Canadian Point of Sale company data breech

     The point of sale company Lightspeed has suffered a data breech, the email above was posted on twitter by Australian security expert Troy Hunt which was sent by Lightspeed to its customers. The hackers had gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Eventhough the database was accessed by hackers Lightspeed said there was no evidence that information was stolen.

      The company said that passwords created after January of 2015 where the safest having been stored with advanced encryption technology. They also said that the system that the hackers had accessed did not hold any private information such as credit card numbers. The company has informed customers that a third party security firm had been hired to investigate and that it’s systems should be only accessible by authorized users.

http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach

  • Gavin Millikan

Smart Watch Security Threats

As with any piece of new technology, the introduction of smart watches come with new threats to security. A recent study was conducted on these watches and to no ones surprise, many vulnerabilities were found. A few of the vulnerabilities listed include, a lack of transport encryption, lack of user authentication, privacy problems, and firmware problems. It was also found that communications were easy to interfere with and intercept. This means that as of right now, if sensitive data is being transmitted over the watches, anyone could get a hold of it.

Experts recommend to protect sensitive information with strong passwords and to make sure you are controlling your communications to avoid middle man attacks. Another suggestion they make is to manage your transport layer security settings and make sure they are in good shape for protecting you. The biggest concern however seems to be the vulnerabilities of the apps rather than the watch itself. Previously there have been attacks on apps for the iPhone and such so the experts say it wouldn’t be surprising to see attacks on the smart watch apps.

The bottom line is to approach these new smart watch products with care and to focus more on the security of the apps than the watch itself. Additionally, as time goes on, more apps for increased security will be released. Apple has already released several since the release of their Apple Watch.

-Thomas Coburn

Pay Up or Give Up: How to Deal with Ransomware

ransomwarehttp://www.superantispyware.com/blog/2013/08/all-you-need-to-know-about-ransomware/

Boston, MA – At this year’s Boston Cyber Security Summit, one FBI agent announced some surprising advice when dealing with ransomware. “To be honest, we often advise people just to pay the ransom”, said Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the Boston office. “The ransomware is that good”, he said. Ransomware is used by malicious attackers by encrypting a computer’s files and then holds the key needed to unlock them for a specified value typically ranging from $200 to $10000. Ransomware attacks often use strains like CryptoLocker and CryptoWall which are so difficult to crack that it is cheaper to pay the ransom them to hire a professional to come and fix the computer.

The FBI has stated by regularly backing up your system, these sort of criminal threats would be ineffective. Between April 2014 and June 2015, the FBI’s Internet Crime Complaint Center reported it received almost 1000 CryptoWall complaints and that the victims together lost more than $18 million. Also, according to the Cyber Threat Alliance, the criminals behind CryptoWall have earned about $325 million.

In order for businesses to deal with the mass increase of ransomware, the FBI gives the option of revert to back-up systems, contact a security professional, or pay. Many of the businesses have been going to the FBI for advice and assistance on defeating the malware and getting their data back, but even the FBI admits that ransomware is “pretty good”, meaning they can’t always help due to the strength of the malware. “Law enforcement traditionally has struggled to chase down cybercriminals who use ransomware”, says Marco Balduzzi who researches the dark Web. He mentions that the attackers are often paid in bitcoin which is difficult to trace. Then they convert the bitcoin to other virtual currencies which make it nearly impossible to track back to the criminal.

The FBI saying the best way to deal with ransomware is simply to pay off the ransom is a surprise that leads to the fact that hackers have established a new and complex method of gaining the money they want while the general public’s awareness of these attacks have decreased, perhaps during a time where people should be most aware of cyber threats.

