Category Archives: Encryption

What You Should Know About the ‘KRACK’ WiFi Security Weakness


Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available for your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example, can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

The Russian Company That Is a Danger to Our Security

Eugene Kaspersky, the founder of Kaspersky Lab, is a graduate of the KGB’s elite cryptology institute and was a software engineer for Soviet military intelligence.

MADBURY, N.H. — The Kremlin hacked our presidential election, is waging a cyberwar against our NATO allies and is probing opportunities to use similar tactics against democracies worldwide. Why then are federal agencies, local and state governments and millions of Americans unwittingly inviting this threat into their cyber networks and secure spaces?

That threat is posed by antivirus and security software products created by Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence. To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software.

Kaspersky Lab insists that it has “no inappropriate ties with any government.” The company’s products, which are readily available at big-box American retailers, have more than 400 million users around the globe. And it provides security services to major government agencies, including the Department of State, the National Institutes of Health and, reportedly, the Department of Defense.

But at a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials. Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

The firm’s billionaire founder, Eugene Kaspersky, graduated from the elite cryptology institute of the K.G.B., the Soviet Union’s main intelligence service, and was a software engineer for Soviet military intelligence. He vehemently dismisses concerns that his company assists Russia’s intelligence agencies with cyberespionage and claims that he is the target of Cold War-style conspiracy theories. But Kaspersky Lab has committed missteps that reveal the true nature of its work with Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.

Bloomberg recently reported on emails from October 2009 in which Mr. Kaspersky directs his staff to work on a secret project “per a big request on the Lubyanka side,” a reference to the F.S.B.’s Moscow offices. The McClatchy news service uncovered records of the official certification of Kaspersky Lab by Russian military intelligence, which experts in this field call “persuasive public evidence” of the company’s links to the Russian government.

The challenge to United States national security grew last year when the company launched a proprietary operating system designed for electrical grids, pipelines, telecommunications networks and other critical infrastructure. The Defense Intelligence Agency recently warned American companies that this software could enable Russian government hackers to shut down critical systems.

Beyond the evidence of direct links between Mr. Kaspersky and the Russian government, we cannot ignore the indirect links inherent in doing business in the Russia of President Vladimir Putin, where oligarchs and tycoons have no choice but to cooperate with the Kremlin. Steve Hall, former C.I.A. station chief in Moscow, told a reporter: “These guys’ families, their well-being, everything they have is in Russia.” He added that he had no doubt that Kaspersky Lab “could be, if it’s not already, under the control of Putin.”

The technical attributes of antivirus software amplify the dangers from Kaspersky Lab. Mr. Kaspersky might be correct when he says that his antivirus software does not contain a “backdoor”: code that deliberately allows access to vulnerable information.

But a backdoor is not necessary. When a user installs Kaspersky Lab software, the company gets an all-access pass to every corner of a user’s computer network, including all applications, files and emails. And because Kaspersky’s servers are in Russia, sensitive United States data is constantly cycled through a hostile country. Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.

The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what they fear is already a huge breach of national security data. When broad defense legislation comes before the Senate in the weeks ahead, they hope to amend it to ban Kaspersky software from all of the federal government.

Americans were outraged by Russia’s interference in our presidential election, but a wider threat is Russia’s doctrine of hybrid warfare, which includes cybersabotage of critical American infrastructure from nuclear plants to electrical grids. Kaspersky Lab, with an active presence in millions of computer systems in the United States, is capable of playing a powerful role in such an assault. It’s time to put a stop to this threat to our national security.
Do your own research and then decide whether you want Kaspersky software on your PC at home.


Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA


The latest sweeping ransomware assault bears some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the Shadow Brokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”
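As an added illustration of the credential-harvesting and lateral-movement pattern described above (not code from the article or from any firm quoted in it): a small Python detector that flags PsExec and WMI remote process launches in process-creation records and raises a separate alert when one account fans out to several hosts, which is the "instruct all other PCs" behaviour the quote describes. The record shape, host names and accounts are constructed sample data, and the pushed payload is replaced by a literal placeholder token.

```python
"""Flag PsExec / WMI remote process launches and the fan-out pattern a
self-propagating worm produces when one compromised admin account pushes
a payload to many hosts.  Added example: the record shape below is a
constructed simplification of Windows 4688 / Sysmon event 1 fields."""
import re
from collections import defaultdict

# Constructed sample events: host names, accounts and paths are placeholders,
# and the remote payload is replaced by the literal token PLACEHOLDER.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"ts": 2, "host": "WS01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": r'wmic.exe /node:"WS02" process call create "PLACEHOLDER"'},
    {"ts": 3, "host": "WS01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": r'wmic.exe /node:"WS03" process call create "PLACEHOLDER"'},
    {"ts": 4, "host": "WS01", "user": r"CORP\svc_backup",
     "image": r"C:\Tools\PsExec.exe", "cmd": r"PsExec.exe \\WS04 -s PLACEHOLDER"},
    {"ts": 5, "host": "WS07", "user": r"CORP\bob",
     "image": r"C:\Tools\PsExec.exe", "cmd": r"PsExec.exe \\FS01 ipconfig"},
    {"ts": 6, "host": "WS04", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
]

# wmic ... /node:<host> ... process call create  => remote launch via WMI
WMI_REMOTE = re.compile(
    r'wmic(?:\.exe)?\s.*?/node:\s*"?([^\s"]+)"?.*?\bprocess\s+call\s+create\b', re.I)
# psexec \\<host> ...  => remote launch via PsExec
PSEXEC_CLIENT = re.compile(r"psexec(?:\.exe)?\s+\\\\(\S+)", re.I)


def remote_target(event):
    """Return (tool, target_host) if the command line launches a process on
    another machine, else None."""
    m = WMI_REMOTE.search(event["cmd"])
    if m:
        return ("wmi", m.group(1).upper())
    m = PSEXEC_CLIENT.search(event["cmd"])
    if m:
        return ("psexec", m.group(1).upper())
    return None


def is_psexec_service(event):
    """PSEXESVC.exe starting on a host is the receiving side of a PsExec launch."""
    return event["image"].lower().endswith("\\psexesvc.exe")


def analyze(events, fanout_threshold=3):
    """Summarise remote launches, per-actor fan-out and PsExec service installs.
    A production rule would also bound the fan-out count by a time window."""
    remote_launches = []
    targets_by_actor = defaultdict(set)
    service_hosts = set()
    for ev in events:
        hit = remote_target(ev)
        if hit:
            tool, target = hit
            remote_launches.append((ev["host"], ev["user"], tool, target))
            targets_by_actor[(ev["host"], ev["user"])].add(target)
        if is_psexec_service(ev):
            service_hosts.add(ev["host"])
    fanout = [(actor, sorted(t)) for actor, t in targets_by_actor.items()
              if len(t) >= fanout_threshold]
    return {"remote_launches": remote_launches, "fanout": fanout,
            "psexec_service_hosts": sorted(service_hosts)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(key, value)
```

A single admin running one remote command (the WS07 event) stays below the fan-out threshold and is only listed as a remote launch, which is the distinction that keeps this rule from paging on routine administration.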

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

The first place to start: make sure your systems have the latest patches and updates!

Android Banking Trojans Now Include Ransomware

The newest generation of banking Trojans is now equipped with ransomware, creating a hybrid malware. The primary function of banking Trojans is still to collect login credentials for banking portals and instant messaging applications. However, with the addition of ransomware, cybercriminals are increasing the odds that they collect on every device that has been infected.

Mobile Banking Trojans

If you own a smartphone, it’s very likely you also have a bank card. Since banks use mobile phone numbers for authorization, it makes sense for cybercriminals to penetrate this channel of communication to execute payments and transfers from your account. Banking Trojans are the most prominent mobile threat, constituting over 95% of mobile malware. Over 98% of mobile banking Trojan attacks target Android devices, which should also come as no surprise, as Android is the most popular platform for mobile devices.

How do cybercriminals infiltrate Android devices with banking Trojans? Trojans are less dangerous than viruses because they require action on the user’s end; however, through social engineering, cybercriminals lure users into performing such actions. Trojans can mimic applications and prompt the user to run an important update or activate a bonus level for their favorite game. Exploits are also able to run the malware automatically once the user accidentally executes the malicious file. Once the malware is installed, there are three major methods that banking Trojans employ:

  • Hiding Text Messages: Malware on phones hides incoming SMS from banks and then sends them to cybercriminals who then proceed to transfer money to their accounts.
  • Small Cash Movements: Cybercriminals will occasionally transfer relatively small amounts of money to fraudulent accounts from an infected user’s account, hoping it won’t be noticed so that they can continue to do so.
  • App Mirroring: Malware mimics a bank’s mobile application and gathers login credentials on the infected device. Once the credentials are gathered, cybercriminals are able to perform the two actions above.

Banking Trojans with Ransomware

Not all users who have been infected with an Android banking Trojan use banking applications, which is where the ransomware features come into play. The ransomware essentially acts as a backup plan for cybercriminals to increase their chances of extracting some form of payment from their victims.

Android.SmsSpy, Fanta SDK, and Svpeng are the first banking Trojans to add ransomware-like features to their malware, locking the user’s screen with a random PIN. This feature is meant to keep users busy while cybercriminals initiate fraudulent transactions. While the user is trying to figure out how to unlock their phone, hackers hope the victim will be too busy to see the text or email alerts they receive for large or fraudulent transactions on their bank account. This gives cybercriminals hours, or even days, to transfer the stolen money to different bank accounts and withdraw it from ATMs. By the time it’s discovered, police will be unable to identify the criminals, as the money has likely been transferred through several fake bank accounts before being cashed out.

Faketoken and Tordow 2.0

Faketoken and Tordow 2.0 are the first to fully implement ransomware into their banking Trojans. Faketoken’s primary function is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. Creators of Faketoken have now added the capability to encrypt user files stored on the phone’s SD card. Once the relevant command is received, the Trojan compiles a list of files located on the device and encrypts them.

Tordow 2.0 can make phone calls, control text messages, download and install programs, steal login credentials, access contacts, visit web pages, manipulate banking data, remove security software, reboot devices, rename files, encrypt files, and act as ransomware. To date, Tordow 2.0 has infected 16,000 devices in 27 countries with most of them located in Russia, Ukraine, Germany, and Thailand.

Once infected with the ransomware feature, victims will see something similar to the image below appear on their screens.

With the fully integrated ransomware feature, cybercriminals are targeting the least technically savvy users possible. If you think about it, encrypting files on a mobile device is essentially pointless. The point of ransomware is to encrypt files on a device and demand a ransom for the decryption key. However, many files stored on mobile devices are backed up by cloud services. Therefore, users who have been infected could easily wipe their phone clean and download all their files from the cloud service they use. If they haven’t backed up for a while, some data may be lost, but it typically wouldn’t be anything of great value.

Outlook

It’s still very early in the development of banking Trojans paired with ransomware. Thus, the encryption of files likely serves the same purpose as locking users’ screens: giving cybercriminals time to perform fraudulent transfers before users can figure out how to restore their mobile phones.

We recommend that Android users only install applications from the official Google Play store and make sure that their phones don’t allow the installation of applications from unknown sources. Lastly, it’s a good idea to read user reviews and only download highly rated applications.

Ransomware Incidents at Health Organizations are now Classified as a Data Breach


According to new guidelines issued by the United States Department of Health and Human Services (HHS), ransomware incidents in HIPAA-regulated organizations are now classified as a data breach. HIPAA is the Health Insurance Portability and Accountability Act, which must be followed by any health care provider who transmits health information in electronic form. In America, with the use of electronic medical records, this means just about every health care provider.

To most security professionals, this is an unusual approach, as a data breach has previously indicated the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”

Although there have been rumors of ransomware that steals data, there is still no proof of any such ransomware in the wild.

The HHS has codified a breach as the following:

“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”

In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.)

In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health Information has been compromised.” However, the 4-step risk assessment is geared more towards a general malware outbreak than a ransomware event.

Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hopes for some bites on their phishing lures.

Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data.

The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers.

Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected.

Of course, the best protections against ransomware remain the same:

  • A layered defense;
  • Good backups that are stored offline and regularly tested;
  • Security awareness training for all staff;
  • Access controls;
  • Vulnerability assessments and penetration testing (including hunt team exercises);
  • Maintaining a patch management strategy.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor.

Police Want to 3D Print a Dead Man’s Fingers to Unlock His Phone


Asking Apple to help break an iPhone is so three months ago. Police have a new, and higher-tech idea: 3D print the fingers of a dead man and use those fingerprints to unlock the phone instead.

Michigan State University professor Anil Jain—who has been assigned six U.S. patents on fingerprint recognition—told Fusion that police showed up at his lab to ask for help in catching a murderer in an ongoing investigation. They had scans of the victim’s fingerprints from a previous arrest and thought that unlocking his phone (the make and model weren’t divulged) might provide clues as to who killed him.

Jain and his PhD student Sunpreet Arora have already printed all 10 digits using the scans and coated them in a layer of metallic particles to mimic how conductive skin is and make them easier to read. The final 3D-printed fingers aren’t finished, but they’ll be ready for police to try out in a matter of weeks.

It’s possible that the whole move will be futile, because many phones that use biometric data require a PIN to be entered if it hasn’t been used in two days. If that’s the case, a fingerprint won’t unlock anything.

The legality of this move is still up in the air, but the case is further proof that fingerprints, while cool, are not really the safest way of securing our private data.

Not that it matters for a dead man, but in 2014 a judge ruled that suspects can be required to unlock a phone with a fingerprint. While the Fifth Amendment protects the right to avoid self-incrimination and makes it illegal to force someone to give out a passcode, biometric indicators like fingerprints are not covered by the Fifth Amendment, according to the ruling.

Maybe it’s time to go back to a 6-8 digit PIN.

Weak Passwords Pose Cybersecurity Risk for Campus Networks

Colleges and universities already present prime targets for hackers, and easily guessable passwords make the problem worse.

Using a weak password is the equivalent of laying out the welcome mat for hackers, but that hasn’t stopped some users from prioritizing convenience over password strength.

A SplashData analysis of 2 million passwords found that “123456” and “password” once again topped the list of the most popular passwords in 2015. Other frequently used passwords included “12345678,” “qwerty” and “12345.”

Easy to type and just as easy to guess, these risky passwords are especially problematic for colleges and universities, which not only have a large number of users accessing the network but also represent enticing targets for cybercriminals.

Higher ed IT professionals can help protect users’ personally identifiable information and researchers’ intellectual property by teaching faculty, staff and students the importance of strong passwords and passphrases.
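As an added example of the kind of check a campus identity team can put in front of account provisioning (not code from the article or from SplashData): a Python password checker that rejects the passwords named above and their trivial variants, keyboard walks and digit runs, while accepting long multi-word passphrases. The blocklist is seeded only from the five passwords on the page and stands in for a full breached-password list.

```python
"""Password acceptance check for an account-provisioning flow: rejects the
common passwords the SplashData list shows and their trivial variants,
keyboard walks and digit runs, while accepting long passphrases.
Added example; the blocklist is seeded from the page and stands in for a
full breached-password list."""
import re

# Seeded only from the passwords named on the page (constructed, partial list).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Reverse the usual substitutions so 'P@ssw0rd' normalises to 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
SUFFIX = re.compile(r"[\d!@#$%^&*.]+$")  # trailing '2015', '123!', '!' ...


def normalize(pw):
    """Lower-case, drop a digit/punctuation suffix and undo leet substitutions."""
    return SUFFIX.sub("", pw.lower()).translate(LEET)


def keyboard_walk(pw, min_len=5):
    """True if min_len+ consecutive characters run along a keyboard row or the
    digit row, forwards or backwards ('qwert', '12345', '54321')."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def check_password(pw, min_len=12, passphrase_words=4):
    """Return the list of reasons the password is rejected; [] means accepted."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    elif normalize(pw) in COMMON_PASSWORDS:
        reasons.append("trivial variant of a common password")
    if keyboard_walk(pw):
        reasons.append("keyboard walk or digit run")
    # Several separated words of decent total length count as a passphrase.
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    is_passphrase = len(words) >= passphrase_words and len(pw) >= 16
    if len(pw) < min_len and not is_passphrase:
        reasons.append(f"shorter than {min_len} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "qwerty2015!", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```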