Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC Information Security News

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Popular News

4 hours ago DDoS attack downs University of London learning platform

The Register View Synopsis+1
A harsh lesson, now stand in corridor for four hours

The University of London Computer Centre fell victim to a cyber-attack on Thursday.

7 hours ago Cybercriminals Use SVG Files to Distribute Ransomware

SecurityWeek View Synopsis+1

Researchers at email and web security company AppRiver spotted a campaign in which malicious actors attempted to distribute a piece of ransomware with the aid of SVG files.

The attack starts with an email that appears to have a resume attached to it. The file is a ZIP archive containing an SVG file.

7 hours ago Think factory reset wipes your data from Android phones? Think again

ZDNet View Synopsis+1
Researchers have found that 500 milllion handsets may still leave users' personal details accessible even after a full factory reset.

7 hours ago Feds slap PayPal with $25 million fine over credit service

IT Toolbox Blogs View Synopsis+1
It?s sad to see this happen. It may have a negative effect on a good service. Feds slap PayPal with $25 million fine over credit service

Top News

1 day ago Ransomware rescue kit released to combat criminal enterprise

ZDNet View Synopsis+1
A rescue kit designed for security professionals and system admins has been released to eradicate ransomware infections.

1 day ago The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange

Schneier blog View Synopsis+1

Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

Here's the academic paper.

One of the problems with patching the vulnerability is that it breaks things:

On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole.

This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn't patched. And it's the vulnerability the media is focusing on.

Much more interesting is the other vulnerability that the researchers found:

Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve -- the most efficient algorithm for breaking a Diffie-Hellman connection -- is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

The researchers believe the NSA has been using this attack:

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

Remember James Bamford's 2012 comment about the NSA's cryptanalytic capabilities:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: "Everybody's a target; everybody with communication is a target."


The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. "Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it," he says. The reason? "They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption."

And remember Director of National Intelligence James Clapper's introduction to the 2013 "Black Budget":

Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic."

It's a reasonable guess that this is what both Bamford's source and Clapper are talking about. It's an attack that requires a lot of precomputation -- just the sort of thing a national intelligence agency would go for.

But that requirement also speaks to its limitations. The NSA isn't going to put this capability at collection points like Room 641A at AT&T's San Francisco office: the precomputation table is too big, and the sensitivity of the capability is too high. More likely, an analyst identifies a target through some other means, and then looks for data by that target in databases like XKEYSCORE. Then he sends whatever ciphertext he finds to the Cryptanalysis and Exploitation Services (CES) group, which decrypts it if it can using this and other techniques.

Ross Anderson wrote about this, presumably quoting Snowden:

As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a "stolen cert", presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can't.

The analysts are instructed not to think about how this all works. This quote also applied to NSA employees:

Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: "Do not ask about or speculate on sources or methods underpinning Bullrun."

Again, the NSA has put surveillance ahead of security. It never bothered to tell us that many of the "secure" encryption systems we were using were not secure. And we don't know what other national intelligence agencies independently discovered and used this attack.

The good news is now that we know reusing prime numbers is not a good idea, we can stop doing so.

1 day ago Logjam Vulnerability: 5 Key Issues

InfoRiskToday View Synopsis+1
Don't Rush to Fix 20-Year-Old Flaw, Experts SayWhile the "Logjam" vulnerability raises serious concerns, there's no need to rush related patches into place, according to several information security experts. Learn the key issues, and how organizations must respond

6 hours ago Do this now: Secure your adult dating profiles - a major site was just hacked

Yahoo Security View Synopsis+1
In case you happen to have one or multiple adult dating website profiles, you might consider securing them right away, as one of the world's largest such websites has been hit by hackers. The attackers managed to steal highly sensitive personal data for four million users, leaking them online in spreadsheet format. DON'T MISS: Key iPhone 6s specs seemingly detailed in new report According to Channel 4, the dating site in question is Adult FriendFinder which has more than 63 million global users. In addition to usual personal data including usernames, email addresses, dates of birth and addresses, the stolen data also contains more sensitive information regarding the user's sexual orientation and preferences, and whether they're looking for extramarital affairs

3 hours ago Insurers Increasing Reliance On Risk Management To Combat Emerging Risks And Digital Disruption

Forbes View Synopsis+1
Persistent low growth combined with low interest rates are constricting the traditional sources of revenue for the insurance industry, creating an urgent need to seek out new sources of revenue and accelerate innovation.The industry is threatened by disintermediation and needs new, digital business models that leverage existing brands and customer [...]

