Home Tags Bank of America

Tag: Bank of America

Two members of ATM skimming ring plead guilty to bank fraud

A total of 13 charged in PNC and Bank of America card-cloning scheme.

VXers gift their mates an Android bank-raiding app’s source code

It needs admin privileges, but we know there's a pool of stupid out there waiting to be p0wned Source code for an Android banking app has been published online, spurring fears it could prompt a wave of malicious apps. The code has is being injected into otherwise legitimate apps and shared as APK installation files or on third party app stores, notorious as harbours for malicious apps. Users will need to grant the app, "Android.BankBot.149.origin", extensive permissions including administrator access in order for it to be able to steal data. If users, many of whom allow software to do almost anything, allow the software to run it can can siphon banking credentials from the likes of Bank of America, PayPal, and Google Play.

Credentials from the likes of Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat,Instagram and Twitter will also be sucked up and sent to unknown parties . Antivirus firm Dr Web says says the app is standard fare in terms of malicious Android apps but is unusual in that the code has been offered up for free, something that will likely result in the creation of more malicious apps. "When an SMS message arrives, the trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original messages from the list of incoming SMS," Dr Web researchers wrote. "As a result, a user could miss not only bank notifications about the unplanned transactions but also other incoming messages. "In general, the [capabilities] of this trojan are quite standard for modern Android bankers, however, as cybercriminals created it with publicly available information, one can anticipate that many trojans similar to it will appear." Harvested device data is shipped to attackers' command and control servers and appears on adminstrator panels from where the application can be controlled. The app can also steal all phone contacts, track user location, and create phishing dialogues. ® Sponsored: Want to know more about Privileged Access Management? Visit The Register's hub

Better authentication: Go get 'em, FIDO

Only a handful of industry associations accomplish what they set out to do.
In the security realm, I’ve always been a huge fan of the Trusted Computing Group.
It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner. The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security.

Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings.
Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it.

Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices. All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks.

Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method.

The last method may involve a password, which can be noncomplex, because the additional factor ensures the overall strength.

FIDO authentication must be supported by your device or browser, along with the authenticating site or service. With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, or so on) is used as the second factor after the password or PIN has been provided. The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations.

Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client.

The client’s private key never leaves the client device and can be used only when the user physically interacts with the device. FIDO authentication goes much further than traditional TLS.
It links “registered” devices to their users and those devices to the eventual websites or services.

Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services.

A nice graphical overview of the FIDO authentication process can be found here. Google Security Keys Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper.

Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services. Several vendors make the physical, tamperproof Security Keys.

The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor.

Each dongle has a unique device ID, which is registered to the user on each participating website.

The public cryptography is Elliptical Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing. Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers.

Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that.

The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each.

That’s not bad for greater peace of mind. FIDO updates FIDO recently announced the 1.1 version of its specification.
It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC).

FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce.
Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well. The 2.0 version of the FIDO specification is already in the works.

FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone. Reducing the use of stolen credentials takes a big bite out of online crime.
I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible.

After years of previous attempts at similar initiatives, this one looks posed for broad success.

US commission whistles to FIDO: Help end ID-based hacks by 2021

No breaches should result from compromised identities, say gov bods A White House commission on improving cybersecurity has come up with a list of recommendations for US president-elect Donald Trump’s administration – including a target for no big hacks to involve identity-based compromises. The US Commission on Enhancing National Cybersecurity has identified 16 key recommendations on security and growing the digital economy. The report (pdf, 100 pages) lays out an ambitious goal that by 2021 there should be no major breaches in which identity – especially the use of passwords – is the primary vector of attack. This goal will require the development and broad adoption of improved identity authentication technologies. The commission name-checked the Fast IDentity Online (FIDO) Alliance as an organisation that can help in achieving this goal: “Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance,” it said. In a blog post, the FIDO Alliance outlined how the US government achieve its goal to move beyond passwords. Brett McDowell, executive director of the FIDO Alliance, said: “Through continued partnership between industry and government – and by following the Commission’s recommendations around identity and authentication – I am confident the new US administration, with the help of global consortia like the FIDO Alliance, can make meaningful progress toward that five-year goal of eliminating identity-related data breaches.” “The commission has recognized that solving the password problem and closing off identity as an easily exploited vector of attack is a clear priority,” he added. The FIDO Alliance has more than 250 members including device manufacturers, banks, payment card networks, several governments and dozens of security and biometrics vendors.
Its main goal is to push simpler, stronger authentication. FIDO’s work includes drafting specifications for simpler, stronger authentication experiences that reduce reliance on passwords and protect people from phishing and the misuse of login credentials exposed as the result of data breaches. Microsoft, Google, PayPal and the Bank of America are all part of the alliance. Last month the UK government unveiled a national cybersecurity strategy that similarly charted a course towards moving beyonds passwords for online authentication, as previously reported. “A common theme in both countries has been the need to balance security with usability, privacy and interoperability,” FIDO’s McDowell concluded. George Avetisov, chief exec and co-founder of biometric technology firm HYPR, agreed that authentication needs to be at the top of the list of the new President's actions to improve overall cybersecurity. The rapid adoption of technologies like "selfie pay" have shown that there is an urgent need to shift away from passwords and over to “easy to use” identity solutions, he added. PKWARE CTO Joe Sturonas noted the absence of much description about encryption in the lengthy report. “It’s notable that the word encryption appears only twice across the 100 pages of the commission on enhancing national cybersecurity," Sturonas said. "For a paper that talks specifically about the NIST cybersecurity Framework and IoT (there are 52 mentions of IoT), it seems as though encryption should have come up a little more. "For an Administration that presided over the OPM breach, it might stand to reason that encryption of sensitive data might have taken a more prominent role in the recommendations for the next Administration.

