Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC Information Security News


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Popular News

18 hours ago Feds slap PayPal with $25 million fine over credit service

IT Toolbox Blogs View Synopsis+1
It?s sad to see this happen. It may have a negative effect on a good service. Feds slap PayPal with $25 million fine over credit service

14 hours ago DDoS attack downs University of London learning platform

The Register View Synopsis+1
A harsh lesson, now stand in corridor for four hours

The University of London Computer Centre fell victim to a cyber-attack on Thursday.

18 hours ago Cybercriminals Use SVG Files to Distribute Ransomware

SecurityWeek View Synopsis+1

Researchers at email and web security company AppRiver spotted a campaign in which malicious actors attempted to distribute a piece of ransomware with the aid of SVG files.

The attack starts with an email that appears to have a resume attached to it. The file is a ZIP archive containing an SVG file.

18 hours ago Think factory reset wipes your data from Android phones? Think again

ZDNet View Synopsis+1
Researchers have found that 500 milllion handsets may still leave users' personal details accessible even after a full factory reset.

Top News

3 hours ago eBay bug turns phishing email links into malware-stuffed booby prizes

The Register View Synopsis+1
Crims could smuggle nasties in files 'downloaded' from web souk

eBay is racing to fix a second serious security flaw that may allow criminals to spread malware through files seemingly hosted by the online tat bazaar.

3 hours ago Clinton received sensitive info on private email account

Yahoo Security View Synopsis+1

WASHINGTON (AP) - Former Secretary of State Hillary Rodham Clinton received information on her private email account about the deadly attack on U.S. diplomatic facilities in Benghazi that was later classified "secret" at the request of the FBI, according to documents released Friday, underscoring lingering questions about how responsibly she handled sensitive information on a home server.

11 minutes ago Better Virus Prevention & Discovery Part 3

IT Toolbox Blogs View Synopsis+1
Here are some tips on preventing and handling virus infections: ¦    Computer viruses must be considered a fact of life, like the flu or the common cold. Assume that at some point one or more disks, USB devices, files or apps will ...

1 day ago The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange

Schneier blog View Synopsis+1

Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

Here's the academic paper.

One of the problems with patching the vulnerability is that it breaks things:

On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole.

This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn't patched. And it's the vulnerability the media is focusing on.

Much more interesting is the other vulnerability that the researchers found:

Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve -- the most efficient algorithm for breaking a Diffie-Hellman connection -- is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

The researchers believe the NSA has been using this attack:

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

Remember James Bamford's 2012 comment about the NSA's cryptanalytic capabilities:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: "Everybody's a target; everybody with communication is a target."

[...]

The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. "Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it," he says. The reason? "They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption."

And remember Director of National Intelligence James Clapper's introduction to the 2013 "Black Budget":

Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic."

It's a reasonable guess that this is what both Bamford's source and Clapper are talking about. It's an attack that requires a lot of precomputation -- just the sort of thing a national intelligence agency would go for.

But that requirement also speaks to its limitations. The NSA isn't going to put this capability at collection points like Room 641A at AT&T's San Francisco office: the precomputation table is too big, and the sensitivity of the capability is too high. More likely, an analyst identifies a target through some other means, and then looks for data by that target in databases like XKEYSCORE. Then he sends whatever ciphertext he finds to the Cryptanalysis and Exploitation Services (CES) group, which decrypts it if it can using this and other techniques.

Ross Anderson wrote about this, presumably quoting Snowden:

As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a "stolen cert", presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can't.

The analysts are instructed not to think about how this all works. This quote also applied to NSA employees:

Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: "Do not ask about or speculate on sources or methods underpinning Bullrun."

Again, the NSA has put surveillance ahead of security. It never bothered to tell us that many of the "secure" encryption systems we were using were not secure. And we don't know what other national intelligence agencies independently discovered and used this attack.

The good news is now that we know reusing prime numbers is not a good idea, we can stop doing so.

1 day ago Ransomware rescue kit released to combat criminal enterprise

ZDNet View Synopsis+1
A rescue kit designed for security professionals and system admins has been released to eradicate ransomware infections.

1 day ago Logjam Vulnerability: 5 Key Issues

InfoRiskToday View Synopsis+1
Don't Rush to Fix 20-Year-Old Flaw, Experts SayWhile the "Logjam" vulnerability raises serious concerns, there's no need to rush related patches into place, according to several information security experts. Learn the key issues, and how organizations must respond

14 hours ago Insurers Increasing Reliance On Risk Management To Combat Emerging Risks And Digital Disruption

Forbes View Synopsis+1
Persistent low growth combined with low interest rates are constricting the traditional sources of revenue for the insurance industry, creating an urgent need to seek out new sources of revenue and accelerate innovation.The industry is threatened by disintermediation and needs new, digital business models that leverage existing brands and customer [...]

13 hours ago NEWS ALERT: AdultFriendFinder users' online dating info compromised

SC Magazine View Synopsis+1
Hackers might have accessed and posted the information of up to 4 millions AdultFriendFinder users.

13 hours ago Hacking Virginia State Trooper Cruisers

Dark Reading View Synopsis+1
Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

12 hours ago Database of 4 million Adult Friend Finder users leaked for all to see

ArsTechnica View Synopsis+1
Casual dating service was breached more than a month ago.

8 hours ago CareFirst BlueCross BlueShield Breach (May 21, 2015)

SANS Newsbites View Synopsis+1

CareFirst BlueCross BlueShield has acknowledged that an attack on one of its databases compromised the personally identifiable information of 1.......

1 day ago Lenovo and the Terrible, Horrible, No Good, Very Bad Week

SANS Reading Room View Synopsis+1
For one week in February of 2015, the largest personal computer manufacturer in the world had a

1 day ago European carriers threaten net neutrality with ad blocking

TechRepublic View Synopsis+1
Mobile network operators in Europe are reportedly planning to strip out ads in order to coerce ad networks into giving the network operators a cut of the revenue. Here's how to protect your website.

Latest News

1 hour ago Adult dating site investigating breach of user data

Yahoo Security View Synopsis+1
The operator of a popular adult dating website said Friday it's investigating a data security breach following reports that hackers stole names, email addresses and information about the sexual orientation ...

1 hour ago Adult dating site investigating possible breach of user data

Yahoo Security View Synopsis+1
The operator of a popular adult dating website says it's investigating a potential security breach, following a report that hackers stole names, email addresses and information about the sexual preferences ...

1 hour ago 'The Google execs, the journalists, plus Brit and US spybosses in a cosy mansion confab'

The Register View Synopsis+1
Tinker, tailor, soldier, Silicon Valley wonks

A high-level private meeting between Silicon Valley execs, spies and others was held in the UK this month: on the agenda, the state of government surveillance, and what limits should be put on it.

4 hours ago Adult FriendFinder hack exposes MILLIONS of members

The Register View Synopsis+1
Users with a fetish for risky encounters in public spaces will be thrilled

Hackers have swiped and leaked the personal details and sexual preferences of 3.9 million users of hookup website Adult FriendFinder.

6 hours ago The Google execs, the journalists, plus Brit and US spybosses in a cosy mansion confab

The Register View Synopsis+1
Tinker, tailor, soldier, Silicon Valley wonks

A high-level private meeting between Silicon Valley execs, spies and others was held in the UK this month: on the agenda, the state of government surveillance, and what limits should be put on it.

6 hours ago Friday Squid Blogging: Giant Squid Washes Up in New Zealand

Schneier blog View Synopsis+1

The latest one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

8 hours ago Hospitals in at least 3 states affected by employee data breach

SC Magazine View Synopsis+1
Thousands of hospital patients in at least three states may have had their personal information compromised after MML data breach.

8 hours ago Manhattan Project for Cybersecurity R&D

InfoRiskToday View Synopsis+1
Citing as inspiration the Manhattan Project, in which the United States developed the atomic bomb during World War II, Sam Visner is leading an effort to get cybersecurity researchers to collaborate in developing new ways to defend cyberspace.

