Cupid Fires Arrow at OpenSSL’s Heart

As if the discovery of the Heartbleed flaw weren’t enough woe for OpenSSL, more than half a dozen additional defects have been discovered in the code used to protect communication on the Web.

Among them is one dubbed “Cupid” by its discoverers. The flaw can be used to compromise enterprise networks.

Like Heartbleed, Cupid relies on a malformed heartbeat message: the sender declares a payload far larger than the data it actually supplies, and a vulnerable peer answers with that many bytes copied from its own memory, up to 64 KB per request. TLS, or Transport Layer Security, is used to secure communications on the Internet.

However, in Cupid's case, that TLS session is carried inside EAP rather than over a TCP connection, in the wireless case before the device even has an IP address. EAP, or Extensible Authentication Protocol, is an authentication framework used on WiFi networks (in methods such as EAP-TLS, PEAP and EAP-TTLS) and for point-to-point connections such as virtual private networks, or VPNs. Either end can be the target: a rogue access point can bleed a connecting client, and a malicious client can bleed the authentication server.
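The length check at the center of this, as an added Python example rather than OpenSSL's own code or anything published by the Cupid researchers: it models the RFC 6520 heartbeat message, the unpatched peer's trusting copy, and the check that the fix added. The transport is irrelevant to the check, since a TLS record reaches the same heartbeat handler whether it arrives in a TCP stream or inside an EAP-TLS fragment, which is why Cupid needed no new bug. The function names, the claimed length of 16 KB and the contents of the "adjacent memory" are assumptions constructed for illustration.

```python
"""Added example: the Heartbleed length check that Cupid re-exploits over EAP.
All names, constants and sample data here are constructed for illustration."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
HB_HEADER_LEN = 1 + 2     # type byte + 16-bit payload_length


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. An honest sender leaves claimed_len alone;
    an attacker sets it far larger than len(payload)."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_respond(record: bytes, adjacent_memory: bytes) -> bytes:
    """Unpatched behaviour: trust payload_length and copy that many bytes
    starting at the payload, running off the end of the record into whatever
    sits next to it in the heap (simulated here by adjacent_memory)."""
    payload_len = struct.unpack("!H", record[1:3])[0]
    heap = record + adjacent_memory            # what the copy actually reads
    echoed = heap[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def hardened_respond(record: bytes) -> Optional[bytes]:
    """Patched behaviour: discard the message unless the claimed payload,
    plus header and minimum padding, fits inside the record actually received."""
    if len(record) < HB_HEADER_LEN + MIN_PADDING:
        return None                            # too short to hold any payload
    payload_len = struct.unpack("!H", record[1:3])[0]
    if HB_HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return None                            # claimed length lies: drop silently
    echoed = record[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


# Constructed sample data: a benign request, an over-claiming request, and
# neighbouring heap contents that a real peer should never hand out.
BENIGN = build_heartbeat(b"ping")
MALICIOUS = build_heartbeat(b"ping", claimed_len=0x4000)   # claims 16 KB, sends 4
ADJACENT_MEMORY = b"...EAP inner identity: alice@corp.example; password=hunter2..."


def leaked_bytes() -> bytes:
    """Everything the vulnerable peer returns beyond the 4 bytes it was sent."""
    resp = vulnerable_respond(MALICIOUS, ADJACENT_MEMORY)
    return resp[HB_HEADER_LEN + len(b"ping"):]


if __name__ == "__main__":
    print("vulnerable peer leaks:", leaked_bytes())
    print("hardened peer, malicious request:", hardened_respond(MALICIOUS))
    print("hardened peer, benign request:", hardened_respond(BENIGN))
```

The hardened check is deliberately silent: answering with an error would tell an attacker which peers are patched, so the fix simply drops the record.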

“Cupid is heartbleed in different clothing,” Kevin Bocek, vice president of product marketing at Venafi, told TechNewsWorld.

Bugs Galore

Because Cupid can be used to attack VPN connections, it can be very dangerous to the enterprise, according to Bocek.

“What’s most scary to me is that it gives an attacker access to information at the corporate gateway,” he said. “It could potentially retrieve very valuable information, including the keys and certificates used to say any given VPN source is trusted, and user names and passwords.”

The discovery of Cupid came during a week when the OpenSSL team announced seven vulnerabilities covering four release branches of OpenSSL: 0.9.8, 1.0.0, 1.0.1 and 1.0.2.

The most serious of the vulnerabilities allows an attacker positioned between a vulnerable client and a vulnerable server to mount a man-in-the-middle attack without either end noticing.

“This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes,” according to Lepidum, the company that brought the flaw to the attention of the OpenSSL team.

While new vulnerabilities continue to be discovered in OpenSSL, old flaws won’t be fading away soon, Bocek warned. “We haven’t heard the last of Heartbleed. Cupid is an example of that.”

Advertising Threats

Mobile advertising can be not only annoying, but also dangerous. Ad networks can be used to infect mobile phones with malware, as well as siphon sensitive information from the devices.

“Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools,” Ryan W. Smith of Mojave Networks recently wrote in a company blog.

Mojave released these findings, based on its recent research:

  • Sixty-five percent of applications connect to an ad network where it’s almost impossible for users to decipher which ad network is tapping into their applications and data.
  • Each application alone typically has nine permission requests, and on average, five of those permissions are considered dangerous.
  • At least 78 percent of all applications downloaded by business users connect either to an ad network or to a social media or analytics API.

Not Just a Consumer Issue

Those numbers should raise concerns in the enterprise. They suggest that corporate data could be at risk on phones used both for business and personal use by employees.

Although the issue of apps scraping more data from a user’s phone than they need is usually framed as a consumer issue, it can spill over into the corporate world, acknowledged Elias Manousos, founder and CEO of RiskIQ and cochair of the Anti-Malvertising Work Group.

“These ad networks are using behavioral targeting to track consumers whether they’re working at a company or using their phone for personal use. They’re not differentiating between the two,” Manousos told TechNewsWorld.

“If you’re storing corporate information on the phone, and a company is not using its own containers to lock down that information and it’s made available to the apps on the device, then advertising could become a problem for your company,” he added.

Security pros should ensure that corporate information sent to employees’ phones is protected from access by other applications on the device, either through encryption or segregation, Manousos recommended.

Simplocker Strain

Ransomware has begun to appear in the mobile realm, but it’s been relatively unsophisticated. Recently, however, there have been signs that extortionists are ready to take their game up a notch.

Researchers at Eset have discovered a malware strain for Android phones that they’re calling “Simplocker.” The bad app searches the phone’s SD card and encrypts the documents, images and video files it finds there. To get a key to decrypt the data, a user has to pay a ransom.

That technique is also used by Cryptolocker, a popular PC ransomware program. However, Simplocker uses a less sophisticated encryption scheme to do its nasty work.

At this point, the malware seems to be in the development stage. “We’re not seeing any reports of it in the wild yet,” Eset Security Researcher Lysa Myers told TechNewsWorld. “It’s probably a proof of concept.”

“They had a similar process when Cryptolocker first started,” she added. “They had early attempts that were less sophisticated, and as they discovered it was something that was effective, they put more effort into it, making it robust.”

Breach Diary

  • June 3. Google rolls out alpha version of End-to-End, an extension for its Chrome browser for encrypting Gmail messages.
  • June 4. American Express begins notifying 76,608 California residents that their credit card information was posted to the Internet in March by a Ukrainian branch of the hacktivist collective Anonymous. Information included account number, card expiration date, effective date, and the four-digit code printed on the front of a card.
  • June 4. UK Queen Elizabeth proposes law creating life sentence for anyone convicted of a cyberattack that results in loss of life, serious illness or injury, or serious damage to national security.
  • June 4. U.S. Senate Judiciary Committee subcommittee holds hearing on bill banning mobile spying apps in order to protect victims of domestic violence.
  • June 5. Cisco reports increased traffic from the RIG exploit kit, which delivers a ransomware component called Cryptowall. Since April, the company says, it has blocked requests to more than 90 domains associated with the kit, from 17 percent of its Cloud Web Security customers.
  • June 5. Motherboard reports that hacker “Sabu” helped Anonymous attack Brazilian government and corporate websites in 2012 while working as an informant for the FBI.
  • June 5. Vodafone releases 40,000-word report on government surveillance of its networks in the 29 countries in which the company does business. In some of those countries, secret wires allow government agencies to listen directly to conversations on the carrier’s network.
  • June 5. AT&T announces plan to test allowing payment card companies to use geolocation services in cell phones to curb fraud.
  • June 6. Debian security team releases patch to address flaw in Linux kernel. The vulnerability could allow an attacker with local access to perform unauthorized actions on a system.
  • June 6. European Union ministers agree to require companies based outside the EU to comply with the organization’s privacy rules. No consensus has been achieved on how to enforce that edict.

Upcoming Security Events

  • June 10. Get Your Ducks in a Row. 1 p.m. ET. Webinar on Phase 2 HIPAA audits sponsored by IDexperts. Free with registration.
  • June 14. B-SidesCT. Quinnipiac University-York Hill Campus, Rocky Top Student Center, 305 Sherman Ave, Hamden, Conn. Fee: NA.
  • June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, US$495; June 18, $595.
  • June 19. Appsec: Overview, Deep Dive, and Trends. 2 p.m. ET. Blackhat webinar. Free with registration.
  • June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
  • June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
  • June 21-30. SANSFIRE. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • July 12. B-Sides Detroit. COBO Center, 1 Washington Blvd., Detroit. Free.
  • July 19. B-Sides Cleveland. B side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
