Information Security News
by Sean Gallagher
Over a week after the revelation of a fatal flaw in the most recent versions of the OpenSSL cryptographic library—the encryption at the heart of much of the Internet’s security—a large number of systems associated with the Tor anonymizing network remain unpatched and vulnerable to attack. To protect the security of the network, the Tor Project flagged relay servers still susceptible to the Heartbleed bug for rejection, meaning they would not be allowed to pass traffic to the core of the network.
The Heartbleed bug, which allows attackers to retrieve bits of memory from the encryption engine, still affects about 10 percent of the relays and gateways that allow users to connect to the network, which could expose the encryption keys and even the IP addresses of users.
In a blog post on April 7, the Tor Project alerted users of the bug, which affected the Tor client, relay, and bridge software; Tor’s “Hidden Service” darknet Web services; and even its internal directory servers. The Orbot client for Android was also vulnerable. The Tor Project team has been moving to provide patches for all of the components, and most of the core network was quickly secured.
Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.
"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."
This week I received a very valuable e-mail from the DNP Technical Committee Chair, Mr. Andrew West, who made an excellent observation: the very slow adoption of DNP3 Secure Authentication Version 5, which is the latest security enhancement for the DNP3 protocol. Today I want to talk about this standard and the advantages of adopting it in your DNP3 SCADA system.
This standard has two specific objectives:
This standard minimizes the following risks:
The following diagram shows the implementation architecture for this standard:
|DNP Application Layer|
|DNP Secure Authentication|
|DNP Transport Function|
|DNP Data Link Layer|
|Serial|Internet Protocol Suite|
As seen, an additional level is added before the application layer, providing the new security features. Unfortunately, there are two specific reasons that are preventing this standard from being widely deployed in the world:
Cybersecurity is still not mature in the ICS industry and has a long way to go. Information security professionals working in the ICS world have a really big challenge: we need to demonstrate that information security controls like this standard will have a return on investment for the company, and that the risk of not having them, when operating critical infrastructure for a country, could be catastrophic, with incalculable impacts. This standard works and won't put any ICS facility at risk, and we all have a responsibility to ensure its implementation in our companies.
Pro2col Announces Its Presence at InfoSec and an Exclusive Distribution Deal ...
PR.com (press release)
Leading independent file transfer specialists Pro2col, who will be exhibiting at InfoSec, is also pleased to announce an exclusive agreement with Thru to distribute their file transfer solution in the UK and Ireland. London, United Kingdom, April 16 ...
Developers at Internet services company Netcraft have released a browser extension that makes it easy for Web surfers to know if the site they're visiting is vulnerable to the catastrophic Heartbleed vulnerability.
The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.
The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.
Posted by InfoSec News on Apr 17: http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/
Posted by InfoSec News on Apr 17: http://www.bloomberg.com/news/2014-04-17/u-s-agent-lures-romanian-hackers-in-subway-data-heist.html
Posted by InfoSec News on Apr 17: http://www.infosecnews.org/host-unknown-presents-im-a-c-i-double-s-p-cissp-parody/
Posted by InfoSec News on Apr 17: http://www.zdnet.com/top-chinese-hacking-team-reveals-members-identities-7000028388/
Posted by InfoSec News on Apr 17: http://www.newrepublic.com/article/117389/ftc-gains-control-cybersecurity-measures-after-wyndham-hotels-case