SSL.com’s Friday Security Roundup – June 19, 2015


Happy birthday to Blaise Pascal and the FCC! This week’s Security Roundup tips its hat to the French mathematics pioneer and inventor who helped define what would later evolve into the scientific method, developed an early mechanical calculator and (as a side project) invented roulette. Today’s Federal Communications Commission is less honored perhaps than Pascal – no one’s named a programming language after the FCC (yet). However, loved or hated, the FCC has a tremendous impact on how information flows in our world, whether that’s defining Net Neutrality rules or slapping AT&T with a massive fine for playing a bit fast and loose (or rather slow and restricted) with the phrase “unlimited data”.

SSL.com is putting all our chips on black 22 and spinning the wheel – let’s see what security issues the ball lands on this week.


Full-Time HTTPS: Massive Upvote

Securing their traffic, through HTTPS-only connections: Reddit and Wikimedia. The “front page of the internet” reports this week that SSL-only viewing will be mandatory starting June 29th of this year. Meanwhile, Wikimedia announced the transition of all sites under their aegis to full-time encrypted connections “within a couple of weeks”. Both are also implementing HSTS, which helps prevent insecure connections. Meanwhile, perfectly adequate search provider Bing states they will begin encryption by default “beginning this summer”. All this is of course on the heels of last week’s call by the US CIO for HTTPS-only connections to .gov websites by the end of 2016.

Status: Thought we’d start with some good news this week, and kudos all around – more use of always-on HTTPS makes the internet a better place in general, and adoption of HSTS by Reddit and Wikimedia is better yet. Also of interest in the encrypt-it-all field: Minds.com, a new open source social network featuring transparent algorithms, always-on HTTPS and the backing of activist group Anonymous.
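As an added illustration (not part of SSL.com’s original post, nor code from Reddit or Wikimedia), here is a small Python checker for the HSTS policy mentioned above. It parses a Strict-Transport-Security header value per RFC 6797 and reports the weaknesses a defender would look for: a missing or malformed max-age (browsers ignore the header), a max-age of zero (which clears the policy), a lifetime shorter than one year (the minimum the browser preload list accepts), and missing includeSubDomains or preload directives. The sample header values are constructed for the example, not captured from any real site.

```python
import re

# Constructed sample header values (not captured from Reddit, Wikimedia or any real site).
SAMPLE_HEADERS = {
    "strong":  "max-age=31536000; includeSubDomains; preload",
    "short":   "max-age=300",
    "missing": "",
}

ONE_YEAR = 31536000  # seconds; minimum max-age required by the HSTS preload list


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is absent or empty. Directive names are
    case-insensitive (RFC 6797); unrecognised directives are ignored.
    A non-integer max-age is treated as malformed (max_age stays None).
    """
    if not header_value or not header_value.strip():
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(header_value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy looks solid."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no Strict-Transport-Security header: browsers will still accept plain HTTP"]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0: this clears the policy instead of enforcing it")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age={policy['max_age']} is below {min_age} seconds (one year)")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if not policy["preload"]:
        findings.append("preload absent: the very first visit is unprotected until the header is seen")
    return findings


if __name__ == "__main__":
    # Walk the constructed samples and print what a reviewer would flag.
    for label, value in SAMPLE_HEADERS.items():
        print(f"[{label}] {value!r}")
        for finding in assess_hsts(value) or ["ok"]:
            print("   -", finding)
```

In practice you would feed `assess_hsts` the header value from a real HTTPS response (for example `response.headers.get("Strict-Transport-Security")`), remembering that HSTS is only honoured by browsers when it arrives over an error-free TLS connection, so a header served on plain HTTP or alongside a certificate error does nothing.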

LastPass Hacked

Compromised: “Account email addresses, password reminders, server per user salts, and authentication hashes” held by LastPass, the popular password manager. Although according to the company no master passwords were themselves stolen, they (and we) still suggest resetting these, as well as enabling two factor authentication for enhanced security.

Status: Well, LastPass is to be recognized for a quick response to an unfortunate event, but the sheer unwieldiness of maintaining multiple passwords in today’s environment is the root issue here. Cue the latest candidate to replace passwords – the Internet of Things, as represented by the Apple Watch.

“I just want to say one word to you, Benjamin. Just one word. Malware.”

Made, by black hats wielding malware: mad bank, according to a recent report from security firm Trustwave. The most startling and reported finding: cybercriminals can “expect to earn a breathtaking 1,425% return on investment (ROI) – or $84,000 in revenue – over 30 days.” Also worth noting is that 98 percent of applications tested had at least one vulnerability, while the most vulnerabilities found in one application was an astounding 747.

Status: Possible further proof that you chose the wrong career path, for those of a certain mindset – we of course prefer to note that full and correct implementation of SSL will help protect against many of the attacks Trustwave detailed in this report.

Support User Privacy, See Your Business Grow 600%

Expanded sixfold: The number of daily search requests processed by DuckDuckGo, scrappy contender in the search engine field. Notable is that this growth began only after the revelation of widespread NSA snooping, and that DDG very pointedly does not harvest search results, track locations or store search data in any way at all – they instead make pretty decent money through old-school methods like ad views and affiliate links.

Status: Privacy matters, and respecting privacy can even be a decent business model. Okay, so DuckDuckGo’s ten million queries a day may seem like a lot (and certainly it’s enough to generate a nice revenue stream) but they’re just a blip in a universe in which Google, Bing and Yahoo together have 90% market share. However, they are a fast growing and extremely well regarded alternative to the big three – and thus touted as an ideal target for buyout by Apple.

Winning Is a Habit. Success Is a Choice. Hacking Gets You a Visit From the Feds.

Opened, by the FBI: An investigation of the St. Louis Cardinals, for possibly hacking into the Houston Astros’ network. Compromised, per the New York Times, are “internal discussions about trades, proprietary statistics and scouting reports.” The owner of the Cardinals admitted that someone in his organization had committed “roguish behavior”, which sounds more like twirling one’s mustache while fencing with the queen’s guards than stealing personal data from an opposing team’s database and triggering a Federal investigation. The Gray Lady may be a mite off kilter about minor matters like WMD programs and whatnot, but given how the past couple of seasons have gone, their headline for this reportage was fair, full and accurate: “Of All Teams to Hack, Why the Astros?”

Status: Note that the Astros are top of their division thus far this year without, as far as we know, hacking into their opponents’ databases. Well worth shelling some peanuts and following this as it unfolds, as it now appears that several separate compromises occurred as far back as 2012 – “roguish” indeed.


Meanwhile, there’s all the stuff that we couldn’t quite fit into this week’s roundup, including this week’s OS X/iOS vulnerability, the latest details about the unfolding OPM hack (but we’ll be surveying that particular trainwreck in more depth next week), the Let’s Encrypt initiative finally announcing hard launch dates, how Chinese ne’er-do-wells are sniffing VPN and Tor traffic and oh so much more – but we’ll be back with more next week.

As ever, we appreciate your reading these words, and remind you – a safer internet is a better internet.