Considering how a lack of encryption of data itself has been a major point of vulnerability in every recent breach that has occurred, it is concerning that the commission on enhancing national cybersecurity has not emphasized encryption in their recommendations,” he added. Open-source standards and specifications developed by the Fast Identity Online (FIDO) Alliance will allow for the best and most secure available experience online experience, according to HYPR. ® Sponsored: Flash enters the mainstream.
Visit The Register's storage hub

Zeus Variant Floki Bot Targets PoS Data

Researchers have observed an uptick in attacks using the banking malware Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms. Floki Bot, which uses code from the once notorious Zeus banking Trojan, has evolved and unlike its predecessor, is targeting point-of-sale systems via aggressive spear phishing campaigns and the RIG exploit kit. Cisco Talos and Flashpoint security researchers coordinated the release of reports on Floki Bot on Wednesday.

Both firms warn the malware is quickly gaining popularity within Dark Web criminal forums. “Floki Bot is currently being actively bought and sold on several darknet markets,” wrote Cisco Talos in its report released Wednesday. “It will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts.” This most recent version of Floki Bot, spotted in September, is based on the Zeus 2.0.8.9 source code released in 2011.

There have been several incarnations of Floki Bot since then, however this most recent version is being developed, marketed and sold by a shrewd hacker that goes by the same name as the malware. “This actor is remarkable for a number of reasons, in particular their presence in a number of top-tier underground communities across a range of languages (Portuguese, English and Russian),” wrote Vitali Kremez, senior intelligence analyst at Flashpoint in a report also released Wednesday. Kremez believes Flokibot’s native language is Portuguese and that the hacker is based in Brazil. Typical infections stem from spear phishing attacks where victims are enticed to enable malicious macros in Microsoft Word documents sent as email attachments. Once enabled, the macro retrieves the Floki Bot malware, according to Kremez. “Once the malware is executed, it attempts to inject malicious code into ‘explorer.exe’ – the Microsoft Windows file manager,” according to Talos’ technical analysis of the inject sequence of the Floki Bot malware code. “If it is unable to open ‘explorer.exe’, it will then inject into ‘svchost.exe’.” The injection is a PE file (bot32). “The sample we analyzed is hardcoded to only pass the address of the ‘bot32’ resource to the injected payload,” Cisco Talos wrote. “At every stage, the malware uses hashing to obfuscate module and function names used in dynamic library resolution.” According to Flashpoint researchers Floki Bot differs significantly from the Zeus that was distributed in mass spam campaigns. Zeus also did not include PoS scraping functionality and was absent of any antivirus obfuscation techniques discovered in Floki Bot in November. “While the malware originates from the well-known Zeus 2.0.8.9 source code, Floki Bot adds a hooking method to grab track data from memory thereby extending the malware operations beyond regular banking Trojan functionality, making it more potent and versatile,” Kremez wrote. Other distinctions between Floki Bot and Zeus include Floki Bot availability on the Dark Web selling for $1,000.

The Zeus variant called GameOver, on the other hand, was only distributed to a close circle of criminal gangs and sold for $15,000 in its prime, Kremez said. “Floki Bot is currently being used by 10 cyber-criminal gangs,” Kremez said. “GameOver Zeus, in its heyday, was used by only five exclusive gangs.” In 2007, Zeus malware earned notoriety for compromising nearly 75,000 websites owned by the likes of ABC, Bank of America and Oracle.
In 2013, the Zeus code was used to construct Citadel malware, known for its cunning ability to steal personal, banking and financial information.

