A Week in the News: More Trouble for OpenSSL

Some interesting stories in the news this week, including a coordinated botnet takedown, late-breaking trouble for the already damaged OpenSSL encryption library, some broadly encouraging but also problematic crypto news from Google’s mass stores of data, and yesterday marks the one year anniversary of the Edward Snowden affair.

week-compressor

Gameover

U.S. and E.U. law enforcement performed a coordinated takedown of the Gameover botnet. A botnet is a network of malware infected computers that work together to serve some generally malicious purpose. In the case of Gameover, that purpose was to distribute the Zeus trojan, which in turn would perform a wire fraud scheme that involves stealing financial credentials from infected users’ computers and then sending money from the victims’ accounts to those controlled by the attackers. However, Gameover has recently been used to distribute the notorious Cryptolocker ransomware as well.

Taking down a botnet requires that law enforcement – sometimes in concert with private companies – wrest control of the server handling the malware activity, known as a command and control server (C&C). Taking over a botnet, for what it’s worth, is sometimes referred to as sinkholing. Many successful botnets have gone down in this way. In reaction to that, criminals have moved toward more resilient peer-to-peer botnet infrastructure. What this essentially means is that the C&C is shared across an unknown number of machines within the botnet itself.

In basic terms, taking down a peer-to-peer botnet requires that law enforcement monitor and come to understand its communication infrastructure. Once they have a grasp on how the botnet communicates, they can move to replicate that structure and sinkhole the botnet. Once they control the botnet, they can cease its operations.

For a wonderful explanation of how the Gameover takedown affects you, read this explainer by David Emm of Kaspersky Lab’s Global Research and Analysis Team.

OpenSSL

This new OpenSSL flaw is a serious one, though it is not as serious, and does not affect nearly as many systems as did Heartbleed.

Still reeling from Heartbleed, news broke yesterday of yet another serious vulnerability in an encryption implementation service that is used by vast swaths of the Internet. This new OpenSSL flaw is a serious one, though it is not as serious, and does not affect nearly as many systems as did Heartbleed. Encryption, by the way, is that math stuff that keeps the things you do, say, and store online and on your computer secure. If that incredibly simplistic explanation doesn’t do it for you, then read up on this explanation of hashing and you’ll have a better idea of how this all works.

At any rate, the new vulnerability is remotely exploitable, meaning an attacker can take advantage of it to launch attacks against unsuspecting users from the comfort of their own home (or anywhere else with an Internet connection). Upon successfully exploiting the vulnerability, the attacker could intercept and decrypt traffic between vulnerable clients and servers.

The attack isn’t all that simple to perform (and in fact an attacker probably couldn’t exploit it from the comfort of his or her own home, but I wanted to explain the term ‘remotely exploitable’). The attacker would need to establish a man-in-the-middle position on his target. A man-in-the-middle attack is just what it sounds like: an attacker puts himself or his tools in between the user and a valuable resource, such as a banking website or email account. The easiest way to do this is to monitor traffic flowing out of an unsecured Wi-Fi network, of which there are many available to nearly all of us on a daily basis. There are also a score of other ways to perform such an attach, which you can read about in that last little link up there.

Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.

End-to-End

Google published some really cool data yesterday about the amount of Gmail traffic that is encrypted in transit, as in, after it leaves Google’s systems. The search giant found that some 69 percent of outbound email from Gmail is encrypted and 48 percent of mail inbound to Gmail is encrypted. This is a massive increase over previous years.

Google encrypts all of the data on its servers, so these findings are a reflection of how well other services are encrypting Gmail communications after it leaves Google’s control. I am being intentionally somewhat vague about this because we have a series of articles planned that will look into what parts of the world are doing better at encrypting data in transit and what parts of the world aren’t doing such a great job. Stay tuned for that in the next week or so.

Google also announced that it has developed a tool that will encrypt all data leaving its Chrome browser, which should help to solve some of the problems referenced above. We are interested to see how that works. And, again, stay tuned for some articles about that moving forward as well.

Reset the Net

June 5, as we noted in our monthly security news podcast was the date set for the Reset the Net initiative. The initiative, which was not coincidentally planned for the one year anniversary of the very first Edward Snowden-NSA spying revelations, aims to fight back against government surveillance by putting strong security and privacy tools in the hands of everyday internet users.
You can find some easy to use tools for nearly any operating system you are likely to use here. Take them for a spin and let us know what you think in the comments section below.

 

  • Pin It