Information Security News
Adobe is going to release eight security updates for Adobe Acrobat and Reader for Windows and Macintosh next Tuesday, October 13, 2015. A list of the updates is available here.
Attackers are infecting a widely used virtual private network product sold by Cisco Systems to install backdoors that collect user names and passwords used to log in to corporate networks, security researchers said.
A researcher from security firm Volexity told Ars that he's aware of about a dozen attacks successfully infecting Cisco's Clientless SSL VPN, but he said he suspects the total number of hacks is higher. The attacks appear to be carried out by multiple parties using at least two separate entry points. Once the backdoor is in place, it may operate unnoticed for months as it collects credentials that employees enter as they log in to company networks.
The Clientless SSL VPN is a virtual private network product that works with Cisco's Adaptive Security Appliance. Once users have authenticated themselves, the Web-based VPN allows employees to access internal webpages and internal file shares plus launch plug-ins that allow them to connect to other internal resources through telnet, SSH, or similar network protocols.
by Sean Gallagher
A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems—potentially causing interruptions in electrical power or even damage to the reactors themselves. The study, undertaken by Caroline Baylon, David Livingstone, and Roger Brunt of the UK international affairs think tank Chatham House, found that many nuclear power plants' systems were "insecure by design" and vulnerable to attacks that could have wide-ranging impacts in the physical world—including the disruption of the electrical power grid and the release of "significant quantities of ionizing radiation." It would not require an attack with the sophistication of Stuxnet to do significant damage, the researchers suggested, based on the poor security present at many plants and the track record of incidents already caused by software.
The researchers found that many nuclear power plant systems were not "air gapped" from the Internet and that they had virtual private network access that operators were "sometimes unaware of." And in facilities that did have physical partitioning from the Internet, those measures could be circumvented with a flash drive or other portable media introduced into their onsite network—something that would be entirely too simple given the security posture of many civilian nuclear operators. The use of personal devices on plant networks and other gaps in security could easily introduce malware into nuclear plants' networks, the researchers warned.
The security strategies of many operators examined in the report were "reactive rather than proactive," the Chatham House researchers noted, meaning that there was little in the way of monitoring of systems for anomalies that might warn of a cyber-attack on a facility. An attack could be well underway before it was detected. And because of poor training around information security, the people responsible for operating the plants would likely not know what to do.
That problem is heightened by what the researchers characterized as a "communication breakdown" between IT security professionals and the plant operations staff, and a simple lack of awareness among plant operations people about the potential dangers of cyber-attacks. Cultural differences between IT and nuclear engineering culture cause friction at some facilities, in fact—making it difficult for IT and security staff to get across the problem with the poor security practices in the plants.
SHA1, one of the Internet's most crucial cryptographic algorithms, is so weak to a newly refined attack that it may be broken by real-world hackers in the next three months, an international team of researchers warned Thursday.
SHA1 has long been considered theoretically broken, and all major browsers had already planned to stop accepting SHA1-based signatures starting in January 2017. Now, researchers with Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore have released a paper that argues real-world attacks that compromise the algorithm will be possible well before the cut-off date. The results of real-world forgeries could be catastrophic since the researchers estimate SHA1 now underpins more than 28 percent of existing digital certificates.
SHA1 is what's known as a cryptographic hash function. Like all hash functions, it takes a collection of text, computer code, or other message input and generates a long string of letters and numbers that serve as a cryptographic fingerprint for that message. Even a tiny change, such as the addition or deletion of a single comma in a 5,000-word e-mail, will cause a vastly different hash to be produced. Like all fingerprints, the resulting hash is useful only as long as it's unique. The moment two different message inputs produce the same hash, the so-called collision can open the door to signature forgeries that can be disastrous for the security of banking transactions, software downloads, and website communications.