iStock_000020855515Small-300x225

This Week In Application Security: December 16-22, 2013

Dec 22, 2013 By Sarah Vonnegut

If we’re measuring it in cyber-drama, it’s certainly a holiday season to remember!  The past week saw what is potentially the most damaging data breach of 2013 with over 40 million Target customers at risk of credit fraud. On top of that, a major media site got hit for the third time in the same number of years, Israeli-security firm RSA had an NSA kind of week, and a report exposed a newly discovered type of side channel attack using just your computer sound to decrypt sensitive data.

 

Target Breach Leaves 40M Customers At Risk of Fraud

Target is officially having a nightmare before Christmas as news that hackers stole credit card data from America’s #2 retailer flooded the media this weekend. After Brian Krebs first reported on the breach last week that occurred between Black Friday, November 27th and December 15th, Target confessed that they’re working with an investigations team to uncover what happened that allowed hackers to steal over 40 million customer credit card details, including the number, expiration date and CVV data on the back of the card. The theft occurred through a flaw in over 40,000 Point of Sale machines in stores throughout the country.

The data swiftly made its way to the black market, where corporate card data can grab as high as $45 each and platinum card data can earn as much as $35.  The credit card details can be burned onto magnetic stripes on counterfeit credit cards that can then be used in-store or online.

To try to repair the PR damage done by a data breach of this size, Target bribed customers back into its stores with a 10% discount over the weekend, a great idea for luring out last-minute shoppers in need of Christmas gifts. Customers are advised to monitor their bank accounts for fraud and wait for further instructions from Target on how to receive free credit monitoring. Meanwhile, there is no indication of how the hackers accessed the data, who was involved in the breach, and what the cost of damage will be for Target.

Read more: Target’s Black Friday Breach Nightmare

NSA Allegedly Paid Security Firm RSA To Allow Backdoors In Its Products

Building on earlier allegations that RSA had used an intentionally flawed cryptographic standard in the software it sold to the NSA at their request, further details of the close-knit RSA-NSA relationship emerged this week. The new leak accuses the National Security Agency of shelling out $10 million to RSA in order for them to use encryption software in some of their computer products that could be easily cracked, according to Reuters.

The Dual EC DRBG random number generator algorithm used by RSA in some of its security software, including their popular BSafe Toolkit and Data Protection Manager, allowed the NSA to easily break the encrypted code. Dual EC DRBG was shown to be vulnerable since 2006, when security researcher Bruce Schneier showed that the algorithm could be used as an NSA backdoor.

As for their part in the debacle, RSA is vehemently denying the allegation of ‘backdoor bribery’. A spokesperson for the security firm stated that “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products.” Strangely enough, though, the company has advised their customers to discontinue the use of Dual EC DRBG and move to a different PRNG The news is quite a turnaround for the company, who in the 1990s fervently fought against plans to include a chip in computers that would have allowed the government to spy on people both domestic and foreign.

Read more: Exclusive: Secret contract tied NSA and security industry pioneer (via Rueters)

Three for Three: The Washington Post Hacked For 3rd Time In As Many Years

Last Wednesday, hackers made their way into The Washington Post’s servers, gaining access to the usernames and passwords of the paper’s employees, seemingly causing more confusion than actual calamity.

Officials don’t believe any customer or subscriber data was involved in the breach and no personal info other than the employee account data was taken, but the full extent is not yet known. Out of precaution, the paper is having its’ employees change their passwords and usernames “on the assumption that many or all of them have been compromised,” although no hard evidence of the hackers using the stolen info has come out. The intrusion went on for a few days at most, officials investigating the breach said.

The Washington Post, like many other popular media sites, is no stranger to hackings. This past August saw the website hacked by the Syrian Electronic Army as well as an email phishing attack aimed at stealing employee usernames and passwords. In late 2011, the Post’s servers were taken over by Chinese hackers, the group also believed to be responsible for this most recent breach.

Read More: Hackers Break Into Washington Post Servers (via The Washington Post)

Computer Scientists Prove That Decryption Using CPU Sounds Is Possible

Computer scientists in Israel published a paper this week describing a side channel attack in which malicious hackers could have the ability to extract full 4096-bit RSA decryption keys from laptops in under an hour simply by listening to the sounds made by the keys. Adi Shamir, whose last names first initial happens to be the ‘S’ in RSA, along with research colleagues Daniel Genkin and Eran Tromer published their findings nearly ten years after the three men first stumbled upon the possibility of gaining valuable hints about private encryption keys purely by sounds made by the computer.

It’s referred to as an Acoustic Cryptanalysis Key Extraction Attack. As a proof of concept, the researchers implemented a successful decryption of personal emails using GnuPG (Privacy Guard), a widely used free encryption software alternative to PGP that is compliant with OpenPGP protocol. The researchers then worked with GnuPG to create a patch for their newly discovered attack.

In simple terms, the Acoustic Cryptanalysis key extraction attack would rely on a microphone to ‘eavesdrop’ on another computer and recover private RSA keys, one by one. The key could then be used to read someone else’s emails and send digitally signed emails as if from the victim. This new technique comes just weeks after another group of white-hat hackers devised a way to make computer viruses jump through air as inaudible sound to affect other computers.

Read more: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (Paper by Shamir, Genkin, and Tromer)

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.