Security Roundup - 2016-05-04

One engineer recently found ‘Shellshock’ style user agent strings in his log files. After investigation, he realized that an attacker was using someone’s unsecured log files as a blind drop for scanning results.

Apparently, a few years ago, someone set up a project to try and find common factors in RSA PGP keys. Last year, they started processing keys from the public keyserver dataset. To date, they have found over 200 broken keys and 2000 keys with suspicious characteristics, including keys from Apple, Product Security, Nasa, and The Pirate Party. These keys contain things like non-prime factors and shared factors, where if you take 2 keys with one known shared factor, you can figure out the second (and thus generate a private key). This could either be due to poor sources of entropy or deliberately crippled PGP implementations.

The Verge has a good article on why fingerprints are not good for authentication. Among other things: The government has a giant database of fingerprints (mine have been scanned when traveling back and forth from Canada), and thus are leak-able. Unlike passwords, changing fingerprints (and other biometrics) is pretty hard and we leave our fingerprints everywhere. If anything, biometrics are more akin to a username then they are to a password.

Some security researchers recently realized that Slack API tokens were checked in to Github repositories. They quickly realized they could gain access to a lot of sensitive information, including passwords. Slack has indicated they are now scanning Github and revoking found tokens, similar to what other services like Amazon currently do.

In a follow up on the recent story of how quickly people plug in random USB keys, Infosecurity Magazine has an article on how the American Dental Association accidentally spread malware via USB keys they had manufactured.

After 100 breaches, Have I Been Pwned has had breach data submitted by the breached company, rather than finding the data online. A similar service, Pwnedlist, has recently had a major security vulnerability communicated to them, and has decided to shut down their public site.

Written on May 4, 2016