Weekly Security Wrap-up

A lot has happened in the security industry in the past week or so. A devastating new vulnerability known as DROWN. As seems to be typical of recent style, this revolves around legacy support, namely SSLv2 which was deprecated years ago and should never have even be supported. We’ve seen similar ‘legacy fallback’ type attack vectors before, like MD5 signature collisions being used to generate false certificates, a worm written for Cisco routers that used the IPSEC security setting of ‘NULL’ (no kidding; a protocol designed for a secure tunnel has an option to disable all crypto) and the list just goes on and on.

Nevertheless people still haven’t learned their lesson about legacy technology and its dangers. Mozilla made the brave step this week to set out a solid timeframe to phase out SHA1 certificates, which are no longer regarded as robust or secure in the wake of the fact that collisons have been found. Nevertheless enterprise users will take their time to upgrade their systems and, ultimately, customer data will leak as a result of their ineptitude (e.g. Target’s mobile app exposing personal information via JSON with no authentication).

Poor design is everywhere. It’s partially the result of bad engineering, but more importantly it is a result of languages which allow programmers to be lax – a perfect example would be PHP.

In other interesting news a new twist on cryptolocker that actually targets websites, defacing them and encrypting their files and replacing the index.html/.php/.shtml file with one containing a notice advising them to deposit a specified amount of bitcoin to retrieve the AES key to decrypt the data. We’ve seen cryptolocker target personal computers and the data contained therein, but this new targeting of websites is novel.

The Apple v FBI struggle continues, and it appears likely that Apple will prevail. Apple has every reason not to comply with their directives as it would fundamentally erode trust in their software if users knew there was a government backdoor, even if this backdoor simply eliminated the lockout period between incorrect keycode attempts. Perhaps if the FBI had handled the evidence correctly the whole situation could have been avoided. They now admit that a tech reset the phone’s Apple ID, triggering this whole sorry sequence of events.

I’ve taken a hiatus from bringing you guys up to date security news for quite some time, but now have the time and inclination to begin updating this blog more regularly, so please feel free to visit regularly and engage in conversation. I do not moderate, except where the content is spam or just blatant abuse.

I’m also now routinely signing my posts using GNUPG. To verify my posts, simply view the source and cut and paste the portion between the &lt!-- beginsig --> and <-- endsig --> including those headers and run it through gpg. My key (ID 0xD07C3352) is available from the MIT key servers or from this site (see top menu).

Version: GnuPG v1 (FreeBSD)