The Analysis of the Heartbleed - Essay Example

HeartBleed Threat Level Critical Recommended Action Quit using Open SSL Technical Details In order to figure out what Heartbleed does, we need to clarify what SSL and, by extension, OpenSSL are and then learn exactly what they do. SSL, this shorthand represents Secure Sockets Layer—It is a security standard that allows secure transmission of information to occur between you and a service without the risk of interception of vital information by a third party. OpenSSL is merely an open-source (i.e. non-profit) project updated and sustained by volunteers with the contribution of a well-informed community of programmers (Kerner 2014). The computer needs to communicate to a server so that the SSL can work. To achieve this, it sends out a “heartbeat.” This heartbeat is responsible for giving off a specific signal to a server to check whether that server is online. In case, the server is online, it transmits that signal straight back to the computer, letting us enjoy secure communications. Both the computer and the server send out heartbeats during regular intervals to ensure that both the user and the server i.e. the service aren’t offline (Kerner 2014). Heartbleed exploits this “heartbeat” by sending out, a kind of heartbeat signal to servers that is malicious in nature. That malicious heartbeat more or less tricks the server into sending a random amount of its memory to the user who sent the malicious heartbeat. A random collection of email addresses, usernames and passwords can be enclosed in that memory. Some of those records troublingly, could belong to the company running that server. This affords hackers with a method of infiltrating and exploiting information across the Internet. Solution: Install patches provided by the manufacturer Sources: KERNER, S.M., 2014. Heartbleed Saga Continues: Highlights of Vulnerabilitys First 30 Days. eWeek, , pp. 3-3. Subject: Shell Shock Threat Level Critical Recommended Action System Hardening, Vulnerability Scanning Technical Details The Shellshock issue is a sample of ACE (arbitrary code execution) vulnerability. Classically, ACE vulnerability attacks are carried out on running programs and entail an extremely advanced understanding of the internals of assembly language, code execution and memory layout—the kind of attack that calls for an expert, to be concise (Sampathkumar, Balasubramani 2014). The attacker employed an ACE vulnerability to run a program granting them an easy way of dominating the targeted machine. This is accomplished by means of running a "shell". A shell is a command-line where commands can be executed or entered. Solution The Shellshock vulnerability is a big concern since it eliminates the necessity for specialized knowledge and in turn offers a simple (unfortunately, very basic) means of taking control of another computer or even a web server to make it run code. Sources: SAMPATHKUMAR, R. and BALASUBRAMANI, S., 2014. Vulnerability Management for Cloud Computing - 2014: A Cloud Computing Security Essential. Summary 2 Subject: Malicious Code, USB virus, Bugzilla Threat Level Critical Recommended Action Password Reset, System Hardening, Vulnerability Scanning Technical Details The attack seemingly looked to have been triggered by a malicious computer code referred to as malware, according to people familiar with such matters. Some people suggested, a probable Russian or Eastern European connection with respect to the investigation suspect, judging by the planning of the attacks and the target bank. A person close to the investigation believed that hackers, perhaps, breached J.P. Morgans network initially via an employees personal computer. Once inside, then intruders aptly moved further into the banks systems. Employees frequently use software to intercept corporate networks from home by what are recognized as virtual private networks. Solution Every technology employee had their passwords reset and the implicated personnel had their accounts disabled, as per people accustomed to the banks response. It has been reported that, hundreds of employees amongst J.P. Morgans technology and cyber security teams have labored to inspect data on more than 90 servers that were compromised, since mid-August. A core team of roughly 20 J.P. Morgan employees headed by its chief operating officer, Matt Zames, supervised the organizations reply to the cyber-attack. USB A philosophical split among security researchers is evidenced by Caudill’s statement: There are those who opt to hide the flaws, they discover, beneath wraps so as to protect the public explicitly, and then there are others that rely on disseminating their software exploits considering it the most effective way to pressurize the industry to fix security flaws without delay. In an interview with Wired, Caudill said that even though this particular flaw had not been employed by hackers to date. He imagines that well-funded corporations, like the NSA, have already acquired the capability and might as well be using it. The device’s firmware controls its basic functionality and this is the location where the malware is stored (USB stick caused virus. 