6.28.2016

Enable this Setting in Windows 10 to Secure your Computer from Macro-based Malware and Ransomware

Do you deal with MS Word files on a daily basis?

If yes, are you aware that even opening a simple .doc file can compromise your system?

The point to keep in mind is that the malware does not act by itself: it is the user who lets the attack proceed by enabling "Macros" in order to view the contents of a document whose subject line is chosen to get clicks, such as a bank invoice.

How Do Macros Cripple Your System?

The concept of macros dates back to the 1990s. You will be familiar with this message: "Warning: This document contains macros."

A macro is a series of commands and actions that automate a task. Microsoft Office programs support macros written in Visual Basic for Applications (VBA); the same VBA code can also be used for malicious activities, such as downloading and installing malware.

Attackers pair this technique with social engineering, mailing a Word document or spreadsheet that carries a malicious macro, under an eye-catching subject line, to addresses inside corporate networks.

Once the user opens the attachment, Office shows it in Protected View with an "Enable Editing" button; the document then displays a lure that asks the user to click "Enable Content" so that the "real" contents appear.

The moment the user enables content, the macro runs. Modern campaigns use it to fetch and execute a payload; classic macro viruses copied themselves into other documents and the Normal template so that every file the user touched became infectious, which is how a single opened attachment ends up crippling a whole office network.

What happens next depends entirely on the payload the macro defines or downloads.

Dridex and Locky are Warning Bells!!!

No incidents give a clearer picture of the threat posed by macro malware than the Dridex banking Trojan and the Locky ransomware. Both relied on malicious macros to take over systems.

Dridex, delivered by a malicious macro in a mailed document, was linked to around £20 million of losses in the UK alone. Locky's infection count likewise grew explosively within hours of its first spam wave.

How to Protect Yourself from Macro-based Malware?

 

Step 1: Configure Trusted Locations

Disabling macros outright is often not feasible, especially in an office environment where macros automate complex tasks.

If your organization relies on macros, keep the documents that need them in a Trusted Location: a folder (local or on a file share) that Office's Trust Center treats as safe, so documents stored there run their macros without prompting. A Trusted Location is an Office Trust Center concept; it has nothing to do with a network DMZ.

To configure trusted locations through Group Policy, navigate to:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Trusted Locations only help if, at the same time, the "VBA Macro Notification Settings" policy is set to disable macros (ideally without notification) for everything else. With that combination, macros in documents outside a trusted location do not run at all, while the folders you trust keep working. Keep trusted folders tightly permissioned: any user who can write to one can get a macro past the control.

Step 2: Block Macros in Office Files that came from the Internet

Microsoft recently added a new security feature to Office 2016 to limit macro-based attacks and keep macro malware from hijacking your system.

The new feature is a Group Policy setting that lets enterprise administrators stop macros from running in Office files that come from the Internet.

The setting is called "Block macros from running in Office files from the Internet" and lives in the Group Policy Management Editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It is configured separately for each Office application (Word, Excel and PowerPoint).

With the option enabled, macros in files that came from the Internet are blocked even if the user's Macro Settings are set to 'Enable all macros'.

Moreover, instead of the 'Enable Content' button, the user sees a notification that macros have been blocked because the document came from an untrusted source.

The only way to run macros in such a file is to save it to a trusted location.

Two caveats before you rely on it. First, Office decides that a file "came from the Internet" by reading the Mark of the Web that Windows attaches to downloads and saved mail attachments (the Zone.Identifier alternate data stream), so the control only works on NTFS volumes and does not cover files that arrive by a path that drops the mark, such as some archive extractors or non-NTFS removable media. Second, for auditing, the policy writes the DWORD value blockcontentexecutionfrominternet under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security (with matching keys for Excel and PowerPoint); a value of 1 means the block is on, so that key is the quickest way to confirm the policy actually reached a workstation.
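The document is the carrier in every campaign described above, and the macro or script it carries can be recognised by its container format before it reaches a user. The following Python script is an added example (not code from the original post): it classifies an attachment by content rather than by extension, so a macro-enabled document renamed to .docx is still caught, a zip with a .js dropper (the Locky delivery style) is blocked, and a legacy OLE2 file is handed on for a deeper VBA-stream scan. All sample attachments are constructed in memory with placeholder bytes; the member limit and the extension list are assumptions.

```python
"""Classify mail attachments that could carry macro or script payloads.

Added example, not from the original post. Inspects the container format
rather than the file extension, so a renamed .docm is still caught. The
sample attachments built below are constructed placeholders, not malware.
"""
import io
import os
import zipfile
from typing import Dict, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) and plain archives
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".exe", ".scr", ".bat", ".cmd", ".ps1"}
MAX_MEMBERS = 10_000   # refuse to enumerate archive bombs (assumed limit)


def classify_attachment(data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'inspect'."""
    if data.startswith(OLE2_MAGIC):
        # VBA lives in OLE streams; this script does not parse them, so hand
        # the file to a dedicated scanner instead of guessing it is clean.
        return "inspect", "legacy OLE2 Office file; VBA streams need a dedicated scan"
    if not data.startswith(ZIP_MAGIC):
        return "allow", "not an Office or zip container"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        return "block", "zip container is corrupt"
    if len(names) > MAX_MEMBERS:
        return "block", "archive has too many members"
    if "[Content_Types].xml" in names:
        # Office Open XML: a VBA project is stored as vbaProject.bin and the
        # package declares a macroEnabled main part in [Content_Types].xml.
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if vba or "macroEnabled" in ctypes:
            return "block", "OOXML document carries a VBA project: " + ", ".join(vba or ["(declared only)"])
        return "allow", "OOXML document without macros"
    # Plain archive: Locky-style campaigns shipped .js droppers inside .zip files
    scripts = [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]
    if scripts:
        return "block", "archive contains executable script: " + ", ".join(scripts)
    return "allow", "archive without script members"


def _zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Minimal [Content_Types].xml parts: the macro-enabled one uses the real
# content type Word assigns to .docm files.
CT_CLEAN = (b'<Types><Override PartName="/word/document.xml" ContentType='
            b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_MACRO = (b'<Types><Override PartName="/word/document.xml" ContentType='
            b'"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')


def build_samples() -> Dict[str, bytes]:
    """Constructed attachments; 'vbaProject.bin' holds a placeholder, not real VBA."""
    body = b"<w:document/>"
    return {
        "invoice.docx": _zip({"[Content_Types].xml": CT_CLEAN, "word/document.xml": body}),
        "invoice.docm": _zip({"[Content_Types].xml": CT_MACRO, "word/document.xml": body,
                              "word/vbaProject.bin": b"placeholder"}),
        # macro project hidden behind a harmless-looking .docx name
        "renamed.docx": _zip({"[Content_Types].xml": CT_CLEAN, "word/document.xml": body,
                              "word/vbaProject.bin": b"placeholder"}),
        "invoice.zip": _zip({"invoice_2016-06.js": b"// dropper placeholder"}),
        "photos.zip": _zip({"img1.jpg": b"\xff\xd8"}),
        "old.doc": OLE2_MAGIC + b"\x00" * 64,
        "note.txt": b"plain text",
    }


def scan_samples() -> Dict[str, str]:
    return {name: classify_attachment(data)[0] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:14} -> {classify_attachment(data)}")
```

Run at a mail gateway this sits in front of the user's "Enable Content" decision rather than behind it; the "inspect" verdict is deliberate, because guessing that an OLE2 file is macro-free without reading its streams is how renamed .doc lures get through.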

6.17.2016

Hackers can easily breach into your smartphone and mobile network

SS7 has controlled wire-line and wireless call setup since the mid 1980s, and only now are we talking about its vulnerabilities. Many people think we should focus only on the evolution to LTE/EPC Diameter-based networks; however, the legacy SS7 networks still serve the vast majority of wireless subscribers. Current indications are that SS7 will be around for quite some time, so any vulnerabilities should be addressed immediately. Before we can address these threats we must first understand them and how they are even possible given the longevity of the network and protocol. This post is limited to threats aimed directly at subscribers. Additional threats, such as denial of service against network elements like Mobile Switching Centers, will be covered in subsequent posts.
 


In this discussion I group these eight threats into four broad categories so that the impact on the subscriber, and ultimately on the network operator, can be easily determined. These categories are:

Obtaining Subscriber Information
Eavesdropping on subscriber (SMS and calls – incoming and outgoing)
Financial theft
Disruption of subscriber service

This post is merely an overview of these eight threats. During the research for this post and the associated eBook "SS7 Vulnerabilities" I quickly found my mind wandering: taking these threats and the knowledge behind them, I was able to extend them and come up with many more.

Note: In my experience with the SS7 protocol and network, I have never seen access to the network, technical protocol and network information, and protocol message generation capabilities as easy and inexpensive to obtain as they are now.
Obtaining Subscriber Information
The information gained in the threats associated with this category open the door to the remaining threats discussed in this post. Additionally, this information can be used by the attacker or sold on the open market as a source of revenue. There are two types of information gained in this category: the International Mobile Subscriber Identity (IMSI) and the location of the subscriber whether at home or roaming.

Vulnerability 1. Obtaining the Subscriber IMSI
The IMSI uniquely identifies a subscriber within the mobile network. Because the IMSI opens the door to further attacks it is not normally transmitted over the "air interface"; a randomized Temporary Mobile Subscriber Identity (TMSI) is used instead. However, an attacker who captures the TMSI over the air and has access to the SS7 network only has to ask, using the SS7 protocol, which IMSI is associated with that TMSI. Enough said about the TMSI and the air interface; we are going to focus on the SS7 protocol and messaging for this discussion. An attacker can use the SS7 Mobile Application Part (MAP) and its normal procedure for delivering a text message to a subscriber (the SendRoutingInfoForSM query to the home HLR, which answers with the IMSI and the serving MSC) to obtain the IMSI. Once the attacker knows the IMSI, its format also reveals the home country where the subscriber resides and their home mobile network operator. All the attacker needs is the telephone number of the target subscriber, access to the SS7 network, and a little knowledge about the target subscriber's home SS7 network, all of which are readily available.

Vulnerability 2. Determining the subscriber's location
There are at least two SS7 methods for determining a subscriber's location within the global mobile network. The first uses a message and procedure known as Any Time Interrogation (ATI), which returns the subscriber's location parameters. However, a large number of network operators have stopped their equipment from responding to these messages. In the second procedure the attacker poses as the subscriber's Home Location Register and sends the normal MAP Provide Subscriber Information (PSI) request to the serving MSC/VLR. The information returned yields the Cell ID, the Mobile Country Code (MCC), the Mobile Network Code (MNC) and the Location Area Code, which together pin down the target subscriber's current location.

Eavesdropping on subscriber calls (incoming and outgoing)
There are three vulnerabilities in this category that would allow an intruder to listen to or record a subscriber's conversation on incoming or outgoing calls, or to intercept and/or modify incoming text messages to a target subscriber. Each of these attacks can be performed without the knowledge of the target subscriber. The initial information required by the intruder is the mobile telephone number of the target subscriber, some knowledge of the target subscriber's home network, and access to an SS7 network. The remainder of the information can be obtained from the network using that starting point. The attacker can also be located anywhere in the world; they do not have to be part of the target subscriber's network.

Vulnerability 3. Intercepting and monitoring an outgoing call
This is a multi-stage attack in which the attacker poses as different mobile network elements to implement a different scenario at each stage. It uses the CAMEL Application Part (CAP), the protocol and logic that let network operators define services over and above the standard GSM and UMTS services (CAMEL stands for Customized Applications for Mobile networks Enhanced Logic). The CAMEL logic and network are based on the SS7 Intelligent Network (IN) used in wire-line networks. In this threat the intruder has the outgoing call routed to their bridging/monitoring/recording system, places a second call leg to the original called party, and then bridges the two legs together, with the intruder sitting in the middle of the call.

Vulnerability 4. Intercepting and monitoring an incoming call
This threat uses the SS7 MAP messaging and procedures behind an everyday subscriber feature, call forwarding, except that it is activated at the SS7 level without the target subscriber's knowledge. Like the outgoing-call attack above, it is multi-staged and uses a bridging/monitoring/recording system to join two calls together. The intruder forwards (at the SS7 MAP message level) the target subscriber's incoming calls to the bridging system, cancels the forwarding again at the same level, and then places a second call leg to the original called party. The bridging system joins the two legs, and neither party involved in the call notices.

Financial theft
Vulnerability 5. Intercepting a subscribers SMS (Text) Messages
The premise for this attack is that the intruder poses as an MSC/VLR and sends a MAP Update Location (UL) request directly to the subscriber's HLR. Once this procedure completes, SMS messages for the target are delivered to the intruder, who is now the fake MSC "serving" the subscriber. This attack can be used to capture the target's one-time passwords and password-reset messages; once the passwords are reset, the intruder has free rein over the target subscriber's accounts.

Vulnerability 6. Manipulating USSD Request
Unstructured Supplementary Service Data (USSD) is currently used for mobile prepaid, online banking and other financially sensitive applications. Fraud linked to USSD can have severe financial impacts on subscribers, network operators, financial institutions and many others. In this multi-staged attack the intruder first poses as a Short Message Service Center (SMSC) to obtain the Global Title (GT) address of the target subscriber's Home Location Register (HLR), the IMSI of the target subscriber and the current serving Mobile Switching Center (MSC). In the next stage the intruder poses as an MSC acting on behalf of the target subscriber and requests the subscriber's current account balance. After receiving the account information, the intruder again poses as the MSC acting for the subscriber and requests a transfer of funds from the target subscriber's account to the intruder's account. Normally an SMS message is sent to the subscriber confirming the transfer; if this attack is coupled with "Vulnerability 5. Intercepting a subscriber's SMS (Text) Messages", that SMS never reaches the target subscriber.

Disruption of subscriber service
The two vulnerabilities described in this section can be used to interrupt service to any subscriber or to activate or change billing, thus enabling fraudulent calls to be made from the mobile station. Either of these scenarios can cause a significant financial impact on the mobile network operator. One for pure fraud and the other for subscriber churn due to a perceived lack of service.

Vulnerability 7. Disruption of subscriber availability
In this attack the intruder poses as an MSC/VLR and sends a MAP Update Location (UL) request directly to the subscriber's HLR. Once the Update Location procedure completes, the subscriber cannot receive incoming messages or calls until they move to another MSC/VLR, reboot the phone or place an outgoing call. These procedures are part of normal mobility management when a subscriber moves into an area served by a different MSC; the intruder simply spoofs the network into believing that they are the new MSC.

Vulnerability 8. Manipulating a subscribers profile in the Visitor Location Register (VLR)
Any time an intruder has the subscriber identity (MSISDN, IMSI), the address of the serving MSC/VLR and the format of the subscriber profile, they can alter billing and routing, allowing:

Disruption of the subscriber service
The use of the subscriber’s mobile station to make fraudulent calls.
In this attack, the intruder poses as an HLR and sends a fraudulent subscriber profile to the serving MSC/VLR invoking intruder desired services. These services can include:

Bypassing billing services
Turning on or off call forwarding
Barring calls to the target subscriber
And many, many more

Conclusion
As the examples in this post show, vulnerabilities and fraud within the SS7 protocol and network are a very serious issue. Some might say, "Let's change the protocol and network"; for the reasons discussed, that cannot happen. The practical remedy for these protocol and network issues is to place a signalling firewall into the network. This firewall should carry the policies needed to address the currently defined threats and be easy to modify as future threats are found. To accomplish that, the SS7 signalling firewall must have real-time monitoring capabilities that help detect both the known threats and new ones.
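What such a signalling firewall actually does is evaluate each inbound MAP message against a small set of rules. The Python below is an added example (not from the post or the eBook) of that policy engine: messages that are never legitimate over the interconnect (the ATI and PSI lookups of Vulnerability 2) are dropped outright; HLR-originated messages such as Insert Subscriber Data (Vulnerability 8) are accepted only from the home network encoded in the target IMSI; and Update Location (Vulnerabilities 5 and 7) is accepted from a foreign VLR only if the subscriber could plausibly have travelled there since the last location we accepted. The opcode lists, the operator's own PLMN identifier, the country-code tables, the two-hour travel threshold and the message trace are all constructed for the example and are not any operator's real configuration.

```python
"""Signalling-firewall policy for inbound MAP messages at the interconnect.

Added example, not from the original post. The rule groups follow the idea
behind interconnect filtering (never-legitimate, home-network-only, and
plausibility-checked operations); the opcode lists, PLMN id, prefix tables
and trace below are constructed for this example only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOME_MCC, HOME_MNC = "234", "15"          # our own PLMN (constructed; 2-digit MNC assumed)
MIN_TRAVEL_SECONDS = 2 * 3600             # fastest plausible country change (assumed)

# E.164 country code -> ISO country, applied to the sender's global title (subset)
CC_TO_COUNTRY = {"1": "US", "27": "ZA", "44": "GB", "49": "DE", "81": "JP"}
# IMSI MCC -> ISO country of the subscriber's home network (subset)
MCC_TO_COUNTRY = {"234": "GB", "235": "GB", "262": "DE", "655": "ZA", "440": "JP", "310": "US"}

# Rule groups keyed by MAP operation name (the operations discussed in the post)
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation", "provideSubscriberInfo",
                           "sendIMSI", "anyTimeModification"}
ONLY_FROM_IMSI_HOME = {"insertSubscriberData", "cancelLocation",
                       "deleteSubscriberData", "provideRoamingNumber"}
NEEDS_PLAUSIBILITY = {"updateLocation", "updateGprsLocation", "sendAuthenticationInfo"}


@dataclass
class MapMessage:
    opcode: str
    calling_gt: str      # sender's global title, E.164 digits without '+'
    imsi: str            # target subscriber
    ts: int              # arrival time in seconds


def country_of_gt(gt: str) -> Optional[str]:
    for n in (3, 2, 1):                      # longest-prefix match on the country code
        if gt[:n] in CC_TO_COUNTRY:
            return CC_TO_COUNTRY[gt[:n]]
    return None


def is_own_subscriber(imsi: str) -> bool:
    return imsi.startswith(HOME_MCC + HOME_MNC)


@dataclass
class SignallingFirewall:
    # imsi -> (country, ts) of the last location update we accepted
    last_seen: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def decide(self, msg: MapMessage) -> Tuple[str, str]:
        src = country_of_gt(msg.calling_gt)
        if src is None:
            return "block", "sender GT has no known country code"
        if msg.opcode in NEVER_FROM_INTERCONNECT:
            # Vuln 2: ATI / PSI location lookups have no business arriving from outside
            return "block", f"{msg.opcode} is never legitimate over the interconnect"
        if msg.opcode in ONLY_FROM_IMSI_HOME:
            # Vuln 8: a real HLR only sends ISD for its own subscribers, so the
            # sender's network must be the home network encoded in the IMSI
            if MCC_TO_COUNTRY.get(msg.imsi[:3]) != src:
                return "block", f"{msg.opcode} for IMSI {msg.imsi} from {src}, not its home network"
            return "allow", f"{msg.opcode} from the IMSI's home network"
        if msg.opcode in NEEDS_PLAUSIBILITY:
            # Vulns 5 and 7: a foreign VLR may legitimately register our roamer,
            # but not minutes after we last saw the handset in another country
            if not is_own_subscriber(msg.imsi):
                return "block", "location update for a subscriber we do not serve"
            prev = self.last_seen.get(msg.imsi)
            if prev and prev[0] != src and msg.ts - prev[1] < MIN_TRAVEL_SECONDS:
                return "block", f"{msg.imsi} seen in {prev[0]} {msg.ts - prev[1]}s ago, now claimed in {src}"
            self.last_seen[msg.imsi] = (src, msg.ts)
            return "allow", f"{msg.opcode} from {src} passes the plausibility check"
        # Vuln 1: SendRoutingInfoForSM cannot be filtered this way without breaking
        # SMS delivery; the remedy there is SMS Home Routing, not a drop rule.
        return "allow", "no rule matched; logged for review"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed trace: our subscriber 234150000000001 was last seen at home at t=0."""
    fw = SignallingFirewall()
    fw.last_seen["234150000000001"] = ("GB", 0)
    trace = [
        MapMessage("anyTimeInterrogation", "27115550100", "234150000000001", 100),
        MapMessage("insertSubscriberData", "27115550100", "234150000000001", 200),
        MapMessage("insertSubscriberData", "49301234567", "262020000000001", 300),
        MapMessage("updateLocation", "49301234567", "234150000000001", 600),
        MapMessage("updateLocation", "49301234567", "234150000000001", 4 * 3600),
        MapMessage("sendRoutingInfoForSM", "81312345678", "234150000000001", 4 * 3600 + 1),
    ]
    return [(m.opcode, fw.decide(m)[0]) for m in trace]


if __name__ == "__main__":
    for opcode, action in run_demo():
        print(f"{opcode:22} {action}")
```

The velocity rule is the one that needs tuning in production: the threshold has to come from the operator's own roaming data, and the state it keeps (last accepted country per IMSI) is exactly the "real-time monitoring" the conclusion calls for, because without it Update Location from a fake MSC is indistinguishable from a genuine roamer.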

6.16.2016

BadTunnel: a vulnerability all Windows users need to patch

A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10.
 


The vulnerability could give attackers a way to set up man-in-the-middle attacks against victims by getting them to click on a link, open a Microsoft Office document or plug in a USB drive.

In an interview with Dark Reading, Yang Yu, who earned a whopping $50,000 bug bounty for the discovery he’s nicknamed BadTunnel, described the impact in grandiose terms:

"This vulnerability has a massive security impact – probably the widest impact in the history of Windows."

Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077. Users of unsupported Windows versions such as Windows XP should disable NetBIOS over TCP/IP.

The nuts and bolts of how the vulnerability works haven’t been revealed but it has been described as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices.

In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.

According to Yu, it relies on a chain of elements including “a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.”

Microsoft’s bulletin appears to break the final link in the chain by fixing a vulnerability in WPAD (Web Proxy Autodiscovery Protocol) that was first reported in 2007.

WPAD is a way for computers to discover web browser configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route traffic through a man-in-the-middle attack.

Until BadTunnel, the attacker had to gain access to a victim’s network (or rely on opportunistic domain name collisions) which made it a difficult trick to pull off.
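The full chain has not been published, but the one part a defender can observe is described above: a NetBIOS Name Service answer for the name WPAD arriving at a Windows host, possibly from an address outside the local network. The Python below is an added example (not from Yu's research or the article) of a sensor check for exactly that on UDP/137 traffic. It builds a constructed positive name query response in the RFC 1002 layout, decodes the first-level encoded NetBIOS name, and rates a datagram by whether it names WPAD and whether its source is off-link. The sample names, addresses and severity levels are assumptions for the example.

```python
"""Spot NetBIOS Name Service (UDP/137) responses that advertise WPAD.

Added example, not from the original article or the researcher's work.
Packet layout follows RFC 1002; the sample packets, addresses and severity
levels are constructed for this example.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

NB_TYPE = 0x0020          # RR_TYPE "NB"
IN_CLASS = 0x0001
RESPONSE_FLAG = 0x8000    # R bit in the header flags


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return b"\x20" + bytes(enc) + b"\x00"     # label length 32, encoded label, no scope


def decode_nb_name(buf: bytes, off: int) -> Tuple[str, int, int]:
    """Return (name, suffix, offset just past the terminating zero)."""
    if buf[off] != 0x20:
        raise ValueError("unexpected NetBIOS label length")
    enc = buf[off + 1:off + 33]
    raw = bytes((((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)) & 0xFF for i in range(0, 32, 2))
    if buf[off + 33] != 0:
        raise ValueError("scoped names are not handled in this example")
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], off + 34


def build_nbns_query(name: str, trn_id: int = 0x1234) -> bytes:
    """Constructed broadcast name query (flags: RD + B)."""
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def build_nbns_response(name: str, ip: str, trn_id: int = 0x1234) -> bytes:
    """Constructed positive name query response with one address entry."""
    header = struct.pack(">HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)   # R + AA, one answer
    rr = encode_nb_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(ip).packed  # NB_FLAGS + address
    return header + rr + rdata


def parse_nbns_response(payload: bytes) -> List[Dict[str, object]]:
    """One dict per (name, address) pair in the answer section; [] for queries."""
    trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", payload, 0)
    if not flags & RESPONSE_FLAG:
        return []
    answers, off = [], 12
    for _ in range(ancount):
        name, suffix, off = decode_nb_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype != NB_TYPE:
            continue
        for i in range(0, rdlen, 6):            # NB_FLAGS(2) + NB_ADDRESS(4) per entry
            ip = ipaddress.IPv4Address(rdata[i + 2:i + 6])
            answers.append({"id": trn_id, "name": name, "suffix": suffix, "ip": str(ip)})
    return answers


def assess_nbns(src_ip: str, payload: bytes, local_net: str) -> Tuple[str, List[str]]:
    """Severity for one UDP/137 datagram seen by a sensor inside local_net."""
    answers = parse_nbns_response(payload)
    if not answers:
        return "ok", []
    reasons = []
    off_link = ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_net)
    if off_link:
        reasons.append(f"NBNS response from off-link host {src_ip}; UDP/137 should not cross the perimeter")
    wpad = [a for a in answers if a["name"] == "WPAD"]
    for a in wpad:
        reasons.append(f"answer claims WPAD is at {a['ip']} (proxy autodiscovery hijack)")
    if off_link and wpad:
        return "critical", reasons
    if wpad:
        return "high", reasons
    if off_link:
        return "medium", reasons
    return "ok", reasons
```

The "medium" verdict for any off-link response is deliberate: NBNS is a link-local protocol, so a response crossing the perimeter at all means the UDP/137 block the article recommends is missing, whether or not the name is WPAD.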

Yu plans to reveal the full gory details of BadTunnel in a presentation at the upcoming BlackHat conference:

This presentation will introduce a new threat model. Based on this threat model, we found a flaw in the Windows system. It affects all Windows released in the last two decades, including Windows 10. It also has a very wide range of attacks surface. The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office, many third-party software, USB flash drives, and even Web server. When this flaw is triggered, YOU ARE BEING WATCHED.

5.23.2016

Cash stolen from 15K ATMs in Japan in coordinated attack

As many as 100 people are believed to have taken part in a heist of nearly $13 million (USD) from cash machines in Japan, according to The Guardian.


Between 5 a.m. and 8 a.m. on the morning of May 15, thousands of withdrawals were made at 15,000 convenience stores using phony credit cards – with purloined account data from a bank in South Africa. Each culprit in the coordinated action withdrew 100,000 yen – the maximum that the cash machines allow – in Tokyo and other regions.

Because the cards used were issued in a foreign country, and the withdrawals took place on a day when the banks were closed, the perpetrators had enough time to flee the country, authorities believe. None have been apprehended.

The Japanese police have contacted South African authorities, through Interpol, to determine how the miscreants might have acquired the credit card information.

"ATM fraud remains a leading cause of losses for banks, and this will likely increase in the U.S. as the shift to EMV cards at retail drives fraud to other channels, such as the ATM," John Gunn, vice president of communications at VASCO Data Security, said in a statement emailed to SCMagazine.com. "We are already seeing large banks moving to integrate ATM security measures into their mobile banking app. It is easy for fraudsters to buy stolen cards to make unauthorized withdrawals, but it's nearly impossible to commit theft if they must also have the intended victim's mobile phone physically at the ATM machine at the same time."

Gunn predicted that banks will in the future leverage customers' mobile phones to reduce fraud across all channels.
 

4.03.2016

Ransomware and Recent Variants

Systems Affected

Networked Systems

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate ransomware.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic in their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.
In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.
Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

Revisions


  • March 31, 2016: Initial Publication

1.29.2016

Java browser plugin to be sent to death row in September

Oracle has announced that the days of the Java browser plugin are numbered, with its deprecation set for the upcoming Java Development Kit 9 release and its removal slated for a future release.


The reasoning behind the move has been laid at the feet of browser makers choosing to move away from plugins.

"With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology," the company said in a blog post on Wednesday.

Browser makers have been looking to retire the use of the Netscape Plugin API over recent years, with users needing to click to use NPAPI plugins in Firefox, and Chrome having removed support for NPAPI altogether.

"The rise of web usage on mobile device browsers, typically without support for plugins, increasingly led browser makers to want to restrict and remove standards-based plugin support from their products, as they tried to unify the set of features available across desktop and mobile versions," Oracle said in a whitepaper [PDF] on the change. "The Oracle JRE can only support applets on browsers for as long as browser vendors provide the requisite cross-browser standards-based plugin API (eg NPAPI) support.

"Without a cross-browser API, Oracle would only be able to offer a subset of the required functionality, different from one browser to the next, impacting both application developers and users."

During its life, the Java plugin has been a common vector to install malware or otherwise attack users.

Sources:

http://www.zdnet.com/article/java-browser-plugin-to-be-sent-to-death-row-in-september/

https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free 

 

9.08.2015

TLS Implementations Vulnerable to RSA Key Leaks

A number of TLS software implementations contain a weakness that lets an attacker recover the server's RSA private key at minimal computational expense.
 
 
Florian Weimer, a researcher with Red Hat, last week published a paper called “Factoring RSA Keys With TLS Perfect Forward Secrecy” that demonstrated vulnerabilities in a number of devices, including a popular Citrix load balancer and others from Hillstone Networks, Nortel, Viprinet and others.

The TLS implementations in these products, Weimer said, lack the hardening that defends against what is known as the Lenstra attack on RSA signing that uses the Chinese Remainder Theorem optimization (RSA-CRT).

“If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures,” Weimer wrote of the Lenstra attacks. “This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”

The Lenstra attack is a fault attack rather than a flaw in the mathematics: Weimer said the RSA algorithm itself is safe against it, and the weakness lies strictly in implementations that do not check a freshly computed signature before sending it.

“We saw several RSA-CRT key leaks, where we should not have observed any at all,” he wrote, adding that implementations in OpenSSL and NSS were hardened, for example, and that Oracle patched OpenJDK in CVE-2015-0478 after working with Weimer. All browser PKI certs where leaks were observed, have been replaced and revoked, he added.
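The mechanism is short enough to show in full. The Python below is an added example (not code from Weimer's paper or from any of the products named): it signs with RSA-CRT, simulates a fault by flipping one bit of the mod-p half-signature, and recovers a prime factor of the modulus from the single faulty signature with one gcd, which is all the "offline attack" needs. It then shows the hardening that the patched implementations have, a verify-before-emit check that turns the key leak into a refused signature. The key uses two small, well-known Mersenne primes so the demo runs instantly; the message is a hash standing in for the signed ServerKeyExchange parameters, and both are constructed for the example.

```python
"""Lenstra's RSA-CRT fault attack and the self-check that defeats it.

Added example, not code from the paper or from any named product. Two
well-known Mersenne primes keep the demo instant; the fault is simulated by
corrupting one CRT half-signature, which is what a hardware glitch or a
buggy big-number routine does in practice.
"""
from hashlib import sha256
from math import gcd
from typing import Dict, Optional

P = (1 << 89) - 1       # prime (M89); toy size, real keys use 1024-bit primes
Q = (1 << 107) - 1      # prime (M107)
E = 65537


def make_key(p: int = P, q: int = Q, e: int = E) -> Dict[str, int]:
    """Private key with the precomputed CRT exponents a real implementation stores."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def encode_message(data: bytes, n: int) -> int:
    """Stand-in for the padded hash that a TLS ServerKeyExchange signature covers."""
    return int.from_bytes(sha256(data).digest(), "big") % n


def sign_crt(key: Dict[str, int], m: int, fault: bool = False) -> int:
    """RSA-CRT signing with Garner recombination; fault=True glitches the mod-p half."""
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    if fault:
        s1 ^= 1                                  # a single flipped bit is enough
    h = (key["qinv"] * (s1 - s2)) % key["p"]
    return (s2 + h * key["q"]) % key["n"]


def sign_crt_hardened(key: Dict[str, int], m: int, fault: bool = False) -> int:
    """The fix: verify with the public key before emitting, so a faulty signature never leaves."""
    s = sign_crt(key, m, fault)
    if pow(s, key["e"], key["n"]) != m:
        raise RuntimeError("RSA-CRT self-check failed; refusing to emit the signature")
    return s


def verify(n: int, e: int, m: int, s: int) -> bool:
    """What a client, or an IDS watching handshakes, checks."""
    return pow(s, e, n) == m


def recover_factor(n: int, e: int, m: int, s: int) -> Optional[int]:
    """Lenstra's attack: s is right mod q but wrong mod p, so s^e - m is 0 mod q only,
    and gcd(s^e - m, n) yields q. Returns None for a correct signature."""
    f = gcd((pow(s, e, n) - m) % n, n)
    return f if 1 < f < n else None


if __name__ == "__main__":
    key = make_key()
    m = encode_message(b"ServerKeyExchange params (constructed)", key["n"])
    bad = sign_crt(key, m, fault=True)
    print("faulty signature verifies:", verify(key["n"], key["e"], m, bad))
    q = recover_factor(key["n"], key["e"], m, bad)
    print("recovered factor equals q:", q == key["q"], "; p = n // q:", key["n"] // q == key["p"])
    try:
        sign_crt_hardened(key, m, fault=True)
    except RuntimeError as err:
        print("hardened signer:", err)
```

Note what the attacker does not need: no chosen message, no timing, no access to the server. A passive capture of one handshake whose signature fails verification is the whole attack, which is also why an IDS that verifies every ServerKeyExchange signature sees the same thing the attacker does.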

This offline attack is relatively inexpensive compared with other cryptographic attacks, he wrote, and a recovered private key undermines everything the TLS encryption is supposed to protect. Capturing the leaky signature needs nothing more than visibility of the handshake; to then impersonate the server with the recovered key, the attacker still has to get into the client's path, for example through a man-in-the-middle position on the network.

“Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic,” Weimer wrote. “The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack.”

Attacks are hard to spot because the factoring happens offline. An intrusion detection system can, Weimer said, catch the leak itself if it is configured to verify the RSA signature in every TLS handshake it sees; a leaking signature is simply one that fails verification under the server's public key.

“For the key leaks we have observed, we do not think there is a way for remote attackers to produce key leaks at will, in the sense that an attacker could manipulate the server over the network in such a way that the probability of a key leak in a particular TLS handshake increases,” Weimer said. “The only thing the attacker can do is to capture as many handshakes as possible, perhaps by initiating many such handshakes themselves.”

Forward secrecy is being deployed in many critical systems. With forward secrecy a fresh session key is negotiated for every connection, so an attacker who has captured many sessions and later obtains the server's long-term key cannot decrypt them all; only the session whose handshake leaked is affected. Disabling forward secrecy, he said, is not the answer.

“Disabling forward secrecy would enable passive observers of past key leaks to decrypt future TLS sessions, from passively captured network traffic, without having to redirect client connections,” Weimer wrote. “This means that disabling forward secrecy generally makes things worse. (Disabling forward secrecy and replacing the server certificate with a new one would work, though.)”
 
Vulnerability details and research paper: