Security Roundup - 2018-01-11

Processors continue to receive security scrutiny. On the heels of Meltdown and Spectre, another CPU-related security vulnerability has been reported, this time in the firmware Trusted Platform Module (fTPM) running on AMD's Secure Processor. The vulnerability would allow a crafty attacker to execute code inside the processor, potentially accessing any secrets contained therein. This is similar to a vulnerability discovered last year in Intel's Management Engine, which is also intended to manage secrets. Given the recent discoveries, expect security researchers to continue shining lights on the hardware that we use every day.

Vulnerability Rediscovery. Did you know that 4 separate researchers independently discovered Spectre and Meltdown? It is a remarkable story of convergence, and security researcher Bruce Schneier even co-wrote a paper on 'Taking Stock: Estimating Vulnerability Rediscovery' last year. The question some researchers are asking is: if they all discovered it around the same time, how likely is it that someone else found it earlier and didn't disclose it?

GitHub to expand security monitoring. GitHub has acquired the people behind Appcanary, a service that monitors software dependencies and server packages for vulnerabilities. At GitHub, they will be working on expanding GitHub's security tooling, such as its vulnerability management program.

The breaches that did not happen in 2017. In a more positive outlook, HackerOne reviews bug bounty programs in 2017, pointing out that tens of thousands of security vulnerabilities were identified and remediated using these programs.

I'm Harvesting Sensitive Information From Your Site. While people freak out about hardware-level vulnerabilities, others theorize about how to actually steal sensitive information, such as this somewhat sarcastic take on how to steal sensitive information from sites. The scenario involves publishing a helpful library that carries some obfuscated malicious code, then selectively sending harvested data back to a server so that the exfiltration is hard to notice. How many organizations would actually detect this? Given similar types of attacks via Chrome plugins or WordPress plugins, an attack like this could realistically live undetected for a long time.

Extended Validation Collisions. Extended validation for SSL certificates, the process by which you certify that you are a valid organization and get some additional trust indicators for your certificate, apparently has a problem with organizational name collisions. The security researcher even went through the process of setting up a corporation to demonstrate this, suggesting that it may be possible for the low, low price of $177.

Written on January 11, 2018