SSL.com’s Friday Security Roundup – June 5, 2015

SSL_com_logoIn this weeks’ Friday Security Roundup, we note the second anniversary of the initial news articles based on the Edward Snowden disclosures, published in British paper the Guardian and variously met with statements from “a serious setback for Western intelligence” to “Good news! You’re not paranoid!“) It’s also the 14th anniversary of Tropical Storm Allison, which dropped some 40 inches of rain on SSL.com’s home port of Houston. Massive data breaches and the start of hurricane season always remind us that a good disaster recovery plan should be part of your security infrastructure to make sure that your customers, your employees and your business can weather any storm. But enough looking into the past – let’s review some of the security issues we’ve been following this week at SSL.com, shall we?


Fun Fact: Edward Snowden Has Already Created More Jobs Than the Keystone Pipeline Ever Would

Reported, by ProPublica and the New York Times: Memos outlining the secret expansion of the National Security Agency’s warrantless surveillance program in 2012. As the Gray Lady states, the N.S.A was authorized secretly by the Justice Department “to target Internet addresses, malware, and other ‘cybersignatures’ associated with foreign governments, and it has pushed to remove limits on that power.” (The question as to what “associated” can mean in this context is left rather blank.) In a related note, Vice News has released documents that only cloud the waters as to how many items Snowden actually obtained. The range has run from 200,000 to 1.7 million – the briefing points obtained by Vice under the Freedom of Information Act give the number as “over 900,000”. The part we particularly applaud (and that no one else seems to be playing up) is how this issue has helped fight unemployment, as the FOIA docs note that between 200 and 250 people from the Department of Defense work to “triage, analyze, and assess DoD impacts related to the Snowden compromise”.

Status: Feeling more informed, if not precisely more cheerful. (And security tip to sysadmins: don’t share your login credentials, ‘kay?) Regardless of your take on Snowden himself, the constant release of information resulting from his actions is definitely illuminating the universe in which agencies like the NSA operate. President Obama himself called for an “open debate” about transparency in cybersecurity last February in a speech at Stanford University, and both SSL.com and Mr. Snowden himself certainly encourage this debate as well.


Recommended Response to Hola: Adios

Discovered, by the forthrightly-named “Adios-Hola” team: Significant issues with the popular free Virtual Private Network provider Hola, which counts some 47 million users. Their “peer-to-peer VPN” setup is wildly insecure – it allows user activity to be tracked, lets other Hola users send traffic across any other user’s connection and allows a user to open and run any program on any other Hola user’s computer. This is all Really Bad Stuff, but the icing on the cake is that Hola’s sister business Luminati sells access to the Hola network, for any purpose whatsoever – if that makes Luminati sound like a botnet that’s because it functionally IS one (and was used as such in a recent DDOS attack on the popular imageboard 8chan).

Status: Recommending you uninstall Hola immediately. Hola’s setup definitely sets our sketchiness detectors a-tingling, and the folks fromAdios lay out their case clearly. Of course, any peer-to-peer software introduces a severe security risk –  readers old enough to have used Napster will likely remember browsing around in the system folders of complete strangers. The difference here is that Napster was sixteen years ago , built by a college student, and (arguably) all about the music, man. Hola’s issues are as bad or worse as any Napster exhibited and, as the Adios team put it, these massive security holes means Hola is “either grossly incompetent, or simply doesn’t care about the security of their users.” Poor form.


U.S. Government To Provide Free Credit Monitoring to 4 Million Lucky Employees! (There’s a Catch)

Stolen from the U.S. Office of Personnel Management, by “Chinese hackers”: Personnel and security clearance information for some 4 million federal workers. The breach apparently began in December 2014 but was not detected until April of this year. Sad, sad bonus points: The intrusion detection system the hackers apparently evaded is named EINSTEIN.

Status: We declare this the heavy, heavy sigh-worthy item this week. As Reuters cogently notes, the information compromised in this event includes exactly the kind of sensitive personal details that any foreign intelligence agency would normally work years to obtain, on a retail basis, for individual employees – but laid out via this hack for wholesale review.


John McAfee Sighted, Speaks, Makes Considerable Sense

Delivered, at the 2015 Infosec Conference, by security maven John McAfee: A keynote speech on privacy. McAfee – best known for his early association with antivirus software and his exploration of Central American legal systems – has spoken out about smartphone apps that spy on users previously at DefCon 2014. This time around he decried governmental attempts to weaken protection (“By putting backdoors in the software, we have given hackers the access we are trying to prevent.”) McAfee also again addressed the possible malign side effects of allowing software from obscure sources to run on one’s phone, mentioning Bible-reading apps specifically – “almost every one of them wants access to your emails or SMS messages, to access the camera and the microphone. What does it need that access for?”

 Status: Nice to hear from Mr. McAfee, actually. However troubled his personal arc might’ve been, we appreciate anyone who can deliver lines like “Can you live in a society that is more paranoid than I’m supposed to be?” and mean it – and in any event he’s not saying anything we aren’t also hearing in less dramatic but no less accurate form from Apple’s Tim Cook.


We see we haven’t mentioned the latest firmware exploits that can root your Mac, or the recent list of 22 router models and the vulnerabilities they come with (no extra charge!), or the adoption of PGP by Facebook and support of OpenSSH by Microsoft, measures that pull each ever closer to late-2oth-century security standards…but never fear, we’ll be back with more next week, we promise.

As always, we appreciate your reading these words, and please let us know your take on these issues. Remember – SSL.com believes that a safer

internet is a better internet.