s People’s Liberation Army in Shanghai. Chinese officials confronted the US ambassador to China, Max Baucus, about the indictment and warned that it would have consequences. Today officials released data from the nation’s CERT that they say shows US botnet servers controlling 1.18 million host machines in China.

“This is the first salvo in a tit-for-tat that is going to go on. China is going to retaliate,” says Timothy Ryan, a managing director with Kroll Advisory Solutions’ cyber investigations practice and a former FBI official who headed its cybersquad.

That may mean an escalation of targeted hacking, experts say. But retaliatory hacking could backfire on China, which is now under criminal scrutiny by the US and could face further exposure and indictments of its hackers. Robert Anderson, executive assistant director of the FBI, said yesterday that criminal charges for such activity by China or other nations would be “the new normal,” and that the indictment opens the floodgates for other charges.

“The United States has chosen the old stick and carrot approach — rewards and punishments — when it comes to conducting cyber diplomacy with China. What we are seeing now with the announcement yesterday is the stick, a shot across the bow, and it should be taken seriously by the Chinese. In the past few weeks, the US was primarily using the carrot as an incentive,” says Franz-Stefan Gady, senior fellow with the EastWest Institute. “It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions.”

Though China quit the new China-US working group on cyber security yesterday in protest of the latest developments, Gady says China isn’t likely to make any moves to derail the recent military dialogue between US Secretary of Defense Chuck Hagel and General Chang Wanquan.

Also, Gady doesn’t expect the indictment controversy to hurt the US-China anti-spam collaboration effort, which the EastWest Institute helped establish in February 2011. “I do think that cooperation on the technical level will continue unhindered. The great thing, but also the downside, of tech-tech cooperation is that it is inherently apolitical and not subject to temporary political ill winds.”

It is highly unlikely that the five indicted members of Unit 61398 will ever be tried for these crimes, but they now have some significant travel restrictions. “If they have kids in school in other countries,” the members won’t necessarily be free to travel there, says Michael Quinn, associate managing director with Kroll’s Cyber Investigations Practice and a former FBI supervisory special agent in the Cyber Division. “If they want to see their kid graduate” from a US college, “they may not travel there now, because they’re going to get arrested.” They also could be taken into custody “if they are IDed outside the country somewhere friendly to the US.”

Quinn says the indictment handed down yesterday had been in the works for a long time. “What we saw yesterday was the outcome of a very long process.”

And experts say there are plenty more in the pipeline.

The indictment also may have some unintended consequences for the victim organizations named in the case, which include Alcoa, US Steel, and Westinghouse. “It could go from the criminal realm to the civil realm,” Ryan says. “Now that these very persistent breaches were made public, you’re going to have shareholders asking you: What did you do? When did you know it? How many times were you breached? Was this in the prospectus?”

Kristen Verderame, CEO of Pondera International, says the DOJ move should be a wakeup call for US companies doing business in China and with Chinese companies. “It will open the eyes of US companies to the dangers. If you are doing joint ventures, you need to have your cyber security [strategy] up front and be very careful” sharing information electronically, for example. “If you deal with China, you have to do so with your eyes open.”

That level of scrutiny could make it more difficult for China to steal intellectual property from its corporate US partners without the threat of exposure by US law enforcement, experts say. China culturally is loath to such public embarrassment, they say.

“The US is looking to get some sort of agreement from China… that moderates their behavior,” Ryan says. “I don’t think anyone would fault China for spying to protect its political and economic security… but you can’t have it both ways. You can’t be a capitalist nation but use a state-sponsored apparatus to create this uneven playing field. That’s no different than China subsidizing all exports so no one [from other countries] can compete in China.”

This new pressure on China to dial back its cyberspying for commercial profit is unlikely to yield major results anytime soon. “I wouldn’t think these allegations will stop the Chinese in stealing trade secrets, as I’m sure they will change their TTPs [tactics, techniques, and procedures] and will likely start looking for a mole or any internal leaks,” says John Pirc, CTO of NSS Labs and a former CIA agent.

By Kelly Jackson Higgins
Senior Editor at DarkReading.com.

Remove Malware Using These 8 Free Tools!

Malware is a menace, and it’s gaining prominence with each day.

Tuesday, May 13, 2014: Hackers today are not only becoming increasingly successful in finding new ways to break into computers, but achieving a one hundred per cent success rate at the same time. Cybersecurity firms are witnessing a rampant multiplication of categories of cyberattacks that now range from malware and spyware to highly sophisticated breaches directed towards large businesses/enterprises. Today we bring you a list of 8 free tools to get rid of malware.

1. Ad-Aware

Anti-spyware and anti-virus program developed by Lavasoft that detects and removes malware, spyware and adware on a user’s computer.

2. Emsisoft Emergency Kit

The Emsisoft Emergency Kit contains a collection of programs that can be used without software installation to scan for malware and clean infected computers.

3. Norman Malware Cleaner

This simple and user-friendly tool not only detects malicious software but also removes it from your computer. Downloading and running the program will clean an infected system completely.

4. SUPERAntiSpyware

Shareware which can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect malware, SUPERAntiSpyware is not designed to replace antivirus software.

5. Spybot

Spybot Search & Destroy is a set of tools for finding and removing malicious software. The immunisation feature preemptively protects the browser against threats. System scans and file scans detect spyware and other malicious software and eradicate it.

6. Combofix

Executable software intended for users with advanced computer skills, to be run only on occasions where a regular antivirus would not detect certain malware, or where an antivirus cannot update or otherwise function.

7. Microsoft Security Scanner

Free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

8. Malwarebytes Anti-Malware

Made by Malwarebytes Corporation, it was first released in January 2008 and is available in a free version, which scans for and removes malware when started manually.

Saurabh Singh, EFYTIMES News Network