“Quis custodiet ipsos nannies?”
Issued, by the good folks at CERT: A warning that popular and not-at-all-creepy family monitoring software NetNanny has profound security flaws. CERT notes that all installations of this program share a single root certificate (very bad) and also store that certificate's private key in plaintext, where it is trivial to obtain (almost unimaginably bad). Put the two together and anyone who lifts the key from one copy can sign a certificate for any website, and every NetNanny installation on earth will trust it: the mechanism the filter uses to look inside encrypted traffic becomes a ready-made man-in-the-middle position for whoever else holds the key.
Security Backdoors Considered Harmful, Also Mathematically Impossible
Noted, by many, many security observers and professionals: The impossibility of creating “back door access” for “good guys” only, as requested by law enforcement operatives at recent Congressional hearings. Some in Congress seem to understand the issue, like Rep. Ted Lieu (who states: “Creating a technological backdoor just for good guys is technologically stupid.”) On his blog, Lieu’s fellow Stanford CS alum and ace security researcher Jonathan Mayer lays out (in masterful detail) exactly why, apart from the considerable moral, social, legal and economic issues involved, cryptographic backdoors will not work.
“Sorry, the Subaru Forester has been sold – taking down the Craigslist ad now.”
Revealed, via a briefing given to “senior American officials”: The successful hacking of the White House’s computer system last October, with State Department systems thrown in for good measure. Only unclassified systems were compromised, but this still gave access to a trove of sensitive information, including “email archives of people inside the White House, and perhaps some outside, with whom Mr. Obama regularly communicated,” and disrupted State Department email systems during the nuclear talks with Iran in November. Russian hackers are suspected, though cards are being kept close to the vest.
Never Can Say Goodbye – But You Probably Should
Open for business, open to attack: Government computer systems in the United Kingdom, vast numbers of which still run Windows XP (including 35,000 or so in the Metropolitan Police). Microsoft ended general support for XP in April 2014, so without a paid custom-support agreement those machines get no fixes for newly discovered vulnerabilities at all. As noted by UK tech site v3.co.uk: “The government has not renewed its £5.5m Windows XP support deal with Microsoft despite thousands of computers across Whitehall still running the ancient software, leaving them wide open to cyber attacks.”
21st Century Browsers Adopting 21st Century Security
Stepping up to the plate: Both Google and Mozilla, with positive decisions made by each this week to increase security in their products. The Mozilla folks (after another one of those “robust discussions” they specialize in) plan to phase out non-secure HTTP in future versions of Firefox, meaning “new features will be available only to secure websites” and existing browser features will gradually be withdrawn from sites served over plain HTTP. Meanwhile, Google has just introduced Password Alert, a free Chrome extension that warns you when you type your Google password into a page that is not a Google sign-in page, the tell-tale sign of a phishing attempt; it compares what you type against a stored hash of the password rather than keeping the password itself. (Fun fact: according to Google, 2 percent of messages to Gmail are phishing attempts.)
Please Do Not Ignore Your Certificate Renewal Notice, Pt. XXXVII
Temporarily throwing warning signs: Instagram’s website, after its SSL certificate expired on April 30th. Kudos to Instagram for fixing the issue quickly (and it never affected the mobile apps at all), but this can happen to anybody, including the London Metropolitan Police crime reporting site and Google. The lesson is the same every time: put every public certificate's expiry date under monitoring, alert weeks ahead of it rather than the morning after, and automate renewal instead of relying on a reminder landing in someone's inbox.
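The NetNanny item and the Instagram item above are two sides of the same object, the X.509 certificate, so one small Go program can demonstrate both points. It is an added example, not code from CERT, NetNanny, Instagram or any other party named on this page, and it uses Go's standard library only. It builds a throwaway root CA standing in for the single shared NetNanny root (the CA name and the hostnames are hypothetical), mints a certificate for an arbitrary site with the CA's private key to show that any client trusting that root accepts it, and then runs the expiry check a renewal monitor should have been running on Instagram's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a random 128-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA builds a self-signed root valid from now-1h to now+10y. It stands in for
// the one root certificate every installation shares; the returned private key
// plays the part of the key that sits in plaintext on every machine.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example Filtering Root CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// forgeLeaf signs a server certificate for host with the CA key. Anyone holding
// the leaked key can do exactly this for any hostname they choose.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedFor reports whether a client that trusts root would accept leaf for
// host at time now: nil means accepted, otherwise the verification error.
func trustedFor(root, leaf *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// daysUntilExpiry returns whole days until NotAfter (truncated toward zero).
func daysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// expiryStatus is the check a renewal monitor runs: "EXPIRED" once NotAfter has
// passed, "EXPIRING" within warnDays of it, "OK" otherwise.
func expiryStatus(c *x509.Certificate, now time.Time, warnDays int) string {
	switch d := daysUntilExpiry(c, now); {
	case !now.Before(c.NotAfter):
		return "EXPIRED"
	case d <= warnDays:
		return "EXPIRING"
	default:
		return "OK"
	}
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	if err != nil {
		panic(err)
	}
	// Mint a 30-day certificate for a site the CA has no business vouching for.
	leaf, err := forgeLeaf(ca, caKey, "www.example.com", now.Add(-time.Hour), now.Add(30*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("forged cert accepted for www.example.com:", trustedFor(ca, leaf, "www.example.com", now) == nil)
	fmt.Println("forged cert accepted for other.example.com:", trustedFor(ca, leaf, "other.example.com", now) == nil)
	fmt.Println("expiry status today (14-day warning):", expiryStatus(leaf, now, 14))
	fmt.Println("expiry status 31 days out:", expiryStatus(leaf, now.Add(31*24*time.Hour), 14))
}
```

Run it with `go run` and the first line prints `true`: the forged certificate chains cleanly to the shared root, which is the whole NetNanny problem in one boolean. The hostname mismatch and the post-expiry check both print `false`/`EXPIRED`, the latter being the alert that should fire well before a site starts throwing browser warnings.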