Linux Foundation to Host Let’s Encrypt, Project to Bring Free SSL Certs to Websites

An Internet where most websites use security certificates and encrypt data by default is no longer just a dream. A consortium of Internet and technology companies and organizations are banding together to make it easier for website owners to obtain and setup security certificates.

The Let’s Encrypt project is a free and automated security certificate authority which will simplify the process of obtaining a security certificate for websites, the Linux Foundation and the Internet Security Research Group said Thursday. It’s increasingly clear the only way to have reliable security online is to have every website be encrypted, served over Transport Layer Security (TLS), so that people’s information is protected from snoops, the Linux Foundation said. The goal is to make it easier for website owners to apply for and install a security certificate on their domains.

“Encryption should be the default for the web,” Josh Aas, executive director of ISRG, told SecurityWeek. Let’s Encrypt will help “increase TLS usage on the Web,” he said.

Data such as login credentials, financial information, browser cookies, and other types of sensitive or personal information travel from user computers to websites, or across multiple websites. All this information can easily be intercepted by eavesdroppers, but not if the Web application encrypts the information before sending it through the network. “A secure Internet benefits everyone,” Jim Zemlin, executive director at The Linux Foundation, told SecurityWeek.

Let’s Encrypt takes the world a step closer to a time when more websites would use a certificate and TLS would be the default across the Web, rather than the present where most sites do not even have a valid certificate, Aas said. The free and simple process should take no longer than a few minutes to complete.

Currently, it is difficult for website owners to obtain the certificate because the process may be too complicated or too expensive. Owners may also be overwhelmed with different types and not know which one to pick, Aas said. Let’s Encrypt automates the process so that certificates are issued automatically. Let’s Encrypt will also manage the certificate, so that if the certificate is nearing its expiration date, the system will handle renewals. There was no reason renewing a certificate had to remain a manual process. Let’s Encrypt will also handle installation and configuration on supported servers, which will likely handle most major server software, so that there will be no misconfigured certificates deployed on servers, Aas said.

Let’s Encrypt will be issuing Domain Validation certificates since this type of certificate can be automatically issued and managed, Aas said. Other types of certificates cannot be issued or managed automatically. Let’s Encrypt will also be focusing on elliptic curve cryptography—ECC—because it is the most effective at protecting online users today, he said.

Let’s Encrypt will be working closely with major hosting providers to offer TLS to all customers, following a model similar to what CloudFlare currently does for its customers, Aas said. Any CloudFlare customer has access to SSL certificates for their domains, for free. Let’s Encrypt will not be working directly with website owners, but act as the back-end for hosting providers interested in offering free DV certificates to their customers, Aas said. While individual will be able to get a certificate directly from Let’s Encrypt, the bulk of certificates will likely be issued through a major hosting provider.

“While the web has been a part of our lives for decades now, the data shared across networks is still at risk,” Zemlin said in a statement.

The Linux Foundation will host the Internet Security Research Group and Let’s Encrypt as a Linux Foundation Collaborative Project, which are independently funded software projects working on innovative programs which will have wide-ranging benefits and impact across industries, Zemlin said. The sponsor companies include Akamai, Cisco, Electronic Frontier Foundation, and Mozilla as founding Platinum members, IndenTrust as a Gold member, and Automattic (maker of WordPress) as the Silver member.

“By hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world,” Zemlin said in a statement.

Hosting in this context means the Linux Foundation will take on much of the business aspects of running Let’s Encrypt. The Linux Foundation provides the essential collaborative and organizational framework for projects, such as making sure there is money in the bank, hiring and providing benefits to employees, and even setting up a secure data center, so that members of the project can focus on actually building, Zemlin said.

“The Linux Foundation is in the business of supporting brilliant people working on innovative projects,” Zemlin said, noting hundreds of millions of dollars have been invested across various Collaborative Projects.

In this case, ISRG already has made its own arrangements for Let’s Encrypt infrastructure, Aas said, but was careful to note that ISRG is not dismissing the possibility of someday moving to Linux Foundation’s infrastructure.

“We want to build. We don’t want to have to worry about accounting, who is getting paid. I am not good at any of that, but Linux Foundation is,” Aas said, explaining why the relationship works for ISRG.

Let’s Encrypt is not trying to replace traditional certificate authorities. While the project will focus its efforts on getting free certificates out to website owners in a secure and open way, Aas sees the project as something working alongside CAs to get to a world where everyone is using encryption by default.

“The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything, Aas in a statement.

Related: Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy

Tags:

• Network Security
• NEWS & INDUSTRY
• Security Infrastructure

The PCI Security Standards Council announced on Thursday the availability of guidelines designed to help organizations develop tokenization products.

Tokenization is the process in which sensitive information, such as payment card data, is replaced with a randomly generated unique token or symbol. Tokenization products, which can be software applications, hardware devices or service offerings, can help merchants reduce the risk of having their customers’ financial information stolen by malicious actors.

“Tokenization is one way organizations can limit the locations of cardholder data (CHD). A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts,” explained PCI SSC Chief Technology Officer Troy Leach.

There are several challenges to implementing tokenization, but reliable solutions already exist and representatives of the merchant community believe this could be an efficient approach to preventing payment card fraud and identity theft.

The Tokenization Product Security Guidelines released by the PCI Council have been developed in collaboration with a dedicated industry taskforce. The report focuses on the generation of tokens, using and storing tokens, and the implementation of solutions that address potential attack vectors against each component. The document also contains a classification of tokens and their use cases.

The recommendations in the guidelines are addressed to tokenization solution and product vendors, tokenization product evaluators, and organizations that want to develop, acquire or use tokenization products and solutions.

“Minimizing the storage of card data is a critical next step in improving the security of payments. And tokenization does just that,” said PCI SSC General Manager Stephen Orfei. “At the Council, we are excited about the recent advancements in this space. Helping merchants take advantage of tokenization, point-to-point encryption (P2PE) and EMV chip technologies as part of a layered security approach in current and emerging payment channels has been a big focus at this week’s PCI Acquirer Forum.”

The PCI Council has pointed out that the guidelines are supplemental and they don’t supercede or replace any of the requirements detailed in the PCI Data Security Standard (PCI DSS).

PCI DSS 3.0, which focuses on security instead of compliance, went into effect on January 1. Version 3.1 of the PCI DSS, expected to be released this month, targets the SSL (Secure Sockets Layer) protocol. Organizations must ensure that they or their service providers don’t use the old protocol.

Last week, the PCI Council published new guidance to help organizations conduct penetration testing, which is considered a critical component of the PCI DSS.

The Tokenization Product Security Guidelines are available for download in PDF format.

Tags:

• NEWS & INDUSTRY
• Compliance

HyTrust, a provider of policy management and access control solutions for virtual and cloud environments, today announced that it has secured $ 33 million in new funding, including $ 8 million in venture debt and credit facilities.

According to the company, the new cash will be used to boost marketing, sales and product development initiatives, as well as expansion into international markets.  

HyTrust’s solutions enable the adoption of next-generation architectures through policy-based controls, visibility and data security, which helps enterprises more easily meet compliance mandates, improve application uptime, and securely take advantage of cloud-based capabilities.

The new investment is being led by AITV (Accelerate-IT Ventures). New investor Vanedge Capital also participated in the funding, while existing venture investors—Epic Ventures, Granite Ventures and Trident Capital—and strategic investors Cisco, Fortinet, Intel Corp. and VMware, also participated.

In addition to being backed by several venture firms and enterprise technology companies, HyTrust entered into a strategic investment and technology development agreement with In-Q-Tel (IQT), the not-for-profit venture capital arm of the CIA, back in July 2013.

Along with the $ 25 million equity investment from the syndicate, HyTrust expanded its relationship with banking partner City National Bank to fund up to $ 8 million in venture debt and credit facilities.  

“HyTrust is perfectly positioned to meet the needs of a market in which so many organizations are building on cloud-based technologies to increase agility for their business,” said Brian Nugent, founding principal and general partner at AITV.  

Brian Nugent will join HyTrust’s board of directors, while AITV co-founder and general partner, Bill Malloy III, and Moe Kermani, a partner with Vanedge Capital, will join as board observers, the company said.  

“Our goal at HyTrust is to make security automated and policy-based to address the needs of private and hybrid cloud data centers, as well as provide complete visibility into what is happening in cloud environments,” said John De Santis, Chairman and CEO of HyTrust.

Tags:

Nigeria’s electoral commission admitted on Saturday that its website had been hacked, as the country’s crucial presidential and parliamentary elections were hit by technical problems.

“The INEC (Independent National Electoral Commission) website‎ was hacked this morning but we are trying to revive it,” the body’s deputy director of public affairs, Nick Dazang, told AFP.

“But nothing has been tampered with,” he added, without elaborating.

INEC has been under scrutiny for weeks about its preparations for the election, in particular over the use of biometric voter identity cards and new technology to cut down on electoral fraud.

Voters throughout Nigeria have complained about lengthy delays in authenticating their cards. President Goodluck Jonathan’s own card failed on the new system and he had to be accredited by hand.

The INEC website — inecnigeria.org — was allegedly targeted by the Nigerian Cyber Army. A message on the home page read: “Feel some shame Admin!! Security just an illusion.”

The site was later back online.

Tags:

• NEWS & INDUSTRY
• Cybercrime

A serious security hole affecting a popular Internet gateway device used in hotels and convention centers has been closed.

The vulnerability affects ANTlabs’ InnGate, which is designed for operating corporate visitor-based networks. According to security firm Cylance, the vulnerability can be exploited to allow an attacker to monitor or tamper with traffic to and from any hotel Wifi user’s connection and potentially gain access to a hotel’s property management system.

Cylance reports that 277 hotels, convention centers and data centers across 29 countries are affected. At its core, the vulnerability is due to a misconfigured rsync instance included in the InnGate firmware. If exploited, the attacker would have read/write access to the entire file system without authentication.

“CVE-2015-0932 gives an attacker full read and write access to the file system of an ANTLabs’ InnGate device,” explained Brian Wallace, senior researcher at Cylance, in a blog post. “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”

“When an attacker gains full read and write access to a Linux file system, it’s trivial to then turn that into remote code execution,” he continued. “The attacker could upload a backdoored version of nearly any executable on the system and then gain execution control, or simply add an additional user with root level access and a password known to the attacker. Once full file system access is obtained, the endpoint is at the mercy of the attacker.”

If an attacker has compromised a vulnerable InnGate device at a hotel, obtained shell access via SSH and created an account for themselves with root access, they could run tcpdump and dump all network traffic going through the devices. This would allow an attacker to collect any plaintext communication sent through the gateway of the affected hotel or location, Wallace blogged.

“A slightly more sophisticated attacker could use a tool such as SSLStrip in order to attempt to downgrade the transport layer encryption in order to increase the amount of plaintext credentials gathered,” Wallace noted. “This attack gives the threat actor incredible leverage over their targets including making OpenSSL vulnerabilities easier to exploit.”

ANTlabs released a patch for the issue today. The vulnerable devices include:   

• IG 3100 model 3100, model 3101
• InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
• InnGate 3.01 G-Series, 3.10 G-Series

Hotel networks offer a potentially attractive target for cyber-espionage groups. Last year, an advanced persistent threat (APT) group was discovered targeting Wifi networks at hotels in Asia. In addition, the FBI and the Internet Crime Complaint Center warned in 2012 that attackers were targeting travelers abroad through malicious pop-up windows when they established an Internet connection in their hotel rooms. 

“While the DarkHotel campaign was clearly carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact,” Wallace wrote. “The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

When Florida police got a call from a man who said he shot four people at rapper Lil Wayne’s house this month, they responded as they are trained to.

Heavily armed, flanked in body armor and accompanied by sniffer dogs, officers surrounded the Miami mansion after the alleged shooter told the 911 dispatch: “I’m killing whoever else I see…”

But police found no shooter at the house, and no victims. Lil Wayne was not there either.

The rapper was the target of a “swatting” prank, a phenomenon gaining popularity in the United States and creating public safety risks and budget strains for law enforcement.

The stunt — a modern-day and much more serious version of a prank call — involves a call to emergency services claiming a crisis.

When police arrive, the alarmed victim is often greeted by angry bangs at the door from screaming officers with cocked guns.

Special weapons and tactics (SWAT) units are usually dispatched — which the term swatting comes from — because they are trained to deal with serious emergencies swatters typically falsely report, such as hostage taking, mass shootings, bomb threats and domestic violence.

Following the false alarm at Lil Wayne’s mansion, Miami police said on Twitter: “Unfortunately this appears to be a ‘Swatting’ call. No victims /no injuries /no subject at 94 LaGorce.”

Police are obliged to respond to emergency calls, but say such pranks are a waste of resources.

“Fortunately in terms of no one hurt yes. Unfortunate in the waste of resources for a hoax that we have to treat seriously,” Miami Police tweeted.

Lil Wayne is not the only celebrity swatting victim.

Famous Hollywood prankster, Ashton Kutcher, host of the hoax show “Punk’d,” has been swatted, along with Justin Bieber, Rihanna, P. Diddy, Justin Timberlake, Tom Cruise and Miley Cyrus.

Swatters have also hit politicians, journalists and schools.

Live-stream swatting

The phenomenon of swatting was first reported to the Federal Bureau of Investigation in 2008, and has steadily gained popularity since.

Officials estimate about 400 swattings occur every year, but many no longer report incidents to prevent copycat acts and to avoid giving swatters publicity.

The hoax is popular in the online gaming community, where swatters target online rivals who are live-streaming a game. When police arrive, the stunt is broadcast in real-time.

Swatting videos show victims at their computers when they are interrupted by loud bangs at the door followed by heavily armed police storming their homes.

Perpetrators target online rivals and access their addresses by hacking their computers.

Police consider the act a dangerous crime, and say swatting is a serious public safety issue.

“The swatting practice is extremely dangerous and places first responders and citizens in harm’s way,” the FBI said in a statement.

“It is a serious crime, and one that has potentially dangerous consequences.”

Beyond being a waste of resources, police say swatting creates major risks.

Some hapless victims were carrying objects that could be mistaken for a weapon. Others grabbed a real gun, mistaking law enforcement for intruders

Police are at risk too — in one incident an officer was injured in a car accident while responding to a swatting hoax.

“It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents,” the FBI said.

Seeking tough laws

But tracking perpetrators is tough, as callers use software to disguise the call origin or place the calls from untraceable Internet sites.

Though there is no federal swatting legislation in place, punishment can be tough for swatters who are caught.

In 2009, 19-year-old Matthew Weigman was sentenced to 11 years in prison for orchestrating several swattings. The blind phone hacker who was a member of a swatting ring had been making the fake calls to police for five years.

Some politicians are pushing for tougher laws to deal with the crime.

California Congressman Ted Lieu introduced legislation in his state that was adopted in 2014, forcing convicted swatters to pay for costs related to fake calls, which can be as much as $ 10,000.

Lieu, himself a victim of swatting, said the bill protects the public and prevents police resources from being wasted.

Despite moves to strengthen punishments, the phenomenon continues to gain momentum, both on US soil and abroad.

Last week, French television host Enora Malagre was a victim of swatting when a man called police claiming he stabbed her and threatened to shoot at police.

Tags:

• NEWS & INDUSTRY
• Tracking & Law Enforcement
• Cybercrime

Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code.

Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account.

The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin.

According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel.

The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials.

The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel.

“Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.”

The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar.

This isn’t the first time someone finds a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast.

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

HP has released software updates to address several vulnerabilities affecting ArcSight Enterprise Security Manager (ESM) and ArcSight Logger, products that are part of the company’s enterprise security portfolio.

An advisory published by the CERT Coordination Center at Carnegie Mellon University on Tuesday shows that a total of five security holes have been uncovered by Poland-based security researcher Julian Horoszkiewicz in the two HP ArcSight products.

One of the vulnerabilities affecting ArcSight Logger can be exploited by a remote, authenticated attacker to upload arbitrary files to the affected system. A malicious actor might be able to execute scripts on the server with the application’s privileges. Uploading arbitrary files is possible because the product’s configuration import feature does not sanitize file names, CERT said.

Another Logger issue can be exploited by an authenticated attacker to modify sources and parsers. The weakness exists because all users are allowed to access certain configuration features, such as input, search, and content management.

Horoszkiewicz has also found that the XML parser in Logger’s content import section is vulnerable to XML External Entity Injection attacks. A malicious actor could leverage the bug to execute arbitrary scripts on the server.

The HP ArcSight vulnerabilities identified by the researcher are a cross-site scripting (XSS) flaw that could allow an attacker to disrupt or modify rules and resources on the system, and a cross-site request forgery (CSRF) that can be exploited to modify data on the system. Since these types of vulnerabilities are exploited by tricking the victim into clicking on a maliciously crafted link, the extent of the damage that an attacker can cause depends on the privileges of the targeted user.

HP says the vulnerabilities impact ArcSight ESM prior to version 6.8c, and ArcSight Logger prior to version 6.0P1.

CERT’s advisory shows that CVE identifiers are pending for each of the flaws. However, HP’s own advisory reveals that an identifier, CVE-2014-7885, has been assigned to multiple vulnerabilities in HP ArcSight ESM, and a second identifier, CVE-2014-7884, has been assigned to multiple flaws in HP ArcSight Logger.

Horoszkiewicz has uploaded a proof-of-concept for the ArcSight Logger file upload vulnerability to Offensive Security’s Exploit Database. The researcher said he had sent a vulnerability report to HP in late August 2014, and new versions containing the fix were released on January 21, 2015.

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Online payments group PayPal announced Tuesday it was acquiring Israeli cybersecurity firm CyActive and establishing a new security hub in Israel.

The terms of the deal were not announced, but some reports this week said PayPal, which is being spun off by online giant eBay, was paying $ 60 million for CyActive.

“Our goal is to extend our global security leadership, and bolster our efforts in predictive threat detection and prevention,” said PayPal chief technology officer James Barrese in a blog post.

“The acquisition of CyActive will bring great talent and immediately add ‘future-proof’ technology to PayPal’s world-class security platform. With CyActive, we’ll have even more ways to proactively predict and prevent security threats from ever affecting our customers.”

The move comes with the finance sector increasingly under attack from hackers. In recent months, major companies have disclosed data breaches affecting tens of millions of customers, with credit card or financial information leaked in some cases.

CyActive, which launched in 2013, specializes in “predictive cybersecurity,” or heading off online attacks before they happen.

The company’s website claims it has “an unprecedented ability to automatically forecast the future of malware evolution, based on bio-inspired algorithms and a deep understanding of the black hats’ hacking process.”

Online retail giant eBay unveiled plans last September to spin off PayPal, aiming to help the unit compete better in the fast-moving online payments segment.

According to eBay, PayPal facilitates one in every six dollars spent online today.

And PayPal has moved into mobile payments with the acquisition of the payment processing group Braintree, boosting its own mobile platform called OneTouch.

Tags:

• NEWS & INDUSTRY
• Management & Strategy

The CIA plans to radically overhaul operations, ramping up its capability to deal with cyber threats while boosting integration between departments via a network of new units.

Central Intelligence Agency director John Brennan outlined the proposed changes to the agency in a message to staff on Friday described as a “Blueprint for the Future” covering four key areas.

Brennan said the US espionage agency would set up a new “Directorate of Digital Innovation” to reflect the rapidly evolving cyber landscape.

“We must place our activities and operations in the digital domain at the very center of all our mission endeavors,” Brennan wrote.

“To that end, we will establish a senior position to oversee the acceleration of digital and cyber integration across all of our mission areas.”

The changes reflect the increasing emphasis on cybersecurity by the United States after a series of high-profile digital breaches in recent years, such as the Sony Pictures hack blamed on North Korea.

Director of National Intelligence James Clapper last month told lawmakers that foreign cyberattacks represented a bigger threat to national security than terrorism.

US media reports said Brennan’s sweeping changes would affect thousands of employees at the agency.

‘Bold steps’

A centerpiece of the overhaul would be the establishment of 10 new “Mission Centers” aimed at enhancing integration between departments.

“Never has the need for the full and unfettered integration of our capabilities been greater,” Brennan said in his message. “We must take some bold steps toward more integrated, coherent and accountable mission execution.”

Analysts said the introduction of Mission Centers was intended to eliminate divisions between traditional departments covering the Middle East, Africa and other regions.

Several media reports said the new units would be modeled on the CIA’s Counterterrorism Center, which grew exponentially in the years after the September 11, 2001 attacks on US soil.

The new centers will “bring the full range of operational, analytic, support, technical and digital personnel and capabilities to bear on the nation’s most pressing security issues,” Brennan said.

Each new center would be led by an assistant director who would be accountable for overall mission accomplishment in the field or geographic region assigned to their unit.

According to The Wall Street Journal, the overhaul follows an exhaustive review led by senior CIA veterans that identified several “pain points.”

“One of the things we’re trying to do here is to think about the agency operating in a way so that there are less of those… frictions that build up over time, and to have a more streamlined, a more efficient agency so we can, frankly, produce more, do a better job in some of the areas where we need to do better,” Brennan was quoted by the Journal as saying.

Tags:

• Cyberwarfare
• NEWS & INDUSTRY