Hotel Router a Little TOO Welcoming
Discovered, by Justin W. Clarke of the security firm Cylance: Hundreds of wi-fi routers which allow root access to anyone with minimal skillz and a Linux manual open to the “rsync” chapter. Ability to read all network traffic? Access to vulnerable guest computers? Backdoor access to a hotel chain’s property management software? Check, check and check.
Wait – First Define “Cyber”
Sparking discussion, an interesting article on the Christian Science Monitor’s Passcode security blog: There is “a lack of consensus of what exactly should be considered a ‘cyberincident'”.
Revealed, by Itsik Mantin, director of security research with Imperva: another exploit taking advantage of backwards compatibility (warning: link is to a PDF file). Similar to how POODLE downgraded connections to the vulnerable SSL 3.0 protocol, the long-in-the-tooth RC4 cipher is still supported in many browsers and servers, and can be targeted by the “Bar Mitzvah” attack (so called because the issue’s been known about for thirteen years).
Chain of Trust, Meet Chain of Fail
1) January, 2015. A gentleman in Finland, perhaps with too much time on his hands, discovers that his Windows Live mail service (which uses the live.fi URL) allows him to make an alias for email@example.com. So he does.
2) As a lark/proof of concept, he uses this email address to apply for a domain-validated certificate for the URL live.fi (equivalent to live.com here in Murica) from a major certificate authority.
3) The certificate gets issued straightaway – no muss, no fuss.
4) Man (possibly saying “Mitä helvettiä?“) informs the Finnish version of the FCC – no resolution.
5 through n) Man notifies the Redmond folks, several times. He receives no reply.
n+1) March 2015. Someone at Microsoft apparently returns from vacation, checks email, smacks forehead, and freezes our Finnish friend’s live.fi account (also, his Lumia phone and his XBox account).
Oh, and they issue a warning about the “bogus” live.fi certificate, too.
Bonus points: Same thing happened in Belgium with live.be (h/t to the good folks at the Security Now podcast).
Root Certificate Shenanigans – What, There’s More?
Sadly, yes – but we’ll let our esteemed colleague K. Paul Mallach lay out the Case of the False Google Certificates next week – action that sprawls from China to Egypt to Mountain View, CA! And yes, Virginia – there’s certificate pinning involved!
As ever, let us know what you think, and thanks for reading!