Chinese hackers targeted Iranian government entities for months: Report


The Chinese advanced persistent threat (APT) actor Playful Taurus targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report.

The group, also tracked as APT15, KeChang, NICKEL, BackdoorDiplomacy and Vixen Panda, was observed attempting to connect Iranian government domains to malware infrastructure previously associated with it, the report says.

“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog. 



Security Analysis of Threema


A group of Swiss researchers have published an impressive security analysis of Threema.

We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models. As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. As another, we demonstrate a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted back-ups. We discuss remediations for our attacks and draw three wider lessons for developers of secure protocols.

From a news article:

Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

The company is performing the usual denials and deflections:

In a web post, Threema officials said the vulnerabilities applied to an old protocol that’s no longer in use. It also said the researchers were overselling their findings.

“While some of the findings presented in the paper may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact,” the post stated. “Most assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself.”

Left out of the statement is that the protocol the researchers analyzed is old because they disclosed the vulnerabilities to Threema, and Threema updated it.
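The compression side channel in the abstract is an instance of a general attack class (CRIME and BREACH are its better-known web relatives): whenever attacker-influenced data is compressed together with a secret and the result is encrypted with a length-preserving cipher, the ciphertext length leaks how much of the secret the attacker has guessed correctly. The following Python is an added illustration of that class, not code from the paper, from Threema or from this blog; the backup layout, the field names and the 16-digit "key" are constructed for the demo, and the attacker's only capabilities are choosing the nickname field and observing the backup's size.

```python
import zlib
from itertools import product

HEX_DIGITS = "0123456789abcdef"

# Constructed stand-in for the victim's long-term private key: 16 hex digits,
# each used exactly once. A real key is much longer; the unique-digit form only
# guarantees that no accidental repeated substrings disturb the measurements,
# so the demo recovers the key deterministically on every run.
VICTIM_KEY = "3a0f7c9e1b5d2864"


def backup_length(nickname: str, key: str = VICTIM_KEY) -> int:
    """Hypothetical backup format: an attacker-influenced field (the nickname)
    and the private key are serialised together, compressed, then encrypted.
    Length-preserving encryption adds only a constant, so the ciphertext length
    the attacker observes is the compressed length modelled here."""
    serialised = f"nickname={nickname}\nprivkey={key}".encode()
    # zlib.Z_FIXED selects fixed Huffman tables so every literal costs exactly
    # 8 bits; that keeps the oracle deterministic. With dynamic tables a real
    # attacker pads and repeats measurements to average out the extra noise.
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(serialised) + comp.flush())


def recover_key(key_length: int, oracle=backup_length) -> str:
    """Recover the key one hex digit at a time. The attacker sets the nickname
    to 'privkey=' + recovered prefix + guess; when the guess is right, DEFLATE
    finds a longer back-reference for the real 'privkey=...' line and the
    backup shrinks."""
    known = ""
    for _ in range(key_length):
        # Guess two digits at once. One correct digit saves a single 8-bit
        # literal, which byte-granular output can hide after rounding; two
        # correct digits save about 16 bits, so every guess with the right
        # first digit is strictly shorter than every guess with a wrong one.
        best = min(product(HEX_DIGITS, repeat=2),
                   key=lambda g: oracle(f"privkey={known}{g[0]}{g[1]}"))
        known += best[0]
    return known


if __name__ == "__main__":
    recovered = recover_key(len(VICTIM_KEY))
    print(f"recovered {recovered}, actual {VICTIM_KEY}, match={recovered == VICTIM_KEY}")
```

Sixteen positions times 256 guesses is 4096 size measurements, and nothing about the cipher was attacked: the leak is entirely in the compressor. The remediation lesson carries over directly: never compress secrets alongside data an attacker can influence, and where a format must compress, encrypt the secret separately or pad the output to a fixed size so that length is no longer a function of content.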


Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest


In the first two blogs in this series, we discussed setting up IAM properly and avoiding direct Internet access to AWS resources. In this blog, we'll tackle encrypting AWS data in transit and at rest.

Sometimes, despite all efforts to the contrary, data is exposed: through leakage from faulty apps or systems, lost laptops or portable storage devices, attackers breaking through defenses, social engineering, or interception in man-in-the-middle attacks.  Encryption limits the damage of such exposures.  Data encrypted with an industry-approved algorithm cannot be read without the key, so losing a copy of the ciphertext alone is survivable; what must then be protected is the key, which only trusted parties should be able to use.  Let's discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means the connection between your browser and the site uses TLS: data in transit is encrypted, and the server has presented a certificate for that hostname.  An attacker who intercepts the traffic sees only ciphertext.  (The lock says nothing about whether the site itself is trustworthy or free of vulnerabilities.)

Through a handshake that is beyond the scope of this series, the browser and the server agree on a cipher suite and derive the session keys.  The key exchange is designed so that an eavesdropper who records every packet still cannot derive those keys, so TLS protects traffic even on an untrusted network such as coffee shop WiFi.  The real risks on such networks are traffic that TLS does not cover at all (plain HTTP, DNS lookups, other protocols) and active attackers who try to interpose themselves with a forged certificate; the browser's certificate validation is what stops the latter, which is why you should never click through a certificate warning on a public network.  A virtual private network (VPN) connection to a trusted provider adds a second layer that also covers the non-TLS traffic, which is why it is commonly recommended on public connections.

AWS provides a service that manages the certificates needed to encrypt data in transit: AWS Certificate Manager (ACM).  Per AWS, ACM "handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications" (What Is AWS Certificate Manager? – AWS Certificate Manager).  ACM certificates can be attached to Elastic Load Balancers, CloudFront distributions and Amazon API Gateway.  Attaching a certificate is not enough on its own, though: the resource must expose only HTTPS listeners (or redirect HTTP to HTTPS), and on an ELB the listener's security policy decides which TLS versions and cipher suites clients may negotiate.  Configure both, and Internet-bound traffic to and from these resources is encrypted.

S3 and other AWS service endpoints already present TLS certificates, so clients that connect over HTTPS get encryption in transit; the gap is that many services also accept plaintext HTTP.  Closing it means updating the bucket policy to deny any request where the aws:SecureTransport condition key is false and, if you also want a floor on the protocol version, any request where s3:TlsVersion is below 1.2.  For a worked example of an S3 policy that enforces this, see: Enforce TLS 1.2 or higher for Amazon S3 buckets
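As an added example (not from this post or from the linked AWS article), here is the policy the article describes expressed in Python, next to a deliberately simplified model of how IAM evaluates its two condition operators, run against constructed request contexts.  The bucket name, object key and the evaluator are illustrative; real IAM evaluation has more operators and more semantics than are modelled here.

```python
import fnmatch
import json


def build_tls_policy(bucket: str) -> dict:
    """Bucket policy with two Deny statements: refuse plaintext HTTP, and refuse
    TLS versions below 1.2 (aws:SecureTransport and s3:TlsVersion are the real
    IAM condition keys; the bucket name is a placeholder)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyTlsBelow12",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Simplified IAM condition evaluation for the two operators used above.
    A key absent from the request context makes the condition false, as in IAM
    (the ...IfExists operator variants, which behave differently, are not modelled)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                return False
            have = ctx[key]
            if operator == "Bool":
                if str(have).lower() != str(wanted).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(have) < float(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def deny_sids(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Return the Sids of Deny statements matching a request. Any match is an
    explicit deny, which overrides every Allow in IAM evaluation."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_tls_policy("payroll-exports")
    print(json.dumps(policy, indent=2))  # ready for put-bucket-policy
    obj = "arn:aws:s3:::payroll-exports/q1.csv"
    # Constructed request contexts: what S3 sees for three kinds of client.
    for label, ctx in [
        ("plain http", {"aws:SecureTransport": "false"}),
        ("https, TLS 1.0", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"}),
        ("https, TLS 1.3", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3"}),
    ]:
        hit = deny_sids(policy, "s3:GetObject", obj, ctx)
        print(f"{label:16} -> denied by {hit or 'nothing in this policy'}")
```

Run stand-alone it prints the JSON ready for `aws s3api put-bucket-policy --bucket payroll-exports --policy file://policy.json` and shows which statement catches each request.  The detail to notice is that the plaintext HTTP request carries no s3:TlsVersion key at all, so the TLS-version statement alone would never catch it; you need both statements.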

Now that we know how to encrypt data in transit, let’s move on to our final topic of discussion – encrypting data at rest. 

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest.  With a few clicks of the mouse, every major AWS service that stores data (S3, EBS, RDS, DynamoDB and others) can be configured to encrypt it with keys that AWS owns and maintains by default.  The service behind these options is AWS Key Management Service (AWS KMS).

Thus, if a copy of your data leaks (a snapshot shared too widely, a disk decommissioned carelessly), it is illegible without the key, which KMS uses only on behalf of the principals your key policy authorises.  Brute-forcing a 256-bit AES key is not a realistic threat: even the world's fastest supercomputers would need far longer than the age of the universe.  The practical caveat is that encryption at rest is transparent to anyone permitted to read the data: an attacker who obtains valid IAM credentials for a role with s3:GetObject and kms:Decrypt reads plaintext exactly as your application does.  At-rest encryption complements the IAM work from step 1; it does not replace it.

If laws, regulations, or corporate policy require you to control your own encryption keys, AWS has other options.  Through KMS you can create customer managed keys, whose key policy you write yourself, and you can import your own key material (bring your own key) for KMS to use for encryption on your behalf.  If you do not want AWS to have any access to your key material at all, AWS CloudHSM provides dedicated hardware security modules in which keys are generated and from which they never leave.  These are provisioned and used like a utility with an hourly cost, and KMS can be pointed at your CloudHSM cluster through a custom key store.
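The mechanism behind server-side encryption with KMS keys is envelope encryption: on each write the storage service asks KMS for a fresh data key, encrypts the object with that key, and stores only the copy of the data key that KMS wrapped under the master key, which never leaves KMS.  The following Python is an added illustration of that pattern, not AWS code: a toy authenticated cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for AES-256-GCM) and a ToyKms class standing in for the KMS GenerateDataKey and Decrypt calls.  The key-id format, method names and sample object are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _subkeys(key: bytes) -> tuple:
    # Separate keys for confidentiality and integrity derived from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with HMAC-SHA256(enc_key, nonce || counter) blocks.
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(enc_key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (stand-in for AES-256-GCM)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return _keystream_xor(enc_key, nonce, ct)


class ToyKms:
    """Stand-in for KMS: master keys never leave this object. Callers get data
    keys only: the plaintext for immediate use plus a copy wrapped under the master."""

    def __init__(self):
        self._masters = {}

    def create_key(self) -> str:
        key_id = secrets.token_hex(8)  # hypothetical key-id format
        self._masters[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> tuple:
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._masters[key_id], data_key)

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._masters:
            raise PermissionError(f"key {key_id} is deleted or access is denied")
        return open_(self._masters[key_id], wrapped)

    def delete_key(self, key_id: str) -> None:
        # Real KMS schedules deletion with a waiting period; the effect is the same.
        del self._masters[key_id]


def put_object(kms: ToyKms, key_id: str, body: bytes) -> dict:
    """Write path: one fresh data key per object, body sealed under it, and only
    the wrapped data key persisted. The plaintext data key is dropped on return."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"key_id": key_id, "wrapped_data_key": wrapped, "body": seal(data_key, body)}


def get_object(kms: ToyKms, stored: dict) -> bytes:
    """Read path: KMS unwraps the data key for an authorised caller, then the
    service decrypts the body."""
    data_key = kms.decrypt_data_key(stored["key_id"], stored["wrapped_data_key"])
    return open_(data_key, stored["body"])


def demo() -> dict:
    kms = ToyKms()
    key_id = kms.create_key()
    obj = put_object(kms, key_id, b"customer PII")
    roundtrip = get_object(kms, obj)
    # A stolen object without KMS access is ciphertext plus a wrapped key: nothing usable.
    leaked = b"customer PII" in obj["body"]
    # Deleting the master key makes every object wrapped under it unrecoverable.
    kms.delete_key(key_id)
    try:
        get_object(kms, obj)
        recoverable_after_delete = True
    except PermissionError:
        recoverable_after_delete = False
    return {"roundtrip": roundtrip, "leaked": leaked,
            "recoverable_after_delete": recoverable_after_delete}


if __name__ == "__main__":
    print(demo())
```

demo() shows the three properties that matter: the object round-trips for a caller KMS will serve, the stored object contains no plaintext, and once the master key is gone nothing wrapped under it can be recovered (which is why real KMS enforces a 7 to 30 day waiting period before a key is actually deleted).  It also shows the limit noted above: any caller that ToyKms serves gets plaintext, and in AWS that caller is whoever the key policy and IAM grant kms:Decrypt.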

CloudHSM uses hardware security modules validated to FIPS 140-2 Level 3.  For those unfamiliar with this designation, FIPS 140 is the US government standard against which cryptographic modules are tested; Level 3 adds physical tamper resistance and identity-based operator authentication to the requirements of the lower levels.  To learn more about AWS KMS: Key Usage — AWS Key Management Service — Amazon Web Services.  To learn more about CloudHSM: Security HSM | AWS CloudHSM | Amazon Web Services

As such, considering the multitude of options and the ease of use, there is simply no excuse not to encrypt data wherever it is stored. 

Tying everything together

In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve its AWS security posture.  As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit and at rest.  It goes without saying that these steps are not exhaustive.  They are merely the steps that this author believes to be the most impactful. 

Many other security mechanisms exist that AWS customers can pursue.  For more advanced AWS security help, you are encouraged to engage AT&T’s cybersecurity consulting division for support.  We are ready, willing, and able to help you with your AWS cybersecurity needs.  To get more information about AT&T cybersecurity consulting, please click here: Cybersecurity Consulting Services | AT&T Business (att.com)

Thank you for taking the time to read this blog series.  I sincerely hope you found it informative and useful. 

References:

AWS – https://aws.amazon.com

A Cloud Guru – https://acloudguru.com


CVE-2015-10071


A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. Upgrading to version 1.0 is able to address this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.


CVE-2015-10070


A vulnerability was found in copperwall Twiddit. It has been rated as critical. This issue affects some unknown processing of the file index.php. The manipulation leads to sql injection. The name of the patch is 2203d4ce9810bdaccece5c48ff4888658a01acfc. It is recommended to apply a patch to fix this issue. The identifier VDB-218897 was assigned to this vulnerability.