2010). Thus, its detection becomes very challenging and on top of that the malware can’t also be deleted by clearing the storage contents. Caudill, additionally exhibited how the malware can be used to conceal files and disable password-protected security features, secretly. Bugzilla August 1 witnessed the organization announcing that the email addresses of 76,000 users and the encrypted passwords of 4,000 users of the Mozilla Developer Network were vulnerably open for a 30 days’ time period following the storage of a database dump file on a publicly accessible server (McHale 2010). A new data security breach that has been disclosed on Wednesday is apparently comparable as it was also brought about due to leaving database dump files in an exposed location on a server for approximately three months beginning May 4th. According to Mark Côté, the Bugzilla project’s assistant lead; the files had been created during the migration of an experimental server for primary builds of the bug tracking software. Sources: USB stick caused virus. 2010. Nelson Mail, The. MCHALE, N., 2010. Managing Library IT Workflow with Bugzilla. Code4Lib Journal, (11), pp. 33-43. Summary 3 Subject: Sandworm, Mozilla, SSL Poodle Threat Level Critical Recommended Action Apply Compensatory Controls Technical Details Targets in the US and Europe are ostensibly being exploited in a limited number of attacks by a grave new vulnerability in the Windows operating system. The Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) lets attackers embed Object Linking and Embedding (OLE) files from external locations. The vulnerability can be manipulated to download and install malware on to the target’s computer. A cyber-espionage group known as Sandworm is apparently using the vulnerability to deliver Backdoor.Lancafdo.A (also recognized as the Black Energy back door) to targeted organizations (Frizell 2014). Mozilla An unverified, remote attacker can make use of this vulnerability in applications using the Cisco OpenH264 library to cause a denial of service condition or execute arbitrary code. This vulnerability is because of incorrect handling of input within encoded media files. Such an attacker could take advantage of this vulnerability to cause an application to unexpectedly terminate using the affected component or to put into effect an arbitrary code having privileges of the targeted application. SSL Poodle The SSL 3.0 vulnerability is the outcome of the manner in which large chunks of data are encrypted under a particular type of encryption algorithm while employing the SSL protocol. The POODLE attack exploits the protocol version negotiation feature built into SSL/TLS to compel the usage of SSL 3.0 and then influences this new vulnerability to decrypt choice content within the SSL session. The decryption is performed byte by byte and generates a great number of connections amongst the server and client (Kerner 2014). As the SSL 3.0 is an old encryption standard, therefore the POODLE attack manipulates the fact that when a secure connection attempt fails, servers retreat to older protocols such as the SSL 3.0. An attacker eliciting a connection failure is then able to coerce the use of SSL 3.0 and try to set off a new attack.  Solution Cisco has verified the presence of this vulnerability and thus released a software patch. The vulnerability was discovered by Oksana and duly reported to Cisco by HPs Zero Day Initiative. Sources FRIZELL, S., 2014. Microsoft Patches Computer Bug Linked to Russian Hackers. Time.com, , pp. 1-1. KERNER, S.M., 2014. POODLE Flaw Found in Legacy SSL 3.0 Encryption. eWeek, , pp. 1-1. Summary 4 Subject: FBI Director Statement, Google secure key, SSL Poodle Threat Level Critical Recommended Action Data validation required Technical Details FBI Director James Comey is evidently a likable guy but it might help if he actually understood encryption better than, suppose the editorial board of the Washington Post, if hes going to attack it. The editorial board of the aforementioned paper, in contrast, recently argued against "backdoors" in technology, and for a mystical "golden key" -- as if the two were somehow dissimilar. On point, just two days ago, Comey had wrongly insisted on a “60 Minutes” interview that the FBI can by no means read one’s email without a court order. This was undeniably false and Comey had to acknowledge that at the Brookings event when called on it. But if needed a "clarification” for that, it looks like he ought to have done much more clarifying then. Google Key Verification offered by Google Accounts lends a formidable yet additional layer of protection to the service. Upon enabling it, you’re asked for a verification code sent to your phone in conjunction to your password, to ensure that it’s actually you signing in from an unfamiliar gadget. Hackers usually work remotely, so this second security aspect makes it difficult for a hacker who has your password to access your account, simply because they don’t have access to your phone. SSL Poodle Concept wise, the vulnerability is quite alike the 2011 BEAST exploit. In order to make the most of POODLE, the attacker must not only be skilled at injecting malicious JavaScript into the victims browser but also be capable of monitoring and maneuvering encrypted network traffic on the wire. This one is complicated as far as MITM attacks go but uncomplicated in execution when compared to BEAST. It’s because the former doesnt require any special browser plugins. If interested in learning the details, the short paper or Adam Langleys blog post can be a big help (Kerner 2014). Solution When using Chrome and Security Key to sign into your Google Account, you can be certain that the cryptographic signature can’t be phished. Seeing that more browsers and websites are getting involved, security-sensitive consumers can expect to maintain