Security Roundup - 2017-07-06

Scott Helme has been analyzing various internet security mechanisms over the last several years. His latest focus is TLS security, and he provides a great writeup on ‘Why TLS Revocation is Broken’. From why Certificate Revocation Lists (CRLs) are too cumbersome and Online Certificate Status Protocol (OCSP) is better for revocation, but worse for privacy, Scott covers the current problem and highlights a number of new options that can further mitigate man in the middle attacks against TLS communications.

Let’s Encrypt hits another milestone by having reached 100 MILLION generated SSL certificates. Given that Let’s Encrypt has only been in operation for a year and a half, this is a remarkable achievement. In that same time period, HTTPS adoption has increased 18% (essentially 1% every month!) to reach 58%, no doubt at least partially due to Let’s Encrypt’s free service. They have also announced they will start issuing wildcard certificates in the new year, citing it as a much requested feature, and their hope that it will help drive adoption of TLS closer to the 100% goal.

The end of this quarter actually saw a large amplification attack on Cloudflare’s infrastructure, crossing 100Gbps and lasting 38 minutes. SSDP is used for discovery of UPnP devices, and allows the query for ‘all’ devices. Since SSDP happens over UDP, the return address can be forged, allowing an attacker to make queries and redirect responses to their victim. We’ve previously covered a number of problems with UPnP, and this is just one more example of why it should be disabled. Cloudflare provides a number of other recommendations to eliminate/reduce the efficacy of these attacks.

A security researcher recently aided in making packages served from node package manager (npm) more secure. The researcher was able to access enough accounts to be able to hijack 14% of all packages, some of which are in use by millions of users. The majority of these accounts were not brute forced, but used involved password reuse from other accounts that were available in one of the many leaks in the last year (check your passwords!), by users publishing these passwords in their packages accidentally or accidentally uploaded to places like Github. 17% of accounts were brute forced, using embarrassingly bad password lists (one password was literally “password”). NPM has tightened password policies, as well as monitoring password based endpoints, and is working to roll out even more security improvements intended to increase account security and mitigate risk.

This week celebrated the 50th anniversary of the ATM. We’ve previously shared stories on ATMs and skimmers, and this week Brian Krebs gives us an update on the current state of ATM skimmer technology.

For those that love to dive into malware breakdowns, Palo Alto Networks provides one on OceanLotus. OceanLotus is a Mac backdoor and interesting for a few reasons, including a custom binary communication protocol with its C2s.

Finally, researchers have published a paper detailing information leak in libgcrypt’s implementation of RSA-1024 keys, resulting in excessive information leaking and allowing researchers to reconstruct the key in use. At time of writing, the library has issued a patch, and many linux providers have provided updates and/or other layers of protection.

Written on July 6, 2017