Threats and Threats and Top story vulnerabilities vulnerabilities

PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Malware Windows spreads malware

Threats and vulnerabilities Internet users urged to change passwords after

Threats and vulnerabilities ’s reveals vulnerability in Internet Explorer and Edge

Top story Crypto specialists break SHA-1 security standard Threats and Threats and Top story Malware vulnerabilities vulnerabilities

Windows botnet spreads Mirai malware

Security researchers from Kaspersky Lab are currently investigating the first Windows-based spreader for the Mirai malware, something that can have huge implications for companies that invested heavily in IoT.

The spreader was apparently built by someone with "more advanced skills" than those that had created the original Mirai malware. This, Kaspersky Lab says, has "worrying implications for the future use and targets of Mirai-based attacks."

It is richer and more robust than the original Mirai codebase, even though many of its components are "several years old." Its spreading capabilities are limited, as it can only deliver from an infected Windows host to a vulnerable -powered IoT device. Even that -- if it can brute-force a remote telnet.

It was also said that the author is likely Chinese- speaking, more experienced, but probably new to Mirai.

"The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers. The release of the for the banking Trojan in 2011 brought years of problems for the online community -- and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet. More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning," says Kurt Baumgartner, principal security researcher, Kaspersky Lab.

Source: https://betanews.com/2017/02/23/windows -botnet-spreads-mirai-malware Threat and Threats and Malware Top story vulnerabilities vulnerabilities

Internet users urged to change passwords after Cloudbleed

Multiple high-profile apps including Uber and FitBit The researchers said the impact of the vulnerability have been leaking customer data for months due to is potentially wide-reaching due to the massive the Cloudbleed vulnerability discovered by Google customer base of . researchers last week. “I didn't realise how much of the internet was sitting The bug in the source code of internet services behind a Cloudflare CDN until this incident,” the company Cloudflare caused sensitive data to be researcher said. cached by search engines, potentially allowing to pose as legitimate customers. The The Google team said that Cloudflare has responded compromised data includes private messages and to the issue promptly but advises users to change authentication cookies. their passwords and switch to two-factor authentication where possible. “We've discovered (and purged) cached pages that contain private messages from well-known services, “With the haemorrhaging from Cloudbleed first PII from major sites that use Cloudflare, and even reported on Friday, new data from Skyhigh plaintext API requests from a popular password Networks indicates the wounds to IT are manager that were sent over http,” said a cyber- widespread,” commented Kaushik Narayan, CTO of security researcher from Google’s Project Zero team. cloud access security broker Skyhigh Networks. “The examples we're finding are so bad, I cancelled “After analysing more than 30 million enterprise some weekend plans to go into the office on Sunday users across the globe, Skyhigh found 99.7 per cent to help build some tools to clean-up.” of companies have at least one employee that used a Cloudbleed vulnerable cloud application.” Threat and Threats and Malware Top story vulnerabilities vulnerabilities

Internet users urged to change passwords after Cloudbleed

Even though few enterprise-ready cloud services were themselves affected – fewer than four per cent – there’s a very long list of potential consumer- focused services that may have been vulnerable to credential loss, Skyhigh Networks said.

Cloudbleed got its name after the vulnerability in the Open SSL cryptographic software library, discovered in 2014. The researchers said Cloudbleed could be potentially as serious as Heartbleed, which affected millions of websites, enabling hackers to gain access to sensitive user data.

According to Gizmodo, Cloudbleed is a result of a coding error affecting a single character in Cloudflare’s code.

Source: https://eandt.theiet.org/content/articles/20 17/02/internet-users-advised-to-change- passwords-after-cloudbleed-vulnerability- discovered/

Our perspective Cloudflare Inc. handles traffic for many popular services, including Uber and Fitbit. It also helps customers to protect and defend themselves from denial-of-service attacks and configure SSL encryption for their websites. It is quite possible for an attacker to have access to private web data along with encryption keys, if the password is compromised. After studying the vulnerabilities and the impact of the exploit, all readers are strongly advised to change their password quickly to avoid any security risks. Threats and Threats and Malware Top story vulnerabilities vulnerabilities

Google’s Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge

Google's Project Zero has exposed another security Source: flaw in Microsoft software — this time in Internet http://www.windowscentral.com/googles- Explorer and Microsoft Edge. As reported by The project-zero-reveals-vulnerability-internet- Register, the flaw was first disclosed to Microsoft on explorer-and-edge November 25, but has now gone public after exceeding Project Zero's 90-day disclosure deadline without a patch. Our perspective The bug in question could allow a website to crash The newly disclosed zero-day vulnerability, the browser and execute code with just 17 lines of which creates a type confusion flaw, affects HTML. If you're into the nitty-gritty technical Microsoft Edge and Internet Explorer on fully details of the issue, you can dive into the full patched systems and can potentially allow explanation of the flaw at Project Zero's post. remote attackers to execute arbitrary code on the underlying system. We understand that This isn't the first time Google has publicly outed a researchers have confirmed the flaw in Microsoft software without a patch being unavailability of exploits. However, it is quite issued. Most recently, the two software giants butted possible for attackers to use PoC details to heads in late 2016 after Google disclosed a bug in develop working exploits which may Windows just days after alerting Microsoft. suddenly surface in the wild. Organisations Similarly, January of 2015 saw Google publish a that have developed custom software with Windows 8.1 vulnerability just days before a patch inherent vulnerabilities may be more was set to go live. susceptible to this exploit as a door may exist for attackers to deploy this exploit. Given that It's not clear when or how quickly Microsoft might a fix has not been provided in the latest issue a fix for this particular flaw. The company patches, all Windows administrators are curiously delayed its usual monthly round of fixes advised to assess the criticality of the risk and for February, noting that they'll arrive with March's apply patches for this vulnerability as soon as Patch Tuesday on March 14. However, the company they become available. did issue a fix for a critical Adobe Flash bug just days later, so there's a chance we could see a security fix outside of the usual monthly schedule. Threats and Threats and Malware vulnerabilities vulnerabilities Top story

Crypto specialists break SHA-1 security standard

Researchers at the Dutch research institute CWI and Google have broken the SHA-1 internet security standard, which is widely used for digital signatures and file integrity verification, including secure credit card transactions.

According to CWI cryptanalyst Marc Stevens: “Many applications still use SHA-1, although it was officially deprecated by NIST in 2011 after exposed weaknesses since 2005. Our result proves the deprecation by a large part of the industry has been too slow and that migration to safer standards should happen as soon as possible.”

The team says it broke SHA-1 using a collision attack. Google’s Elie Bursztein added: “Finding the collision in practice took a lot of effort, both in building the cryptanalytic attack and in its large scale execution. It required more than 9.2 x 1018 SHA1 computations that took 6500 years of CPU computation and 100 years of GPU computations. We used the same infrastructure that powers many Google AI projects, including Alpha Go and Google Photo, as well as Google Cloud.”

Stevens said that, to defend against SHA-1 collision attacks, systems must migrate to SHA-2 or SHA-3. In the case of HTTPS, this process began in 2015 and, this year, browsers will mark SHA-1 based certificates as insecure. Source: http://www.newelectronics.co.uk/electroni cs-news/sha-1-security-standard- broken/151987/ About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan [email protected]

Amol Bhat [email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub- license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/March2017-8840