a single Security Key that functions anywhere FIDO U2F is supported (Kerner 2014). If interested in learning the details, the short paper or Adam Langleys blog post can be a big help Sources KERNER, S.M., 2014. Google Locks Down Passwords With Security Key Technology. eWeek, , pp. 4-4. KERNER, S.M., 2014. Apple Patches OS X Mavericks for POODLE SSL Flaw. eWeek, , pp. 3-3. Summary 5 Subject: Verizon Cookie, CurrentCm, Spritz Threat Level Critical Recommended Action Technical Details Verizon Cookie This header distinctively classifies users to the websites they visit, just like a cookie. Verizon has added the header at the network level i.e. between the servers through which the user interacts and the users device. Differing from a cookie, the header is attached to a data plan so that whoever browses the web by means of a hotspot or shares a computer using cellular data, finds the same X-UIDH header as each and every one that uses a hotspot or computer. This indicates that advertisers may perhaps develop a profile that divulges private browsing activity offhandedly to friends, family and even coworkers through targeted advertising (Cronan 2014). CurrentC CurrentC had planned partners; retailers like CVS and Rite-Aid. According to a report from MacRumors and a memo procured from SlashGear, those businesses have now long withdrawn their unofficial support for Apple Pay through their present NFC readers. This insinuates that they’ve set up select deals with MCX to employ CurrentC as their mobile payment preference. As John Gruber has pointed out, the issue with the CurrentC system is that it’s geared more towards resolving the fee problems of the retailers ‘credit card rather than the consumers’ payment friction nuisances. Users have to first open their phone, select CurrentC, initiate the scanner, scan the code from the cashier and then also wait for the transaction to be verified. That somewhat presents more friction than the convenience of simply paying with a credit card and it’s indeed harder than a quick Touch ID verification and press of Apple Pay (Rash 2014). Spritz S is an 8-bit permutation which can theoretically be of any size. This is fine for analysis but practically its a 256-element array. i and j are the two pointers that RC4 has into the array, Spritz adds a third: k. The parameter w is basically a constant. Its always 1 in RC4 however it can be any odd number in Spritz (odd means its at all times relatively prime to 256). In both ciphers, i leisurely walk around the array whereas j -- or j and k -- spring around wildly. Both undergo a singular swap of two elements in the array. They both generate an output byte, z, which is a function of all the former parameters. In Spritz, the previous z is a component of the calculation of the current z (Meeker 2014). Solution Sources CRONAN, B., 2014. Verizon Wireless tracking 100 million users with undetectable supercookie. Christian Science Monitor, , pp. N.PAG-N.PAG. RASH, W., 2014. CurrentC System Attacked Soon After Some Merchants Block Apple Pay. eWeek, , pp. 1-1. MEEKER, K., 2014. Spritz. Boise Weekly, 22(51), pp. 21-21. Summary 6 Subject: AVG, Facebook TOR, Flash Redirect, current, MAC OS Root Pipe Threat Level Critical Recommended Action Technical Details AVG A very portentous forecast made by Yuval Ben Itzhak was that a “thief outside the door” could have power over devices like laptops or smart televisions, from outside a target’s home burglarizing them without even destroying their windowpane. In the upcoming years, the exposure of technology that uses voice instructions is likely to become significant concern as the linked home devices and smart watches are raising their reputation and the technology becomes common. According to Yuval’s warning, the upcoming time signifies that the hackers have used the evidence or utilize speech command instructions to evade security system. But this terrifying truth is in the vicinity as security explorers have by now deal with deception, Siri into teasing them avoiding the lock monitor on an I Phone and post Face book messages, call records, sent text messages and fire off electronic messages. Facebook TOR Facebook has produced a connection that will let users access it from the Tor systems, in a proposal to react to continuing privacy apprehension post- PRISM. According to an Engineer for security infrastructure, Ale, in the service, registering it as a means by which can guard their information from cyber attackers and circumstances (Datko 2014). Accordingly, Facebook’s onion lectured to present a way to get to Facebook through Tor without trailing the encoded fortification offered by the Tor cloud”, he referred. Flash Redirect Various conciliated websites, together with a Caaegie Mellon sphere, emerges to be connected with a movement that conveys users to take advantage of stuff holding pages. According to senior security researcher at Malwarebyte labs, Jerome Segura, an Adobe Flash based forward lettering was infused in numerous of the influenced sites as in July. Once the Flash application was encrypted on the pointed pages, the users were forwarded to a gyratory list of sub domains, which were scheduled by attackers who could easily thrust aside the URLs and concealed their attacks. CurrentC It’s undeniably worse news for Current C that its syndicate has been attacked before it was even commenced but at least the financial data was not revealed. “The Current C application was not effected itself”, according to a MCX spokesperson. Unconstitutional