This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.
Threats and vulnerabilities
4 flaws hit HTTP/2 protocol that could allow hackers to disrupt servers
Zero day protection
CheckPoint launches real-time zero day browser protection
Top story
Hackers steal bitcoins worth millions in attack on exchange
Oracle hack
Data breach: Oracle’s Micros
payment systems hacked
4 flaws hit HTTP/2 protocol that could
allow hackers to disrupt servers
If you think that the HTTP/2 protocol is more secure than the standard HTTP (Hypertext Transfer Protocol), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol.
HTTP/2 was formally launched only in May last year, after Google folded its SPDY project into HTTP/2 in February, in an effort to speed up the loading of web pages and improve the browsing experience of online users.
Now, security researchers from data center security vendor Imperva today at the Black Hat conference revealed details of at least four high-profile vulnerabilities in HTTP/2 – a major revision of the HTTP network protocol that today's web is based on.
The vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash.
The HTTP/2 protocol can be divided into three layers:
• The transmission layer that includes streams, frames and flow control
• The HPACK binary encoding and compression protocol
• The semantic layer – an enhanced version of HTTP/1.1 enriched with server-push capabilities.
The researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2 and discovered exploitable flaws in all major HTTP/2 implementations, including two that are similar to well-known and widely exploited bugs in HTTP/1.x.
The four key vulnerabilities found in HTTP/2 include:
1. Slow Read (CVE-2016-1546)
This attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010.
The Slow Read attack calls on a malicious client to read responses very slowly.
The Slow Read attacks were well-studied in the HTTP/1.x ecosystem and they are still alive in the application layer of HTTP/2 implementations.
"The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," says Imperva.
2. HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
HPACK Bomb is a compression layer attack that resembles a zip bomb attack or a 'decompression bomb'.
HPACK is used to reduce the size of packet headers. Basically, the sender can tell the receiver the maximum size of the header compression table used to decode the headers.
In this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, thereby consuming all the server memory resources and effectively slowing down or crashing targeted systems.
Imperva created a header that was 4KB in size -- the same size as the entire compression table. Then, on the same connection, it opened up new streams, each of which referred to the initial header as many times as possible (up to 16K header references).
After sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain.
3. Dependency Cycle Attack (CVE-2015-8659)
This attack leverages the flow control mechanisms that HTTP/2 uses for network optimization.
A malicious client can use specially crafted requests to create a dependency cycle, thus forcing the server into an infinite loop.
The flaw could allow an attacker to cause Denial of Service (DoS) or even run arbitrary code on a vulnerable system.
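The HPACK Bomb description above turns on one detail: the compressed size on the wire says nothing about the decoded size, so the decoder itself has to cap how much header data it will materialise per stream (HTTP/2 exposes this bound as SETTINGS_MAX_HEADER_LIST_SIZE, RFC 7540 section 6.5.2). The following is an added illustration, not Imperva's proof of concept and not code from any of the servers named; it is a constructed toy model of only the "indexed field" part of HPACK (real HPACK indices are 1-based and the static table precedes the dynamic table, both of which are ignored here). The sizes 4KB, 16K references and 14 streams are the figures from the article; the 32-byte per-field overhead is the one RFC 7540 uses for the limit.

```python
from typing import List, Optional, Tuple

# Toy sizes taken from the article (4 KB entry, up to 16K references, 14 streams);
# everything else is a constructed model, not a real HPACK codec.
ENTRY_BYTES = 4096
REFERENCES_PER_STREAM = 16 * 1024
STREAMS = 14
FIELD_OVERHEAD = 32  # RFC 7540 s6.5.2: each field counts name + value + 32 octets


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the configured SETTINGS_MAX_HEADER_LIST_SIZE."""

    def __init__(self, fields_decoded: int, total: int, limit: int):
        super().__init__(f"{total} bytes after {fields_decoded} fields exceeds limit {limit}")
        self.fields_decoded = fields_decoded


class ToyHpackDecoder:
    """Models only the 'indexed field' representation against a dynamic table."""

    def __init__(self, max_header_list_size: Optional[int] = None):
        self.dynamic_table: List[Tuple[str, str]] = []
        self.max_header_list_size = max_header_list_size

    def add_entry(self, name: str, value: str) -> None:
        # A literal-with-incremental-indexing field lands at index 0 of the table.
        self.dynamic_table.insert(0, (name, value))

    def decode(self, indices: List[int]) -> List[Tuple[str, str]]:
        decoded: List[Tuple[str, str]] = []
        total = 0
        for idx in indices:
            name, value = self.dynamic_table[idx]
            total += len(name) + len(value) + FIELD_OVERHEAD
            # The bound is checked per field, so a limited decoder aborts long
            # before it has materialised megabytes of headers for one stream.
            if self.max_header_list_size is not None and total > self.max_header_list_size:
                raise HeaderListTooLarge(len(decoded), total, self.max_header_list_size)
            decoded.append((name, value))
        return decoded


def projected_decoded_bytes(entry_bytes: int = ENTRY_BYTES,
                            references: int = REFERENCES_PER_STREAM,
                            streams: int = STREAMS) -> int:
    """Uncompressed size an unbounded decoder would allocate for the article's scenario."""
    return entry_bytes * references * streams


def decode_outcome(max_header_list_size: Optional[int],
                   entry_bytes: int = ENTRY_BYTES,
                   references: int = REFERENCES_PER_STREAM) -> Tuple[str, int]:
    """Feed one stream's worth of references to a decoder with the given limit.

    Returns ("accepted", fields decoded) or ("rejected", fields decoded before abort).
    """
    dec = ToyHpackDecoder(max_header_list_size)
    dec.add_entry("x-big", "A" * entry_bytes)  # one entry the size of the whole table
    header_block = [0] * references            # constructed block: every field references it
    try:
        fields = dec.decode(header_block)
    except HeaderListTooLarge as exc:
        return ("rejected", exc.fields_decoded)
    return ("accepted", len(fields))


if __name__ == "__main__":
    print(f"unbounded decode of {STREAMS} streams: {projected_decoded_bytes() / 2**20:.0f} MiB")
    print("no limit    :", decode_outcome(None))
    print("16 KiB limit:", decode_outcome(16 * 1024))
```

With no limit the decoder accepts all 16,384 references, and the projected figure for 14 streams is exactly the 896MB the article reports; with a 16 KiB header-list limit it rejects the block after three fields, before any meaningful memory is spent.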
4. Stream Multiplexing Abuse (CVE-2016-0150)
The attack allows an attacker to exploit vulnerabilities in the way servers implement the stream multiplexing functionality in order to crash the server. This attack eventually results in a denial of service (DoS) to legitimate users.
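For the Dependency Cycle Attack (item 3 above), the defence is in how a server applies a PRIORITY frame to its stream priority tree: RFC 7540 section 5.3.3 requires that when a stream is made dependent on one of its own descendants, that descendant is first moved up to the stream's current parent, and section 5.3.1 makes self-dependency a PROTOCOL_ERROR. The following is an added, constructed illustration, not code from any of the servers named in the article; it omits the exclusive flag and weights and models only the parent links, contrasting a naive update that can be driven into a loop with the compliant one.

```python
from typing import Dict, Iterator

ROOT = 0  # stream 0 is the root of the HTTP/2 priority tree


class ProtocolError(Exception):
    """Stream error of type PROTOCOL_ERROR (RFC 7540 s5.3.1)."""


class DependencyCycle(Exception):
    """Walking to the root revisited a stream; the tree is no longer a tree."""


class PriorityTree:
    def __init__(self) -> None:
        self.parent: Dict[int, int] = {}  # stream id -> parent stream id

    def add(self, stream_id: int, depends_on: int = ROOT) -> None:
        if stream_id == depends_on:
            raise ProtocolError("a stream cannot depend on itself")
        self.parent[stream_id] = depends_on

    def ancestors(self, stream_id: int) -> Iterator[int]:
        """Yield parents up to the root, refusing to loop forever."""
        seen = {stream_id}
        cur = self.parent.get(stream_id, ROOT)
        while cur != ROOT:
            if cur in seen:
                raise DependencyCycle(f"cycle through stream {cur}")
            seen.add(cur)
            yield cur
            cur = self.parent.get(cur, ROOT)

    def reprioritize_naive(self, stream_id: int, depends_on: int) -> None:
        """Trusting update: just overwrite the parent. A crafted PRIORITY frame
        naming a descendant closes a loop that a plain tree walk never leaves."""
        self.parent[stream_id] = depends_on

    def reprioritize(self, stream_id: int, depends_on: int) -> None:
        """RFC 7540 s5.3.3: if the new parent is a descendant of stream_id, move it
        to stream_id's current parent first, so a subtree is never attached to itself."""
        if stream_id == depends_on:
            raise ProtocolError("a stream cannot depend on itself")
        if stream_id in self.ancestors(depends_on):
            self.parent[depends_on] = self.parent.get(stream_id, ROOT)
        self.parent[stream_id] = depends_on

    def has_cycle(self) -> bool:
        for stream_id in self.parent:
            try:
                for _ in self.ancestors(stream_id):
                    pass
            except DependencyCycle:
                return True
        return False


def crafted_reprioritisation(compliant: bool) -> PriorityTree:
    """Constructed exchange: 1 <- 3 <- 5, then a PRIORITY frame asks that 1 depend on 5."""
    tree = PriorityTree()
    tree.add(1)
    tree.add(3, depends_on=1)
    tree.add(5, depends_on=3)
    if compliant:
        tree.reprioritize(1, depends_on=5)
    else:
        tree.reprioritize_naive(1, depends_on=5)
    return tree


def rejects_self_dependency() -> bool:
    """A stream that names itself as its dependency must be refused outright."""
    tree = PriorityTree()
    try:
        tree.add(7, depends_on=7)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    naive = crafted_reprioritisation(compliant=False)
    good = crafted_reprioritisation(compliant=True)
    print("naive update  -> cycle:", naive.has_cycle(), naive.parent)
    print("RFC update    -> cycle:", good.has_cycle(), good.parent)
    print("self-dependency rejected:", rejects_self_dependency())
```

The naive tree ends up with 1 -> 5 -> 3 -> 1, which any scheduler walking to the root would follow forever; the compliant update first lifts stream 5 to the root and then hangs stream 1 under it, leaving a proper tree.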
All the four vulnerabilities have already been fixed in HTTP/2, which is currently being used by some 85 Million websites, or around 9 percent of all websites, on the Internet, according to W3Techs.
Our perspective
It is obvious that new technology brings new risks. It is just a matter of time until new vulnerabilities are found and exploited. Like any new technology, HTTP/2 also presents new, extended attack surfaces for attackers to target. Hence, it is recommended that an organisation's server administrators deploy it with additional layers of security.
Source:
http://thehackernews.com/2016/08/http2-protocol-security.html
You can get more details of Imperva's research in a report [PDF] dubbed "HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol."
Here's what Imperva co-founder and chief technology officer Amichai Shulman says:
"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users. However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers."
"While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."
The vulnerabilities took advantage of HTTP/2 features that were meant to reduce bandwidth use and round trips while speeding up the loading time of websites.
According to Imperva researchers, implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises protect their critical data and applications from cyber attack while introducing HTTP/2.
Data breach: Oracle's Micros payment systems hacked
The risks associated with data breaches continue to grow, impacting a variety of industries, tech firms, and social networking platforms. In the past few months, over 1 Billion credentials were dumped online as a result of mega breaches in popular social networks.
Now, Oracle is the latest in the list.
Oracle has confirmed that its MICROS division – which is one of the world's top three point-of-sale (POS) services the company acquired in 2014 – has suffered a security breach.
Hackers had infected hundreds of computers at Oracle's point-of-sale division, infiltrated the support portal used by customers, and potentially accessed sales registers all over the world.
The software giant came to know about the data breach after its staff discovered malicious code on the MICROS customer support portal and certain legacy MICROS systems. Hackers likely installed malware on the troubleshooting portal in order to capture customers' credentials as they logged in.
These usernames and passwords can then be used to access their accounts and remotely control their MICROS point-of-sales terminals.
In a brief letter sent to MICROS customers, Oracle told businesses to change their MICROS account passwords for the MICROS online support site – particularly passwords that are used by MICROS staff to control on-site payment terminals remotely.
"Oracle Security has detected and addressed malicious code in certain legacy MICROS systems," said the company. "Oracle's Corporate network and other cloud and service offerings were not impacted by this code."
"Payment card data is encrypted both at rest and in transit in the MICROS hosted environment… Consistent with standard security remediation protocols, Oracle [requires] MICROS customers to change the passwords for all MICROS accounts."
Citing unknown sources, security news site KrebsOnSecurity reported that the attack possibly came from a Russian crime gang, dubbed the Carbanak Gang, that has been accused of stealing more than $1 Billion from banks and retail stores in past hacks.
The scope of the data breach is still unknown, but anonymous sources familiar with the breach have told Krebs that the hack may have affected up to 700 systems.
Since customers' payment data is encrypted both at rest and in transit, Oracle said that this information is not at risk.
Oracle acquired MICROS in 2014 in a $5 Billion acquisition deal. Currently, MICROS devices are deployed at over 330,000 point-of-sale terminals (or cash registers) at food and beverage outlets, retail stores, and hotels across 180 countries.
The software giant is still investigating the security breach at its payment terminal division.
Over the past few years, security breaches have hit POS terminals – or "cash registers" – operated by a large number of retailers, food chains, hotels, and other types of merchants. Two of the best-known victims to be hit by POS malware are Target and Home Depot.
POS terminals have emerged as the favorite target for cybercriminal gangs because when it comes to the cheap and easy way to siphon the vast number of payment cards, breaching a single retailer's internal network could allow criminals to collect Millions of valid payment card numbers in a relatively short amount of time.
Data breach: Oracle’s Micros payment systems hacked
Source:
http://thehackernews.com/2016/08/oracle-payment-hack.html
Our perspective
The Oracle MICROS data breach shows that supply chain and point of sale (POS) systems continue to be popular avenues for cyberattacks. As a standard remediation protocol for security breaches, MICROS customers are advised to change the passwords for their accounts, as suggested by Oracle.
CheckPoint launches real-time zero day browser protection
The most common way for malware to get onto a PC is via files downloaded from the web. According to Exploits at the Endpoint: SANS 2016 Threat Landscape Study, 41 percent of people suffered their worst security events from drive-by downloads and 80 percent suffered phishing attacks.
Threat protection specialist CheckPoint is launching a new anti-malware and anti-phishing extension for web browsers to address this growth in web-based malware and social engineering attacks.
SandBlast Agent for Browsers is an extension for Internet Explorer and Chrome (a Firefox version will be coming later) which stops zero-day web-based malware, phishing and social-engineering attacks from reaching users' PCs via the browser.
It has a small footprint and can be used standalone, or as part of the SandBlast suite for gateways and endpoints.
"As cyberattacks are growing in their complexity and frequency, enterprises are increasingly at risk of falling victim to a wide range of browser-based attacks," says Nathan Shuchami, head of advanced threat prevention, Check Point.
"Existing technologies ask users to wait for content to be evaluated, or require multiple, intrusive software installations on every system. SandBlast Agent for Browsers brings the highest level of protection to users in a simple browser plug-in that blocks unknown and zero-day malware delivered via web downloads, while quickly delivering safe content within seconds."
It offers real-time protection from advanced malware, along with delivery of safe documents and content to users. Dynamic analysis blocks both unknown and zero-day phishing attacks that target user credentials.
The extension for Internet Explorer and Chrome installs in minutes and operates with minimal overhead. CheckPoint claims it offers the highest malware catch rate in the industry, using advanced cloud sandboxing with CPU-level detection. You can find more information about SandBlast Agent for Browsers on the CheckPoint website.
Source:
http://betanews.com/2016/08/02/checkpoint-real-time-zero-day-protection/
Hackers steal bitcoins worth millions in attack on exchange
Hackers have stolen bitcoins worth about $65 million after attacking a major digital currency exchange.
The exchange, Bitfinex, responded by halting trading, deposits and withdrawals, prompting a plunge in the Bitcoin price.
"We are investigating the breach to determine what happened, but we know that some of our users have had their bitcoins stolen," the company said in a blog post on Wednesday.
The hackers made off with 119,756 bitcoins, said Zane Tackett, Bitfinex's director of community and product development, in an email to CNNMoney.
That's the equivalent of more than $65 million at current prices.
The Hong Kong exchange said it has reported the hacking to law enforcement. It gave no information about how the attack happened, or who may have been responsible.
Tackett told CNNMoney that Bitfinex is working with authorities and specialist companies to track the stolen bitcoins. It's also aiming to get its platform up and running again so that users can see if their accounts were hit.
The price of Bitcoin tumbled more than 20% following the news, before recovering some of its losses.
The security breach brought back memories of Mt. Gox, a leading Bitcoin exchange that stopped investors from withdrawing money in 2014, blaming the disruption on technical issues and cyber attacks. It later filed for bankruptcy.
Bitfinex is one of the biggest Bitcoin exchanges in the world. It had the highest volume of dollar-denominated transactions over the past 30 days, according to the website Bitcoin Charts.
Hackers steal bitcoins worth millions in attack on exchange
Source:
http://money.cnn.com/2016/08/03/technology/bitcoin-exchange-bitfinex-hacked/index.html
For any queries, please contact:
Sivarama Krishnan
[email protected]
Amol Bhat
© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.
AG/August2016-7107