December 23, 2024

Feedback Friday: Hackers Infiltrate White House Network – Industry Reactions

Posted on November 3, 2014 by in Security

Welcome back to Feedback Friday! An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

Feedback Friday: White House Network Breached

The incident came to light earlier this week when an official said they had identified “activity of concern” on the unclassified network of the Executive Office of the President (EOP) while assessing recent threats. The official said the attackers didn’t cause any damage, but some White House users were temporarily disconnected from the network while the breach was dealt with.

Experts have pointed out that while the attackers breached an unclassified network, it doesn’t necessarily mean that they haven’t gained access to some useful data, even if it’s not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.

And the Feedback Begins…

Amit Yoran, President at RSA:

“The breach underscores the constant siege of attacks on our government and businesses. Fortunately — by definition — information with grave or serious impact to national security is classified and would not be found on an unclassified network. That said, there is most likely information on unclassified networks that the White House would not like public or for 3rd party consumption.

As for the profile of the adversary, the White House uses the latest security technologies making them a very challenging target to breach. Top secret clearances are required for access to networks and personnel are continuously and rigorously vetted. As such — and acknowledging that until a thorough investigation is completed, speculation can be dangerous — a standard botnet or phishing malware is a less likely scenario than a focused adversary with time and expertise in developing customized exploits, malware and campaigns.”

Mark Orlando, director of cyber operations at Foreground Security. Orlando previously worked at the EOP where he led a contract team responsible for building and managing the EOP Security Operations Center under the Office of Administration:

“Sophisticated attackers constantly alter their approach so as to evade detection and they will eventually succeed. The best a defender can do in this case is to identify and respond to the attack as quickly and effectively as possible. It isn’t at all unusual for an attack like this one to be discovered only after a malicious email has been identified, analyzed, and distilled into indicators of compromise (subject lines, source addresses, file names, and related data elements) used to hunt for related messages or attacks that were initially missed. White House defenders routinely exchange this kind of data with analysts across the Federal Government to facilitate those retrospective investigations. That may have been how this compromise was discovered and that doesn’t amount to a ‘miss’.

While the media points to outages or delays in major services like email at the White House, this is also not an unusual side effect of proper containment and eradication of a threat like this one- especially if there are remote users involved. Incidents exactly like this one occur all over the Federal government and increasingly in the private sector as well; the only thing different about this attack that makes it more newsworthy than those other incidents is that it occurred at EOP.”

Tom Kellermann, Trend Micro chief cybersecurity officer and former commissioner on The Commission on Cyber Security for the 44th Presidency:

“Geopolitical tensions are now manifested through cyberattacks. The enemies of the state conduct tremendous reconnaissance on their targets granting them situational awareness as to our defenses in real time. This reality allows for elite patriotic hackers to bypass our defenses.”

Irene Abezgauz, VP Product Management, Quotium:

“Security, cyber or physical, relies heavily on risk management. With a large operation, it is difficult to secure everything on the same level, priority is often given to the more sensitive networks. In the case of the White House hack, the breached network was unclassified, meaning it probably has slightly different security measures than classified networks.

Government systems are prime targets for hackers. Even if the breached network is unclassified and no sensitive information was exposed, all government network breaches draw attention. In public opinion, attackers gaining access to government computer systems, no matter whether classified or not, reflects badly on the ability of the US to defend itself, especially when foreign nationals are suspected. In addition, availability and integrity must be maintained in systems that involve any kind of government decision making, more than in most other systems.

The bottom line is that high profile targets must maintain a high level of security on all networks. Hackers, private and state-funded, are continuously attempting attacks on these systems. Such attacks must be blocked in order to protect data within as well as assure the public of the ability of the government to protect its cyber systems.”

John Dickson, Principal at the Denim Group:

“Although initial reports emphasize the unclassified nature of the system and networks, security experts know that successful attacks against certain unclassified systems can, in fact, still be gravely serious. Given the fact this concerns perhaps the most high-visibility target in the world – the White House – and you potentially have a genuinely difficult situation.