3 hours ago NEWS ALERT: AdultFriendFinder users' online dating info compromised

SC Magazine View Synopsis+1
Hackers might have accessed and posted the information of up to 4 millions AdultFriendFinder users.

3 hours ago Hacking Virginia State Trooper Cruisers

Dark Reading View Synopsis+1
Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

2 hours ago Database of 4 million Adult Friend Finder users leaked for all to see

ArsTechnica View Synopsis+1
Casual dating service was breached more than a month ago.

1 day ago Lenovo and the Terrible, Horrible, No Good, Very Bad Week

SANS Reading Room View Synopsis+1
For one week in February of 2015, the largest personal computer manufacturer in the world had a

22 hours ago European carriers threaten net neutrality with ad blocking

TechRepublic View Synopsis+1
Mobile network operators in Europe are reportedly planning to strip out ads in order to coerce ad networks into giving the network operators a cut of the revenue. Here's how to protect your website.

1 day ago New Critical Encryption Bug Affects Thousands of Sites

WIRED View Synopsis+1

A critical vulnerability has been uncovered by security researchers.

The post New Critical Encryption Bug Affects Thousands of Sites appeared first on WIRED.

Latest News

21 minutes ago 3 new iOS 9 features were just revealed in a huge new leak

Yahoo Security View Synopsis+1
9to5Mac's Mark Gurman has been all over iOS 9 leaks this week and he's back with a new report today that outlines more features the new software will deliver. In the preface to his article, Gurman makes clear that this is not going to be the most exciting iOS release. In fact, he says that Apple is putting most of its work into adding stability improvements for the platform, which went through several less-than-stellar releases with iOS 7 and iOS 8. That said, he did highlight three features we can expect to see at WWDC this year. DON'T MISS: Former Android diehard "˜never looking back' after switch to iPhone 6 - find out why The first feature is something called Rootless

32 minutes ago How to Fulfill Business Potential of Android Phones

IT Toolbox Blogs View Synopsis+1
The smartphone has been the most popular tech device for a couple of years now. Although tablets also have their loyal audience, they still don't have the same cult of followers as smartphones do.

48 minutes ago Stopping Data Breaches: Whose Job Is It Anyway?

Forbes View Synopsis+1
To prevent the continuing loss of money, reputation, and customers, companies must make stopping cybercrime a team sort, internally and externally. Collaboration is the essence of preventing data breaches and responding to them effectively.

48 minutes ago Nigerian man sentenced to 3 years for phishing scam targeting gov't workers

SC Magazine View Synopsis+1
A Nigerian man was sentenced to three years in prison for his role in a phishing scheme targeting U.S. government employees.

51 minutes ago Factory reset memory wipe FAILS in 500 MEEELLION Android phones

The Register View Synopsis+1
Cambridge boffins recovered crypto keys, plus Google and Facebook tokens

Cambridge University boffins Laurent Simon and Ross Anderson say half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature.

1 hour ago House lawmakers' information accessed in CareFirst BlueCross BlueShield breach

SC Magazine View Synopsis+1
House lawmakers might have had some of their personal data compromised in the confirmed CareFirst BlueCross BlueShield data breach earlier this week.

1 hour ago Method identified to generate unlimited Starbucks gift card funds

SC Magazine View Synopsis+1
A hacker with security firm Sakurity identified a way to generate unlimited funds on Starbucks gift cards, and proved that it worked.

1 hour ago Account Recovery Security Questions Not Very Secure

Dark Reading View Synopsis+1
An analysis of millions of answers to security questions show many are predictable and easily guessable, says Google.

1 hour ago Nordic Countries an Attractive Target for APT Groups, Cybercriminals: FireEye

SecurityWeek View Synopsis+1

FireEye has released a report detailing the cyber threats targeting various sectors in Europe's Nordic countries.

Government transparency, innovations in fields like renewable energy and healthcare, and rich natural resources make Denmark, Finland, Iceland, Norway, and Sweden a tempting target for malicious actors, the security firm said.

1 hour ago GDS to handle Govt payments? What could possibly go wrong?

The Register View Synopsis+1
New Cabinet Office Minister lavishes fulsome praise on Maude's fiasco

Be afraid. The previous government's "elite digital team" which so brilliantly borked most of Whitehall's websites, and that failed to meet its own targets, may be put in charge of handling real money: your money.

1 hour ago NSA Planned Hack of Google App Store

SecurityWeek View Synopsis+1

The US National Security Agency developed plans to hack into data links to app stores operated by Google and Samsung to plant spyware on smartphones, a media report said Thursday.

The online news site The Intercept said US intelligence developed the plan with allies in Britain, Canada, New Zealand and Australia, a group known as the "Five Eyes" alliance.

2 hours ago 500 Million Google Phones Fail To Wipe Data On Reset, Claim Cambridge Researchers

Forbes View Synopsis+1
Google and its manufacturing partners have failed to protect users data on factory reset, according to research from Cambridge University. The academics were able to access all kinds of communications from devices, from the likes of Samsung and HTC, that were supposed to have been wiped.

2 hours ago Cyber Threat Analysis: A Call for Clarity

Dark Reading View Synopsis+1
The general public deserves less hyperbole and more straight talk

2 hours ago New relay selection fix for Tor to spoil spooks' fun (eventually)

The Register View Synopsis+1
Quick, before Skynet takes control of the Five Eyes

Research by American and Israeli academics has lead to the development of Astoria, a new Tor client specifically designed to spoil spooks' traffic analysis of the surveillance-dodging network.

3 hours ago Wikipedia Disturbed Over Fresh China Censorship

Forbes View Synopsis+1
China's Great Firewall is blocking the Chinese version of Wikipedia. Whilst the Wikimedia Foundation says it's anti-censorship, regardless of country, activists at the Great Fire say the company can do a lot more to help fight for freedom of speech in China.

3 hours ago Flawed Android Factory Reset Allows Recovery of Sensitive Data: Researchers

SecurityWeek View Synopsis+1

Passwords and Multimedia Files Can Be Recovered From Hundreds of Millions of Android Phones

Researchers at the University of Cambridge have conducted a detailed analysis of the "Factory Reset" feature in Android devices and determined that it's not as effective as it should be.

4 hours ago Zero Day Weekly: Wassenaar considered harmful, car hacking, bad news for AdultFriendFinder

ZDNet View Synopsis+1
A collection of notable security news items for the week ending May 22, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.

5 hours ago A major feature from Android M and the next-gen Nexus phone has leaked

Yahoo Security View Synopsis+1
Google has already unwillingly confirmed that it's going to unveil Android M at its I/O 2015 conference next week, and a few reports now claim to have knowledge of one of the major features that are going to be available to Android M users in the near future. DON'T MISS: Key iPhone 6s specs seemingly detailed in new report According to independent reports from BuzzFeed and ArsTechnica, Android M might be finally getting native support for fingerprint authentication. "The new functionality will allow users to log in to all of the supported applications on their Android devices without entering a password," BuzzFeed has learned from its sources. Other details about the fingerprint functionality or Android M have not been shared.

6 hours ago "‹Google, Samsung get closer to giving passwords the finger with FIDO certification

ZDNet View Synopsis+1
The FIDO alliance has certified 31 products and services under two protocols which aim to do away with the need for passwords.

6 hours ago Why the Current Section 215 Reform Debate Doesn't Matter Much

Schneier blog View Synopsis+1

The ACLU's Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA.

There were 180 orders authorized last year by the FISA Court under Section 215 -- 180 orders issued by this court. Only five of those orders relate to the telephony metadata program. There are 175 orders about completely separate things. In six weeks, Congress will either reauthorize this statute or let it expire, and we're having a debate -- to the extent we're even having a debate -- but the debate that's taking place is focused on five of the 180, and there's no debate at all about the other 175 orders.

Now, Senator Wyden has said there are other bulk collection programs targeted at Americans that the public would be shocked to learn about. We don't know, for example, how the government collects records from Internet providers. We don't know how they get bulk metadata from tech companies about Americans. We don't know how the American government gets calling card records.