third parties acquired the email addresses of some of our Current C pilot program contestants and entities that had shown interest in the application. Many of these email addresses are fake accounts and used for checking intention only. MAC OS Root Pipe Installation of the malevolent software or other dangerous alterations could be made by the hackers, once they have oppressed, without the requirement of any password. The attackers could easily get access to the user’s insightful data like password or bank account details or even the entire computer could be formatted by the attacker which could erase all important information from the device. Kvarnhammar has also presented a video to enlighten his preliminary discussion. Summary 7 Subject: MS14-066, Transparency of the Certificate, Rooter Vulnerability Threat Level Critical Recommended Action Technical Details MS14-066 MS14-066 has not been Microsoft’s best susceptible publication. The early notice lost the vital information (like the effect of the certificate bypass vulnerability). Till now, an overall 3 weaknesses are being talked about in concurrence with MS14-066, while the report only lists one CVE number. The reason by which the bug was released has also caused puzzlement, with some Microsoft journal listing exterior discovery (but private expose) and others indicative of internal leak (Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014, Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014). Transparency of the Certificate This intends to diminish the trouble of misused certificates by presenting, publicly reviewable, append only, unfrosted logs of all issued certificates. They are open to all for inspection so that anyone can look out for the accuracy verification of each log and to examine when new certificates are added to it. The ‘misuse’ is not avoided by the logs themselves, but they make sure that concerned parties (particularly certificate holders) can identify such miss issuance. Rooter Vulnerability “Linksys is known of the malware called ‘The Moon’, which has influenced selected order, Linksys E-Series routers and select older wireless-N access points and routers”, said Karen Sohl, director of Global communications at Belk in, in an email, Sunday. “The utilization to bypass the admin certification used by the worm only works when the Remote Management Access feature is facilitated. Linksys ship these products with the Remote Management Access feature turned off by default.” (Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014, Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014) Linksys shared an article on its website along with directions on how to install the latest firmware version and put out of action the Remote Management on influenced devices. This explanation might not be convenient for router supervisor who is required to manage devices organized in remote locations, but till now it emerges to be the only official alleviation strategy proposed by the dealer. Solution It should be noted that this is a broad system, but in this deed we only refers its use for public TLS server certificate issued by public certificate authorities. Sources Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014. ThomasNet News, , pp. 1. Summary 8 Subject: DirtBox, Firefox Forget, Let’s Encrypt Threat Level Critical Recommended Action Technical Details DirtBox In order to impersonate a particular supplier, these dirtboxes are complicated enough. For example, if a drug trader under inspection uses Verizon, then the device make believed to be a Verizon cell tower and links to all the mover’s subscribers in the locality. One’s a target is identified (at which points, links to other people’s phones are down), the box can locate his position within 3meters and down to a particular room. Quite often, planes loaded with these boxes are arranged by it would not have been revealed by the WSJs (the whole country’s population is being covered by their flying range), but according to them Cessnas fly out on regular basis to target a handful of criminals per flight. Firefox Forget After limited time duration, Forget feature leads to clear the browser history. To use that, one should click on Menu and Customize, drag and drop Forget button onto the toolbar, this is all needed once only and does not need to be upgraded from V33.0.3, as it gets updated automatically, then exit the Customize window. This Forget key comes up with the option to clear the browsing history for the last 24hours, 2 hours or last 5minutes.According to Mozilla, if one forgets to open Private browsing window in Firefox browser, then forget button could be constructive. Let’s Encrypt The key values behind Let’s Encrypt are: Free: - An authenticated certificate for the domain holder is available freely without any cost. Automatic:-The whole renewal occurs automatically in the surroundings along with the whole conspirator procedure for certificates without any trouble during the server’s local installation. Secure: - In order to implement the latest security methodologies and performances, let’s encrypt will serve efficiently. Transparent: - An open inspection could be done by any of the user who needs to investigate the issuance and revocation of certificates. Open: - The programmed issuance and renewal procedure will be an open standard and will be open source as much of the software as doable. Cooperative:- Let’s encrypt is a combined attempt to assist the entire society, afar from the control