On one hand, you have the issue of public confidence in our institutions of government. ‘If the attackers can compromise the White House, what else can the possibly get into?’ is a perfectly valid question from citizens who may not recognize the distinction between unclassified and classified systems. Also, sensitive information that is unclassified may traverse these systems and give attackers more context to allow them to put together a larger picture of what’s happening at the White House. Military folks call refer to this term as Operational Security, or OPSEC, and this is always a worry for those protecting the President, the White House, and the operations of the Executive Branch of government.

From a defensive standpoint, when you face a sophisticated attacker with substantial resources you have be constantly vigilant and assume certain systems will fail. It’s far too early to editorialize on theories of ‘what might have happened’ at the White House, but we always recommend a defense in depth approach to application and system design that ‘fails open,’ so that if an attacker compromises one type of defense, it doesn’t compromise the entire ecosystem.”

Ian Amit, Vice President at ZeroFOX:

“Much of the conversation surrounding the recent White House hack centers on the nature of the compromised network. The network is ‘unclassified,’ leading many people to believe the affected information is non-critical or innocuous. It’s important to note however that enough unclassified information, when aggregated and correlated, quickly becomes classified. Isolated data points might not mean much by themselves, but enough time spent passively listening to unclassified chatter can reveal some very sensitive intelligence.

So how much time was the hacker on the network? It’s difficult to tell. Security officials alerted on ‘suspicious activity.’ This phrase doesn’t give us much insight into how long the network was compromised. The hacker could have been active on the network for months without doing anything to sound the alarms. It’s one thing if a hacker is caught in the act of breaking in or stealing data. That kind of event information generally gives a clear indication of the attack timeline. Triggering on passive behavior makes this much more difficult.

With that said, it’s commendable that White House security officials are looking for behavioral cues rather than overt events to detect malicious activity. Soft indicators are much more difficult to detect and means the security officials are using some advanced tools to understand traffic on the network.”

Anup Ghosh, CEO of Invincea:

“The disclosure of breach from the White House this week was remarkable for its differences from a similar disclosure in 2012. It’s clear from recent press releases from security companies, that Russia is the New Black now. In fact, if you get hacked by the Chinese now, it’s almost embarrassing because they are considered less sophisticated than the Russians. So now, every breach seems to be attributed to Russians, though largely without any evidence.

A little more than two years ago in October 2012, the White House acknowledged a breach of its unclassified networks in the White House Military Office (which also manages the President’s nuclear ‘football’). The talking points at the time were: 1. Chinese threat, 2. Non-sophisticated attack method (spear-phish), 3. Unclassified network, so no harm. This week, the talking points are: 1. Russian government threat, 2. Sophisticated attack method (spear-phish), and 3. Deep concern over breach of unclassified network. The similarities between the two breaches are remarkable, but the reaction couldn’t be more different.

Before we indict the Russians for every breach now, it would be great to see some bar set for attribution to a particular group. It would also be great to not use “sophisticated” threat or Russians as a scape goat for not properly addressing spear-phishing threats with technology readily available off the shelf (and shipped with every Dell commercial device).”

Michael Sutton, VP of Security Reasearch for Zscaler:

“The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to ‘unnamed sources’, it’s safe to assume that the general public only has visibility into the tip of the iceberg. White House officials admitted that this latest breach was discovered ‘in the course of assessing recent threats’, suggesting that following the trail of breadcrumbs for one attack led to another.

In September, there were reports of yet another successful attack, this one leveraging spear phishing and compromising a machine on an unclassified network and earlier this month, details of the Sandworm attacks emerged, which leveraged a then 0day Microsoft vulnerability to target NATO and EU government agencies. All of these recent attacks have been attributed to groups in Russia and it’s likely that they’re tied together. All Internet facing systems face constant attack, but the White House understandably presents a particularly attractive target.

While all G20 nations have advanced cyber warfare capabilities and conduct offensive operations, Russia and China have been particularly aggressive in recent years, often conducting bold campaigns that are sure to be uncovered at some point.”

Zach Lanier, Senior Security Researcher at Duo Security:

“U.S. government and defense networks are often the target of attackers — and the White House is without a doubt very high on that list, regardless of the breached network reportedly being ‘unclassified’. Everyone from hacktivists to foreign intelligence agencies have sought after access to these networks and systems, so this intrusion isn’t a huge surprise.” 

Carl Wright, General Manager of North America for TrapX Security:

“When it comes to our military, government and its supporting national defense industrial complex, the American public’s expectation is and should be significantly higher. The Senate Armed Services Committee (SASC) findings in September highlighted how nation-state actors were targeting contractors with relation to the federal government so it is to be expected that actual government bodies are also being targeted.

95 percent of the security market is signature based and thus will not detect a targeted zero-day. We must operate under the notion that networks are already compromised and focus defenses on monitoring lateral movements within data centers and private networks as that is how hackers escalate their attack and access. Unfortunately, existing security technologies focus from the outside in, trying to understand the entire world of cyber terrorists’ behaviors which inundate security teams with alerts and false-positives.

These breaches demonstrate how traditional security tools alone don’t do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture to thwart today’s nation-states or crime syndicates whether foreign or domestic. With the United States President’s intranet being compromised, it truly shows the poor state of our national cyber defense capabilities.”

Nat Kausik, CEO at Bitglass:

“Organizations whose security models involve ‘trusted devices’ are naturally prone to breaches. Employees take their laptops on the go, get hacked at public WIFI networks, and come back to the office where the device is treated as trusted and allowed to connect to the network.

The compromised device enables the hacker to gain a broader and more permanent foothold inside the network. Government entities have long favored the ‘trusted devices’ model and are actually more prone to breaches than organizations that treat all user devices as suspect.”

Greg Martin, CTO at ThreatStream:

“It’s public knowledge that Russia has been very active in sponsored cyber espionage and attacks but have recently turned up the volume since both the Ukranian conflict and given the Snowden leaks which in my opinion have given Russian and China the open door to be even more bold in their offensive cyber programs.

Recent cyberattacks on retailers and financial institutions have been riddled with anti-US propaganda. This makes it increasingly difficult to pinpoint the backers as the activity is heavily blended threats between criminal actors, hack-tivist and state sponsored activity. As seen in the recent reports, Russia APT attacks have been prevalent in targeting U.S. interests including the financial sector.

ThreatStream believes organizations should accelerate their policy of sharing cyber threat information and look at how they currently leverage threat and adversary intelligence in their existing cyber defense strategies.”

Until Next Friday…Happy Happy Halloween and have a Great Weekend!

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Cash-out Crew Manager Sentenced to 21 Months in Prison

Posted on October 28, 2014 by in Security

A Massachusetts man has been sentenced to 21 months in prison for using information hacked from customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies in a plot to steal $ 15 million.

Robert Dubuc, 41, of Malden, Mass., previously pleaded guilty to charge of wire fraud conspiracy and conspiracy to commit access device fraud and identity theft.

According to court documents, Dubuc and 50-year-old Oleg Pidtergerya of Brooklyn – who has also pleaded guilty – were asked by leaders of the conspiracy to participate in a “cash-out” scheme to help steal money from compromised bank accounts. Pidtergerya managed a cash-out crew in New York for the cyber-ring’s leaders while Dubuc controlled a cash-out crew in Massachusetts for the organization.

Authorities believe Oleksiy Sharapka, 34, of Kiev, Ukraine, directed the conspiracy with the help of Leonid Yanovitsky, 39, also of Kiev.

According to authorities, hackers gained unauthorized access to the bank accounts of customers of more than a dozen organizations ranging from Citibank to E-Trade to the U.S. Department of Defense. After obtaining access to the bank accounts, Sharapka and Yanovitsky allegedly diverted money to bank accounts and pre-paid debit cards they controlled. They then turned to the cash-out crews to withdraw the stolen funds, authorities said.

Both Sharapka and Yanovitsky are under indictment in the United States and remain at large, according to the U.S. Department of Justice.

In addition to the prison term, Judge Sheridan sentenced Dubuc to serve three years of supervised release and pay restitution in the amount of $ 338,685. Sentencing for Pidtergerya is scheduled for Dec. 22.

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

WordPress is the Most Attacked CMS: Report

Posted on October 12, 2014 by in Security

Data security firm Imperva released its fifth annual Web Application Attack report (WAAR) this week, a study designed track the latest trends and cyber threats facing web applications.

The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 – April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.

“WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet,” the report reads. 

This year’s WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks than PHP applications.

When it comes to websites, unsurprisingly, ones that have login functionality and implicitly store consumer-specific information are the most targeted.

Nearly half of all the attacks observed by Imperva during the nine month period targeted the retail sector, followed at a distance by financial institutions which accounted for 10% of all Web application attacks.

Compared to the previous period reviewed by the company (June 1, 2012 – November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.

As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.

“In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” the report reads.

“While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack.”

Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.

The complete Web Application Attack report from Imperva is available here.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Dropbox Got Up to 249 National Security Requests in First Half of 2014

Posted on September 12, 2014 by in Security

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 request for user information from law enforcement agencies between January and June of this year. In addition, while he hasn’t specified an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example are a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $ 250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Bush-era Memos: President Can Wiretap Americans at all Times

Posted on September 7, 2014 by in Security

WASHINGTON – The US Justice Department has released two memos detailing the Bush administration’s legal justification for monitoring the phone calls and emails of Americans without a warrant.

The documents, released late Friday, relate to a secret program dubbed Stellar Wind that began after the September 11, 2001 attacks.

It allowed the National Security Agency to obtain communications data within the United States when at least one party was a suspected Al-Qaeda or Al-Qaeda affiliate member, and at least one party in the communication was located overseas.

“Even in peacetime, absent congressional action, the president has inherent constitutional authority … to order warrantless foreign intelligence surveillance,” then-assistant attorney general Jack Goldsmith said in a heavily redacted 108-page memo dated May 6, 2004.

“We believe that Stellar Wind comes squarely within the commander in chief’s authority to conduct the campaign against Al-Qaeda as part of the current armed conflict and that congressional efforts to prohibit the president’s efforts to intercept enemy communications through Stellar Wind would be an unconstitutional encroachment on the commander in chief’s power.”

The document was obtained by the American Civil Liberties Union rights group through a Freedom of Information Act lawsuit.

Goldsmith at the time also headed the Justice Department’s Office of Legal Counsel under then-attorney general John Ashcroft and then-deputy attorney general James Comey, who now heads the FBI.

According to Goldsmith, Congress’s authorization for the use of force passed shortly after 9/11 provided “express authority” for Stellar Wind.

“In authorizing ‘all necessary and appropriate force,’ the authorization necessarily included the use of signals intelligence capabilities (wiretapping), which are a critical, and traditional, tool for finding the enemy so that destructive force can be brought to bear on him,” Goldsmith wrote.

He suggested that the congressional approval granted the president authority that “overrides the limitations” of the Foreign Intelligence Surveillance Act (FISA), a law requiring a court order to monitor the communications of any American or person on US soil.

The second memo, dated July 16, 2004, pointed to a Supreme Court decision handed down just over two weeks earlier as providing additional justification for Stellar Wind.

Goldsmith noted that five of the Supreme Court justices agreed that the detention of US citizen Yaser Esam Hamdi, who was captured while fighting in Afghanistan, was authorized because it was a “fundamental” and “accepted” incident of waging war.

“Because the interception of enemy communications for intelligence purposes is also a fundamental and long-accepted incident of war, the Congressional Authorization likewise provides authority for Stellar Wind targeted content,” he added.

The program was brought under FISA court supervision in 2007, six years into its existence. Its was first revealed by The New York Times in 2005.

© AFP 2013


SecurityWeek RSS Feed

Former HHS Cybersecurity Director Convicted on Child Porn Charges

Posted on August 27, 2014 by in Security

Following a four-day trial, a federal jury in Nebraska convicted the former acting director of cybersecurity at the United States Department of Health and Human Services (HHS) for his involvement in a child pornography enterprise, the Department of Justice announced on Tuesday.

Timothy DeFoggi, aged 56, is the sixth individual to be convicted as a result of an FBI investigation dubbed “Operation Torpedo,” which has targeted three child pornography websites. The former director has been convicted on three charges: accessing a computer with intent to view child pornography, engaging in a child exploitation enterprise, and conspiracy to advertise and distribute child pornography.

DeFoggi, who will be sentenced on November 7, 2014, is said to have signed up for a membership on an illegal website on March 2, 2012, and was an active member until authorities took down the site in December of the same year. In addition to accessing and soliciting illegal content from other members of the website, investigators said the man also exchanged private messages with other users, expressing interest in raping and murdering children.