If we take General Hayden at face value -- and I think you're an honest guy -- if the purpose of the 215 program is to identify people who are calling Yemen and Pakistan and Somalia, where one end is in the United States, your average Somali-American is not calling Somalia from their land line phone or their cell phone for the simple reason that AT&T will charge them $7.00 a minute in long distance fees. The way that people in the diaspora call home -- the way that people in the Somali or Yemeni community call their family and friends back home -- they walk into convenience stores and they buy prepaid calling cards. That is how regular people make international long distance calls.

So the 215 program that has been disclosed publicly, the 215 program that is being debated publicly, is about records to major carriers like AT&T and Verizon. We have not had a debate about surveillance requests, bulk orders to calling card companies, to Skype, to voice over Internet protocol companies. Now, if NSA isn't collecting those records, they're not doing their job. I actually think that that's where the most useful data is. But why are we having this debate about these records that don't contain a lot of calls to Somalia when we should be having a debate about the records that do contain calls to Somalia and do contain records of e-mails and instant messages and searches and people posting inflammatory videos to YouTube?

Certainly the government is collecting that data, but we don't know how they're doing it, we don't know at what scale they're doing it, and we don't know with which authority they're doing it. And I think it is a farce to say that we're having a debate about the surveillance authority when really, we're just debating this very narrow usage of the statute.

Further underscoring this point, yesterday the Department of Justice's Office of the Inspector General released a redacted version of its internal audit of the FBI's use of Section 215: "A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009," following the reports of the statute's use from 2002-2005 and 2006. (Remember that the FBI and the NSA are inexorably connected here. The order to Verizon was from the FBI, requiring it to turn data over to the NSA.)

Details about legal justifications are all in the report (see here for an important point about minimization), but detailed data on exactly what the FBI is collecting -- whether targeted or bulk -- is left out. We read that the FBI demanded "customer information" (p. 36), "medical and educational records" (p. 39) "account information and electronic communications transactional records" (p. 41), "information regarding other cyber activity" (p. 42). Some of this was undoubtedly targeted against individuals; some of it was undoubtedly bulk.

I believe bulk collection is discussed in detail in Chapter VI. The chapter title is redacted, as well as the introduction (p. 46). Section A is "Bulk Telephony Metadata." Section B (pp. 59-63) is completely redacted, including the section title. There's a summary in the Introduction (p. 3): "In Section VI, we update the information about the uses of Section 215 authority described [redacted word] Classified Appendices to our last report. These appendices described the FBI's use of Section 215 authority on behalf of the NSA to obtain bulk collections of telephony metadata [long redacted clause]." Sounds like a comprehensive discussion of bulk collection under Section 215.

What's in there? As Soghoian says, certainly other communications systems like prepaid calling cards, Skype, text messaging systems, and e-mails. Search history and browser logs? Financial transactions? The "medical and educational records" mentioned above? Probably all of them -- and the data is in the report, redacated (p. 29) -- but there's nothing public.

The problem is that those are the pages Congress should be debating, and not the telephony metadata program exposed by Snowden.

6 hours ago Audi will enhance Chinese connected-car services with Baidu

Yahoo Security View Synopsis+1

Germany's Audi will enhance connected-car services in China to meet growing demand for driver-assistance systems and driverless technology in the world's largest auto market. Volkswagen's flagship luxury brand said on Friday it will jointly develop navigation map data, positioning algorithms and point-of-interest functions with China's web services provider Baidu. Chinese Internet companies and auto makers have been quick to team up to start developing partly self-driving and Internet-connected cars, following a path already trodden by U.S. tech giants Google Inc and Apple Inc. "We are now taking our next big step in China," Chief Executive Rupert Stadler said at the carmaker's annual shareholder meeting in Neckarsulm, Germany.

7 hours ago Yet another security hole affects millions of routers

IT Toolbox Blogs View Synopsis+1
Not sure what, if anything we can do about this, but here it is. Critical vulnerability in NetUSB driver exposes millions of routers to hacking

10 hours ago Opal card data handed over to NSW Police, Immigration

ZDNet View Synopsis+1
Transport for New South Wales has confirmed that in just six months, NSW Police has made 166 requests for data on the Opal travel card.