Denmark-based Heimdal Security reported in April that Zeus code had been re-purposed to create the variant Atmos malware, which went on to target banks in France.

Atmos can either scrape data from its target computer or simply hide out and collect user credentials. Another interesting distinction between ZeuS and Floki Bot is the presence of Tor network support in the source code.

Talos says the Tor support code is non-functional and “appears to be under development and could not be activated in the samples.” Both Cisco and Flashpoint warn that those behind Floki Bot have worked hard to lower the technical bar needed for cyber criminals to use the tool. “The time required to attain a high level of skill and sophistication has been continuously reduced.  As criminals share information to defeat protections, we should be sharing it as well with our community to defeat threats,” Flashpoint wrote.

New Financial System Analysis & Resilience Center Formed

Associated with Financial Services ISAC (FS-ISAC), the new FSARC works more closely with government partners for deeper threat analysis and systemic defense of financial sector. In tandem with its long-standing intelligence-sharing organization, the American financial services industry has formed an organization working on its strategic, systemic cyber-defense and resilience.

The formation of this new Financial Systems Analysis and Resilience Center (FSARC) was announced by the Financial Services Information Sharing and Analysis Center (FS-ISAC), today.   FSARC is the brainchild of eight large banks that are members of FS-ISAC - Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street, and Wells Fargo.

Through FSARC, large banks will have "closer collaboration" with government partners in the FBI, Department of Homeland Security, and US Department of Treasury.  While FS-ISAC continues to be focused on distributing timely information about active threats, FSARC will take a longer view -- performing deeper analysis to create long-term strategies to address systemic risks across financial products and practices. As Andrew Hoerner, FS-ISAC vice president of communications explains, "FS-ISAC is focused on real-time threat intelligence sharing for incident response and prevention.

FSARC is focused on proactive analysis at a meta level to identify and analyze threats and risks across the sector and come up with solutions to prevent emerging threats and risks." FSARC will use the same "circle of trust" membership model used by FS-ISAC. Bank of America’s Siobhan MacDermott and JPMorgan’s Greg Rattray will serve as interim Co-Presidents "until the center reaches full operational capability."  The formation of FSARC comes on the heels of (but not in response to) US bank regulators' releasing draft rules for cybersecurity that would require financial services organizations to (among other things) recover from any cyberattack within two hours, and finance leaders at a G7 meeting pushing a global financial cybersecurity framework.   Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.
View Full Bio More Insights

A Job In Security Leads To Job Security

Developers who focus on secure development skills find themselves in high demand. Developers who choose to augment their knowledge with secure development skills will find themselves in the most in-demand career field as the growth in cyberattacks forces organizations and governments to strengthen their cyber war chests with more advanced tools, increased budgets, and larger teams. A quick glance at the astronomical budgets that governments and Fortune 100 companies are allocating toward cybersecurity provides a glimpse into the extreme challenges organizations face because of the increase in cyberattack sophistication and volume.  J.P. Morgan has increased its 2016 cybersecurity budget to $500 million, up from $250 million in 2015, and its general counsel for intellectual property and data protection says that the company "still feels challenged" by cyberattacks.

Bank of America CEO Brian Moynihan has said that when it comes to cybersecurity, there are no budget constraints.

At the federal level, President Obama has increased cybersecurity spending to $19 billion in 2017, up from $14 billion in 2016. But even with massive budgets being earmarked to protect against cyberattacks, it's difficult for organizations to fill all their open cybersecurity positions.
In 2015, more than 200,000 cybersecurity job positions went unfilled, a shortfall that is on track to increase to 1.5 million by 2019, according to Symantec CEO Michael Brown. For developers passionate about securing code and willing to invest the time needed to add security to their IT skills, when it comes to career advancement, there are many opportunities.  How Can Developers Choose "Secure Development"?At the top of the pyramid when it comes to cybersecurity certifications is the Certified Information Systems Security Professional (CISSP); however, it requires years of prior experience in information security.  For developers looking to boost their secure development knowledge by attaining a security certification, an ideal place to start your research is "10 Security Certifications To Boost Your Career" in order to find the certification that matches your goals and current qualifications.  When it comes to pinpointing which pathway best suits your cybersecurity career goals, there are numerous routes to take.  Developers who have a passion for policy enforcement, incident response, auditing, or user awareness and are interested in providing a security perspective on third-party products can head in the direction of enterprise IT security. Compliance-minded developers with experience developing applications with PCI-DSS, MISRA, FIPS, and other policy certifications can find roles available as security or compliance consultants, or as internal or external auditors.  Other routes include jobs in wireless security, network security, cryptography, risk management, identity architects, and many others.