The website on which DeFoggi registered an account was one of the three Tor-based pedophile sites owned and operated by 31-year-old Aaron McGrath, of Bellevue, Nebraska, who has been sentenced to 20 years in prison.

Documents obtained by Wired show that the FBI tracked down McGrath after his IP address was provided to the agency by the Dutch national police’s high tech crime unit, which in August 2011 started cracking down on pedo websites.

Operation Torpedo has been controversial because the FBI didn’t immediately arrest McGrath. Instead, they monitored him for a year, time during which they planted malware on the illegal websites in an effort to identify members. The drive-by download method, which the FBI calls a “network investigative technique,” has helped the agency track down the IP addresses, MACs and hostnames of at least 25 individuals, with 14 of them facing trial.

The malware, designed only to identify the computers that had visited the illegal websites, was planted based on search warrants signed by a federal judge, who also allowed the agency to delay notifying the targeted individuals for a period of 30 days. Since some of the suspects learned only well after the 30-day period about the use of malware to identify them, defense lawyers asked the court to throw out the evidence, a motion rejected by the judge.

 Christopher Soghoian of the American Civil Liberties Union (ACLU) has pointed out that while the use of malware might seem justified in the case of Operation Torpedo, because it’s unlikely for innocent people to be prosecuted, the technique could prove problematic in other cases, such as campaigns targeting terrorists, whose online resources might be accessed for research purposes by individuals who have nothing to do with terrorism.

 

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Secret Documents Say NSA Had Broad Scope, Scant Oversight: Report

Posted on July 1, 2014 by in Security

WASHINGTON – The US National Security Agency has been authorized to intercept information “concerning” all but four countries worldwide, top-secret documents say, according to The Washington Post.

“The United States has long had broad no-spying arrangements with those four countries – Britain, Canada, Australia and New Zealand,” the Post reported Monday.

Yet “a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well.”

The certification – approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — says 193 countries are “of valid interest for US intelligence.”

The certification also let the agency gather intelligence about entities such as the World Bank, the International Monetary Fund, European Union and the International Atomic Energy Agency, the report said.

“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” Jameel Jaffer, deputy legal director for the American Civil Liberties Union who had the documents described to him, told the Post.

The report stresses the NSA did not necessarily target nearly all countries but had authorization to do so.

It should come as cold comfort to Germany which was outraged by revelations last year that the NSA eavesdropped on Chancellor Angela Merkel’s mobile phone, as well as about wider US surveillance programs of Internet and phone communications.

Germany’s parliament is investigating the extent of spying by the US National Security Agency and its partners on German citizens and politicians, and whether German intelligence aided its activities.

The privacy issue is a particularly sensitive one in formerly divided Germany.

Ties between Washington and Europe more broadly, as well as other nations such as Brazil, have been strained since the revelations, despite assurances from US President Barack Obama that he is ending spy taps on friendly world leaders.

The Obama administration has insisted the NSA needs tools to be able to thwart terror attacks not just against the United States, but also its allies.

Snowden, a 30-year-old former NSA contractor was granted temporary asylum by Russia last August after shaking the American intelligence establishment to its core with a series of devastating leaks on mass surveillance in the US and around the world.

© AFP 2013


SecurityWeek RSS Feed

Consumers Ready for Internet of Things, But Fear Data Privacy and Security Implications: Survey

Posted on June 23, 2014 by in Security

Security vendor Fortinet released a survey that shows homeowners want to embrace the Internet of Things (IoT), but are worried about privacy and security.

In a survey of 1,801 homeowners, Fortinet found that 61 percent of U.S. respondents believe the connected house – a home where appliances and home electronics are seamlessly connected to the Internet – is “extremely likely” to become a reality during the next five years. Eighty-four percent of homeowners in China felt that way.

But the excitement over the prospect is tempered by security concerns. A majority of respondents (69 percent) globally said they were extremely or somewhat concerned a connected appliance could result in data breach of sensitive information. Among U.S. homeowners, the figure was 68 percent. When asked how they would feel if a connected device in their home was secretly or anonymously collecting information about them and sharing it with third-parties, 62 percent said they would feel “completely violated and extremely angry to the point where I would take action.” The strongest responses came from South Africa, Malaysia and the U.S., with the U.S. coming in at 67 percent.

