Targeting the HVAC | TechSNAP 148

We finally have the answer to how the Target network was physically breached, and it just might make you face-palm.

Plus some urgent Adobe news, the NSA ORCHESTRA program, and a big batch of your questions and our answers.

All that and a heck of a lot more, on this week’s TechSNAP!

— Show Notes: —

Security Protocols and Evidence

  • Researchers at Cambridge propose a new way of thinking about security protocols: designing into them the facilities required to generate proper evidence that can be used in court for dispute resolution
  • The goal of the research is to highlight the types of design considerations that should be put into cryptocurrency systems like bitcoin and other payment systems like electronic banking and mobile payment apps
  • The research uses EMV (Chip&Pin) as an example and shows how it does not currently provide the evidence required for proper dispute resolution
  • The paper outlines 5 design considerations:
  • Principle 1: Retention and disclosure. Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody
  • Principle 2: Test and debug evidential functionality. When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses
  • Principle 3: Open description of TCB (trusted computing base). Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations
  • Principle 4: Failure-evidentness. Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism
  • Principle 5: Governance of forensic procedures. The forensic procedures for investigating disputed payments must be repeatable and be reviewed regularly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures
  • The paper then goes on to describe ways these principles could be applied to the existing EMV system to improve its security and dispute resolution facilities

Target Hackers Broke in Via HVAC Company

  • Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor.
  • Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
  • Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • The HVAC company president confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation
  • It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
  • According to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
  • Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
  • Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
  • While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.
  • These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
  • These compromised hosts serve as cut-outs: after the stolen data is copied from them by the attacker, the logs can be erased to break the trail of evidence

Adobe announces emergency patch for Flash Player, flaw being exploited in the wild

  • Adobe has issued an emergency security advisory for all versions of Flash Player
  • Adobe released 12.0.0.44 for Windows and Mac, and 11.2.202.336 for Linux and FreeBSD
  • Bundled versions for Chrome (12.0.0.41) and Internet Explorer (12.0.0.38) were also updated to 12.0.0.44
  • “These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).”
  • Researchers Alexander Polyakov and Anton Ivanov of Kaspersky Lab discovered an exploit for the vulnerability being used in the wild and reported it to Adobe
  • Adobe has released no further details about the ongoing attack
  • Researcher’s Post
  • “During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later”
  • “The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment”
  • “Most interesting, the authors appear to be native in yet another language which has been observed very rarely in APT attacks.”
  • The language in question appears to be Korean
  • Kaspersky Labs have released more technical details about the exploit
  • Additional Coverage
