’s Friday Security Roundup – May 1, 2015


Happy May Day! (“Red root?” “Green root?” Just don’t get fooled by a fake root.) It’s the International Workers’ Day edition of the Friday Security Roundup, where reviews some of the security issues that we’ve been following this week.

“Quis custodiet ipsos nannies?”

Issued, by the good folks at CERT: A warning that popular and not-at-all-creepy family monitoring software NetNanny has profound security flaws. CERT notes that all installations of this program share a single security certificate (very bad) and also store the certificate’s private key in plaintext, where it is trivial to obtain (almost unimaginably bad).

: Aghast. Systems like NetNanny and some antivirus programs basically perform an ongoing man-in-the-middle attack in order to function – this is a questionable design model at the best of times, and if done poorly or thoughtlessly allows for wildly awful outcomes like SuperFish. Best suggested workaround by CERT: uninstall NetNanny.

Security Backdoors Considered Harmful, Also Mathematically Impossible

Noted, by many, many security observers and professionals: The impossibility of creating “back door access” for “good guys” only, as requested by law enforcement operatives at recent Congressional hearings. Some in Congress seem to understand the issue, like Rep. Ted Lieu, who states: “Creating a technological backdoor just for good guys is technologically stupid.” On his blog, Lieu’s fellow Stanford CS alum and ace security researcher Jonathan Mayer lays out (in masterful detail) exactly why, apart from the considerable moral, social, legal and economic issues involved, cryptographic backdoors will not work.

: Gravitating towards the adults in the discussion. Math trumps wishes, as security guru Bruce Schneier told The Register: “I can’t create mathematics that works differently in the presence of a particular legal piece of paper. Math just doesn’t work that way.” Perhaps we should recall the last effort by the US government to limit encryption, in the 1990s, which led to widespread mistrust of US products abroad and (eventually) to our pal the FREAK vulnerability – and whatever happened to the Clipper chip?

“Sorry, the Subaru Forester has been sold – taking down the Craigslist ad now.”

Revealed, via a briefing given to “senior American officials”: The successful hacking of the White House’s computer system last October, with State Department systems thrown in for good measure. Only unclassified systems were compromised, but this still gave access to a trove of sensitive information, including “email archives of people inside the White House, and perhaps some outside, with whom Mr. Obama regularly communicated,” and disrupted State Department email systems during the nuclear talks with Iran in November. Russian hackers are suspected, though cards are being kept close to the vest.

: Reminded that anybody can be hacked. (Also, have you ever maybe considered full disk encryption for your archives, guys? Just thinking out loud here.)

Never Can Say Goodbye – But You Probably Should

Open for business, open to attack: Government computer systems in the United Kingdom, vast numbers of which still use Windows XP (including 35,000 or so in the Metropolitan Police Department). As a UK tech site noted: “The government has not renewed its £5.5m Windows XP support deal with Microsoft despite thousands of computers across Whitehall still running the ancient software, leaving them wide open to cyber attacks.”

: Feeling the pain – XP is probably the only OS Microsoft ever released with something resembling a fan base (cf. Service Pack 4) – but Microsoft killed official XP support for normal humans back in 2014, and the UK’s service contract was long known to be ending in April 2015. Institutional change is awfully difficult, but c’mon – the only folks still clinging to XP are the UK Government, the guys running Fukushima, most ATMs…and 16.94 percent of the internet?

21st Century Browsers Adopting 21st Century Security

Stepping up to the plate: Both Google and Mozilla, with positive decisions made by each this week to increase security in their products. The Mozilla folks (after another one of those “robust discussions” they specialize in) plan to phase out non-secure HTTP in future versions of Firefox, meaning “new features will be available only to secure websites” and insecure features will be gradually removed. Meanwhile, Google has just introduced Password Alert, a free Chrome extension designed to alert users to bogus attempts to capture Google account login info. (Fun fact: according to Google, 2 percent of messages to Gmail are phishing attempts.)

: Applauded. Sure, we’re biased – but we agree with Mozilla that SSL/TLS is now a mature-enough technology (and the background threat is now high enough) that browsers shouldn’t treat security as an option. Google’s fix, while more narrowly focused, helps address a massive threat vector for millions of their users. In both cases, the overriding idea is to weave security seamlessly into the browser’s functionality. We concur.

Please Do Not Ignore Your Certificate Renewal Notice, Pt. XXXVII

Temporarily throwing warning signs: Instagram’s website, due to their SSL certificate expiring on April 30th. Kudos to Instagram for fixing the issue quickly (and it never affected mobile apps at all) – and this can happen to anybody, including the London Metropolitan Police crime reporting site and Google.

: customers can customize their account to send up to five expiration notices on whatever schedule they require. Just sayin’.
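For readers who would rather not rely on a renewal email at all, here is an added example (not code from this roundup or from any certificate vendor) of the kind of multi-threshold expiry monitor described above: it reads a certificate’s `notAfter` value in the format Python’s `ssl.getpeercert()` returns, and reports which of up to five configurable notice thresholds have been crossed. The five-step schedule, the sample expiry date and the clock value are constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed notice schedule: days before expiry at which a notice is due.
# The page mentions "up to five" notices; the actual days are an assumption.
DEFAULT_SCHEDULE = (60, 30, 14, 7, 1)


def seconds_left(not_after: str, now: datetime) -> float:
    """Seconds until expiry for a notAfter string such as 'Apr 30 23:59:59 2015 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds()


def notices_due(not_after: str, now: datetime, schedule=DEFAULT_SCHEDULE, already_sent=()):
    """Return the schedule thresholds (in days) that have been crossed but not yet sent.

    Returns ['EXPIRED'] once the certificate is past its notAfter date, which is the
    case the Instagram outage illustrates: the monitor should never stay quiet then.
    """
    secs = seconds_left(not_after, now)
    if secs <= 0:
        return ["EXPIRED"]
    days = secs / 86400
    return [d for d in sorted(schedule, reverse=True) if days <= d and d not in already_sent]


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the live certificate's notAfter value from a TLS endpoint.

    Note: create_default_context() verifies the chain, so an already-expired
    certificate raises ssl.SSLCertVerificationError here; treat that as an alert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python expiry_monitor.py example.com  (hostname is supplied by the caller)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        not_after = fetch_not_after(target)
        print(target, "expires", not_after, "notices due:", notices_due(not_after, datetime.now(timezone.utc)))
    except ssl.SSLCertVerificationError as exc:
        print(target, "ALERT: certificate failed verification:", exc)
```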