Another SSL Attack – But Don’t Panic

SSL and TLS, the security protocols that protect most of our banking and ecommerce transactions, are a complicated beast, all the more so because of the many options they offer.

Ars Technica, in an article titled “Noose around Internet’s TLS system tightens with two new decryption attacks”, discussed a paper presented at Black Hat Asia that describes a new attack, dubbed the Bar Mitzvah attack (do researchers have contests to come up with strange names?) because the weakness it exploits has been around for 13 years.

As Ars reports, RC4, named after crypto pioneer Ron Rivest of RSA, has been known to be weak for years. But weak is a relative term. One attack, from 2013, required the attacker to see 17 billion encryptions of the same text to reveal SOME of the data in the encrypted stream.

Now researchers have improved that attack. With only 67 million encryptions, they can recover passwords 50% of the time.

In the second new attack, presented at Black Hat Asia and dubbed the Bar Mitzvah attack, attackers need to sample around a billion encryptions to recover a credit card number.

RC4 is used by around 30 percent of Internet TLS (HTTPS) traffic.

As I said above, SSL and its newer cousin TLS have many options. Some say too many options. These attacks don’t seem to present a huge problem yet, but if the first attack went from 17 billion encryptions to 67 million in a year, what will next year bring?

The simple solution, as with the FREAK attack earlier this year, is to disable known weak ciphers. But this must be done on the server side for a web site to be secure, and there is no way for the customer of a bank, for example, to easily know whether the bank has disabled these older, weaker ciphers. With the FREAK attack, one method of delivery was for a user of a public WiFi router to be forced onto the weak ciphers by a man-in-the-middle attack at that public WiFi access point.
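Disabling weak ciphers is a server-side configuration change, and the only way to be sure it took effect is to look at what the server will actually offer. The following added example (mine, not from the article or any of the vendors it mentions) expands an OpenSSL-style cipher string with Python’s `ssl` module and flags the families this post is about: RC4 suites, export-grade suites, plus null and MD5-based suites that a modern policy also drops. The two policy strings and the marker list are my own assumptions for illustration.

```python
import ssl

# Name fragments that identify the cipher families to be disabled: RC4
# (Bar Mitzvah and the 2013 biases), export-grade suites (FREAK), and the
# null-encryption and MD5-based suites that any modern policy also drops.
WEAK_MARKERS = ("RC4", "EXP", "NULL", "MD5")

# Constructed policies for illustration, not any real site's configuration.
LEGACY_POLICY = "ALL:@STRENGTH"
HARDENED_POLICY = ("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:"
                   "!aNULL:!eNULL:!RC4:!EXPORT:!MD5")


def flag_weak(cipher_names):
    """Return the suite names that belong to one of the weak families."""
    return [name for name in cipher_names
            if any(marker in name.upper() for marker in WEAK_MARKERS)]


def negotiable(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Expand a cipher string into the suites a server context built from it
    would really offer, as resolved by the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return [suite["name"] for suite in ctx.get_ciphers()]


def audit(cipher_string):
    """Weak suites a server configured with cipher_string would still offer."""
    return flag_weak(negotiable(cipher_string))


if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        offered = negotiable(policy)
        print(f"{label}: {len(offered)} suites offered, weak: {flag_weak(offered)}")
```

One caveat when running this: recent OpenSSL builds no longer compile RC4 or export suites in at all, so even the legacy policy may come back clean on a current workstation. The check is meaningful on the server itself, linked against whatever library it actually serves with; a clean result on your laptop says nothing about a server still running an old OpenSSL.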

This is why I recommend NEVER doing your banking over a hotel or coffee shop WiFi. There is a new attack today against a very popular hotel WiFi system (see news here) for which there is a patch. However, the researchers who revealed the attack did not say, for security reasons, which hotels of which chains run that system, and users have no way of knowing whether the hotel has applied the patch.

All this means that IT shops need to spend more time and effort on the care and feeding of the security components of their server farms.


EU-US Privacy Safe Harbor May Be In Jeopardy

Max Schrems, whom I have written about before (see post), is continuing his fight against Facebook. He first took his battle to the Irish Data Protection Commissioner (DPC), since Facebook Europe is based in Ireland, but the DPC declined to take the case because, it said, it had no legal requirement to do so (meaning: this is a hot potato and I don’t want to be associated with it).

Schrems next took the case to the European Court of Justice in Luxembourg, where a decision is expected on June 24th.

The basic argument is that since the NSA, according to Snowden documents, can look at EU residents’ data, the Safe Harbor agreement written 15 years ago is a sham and does not protect EU citizens’ data that is stored in the U.S. In general, U.S. companies don’t dispute that they have been unable to stop the NSA from looking at their data, and it appears some companies may even have cooperated with the NSA. But the U.S. companies’ business models sort of require that they consolidate the data somewhere, and moving U.S. data to Europe doesn’t work for them either.

IF, and it is a big if, the ECJ rules that the safe harbor agreement between the EU and the U.S. violates EU law, companies like Facebook, Microsoft and Google (and probably hundreds or thousands of other companies) that routinely take EU data and move it to the U.S. will no longer have a safe harbor for moving that data and would be subject to EU privacy lawsuits. Since EU law is much stricter than U.S. law, U.S. companies do not want this to happen. I assume they are planning for the worst, just in case.

The EU and U.S. have been negotiating a new agreement for years, but it doesn’t seem to be making much progress. IF the court rules that the safe harbor provision violates EU law, everyone will get real motivated to come up with a new agreement very quickly, I suspect.

Next chapter comes out on June 24.


Radio Shack Puts Its Customer Database Up For Sale

Remember when you bought that phone or USB cable at Radio Shack and they asked for your name and email address? CBS is reporting that Radio Shack listed that data as an asset in its bankruptcy and has put it up for sale.

That means your name, address, phone number and purchase information is up for sale to the highest bidder. That is, assuming the bankruptcy judge agrees. Judges have agreed in the past, with some stipulations.

That would be info on 117 million customers.

One rub – Radio Shack’s privacy policy says that they won’t sell or rent your personally identifiable information to anyone at any time.

AT&T is not happy because the current highest bidder is the company planning to buy half the stores and co-brand them with Sprint.  AT&T doesn’t want Sprint to have their customer list.

The AGs in Texas and New York aren’t happy either.

Unfortunately, federal bankruptcy law likely will trump these objections. If the judge says yes, there may be lawsuits.

One thing you can do is, when you go into a store and they ask for your information, say no.  With few exceptions (buying a cell phone, unfortunately, is one of them since they are extending you credit) you do not have to cough up your info.  It is fun to watch the clerk’s reaction when you say NO in response to the request for information.  It is clear that some stores do not train their staff for that answer.  Other stores just move along.  I have seen many clerks enter some information after I said no – garbage in, garbage out.

What Radio Shack is doing – selling customer data – is not that unusual.  It is just that they usually try to do it away from the street lights in a dark alley.  Radio Shack is doing it under the spotlight of the bankruptcy court.


Hacking, Sci-Fi Style

Researchers at David Ben Gurion University in Israel have demonstrated controlling a toy rocket launcher attached to an air gapped computer by another computer nearby (see article).

There are lots of limitations to this attack, but it still shows how a motivated attacker, like the NSA or its competitors, can suck data out of a computer if they want to.

This is likely not an attack we should worry about protecting our home or business computers from, but it is still impressive.

Current limitations of the attack include that there have to be two computers within 15 inches of each other, one being the air-gapped one and the other being connected to the Internet. This is not an uncommon situation in places like oil refineries or nuclear power plant control rooms.

Both computers need to be infected with the malware, and the data rate is really slow, about 8 bits an hour. The key is to send very small commands and get back very small responses.

The technique works by having one computer raise its temperature a little bit, having the other computer’s heat sensors detect that rise, and then letting the temperature drop again; the rises and drops encode the 1s and 0s.
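To make the 8-bits-an-hour figure concrete, here is an added toy model of that channel (my own illustration, not the Ben Gurion researchers’ code, and it touches no real hardware). A “sender” raises its target temperature for a whole bit slot to signal a 1 and idles to signal a 0; the “receiver” only sees that through a sensor that lags behind, which is why each slot has to be minutes long. The same trace feeds a simple defender-side check: count how often the reading crosses a midpoint threshold, the kind of regular square wave a thermal-telemetry monitor would alert on. All the numeric constants (slot length, sensor polling, temperature rise, lag) are assumptions for illustration.

```python
"""Toy model of a thermal covert channel between two nearby machines.
Constructed example: no real sensors or hardware are involved."""

SLOT_MINUTES = 7.5                    # 8 bit slots per hour, the rate quoted above
SAMPLE_MINUTES = 0.5                  # sensor polled every 30 s (assumed)
SAMPLES_PER_SLOT = int(SLOT_MINUTES / SAMPLE_MINUTES)   # 15 samples per slot
BASELINE_C = 40.0                     # idle sensor reading (assumed)
HEAT_RISE_C = 1.5                     # steady-state rise the sender can induce (assumed)
ALPHA = 0.25                          # sensor lag: fraction of the gap closed per sample
THRESHOLD_C = BASELINE_C + HEAT_RISE_C / 2   # midpoint used by receiver and monitor


def heat_schedule(bits):
    """Target temperature per sample: raised for the full slot when the bit is 1."""
    schedule = []
    for bit in bits:
        target = BASELINE_C + (HEAT_RISE_C if bit else 0.0)
        schedule.extend([target] * SAMPLES_PER_SLOT)
    return schedule


def simulate_sensor(schedule, alpha=ALPHA):
    """First-order lag: each sample the reading moves a fraction of the way
    toward the current target. Thermal inertia is what caps the bit rate."""
    readings, temp = [], BASELINE_C
    for target in schedule:
        temp += alpha * (target - temp)
        readings.append(round(temp, 3))
    return readings


def decode(readings):
    """Receiver side: sample once at the end of each slot, compare to the midpoint."""
    return [1 if readings[i] > THRESHOLD_C else 0
            for i in range(SAMPLES_PER_SLOT - 1, len(readings), SAMPLES_PER_SLOT)]


def threshold_crossings(readings):
    """Defender side: count midpoint crossings. A machine at steady load rarely
    crosses it; repeated crossings at a fixed cadence are worth an alert."""
    above = False          # start from idle, i.e. below the midpoint
    crossings = 0
    for reading in readings:
        now_above = reading > THRESHOLD_C
        if now_above != above:
            crossings += 1
            above = now_above
    return crossings


def run_channel(bits):
    """Encode, pass through the sensor model, decode. Returns (decoded, crossings)."""
    readings = simulate_sensor(heat_schedule(bits))
    return decode(readings), threshold_crossings(readings)


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]        # one hour of traffic at 8 bits/hour
    decoded, crossings = run_channel(message)
    print("sent    ", message)
    print("decoded ", decoded)
    print("midpoint crossings in that hour:", crossings)
```

With the lag modelled here the reading gets within about 2% of its target by the end of a 7.5-minute slot, so the decoder is reliable at 8 bits an hour; shorten the slot much and the bits start to smear into each other, which is the physical reason the channel is so slow. The crossing counter is deliberately simple; a real monitor would also compare the cadence against the machine’s workload schedule before alerting.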

The technique does suggest that physically separating those two classes of computers in a high security environment is probably a good idea.

The same folks at Ben Gurion previously showed that they could take an infected video card and use the FM radio receiver in a mobile phone to transmit data from the PC to the phone.  This new attack, while having a much lower data rate, is bidirectional.

The article also talks about the NSA version of these techniques.  The basis for that is documents leaked by Edward Snowden and dated 2008, so things are probably way better by now.

The Tailored Access Operations (TAO) division of the NSA is known for modifying hardware, although with software getting a lot better, that is likely becoming less important. If you mess with the hardware, you have to get physically near either the manufacturer or the attack target. With software, you can do it from the other side of the globe.

One NSA technique, called Cottonmouth-1, embeds a tiny transmitter and receiver into a USB connector to both extract data and inject malware. It can transmit to a suitcase-sized controller up to 8 miles away. Obviously, this could be detected by spectral analysis (watching for unexpected radio signals) or defeated by RF shielding, but that would likely only happen in an ultra-secure government facility (hopefully including embassies and military installations). If you are hacking bad guys or businesses, it is highly unlikely that they would detect it.

If you are into James Bond-esque stuff, Bruce Schneier talks about Cottonmouth, Straitbizarre, Genie, Chimneypool and Howlermonkey, among other NSA goodies here.


Hilton Honors Web Site Flaw Found and Fixed

I have to both harass and compliment Hilton.

Until recently, Hilton was offering Honors members 1,000 points to change their passwords.

First the harassment:

A security staffer at BancSec figured out that you could hijack any other Honors account by guessing or knowing the account number and making a small change to the site’s HTML.

The hacker could then redeem points, change the password and do anything that the hacked user would be able to do.

This might indicate a lack of white hat hacking on Hilton’s part.

And now the compliment part:

After being informed, Hilton immediately blocked password changes, effectively stopping, at least, the hijack part of this hack. Hilton quickly fixed the flaw as well.

This hack, a cross-site request forgery attack (see here), exposed some design flaws as well. For example, Hilton did not require you to enter your old password when you changed your password. If it had, the attackers in this case would not have been able to hijack random accounts, because they did not know any of the existing passwords.
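The two design points in that paragraph, a request that is not tied to the user’s session and a password change that never asks for the current password, are easiest to see side by side. The following is an added example of my own, not Hilton’s code and not the BancSec researcher’s findings: a framework-free sketch of a password-change handler in the vulnerable shape the post describes, next to a hardened one that takes the target account from the server-side session, checks a per-session CSRF token, and re-verifies the current password. The account numbers, passwords and point balances are constructed.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str, points: int) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "points": points}


# Constructed in-memory account store keyed by loyalty account number.
ACCOUNTS = {
    "10000001": _make_account("alice-original-pw", 12_000),
    "10000002": _make_account("bob-original-pw", 3_500),
}


def verify_password(account_no: str, password: str) -> bool:
    acct = ACCOUNTS[account_no]
    return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))


def _set_password(account_no: str, new_password: str) -> None:
    acct = ACCOUNTS[account_no]
    acct["salt"] = secrets.token_bytes(16)
    acct["pw_hash"] = _hash_password(new_password, acct["salt"])


class Session:
    """Server-side session: who is logged in, plus a token issued only to them."""
    def __init__(self, account_no: str):
        self.account_no = account_no
        self.csrf_token = secrets.token_urlsafe(32)


# --- Vulnerable shape: the flaw the post describes ---------------------------
# Trusts the account number submitted in the form, asks for no current
# password, and has nothing tying the request to the user's own session.
def change_password_vulnerable(form: dict) -> str:
    account_no = form.get("account_no")
    if account_no not in ACCOUNTS:
        return "no such account"
    _set_password(account_no, form["new_password"])
    return "changed"


# --- Hardened shape ------------------------------------------------------------
def change_password(session: Session, form: dict) -> str:
    # 1. CSRF: the form must carry the token issued to this very session.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session.csrf_token.encode()):
        return "rejected: bad csrf token"
    # 2. The target account comes from the session, never from the request body,
    #    so guessing someone else's account number buys nothing.
    account_no = session.account_no
    # 3. Re-authenticate: the current password must be supplied and correct.
    if not verify_password(account_no, form.get("current_password", "")):
        return "rejected: current password wrong"
    _set_password(account_no, form["new_password"])
    return "changed"
```

The ordering in the hardened handler is deliberate: the cheap token comparison runs before the expensive password hash, and the account number in the request body is never consulted at all, so a forged form carrying someone else’s number is rejected without ever touching that account. Re-checking the current password is what would have stopped this particular hijack even if the CSRF defence had been missing.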

Apparently, the 1,000-point reward was designed to speed up the migration from Hilton’s old 4-digit PIN login to an 8-digit complex password. The old 4-digit PIN security caused a large number of Hilton Honors accounts to be hijacked last year. Starting April 1st, users who try logging on with their PIN will be forced to select a password.


Target Agrees To $10 Million Fund For Breach Victims

UPDATE: KARE11 in Minneapolis is reporting that if you include attorneys’ fees and other costs, Target will be on the hook for around $25 million (see article) and that payments could begin as early as April 30th.

NPR is reporting that Target has agreed to set up a $10 million fund for victims of last year’s credit card breach.  The agreement still has to be approved by the judge.  Individual victims could get up to $10,000.

The agreement says that Target will appoint a chief information security officer (I am surprised they don’t have one), create a formal information security program and train employees.  None of this is earth shaking.

What is earth shaking is that victims will be able to be reimbursed for:

  • Unauthorized and unreimbursed credit card charges
  • Time spent addressing those charges
  • Fees paid to hire someone to fix their credit report
  • Higher interest rates on accounts
  • Credit-related costs like buying a credit report
  • Costs to replace IDs like SSNs or phone numbers

Victims will have to provide reasonable documentation.

Target is still having hard times after the breach, recently announcing it will close all 133 Target Canada stores, laying off 17,000 employees. Earlier this month it laid off another 1,700 employees and cancelled 1,400 open positions.

The reason this agreement is important is that it sets a precedent that breached businesses are responsible for protecting information and are responsible for victims’ costs of dealing with the after-effects of a breach.

For the most part, up until now, businesses said that they would offer you credit protection and besides that, all the other costs were your responsibility.  After all, the credit card companies and banks eventually credited your account, returned overdraft charges and such.

This precedent may also mean that businesses could be liable for the effects of other, non-credit card, stolen information.

What is not clear is how or if this affects other suits pending, such as the ones the banks have initiated to recoup their costs of replacing credit cards.
