Blackphone, a “secure” cellular phone, was launched earlier this week. To be honest, I am a bit disappointed with this device, especially their choice to run an AOSP-based ROM. Of course, the very notion of a ‘secure’ cellular phone is a misnomer. No matter how great their platform is, you’re always going to be carrying a portable tracking beacon.
Blog Archives
Link
Robert Graham of Errata Security recently wrote in a blog post that over 300,000 hosts are still vulnerable to the OpenSSL heartbleed bug and posited that people had stopped even trying to patch.
While disconcerting, I imagine that a significant portion of the ~300k reported are embedded systems and that sysadmins are likely aware of the issue but effectively have their hands tied until their vendors submit a patch. Given that many consumer devices like DSL CPEs are seldom updated, and many ISPs make the mistake of leaving remote administration open without even applying basic security hygiene practices like IP filtering to only their internal networks, I assume that these problems won’t be solved any time soon. Heck, there are still routers affected by the D-Link hardcoded administrative password vulnerability that remain accessible.
Link
My canary has been updated as at 13:16 PDT.
Link
The US House of Representatives today passed an amendment that will defund NSA programs designed to introduce backdoors. The bipartisan agreement, entitled ‘Massie-Lofgren’, was billed as an exciting development by the EFF, with Mark Rumold, the Foundation’s counsel, stating that they “applaud the House for taking this important first step, and we look forward to other elected officials standing up for our right to privacy.” Many, including myself, have questioned whether the new bill will truly be effective in curtailing the NSA’s spying – at least on the domestic front. I suspect that it will be business as usual for the NSA and their associated contractors and affiliates.
Link
Matthew Green has an excellent blog post explaining the Triple Handshake TLS vulnerability.
Link
Krebs has an interesting article on an attempt by some whitehats to steal control of the Gameover (Zeus) botnet.
Link
The security world sure moves fast! A website (http://truecrypt.ch/) has been created with a stated intent to continue maintaining the Truecrypt code, obviously starting with the last fully functioning code base of 7.1a. The site also has a mirror of the TC installers for various platforms. Whether this will amount to anything is anyone’s guess at this point in time.
Link
Amusingly, Apple appears to have neglected to renew a certificate used for one of their software update servers, resulting in users being denied the ability to perform updates or install software from the Mac Store. The issue presumably began on May 24, 2014 (the original certificate’s expiration date) and was corrected soon after, but not before many took to the Internet to vent their frustration that one of the world’s biggest software companies could neglect to renew their SSL certificates.
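The failure mode above (a certificate that silently runs past its notAfter date) is cheap to catch with a scheduled check. The following is an added example, not Apple's code or anything from the original post: it evaluates a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()`, and flags it as expiring or expired relative to a reference time. The sample certificate, its hostname and its May 24, 2014 expiry are constructed for illustration; `fetch_peer_cert()` shows how the same check would be fed from a live endpoint but is not called by default so the block runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# The hostname and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "updates.example.com"),),),
    "notBefore": "May 24 00:00:00 2013 GMT",
    "notAfter": "May 24 00:00:00 2014 GMT",
}


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (helper so callers need no imports)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def not_after(cert):
    """Parse the certificate's notAfter field into an aware UTC datetime.

    ssl.cert_time_to_seconds() understands the 'Mon DD HH:MM:SS YYYY GMT'
    format used by getpeercert() and interprets it as UTC.
    """
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_until_expiry(cert, now):
    """Whole days left before notAfter; negative once the cert has expired."""
    return (not_after(cert) - now).days


def check_expiry(cert, now, warn_days=30):
    """Classify a certificate as 'ok', 'expiring' (within warn_days) or 'expired'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Retrieve the leaf certificate presented by a live TLS endpoint.

    Uses the default context, so an already-expired certificate fails
    verification here; that failure is itself the signal to alert on.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(check_expiry(SAMPLE_CERT, now), days_until_expiry(SAMPLE_CERT, now))
```

Run it from cron against each public endpoint and alert on anything other than `ok`; a 30-day warning window leaves time to issue and deploy a replacement before users are locked out.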
Link
Cloudflare Writes On The Deprecation Of RC4
The move away from RC4 to AES is a sensible pre-emptive action being taken by those in the industry. Cloudflare recently wrote a blog post detailing their rationale for removing RC4 as a supported cipher for modern browsers using TLS 1.1 or greater. I reiterate that RC4 has not been demonstrably broken, but it would appear to be only a matter of time.
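For an operator following Cloudflare's lead, the practical question is whether your own server configuration still offers RC4. Below is an added example, not Cloudflare's code or anything from the post: it builds a server-side `ssl.SSLContext` with an OpenSSL cipher string that excludes RC4 (the `!RC4` term), then lists what the context actually negotiates so the exclusion can be verified rather than assumed. The cipher string and the TLS 1.2 floor are this example's own choices; the post discusses TLS 1.1 or greater, and 1.2 is used here because Python can express it directly as a minimum version.

```python
import ssl

# Example of the kind of legacy cipher string that still permits RC4
# (shown for comparison only; it is never applied in this block):
LEGACY_CIPHERS = "HIGH:MEDIUM:RC4-SHA:!aNULL"

# Corrected string: forward-secret AEAD suites only, RC4 and other
# legacy algorithms explicitly excluded with '!' terms.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!MD5"

# Names that should never appear in an enabled cipher list.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5")


def hardened_server_context():
    """Server context that refuses RC4 and anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_cipher_names(ctx):
    """Cipher suite names OpenSSL will actually offer for this context
    (TLS 1.3 suites are included automatically when the library supports them)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names, markers=WEAK_MARKERS):
    """Return the subset of suite names that match a weak-algorithm marker."""
    return [n for n in names if any(m in n for m in markers)]


def minimum_tls_version_name(ctx):
    """Human-readable floor, e.g. 'TLSv1_2', for audit output."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_server_context()
    names = enabled_cipher_names(ctx)
    print("minimum version:", minimum_tls_version_name(ctx))
    print("enabled suites:", names)
    print("weak suites still offered:", weak_ciphers(names))
```

The same `weak_ciphers()` pass can be pointed at the output of a context built from a production configuration file, which turns "we removed RC4" into a check that runs on every deploy.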
Link
Wang Jing, a PhD student at a Singaporean university, has discovered a vulnerability in OpenID and OAuth. While not earth-shattering, with sites like Facebook relying on these protocols to authenticate their users, the impact of such a vulnerability could be non-trivial.