Weekly Security Wrap-up

A lot has happened in the security industry in the past week or so. A devastating new vulnerability known as DROWN has been disclosed. As seems typical of recent attacks, it revolves around legacy support, namely SSLv2, which was deprecated years ago and should never have been supported in the first place. We’ve seen similar ‘legacy fallback’ attack vectors before: MD5 signature collisions being used to generate false certificates, a worm written for Cisco routers that used the IPsec security setting of ‘NULL’ (no kidding; a protocol designed for a secure tunnel has an option to disable all crypto), and the list just goes on and on.

Nevertheless, people still haven’t learned their lesson about legacy technology and its dangers. Mozilla took the brave step this week of setting out a solid timeframe to phase out SHA-1 certificates, which are no longer regarded as robust or secure now that collisions have been found. Enterprise users will nonetheless take their time to upgrade their systems and, ultimately, customer data will leak as a result of their ineptitude (e.g. Target’s mobile app exposing personal information via JSON with no authentication).

Poor design is everywhere. It’s partially the result of bad engineering, but more importantly it is a result of languages which allow programmers to be lax – a perfect example would be PHP.

In other interesting news, there is a new twist on cryptolocker that targets websites: it defaces them, encrypts their files and replaces the index.html/.php/.shtml file with one containing a notice advising the site owner to deposit a specified amount of bitcoin to retrieve the AES key needed to decrypt the data. We’ve seen cryptolocker target personal computers and the data stored on them, but this targeting of websites is novel.

The Apple v FBI struggle continues, and it appears likely that Apple will prevail. Apple has every reason not to comply with the FBI’s directives, as it would fundamentally erode trust in its software if users knew there was a government backdoor, even one that simply eliminated the lockout period between incorrect passcode attempts. Perhaps if the FBI had handled the evidence correctly the whole situation could have been avoided: they now admit that a technician reset the phone’s Apple ID, triggering this whole sorry sequence of events.

I’ve taken a hiatus from bringing you up-to-date security news for quite some time, but I now have the time and inclination to update this blog more regularly, so please feel free to visit often and engage in conversation. I do not moderate, except where the content is spam or just blatant abuse.

I’m also now routinely signing my posts using GnuPG. To verify a post, view the page source, cut and paste the portion between the <!-- beginsig --> and <!-- endsig --> comments, including the PGP header lines, and run it through gpg. My key (ID 0xD07C3352) is available from the MIT key servers or from this site (see top menu).

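The verification routine described above, scripted as an added example that is not the blog’s own code: it cuts the block between the two marker comments out of a saved page source (assumed to use exactly those markers, with any HTML entities decoded), refuses to proceed unless both armor boundaries are present, and only then calls gpg --verify. The sample page is constructed and its signature body is a placeholder, so only the extraction step can succeed offline; real verification needs the key named in the post in your keyring.

```shell
# Added example, not the post's own code: pull the clearsigned block between the
# <!-- beginsig --> and <!-- endsig --> comments out of a saved page source and
# hand it to gpg. The sample page below is constructed, not a real signed post.
# Lines between the markers (markers excluded), HTML entities decoded, &amp; last.
extract_sig_block() {
  awk '/<!-- beginsig -->/ { inside = 1; next }
       /<!-- endsig -->/   { inside = 0 }
       inside              { print }' "$1" |
  sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' -e 's/&amp;/\&/g'
}

# Both armor boundaries must be present, so a truncated cut is not fed to gpg.
block_is_complete() {
  grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' "$1" &&
  grep -q '^-----END PGP SIGNATURE-----$' "$1"
}

# Extract, sanity-check, verify. gpg exits non-zero on a bad signature or an
# unknown signer; the key the post names (0xD07C3352) must be in the keyring.
verify_page() {
  blk=$(mktemp) || return 1
  extract_sig_block "$1" > "$blk"
  if ! block_is_complete "$blk"; then
    echo "no complete clearsigned block between the markers" >&2
    rm -f "$blk"; return 2
  fi
  gpg --verify "$blk"; status=$?
  rm -f "$blk"; return $status
}

# Constructed sample page source; the signature body is a placeholder.
write_sample_page() {
  cat > "$1" <<'EOF'
<p>Weekly Security Wrap-up</p>
<!-- beginsig -->
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Constructed body text, not a real signed post.
-----BEGIN PGP SIGNATURE-----

CONSTRUCTEDBASE64PLACEHOLDER==
=XXXX
-----END PGP SIGNATURE-----
<!-- endsig -->
EOF
}
# Stand-alone: verify the page given as argument, else show the extraction.
if [ $# -gt 0 ]; then verify_page "$1"; else
  p=$(mktemp); write_sample_page "$p"; extract_sig_block "$p"; rm -f "$p"; fi
```

Save the page with your browser’s "view source" to a file and run the script with that file as its only argument; a non-zero exit means either no complete block was found or gpg rejected the signature.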