Fifty-seven percent of respondents in the U.S. also agreed with the statement that “privacy is important to me, and I do not trust how this type of data may be used.”

“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges,” said John Maddison, vice president of marketing at Fortinet , in a statement. “Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security − applied on premises, in the cloud and as an integrated solution by device manufacturers.”

Many of respondents said they felt they should have access to any data collected by a connected home appliance. Sixty-six percent said that only themselves or others whom they have given permission should have access to this information. In the U.S., the number was 70 percent, with about a quarter also stating they thought the device manufacturer or their Internet Service Provider (ISP) should have access to the collected data as well.

Forty-two percent said the government should regulate collected data, while 11 percent said regulation should be enforced by an independent, non-governmental organization. In the United States, only 34 percent of respondents felt the government should regulate collected data.

Still, the respondents felt the device manufacturers should be primarily responsible for securing the device if a vulnerability is found. Forty-eight percent of all those surveyed agreed that the manufacturer is responsible for updating and patching their technology. However, almost 31 percent responded that it was the responsibility of the homeowner to keep the device up to date.  

“The battle for the Internet of Things has just begun,” Maddison said. “According to industry research firm IDC, the IoT market is expected to hit $ 7.1 trillion by 2020. The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Attackers Exploit Heartbleed Flaw to Bypass Two-factor Authentication, Hijack User Sessions: Mandiant

Posted on April 19, 2014 by in Security

Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit. 

Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. 

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”

The victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.

According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:

1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.

2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.

3. The timestamps associated with the IP address changes were often within one to two seconds of each other.

4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.

5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Additional details and remediation advice are available from Mandiant.

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”

The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

Earlier this week, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers’ data through an attack that exploited the Heartbleed bug.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

US ‘Restrained’ in Cyber Operations – Pentagon Chief

Posted on March 28, 2014 by in Security

WASHINGTON – The United States will show “restraint” in cyber operations outside of US government networks, Secretary of Defense Chuck Hagel said Friday, urging other countries to do the same.

Hagel, speaking at the National Security Agency (NSA) headquarters at Fort Meade, Maryland, said that the Pentagon “does not seek to ‘militarize’ cyberspace.”

Instead, Hagel said that the US government “is promoting the very qualities of the Internet — integrity, reliability, and openness — that have made it a catalyst for freedom and prosperity in the United States, and around the world.”

Overview of PentagonThe remarks came at the retirement ceremony for outgoing NSA chief, General Keith Alexander.

The Pentagon “will maintain an approach of restraint to any cyber operations outside the US government networks. We are urging other nations to do the same,” Hagel said.

He also said that the United States “will continue to take steps to be open and transparent about our cyber capabilities” with Americans, US allies, “and even competitors.”

The idea is to “use the minimal amount of force possible” in cyber operations, a senior defense official told reporters, speaking on condition of anonymity.

This would take place only when it would “either prevent conflict, de-escalate conflict or allow us to use the minimal amount of force,” the official said.

“That is not always the approach that other nations in the world use,” the official said. Although he emphasized that there was “a clear difference” between espionage and cyber operations, restraint is also applicable “for espionage and communications intelligence” at both the NSA and Cyber Command, the official said.

“We think very carefully about the things we do outside of our own network,” the official said. The budget for the Pentagon’s Cyber Command for fiscal 2015 is $ 5.1 billion. The Command must have 6,000 soldiers by 2016.

Alexander’s successor is a US Navy officer, Vice Admiral Michael Rogers, who will take over as both head of the NSA and Cyber Command.

Hagel is set to begin next week a tour of Asia with a stop in China, where cyberspying will be a hot topic following a report in The New York Times and Germany’s Der Spiegel that the NSA had secretly tapped Chinese telecoms giant Huawei for years.

The NSA had access to Huawei’s email archive, communications between top company officials, and even the secret source code of some of its products, according to the reports based on information provided by fugitive former NSA contractor Edward Snowden.

© AFP 2013


SecurityWeek RSS Feed