SSL.com’s Friday Security Roundup – May 15, 2015


It’s May 15th – which, as you no doubt already know, is both the 45th anniversary of the selection of the first two female generals in the U.S. Army and the 94th anniversary of the Winnipeg General Strike. (Both of these historical turning points should be taught in schools – if only to allow for some pretty fun dioramas.) SSL.com brings you the Friday Security Roundup – because whether you decide to take to the streets or rise to command, we believe knowledge is power.

Gotta Have an Acronym, Part One: The VENOM Virtual Machine Issue

Reported, by security research team CrowdStrike: VENOM, which exploits a legacy vulnerability in VMs (floppy drive support, of all things) to potentially seize control of a virtual machine’s software container, break out to attack other containers on the same server, and even (depending on the environment) capture vital information server- and/or network-wide. Legacy issues are always tricky to fix and even to assess for potential impact (Y2K may have been a famously damp squib, but we are expecting great things from the 2038 bug).

Status: Not yet seen in the wild (as far as we know) and a patch is already in place. What’s most interesting here to us is the wide range of opinion on VENOM’s severity, from overhyped (“It’s no HEARTBLEED!”) to massive (“Bigger than HEARTBLEED!”) to one security expert noting that VENOM is “a perfect bug for the NSA.” No matter what, if you work in a virtual environment, it’s a good idea to contact your provider and ask how they’re addressing VENOM. (If they have no idea what you’re talking about you might consider changing providers.)

Gotta Have an Acronym, Part Two: The BACKRONYM MySQL Issue

Identified (and very consciously hyped) by security firm Duo Labs: BACKRONYM, an exploit which can “silently negotiate away” SSL/TLS protection by manipulating connection settings on older versions of MySQL. This would allow bad apples to collect data sent in the clear but thought to be encrypted – generally considered a Very Bad Thing.

Status: Fixed, as of MySQL 5.7.3 – unfortunately, due to the turning-the-supertanker effect when older software is widely used, the majority of MySQL instances out there are 5.5/5.6. The good folks at Oracle provide methods to mitigate BACKRONYM in older installations while noting these “were unfortunately not referenced in the advisory,” no doubt while suppressing a heavy, heavy sigh.
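The BACKRONYM failure mode is a client that believes it asked for TLS while the server-side session was actually negotiated in the clear. One defensive check that works on any MySQL version is to ask the server, after connecting, which cipher it thinks the session is using: MySQL exposes this in the `Ssl_cipher` status variable, and an empty value means plaintext. The snippet below is an added example, not code from the original post or from Oracle or Duo Labs; the `FakeCursor` is a constructed stand-in for a DB-API cursor so the check runs offline.

```python
# Added example (not from the original post): verify after connecting that a
# MySQL session is really TLS-protected, rather than trusting the client-side
# option that BACKRONYM could silently negotiate away.


class TlsNotNegotiated(RuntimeError):
    """Raised when a session that should be encrypted is running in the clear."""


def fetch_ssl_cipher(cursor):
    """Return the negotiated TLS cipher for this session, or '' if none.

    `cursor` is any DB-API style cursor (e.g. mysql.connector or PyMySQL);
    the server answers with a (Variable_name, Value) row.
    """
    cursor.execute("SHOW STATUS LIKE 'Ssl_cipher'")
    row = cursor.fetchone()
    return (row[1] if row else "") or ""


def require_tls(cursor):
    """Abort unless the server reports a non-empty Ssl_cipher; return the cipher."""
    cipher = fetch_ssl_cipher(cursor)
    if not cipher:
        raise TlsNotNegotiated("MySQL session is not TLS-protected; refusing to continue")
    return cipher


class FakeCursor:
    """Constructed stand-in cursor (hypothetical) returning the same row shape a
    real MySQL driver would, so the check can be exercised without a server."""

    def __init__(self, cipher):
        self._cipher = cipher
        self._row = None

    def execute(self, sql):
        if sql != "SHOW STATUS LIKE 'Ssl_cipher'":
            raise ValueError("FakeCursor only answers the Ssl_cipher query")
        self._row = ("Ssl_cipher", self._cipher)

    def fetchone(self):
        return self._row


def session_is_safe(cipher_reported):
    """True if a session whose server reports `cipher_reported` passes the check."""
    try:
        require_tls(FakeCursor(cipher_reported))
        return True
    except TlsNotNegotiated:
        return False
```

With a real driver, call `require_tls(conn.cursor())` immediately after `connect()` and before sending any credentials or data; a plaintext session raises instead of quietly continuing.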

And about that advisory…we totally salute the Duo Labs meta-commentary on How We Handle Security Issues Circa Now – particularly how a catchy acronym and a breathless tone of impending doom have become de rigueur for security alerts. However, we had to re-read their press release a couple of times to make sure this was a report of an actual issue and not an elaborate prank – a condition which we hereby name the PRANK Effect (for Press Release Assessment Needed, ‘K?).

(Also, your haiku lacks a kigo, guys – see us after class.)

So There IS Such a Thing As Oversharing Wedding Photos – We Thought It Was Just Us

Disclosed, by security log Privacy Log: A design flaw (to put it as kindly as possible) on the website of Artisan State, a publisher (primarily of wedding keepsake books) that allowed pretty much anyone to access any photograph uploaded to the site…of which there are some eight million or so as of this date.

Status: Fixed, but, as Privacy Log notes, not completely fixed until the issue was publicly disclosed. Security experts like Bruce Schneier come down on the side of disclosure (and we tend to agree), but this can be a risky strategy, since the powers that be may react very negatively to such disclosures. (Note: Privacy Log reports that they held off disclosure for two months to allow Artisan State to correct the issue.) Schneier notes that software vulnerabilities are usually treated as a public relations issue instead of a security problem – his solution: “make the PR problem more acute”. Seems to have worked here.

Creepy Spyware Vendors Need Full Disk Encryption, too

Uploaded to the dark web: Information apparently lifted from the database of mSpy, makers of absolutely-non-creepy software designed to secretly track and record cellphone activity. According to investigative reporter Brian Krebs, the information includes “a huge trove of data apparently stolen from the company’s servers…exposing countless emails, text messages, payment and location data”. The most disturbing point here is that the information was itself almost certainly collected without the consent or knowledge of the phone users themselves, and Krebs is steadfast (and we think utterly correct) in disclosing the compromise but not promulgating the information revealed.

Status: Creeped out, natch – mSpy got a shoutout in a recent NPR story as software much favored by stalkers and domestic abusers. mSpy itself has not replied to requests for information from Krebs as of this writing (although the comments of his original post include apparent transcripts from chat sessions with mSpy L1 support).

And as with NetNanny when they had their own little security fail the other week, if what you’re selling is such super-secret spy stuff, you should really be encrypting the disks on your servers.

“Brazilian Botnet” Isn’t In the Urban Dictionary. Yet.

Possessed, by hacker or hackers unknown: Some tens of thousands of poorly-secured routers to form a mighty botnet. Reported by security firm Incapsula, who chose not to give the exploit a catchy acronym, the ‘net infects mostly routers in Brazil and Thailand, though command and control appears to come largely from locations in China and the US. This botnet is self-replicating – each infected device runs shell scripts to seek out and take over other similar devices (SkyNet, next three exits?) The good news: Only routers using default factory settings (wide-open ports, default username/password combos) are vulnerable. The bad news: The vast majority of routers turn out to be using those settings.

Status: Our default reaction (yet another heavy sigh) when reporting on poor default security. Let’s just state it once more, and clearly: leaving a vulnerable internet-connected device open to remote access with default username/password combos is, in 2015, the equivalent of painting the words “KEY UNDER MAT” across the front door of your house.

As always, there’s more afoot in the security universe than we can cram into one roundup – we see we haven’t even touched on APT 17’s shenanigans on Microsoft’s Technet, or mentioned why Penn State shut down internet access campus-wide, or even Jamie Oliver’s latest serving of WordPress malware (third in a series!) – but do check back with us next Friday for more. As always, we appreciate your reading these words, and remember – a safer internet is a better internet.