FREAK SSL Bug Forces Security Makers to Scramble for a Fix

On March 3, security researchers noted that an age-old SSL bug—in existence for more than 10 years—allows hackers, under the right conditions, to carry out a man-in-the-middle attack and gain access to potentially sensitive information.

FREAK (Factoring RSA-EXPORT Keys) SSL relies on outdated ‘export grade’ cryptography settings, which are still contained within some web server code today. According to Mikah Sargent of NewsyTech, approximately 12% of the world’s top 1 million websites are vulnerable to this flaw.

Initially, the bug was determined to affect secure web browsing via iOS, Android and OS X devices, but later in the week, Microsoft issued a security advisory confirming Windows users could also be affected.

History

In the 1990s, United States policy required that external communications avoid too strong a level of encryption. “Export” grade 512-bit cryptography—meaning more easily breakable than the 1024-bit US crypto—became a standard for external communication.

At the time, 512-bit cryptography was considered much more secure than it is today. In modern times, a hacker can potentially break a single 512-bit key in under a day. In fact, Johns Hopkins University cryptographer Matthew D. Green estimates this could be done in 7.5 hours, renting online CPU resources for about 100 USD.

What this means

The chances of being affected by this bug remain relatively slim. In order for a hacker to utilize FREAK, they would need to:

  1. Find a vulnerable web server that offers export-level encryption and re-uses the same encryption key for a long time
  2. Break the current encryption key (using CPU resources + time) before it is reset on the server
  3. Find vulnerable users connecting to the server

With these conditions met, a hacker could potentially execute a man-in-the-middle attack. For example, using unsecured Wi-Fi in a coffee shop, a hacker could intercept and decrypt all traffic between any client and the server, while remaining completely undetectable.
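An added example, not part of the original article: a defender-side check for the first condition above, flagging servers that still accept export-grade suites in a cipher scan. The scan line format and host names are constructed for illustration; the suite IDs and names are the IANA-registered RSA and DH export suites.

```python
# IANA cipher suite IDs for export-grade suites, tagged by key exchange.
# FREAK depends on the RSA_EXPORT family (512-bit RSA keys).
EXPORT_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT"),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RSA_EXPORT"),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "RSA_EXPORT"),
    0x000B: ("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "DH_EXPORT"),
    0x000E: ("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "DH_EXPORT"),
    0x0011: ("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "DH_EXPORT"),
    0x0014: ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "DH_EXPORT"),
    0x0017: ("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "DH_EXPORT"),
    0x0019: ("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "DH_EXPORT"),
}

# Constructed scan output: "<host:port> <suite id> <accepted|rejected>"
SAMPLE_SCAN = """\
shop.example.test:443 0x002F accepted
shop.example.test:443 0x0003 accepted
shop.example.test:443 0x0008 rejected
mail.example.test:443 0x0014 accepted
mail.example.test:443 0xC02F accepted
www.example.test:443 0xC02F accepted
www.example.test:443 0x0003 rejected
"""

def parse_scan(text):
    """Return {host: set of suite IDs the server accepted}."""
    accepted = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        host, suite, status = parts
        accepted.setdefault(host, set())
        if status == "accepted":
            accepted[host].add(int(suite, 16))
    return accepted

def audit(text):
    """Return {host: (verdict, [export suite names accepted])}."""
    report = {}
    for host, suites in parse_scan(text).items():
        hits = sorted(s for s in suites if s in EXPORT_SUITES)
        kinds = {EXPORT_SUITES[s][1] for s in hits}
        verdict = ("freak-exposed" if "RSA_EXPORT" in kinds
                   else "export-grade" if hits else "ok")
        report[host] = (verdict, [EXPORT_SUITES[s][0] for s in hits])
    return report
```

A host that only rejects export suites, like the third one in the sample, is reported as ok; any accepted export suite should be disabled in the server's cipher configuration.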

How to protect yourself

You can immediately check if your browser is vulnerable by visiting Tracking the FREAK Attack.

Apple and Google have announced that they will release OS fixes this week. In the meantime, zdnet.com has a detailed article on how to protect yourself immediately.


MWC 2015 – That’s A Wrap!

Another Mobile World Congress (MWC) has come to a close. As we travel home from Barcelona and settle back into our normal routines, we can’t help but reflect on what was an exciting and packed four days at MWC.

At Intel Security, we discussed the future of mobile technology, top mobile trends for 2015, and even shared news of some of our great new mobile apps! Thanks to everyone who stopped by the booth, participated in one of our demos, or played our #LockItDown contest.

But the fun didn’t stop there! All of MWC was abuzz with news of the latest innovations from vendors across the globe. In case you weren’t able to keep track of all the news, we’ve made things easy by providing you with a recap of the top trends and news.


The Future of Mobile Technology

In my previous blog, I predicted we’d see buzz around mobile payment systems, security apps and wearables at MWC. And boy, did those predictions turn out to be true!

This year, we saw a slew of smarter smartphones, a heavy push toward 5G mobile networks, and sleeker, more refined versions of existing technology.

Another non-surprise: the omnipresence of wearables. From smart watches and ‘invisibility glasses’ to virtual reality headsets and fitness bracelets designed for business executives, we saw it all. Pretty soon there will be a need for a wearables-only Fashion Week!

Vendors also cashed in on mobile payments, and it seems that existing payment systems now have some tough competition ahead. News of payment systems for Galaxy phones and Android devices surfaced, leaving us all curious to see how the mobile payment competition will play out. 

Mobile Security is Better Together

As noted in the McAfee Labs™ February 2015 Threats Report, mobile malware is on the rise, and this year at MWC, mobile vendors certainly stepped up their security game!

And as part of our own efforts to reduce that trend, we announced a joint effort with Samsung to provide built-in security software on the new Galaxy S6 and Galaxy S6 Edge devices.

Now, when you purchase a Galaxy S6 or S6 Edge device, it will come pre-loaded with McAfee VirusScan Mobile™, the anti-malware technology from Intel Security. This will provide users with a more secure online mobile experience.

We also announced an extended partnership with LG Electronics to help secure your personal data. McAfee® Mobile Security will be available on the LG Watch Urbane LTE so users can track, lock, and wipe their device in the event that it is stolen.

Finally, we discussed the steps we are taking to advance True Key™ by Intel Security. With new customers such as Brightstar Corp, Deutsche Telekom and Prestigio, we are taking True Key global and ensuring that all have access to its powerful identity management technology.

Mobile World Congress may have gone by in a flash, but the innovations coming out of it are sure to be long-lasting. Let’s get back to the drawing board and put our mobile minds to work so we can aim higher and achieve even more next year, at MWC 2016!

As always, for the latest updates on mobile security, make sure to follow @IntelSec_Home on Twitter and Like us on Facebook.

lianne-caetano

Dyre Targets More Websites

The Dyre Trojan has expanded its attack vectors, aiming to harvest sensitive data from an expanding list of targeted websites.

Previously, Dyre had been known to seek out banking credentials as its primary targets, but ThreatTrack Security Labs researchers recently discovered multiple new types of domains, which have become part of Dyre’s standard target index.

While Dyre has added more file hosting and email domains to its attack list — pretty standard fodder for redistributing itself via malware — it has now appended a few new types of domains, including popular job hunting, file hosting, tax services, online retail and Internet Service Provider (ISP) websites.

Labs researchers used Wireshark to monitor Dyre’s TCP connections.

TCP snapshot of Dyre sending the contents of an HTTPS connection to Dyre’s server

The Labs team was then able to acquire configuration data from an active infection. Click here for the configuration file they pulled.

Based on experience in the field and initial investigations into these new targets, our Labs team has compiled the following list of potential reasons for attack:

FILE HOSTING

Could be used to register new sites and modify existing ones. Likely used for hosting malware.

  • iweb.com
  • lunarpages.com
  • networksolutions.com
  • godaddy.com
  • hostgator.com
  • bluehost.com
  • enom.com

JOB HUNTING

Gathering identity information, campaign templates or targets.

  • glassdoor.com
  • monster.com
  • indeed.com
  • simplyhired.com
  • careerbuilder.com

E-COMMERCE

Acquiring hardware and user information.

  • newegg.com
  • sellerportal.newegg.com

GENERAL INFORMATION

Site records for targeting, templates and other attacks.

  • accurint.com
  • thomsonreuters.com
  • stamps.com

CORPORATE MAILING

Can aid in email distribution of malware or other attacks.

  • mailchimp.com
  • mandrillapp.com

INTERNET SERVICE PROVIDERS

Enterprise account information used for further targeting or templates, data gathering, accessing corporate data and similar purposes.

  • wireless.att.com
  • smb.att.com
  • businessdirect.att.com
  • verizonenterprise.com
  • verizon.com

INCOME TAX SERVICES

Personal income and account information, given the approach of tax season.

  • turbotax.com
  • intuit.com
  • hrblock.com

Defend Yourself Against Dyre

End users should be reminded not to open attachments without regard for security. Dyre is often triggered via infected .zip files (containing Upatre) and .pdf attachment exploits.

For help educating users, reference Users Beware: 10 Security Tips to Share with Your Users.

Disclaimer

The information presented in this post may contain names and images associated with real companies. There is no evidence that any of the sites mentioned have been compromised. Users with computers infected with Dyre may be at risk of having their personal information stolen when visiting these sites. 

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs


ThreatTrack Security Labs
About Author

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.

Security From the Handset to the Base Station

Time to wind down the Barcelona adventure, and on to Milan now! This week we have announced some remarkable partnerships within the mobile industry, ranging from the biggest handset OEMs to infrastructure providers and mobile network operators.

These deep relationships have been established in almost every corner of the mobile ecosystem and we’re all agreed on one thing: we need to change our approach to mobile security or risk stifling one of the most disruptive and enabling technologies of the modern age.

To kick things off, we were very proud to finally announce our partnership with Samsung. The all new Samsung Galaxy S6 will have the award-winning McAfee Mobile Security (MMS) pre-installed without any additional cost to the consumer. By adding this to the device, Samsung is providing an extra level of assurance to the user that their privacy will be protected and that their security online is prioritised.

MMS has also been chosen by LG to protect its range of smartphones and wearables devices. Specifically, LG wants to secure the personal data of its customers using Android smartphones and its webOS smartwatches.

Our identities, personal information and even body data have never been more accessible to us, but they have also never been more at risk of being stolen. LG wanted to strengthen the trust that it has built up with its customers and MMS will play a key part in this as they download new apps, shop online, browse social networks and use their devices for banking or payments.

You may have seen the launch of True Key™ by Intel Security earlier this year at CES. True Key is changing the way the world logs in and with this app, you are the password, using multiple things unique to you like your facial features, a fingerprint or devices that you own. You can forget about having to remember all those passwords, plus it helps to keep your digital life private.

We think True Key is pretty cool. And it turns out we’re not the only ones! German mobile operator Deutsche Telekom will be one of the first carriers to offer True Key to its subscribers in Europe. They will get one of the most secure password and identity management solutions on the market.

Added to this, leading Russian OEM, Prestigio, will be one of the first mobile device manufacturers to launch the True Key application across EMEA. It is going to make the app available across all of its Android tablets and smartphones by the end of this year. This is a significant commitment by Prestigio to help its customers stay secure and a real differentiator for those consumers looking for cutting edge security.

Last but by no means least, we also announced a new collaboration with infrastructure provider, Ericsson. Intel Security SIEM and NGFW technology will be directly integrated into 4G infrastructure to protect users and carriers. We’re actually demonstrating the technology here in Barcelona so visit us in the Intel booth, Hall 3, Stand 3D30 to check it out. Large scale attacks on critical national infrastructure like telecoms networks pose a serious threat. By building security in at the infrastructure layer however, Ericsson extends a new level of trust and security to the operators themselves.

From the handset to the base station, mobile’s biggest players are changing their view on security. We’re so proud to have developed real partnerships like these and we’re excited to see where it will go next.

The post Security From the Handset to the Base Station appeared first on McAfee Blogs.

MWC 2015: All About the Apps

Mobile World Congress (MWC) is officially underway in beautiful Barcelona! One thing we can already tell from day one of MWC? This year, it’s all about the apps.

And with that, we are excited to announce three of the latest mobile apps from Intel Security, as seen on display at MWC this week. Read on to learn more about each one.

Intel Security Battery Optimizer

Tired of looking at your smartphone midday only to see the battery is completely drained? We can relate!

The Intel Security Battery Optimizer is an energy saving Android app that provides you with accurate battery usage allowing you to manipulate and extend the battery life of your mobile device. Battery life is displayed down to the minute so you can more effectively track usage and identify which apps are draining your battery the most.

Another unique feature of Battery Optimizer is that it extends call time on a low battery device. For example, if you’re on a call and have less than 20 minutes of life left, it will prompt you with an alert. The alert then provides you with the option to extend the length of a call by shutting off other, non-core apps that are draining battery life in the background.

Intel Security File Protect

In today’s highly connected world, consumers are carrying their personal lives on their devices. So how can they ensure this sensitive information stays protected? Here’s where Intel Security File Protect comes in.

File Protect is an Android privacy app that provides reliable encrypted protection for sensitive information across all of your devices and favorite cloud storage services. By linking File Protect to your preferred cloud storage provider, you can rest assured that your data is safely encrypted in the cloud.

Want to snap safe photos on the go? File Protect can handle that as well! Switch to the “Secure Snap” mode and all of the photos you capture will be automatically encrypted and sent to File Protect for storage.

True Key™ by Intel Security

True Key™ by Intel Security is an easier and safer way to unlock your digital world. You can access your apps and websites without the hassle of having to remember, create or type in multiple passwords – with the True Key app, you are the password.

Log in using things that are unique to you, such as your facial features—the distance between your eyes and nose, a fingerprint, or even a device you own. From there, True Key helps make your current passwords stronger with its password generator, remembers them and instantly logs you in, so you don’t have to.

True Key is currently available through a limited release and will be generally available later in the year. You can request early access at www.truekey.com to join the waitlist.

Don’t miss the chance to see each of these apps in person, during demos at the Intel booth in Hall 3, Stand #3D30 this week at Mobile World Congress. And if you need more incentive to visit the stand, swing by to learn how you could get a free, 1-year premium subscription of True Key!

Stay tuned for more Mobile World Congress updates from Intel Security by following @IntelSec_Home on Twitter, Liking our page on Facebook, and checking back here on the blog.

lianne-caetano