Security Roundup - 2017-12-28

34C3 in full swing. The 34th Chaos Communication Conference is in full swing. You can check the schedule for the remaining days, or check out the recordings that are already available. Hackaday has a writeup of some interesting talks they attended, the most interesting one so far being ‘Squeezing a key through a carry bit’, where one spelunker leveraged a bug in a crypto implementation to extract an entire private key one bit at a time.

Hack The World results. HackerOne has announced this year’s results of their Hack The World hackathon. This year 700+ bug bounty hunters submitted enough vulnerabilities to clear just over $750K in bounties.

Breaking HSTS and HPKP in modern browsers. HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are modern security functions for browsers. Security researchers recently published ways to abuse how browsers implement these mechanisms, with effects ranging from defeating the protections entirely to rendering the browser unusable.

Ad trackers caught stealing usernames. At least two ad trackers were caught using hidden forms to harvest usernames from sites they were deployed on. Being able to harvest usernames lets them build a bigger profile and match users more reliably across sites, but it also creates a larger trove of information for others to steal, and the same technique could be used to harvest passwords.

Credit card theft targets smaller chains. Follow Brian Krebs’ story of a new batch of stolen credit cards and how he tracked them back to the impacted businesses. One of the targets happens to be a small restaurant chain in Texas, which Krebs tracked down before the company was aware of the credit card fraud, meaning that the cards were sold well before consumers could take any action.

TLS version negotiation delaying TLS 1.3. TLS 1.3 unexpectedly had new drafts at the end of this year, when the expectation was that the spec was essentially finalized. The cause? Problems in TLS version negotiation, where a sizable portion of servers (including network inspection devices) failed in unexpected ways when clients attempted to negotiate the new version. This is, in essence, the same problem that hampered TLS 1.2’s rollout, and the cause of the POODLE downgrade attack. The newer TLS 1.3 drafts have implementation details to avoid doing security downgrades (as was the solution for TLS 1.2), but the fact that this has been repeated has already caused organizations to start thinking about better ways to do TLS negotiation (or at least identifying such problems well in advance).
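To make the negotiation problem concrete, here is an added example (not from the roundup or from any TLS library) that simulates version negotiation in Python with simplified ClientHello/ServerHello structures. The constants are the real ones: TLS_FALLBACK_SCSV (0x5600) from RFC 7507 was the TLS 1.2-era answer to POODLE-style fallback, and the "DOWNGRD" sentinel a TLS 1.3 server writes into the last eight bytes of ServerHello.random (RFC 8446 §4.1.3) is the TLS 1.3 answer. The `broken_middlebox` and `downgrade_attacker` functions are constructed models of the two failure modes the text describes; everything else about the messages is simplified.

```python
import os
from dataclasses import dataclass

# Protocol constants (real values from RFC 5246, RFC 7507 and RFC 8446)
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600                           # signalling cipher suite value
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00"


class HandshakeFailure(Exception):
    """Stands in for a TLS alert; the message names the alert."""


@dataclass
class ClientHello:            # simplified: only the fields this example needs
    versions: list            # offered versions, highest first
    cipher_suites: list       # only the SCSV matters here


@dataclass
class ServerHello:
    version: int
    random: bytes


class Server:
    """A server implementing both downgrade protections."""

    def __init__(self, max_version):
        self.max_version = max_version

    def respond(self, ch):
        # RFC 7507: a fallback retry offering less than we support is either an
        # attack or a broken path; refuse it rather than silently negotiate lower.
        if TLS_FALLBACK_SCSV in ch.cipher_suites and self.max_version > max(ch.versions):
            raise HandshakeFailure("inappropriate_fallback")
        usable = [v for v in ch.versions if v <= self.max_version]
        if not usable:
            raise HandshakeFailure("protocol_version")
        chosen = max(usable)
        random = bytearray(os.urandom(32))
        # RFC 8446 4.1.3: a TLS 1.3-capable server that ends up negotiating a
        # lower version stamps a sentinel so a TLS 1.3 client can detect it.
        if self.max_version == TLS13 and chosen <= TLS12:
            random[24:] = DOWNGRADE_TLS12 if chosen == TLS12 else DOWNGRADE_TLS11
        return ServerHello(chosen, bytes(random))


def broken_middlebox(ch):
    """Constructed model of the failure that delayed TLS 1.3: an inspection box
    that chokes on an unknown version and drops the connection."""
    if TLS13 in ch.versions:
        raise ConnectionResetError("middlebox dropped ClientHello offering TLS 1.3")
    return ch


def downgrade_attacker(ch):
    """Constructed model of an active attacker stripping TLS 1.3 from the offer."""
    return ClientHello([v for v in ch.versions if v != TLS13], ch.cipher_suites)


def client_negotiate(server, path=lambda ch: ch, allow_fallback=False):
    """Return the negotiated version or raise. `path` is whatever sits between
    client and server (identity, a broken middlebox, or an attacker)."""
    offer = ClientHello([TLS13, TLS12, TLS11], [])
    try:
        sh = server.respond(path(offer))
    except ConnectionResetError:
        if not allow_fallback:
            raise
        # The TLS 1.2-era fallback dance: retry with a lower offer, but mark the
        # retry with the SCSV so a capable server can refuse it.
        offer = ClientHello([TLS12, TLS11], [TLS_FALLBACK_SCSV])
        sh = server.respond(path(offer))
    # TLS 1.3 client check: a lower version plus a sentinel means someone
    # between us and a 1.3-capable server tampered with the offer.
    if sh.version <= TLS12 and sh.random[24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        raise HandshakeFailure("illegal_parameter: downgrade sentinel present")
    return sh.version


def outcome(server, path=lambda ch: ch, allow_fallback=False):
    """Summarise an attempt as ("negotiated", version) or ("aborted", reason)."""
    try:
        return ("negotiated", hex(client_negotiate(server, path, allow_fallback)))
    except (HandshakeFailure, ConnectionResetError) as e:
        return ("aborted", str(e))


if __name__ == "__main__":
    print("clean path, 1.3 server:      ", outcome(Server(TLS13)))
    print("clean path, 1.2-only server: ", outcome(Server(TLS12)))
    print("active downgrade:            ", outcome(Server(TLS13), downgrade_attacker))
    print("broken middlebox, no retry:  ", outcome(Server(TLS13), broken_middlebox))
    print("broken middlebox, with retry:", outcome(Server(TLS13), broken_middlebox, True))
```

The last case is the one worth dwelling on: with a broken middlebox in the path, the fallback retry is correctly rejected by the 1.3-capable server (`inappropriate_fallback`), so the protections turn a silent downgrade into a hard failure. That is the right security outcome, but it is also why the middleboxes had to be found and fixed before TLS 1.3 could ship, which is the point the roundup makes about identifying negotiation problems well in advance.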

Lastpass Authenticator app contained surprise security bypass. A security researcher published their discovery that accessing certain activities directly in Lastpass’ Authenticator app would allow someone to bypass the PIN/fingerprint protection. The app has been fixed since the public disclosure.

AppSec Radar. In tech, some companies use a ‘technology radar’ to track which technologies their engineers should adopt, be trialing, or stop using. One new project is experimenting with doing the same for an organization’s applications, factoring in security concerns.

Written on December 28, 2017