Security Roundup - 2017-03-30
Big news this week is Symantec’s mis-issuance of roughly 30,000 certificates, Extended Validation certificates among them, largely through third-party registration authorities with privileged access to Symantec’s issuance systems. Extended Validation certificates are supposed to carry additional identity-validation steps beyond proof of domain control; when those steps are skipped, the only thing that distinguishes an EV certificate is gone. This isn’t the first time Symantec has mis-issued certificates: after an earlier incident Google required Symantec to submit ALL of its certificates to Certificate Transparency logs for auditing. After this most recent incident, Google has announced that Chrome will stop treating Symantec Extended Validation certificates as EV. Further, Google has proposed phasing out trust in Symantec-issued certificates in Chrome, which would essentially delist them. Symantec has posted a rebuttal, pointing to its use of Certificate Transparency and its championing of Certificate Authority Authorization (CAA). Regardless of the outcome, the end result looks like more transparency and better security for the internet as a whole.
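CAA is the mechanism Symantec points to in its rebuttal: a domain owner publishes DNS records naming the CAs allowed to issue for it, and a CA must check them before issuing. The following is an added example, not code from Symantec, Google or any CA, that walks the CAA lookup the way RFC 6844/8659 describe it (start at the requested name and climb to parents until a CAA RRset is found, then check the issue/issuewild tags) over a small set of constructed DNS answers. The zone contents, the CA names and the treatment of CNAMEs (ignored here) are assumptions for the example.

```python
"""CAA evaluation walk over constructed DNS data (added example, not from any CA's code)."""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), as in a CAA RR

# Constructed zone data for the example: owner name -> CAA RRset.
# Names absent from the dict have no CAA RRset at all.
CONSTRUCTED_ZONES: Dict[str, List[CAARecord]] = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "shop.example.com.": [(0, "issue", "symantec.com")],
    "legacy.example.com.": [(128, "futuretag", "x")],  # unknown tag with the critical flag set
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80


def relevant_caa_set(name: str, zones: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Climb from `name` towards the root and return the first CAA RRset found.

    Simplification: CNAME/DNAME following is not modelled here."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        if owner in zones:
            return zones[owner]
        labels.pop(0)
    return []  # no CAA anywhere in the ancestry: issuance is unrestricted


def issuer_domain(value: str) -> str:
    """The issuer-domain part of an issue/issuewild value; parameters after ';' are ignored.
    A bare ';' means "no CA may issue"."""
    issuer, _, _params = value.partition(";")
    return issuer.strip().lower()


def ca_may_issue(name: str, ca_domain: str,
                 zones: Dict[str, List[CAARecord]] = CONSTRUCTED_ZONES) -> bool:
    """Return True if `ca_domain` is authorised to issue a certificate for `name`.

    A name of the form '*.example.com' is evaluated as a wildcard request for example.com."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    rrset = relevant_caa_set(lookup, zones)
    if not rrset:
        return True
    # A record the CA does not understand but which is flagged critical forbids issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False
    entries: List[str] = []
    if wildcard:
        entries = [v for _, t, v in rrset if t.lower() == "issuewild"]
    if not entries:  # non-wildcard request, or wildcard with no issuewild records present
        entries = [v for _, t, v in rrset if t.lower() == "issue"]
    if not entries:
        return True  # relevant RRset carries no issue restriction
    ca = ca_domain.lower().rstrip(".")
    return any(issuer_domain(v) == ca for v in entries)


if __name__ == "__main__":
    for req in [("www.example.com", "letsencrypt.org"), ("www.example.com", "symantec.com"),
                ("shop.example.com", "symantec.com"), ("*.example.com", "letsencrypt.org")]:
        print(req, "->", "permitted" if ca_may_issue(*req) else "refused")
```

Note that the most specific RRset wins outright: shop.example.com's own record authorises symantec.com and the parent's letsencrypt.org entry no longer applies, so a domain owner who wants to restrict a whole tree must check every sub-zone that carries its own CAA records. CAA constrains honest CAs; it would not have stopped a registration authority that skipped validation altogether.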
Let’s Encrypt came under fire this week for, in effect, providing exactly that transparency: a look through its CT-logged output shows it has issued quite a number of certificates that could be used for phishing, including roughly 15,000 certificates containing the term ‘PayPal’ this quarter. Let’s Encrypt has said since its inception that Certificate Authorities make poor content watchdogs, and that its primary aim is to encrypt all web communications. Bleeping Computer points out that a number of the sites behind these certificates have already been flagged by Safe Browsing, which does indicate that other user protections are in play. So while these certificates are being issued, the fact that they go through Certificate Transparency and are on the record is at least shedding more light on the problem.
Congress has voted to repeal the FCC’s broadband privacy rules, and right before that the EFF posted on what the repeal means for cybersecurity. Particularly worrying to me is the concept of “Explicit Trusted Proxies”, which are designed to decrypt and inspect SSL communications; as we learned last week, US-CERT has warned that this type of traffic interception actually decreases overall security.
After yet another round of breaches, Troy Hunt has written an article on how to handle a breach disclosure. Using CloudPets as an example, Troy points out that someone noticed their exposed MongoDB database and tried to contact them to get it fixed before the data was taken. Making it harder for an outsider to start that dialogue makes it easier for a company to remain unaware of a problem it needs to act on. He goes on to argue that once a breach is known, it is in the company’s best interest to disclose as soon as possible so that users have time to protect themselves, given the rampant reuse of passwords across sites. He references the upcoming General Data Protection Regulation in Europe, under which companies will be required to disclose breaches within 72 hours. The entire article is well worth reading, containing a number of breach disclosure successes as well as quite a few failures.
Many malware strains are starting to make use of a technique called domain fronting. The TLS handshake (the SNI field) names a high-reputation domain hosted on a large provider, while the HTTP Host header inside the encrypted connection names the real destination; the provider’s edge then relays the traffic to that destination, much as Tor’s meek transport does. Providers seen used this way include Amazon’s CloudFront and Google’s Appspot, chosen because blocking or delisting the relay would mean blocking the provider’s legitimate domains too.
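The defender-side tell is that the name in the TLS SNI and the name in the HTTP Host header do not belong together, which is only visible where a TLS-terminating proxy logs both. The following added example (mine, not from any of the vendors or malware families mentioned above) parses a few constructed proxy log lines carrying both fields and flags the flows whose SNI and Host fall under different registrable domains; it also shows, without sending anything, how the two names sit at different layers of a fronted request. The log format, the hostnames and the two-label heuristic for "registrable domain" are assumptions for the example.

```python
"""Domain-fronting mismatch check over constructed proxy logs (added example)."""
import re
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: str
    src: str
    sni: str   # server name from the TLS ClientHello
    host: str  # Host header from the decrypted HTTP request


# Assumed log format for a TLS-inspecting proxy that records both names.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)$")

# Constructed sample lines; these are not real traffic or real relay names.
CONSTRUCTED_LOG = """\
2017-03-29T10:01:02Z src=10.0.0.5 sni=www.google.com host=www.google.com
2017-03-29T10:01:05Z src=10.0.0.5 sni=www.google.com host=relay-1234.appspot.com
2017-03-29T10:02:10Z src=10.0.0.9 sni=d1234abcd.cloudfront.net host=cdn-origin.example.org
2017-03-29T10:03:44Z src=10.0.0.7 sni=a0.awsstatic.com host=d2abcdef.cloudfront.net
"""


def parse_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append(Flow(**m.groupdict()))
    return flows


def registrable(hostname: str) -> str:
    """Heuristic registrable domain: the last two labels.
    A real deployment should use the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronted(flows: List[Flow]) -> List[Flow]:
    """Flows whose TLS server name and HTTP Host disagree on the registrable domain."""
    return [f for f in flows if registrable(f.sni) != registrable(f.host)]


def fronted_request(front: str, hidden: str, path: str = "/") -> Tuple[str, bytes]:
    """Return (tls_server_name, http_request_bytes) for a fronted request.

    The TLS layer (SNI, certificate) only ever sees `front`; `hidden` travels
    inside the encrypted HTTP request, where the provider's edge routes on it."""
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return front, request


if __name__ == "__main__":
    for f in find_fronted(parse_log(CONSTRUCTED_LOG)):
        print(f"{f.ts} {f.src}: SNI={f.sni} but Host={f.host}")
```

A mismatch is a triage signal rather than a verdict: CDN customers routinely front their own origins through a shared edge, so the third sample line could be perfectly legitimate, whereas a client base that should never talk to appspot.com or cloudfront.net at all makes the other two worth pulling. Without a decrypting proxy the only name available is the SNI, and by construction it looks benign.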
For those who enjoy reading up on malware detection evasion, Talos shares some recent obfuscation methods used by LokiBot.
Talos also details an NTP vulnerability discovered during Cisco’s effort to test NTP implementations for security flaws.
Finally, BleepingComputer covers GiftGhostBot, a botnet devoted to brute-forcing gift card APIs to discover cards with usable balances. The botnet is apparently hitting some eCommerce sites with an average of 1.7 million requests per hour.
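A balance-check endpoint being swept looks nothing like a shopper: one source, a fresh card number on every request, and almost every lookup failing. The following added example (my own, not from BleepingComputer or any affected retailer) builds a constructed access log with one scripted client sweeping card numbers alongside one normal shopper, then runs a per-source sliding-window detector that alerts on many distinct card numbers with a near-zero hit rate. The endpoint path, the card-number format and the convention that an unknown card answers 404 are assumptions for the example.

```python
"""Gift-card balance-check enumeration detector over constructed logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple
from urllib.parse import parse_qs, urlsplit


class Hit(NamedTuple):
    ip: str
    ts: datetime
    card: str
    status: int


# Assumed combined-log style: ip [ts] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BALANCE_PATH = "/api/giftcard/balance"  # hypothetical endpoint for the example


def build_constructed_log() -> str:
    """Constructed sample: 203.0.113.7 sweeps 60 card numbers in 60 seconds and hits
    two live cards; 198.51.100.4 checks one card and browses on. Not real traffic."""
    base = datetime.strptime("30/Mar/2017:10:00:00 +0000", TS_FMT)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        card = f"6011{i:012d}"
        status = 200 if i % 30 == 0 else 404  # assumption: unknown card -> 404
        lines.append(f'203.0.113.7 [{ts}] "GET {BALANCE_PATH}?card={card} HTTP/1.1" {status}')
    ts = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f'198.51.100.4 [{ts}] "GET {BALANCE_PATH}?card=6011999999999999 HTTP/1.1" 200')
    lines.append(f'198.51.100.4 [{ts}] "GET /cart HTTP/1.1" 200')
    return "\n".join(lines)


def parse_balance_hits(text: str) -> List[Hit]:
    """Keep only requests to the balance endpoint, with the card parameter pulled out."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if url.path != BALANCE_PATH:
            continue
        card = parse_qs(url.query).get("card", [""])[0]
        hits.append(Hit(m["ip"], datetime.strptime(m["ts"], TS_FMT), card, int(m["status"])))
    return hits


def detect_enumeration(hits: List[Hit], window: timedelta = timedelta(minutes=1),
                       min_distinct: int = 20,
                       max_success_ratio: float = 0.1) -> List[Tuple[str, int, int, int]]:
    """Per source IP, slide a time window over its balance checks and alert when the
    window holds at least `min_distinct` different card numbers and the share of
    successful lookups is at most `max_success_ratio`.

    Returns (ip, requests_in_window, distinct_cards, successes), one alert per IP."""
    by_ip: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_ip[h.ip].append(h)
    alerts = []
    for ip, hs in by_ip.items():
        hs.sort(key=lambda h: h.ts)
        start = 0
        for end in range(len(hs)):
            while hs[end].ts - hs[start].ts > window:
                start += 1
            span = hs[start:end + 1]
            distinct = {h.card for h in span}
            successes = sum(1 for h in span if h.status == 200)
            if len(distinct) >= min_distinct and successes / len(span) <= max_success_ratio:
                alerts.append((ip, len(span), len(distinct), successes))
                break
    return alerts


if __name__ == "__main__":
    for ip, n, distinct, ok in detect_enumeration(parse_balance_hits(build_constructed_log())):
        print(f"{ip}: {n} balance checks, {distinct} distinct cards, {ok} succeeded")
```

Keying on distinct card numbers rather than raw request volume is what separates a sweep from a busy but legitimate client, and it survives the botnet spreading its load across many IPs only if you also aggregate by card-number prefix or by session; at 1.7 million requests an hour the practical fix is to rate-limit the endpoint and require a second factor (PIN or CAPTCHA) before revealing a balance.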