Exploit This

Security News, Exploits, and Vulnerabilities.

Adobe, Microsoft Push Critical Security Fixes

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat. Three of the Microsoft patches earned the […]

How to mitigate 85% of threats with only four strategies

The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by four mitigation strategies together. Kaspersky Lab has technological solutions to cover the most strategies from ASD’s list.

Who’s Scanning Your Network? (A: Everyone)

Not long ago I heard from a reader who wanted advice on how to stop someone from scanning his home network, or at least recommendations about to whom he should report the person doing the scanning. I couldn’t believe that people actually still cared about scanning, and I told him as much: These days there are countless entities — some benign and research-oriented, and some less benign — that are continuously mapping and cataloging virtually every devices that’s put online.

Deconstructing the 2014 Sally Beauty Breach

This week, nationwide beauty products chain Sally Beauty disclosed that, for the second time in a year, it was investigating reports that hackers had broken into its networks and stolen customer credit card data. That investigation is ongoing, but I recently had an opportunity to interview a former Sally Beauty IT technician who provided a first-hand look at how the first breach in 2014 breach went down.

IT threat evolution in Q1 2015

In the first quarter of 2015 Kaspersky Lab products detected a total of 2,2 bln malicious attacks and more than 93 mln unique malicious URLs. The story of the powerful Equation cyberespionage group was perhaps the most talked-about news story of Q1.

PayIvy Sells Your Online Accounts Via PayPal

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

Sally Beauty Card Breach, Part Deux?

For the second time in a year, nationwide beauty products chain Sally Beauty Holdings Inc. says it is investigating reports of unusual credit and debit card activity at some of its U.S. stores. Last week, KrebsOnSecurity began hearing from multiple financial institutions about a pattern of fraudulent charges on cards that were all recently used […]

Foiling Pump Skimmers With GPS

Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty.

Harbortouch is Latest POS Vendor Breach

Last week, Allentown, Pa. based point-of-sale (POS) maker Harbortouch disclosed that a breach involving “a small number” of its restaurant and bar customers were impacted by malicious software that allowed thieves to siphon customer card data from affected merchants. KrebsOnSecurity has recently heard from a major U.S. card issuer that says the company is radically downplaying the scope of the breach, and that the compromise appears to have impacted more than 4,200 Harbortouch customers nationwide.

TA15-120A: Securing End-to-End Communications

Original release date: April 30, 2015

Systems Affected

Networked systems

Overview

Securing end-to-end communications plays an important role in protecting privacy and preventing some forms of man-in-the-middle (MITM) attacks. Recently, researchers described a MITM attack used to inject code, causing unsecured web browsers around the world to become unwitting participants in a distributed denial-of-service attack. That same code can be employed to deliver an exploit for a particular vulnerability or to take other arbitrary actions.

Description

A MITM attack occurs when a third party inserts itself between the communications of a client and a server. MITM attacks as a general class are not new. Classic MITM attacks (e.g., ARP Spoofing) focus on redirecting network communications. By definition, network infrastructure under attacker control is vulnerable to MITM. However, as technology evolves, new methods for performing MITM attacks evolve as well.

Currently, there is no single technology or configuration to prevent all MITM attacks. However, increasing the complexity with multiple layers of defense may raise the cost for the attacker. Increasing the attacker’s cost in time, effort, or money can be an effective deterrent to avoiding future network compromise.

Generally, encryption and digital certificates provide an effective safeguard against MITM attacks, assuring both the confidentiality and integrity of communications. As a result, modern MITM attacks have focused on taking advantage of weaknesses in the cryptographic infrastructure (e.g., certificate authorities (CAs), web browser certificate stores) or the encryption algorithms and protocols themselves.

Impact

MITM attacks are critical because of the wide range of potential impacts—these include the exposure of sensitive information, modification of trusted data, and injection of data.

Solution

Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.

US-CERT recommends reviewing the following mitigations to reduce vulnerability to MITM attacks:

Update Transport Layer Security and Secure Socket Layer (TLS/SSL)

US-CERT recommends upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled, unless required. TLS 1.0 clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding oracle attack when Cypher-Block Chaining mode is used. This method is commonly referred to as the “POODLE” (Padding Oracle on Downgraded Legacy Encryption) attack. Vulnerable TLS implementations can be updated by applying the patch provided by the vendor. Vendor information is available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [1] or in CERT Vulnerability Note VU#577193 [2]. See US-CERT TA14-290A [3] for additional information on this vulnerability.

Utilize Certificate Pinning

Certificate pinning [4] is a method of associating X.509 certificate and its public key to a specific CA or root. Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust “this certificate only” or “trust only certificates signed by this certificate.” Please use the following resources to configure your browser for certificate pinning:

Microsoft Certificate Trust

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5.2 employs a feature named “Certificate Trust” for SSL/TLS certificate pinning. This feature is intended to detect and stop MITM attacks that leverage Public Key Infrastructure. [5]

To use the Certificate Trust, you must provide a list of websites you want to protect and certificate pinning rules applicable to those websites. In order to do this, work with the Certificate Trust Configuration feature of the graphical application or use the Configuration Wizard to automatically configure EMET with the recommended settings. [6] Also, ensure period defaults are updated through patching.

Browser Certificate Pinning

Google Chrome and Mozilla Firefox, among others, perform certificate pinning. They conduct a variation of certificate pinning using the HTTP Strict Transport Security (HSTS), which pre-loads a specific set of public key hashes into the HSTS configuration, limiting valid certificates to only those with the specified indicated public key. Chrome uses HTTPS pins for most Google properties. It uses whitelisted public keys which include keys from Verisign, Google Internet Authority, Equifax, and GeoTrust. Thus, Chrome will not accept certificates for Google properties from other CAs.

Firefox 32 on desktop and later (Firefox 34 and later on Android) has the ability to use certificate pinning. It also has the ability to enforce built-in pinsets (mapping of public keys) information to domains. Firefox will pin all sites that Chrome already does, pin their own sites after audit and cleansing, and pin other popular sites that are already in good standing. Please visit this site on How to Use Pinning [7] and for more information.

Implement DNS-based Authentication of Named Entities (DANE)

DANE is a protocol that allows certificates (X.509) commonly used for TLS. DANE is bound to DNS which uses Domain Name System Security Extensions (DNSSEC). A working group in the Internet Engineering Task Force of DANE developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it. [8]

Google Chrome does not use DANE but uses an add-on [9] for support. Mozilla Firefox also uses an add-on [10] to check the existence and validity of DNSSEC.

Use Network Notary Servers

Network notary servers aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on CAs. CAs are often considered a security risk because they can be compromised. [11] As a result, browsers can deem fraudulent sites trustworthy and are left vulnerable to MITM attacks.

Each network notary server, or group of servers, is public and can be operated by public/private organizations or individuals. These servers regularly monitor websites and build a history of each site’s certificate data over time. When a browser equipped with a network notary add-on communicates with a website and obtains its certificate information, a user-designated network notary server supplies the browser with historical certificate data for that site. If certificate information provided by the website is inconsistent with the notary’s historical data, a MITM attack could be at play. [12]

References

Revision History

  • April 30, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

%d bloggers like this: