Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced on Friday that it discovered unauthorized access to images of checks stored electronically.
According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren’t impacted in the incident, Frost says.
Customers can use lockbox services to send payments to a central post office box. The bank receives the payments and credits them directly to a business’s account.
The information that was accessed as part of the incident could be used to forge checks, the company says.
The company says it stopped the identified unauthorized access immediately after discovering it, and that it also launched an investigation into the matter. Frost says it is working with an unnamed cybersecurity firm to investigate the incident and that the law-enforcement authorities have been informed as well.
“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.
According to the company, the unauthorized access was limited to a software program serving around 470 commercial customers using the electronic lockbox. Those affected customers might experience forgeries on their accounts, or could be notified that images of their checks were compromised.
Related: Hybrid Bank Heists Net Millions in Cash for Criminals
Related: U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016
Facebook shares plunged Monday following revelations that a firm working for Donald Trump’s presidential campaign harvested data on 50 million users, as analysts warned the social media giant’s business model could be at risk.
Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British communications firm hired by Trump’s 2016 campaign.
“This is a major breach that must be investigated. It’s clear these platforms can’t police themselves,” Democratic Senator Amy Klobuchar said on Twitter.
Expressing “serious concern regarding recent reports that data from millions of Americans was misused in order to influence voters,” Klobuchar and Republican Senator John Kennedy called for Facebook chief Mark Zuckerberg and other top executives to appear before Congress, along with the CEOs of Google and Twitter.
In Europe, officials voiced similar outrage.
Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality, called the revelations “horrifying, if confirmed,” and vowed to address her concerns while travelling to the United States this week.
In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer following what appears to be a giant data breach, carried out in an attempt to influence voters’ choices at the ballot box.
“We have repeatedly asked Facebook about how companies acquire and hold on to user data from their site, and in particular whether data had been taken from people without their consent,” Collins said in a statement.
“Their answers have consistently understated this risk, and have also been misleading to the committee.”
On Wall Street, Facebook shares skidded 7.7 percent in midday trade amid concerns about pressure for new regulations that could hurt its business model.
Brian Wieser at Pivotal Research said the revelations highlight “systemic problems at Facebook,” but that they won’t immediately impact Facebook revenues.
Still he said “risks are now enhanced” because of the potential for regulations on how Facebook uses data for advertising and monitoring users.
According to a joint investigation by The New York Times and Britain’s Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through the use of a personality prediction app that was downloaded by 270,000 people, but also scooped up data from friends.
Cambridge Analytica said it was in touch with Facebook while denying any misuse of data.
Facebook on Friday suspended the firm, but pushed back against the claim of a major breach, suggesting misused data was limited to a far smaller group of users.
Jennifer Grygiel, a Syracuse University professor who studies social media, said the disclosures will increase pressure to regulate Facebook and other social media firms.
“Self-regulation is not working,” Grygiel said.
“I’m wondering how bad this needs to get before our regulators step in and hold these companies accountable.”
Grygiel said the breach stems from “thin” regulations that allowed Facebook and its partners to exploit data without oversight.
“They grew because of this,” she said. “This was not a mistake.”
Daniel Kreiss, a professor of media and communications at the University of North Carolina, said Facebook failed to live up to its responsibilities in handling targeted political ads as it expanded.
“The fact that Facebook seems to make no distinction between selling sneakers and selling a presidential platform is a deep problem,” Kreiss said.
Some analysts suggested the breach posed an existential crisis for Facebook because of how it gathers and uses data on its two billion members.
David Carroll, a media professor at the New School’s Parsons School of Design, said Facebook and others will soon be forced to live with new privacy rules such as those set to take effect in the European Union.
“Facebook and Google will have to ask users a lot more permission to track them,” Carroll said. “Most people are going to say no, so I think it’s going to have a huge impact on these companies.”
Carroll has filed a legal action in Britain calling on Cambridge Analytica to disclose what data was gathered and used on him.
“If I can get them to disclose my data or my personality score, it indicates every other American has the right to the same thing,” he said.
Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.
CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.
The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges on the targeted machine — physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse.
CTS Labs, which was virtually unknown until last week, came under fire shortly after its disclosure for giving AMD only 24 hours’ notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.
While initially many doubted CTS Labs’ claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated.
Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”
“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post.
On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”
“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”
Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”
AMD is investigating the claims, but it has yet to make any statement regarding the impact of the flaws.
Less than an hour after CTS Labs released its report, a controversial company named Viceroy Research published what it described as an “obituary” in hopes of leveraging the findings to short AMD stock. Since CTS’s report also included a disclaimer noting that the company had a financial interest, many assumed the two were working together to short AMD.
While CTS has avoided answering questions regarding its financial interests, Viceroy representatives told Vice’s Motherboard that the company obtained the report describing the vulnerabilities from an “anonymous tipster” and claimed to have no connection to the security firm.
Viceroy’s attempt has had an insignificant impact on AMD stock and experts doubt the situation will change. This is not actually surprising considering that Intel was hit the hardest by Meltdown and Spectre — critical vulnerabilities disclosed by reputable researchers — and still the impact on the company’s stock has been only minor and temporary.
Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says
Firefox does a poor job at securing stored passwords even if the user has set up a master password, a software developer claims.
According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major improvements in terms of security. The manager can spill out passwords in less than a minute, he says.
The issue, Palant claims, resides in the manner in which the manager converts a password into an encryption key. The operation is performed by the sftkdb_passwordToKey() function, which applies SHA-1 hashing to a string consisting of a random salt and the actual master password.
In the current implementation, the SHA-1 function is applied with an iteration count of just 1, which falls far short of what is considered a minimum value in practice, namely 10,000. In fact, an iteration count of at least 1,000 was considered “modest” decades ago.
Because of that, recovering encrypted passwords via brute force attacks is not difficult at all, Palant says. In fact, he underlines that graphics processing units (GPUs) are great at calculating SHA-1 hashes. With some of them capable of calculating billions of SHA-1 hashes per second, it would not take more than a minute to crack the passwords encrypted and stored in Firefox.
This NSS bug was first reported about nine years ago, but remains unpatched. And it wouldn’t even be that difficult to address the issue, the developer says.
“NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years,” Palant notes.
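To make the iteration-count argument concrete, here is an added example (not code from Firefox, NSS or Palant) that models the two schemes side by side: a single SHA-1 pass over salt plus password, as the article describes for sftkdb_passwordToKey(), versus PBKDF2-HMAC-SHA256 at the 100,000 iterations Palant suggests. It also models Relyea’s point that an old database keeps its original iteration count until the master password is changed. The salt, password, record layout and function names are constructed assumptions for illustration; the legacy scheme here is a model of the described behaviour, not NSS’s actual code.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs (not taken from the article or from any real profile).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
MASTER_PASSWORD = b"correct horse battery staple"

LEGACY_ITERATIONS = 1          # effective count the article describes for sftkdb_passwordToKey()
HARDENED_ITERATIONS = 100_000  # minimum Palant suggests for PBKDF2


def legacy_key(salt: bytes, password: bytes) -> bytes:
    """Model of the weak scheme: one SHA-1 pass over salt || password (20-byte key)."""
    return hashlib.sha1(salt + password).digest()


def hardened_key(salt: bytes, password: bytes, iterations: int = HARDENED_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a high iteration count, producing a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def verify_key(derive, salt: bytes, password: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived key against a stored one."""
    return hmac.compare_digest(derive(salt, password), expected)


def cost_ratio(salt: bytes, password: bytes, legacy_samples: int = 2000) -> float:
    """Wall-clock cost of one hardened derivation relative to one legacy derivation.

    The ratio is the per-guess slowdown a hardened KDF imposes; on typical
    hardware it is in the tens of thousands, which is the whole point.
    """
    t0 = time.perf_counter()
    for _ in range(legacy_samples):
        legacy_key(salt, password)
    legacy_per_guess = (time.perf_counter() - t0) / legacy_samples

    t0 = time.perf_counter()
    hardened_key(salt, password)
    hardened_per_guess = time.perf_counter() - t0
    return hardened_per_guess / max(legacy_per_guess, 1e-12)


# A hypothetical stored-record layout carrying the scheme and iteration count alongside
# the derived key, so that old records are recognisable and can be migrated.
def legacy_record(salt: bytes, password: bytes) -> dict:
    return {
        "scheme": "sha1-concat",
        "iterations": LEGACY_ITERATIONS,
        "salt": salt,
        "key": legacy_key(salt, password),
    }


def rekey(record: dict, password: bytes) -> dict:
    """Models Relyea's observation: the stronger derivation only takes effect when the
    master password is (re)entered, because only then can the key be re-derived."""
    new_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-hmac-sha256",
        "iterations": HARDENED_ITERATIONS,
        "salt": new_salt,
        "key": hardened_key(new_salt, password),
    }


if __name__ == "__main__":
    old = legacy_record(SALT, MASTER_PASSWORD)
    new = rekey(old, MASTER_PASSWORD)
    print("legacy iterations:", old["iterations"], "-> after rekey:", new["iterations"])
    print("per-guess slowdown of hardened scheme: ~%.0fx" % cost_ratio(SALT, MASTER_PASSWORD))
```

The record layout shows why simply raising the constant in the library is not enough: a database encrypted under the old scheme carries no stronger key until the user re-enters the master password and the record is rewritten.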
Robert Relyea, who has worked for over 20 years on NSS, notes that, while the iteration count could be increased, this would not improve the security of old databases, which would remain readable as before. Only changing the master password (even to the same password) would apply the higher iteration count to those databases.
The issue was thought to have been resolved for PKCS #12, but it was not fixed for the NSS database password (Firefox Master Password) as well. Relyea therefore reopened the bug so it could be properly addressed.
Mozilla is also working on a new password manager component for Firefox. Dubbed Lockbox and available as an extension, it might not solve the issue either, Palant says, pointing out that it relies on Firefox Accounts, which could prevent wide adoption.
Even if this issue still exists in Firefox, setting up a master password for Firefox’s manager is still better than using none. Of course, using a password manager that isn’t impacted by such bugs is even better, although cracking firms would say that the security of such tools is debatable.
Related: Overall Security of Password Managers Debatable, Cracking Firm Says
Related: Firefox 63 to Distrust All Symantec Root Certificates
Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.
It also has one major difference — the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers — and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without that trust, customers will not fly with a particular airline.
Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences — such as the latest in internet-connected in-flight entertainment systems — has added a new cyber risk.
Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft — high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft — medium impact, medium likelihood); and passengers (systems with direct passenger interaction — low impact, high likelihood).
The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland’s F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and — most importantly to F-Secure — reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.
“Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past,” said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. “Because these off-the-shelf technologies weren’t necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it’s an industry where those details make a big difference.”
The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.
The primary problem is not unknown to the security industry — the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection). “A key protection measure is separating systems into different ‘trust domains’,” explains F-Secure’s head of Hardware Security Andrea Barisani, “and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks.”
Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. “It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation,” Barisani told SecurityWeek. “Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification.”
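The trust-domain separation Barisani describes, and his requirement that a diode tolerate no parsing errors or ambiguities, can be shown in a small model. The following is an added example, not F-Secure code and not any real avionics protocol: a one-way gateway that forwards fixed-format frames from a hypothetical “avionics” domain to a “cabin” domain (for example, flight data feeding a passenger map) and drops anything travelling the other way. The framing (magic, length, CRC-32) is an invented, deliberately unambiguous format, and malformed frames are discarded without raising or altering state.

```python
import struct
import zlib
from typing import List, Optional

MAGIC = b"DIOD"          # constructed frame marker, not a real protocol
MAX_PAYLOAD = 256        # fixed upper bound so length fields cannot be abused
HEADER = struct.Struct("!4sH")   # magic, payload length (big-endian)
TRAILER = struct.Struct("!I")    # CRC-32 over header + payload


def encode_frame(payload: bytes) -> bytes:
    """Build a frame; only the sending side ever needs to raise on bad input."""
    if not 0 < len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload length out of range")
    body = HEADER.pack(MAGIC, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def decode_frame(frame: bytes) -> Optional[bytes]:
    """Strict parser: returns the payload or None. Never raises, so a malformed
    frame cannot disturb the gateway's operation (Barisani's requirement)."""
    if not isinstance(frame, (bytes, bytearray)):
        return None
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    if len(frame) > HEADER.size + MAX_PAYLOAD + TRAILER.size:
        return None
    magic, length = HEADER.unpack_from(frame, 0)
    if magic != MAGIC or length == 0:
        return None
    # Exact-length check: no trailing bytes, no truncated payload, no ambiguity.
    if HEADER.size + length + TRAILER.size != len(frame):
        return None
    body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        return None
    return bytes(frame[HEADER.size:HEADER.size + length])


class Diode:
    """Unidirectional gateway between two trust domains."""

    def __init__(self, source: str, sink: str):
        self.source, self.sink = source, sink
        self.delivered: List[bytes] = []
        self.stats = {"accepted": 0, "dropped_direction": 0, "dropped_malformed": 0}

    def transmit(self, src: str, dst: str, frame: bytes) -> bool:
        # Direction is enforced before any parsing happens.
        if (src, dst) != (self.source, self.sink):
            self.stats["dropped_direction"] += 1
            return False
        payload = decode_frame(frame)
        if payload is None:
            self.stats["dropped_malformed"] += 1
            return False
        self.delivered.append(payload)
        self.stats["accepted"] += 1
        return True


def run_demo() -> dict:
    """Constructed traffic: two valid avionics->cabin frames, one reverse attempt,
    one frame with a corrupted CRC. Returns the diode's counters."""
    diode = Diode(source="avionics", sink="cabin")
    good1 = encode_frame(b"ALT=35000;GS=460")
    good2 = encode_frame(b"ALT=35000;GS=462")
    corrupted = bytearray(good2)
    corrupted[-1] ^= 0xFF
    diode.transmit("avionics", "cabin", good1)
    diode.transmit("avionics", "cabin", good2)
    diode.transmit("cabin", "avionics", good1)        # wrong direction: dropped
    diode.transmit("avionics", "cabin", bytes(corrupted))  # bad CRC: dropped
    return diode.stats


if __name__ == "__main__":
    print(run_demo())
```

The two checks are deliberately ordered: direction is decided before a single byte of the frame is inspected, so the parser only ever sees traffic from the permitted domain, and the parser itself accepts exactly one encoding of each message, which is what removes the ambiguities Barisani warns about.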
Learn More at SecurityWeek’s ICS Cyber Security Conference
Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. “In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft,” explained Teso. “Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems.”
F-Secure is keen not to promote its new service with the ‘fear factor’. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation’s brand reputation, and the threat of a cyber hijack taking over an aircraft in flight, is, suggests Teso, more likely in the movies than in reality.
But that doesn’t mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, “F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it’s part of Aviation, our services have it covered.”
Related: Hacking Threatens Airline Safety: Aviation Chiefs
Related: Poland Eyes Cybersecurity in Skies
Related: Proposed Cyber AIR Act Would Force Cybersecurity Standards for Aircraft
Related: The Ever-evolving Cyber Threat to Planes