SSL.com’s Friday Security Roundup – March 27, 2015


From deep in the heart of Texas (or rather its petroleum-blackened crust) it's the Friday Security Roundup! SSL.com presents a quick trot through the security issues we've been following this week:

Hotel Router a Little TOO Welcoming

Discovered by Justin W. Clarke of the security firm Cylance: hundreds of hotel Wi-Fi routers that hand root access to anyone with minimal skillz and a Linux manual open to the "rsync" chapter, because the devices expose an rsync service that asks for no authentication before letting you read and write their filesystem. Ability to read all network traffic? Access to vulnerable guest computers? Backdoor access to a hotel chain's property management software? Check, check and check.

Status: A patch has been rolled out, but a patched router is only as good as the hotel that applies it, so we'd still suggest HTTPS-only connections and perhaps a VPN on hotel Wi-Fi, to make sure the best surprise is no surprise.

Wait – First Define “Cyber”

Sparking discussion: an interesting article on the Christian Science Monitor's Passcode security blog observes that there is "a lack of consensus of what exactly should be considered a 'cyberincident'".

Status: You have to define your terms. The San Bruno pipeline explosion killed eight people and was ultimately traced back to problems during the replacement of a UPS. Cyberincident or industrial accident? The lines are getting blurred, and they should only get more interesting when the Internet of Things brings us the hackable fridge. (We suggest you secure it all.)

Mazel Tov!

Revealed by Itsik Mantin, director of security research at Imperva: another exploit that takes advantage of backwards compatibility (warning: link is to a PDF file). Just as POODLE relied on connections being downgraded to the vulnerable SSL 3.0 protocol, the "Bar Mitzvah" attack relies on the long-in-the-tooth RC4 cipher still being supported by many browsers and servers. It exploits statistical biases in RC4's keystream, and is so named because the underlying weakness has been known for thirteen years.

Status: RC4 has been in harness since the second Clinton administration; RFC 7465 (February 2015) already forbids TLS clients and servers from negotiating it, and it is slated to disappear from the next iteration of TLS altogether. Microsoft and many others have been disabling RC4 in their products, and you should consider doing the same on your servers for maximum security.
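To see why "thirteen years" is a fair label, here is an added example (not code from the SSL.com roundup or from Imperva's paper) that measures one of the 2001-era RC4 keystream biases. The Bar Mitzvah paper leans on the Fluhrer-Mantin-Shamir invariance weakness; the bias reproduced below is the simpler Mantin-Shamir single-byte bias from the same year: the second keystream byte is 0x00 about twice as often as a uniform byte would be (roughly 2/256 instead of 1/256). The keys are derived deterministically from a counter and are constructed test input, so the run is reproducible and needs no network.

```python
"""Added example: reproduce the Mantin-Shamir second-byte bias in RC4.

Keys are deterministic pseudo-random values (constructed input for the demo),
so repeated runs give the same estimate. Nothing here talks to a network.
"""
import hashlib

N_KEYS = 30000          # sample size; larger runs tighten the estimate
KEY_LEN = 16            # 128-bit keys, as in RC4_128 TLS cipher suites


def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by nbytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def sample_key(n: int) -> bytes:
    """Deterministic pseudo-random key for trial n (constructed input, not a real key)."""
    return hashlib.sha256(b"bar-mitzvah-demo-%d" % n).digest()[:KEY_LEN]


def zero_frequency(byte_index: int, n_keys: int = N_KEYS) -> float:
    """Fraction of sampled keys whose keystream byte at byte_index (0-based) is 0x00."""
    hits = 0
    for n in range(n_keys):
        if rc4_keystream(sample_key(n), byte_index + 1)[byte_index] == 0:
            hits += 1
    return hits / n_keys


def second_byte_bias(n_keys: int = N_KEYS) -> float:
    """Observed P(Z2 == 0) divided by the 1/256 a uniform keystream would give.

    Mantin-Shamir predicts about 2.0; a sound stream cipher would give about 1.0.
    """
    return zero_frequency(1, n_keys) * 256


if __name__ == "__main__":
    print("P(Z2 == 0) / (1/256) = %.2f" % second_byte_bias())
    print("P(Z3 == 0) / (1/256) = %.2f  (for comparison)" % (zero_frequency(2) * 256))
```

A bias like this is why RC4 is unsafe regardless of key length: an attacker who sees the same plaintext (a cookie, a password) encrypted under many keys can average out the keystream and recover it, which is the broadcast setting the Bar Mitzvah paper applies to TLS.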

Chain of Trust, Meet Chain of Fail

1) January, 2015. A gentleman in Finland, perhaps with too much time on his hands, discovers that his Windows Live mail service (which uses the live.fi domain) allows him to create an alias for hostmaster@live.fi. So he does.

2) As a lark/proof of concept, he uses this address to apply for a domain-validated certificate for live.fi (the equivalent of live.com here in Murica) from a major certificate authority. hostmaster@ is one of the handful of mailbox names that CAs treat as belonging to a domain's administrator, so an email to that address counts as proof of control over the domain.

3) The certificate gets issued straightaway – no muss, no fuss.

4) Man (possibly saying "Mitä helvettiä?") informs the Finnish equivalent of the FCC. No resolution.

5 through n) Man notifies the Redmond folks, several times. He receives no reply.

n+1) March 2015. Someone at Microsoft apparently returns from vacation, checks email, smacks forehead, and freezes our Finnish friend's live.fi account (along with his Lumia phone and his Xbox account).

Oh, and they issue a warning about the “bogus” live.fi certificate, too.

Bonus points: the same thing happened in Belgium with live.be (h/t to the good folks at the Security Now podcast).

Status: Much more a slipup on Microsoft's part than on the CA's, and note that this was a domain-validated cert, not an extended validation ("green bar") one. Still, the certificate authority structure depends on a chain of trust and we deplore anything that threatens it. If you run a mail service on your own domain, reserve the administrative addresses that CAs accept for domain validation (admin@, administrator@, webmaster@, hostmaster@ and postmaster@) so that no ordinary user can ever claim one.
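The two checks that would have stopped the live.fi certificate, as an added example that is not code from SSL.com, Microsoft or any CA. Email-based domain validation is permitted by the CA/Browser Forum Baseline Requirements only to five administrative local parts (admin, administrator, webmaster, hostmaster, postmaster) at the requested domain or a parent of it. So a mail provider must never let an ordinary user register those names, and a CA must accept an approver address only if it fits that rule. Both sides are modelled below; the EXTRA_RESERVED names, the plus-tag handling and the sample addresses are assumptions made for the demo, not a quotation of any provider's or CA's policy.

```python
"""Added example: provider-side and CA-side checks on DV approver addresses.

BR_APPROVER_LOCAL_PARTS is the list from the Baseline Requirements; everything
else (EXTRA_RESERVED, the '+tag' assumption, the sample data) is demo assumption.
"""
from typing import List, Tuple

# The five local parts the Baseline Requirements name for email-based validation.
BR_APPROVER_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
# Assumption for this demo: a provider may also want to reserve names that older
# CA practices or its own tooling treat as privileged.
EXTRA_RESERVED = frozenset(
    {"ssladmin", "ssladministrator", "sslwebmaster", "sysadmin", "root",
     "abuse", "security", "noc"}
)


def normalize_local_part(local: str) -> str:
    """Canonical form for comparison: trimmed, case-folded, '+tag' removed.

    Assumption: the provider delivers user+tag to user, so letting someone
    register 'hostmaster+x' would route CA mail to them just the same.
    """
    return local.strip().casefold().split("+", 1)[0]


def split_address(address: str) -> Tuple[str, str]:
    """Split 'local@domain'; the domain comes back case-folded without a trailing dot."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    return local, domain.strip().casefold().rstrip(".")


def registration_is_blocked(requested_alias: str) -> bool:
    """Provider-side check: refuse any alias whose local part a CA would treat
    as proof of domain control."""
    local, _ = split_address(requested_alias)
    local = normalize_local_part(local)
    return local in BR_APPROVER_LOCAL_PARTS or local in EXTRA_RESERVED


def authorization_domains(fqdn: str) -> List[str]:
    """The FQDN plus each parent domain, stopping short of the bare top-level label.

    Assumption: no public-suffix list is consulted, so 'shop.example.co.uk'
    would wrongly include 'co.uk'; a real CA must add that check.
    """
    labels = fqdn.strip().casefold().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def ca_may_use_approver(fqdn: str, approver_email: str) -> bool:
    """CA-side check: the approver must use a BR local part exactly (no
    sub-addressing) at the FQDN or one of its parent domains."""
    local, domain = split_address(approver_email)
    return (local.casefold() in BR_APPROVER_LOCAL_PARTS
            and domain in authorization_domains(fqdn))


if __name__ == "__main__":
    # Constructed sample requests for the demo.
    for alias in ["HostMaster@live.fi", "hostmaster+cert@live.fi", "matti@live.fi"]:
        print("%-28s blocked=%s" % (alias, registration_is_blocked(alias)))
    for fqdn, email in [("live.fi", "hostmaster@live.fi"),
                        ("www.live.fi", "admin@live.fi"),
                        ("live.fi", "hostmaster+cert@live.fi"),
                        ("live.fi", "hostmaster@live.com")]:
        print("%-12s %-26s accepted=%s"
              % (fqdn, email, ca_may_use_approver(fqdn, email)))
```

The provider-side check is the one that was missing at live.fi: the CA behaved exactly as the rules allow, which is why the fix belongs with whoever hands out mailboxes on the domain.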

Root Certificate Shenanigans – What, There’s More?

Sadly, yes  – but we’ll let our esteemed colleague K. Paul Mallach lay out the Case of the False Google Certificates next week – action that sprawls from China to Egypt to Mountain View, CA! And yes, Virginia – there’s certificate pinning involved!


As ever, let us know what you think, and thanks for reading!