Top Ten Ways to Defend your Network against the Latest SSL Exploits

29 MAY 2014 | WHITE PAPER

Staying on top of the latest web exploits can be a challenge for Network Admins who are worried about simply keeping up with all the day-to-day management tasks required by a complex environment. This whitepaper details many of the most recent popular SSL-related exploits that your network is likely vulnerable to, along with simple steps you can immediately take to protect yourself.

Armed with the right tools and know-how, Network and Security Admins can take the right steps to lock down their networks against viable dangers. The reality is that brute-force attacks are not new, but they remain a viable danger to your network – even if you are securing it by more traditional means.

This article details many of the most prevalent SSL exploits that your network could be vulnerable to, ranging from not using HSTS (HTTP Strict Transport Security) to the more theoretical BEAST (Browser Exploit Against SSL/TLS) attacks. Most importantly, this paper offers some simple steps you can take to protect your network now. A few of the ten defense techniques you will learn are:

Disabling TLS Compression to defeat CRIME
Using HttpOnly Cookies to defeat Cross-Site Scripting
Supporting Secure Renegotiation to defeat Man-in-the-Middle attacks
And 7 other valuable techniques to strengthen your network’s security
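As an added example (not part of the white paper), the Python script below inspects a captured HTTP response for two of the header-level defenses listed above: an HSTS header with a sensible max-age and includeSubDomains, and the HttpOnly and Secure flags on every Set-Cookie. The sample responses and the one-year max-age threshold are constructed assumptions. TLS compression and secure renegotiation are configured in the TLS stack rather than in HTTP headers, so they are outside what a header check can see.

```python
"""Audit an HTTP/1.1 response header block for HSTS and cookie-flag weaknesses.
Added example, not code from the white paper; sample responses are constructed."""

# Assumed minimum HSTS max-age (one year in seconds); a policy choice for this example.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str):
    """Split a raw response (status line + headers) into (name, value) pairs.
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block; body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(headers):
    """Report a missing or weak Strict-Transport-Security header."""
    findings = []
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HSTS: Strict-Transport-Security header missing"]
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS: max-age directive missing or not an integer"]
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_cookies(headers):
    """Report every Set-Cookie that lacks the HttpOnly or Secure attribute."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        attrs = [p.strip().lower() for p in v.split(";")]
        name = attrs[0].split("=", 1)[0]
        flags = set(attrs[1:])  # value-less attributes match exactly
        if "httponly" not in flags:
            findings.append(f"Cookie {name!r}: HttpOnly flag missing")
        if "secure" not in flags:
            findings.append(f"Cookie {name!r}: Secure flag missing")
    return findings


def audit_response(raw: str):
    """Run all checks; an empty list means no findings."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_cookies(headers)


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"--- {label}")
        for finding in audit_response(raw) or ["no findings"]:
            print(" ", finding)
```

The weak sample yields four findings (no HSTS, the session cookie missing both flags, the prefs cookie missing HttpOnly); the hardened sample yields none. To audit a live service, feed it the header block from a captured response; the checks are pure functions over text.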

Outlook.com Android App Leaves Email Messages Exposed

Researchers find Outlook.com emails unprotected by default on SD cards.
A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device’s SD cards, researchers say.

Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. “Anyone can grab that and walk away,” Cabetas says.

Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it’s not a feature that’s integrated with the Outlook.com service or app. “Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that.”

Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. “I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”

Other apps on the phone also could access the emails. “Any app on the phone can read that” information on the SD card. “They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”

Cabetas and his team contacted Microsoft’s Security Response Center about the security weakness in the app, but Cabetas says Microsoft’s response was that this was an issue with the device itself and outside the scope of the app and Microsoft’s own security model.

A Microsoft spokesperson provided this statement in response to a press inquiry about the research:

Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.

Include’s Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. “As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”

He recommends that users enable full disk encryption for the Android and SD card file systems, and that USB debugging (under the Developer Options setting) be turned off.

Include says in a blog post that will be posted today:

Alternatively, Outlook.com for Android could use third-party addons (such as SQLCipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.

Kelly Jackson Higgins is Senior Editor at DarkReading.com.

Chinese Hacking Charges a Wakeup Call for Both China & US Businesses

Indictments open the door for more aggressive US litigation of intellectual property theft by China — but with possible costs to US businesses.
Call it a calculated risk: The US Department of Justice conducted an unprecedented naming and shaming yesterday of five members of an infamous Chinese military unit known for spying on US companies for intellectual property and other valuable commercial intelligence.

A day after pictures of the men (two in military uniform) were plastered on the FBI’s Most Wanted posters, the fallout already has begun. No one expects China to extradite the defendants to the US, to fess up to stealing corporate secrets from US firms to assist its state-owned businesses, or to promise to curtail that activity. The hope is that the aggressive US strategy of taking very public legal action against China’s cyberespionage activity at the least will send a chill among China’s advanced persistent threat operatives.

As expected, China has strongly denied the charges, which cite specific incidents of cybertheft from major US corporations by the five defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of China’s People’s Liberation Army in Shanghai. Chinese officials confronted the US ambassador to China, Max Baucus, about the indictment and warned that it would have consequences. Today officials released data from the nation’s CERT that they say shows US botnet servers controlling 1.18 million host machines in China.

“This is the first salvo in a tit-for-tat that is going to go on. China is going to retaliate,” says Timothy Ryan, a managing director with Kroll Advisory Solutions’ cyber investigations practice and a former FBI official who headed its cybersquad.

That may mean an escalation of targeted hacking, experts say. But retaliatory hacking could backfire on China, which is now under criminal scrutiny by the US and could face further exposure and indictments of its hackers. Robert Anderson, executive assistant director of the FBI, said yesterday that criminal charges for such activity by China or other nations would be “the new normal,” and that the indictment opens the floodgates for other charges.

“The United States has chosen the old stick and carrot approach — rewards and punishments — when it comes to conducting cyber diplomacy with China. What we are seeing now with the announcement yesterday is the stick, a shot across the bow, and it should be taken seriously by the Chinese. In the past few weeks, the US was primarily using the carrot as an incentive,” says Franz-Stefan Gady, senior fellow with the EastWest Institute. “It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions.”

Though China quit the new China-US working group on cyber security yesterday in protest of the latest developments, Gady says China isn’t likely to make any moves to derail the recent military dialogue between US Secretary of Defense Chuck Hagel and General Chang Wanquan.

Also, Gady doesn’t expect the indictment controversy to hurt the US-China anti-spam collaboration effort, which the EastWest Institute helped establish in February 2011. “I do think that cooperation on the technical level will continue unhindered. The great thing, but also the downside, of tech-tech cooperation is that it is inherently apolitical and not subject to temporary political ill winds.”

It is highly unlikely that the five indicted members of Unit 61398 will ever be tried for these crimes, but they now have some significant travel restrictions. “If they have kids in school in other countries,” the members won’t necessarily be free to travel there, says Michael Quinn, associate managing director with Kroll’s Cyber Investigations Practice and a former FBI supervisory special agent in the Cyber Division. “If they want to see their kid graduate” from a US college, “they may not travel there now, because they’re going to get arrested.” They also could be taken into custody “if they are IDed outside the country somewhere friendly to the US.”

Quinn says the indictment handed down yesterday had been in the works for a long time. “What we saw yesterday was the outcome of a very long process.”

And experts say there are plenty more in the pipeline.

The indictment also may have some unintended consequences for the victim organizations named in the case, which include Alcoa, US Steel, and Westinghouse. “It could go from the criminal realm to the civil realm,” Ryan says. “Now that these very persistent breaches were made public, you’re going to have shareholders asking you: What did you do? When did you know it? How many times were you breached? Was this in the prospectus?”

Kristen Verderame, CEO of Pondera International, says the DOJ move should be a wakeup call for US companies doing business in China and with Chinese companies. “It will open the eyes of US companies to the dangers. If you are doing joint ventures, you need to have your cyber security [strategy] up front and be very careful” sharing information electronically, for example. “If you deal with China, you have to do so with your eyes open.”

That level of scrutiny could make it more difficult for China to steal intellectual property from its corporate US partners without the threat of exposure by US law enforcement, experts say. China culturally is loath to such public embarrassment, they say.

“The US is looking to get some sort of agreement from China… that moderates their behavior,” Ryan says. “I don’t think anyone would fault China for spying to protect its political and economic security… but you can’t have it both ways. You can’t be a capitalist nation but use a state-sponsored apparatus to create this uneven playing field. That’s no different than China subsidizing all exports so no one [from other countries] can compete in China.”

This new pressure on China to dial back its cyberspying for commercial profit is unlikely to yield major results anytime soon. “I wouldn’t think these allegations will stop the Chinese in stealing trade secrets, as I’m sure they will change their TTPs [tactics, techniques, and procedures] and will likely start looking for a mole or any internal leaks,” says John Pirc, CTO of NSS Labs and a former CIA agent.

By Kelly Jackson Higgins
Senior Editor at DarkReading.com.

Remove Malware Using These 8 Free Tools!

Malware is a menace, and it’s gaining prominence with each day.

Tuesday, May 13, 2014: Hackers today are not only becoming increasingly successful at finding new ways to break into computers, but are achieving a one hundred per cent success rate at the same time. Cybersecurity firms are witnessing a rampant multiplication of cyberattack categories, which now range from malware and spyware to highly sophisticated breaches directed at large businesses and enterprises. Today we bring you a list of 8 free tools to get rid of malware.

1. Ad-Aware

An anti-spyware and anti-virus program developed by Lavasoft that detects and removes malware, spyware and adware on a user’s computer.

2. Emsisoft Emergency Kit

The Emsisoft Emergency Kit contains a collection of programs that can be used without software installation to scan for malware and clean infected computers.

3. Norman Malware Cleaner

This simple and user-friendly tool not only detects malicious software but also removes it from your computer. Downloading and running the program will clean an infected system completely.

4. SUPERAntiSpyware

Shareware that can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect malware, SUPERAntiSpyware is not designed to replace antivirus software.

5. Spybot

Spybot Search & Destroy is a set of tools for finding and removing malicious software. The immunisation feature preemptively protects the browser against threats. System scans and file scans detect spyware and other malicious software and eradicate it.

6. Combofix

A standalone executable intended for users with advanced computer skills, to be run only when a regular antivirus would not detect certain malware, or when an antivirus cannot update or otherwise function.

7. Microsoft Security Scanner

A free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works alongside your existing antivirus software.

8. Malwarebytes Anti-Malware

Made by Malwarebytes Corporation, it was first released in January 2008 and is available in a free version, which scans for and removes malware when started manually.

Saurabh Singh, EFYTIMES News Network

The Heartbleed Hit List

The Heartbleed Hit List: The Passwords You Need to Change Right Now

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

But it hasn’t always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We’ve rounded up their responses below.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn’t already compromised, but there’s also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you’ll need to change the password everywhere. It’s not a good idea to use the same password across multiple sites, anyway.

We’ll keep updating the list as new information comes in.

Social Networks Affected

New variant of Zorenium Bot can infect iOS devices

by paganinip on March 22nd, 2014

Security analysts at SenceCy, who are monitoring the development of the new Zorenium Bot, discovered that it is also able to infect iOS devices.
Security analysts at SenceCy are monitoring the evolution of the Zorenium Bot, a new and largely unknown malware that has been advertised in the underground since January 2014.

This is the third article in two days on cybercriminal activity against the mobile industry, demonstrating cybercrime’s strong interest in exploiting such powerful and widespread platforms.

Zorenium Bot seems to be an ongoing project; the authors released new updates this month, and probably the most important improvement announced is the ability to infect Apple iOS devices. Apple iOS devices running versions 5 up to 7 could be infected by the Zorenium Bot, exactly like Linux- and Windows-based machines.

The entry-level Zorenium bot costs 350 GBP; the price rises to over 5000 GBP if the build includes advanced features such as P2P communication with the C&C, or an i2p-based C&C.

The authors of Zorenium Bot have updated the rootkit to TDL4 (Alureon), a very common rootkit that has been around for several years and has been used in numerous large botnets. Recent versions of TDL4 have several advanced capabilities, including the ability to bypass some Windows code-signing requirements.

The security analysts consider the Zorenium Bot very insidious because it still goes undetected by most AV vendors.

The Zorenium Bot is an extremely versatile malware: it can be used for surveillance thanks to its form-grabbing and remote-monitoring features, for financial fraud thanks to its banking-Trojan capabilities, to run DDoS attacks, to act as a bot-killing agent, and to mine Bitcoin.

Zorenium has been advertised on Pastebin; the full release notes for the latest version of the Zorenium bot provide detailed information on the malware’s functionality.

According to the developers, Zorenium bot is still in beta; future releases could include more features that make the botnet more resilient.

Pierluigi Paganini

(Security Affairs – Zorenium bot, cybercrime)