Andrew McKenzie

Sources

http://www.sfchronicle.com/business/article/When-it-comes-to-ransomware-take-precautions-or-6601854.php

How the NSA broke trillions of encrypted connections

As technology has become more interconnected as we have advanced over the years security has become a major issue and many people have pushed companies and developers into ensuring and using encryption and other techniques to guarantee people’s data is safe and secure and only accessible by the people that own it. Diffie-Hellman Key Exchange is a method of generating a shared private key with which two computers can use to secure a previous insecure channel. The Diffie-Hellman Key Exchange method is used by many different protocols to encrypt the traffic like VPN, SSH, HTTPS. To break a key for something like this, which is normally 1024 bits, it can take up to a year and cost millions of dollars, the NSA doesn’t have the money or time to continually crack these keys instead they have just enough time to crack only two. The flaw in the Diffie-Hellman encryption that the NSA discovered that there are two commonly used primes that are used to calculate the 1024-bit key. NSA cracked one key and was able to decrypt two thirds of VPN connections and a quarter of all SSH server globally. The other key they generate allowed them the eavesdrop on about 18% of the top million HTTPS websites. The attack is effective only on IPsec and a fair amount of SSH but not all, PGP and iMessage are immune to this attack. There is also other information backing up this theory of the NSA cracking the two keys, in the files that Edward Snowden leaked there was claims that showed the agency being able to monitor encrypted VPN connections. The research team that discovered this recommend that websites move to 2048-bit Diffie-Hellman keys, but 3072-bit would be needed to be really impervious to this attack and SSH users upgrade to the latest OpenSSH which uses Elliptic-Curve Diffie-Hellman Key Exchange.

Source:

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

http://www.techworm.net/2015/10/nsa-break-encrypted-web-vpn-connections-cryptographic-mistake.html

http://thehackernews.com/2015/10/nsa-crack-encryption.html

https://www.lawfareblog.com/nsa-and-weak-dh

By Peter Carenzo

An Upcoming Threat To Encryption

The weakness to all encryption, to all security, is time.  What if the time that it took to crack an encryption was drastically cut down.  Quantum computers may be more than a decade away, but they not just may, but will, exponentially cut down the time it takes to crack an encryption.  This week there is going to be a computer security convention at Schloss Dagstuhl–Leibniz Center for Informatics in Wadern, Germany concentrating on quantum-resistant replacements the currently used encryption.  This convention is only one of the many convention that have recently been held or are about to be held.  Examples of other conventions include the workshop NIST, the US National Institute of Standards and Technology, in April, and the IQC team up with the European Telecommunications Standards Institute in October.  The NSA also revealed that it has plans to upgrade to quantum resistant protocols.  The Dutch Intelligence services also pointed out the threat of people/corporations/governments intercepting and storing information now to decrypt when the quantum computers are complete.

One of the most used encryptions as of now is called RSA encryption.  This is one of the encryptions that will be rendered obsolete when quantum computers are used.  “PQCRYPTO, a European consortium of quantum-cryptography researchers in academia and industry, released a preliminary report on 7 September recommending cryptographic techniques that are resistant to quantum computers.”  PQCRYPTO gave recommendations for four different types of encryption, symmetric encryption, symmetric authentication, public-key encryption, and public-key signatures.  A symmetric encryption is “the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.”1  For symmetric encryption, PQCRYPTO recommends AES-256, and Salsa20 with a 256-bit key.3  Symmetric authentication is when “the user shares a unique, secret key (usually embedded in a hard token) with an authentication server. The user is authenticated by sending to the authentication server his/her username together with a randomly generated message (the challenge) encrypted by the secret key. If the server can match the received encrypted message (the response) using its share secret key, the user is authenticated.”2  For Symmetric authentication, PQCRYPTO recommends GCM using a 96- bit nonce and a 128-bit authenticator, and Poly1305.3  Public-key encryption, also known as asymmetric-key encryption, is when “there are two related keys–a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.   Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.”1  For public-key encryption, PQCRYPTO recommends McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors.  For public-key signatures, PQCRYPTO recommends XMSS, and SPHINCS-256.3

Sources:

http://www.nature.com/news/online-security-braces-for-quantum-revolution-1.18332

1: https://support.microsoft.com/en-us/kb/246071

2: http://www.e-authentication.gov.hk/en/professional/skey.htm

3: http://pqcrypto.eu.org/docs/initial-recommendations.pdf

By Eric Weitzman