SSL.com’s Friday Security Roundup – June 26th, 2015

Happy birthday Maurice Wilkes! In this week’s Friday Security Roundup, we follow our nascent tradition of saluting figures who may be forgotten but who made our world what it is today. Wilkes, for instance, was the postwar computer scientist who developed the first usable stored-program computer, invented macros and subroutines, and with his Titan computer system implemented concepts like controlled access by specific users and/or programs and password encryption – both adopted by later projects like UNIX and so ubiquitous today that it’s easy to forget they haven’t been around forever. They had to be thought up and designed by someone, however – and that someone was Maurice Wilkes.

No password required here, though – kick back whilst SSL.com reviews some of the security issues that we’ve been following this week.

Internet of Things That Travel 85 Miles Per Hour

Surveyed, by the Economist: the state of “the scary world of the computerized car” – with an emphasis on the parlous state and “distressingly easy” hackability of modern, increasingly networked vehicles. They cite the best research in the field, including a whitepaper from security researcher IOActive Labs, which shows how very many attack surfaces are available for exploitation. Conspiracy theorists will have plenty of fodder here – the single-car accident that killed journalist Michael Hastings in 2013 was widely viewed as deeply suspicious by the tinfoil-headgear set. This was reinforced by the real-time hacking demo DARPA performed on a vehicle for CBS’ 60 Minutes last February, showing just how straightforward taking control of everything on a modern vehicle (up to and including the brakes and throttle) could be.

Status: In play – and yes, the lawsuits have started. All the security issues the onrushing IoT presents are only multiplied in automotive networks – this is why SSL.com recommends our own personal car of choice, the 1989 Corolla. (Hey – 82 horses under the hood and impossible to hack.)

Recommendation for SSLv3: Stake Through Heart, Bury Under Crossroads

Issued (PDF) by the Internet Engineering Task Force: a Request For Comments that finally and utterly deprecates the SSL 3.0 protocol. This is due to multiple vulnerabilities that SSLv3 and its close relative TLS 1.0 present. The IETF’s call only codifies what all major browser and server software vendors have already done (some later than others, of course) and reflects the withdrawal of SSLv3/TLS 1.0 support by major players including PayPal and (by June 30, 2016) the PCI Council.

Status: We’ll miss you, SSL 3.0 – you had a good run. You will of course live on in our hearts, in the use of “SSL” as the generic term for online crypto and our own corporate name.

Not Normally What We Assign to That Particular Acronym

Built, by Israeli researchers: the Portable Instrument for Trace Acquisition, or PITA. Assembled from off-the-shelf parts, PITA is an unassuming little device (small enough to insert into the eponymous flatbread) employing Van Eck phreaking to steal data by reading radio signals leaked by the target computer. Although tested against keys stored by the PGP fork GnuPG in this instance, the same techniques could theoretically be used to lift other cryptographic keys – including the ones used in Bitcoin wallets. As the researchers (from Tel Aviv University and Israel’s Technion research institute) explain in their research paper (PDF), PITA is very much a proof of concept (with a range of less than two feet) but may be upgradable to pull secret data from much further away.

Status: PITA snooping aside, SSL.com suggests you send back any unsolicited sandwich placed suspiciously close to your laptop – this is probably good gastronomic as well as security policy.

‘Security’ – I Do Not Think It Means What You Think It Means, Cisco

Issued, by megavendor Cisco: an advisory of a very serious security issue in a vast but unknown number of their appliances. Implicated are all Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances. The problems here: inclusion of a default SSH key in firmware which gives an intruder complete root control of targeted devices, and a privilege escalation vulnerability which can give admin access to remote attackers. As noted by Tod Beardsley from security firm Rapid7, with access to one of the affected devices (usually via a LAN) all that’s required is to “extract the key, and then go to town”.

Status: Patched, but we blame ourselves – our primer on securing SSH does not, we find, mention that using duplicate SSH keys is a Bad Idea. Of course, use of ANY duplicate key is ALWAYS a bad idea (though certainly something we’ve seen before) but bundling it in a huge number of devices with the word ‘security’ right there on the label? C’mon, Cisco.
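One defender-side check that follows from the Cisco item, as an added example rather than code from SSL.com or Cisco: a script that reads OpenSSH known_hosts entries and reports any public key presented by more than one host, since a fleet of devices all answering with the same host key is exactly the footprint a bundled default key leaves behind. The hostnames and key blobs below are constructed for the example.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample key blobs (not real keys): two distinct public keys,
# each wrapped as a base64 blob the way known_hosts stores them.
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-B").decode()

# Constructed known_hosts content: two appliances share KEY_A, one has KEY_B.
SAMPLE_KNOWN_HOSTS = f"""\
# constructed sample, not real appliances
wsa-01.example.test ssh-rsa {KEY_A}
esa-01.example.test ssh-rsa {KEY_A} trailing comment is ignored
sma-01.example.test,192.0.2.10 ssh-rsa {KEY_B}
"""


def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_blob) per entry; skips blanks, comments and
    the optional leading '@marker' field (e.g. @cert-authority, @revoked)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed entry; nothing to fingerprint
        yield fields[0], fields[1], fields[2]


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted list of host entries, keeping only keys seen on more than one host.
    The whole host field ("name,ip") is one identity, so aliases of one host are not false positives."""
    hosts_by_fp = defaultdict(set)
    for host_field, _key_type, blob in parse_known_hosts(text):
        hosts_by_fp[ssh_fingerprint(blob)].add(host_field)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Point it at a real ~/.ssh/known_hosts (or an inventory of collected host keys) and any fingerprint listed is a candidate for a vendor-shipped or cloned key that should be regenerated.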

In the grand, long-lost American tradition of taking long summer vacations, SSL.com’s Security Roundup is taking the next month off – but rest assured that we’ll be back in four weeks with more!

As always, we appreciate your reading these words, and please let us know your take on these issues. Remember – a safer internet is a better internet.