Attention Banks: Customer Confidence is in Your Hands!

Not long ago, the FFIEC released a statement aiming to give financial institutions a heads-up about the ever more popular use of Distributed Denial of Service attacks against them. The fact that, for the first time, a financial governing body is addressing cyber security in such a manner is an indication of the growing risks and concerns over the rising number and frequency of cyberattacks.

One particularly popular and devastating type of attack, Distributed Denial of Service or DDoS, was extensively explained in the NCCIC's DDoS Quick Guide and is the reason behind the release of the FFIEC statement. With the financial sector increasingly dependent on technology, even a moderate DDoS attack can lead to dire consequences. In the banking sector, it all comes down to preserving customer confidence in the institution and the sense of safety customers expect when they entrust somebody with their money. Service outages during a DDoS attack, caused by a lack of preparedness, can lead to an immense decline in confidence in a particular bank. What follows is a downward spiral of revenue losses, declining liquidity and low capital adequacy.

Intentionally harming an institution's reputation, resulting in material losses, is not the only damage a DDoS attack can do. Often the aim is to directly access and steal assets. How? A DDoS attack does not steal anything, you might say. It is accomplished by deploying the DDoS as a "smoke screen", hiding the ensuing intrusion attempts into an institution's network. By flooding a server or the channel to it, the attacker severs not only public but also administrator access. Once the attacker has obtained an authentic customer's credentials, they can easily transfer money out of the bank. All of this is done while the whole IT department is busy fighting the DDoS attack and discovers the assailant's true purpose only when it is too late to counteract effectively.

Vistnet is a battle-tested veteran in DDoS mitigation and is therefore experienced, knowledgeable and skilled in fending off attackers and protecting an institution's infrastructure, even under the most severe and complex attack vectors. Unlike other vendors, when things get strained we do not null route a customer in order to protect others on the network. Readily available burst capacity is at your disposal at all times with the sole purpose of doing just the opposite: no null routing occurs; we simply take the load off when you are bombarded with tremendous amounts of traffic. Our customers do not have to upgrade their plan with us because of the size of an attack. Nice, isn't it? You can rest assured that all of your services will remain available to your customers, no matter the type or size of the DDoS attack.

As people start to appreciate the real dangers DDoS poses to businesses, and even more so to financial institutions, as customers they may want you to show them a good reason to place their confidence in you. Do not take matters lightly. Professional teams with real expertise and technology are what is needed to provide protection and mitigate attacks. We provide you with the critically needed protection so you can live through even the most severe DDoS attacks without even realizing one has occurred.

Stay Tuned For More Trouble With SSL

After the notorious Heartbleed vulnerability was found, researchers and programmers worldwide turned their attention to the source code of the OpenSSL encryption library. The numerous close examinations conducted by specialists in the field revealed that OpenSSL is far from perfect and that more unexpected weak points are likely to be discovered in the future. The first one to come after Heartbleed is the new SSL/TLS vulnerability.

In essence, this is a typical man-in-the-middle attack, where the attacker is able to intercept and decrypt information exchanged between the client and the server. The attacker can also modify the traffic or inject their own. The vulnerability is exploited by using a carefully crafted handshake, which can force the use of weak keying material, thus enabling the attack. The vulnerability affects servers running OpenSSL 1.0.1 and 1.0.2-beta1. Users of earlier versions of the OpenSSL library are not vulnerable to this type of man-in-the-middle attack as servers, but are advised to upgrade as a precaution. What raises concern is that clients are vulnerable in all versions of OpenSSL, although the attack can only be performed between a vulnerable client and a vulnerable server. The attacker must be in a man-in-the-middle position, but this is easily achieved on an untrusted network.

We at Vistnet would like to inform our clients that the version of OpenSSL we have been using on our servers has been 0.9.8y, which is not vulnerable to this exploit as a server. As our service interacts with our customers both as a server and as a client, we have upgraded to 1.0.1h, which is vulnerable neither as a server nor as a client. Communication between our servers and clients has been secure and no customer information was ever exposed. However, communication between us and those of our clients whose backends have been running any of the vulnerable versions of OpenSSL has been exposed and susceptible to attacks. We strongly advise all of our clients to upgrade their OpenSSL libraries to the newest corresponding version.

The imperfections of the OpenSSL source code have led us to the conclusion that many more vulnerabilities may be found in the future. As we always like to be on the safe side, we have designed our infrastructure so that patches and upgrades can be applied as soon as possible. OpenSSL was updated across all of our points of presence within minutes of the SSL/TLS vulnerability being publicly announced. We strive to provide our customers with the best service, which is why we spare no expense in maintaining a safe, up-to-date infrastructure.

Heartbleed Bug Exploits SSL

Recently a serious bug has been discovered in the OpenSSL cryptographic software library. The bug poses a great threat to internet security as a whole because it allows an attacker to read chunks of memory on a server, thus gaining access to valuable information. The bug is called Heartbleed and has left large amounts of user data and private keys exposed on servers using the vulnerable OpenSSL versions.

Let us shed some light on what the OpenSSL library is and how it is used. OpenSSL is a software library, available for Windows and Linux operating systems among others, that is used to encrypt data in different web services such as email, HTTP, FTP, etc. For that purpose an SSL certificate and an RSA public and private key pair are issued. The public key is given to the client when a session is established and is used to encrypt data. The private key is kept on the server and its purpose is to decrypt the transferred data. If someone were to take hold of the RSA private key, it would allow them to decrypt communication between the client and the server. A malicious actor eavesdropping on that communication who holds the private key can decrypt all the exchanged data, which may include user names and passwords, credit card information and other private information. Not only that, but they will also be able to decrypt traffic encrypted with the same key that they captured before obtaining it.

Heartbleed allows an attacker to do just that. It exploits a vulnerability in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520). When abused it leads to the leak of chunks of memory containing data transferred between the client and the server. The pieces of memory are up to 64k in size, which is not much, but there is no limit to the number of times the memory can be read. The bug is abused by sending a malformed heartbeat request to the server, which answers without verifying the request. Exploiting the Heartbleed bug can lead to exposure of user information once enough 64k pieces of memory have been read. One of the worst case scenarios is the retrieval of the RSA private key itself, which in turn can lead to the aforementioned decryption of all communication between the client and the server. The versions of the cryptographic library that are vulnerable to the Heartbleed bug are OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta. OpenSSL 1.0.1g has been released to fix the bug.
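As an added example (not Vistnet's or OpenSSL's code), here is the bounds check a heartbeat handler needs so that a request cannot claim more payload than it carries, with a constructed request that announces 65535 payload bytes while actually carrying three.

```c
/* Added example, not Vistnet's or OpenSSL's code. RFC 6520 HeartbeatMessage:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Heartbleed trusted payload_length; the check below compares it to the
 * record actually received and discards requests that do not fit. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HDR 3      /* type + payload_length */
#define HB_PAD 16     /* minimum padding required by RFC 6520 */

/* 1 = well-formed heartbeat_request, verified payload length in *plen;
 * 0 = malformed, caller must silently discard (the patched OpenSSL behaviour). */
int heartbeat_request_ok(const uint8_t *rec, size_t rec_len, size_t *plen)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != 1)   /* 1 = heartbeat_request */
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len)        /* the missing bounds check */
        return 0;
    *plen = claimed;
    return 1;
}

/* Writes a heartbeat_response echoing only the verified payload.
 * Returns the response length, 0 if the request was rejected or out is too small. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    size_t plen;
    if (!heartbeat_request_ok(rec, rec_len, &plen) || HB_HDR + plen + HB_PAD > cap)
        return 0;
    out[0] = 2;                                     /* heartbeat_response */
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HDR, rec + HB_HDR, plen);       /* only bytes that exist in rec */
    memset(out + HB_HDR + plen, 0, HB_PAD);         /* padding (random in practice) */
    return HB_HDR + plen + HB_PAD;
}

/* Constructed sample request carrying a 3-byte payload but claiming `claimed`
 * payload bytes; returns the response length the handler would send (0 = dropped). */
size_t demo(uint16_t claimed)
{
    uint8_t req[HB_HDR + 3 + HB_PAD] = {1, (uint8_t)(claimed >> 8), (uint8_t)claimed, 'a', 'b', 'c'};
    uint8_t out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out);
}
```

`demo(0xFFFF)` is the Heartbleed-style request and yields 0 (dropped), while the honest `demo(3)` yields a 22-byte response.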

We would like to inform you that there is absolutely no reason for concern, as we at Vistnet use a version of the OpenSSL library which is in no way vulnerable to or affected by the Heartbleed bug. All user information, SSL certificates and private keys are safely kept on Vistnet's servers and are secured from all data breaches, whatever they may be.

The Heartbleed bug has been around for a while and it leaves no traces when exploited. This is why it is unknown how much data has been accessed on vulnerable servers. All service providers using a version of the OpenSSL library susceptible to the exploit are strongly advised to reissue the SSL certificates and key pairs used for their secure communication and to advise all of their users to change their passwords. An even better practice would be to force a password change for all users at next login, where this is possible. There is no need whatsoever for Vistnet's users to change their passwords because, as we mentioned, Vistnet uses a version of the OpenSSL library that is not vulnerable to the Heartbleed bug.