ISIS Hacks, FREAK Attacks Test Vulnerability Awareness
The hacking of dozens of home pages by a group claiming to be ISIS and the newly discovered FREAK flaw emphasize the need to protect against vulnerabilities, even in mobile banking channels.
Much attention recently revolved around the hacking of numerous North American websites, including one belonging to a Montana credit union. In the web attacks, invaders placed an ISIS flag banner on home pages. There is no indication that the individuals launching the hacks had any real connection to ISIS, but they did share two common elements—their use of the WordPress content management platform and the exploitation of a known vulnerability in a plug-in with an available patch.
While the name ISIS garnered headlines in the hack attack, it misdirected the attention. Lonny Brooks, manager of Security Services at Xamin, Inc., said, “It underscores the need for financial institutions to avoid the distraction of focusing on where attacks might come from and focus on the real issue: The financial institution's responsibility to investigate, identify and resolve their own technical weaknesses.”
That is the lesson learned by the $101 million Southwest Montana Community Federal Credit Union in Anaconda, Mont., a target in the recent hack.
Tom Dedman, CEO at the credit union, admitted, “The one thing we missed in this whole process was updates to the software that drives the website. That is really deep into the heart of Web development.”
Dedman asserted the credit union will make sure the software is updated going forward, and said he believed his institution did proper due diligence prior to the hacking.
“We have done vulnerability assessments or vulnerability penetration tests against the site and those passed,” he said. “But with this one software, it was a zero-day flaw or vulnerability they found that they exploited. I don't get or hadn't been getting the notifications on websites on zero-day vulnerabilities. I mean, geez, we don't think about that.”
A zero-day vulnerability is a software gap unknown to the vendor.
Jim Stickley, a cybersecurity expert and CEO of Stickley on Security, a security education firm in San Diego, suggested that financial institutions start requiring third-party vendors to provide a list of all products, including open source plug-ins, that they incorporate during development.
“The smaller financial institutions are not very good in patching and properly testing patches after installation,” Ondrej Krehel, founder/principal of LIFARS, a digital forensics and cybersecurity intelligence firm, said.
He said they frequently use an application that is running on top of the web server, such as WordPress, and recommended web application security programs utilize a layered approach. Only a few credit unions have adopted these tactics, however.
The ISIS hack also drew attention away from a recently discovered vulnerability called FREAK (Factoring Attack on RSA-Export Key). FREAK is a relic of the U.S. government's restriction on the export of strong encryption in the 1990s, which compelled developers to devise a system that could deliver strong encryption for U.S.-based users and weaker encryption for foreign users.
According to the website freakattack.com, this new vulnerability allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The number of actual attacks is unknown.
The vulnerability affects the Android and Apple Safari web browsers, which rely on OpenSSL to establish secure connections, as well as Microsoft's Secure Channel in all currently supported versions of Windows.
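The practical defender's check for the FREAK story above is whether a server or client still offers export-grade cipher suites at all, since a downgrade only works when both sides are willing to negotiate one. The following Python script is an added example, not code from the article or from any vendor quoted in it: it classifies cipher suite names (OpenSSL "EXP-" names and IANA "_EXPORT" names) from a scan result or server configuration, and also checks whether the local Python's OpenSSL default context still advertises any export suite. The cipher list it audits is constructed for illustration, not captured from a real server.

```python
"""Flag export-grade (FREAK-susceptible) cipher suites in a TLS cipher list.

Added example for this article; not code from the article or any vendor.
SAMPLE_SERVER_CIPHERS below is a constructed list, not a real scan result.
"""
import re
import ssl

# OpenSSL names export suites "EXP-..." or "EXP1024-..."; IANA names use "_EXPORT".
_EXPORT_PATTERN = re.compile(r"(^EXP\d*-|_EXPORT_?)", re.IGNORECASE)

# Other suites a downgrade attacker could steer a peer toward; flagged as weak, not export.
_WEAK_PATTERN = re.compile(r"(NULL|anon|ADH|AECDH|DES-CBC-SHA|RC4|MD5)", re.IGNORECASE)

# Constructed sample: what a scanner might report a legacy web server offering.
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",        # 40-bit RC4 with a 512-bit RSA export key
    "EXP-DES-CBC-SHA",    # 40-bit DES with a 512-bit RSA export key
    "DES-CBC3-SHA",
]


def classify_cipher(name: str) -> str:
    """Return 'export', 'weak' or 'ok' for one cipher suite name."""
    if _EXPORT_PATTERN.search(name):
        return "export"
    if _WEAK_PATTERN.search(name):
        return "weak"
    return "ok"


def audit_cipher_list(ciphers):
    """Group a list of cipher suite names by classification."""
    report = {"export": [], "weak": [], "ok": []}
    for cipher in ciphers:
        cipher = cipher.strip()
        if cipher:
            report[classify_cipher(cipher)].append(cipher)
    return report


def parse_openssl_cipher_string(spec: str):
    """Split an OpenSSL-style 'A:B:!C' cipher string into names, dropping '!' exclusions."""
    return [tok for tok in spec.split(":") if tok and not tok.startswith("!")]


def local_context_offers_export_ciphers() -> bool:
    """True if this Python's OpenSSL default client context still offers an export suite."""
    ctx = ssl.create_default_context()
    return any(classify_cipher(c["name"]) == "export" for c in ctx.get_ciphers())


if __name__ == "__main__":
    report = audit_cipher_list(SAMPLE_SERVER_CIPHERS)
    for category, names in report.items():
        print(f"{category:6s}: {names}")
    print("local OpenSSL offers export suites:", local_context_offers_export_ciphers())
```

Feed `audit_cipher_list` the cipher names reported by a TLS scanner, or `parse_openssl_cipher_string` the `SSLCipherSuite`/`ssl_ciphers` value from a web server configuration; any entry in the `export` bucket means a 512-bit RSA export key can be negotiated and the server needs its cipher list fixed, not just a browser patch on the client side.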
Apple, Google Android and Microsoft announced that updates to fix the FREAK attack should be available for all major browsers soon.
For credit unions, there are good and bad sides to the FREAK story. Carl Mazzanti, founder and CEO of IT consulting firm eMazzanti Technologies, explained, “A lot of the credit unions cannot afford some of the technologies you would need to support mobile banking, so because of that, they might have less or no exposure. Those that are less vulnerable developed their mobile systems within the last five years and don't have a legacy system to support it. Older systems are more susceptible than newer systems. Those running platforms that have some sort of legacy back to the late 1990s are the ones with the largest exposure.”
The $2.4 billion Texas Dow Employees Credit Union of Lake Jackson, Texas, took a proactive approach when it comes to its members’ Internet safety by providing an update to keep members informed of the FREAK exploit.
The alert reads in part, “Internet researchers have discovered a new browser vulnerability you should know about. The exploit is called FREAK.”
The alert goes on to explain that for FREAK to affect members, both the browser and visited website must be vulnerable, and provides assurance that TDECU's servers are not vulnerable.
Paul O’Malley, vice president of e-commerce at TDECU, said the alert grew out of policy resulting from member concern over last year's much-publicized data breaches.
“Our goal here is to alert our members so they can be educated, and know that they need to pay attention to Internet security,” O’Malley explained. “We understand our members are not expected to be experts on these types of things.”
TDECU also maintains a very close relationship with its technology partners.
“Typically what will happen is, they will see something out in the blogosphere or we’ll see something, and we’ll immediately call each other and ask if we’ve heard about it and what we’re doing about it,” O’Malley said.
Maintaining members’ reassurance when it comes to cybersecurity is good business, O’Malley pointed out.
How does a credit union protect itself? “Update servers and devices with a patch for the vulnerability,” Mazzanti said.
That's the short answer; however, Mazzanti also pointed out new threats emerge every day, and organizations must develop a security-first mindset.
Brooks suggested, “Take charge of the process [technical workload] and take a look to see where and what is vulnerable in your environment. Compromise is a terrible ‘strategy’ for discovery.”