WEEKLY SECURITY BRIEF: July 14 2015

secmat1

UPDATES: Microsoft Patch Tuesday: Critical Updates for RDP and Explorer

There are urgent fixes required for Internet Explorer, as one more zero day is added to the growing pile of fallout from the Hacking Team hack. This flaw is being actively exploited by hackers, so IE users need to get the patch on ASAP. There are equally urgent fixes to apply for RDP (Remote Desktop Protocol), Office and Windows because of active exploits in play. Other fixes address remote code execution and elevation of privilege issues.

THE BIG STORY: Get the Flash Outta Here!
Or better yet – how many zero days can you release in a week? Seriously, the time has come and the time is now to get rid of Adobe Flash Player. After Hacking Team got hacked a week ago Sunday, some of the spillage included several zero day vulnerabilities they had been sitting on. And while Flash seems to be a manufacturing plant of flaws, that was no excuse. Hackers have been lying in wait for the good stuff to emerge. When it did, they were ready and jumped all over it. Exploits are booming. If we thought we had problems with folks clicking on stuff they shouldn’t before this, it’s going to be malware-palooza if Flash remains enabled. Mozilla was first to take direct action, and Firefox has blacklisted Flash Player. Who’s next?

Java Zero Day

Adding to all the fun is a zero day for Java, due to a flaw Oracle has not yet patched. Note that this is the first Java exploit to be reported in almost 2 years. And because of the way Oracle does things, users cannot downgrade to earlier versions which aren’t susceptible. A cybercrime group, Pawn Storm, possibly out of Russia, has been using this nifty little flaw in their attacks on various nation-states, governments and armed forces. Yes, like in “War Games”. The recommendation by security experts is to disable Java in browsers for now until it’s patched, especially given the triple-header of Flash zero days on hand.

Oh Windows XP Users …

With all this talk of zero days, folks still using Win XP have not been getting any security patches since April 2014. Just imagine. Today, support for Microsoft’s Malicious Software Removal Tool and its updates officially ends. There will be no more. But there are still approximately 180 million users out there, which amounts to 12% of all Windows users. Be warned: an anti-virus product isn’t going to fix Windows vulnerabilities and flaws. If the saying holds true that you get what you pay for, then expect that you will pay for not upgrading to a patchable, safer version of Windows.
And let’s not forget Windows Server 2003. Its End of Life is also today.

https://grahamcluley.com/2015/07/anti-virus-updates/

The OpenSSL Patch or Much Ado about Nothing

Given all the advance hype leading up to this mysterious flaw and its urgent patch, I am happy to report that this issue is not another Heartbleed or worse. In fact, only newer versions of OpenSSL are affected.
Apparently, any application that verifies certificates, including SSL and TLS clients and servers, could be compromised by this problem: OpenSSL tries to find an alternative certificate chain if its first attempt to build a chain fails. Because of an error in the implementation of this logic, an attacker would be able to cause certain checks on untrusted certificates to be bypassed. They would then be able to forge a trusted certificate and set up Man in the Middle attacks. BUT this won’t have a widespread impact, as most web browsers currently do not use OpenSSL and are not affected. OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.

A New Threat in Corporate Espionage takes Wing

A corporate espionage group dubbed “Butterfly” has been raiding a varied selection of civilian firms for valuable intellectual property. The companies run the gamut: tech, legal, pharmaceuticals, commodities. Most are listed in the Fortune 200 and are publicly traded. Those attacked include multi-billion-dollar firms like Microsoft and Facebook.
What sets this group apart from other cybercrime gangs is that they are very well resourced, utilize customized malware tools and zero days, and are not going after credit card or customer data. They were first identified in 2013, then seemingly went undercover, but were actually operating without detection, hitting 49 companies in 20 countries. They track their prey to favoured online “watering holes” – sites visited frequently by people within the target company. Vigilance, anti-virus and intrusion detection systems are essential, as this group is disciplined and increasing its attacks.

