Microsoft Windows Hit By New Zero-Day Attack

October 22, 2014 – 5:40 AM

Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advistory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where this vulnerability may be found. Exploiting it allows for malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Access Control popup is displayed, which may alert the user that something unusual is going on.

Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-attack/

Officials warn 500 million financial records hacked

October 21, 2014 – 5:58 PM

Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.

“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch.

The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.

“You’re going to be hacked,” Joseph Demarest, assistant director of the FBI’s cyberdivision, told the business leaders. “Have a plan.”

Source:
http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/

Strengthening 2-Step Verification with Security Key

October 21, 2014 – 5:17 PM

2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

Source:
http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html

Banks: Credit Card Breach at Staples Stores

October 20, 2014 – 8:35 PM

Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.

Source:
http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

This POODLE bites: exploiting the SSL 3.0 fallback

October 14, 2014 – 7:45 PM

Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).

SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

Source:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html