Hackers Have Figured Out How to Steal Millions from ATMs
GIZMODO by Adam Clark Estes April 3, 2014
Federal regulators just alerted banks across the country of a very dangerous new skill ATM hackers have picked up. They can trick ATMs into spitting out unlimited amounts of cash, regardless of the customer’s balance. Not only that, but they can also schedule the illicit withdrawals for holidays and weekends, when the ATMs are extra flush.
We’ve heard of crazy ATM hackers before, but this really takes the cake. It’s a triple threat, really. The ability to skirt around daily ATM withdrawal limits is bad enough, since the hackers aren’t limited to $500 or whatever the limit is on any single account. But the fact that the hackers can now extract more than what’s in a customer’s account, combined with the scheduling method, means that any given ATM theft could now be an all-out heist. That’s why the Secret Service is calling this strategy Unlimited Operations.
Heists are exactly what’s happening, too. “A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” said the Federal Financial Institutions Examination Council in its alert to banks. The regulators believe that the hackers have actually been targeting bank employees with phishing scams in order to get their malware installed on the banks’ computer systems. The Los Angeles Times explains how it’s done:
Criminals use the malware to obtain employee login credentials and to determine how the institution accesses ATM control panels, often based online, that allow changes to be made in the amount of money customers may withdraw, geographic usage limits and how fraud reports are generated.
After hacking the control panel, criminals withdraw funds by using fraudulent cards they create with account information and personal identification numbers stolen through separate attacks, the regulators said. The PINs may be stolen by malicious software or scanning programs at merchant sales terminals or ATMs, or by hacking into computers.
It also doesn’t help that the recent Target breach put millions upon millions of card numbers out in the open, giving hackers even more fraudulent cards to work with.
For those that’ve been hit by one of these attacks, federal insurance will kick in, but it’s a huge pain in the ass for everyone. So in a twisted sort of way, these ATM hackers are inevitably taking your tax dollars. That mobile payments revolution everyone keeps talking about can’t come soon enough, can it? [LAT]
Heartbleed: routers and phones also at risk, says security expert
Manufacturers must patch routers, video conferencing software and desktop phones, as scale of software vulnerability continues to grow
The Guardian by Alex Hern April 14, 2014
Heartbleed, the software vulnerability in hundreds of thousands of web servers which laid their contents open to attackers, also affects consumer devices, security experts have warned.
Hardware including smartphones, routers and cable boxes are all potentially affected, posing the risk of anything from data theft to attackers seizing control of the vulnerable device.
“Network-connected devices often run a basic web server to let an administrator access online control panels,” says Philip Lieberman, president of security firm Lieberman Software. “In many cases, these servers are secured using OpenSSL and their software will need updating.
“However, this is unlikely to be a priority. The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”
Some manufacturers have confirmed that their devices are not affected. Belkin says that its routers, as well as those of its Linksys subsidiary, are safe: one range does use OpenSSL, the software which contains the Heartbleed vulnerability, but uses a version which predates the flaw.
But others are not so lucky. Networking giant Cisco has confirmed that a number of its products are vulnerable, including desktop phones, video conferencing hardware and VPN software. It is investigating a further 83 products for potential vulnerabilities.
Neither Netgear nor BT returned requests for comment, and have not spoken publicly about whether or not their devices are vulnerable.
For affected devices, operators are slowly releasing patches, which must be downloaded and installed. But many users will not apply the updates, warns Lieberman.
“The list of compromised devices is huge,” he says. “Most of the devices are not going to be patched because their users do not know how to do it since they bought a router or firewall, not OpenSSL (as far as they are concerned).
“Many of the devices are from manufacturers that are no longer supporting the previously shipped devices as a matter of policy and business model,” he adds. “What do you expect in the way of support when you buy a device or embedded system for less than $100 and the company is making $10.00?”
As with affected websites, users should not change passwords until they are sure the vulnerability has been fixed. The best way to be certain is to wait for the affected company to specifically say it is time to change passwords: examples of companies who have done so include Tumblr, Flickr, IFTTT and Dogecoin service DogeAPI.
SSL keys stolen
One potential avenue of hope was blocked off on Friday, when online services company CloudFlare confirmed that four people had successfully stolen SSL certificates from an affected server.
SSL is the basis of security online, and is the protocol that leads to browsers displaying a padlock icon to show that a given website is secure. One of the attacks that the Heartbleed vulnerability allows is theft of the private key for SSL, allowing an attacker to decrypt intercepted messages or impersonate the site.
Cloudflare had previously written that “we have reason to believe… that it may in fact be impossible” to steal the keys from their servers, in contrast to claims made by the researchers who uncovered the flaw. But the company issued a challenge to the outside world to prove them wrong, and four separate researchers managed to steal the information over the next 48 hours.
The result of the challenge underscores that it’s not enough for a site vulnerable to Heartbleed to fix the server: it also needs to treat the SSL key as stolen, and issue a new one. Cloudflare described the possibility of a stolen key as “the disaster scenario, requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well.”
Since the news of Heartbleed broke on April 6, more than 10,000 sites have revoked and re-issued their certificates, giving some idea of the scale of the problem.
Heartbleed: 95% of detection tools ‘flawed’, claim researchers
Free web tools are not picking up the vulnerability, leaving consumer data exposed
The Guardian (UK) by Tom Brewster April 16, 2014
Some tools designed to detect the Heartbleed vulnerability are flawed and won’t detect the problem on affected websites, a cybersecurity consultancy has warned.
The Heartbleed flaw, which undermined the common security software for internet connections called OpenSSL, caused mass panic last week due to the ease with which it could be exploited to acquire passwords or encryption keys, potentially leaking sensitive personal data from popular consumer websites.
A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.
“A lot of companies out there will be saying they’ve run the free web tool and they’re fine, when they’re not,” Hut3’s Edd Hardy told the Guardian. “There’s absolute panic. We’re getting calls late at night going ‘can you test everything’.”
Most of the tools checked by Hut3 rely on code designed to highlight the flaw created by developer Jared Stafford, which itself contained problematic bugs, said Hut3 penetration tester Adrian Hayter. These included tools created by major tech companies such as Intel-owned security firm McAfee and password management provider LastPass.
Hayter uncovered three problems with the Heartbleed checkers, which could lead to many cases of sites remaining vulnerable. One of the issues was to do with compatibility with different versions of SSL, the Secure Sockets Layer kind of web encryption affected by the Heartbleed flaw.
“The Heartbleed Checker is designed to work with common system configurations found in the wild,” said Raj Samani, CTO for Europe, the Middle East and Asia at McAfee. “There have been reports of detection failure rates of around 2.8% due to these configurations. We were aware of the possibility and have provided a disclosure directly above our checker. We are continually reviewing and revising our code and technique.”
Joe Siegrist, CEO at LastPass, said: “Unlike all other tests, LastPass is not actually attempting to exploit the bug to test if it’s currently present – we’ve been unsure if that’s legal for a US entity to do.
“Our focus has been in ensuring people are updating/revoking their certificates, and that we’re reflecting what major organisations are saying about their exposure. Can you update or make a new certificate and keep the heartbleed bug in place? Sure, but that’s what all the other tests are for.”
“It is yet another symptom of the ‘hit the ground running’ approach that has characterised the response to this vulnerability,” said Rik Ferguson, vice president of security research at Trend Micro.
“The consequences are so widespread and the technology involved so arcane or invisible to the average user, that knee-jerk reactions and well-meaning advice have been offered up with little planning. From the initial Tumblr blog advising users to change all passwords everywhere ‘now’, before most of the vulnerable services would have been patched, to self-confessed ‘quick and dirty’ demonstration tools being incorporated into complete vulnerability scanning tools.”
“The key to success with protection and mitigation of Heartbleed is more haste, less speed – otherwise you may well be sitting in the comfortable haze of a false sense of security. Ignorance isn’t bliss, it’s dangerous.”
There are various versions of SSL and servers hosting websites can support some or all of them. If the server doesn’t support the version that the user machine selects, then it will respond by either dropping the connection or trying to use a different type of SSL which the server does support.
Herein lies the problem with the detection tools: in many of them, only one version, known as TLSv1.1, is checked. If the server being tested for Heartbleed doesn’t support TLSv1.1, it will either reject the connection or suggest another version. But the failed detectors do not check for another version and assume any server that does not provide a successful response is not vulnerable, said Hayter.
Similar problems lie in compatibility with “cipher suites”, the selections of algorithms used to set up a secure connection over the internet. “Once again, if the server does not support any of the cipher suites that the client sends, the connection will disconnect,” said Hayter.
Most of the tools he examined only told the server they supported about 51 cipher suites, when there are at least 318 cipher suites that could be used by a website. “Granted, most servers will support at least one of the ciphers in the list of 51, but there could be instances where a server does not support any of them, and in these cases, the server would respond with an error, which the scripts interpret as ‘not vulnerable’.”
The third bug was more simplistic: it meant that on slow internet connections some tools would stop working when processing the response of the server, as they would have a time limit. This would again interpret a server as not vulnerable, even if the partially downloaded response would have been enough to confirm the vulnerability, Hayter added.
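The three detector failures Hayter describes (only one TLS version tried, too few cipher suites offered, and a timeout mistaken for a clean result) all come down to how a scanner classifies the server’s first reply. The following is an added example, not Hut3’s tool or any of the checkers named above: it parses a constructed ServerHello or Alert record, walks several TLS versions, and reports a failed handshake as inconclusive rather than “not vulnerable”. It stops at the negotiation stage (no heartbeat probe is included), and the sample records and the simulated TLSv1.0-only server are constructed for illustration.

```python
import struct
from enum import Enum

# TLS record content types, handshake type and alert descriptions (RFC 5246)
CT_ALERT, CT_HANDSHAKE, HS_SERVER_HELLO = 21, 22, 2
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION = 40, 70
VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

class Outcome(Enum):
    SERVER_HELLO = "handshake accepted: a heartbeat test could now be run"
    VERSION_REJECTED = "server rejected this protocol version"
    CIPHER_REJECTED = "server shares none of the offered cipher suites"
    INCOMPLETE = "record truncated (slow link / timeout)"
    OTHER = "some other alert or record"

def classify_response(data):
    """Classify the first TLS record a server sends back after a ClientHello.
    Returns (Outcome, version the server chose in its ServerHello or None)."""
    if len(data) < 5:
        return Outcome.INCOMPLETE, None
    ctype, _record_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return Outcome.INCOMPLETE, None          # read stopped mid-record
    if ctype == CT_ALERT and length >= 2:        # body = [level, description]
        return {ALERT_PROTOCOL_VERSION: Outcome.VERSION_REJECTED,
                ALERT_HANDSHAKE_FAILURE: Outcome.CIPHER_REJECTED}.get(body[1], Outcome.OTHER), None
    if ctype == CT_HANDSHAKE and length >= 6 and body[0] == HS_SERVER_HELLO:
        return Outcome.SERVER_HELLO, struct.unpack("!H", body[4:6])[0]
    return Outcome.OTHER, None

def flawed_verdict(probe):
    """The pattern Hut3 criticised: try TLSv1.1 only, call any other reply 'not vulnerable'."""
    outcome, _ = classify_response(probe(VERSIONS["TLSv1.1"]))
    return "test heartbeat" if outcome is Outcome.SERVER_HELLO else "not vulnerable"

def careful_verdict(probe):
    """Try each version in turn; with no completed handshake the answer is 'inconclusive'."""
    for name, ver in VERSIONS.items():
        outcome, chosen = classify_response(probe(ver))
        if outcome is Outcome.SERVER_HELLO:
            return "test heartbeat on %s (server chose 0x%04x)" % (name, chosen)
    return "inconclusive: no handshake completed, retry with other versions/suites"

# --- constructed sample records (not captured from any real server) ---
def server_hello(version):
    """Minimal ServerHello: version, 32-byte random, empty session id, one suite, null compression."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CT_HANDSHAKE, version, len(hs)) + hs

def alert(description):
    """Fatal alert record with the given description byte."""
    return struct.pack("!BHH", CT_ALERT, 0x0301, 2) + bytes([2, description])

def tls10_only_server(version):
    """Simulated legacy server: completes TLSv1.0 handshakes, rejects newer versions."""
    return server_hello(0x0301) if version == 0x0301 else alert(ALERT_PROTOCOL_VERSION)
```

Against the simulated TLSv1.0-only server the single-version checker reports “not vulnerable” while the version-walking one reaches a handshake on TLSv1.0 and can proceed to a real test.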
Given the panic around Heartbleed, with many prematurely being told to change passwords for all web services, even before those sites had been fixed, the latest findings will do nothing to appease the confusion. Hut3 has created its own tool which it believes could help alleviate some of the pain.
Tor anonymity network to shrink as a result of Heartbleed flaw
PC WORLD by Lucian Constantin April 17, 2014
The Tor Project has flagged 380 Tor relays vulnerable to the critical Heartbleed flaw to be rejected from the Tor anonymity network, reducing the network’s entry and exit capacity.
The decision has already been implemented on a Tor directory authority—a server that maintains a list of Tor relays—controlled by Roger Dingledine, the Tor Project leader, and is likely to be followed by other directory authority operators.
The 380 relays flagged for rejection are trusted entry relays, also known as guards, and exit relays. As a result, the immediate impact of this decision would be a 12 percent reduction in the network’s guard and exit capacity, Dingledine said Wednesday in an email sent to the tor-relays mailing list.
Traffic from clients typically flows through the Tor network in three hops. The first hop is through a guard relay and the final hop, before the traffic is returned on the Internet to reach its intended destination, is through an exit relay.
Twelve percent might not sound like much, but guard and exit relays play an important role on the network and are not easy to replace. Many relays are run by volunteers, but they need to be trusted and need to have enough bandwidth at their disposal to handle traffic from multiple clients.
“I thought for a while about taking away their Valid flag rather than rejecting them outright, but this way they’ll get notices in their logs,” Dingledine said.
Tardy patches seem to be the reason
It seems that the ban might be permanent. Dingledine said that he wouldn’t want those relays back on the Tor network even if they upgraded their versions of OpenSSL because their operators didn’t patch the flaw in a timely manner.
The Heartbleed vulnerability was announced on Apr. 7 and affects versions 1.0.1 through 1.0.1f of OpenSSL, a library that implements the TLS (Transport Layer Security) encrypted communication protocol and which is used by many operating systems, web servers, browsers and other desktop and mobile applications.
The flaw allows attackers to extract information from the memory of an application that relies on OpenSSL for TLS communications, whether that application acts as a client or a server.
Both the Tor client and relay software are potentially vulnerable if the OpenSSL library is not updated on the underlying OS.
“Tor relays and bridges could maybe be made to leak their medium-term onion keys (rotated once a week), or their long-term relay identity keys,” Dingledine wrote in a blog post last week after the Heartbleed flaw was announced.
“An attacker who has your relay identity key, has your onion key, and can intercept traffic flows to your IP address can impersonate your relay (but remember that Tor’s multi-hop design means that attacking just one relay in the client’s path is not very useful). In any case, best practice would be to update your OpenSSL package, discard all the files in keys/ in your DataDirectory, and restart your Tor to generate new keys.”
In addition to the 380 guard and exit relays that have been banned already there are over 1,000 other relays that are also vulnerable and should be added to the rejection list at some point soon, Dingledine said.
US government releases draft cybersecurity framework
NIST comes out with its proposed cybersecurity standards, which outline how private companies can protect themselves against hacks, cyberattacks, and security breaches.
C/NET News by Dara Kerr October 22, 2013
The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.
The aim of NIST’s framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.
The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.
“The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally,” reads the draft standards. “The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”
Obama’s executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency’s surveillance program was revealed.
Some of the components in Obama’s order included: expanding “real time sharing of cyber threat information” to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a “review of existing cybersecurity regulation.”
Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a “cyber 9/11” could happen “imminently” — crippling the country’s power grid, water infrastructure, and transportation networks — hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.
In May, Congress released a survey that claimed power utilities in the U.S. are under “daily” cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported “daily,” “constant,” or “frequent” attempted cyberattacks on their computer systems. While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems — but rather attempts to hack their networks.
While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.
In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government’s cybersecurity policy and have not yet been finalized.
NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.