TeslaCrypt/CryptoWall

TeslaCrypt is the newest variant of ransomware, having made its dubious debut in Feb 2015. It likes to target computer game files, like saves and profiles. And it has become a chameleon, taking on new identities, e.g. TeslaCrypt, AlphaCrypt and now pretending to be CryptoWall, with a variety of file extensions to match: .ecc, .ezz, .exx.
The latest version differs in its enhanced encryption. Bad news for victims, because at this time it is impossible to decrypt files hit by TeslaCrypt. And it now uses an HTML page and not a GUI. The methodology: a victim visits an infected website; malicious code uses vulnerabilities in the browser – or in plugins like Adobe Flash – to install the malware on the system. The best safeguard is backing up data daily, with the backups stored away from systems that could become infected.
https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/?utm_source=dlvr.it&utm_medium=twitter

Thanks for reading! 

Putting a Price Tag on Trust: The Home Depot Data Breach

In a year of huge data breaches, The Home Depot security breach is proving to be the biggest yet. Upwards of 60 million users in both Canada and the United States could be affected. Yet, Home Depot took too long to officially confirm the news once the story broke, and when they did, the damage was already done. Now, they are facing a lawsuit which will become precedent-setting because how do you put a price tag on trust?

Welcome to the pitfalls of retail responsibility in the age of data insecurity. No matter how businesses may try to spin them, data breaches mean trouble somewhere down the line, and given the money to be made they aren’t going away. Cybercrime is booming beyond anyone’s expectations. Hackers halfway around the globe are constantly upping the game in their quest for information to sell on the black market. That information happens to be a digital summation of our lives: where we live, what we’re worth, who we are. Those little plastic cards that run our lives can also ruin them in one stroke.

The technical details of how cybercriminals lift card numbers, usercodes, and passwords have been well documented over the past year. In fact, the US Department of Homeland Security issued a security advisory in late August warning businesses of the threat of Point of Sale or POS malware, in particular one called “Backoff” that stole information from credit cards (http://t.co/WiOpgp6c6M). It all comes down to a little piece of equipment we use every day. POS card readers are where we shop, eat, buy gas, withdraw money. And the scary truth is how easily they are tampered with. Crime rings buy or extort their way into modifying the actual hardware to mine data. Cybercriminals have figured out a less obvious route, using remote access to command and control the devices so they transmit the data without detection. It’s enough to make anyone paranoid.

Instead of being scared into action, however, businesses seem to have pulled the ostrich-hiding-its-head routine, hoping it would all go away. But it hasn’t gone away, and the lag time has only afforded the hackers more time to perfect their skills while we struggle to catch up. A full week passed before The Home Depot officially confirmed the real extent of the breach. The scope of those potentially caught in the hackers’ net is still being determined, with 60 million users a conservative estimate.

So just how do you tell 60 million users that their credit card data and other valuable personal information has just been released to the global criminal black market? There is no good way to spin that much bad news, not following recent announcements that Target, UPS, Supervalu grocery stores, several major US banks, and Dairy Queen had also been breached. Brian Krebs had revealed the hack attack on Target. On September 2, he broke the news on his website, KrebsOnSecurity, that “a massive batch of stolen credit and debit card information went on sale.” At the outset of the data breach, Home Depot shares dropped. Per an article in The Globe and Mail (trib.al/e8RZclg), shares in trading fell 3.4%. Now, they face a class-action lawsuit.

The reported costs of a data breach vary, but according to Alcott HR Group, it starts at $5 million for one incident, and another source claims that has now doubled. But the real loss is in what we cannot truly measure, and that is the very heart of retail business. How do you put a price tag on trust, consumer confidence and lost customers? Taking responsibility for your POS devices means taking the necessary actions to safeguard your customers. The rest of retail is about to learn an invaluable lesson at Home Depot’s considerable expense.