8 hours ago Export License for Zero-Days (May 21, 2015)

SANS Newsbites View Synopsis+1

The US Department of Commerce has proposed changes to the Wassenaar Agreement, seeking to impose more stringent rules for the export of zero-day exploits to entities outside the country.......

8 hours ago Medical Device Security Guidance for Developers (May 21, 2015)

SANS Newsbites View Synopsis+1

A paper titled "Building Code for Medical Device Software Security," offers guidance for developers.......

8 hours ago Thousands of Bellevue Hospital Center patients notified of data breach

SC Magazine View Synopsis+1
Roughly 3,300 patients have been notified that their personal information was included in a spreadsheet that was improperly emailed to an unauthorized recipient.

8 hours ago Study: 86 percent of websites contain at least one 'serious' vulnerability

SC Magazine View Synopsis+1
WhiteHat Security's "2015 Website Security Statistics Report" looks at vulnerabilities in websites and the amount of time it took to patch them.

9 hours ago Government ECM: Enhance Efficiency, Gain Control and Save Money with ECM

IT Toolbox Blogs View Synopsis+1

Government agencies are responsible for managing public records and record systems, while at the same time, maintaining ironclad information security to allow access to public information. What if it were possible for you to turn your existing system into an efficient, money saving system? Securing your information, decreasing manual processes and increasing your efficiency are principal reasons

9 hours ago FBI admits it didn't crack any major cases with Patriot Act powers

ZDNet View Synopsis+1
That was despite increasing its dragnet order count by more than two-fold.

9 hours ago Emerson Patches SQL Injection Vulnerability in ICS Product

SecurityWeek View Synopsis+1

Emerson's Process Management group has released a software update to address a SQL injection vulnerability in the Emerson AMS Device Manager product.

10 hours ago Proxemic sensing

IT Toolbox Blogs View Synopsis+1
Proxemic sensing is the technical term for sensing the proximity of people. While this can mean simply that a display lights up when you go near it, proxemic sensing can also interact with any mobile devices that you carry.

10 hours ago N VS G Router: What Is the Difference?

IT Toolbox Blogs View Synopsis+1
This post looks at the differences between the N and G routers.

10 hours ago Google: Account Recovery Security Questions Not Very Secure

Dark Reading View Synopsis+1
An analysis of millions of answers to security questions show many are predictable and easily guessable, says Google.

10 hours ago USPS Tracking Queries to Its Package Tracking Website

Schneier blog View Synopsis+1

A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website.

10 hours ago 3 new iOS 9 features were just revealed in a huge new leak

Yahoo Security View Synopsis+1
9to5Mac's Mark Gurman has been all over iOS 9 leaks this week and he's back with a new report today that outlines more features the new software will deliver. In the preface to his article, Gurman makes clear that this is not going to be the most exciting iOS release. In fact, he says that Apple is putting most of its work into adding stability improvements for the platform, which went through several less-than-stellar releases with iOS 7 and iOS 8. That said, he did highlight three features we can expect to see at WWDC this year. DON'T MISS: Former Android diehard "˜never looking back' after switch to iPhone 6 - find out why The first feature is something called Rootless

11 hours ago Stopping Data Breaches: Whose Job Is It Anyway?

Forbes View Synopsis+1
To prevent the continuing loss of money, reputation, and customers, companies must make stopping cybercrime a team sort, internally and externally. Collaboration is the essence of preventing data breaches and responding to them effectively.

11 hours ago Account Recovery Security Questions Not Very Secure

Dark Reading View Synopsis+1
An analysis of millions of answers to security questions show many are predictable and easily guessable, says Google.

11 hours ago Nordic Countries an Attractive Target for APT Groups, Cybercriminals: FireEye

SecurityWeek View Synopsis+1

FireEye has released a report detailing the cyber threats targeting various sectors in Europe's Nordic countries.

Government transparency, innovations in fields like renewable energy and healthcare, and rich natural resources make Denmark, Finland, Iceland, Norway, and Sweden a tempting target for malicious actors, the security firm said.