of one organization much like the underlying internet protocol themselves. Summary 9 Subject: Regin Malware Threat Level Critical Recommended Action Technical Details Regin Malware Regin is known as an superior piece of malware, it has been utilized in systematic spying promotion against a range of international targets since at least 2008.Regin could be consider as a composite piece of malware whose infrastructure shows a scale of technical skill hardly ever observed. It offers its users with a controlling work forum for group observation and has been utilized in spying purpose against lawful organizations, architectural operators, businesses, researchers and private entities. Its development might take months if not years to accomplish and its producers have gone extra miles to wrap its path. Its abilities and the level of resources behind Regin show that it’s one of the primary cyber intelligence tools used by a nation (Olson 2014). We can refer Regin as a multi-level threat and each level is hidden and encoded, with the exemption of first level. Execution of the first level initiates with a domino chain of decoding and loading of each consequent level for a total of 5 levels. Little information is provided by each individual level on the entire package. In order to scrutinize and comprehend the threat deeply one should able to acquire all five levels. An advanced procedure used by Regin, facilitates it to load customized features to the object. The multi-level loading structure is similar to that observed in the Duqu/Stuxnet family of risks; this moderate approach has been observed in other complicated malware families such as Flamer and Weevil (The Mask) (Olson 2014). In short, Regin is a highly complicated threat which has been utilized in systematic information assortment or intelligence accumulating movements. The improvement and operation of this malware would have needed a considerable investment of time and resources, pointing that a nation is accountable for that .Against targets, its design makes it highly suitable for persistent, long term surveillance systems. Sources OLSON, P., 2014. Meet Regin, The Sophisticated Malware That Spies On Telco Networks. Forbes.com, , pp. 1-1. Summary 10 Subject: TOR, Firefox Threat Level Critical Recommended Action Technical Details TOR According to the explanation by the security advisor, the bad players were leveraging a vital defect in Tor to adjust the protocol narrative in order to execute a traffic affirmation attack and infused a special code into the protocol subtitle used by the attackers to evaluate definite metrics from impart to de- anonymize users. The report by the advisors entails that 115 cruel fast non-exit relays (6.4% of whole Tor network) were engaged in the attack, both the ends were being actively monitored by the servers of a Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad players were using them trying to de-anonymize Tor users who stay and run professed unknown services. The mean relays attached the Tor network on January 30th 2014 and experts at Tor Project erased them from the network on July 4th 2014. Firefox Until now, we could only get access to the various wicked websites, now the Safe Browsing service monitors downloaded file too. You could be now guarded from more malware by comparing files you download against different malicious files with the latest version of Firefox( as of July22) and keep blocking them from effecting your computer with this version. Solution Even more wicked downloads on windows will be guarded by the next version of Firefox (released in September). Firefox will verify the signature as you download an application file. If it’s signed, then it’ll match the sign with a list of known protected publishers. If the sign is not recognized by the list as “safe” or as “malware”, Firefox then refers to the Google Safe Browsing service if the software comes to be safe by sending it some of the download’s metadata. We must know that if the publisher is not known well only then this online check will be performed in Firefox on windows. As most of the software is secure and signed, so this final test won’t be there for all time. References KERNER, S.M., 2014. Heartbleed Saga Continues: Highlights of Vulnerabilitys First 30 Days. eWeek, , pp. 3-3. SAMPATHKUMAR, R. and BALASUBRAMANI, S., 2014. Vulnerability Management for Cloud Computing - 2014: A Cloud Computing Security Essential. USB stick caused virus. 2010. Nelson Mail, The. MCHALE, N., 2010. Managing Library IT Workflow with Bugzilla. Code4Lib Journal, (11), pp. 33-43. FRIZELL, S., 2014. Microsoft Patches Computer Bug Linked to Russian Hackers. Time.com, , pp. 1-1. KERNER, S.M., 2014. POODLE Flaw Found in Legacy SSL 3.0 Encryption. eWeek, , pp. 1-1. KERNER, S.M., 2014. Google Locks Down Passwords With Security Key Technology. eWeek, , pp. 4-4. KERNER, S.M., 2014. Apple Patches OS X Mavericks for POODLE SSL Flaw. eWeek, , pp. 3-3. CRONAN, B., 2014. Verizon Wireless tracking 100 million users with undetectable supercookie. Christian Science Monitor, , pp. N.PAG-N.PAG. RASH, W., 2014. CurrentC System Attacked Soon After Some Merchants Block Apple Pay. eWeek, , pp. 1-1. MEEKER, K., 2014. Spritz. Boise Weekly, 22(51), pp. 21-21. DATKO, J., 2014. BeagleBone for Secret Agents. Trend Micro Raises Awareness about Microsoft Windows SChannel Vulnerability. 2014. ThomasNet News, , pp. 1. OLSON, P., 2014. Meet Regin, The Sophisticated Malware That Spies On Telco Networks. Forbes.com, , pp. 1-1. Read More