Tag: SSL

Get Ready for PCI-DSS version 3.2

PCI Council released in the December 2015 bulletin, extending the deadline for Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration. Recently, the PCI Council announced it would publish a new version of the PCI Data Security Standard (PCI DSS) in early 2016 to include the revised migration dates and address changes in the threat and payment acceptance landscape.

PCI Council’s Chief Technology Officer Troy Leach talks on what to expect with the release of PCI DSS 3.2 and how organizations can start planning for it now.

Excerpt taken from the PCI Perspective Blog:

When will PCI DSS version 3.2 be released?

Troy Leach:
  The Council will publish the revision in the first half of 2016 – we are aiming for the March/April timeframe. We will keep stakeholders informed as we move closer to that date.

Based on what you’re saying, there is no expectation of a PCI DSS release in November 2016?

Troy Leach:
That’s correct. We are not planning any additional releases of PCI DSS during 2016. The version 3.2 release in the first half of 2016 replaces the expected fourth quarter 2016 release.

What changes are expected?

Troy Leach:
When making changes to the standard, in addition to market feedback, we look closely at the threat landscape, and specifically what we are seeing in breach forensics reports as the trending attacks causing compromises. With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.

How long will organizations have to move over to PCI DSS 3.2?

Troy Leach:
As usual, there will be a transition period, and we will keep everyone informed as we approach publication. Version 3.2 will become effective as soon as it’s published, and version 3.1 will be retired three months later to allow organizations to complete PCI DSS v3.1 assessments already under way. Keep in mind, though, that new requirements always have a sunrise date prior to them being effective. This allows organizations to plan accordingly prior to validating to new PCI DSS requirements. The new requirements will be considered best practices for a sunrise period to be determined based on the release date.

As a reminder, the SSL/early TLS updates in PCI DSS v3.2 are those made public in December. Organizations can and should already be addressing this issue, starting with reviewing the Bulletin on Migrating from SSL and Early TLS  now for more information on where to begin with migration and taking advantage of the guidance and resources outlined.

FREAK Vulnerability on Windows

freak

As we do our penetration testing, we have to continue to get updated on some of the latest issues affecting systems out there. SSL seems to get the mother of all shares of vulnerability, with Heartbleed and then POODLE, and now, FREAK.

FREAK is found in detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204, which is basically a MiTM attack exploiting weak 512-bit keys. It affects OpenSSL, and upgrading to v1.0.2 fixes the flaw.

Basically, if you have weak cipher suites supported or SSL/TLS RSA-Export less than 512-bits, then get rid of it.

Resolution: We have always advocated to remove weak ciphers. Nobody really understood why, but now there is a vulnerability to include in our report.

If you need some assistance in vulnerability assessment, penetration testing or security audit to cover FREAK and other vulnerabilities, drop us an email at avantedge@pkfmalaysia.com and we’ll get a team to you.

A writeup on the recent FREAK vulnerability.

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered “Freak” security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.

News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc’s iOS and Mac operating systems, along with Google Inc’s Android browser vulnerable to cyber attacks.

Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the “Freak” vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.

If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said on Tuesday.

The Washington Post on Tuesday reported that whitehouse.gov and fbi.gov were among the sites vulnerable to these attacks, but that the government had secured them. (wapo.st/18KaxIA)

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to use hours of computer time to crack the encryption before launching an attack.

“I don’t think this is a terribly big issue, but only because you have to have many ducks in a row,” said Ivan Ristic, director of engineering for cybersecurity firm Qualys Inc.

That includes finding a vulnerable web server, breaking the key, finding a vulnerable PC or mobile device, then gaining access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.

Apple said it had developed a software update to address the vulnerability, which would be pushed out to customers next week.

Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.

“Freak” stands for Factoring RSA-EXPORT Keys.

– Source from Reuters

© 2024 PKF AvantEdge

Up ↑