This document summarizes recent security news including vulnerabilities in Internet Explorer and a veterans website, a new "Bar-Mitzvah" attack against the RC4 encryption algorithm, and recommendations for protecting against the RC4 vulnerability. Specifically, it reports that hackers are targeting the US military with a zero-day IE exploit installed on a veterans site, describes how the RC4 attack works without man-in-the-middle techniques, and advises disabling RC4 in web applications, browsers, and TLS configurations.
2. DISCLAIMER
The information contained in this presentation
does not break any intellectual property,
nor does it provide detailed information that
may be in conflict with any laws.
4. Continued….
• Hackers are using a zero-day vulnerability in Microsoft's
Internet Explorer (IE) web browser to target US military
personnel in an active attack campaign dubbed
'Operation Snowman'.
• FireEye researchers have discovered that a U.S. veterans
website was compromised to serve a zero-day exploit, known
as CVE-2014-0322. This kind of attack typically involves the
compromise of a specific website in order to target a group
of visitors known to frequent it.
• FireEye identified a drive-by-download attack that altered the
HTML code of the website and introduced JavaScript that
creates a malicious iframe.
5. Continued….
• Dropped files are digitally signed, making them look like a legitimate
application, and the vulnerability ultimately allowed the attackers to
bypass address space layout randomization (ASLR) by accessing
memory from Flash ActionScript.
• But the exploitation can be mitigated if the user is browsing with a
different version of IE or has installed Microsoft's Enhanced
Mitigation Experience Toolkit (EMET).
• "Based on the overlaps and tradecraft similarities, it is believed
that the actors behind the campaigns are associated with two
previously identified campaigns, Operation Deputy Dog and
Operation Ephemeral Hydra, which had previously targeted a
number of different industries," FireEye said.
• A Microsoft spokesperson confirmed: "Our initial investigation has
revealed that Internet Explorer 9 and Internet Explorer 10 are
affected."
6. BAR-MITZVAH ATTACK - An attack that leverages a 13-year-old
weakness in the less secure Rivest Cipher 4 (RC4) encryption
algorithm
The most popular and widely used encryption scheme has
been found to be weaker with the disclosure of a new attack
that could allow attackers to steal credit card numbers,
passwords and other sensitive data from transmissions
protected by SSL (secure sockets layer) and TLS (transport
layer security) protocols.
7. Continued….
• The attack, dubbed "Bar-Mitzvah", can be carried out even
without conducting a man-in-the-middle (MITM) attack
between the client and the server, unlike most of
the previous SSL hacks.
• Itsik Mantin, a researcher from security firm Imperva,
presented his findings in research titled "Attacking SSL
when using RC4" at the Black Hat Asia security conference
Thursday in Singapore.
• The Bar-Mitzvah attack exploits the "Invariance
Weakness", a weak key pattern in RC4 keys that can
leak plaintext data from encrypted SSL/TLS traffic into
the ciphertext under certain conditions, potentially
exposing account credentials, credit card data, or other
sensitive information to hackers.
8. HOW TO PROTECT YOURSELF?
• Web application admins should disable RC4 in
their applications’ TLS configurations.
• Web users (particularly power users) should
disable RC4 in their browser’s TLS
configuration.
• Browser providers should consider removing
RC4 from their TLS cipher lists.
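
One way to check the first recommendation is to audit server configuration for cipher strings that still admit RC4. The Python sketch below is an added example, not part of the original slides; the function names and the sample configuration are constructed for illustration, and it assumes nginx `ssl_ciphers` / Apache `SSLCipherSuite` directives carrying OpenSSL cipher strings. It is deliberately conservative: only an explicit `!RC4` counts as a definitive exclusion.

```python
import re

# Aliases that may expand to a set containing RC4 suites, depending on the
# OpenSSL version and build options (assumption: RC4 is still compiled in).
BROAD_ALIASES = {"ALL", "DEFAULT", "MEDIUM", "COMPLEMENTOFDEFAULT"}
# Directives that carry an OpenSSL cipher string in nginx / Apache httpd.
DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|SSLCipherSuite)\s+(.+?)\s*;?\s*$")

def classify(cipher_string):
    """Return 'enabled', 'possible' or 'excluded' for RC4 in a cipher string."""
    killed, state = False, "excluded"
    for token in re.split(r"[:, ]+", cipher_string.strip("\"' ")):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        name = name.upper()
        if op in ("!", "-") and name == "RC4":
            killed = killed or op == "!"  # "!" is permanent, "-" can be undone
            state = "excluded"
        elif op == "" and not killed:     # "+" only reorders, so it is ignored
            if "RC4" in re.split(r"[-+]", name):   # RC4, RC4-SHA, RC4+RSA ...
                state = "enabled"
            elif name in BROAD_ALIASES and state != "enabled":
                state = "possible"
    return state

def audit(config_text):
    """Return (line_no, directive, verdict) for every cipher directive found."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            findings.append((no, m.group(1), classify(m.group(2))))
    return findings

# Constructed sample mixing nginx and Apache httpd syntax.
SAMPLE = """\
# constructed sample configuration
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!aNULL;
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM
ssl_ciphers "HIGH:MEDIUM:!aNULL:!MD5";
SSLCipherSuite HIGH:RC4-SHA:!RC4:!aNULL
ssl_ciphers ECDHE+AESGCM:!aNULL;
"""

if __name__ == "__main__":
    for no, directive, verdict in audit(SAMPLE):
        print(f"line {no}: {directive}: RC4 {verdict}")
```

A verdict of "possible" means the string relies on a broad alias without `!RC4`, so the result depends on the OpenSSL build that evaluates it; adding `!RC4` removes the ambiguity.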