SSL.com’s Friday Security Roundup – April 17, 2015

 

From the 13th happiest city in the country* – it’s the Friday Security Roundup, wherein SSL.com presents some security issues that we’ve been following this week.

You’re Really Only Safe If Your Employees Never Open Their Email


Estimated as 91%, by Trend Micro: The number of security breaches that begin with a phishing or spear-phishing email. SSL.com is here to protect your traffic, and any number of anti-malware programs can try to flag malicious attachments from your mail – however, social engineering has been with us since before the Trojan War and is still darned hard to guard against.

Status: Human nature is hard to lock down, and your network is vulnerable as long as Bob in Accounts Receivable is willing to open what he thinks is a car crash compilation set to “Yakety Sax”. Teach security to your people and keep your recovery disks close at hand.

Netflix Moving Pix to HTTPS

Announced, by the media-streaming giant: An initiative to encrypt all content delivered to you, including and most interestingly the video stream itself, over the next year. This will necessarily require some innovative design on both the software and hardware ends of things, which we will look at in greater detail in an upcoming article. Content deliverers have historically used encryption methods only to fence in their own content (and generally pretty terrible methods, too, as this link shows – it’s NSFW, if you squint) so Netflix taking this nontrivial step to secure content is very welcome indeed.

Status: Applauded, with stomps and whistles. Netflix is not just an industry leader but has a demonstrably wide-ranging impact on everything including choice of baby names, so this move to SSL/TLS might help the already tidal surge towards a fully-encrypted internet.

Vote Early and Often – Then Hack the Machine, Just to Be Sure

Decertified, by the Virginia Board of Elections: the Advanced Voting Systems WINVote electronic voting system, after an audit found a slew of issues that you wouldn’t let stand in your grandmother’s computer, let alone a device supposedly designed to ensure a free and fair vote. What kind of issues? Administrator access via the password “admin”. Always-on Wi-Fi, “secured” by massively obsolete WEP encryption. An OS unpatched since perhaps 2004. And what’s this USB port for over here?

Status: Frankly, dismayed. We try to be trusting of authority and stuff, but the folks responsible for purchasing and retaining these machines were at the very best interpretation eye-bulgingly ignorant. WEP has been DOA since at least 2011, and a cursory search would show that Pennsylvania kicked the exact same machines to the curb seven years ago due to exactly these issues.


Better Late Than Never, We Guess

Disabled in Internet Explorer 11, by Microsoft: SSL 3.0, the protocol exploited in last winter’s POODLE unpleasantness. To be fair, the folks from Redmond did disable default SSL 3.0 fallback (the vector for the POODLE attack) – in February.

Status: Applauded, though maybe via a golf clap – since Google disabled SSL 3.0 in Chrome 40 (January 2015) and Mozilla did the same in Firefox 34 (December 2014). And of course the good folks at Opera were ahead of the game, taking SSL 3.0 out of the picture in October 2014. (Opera. It’s another browser. Really, you might give it a try.)


As always, we appreciate your reading these words, and let us know what you think.

*Overall grade – per Gallup-Healthways, Houston is 4th for “purpose”, 36th for “social”, and who are we to argue?