This Week in SSL – Zero Day Windows Exploit, Chinese Hack iCloud, and Details on the JPMorgan Hack

Here is this week’s roundup of interesting news articles about SSL and network security.

Microsoft warns of Windows zero-day; hackers serve exploits in PowerPoint files

As reported by ComputerWorld’s Gregg Keizer, Microsoft issued a warning this week that hackers are using a zero-day exploit to deliver infected PowerPoint documents as email attachments. The vulnerability affects every version of Windows and allows attackers to seize control of the infected PCs. The advisory issued by Microsoft includes a “one-click” tool that will protect against the bug until a patch can be developed.

This bug is similar to another exploit patched last week in the MS14-060 update. “According to researchers at iSight Partners, the flaw fixed by MS14-060 had been used by a Russian hacker crew to target Ukrainian government agencies, NATO, Western European government agencies and companies in the telecommunications and energy sectors, since at least December 2013. iSight slapped the moniker ‘Sandworm’ on the cyber-spy gang. While iSight got the credit for finding the OLE vulnerability Microsoft patched last week, a trio of Google security engineers and a pair from McAfee Security reported the latest bug.”

Chinese Hackers May Have Attacked Apple’s iCloud

According to this Reuters article by Jim Finkle, Gerry Shih, and Ben Blanchard, the Chinese government is suspected of infiltrating Apple’s iCloud to spy on or access the data of Chinese users of the service. “Using what is called a ‘man-in-the-middle’ (MITM) attack, the hackers interposed their own website between users and Apple’s iCloud server, intercepting data and potentially gaining access to passwords, iMessages, photos and contacts, Greatfire.org wrote in its blog post. Greatfire.org, a group that conducts research on Chinese Internet censorship, alleged government involvement in the attack, saying it resembled previous attacks on Google Inc., Yahoo Inc. and Microsoft Corp’s Hotmail.”
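The attack described above works because the interposed server presents its own certificate in place of Apple’s. A client that pins the fingerprint of the certificate it expects can detect that substitution even if the interposed certificate somehow passes chain validation. The following is an added example, not code from the article or from Greatfire.org; it pins on the SHA-256 of the whole DER-encoded leaf certificate (the pin values and the certificate bytes in the demo are constructed placeholders, not real iCloud fingerprints), and it assumes a pinned-fingerprint set obtained out of band.

```python
from __future__ import annotations

import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex.

    Pinning the whole certificate is simple but brittle: the pin must be
    rotated whenever the server's certificate is renewed.
    """
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(cert_der: bytes, pins: set[str]) -> tuple[bool, str]:
    """Compare the presented certificate against the pinned fingerprints.

    Returns (ok, detail). On a mismatch the detail carries the observed
    fingerprint, which is the evidence an interposed certificate leaves
    behind and the value worth logging for investigation.
    """
    fp = fingerprint(cert_der)
    if fp in pins:
        return True, f"pin match {fp}"
    return False, f"PIN MISMATCH observed={fp} expected_one_of={sorted(pins)}"


def verify_host(host: str, pins: set[str], port: int = 443,
                timeout: float = 5.0) -> tuple[bool, str]:
    """Connect with normal chain and hostname validation, then apply the pin.

    The default context already rejects an untrusted or mis-named
    certificate; the pin is a second, independent check. This function
    needs network access and is not exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return check_pin(der, pins)


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    expected_cert = b"constructed placeholder, not a real DER certificate"
    interposed_cert = b"a different, constructed placeholder certificate"
    pins = {fingerprint(expected_cert)}
    print(check_pin(expected_cert, pins))
    print(check_pin(interposed_cert, pins))
```

A mismatch should be treated as a detection event rather than silently retried: the observed fingerprint, the resolved server address and the network path are what distinguish a routine certificate renewal from an interposed server.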

The Chinese government denies the allegation, claiming that it does not engage in illicit hacking activities and is itself a target of cyber-attacks. Greatfire.org not only disputes this claim, but further alleges that this particular attack would have been difficult without the complicity of China Telecom, since the attack appeared to originate from “deep within the Chinese domestic Internet backbone”.

Hackers Ran Loose Inside JPMorgan for 2 Months before Getting Caught

Gerry Smith of the Huffington Post reports on news that hackers had access to the JPMorgan Chase computer system for 2 months before being discovered. Smith opines that this is a sign that many companies are not only ill-equipped to stop intrusions, but are equally bad at discovering they have been compromised once it happens. JPMorgan isn’t alone. Smith says, “Hackers resided on the computers of Neiman Marcus for five months, Home Depot for five months, arts and crafts store Michaels for eight months and Goodwill, the thrift store, for a year and a half.”

The article discusses the fact that hacks often take weeks or months to accomplish. An attacker generally needs to spend some time rooting around inside a network to understand how it is laid out and how to exploit the systems. Aleksandr Yampolskiy, CEO of SecurityScorecard, is quoted as saying, “…the biggest reason that hackers go unnoticed is that security teams are often overwhelmed with data. Companies will spend millions of dollars on sophisticated intrusion detection systems and vulnerability scanners that set off numerous alarms, many of which aren’t serious. A security engineer at a company with 4,000 employees might get an alert every time an employee visits a suspicious website on the network, for example.”
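One practical answer to the alert flood Yampolskiy describes is to stop reading alerts one at a time and instead correlate them per host: a single low-severity “suspicious website” alert is noise, but the same host tripping several different rules within a short window is the pattern an intruder rooting around a network tends to produce. The script below is an added example, not code from the article or from SecurityScorecard. The alert lines, rule names, severity weights and the one-hour window are all constructed assumptions chosen to illustrate the idea.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a simple key=value format (not real data).
SAMPLE_ALERTS = """\
2014-10-20T09:12:03 host=ws-17 rule=suspicious_site severity=low
2014-10-20T09:14:40 host=ws-22 rule=suspicious_site severity=low
2014-10-20T09:15:11 host=ws-17 rule=new_admin_tool severity=medium
2014-10-20T09:20:55 host=ws-17 rule=outbound_beacon severity=medium
2014-10-20T10:02:08 host=ws-05 rule=suspicious_site severity=low
2014-10-20T10:40:31 host=ws-22 rule=suspicious_site severity=low
2014-10-20T13:10:00 host=ws-22 rule=suspicious_site severity=low
2014-10-21T09:00:00 host=ws-17 rule=suspicious_site severity=low
"""

# Assumed weights; a real deployment would tune these per rule.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}


def parse_alert(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_alerts(text: str) -> list[dict]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def correlate(alerts: list[dict], window: timedelta = timedelta(hours=1),
              min_distinct_rules: int = 2) -> list[dict]:
    """Rank hosts by how many distinct rules fired within any single window.

    For each host, every alert starts a candidate window; the window with
    the most distinct rules (ties broken by weighted severity) represents
    the host. Hosts below min_distinct_rules are dropped as noise.
    """
    by_host: dict[str, list[dict]] = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    escalations = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        best = None
        for i, start in enumerate(items):
            in_window = [a for a in items[i:] if a["ts"] - start["ts"] <= window]
            rules = sorted({a["rule"] for a in in_window})
            score = sum(SEVERITY_WEIGHT.get(a["severity"], 0) for a in in_window)
            cand = {"host": host, "window_start": start["ts"],
                    "distinct_rules": len(rules), "score": score, "rules": rules}
            if best is None or (cand["distinct_rules"], cand["score"]) > (
                    best["distinct_rules"], best["score"]):
                best = cand
        if best is not None and best["distinct_rules"] >= min_distinct_rules:
            escalations.append(best)

    escalations.sort(key=lambda e: (e["distinct_rules"], e["score"]), reverse=True)
    return escalations


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for esc in correlate(alerts):
        print(f"{esc['host']}: {esc['distinct_rules']} distinct rules, "
              f"score {esc['score']}, from {esc['window_start']}: {esc['rules']}")
```

On the constructed input, eight raw alerts collapse to a single escalation: ws-22 fires the same low-severity rule three times and never surfaces, while ws-17 combines a suspicious site, a newly installed admin tool and an outbound beacon inside one hour, which is the host a small team should look at first.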

Carmakers ignore hacking risk, security expert says

Right now, network security in increasingly smart cars is an “afterthought”, according to Chris Valasek of security consulting firm IOActive. Emily Chung of CBC News reports on a keynote speech by Valasek at the SecTor IT security conference in Toronto this week. Research was presented that discussed the numerous vulnerabilities appearing in new automobiles, from thieves being able to disable security systems and unlock or start cars, to hackers tampering with the brakes or other critical systems in the cars.

The interconnected networks in the vehicles are full of potential vulnerabilities. Chung writes that “Researchers have shown that such messages can be sent via other systems in the car that don’t directly control the car, such as its Bluetooth connections, remote keyless entry or infotainment systems. Those could, in turn, be used to indirectly hijack the car’s control systems. The challenge is that the insecure messaging systems found in cars are generally standardized and required by law for purposes such as emissions testing, Valasek said. He’s also concerned that car manufacturers lack a system for distributing security patches or upgrades to cars, other than sending customers a letter by mail and asking them to drive to a shop for service.”

Who knows? Maybe someday both cup holders and SSL Certificates will come standard on new cars.

Staples Is Latest Retailer Hit by Hackers

Staples reported on Tuesday that its network was hacked, with the loss of customer credit and debit card information. Nicole Perlroth of the New York Times explains, “In each case, criminals scanned for tools that typically allow employees and vendors to work remotely, then used those tools to install malware on retailers’ systems. That malware, in turn, fed back customers’ payment details to the hackers’ computer servers. The same group of criminals in Eastern Europe is believed to be behind the earlier attacks, according to several people with knowledge of the results of forensics investigations who spoke on the condition of anonymity because of nondisclosure agreements.”

“This latest breach demonstrates that criminal hacking organizations have much better collaboration and information sharing practices than our major retailers,” said John Gunn, a vice president at Vasco Data Security. “In the past, mega-breaches were isolated events, but now, with well-developed secondary markets for hacking tools and techniques, multiple hacking organizations can execute similar attacks simultaneously or in rapid succession.”

Officials warn 500 million financial records hacked

Erin Kelly of USA Today reports that federal officials announced on Monday that hackers have stolen over 500 million financial records over the past 12 months. The U.S. financial sector is one of the most targeted in the world, with staggering statistics that illustrate the problem. Roughly 110 million Americans, around 50% of U.S. adults, have had personal data exposed in the past year. Around 80% of victims in the business community don’t even know they have been hacked until informed by investigators, vendors, or customers. “We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” says Robert Anderson of the FBI’s Criminal Cyber Response and Services Branch.

The FBI reports, “About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card…”

According to Joseph Demarest of the FBI’s cyberdivision, “You’re going to be hacked. Have a plan.”