According to the U.S.

Department of Labor, the most sought-after job titles in cybersecurity include security engineer, security analyst, information security analyst, network security engineer, and information technology security analyst.  5 Top Security Careers, Job Descriptions & SalariesHigher salaries are the most obvious benefit for developers who decide to enhance their cybersecurity knowledge and move into secure development roles. Roles in cybersecurity can pay up to 9% more on average than IT jobs outside of the security realm. Note: Salary statistics taken from PayScale, job description information from Cyber Degrees. Security EngineerSecurity engineers build and maintain IT security solutions within organizations.

They perform vulnerability testing, risk analyses, and security assessments while creating innovative ways to solve existing production security issues. Requirements: Degree in computer scienceMedian Salary: $88,777  Security AnalystSecurity analysts are in charge of the detection and prevention of cyberthreats against an organization through an ongoing analysis of the company's IT infrastructure.

Tasks include the planning and implementation of security measures and controls, data maintenance and the monitoring of security assets, in-house security awareness training, and more. Requirements: Between one and five years of cybersecurity experience is needed.Median Salary: $66,787 Penetration TesterPenetration testers are legal hackers who help organizations find security threats in applications, networks, and systems.

They're also known as pentesters.

They test applications by simulating cyberattacks that have been found in the wild. Requirements: Unlike other cybersecurity, many openings for pentesters don't require a degree; however, your abilities will be under constant scrutiny, so some formal education is recommended. Median Salary: $77,774 Security ConsultantSecurity consultants design and implement innovative security solutions.
Since security consultants are relied upon by numerous different departments to guide and implement long-term cybersecurity strategy, extensive industry experience is required.

For developers who are new to security, starting as a pentester or security analyst is recommended, although after proving themselves in other security roles for between three to five years, and understanding the industry inside out, aspiring security analysts could find themselves relevant for this role. Requirements: A degree in computer science and between three and five years of experience in cybersecurity are needed. Median Salary: $80,763 Incident ResponderIncident responders, also known as CSIRT engineers, or intrusion analysts, investigate and limit the damage from cyberattacks that have occurred while working closely with the security team to prevent further attacks from taking place.
Incident responders monitor their organization's networks and systems for threats while performing audits, risk analysis, and malware assessments. Requirements: Like pentesters, incident responders don't necessarily have to have a specific degree, although a cybersecurity certification or specialization is helpful.Median Salary: Around $60,000 Don't WaitWhile security analysts and security engineers must have a degree and extensive experience, there are options for developers who want to turn their security passions into a profession in roles such as incident responders and pentesters, with less-intensive requirements.
If you're a developer, don't wait — start working on enhancing your career in cybersecurity now. Related Content: Paul is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. With a background in mobile applications, Paul brings a passion for creativity to investigating the trends, news and security issues ...
View Full Bio More Insights

Why It's Always Cyber Hunting Season (& What To Do About...

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis. Today’s cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property that can only be found through one proven method: proactively hunting for them.

Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts – but this is not enough to stop the most capable attackers who cause significant damage and data loss. There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America.
It’s time for companies to hunt for the threat, rather than react to cybersecurity events. While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside.
If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months. Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute.

The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership. In fact, we need to change our thinking from measuring security based on quantitative measurements of alerts or rules and signatures to a qualitative approach comprised of three key metrics: Time to Identification or time it takes to identify a compromise; Time of exposure, which measures how long vulnerabilities have been left in the open to attack; Dwell time, the most important of all three. These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking. To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission.

These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software.

Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused.

Finally, hunters work with IT and security teams to contain the threat. The Hunt for Cyber Hunting TalentMonitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors, such as nation states. Only human analysts with the assistance of sophisticated tools can recognize, respond and contain today’s adversaries.

For example, during a recent assessment of a Fortune 500 hedge fund, our hunters found code lurking inside the system that had been there for 10 months in only twelve minutes.
Similarly, a healthcare provider found malware embedded in its systems for 14 months that had been exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.   When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need.

This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity.

According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional. The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training about how to detect threats and how to respond.

For threat hunting to be effective it requires both employee training and education, as well as machine learning capabilities to identify anomalies or unusual behavior rather than simple detection of a known threat like malware. One of the main points that many organizations are missing from their cyber defense strategies is effective lateral movement detection and mitigation of bad actors already within their network. Proactive threat hunting fills this need. The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses.

This process starts with university partnerships and a willingness to identify candidates in unconventional places.

Cyber hunting requires great talent, but aptitude and attitude, combined with effective training can trump industry veterans who often must unlearn poor or outdated practices.   Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and stealthy attackers that a lot of times look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent. Related Content:   David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company.

Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ...
View Full Bio More Insights

New attack steals SSNs, e-mail addresses, and more from HTTPS pages

Enlarge / A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites.Vanhoef, Van Goethem reader comments 26 Share this story The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection. The exploit is notable because it doesn't require a man-in-the-middle position.
Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage.

The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit.

As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks. Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it.

Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas. "HEIST makes a number of attacks much easier to execute," Tom Van Goethem, one of the researchers who devised the technique, told Ars. "Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk." Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response.

BREACH achieves this feat by including intelligent guesses—say, @gmail.com, in the case of an e-mail address—in an HTTPS request that gets echoed in the response.

Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger. HTTP compression is based on the Deflate algorithm, which shortens data streams by storing only the first instance of a repeating string such as “value=” inside an HTML document and using space-saving pointers each time it's repeated.
In general, the more repetitions of identical strings found in a data stream, the more potential there is for compression to reduce the overall size. To determine the size of an HTTPS-protected response, the attacker uses an oracle technique that returns what amounts to a yes-or-no response to each guess. When a request containing "value=" results in the same data size, the attacker knows that string is inside the encrypted response and then tries to modify the guess to include the next character, say "value=0".
If that guess results in a larger file size, the attacker knows it's wrong and will try "value=1", "value-=2", and so on until the new guess similarly results in a response that shows no increase in file size.

The attacker then tries to guess the next character and repeats the process until the entire token has been recovered. Coming to a Web drive-by near you? Until now, this BREACH-style exploit required the attacker to be able to actively manipulate the traffic passing between the Web server and end user.

A HEIST-enabled BREACH exploit removes that limitation.
It does this by using TCP characteristics as a quasi cryptographic side channel to measure the size of an HTTPS response.

TCP divides large transmissions into smaller fixed-sized chunks called frames and further groups frames inside what are called TCP windows, which are sent one at a time.

TCP sends a new window only after receiving confirmation that frames from the previous window were received by the end user. HEIST is able to count the number of frames and windows sent by interacting with a set of newly approved APIs, one called Resource Timing and another called Fetch.
In the process, they allow a piece of JavaScript to determine the exact size of an HTTPS response.

The malicious HEIST code then works in tandem with BREACH to ferret pieces of plaintext out of the encrypted response by adding thousands of guesses to requests and analyzing the size of each resulting response. Van Goethem and fellow researcher Mathy Vanhoef have already disclosed their findings to researchers at both Google and Microsoft.

That means Wednesday's demonstration isn't likely to catch them by surprise.
Still, when asked how practical the attack is against Gmail, Bank of America, and other real-world sites, Van Goethem gave the following answer: If I would take my time, and write exploits for a number of websites, then visiting a malicious site (it even doesn't have to be a malicious one, there could also happen to be a malicious JavaScript file on there; there are numerous of possibilities for that to happen), could cause a lot of havoc. Probably the most damage could be dealt out by exploiting BREACH, as it allows the attacker to read out CSRF tokens.

Depending on the functionality offered by the website, it could be that by knowing the CSRF token the attacker could simply take over the complete account of the victim. I haven't inspected the requests and responses of every website in detail, but as a user one should expect the worst.

An attacker only has to find a single endpoint that contains a secret token and reflects part of the request in the response to extract this token.

As I mentioned, knowing this token is typically enough to compromise the user's account. Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim.

At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don't work unless third-party cookies are allowed. Wednesday's demo will show how a malicious ad displayed on The New York Times website is able to painstakingly measure the size of an encrypted response sent by a fictitious third-party site they dubbed targetwebsite.com (see the image below).
It will go on to show how that information can be used to infer the characters contained in a security token designed to prevent cross-site request forgery attacks (see the image at the top of this post).Enlarge It's too early to know if HEIST combined with BREACH will be exploited against real people visiting real HTTPS-protected websites.
Van Goethem said that as sites improve their defenses against cross-site scripting (XSS), SQL injection, and cross-site request forgery attacks, there's a good chance HEIST will become a more attractive exploit. While there's no indication that BREACH has ever been exploited in the wild, the new convenience offered by HEIST may change that. "Regardless of the typical security measures taken by websites, most of them will remain vulnerable to BREACH (the attack has been around for three years, and nothing has been done to mitigate it—most likely because it's far from trivial to do so)," he wrote in an e-mail. "Combined with the fact that the only requirement for HEIST is that a victim simply has to visit a (malicious) website, we consider it likely that attacks such as BREACH over HEIST will become the easiest way to compromise accounts." Listing image by Acid the Meme Machine.