SSL.com’s Friday Security Roundup – May 22, 2015

Happy birthday, William Sturgeon! This week’s Friday Security Roundup salutes the sadly neglected English inventor who came up with a little something you might have heard of called the electromagnet. He also whipped up an early galvanometer, which led to (among other things) bar code scanners and the head-positioning servos in your DVD-ROM drive. Think of William Sturgeon next time you’re in the self-checkout line, popping in your favorite Dora the Explorer DVD, or using an electric motor. In his honor, SSL.com reviews some of the most electrifying (thank you, we’re here all week) security issues we’ve been following this week.

The Skeletal Hand of Export Controls on Encryption Reaches Out From the Grave…

Discovered and named: Logjam, yet another flaw that exploits weak, export-grade cipher suites still present in present-day systems (see also: FREAK). Found by a team of researchers from INRIA, Microsoft Research, Johns Hopkins (including cryptographer Matthew Green) and several other universities, Logjam is a legacy of the Clinton-era “crypto wars” (so it depends on deadwood in the protocols – geddit?). A man-in-the-middle can use it to downgrade a TLS connection’s Diffie-Hellman key exchange from the 1024- or 2048-bit groups servers normally use to 512-bit export-grade groups, which are breakable with a modest amount of precomputation; the researchers also argue that the most common 1024-bit groups are within reach of nation-state snoopers, and that there is evidence this has already happened. Diabolical level up: Logjam not only weakens the exploited connection – it leaves the browser believing it negotiated ordinary, higher-grade encryption, because an export-grade key exchange message looks exactly like a regular one, and the attacker, having broken the weak group, can forge the handshake’s integrity check so the downgrade goes unnoticed.

Status: Ongoing. Web and mail server operators should follow the recommendations from the good folks at weakdh.org: disable export cipher suites, prefer ECDHE, and generate a fresh, unique 2048-bit Diffie-Hellman group instead of relying on the shared defaults that ship with server software. And maybe attempt to learn lessons from history?
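As an added example (not code from SSL.com, weakdh.org or the Logjam researchers), the Python below reads a PEM Diffie-Hellman parameter file, the kind of `dhparams.pem` you would create with `openssl dhparam -out dhparams.pem 2048` and point your web server at, and grades the modulus size against the 2048-bit recommendation. It decodes the PKCS#3 DHParameter structure itself, so it needs no OpenSSL bindings. The sample moduli it builds are constructed for the size check only: they are not primes and must never be deployed. From the command line, `openssl dhparam -in dhparams.pem -text -noout` reports the same bit count.

```python
"""Grade a PEM 'DH PARAMETERS' file by modulus size (Logjam audit helper).

Added example, not from the original page. Pure-Python parser for
PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.
The sample moduli below are CONSTRUCTED (not primes); size checks only.
"""
import base64
import re

MIN_RECOMMENDED_BITS = 2048  # weakdh.org's recommendation for new groups


def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00-padded if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def build_dh_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) as a 'DH PARAMETERS' PEM block, the format openssl dhparam writes."""
    der = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_pem(pem: str):
    """Return (p, g) from a PEM 'DH PARAMETERS' block; ValueError if malformed."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, base)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_bits(pem: str) -> int:
    """Bit length of the modulus p (what 'openssl dhparam -text' reports)."""
    p, _ = parse_dh_pem(pem)
    return p.bit_length()


def assess_dh_params(pem: str) -> str:
    """Classify a DH group the way a Logjam audit would."""
    bits = dh_bits(pem)
    if bits <= 512:
        return f"EXPORT-GRADE ({bits}-bit): breakable, disable immediately"
    if bits < MIN_RECOMMENDED_BITS:
        return f"WEAK ({bits}-bit): within reach of well-resourced attackers, regenerate"
    return f"OK ({bits}-bit)"


# Constructed sample moduli (NOT primes; for the size check only).
EXPORT_PEM = build_dh_pem((1 << 511) | 1)   # 512-bit, export grade
LEGACY_PEM = build_dh_pem((1 << 1023) | 1)  # 1024-bit, the common default
STRONG_PEM = build_dh_pem((1 << 2047) | 1)  # 2048-bit, recommended size

if __name__ == "__main__":
    for name, pem in (("export", EXPORT_PEM), ("legacy", LEGACY_PEM), ("strong", STRONG_PEM)):
        print(f"{name}: {assess_dh_params(pem)}")
```

Run it over the parameter file your server actually loads, and over any operating-system or distribution defaults you may be inheriting without realising it: a 1024-bit result is the "legacy" case the researchers consider within nation-state reach, and anything at or below 512 bits is the export-grade material Logjam downgrades to.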

…So Let’s Just Try That Again, Shall We?

Recommended, by the US Bureau of Industry and Security: implementation of the Wassenaar Arrangement export controls that many security experts believe will criminalize legitimate research tools due to a very broad definition of “intrusion software.” The WA rules (adopted by the Arrangement’s participating states in December 2013) are apparently aimed at surveillance software vendors like FinFisher, whose products are widely seen as targeting human rights activists and other perceived enemies of the state. However, as one analyst from the Electronic Frontier Foundation put it, the rules are “open to troublesome interpretation”: they could affect both standard security practices like penetration testing and up-and-coming ones like bug bounty programs.

Status: Dismayed, we have to admit. Coming on the heels of post-Sony amendments proposed to the Computer Fraud and Abuse Act, many in the field believe that legitimate efforts to test, research and improve computer security could be fatally impeded by these initiatives – while doing little or nothing to stem actual exploits. (The comment period for WA implementation runs through July 20th – the BIS guidelines for comments are here, and you may add your two cents by going to this page and clicking the “Submit a Formal Comment” button.)

Overbroad Legislation is This Year’s Teal and Black, Apparently

Noted, by Australian online publication The Conversation: possible severely negative outcomes of that nation’s newly-minted Defence Trade Controls Act, including making it illegal to teach encryption in Australian schools and universities. As author Daniel Mathews points out, the law “potentially criminalises an enormous range of legitimate research and development activity”. Open source privacy tools, research software, computer security programs, even apps included in smartphones – all are definable as “goods considered important to national defence and security” and subject to control.

Status: See “dismayed,” above. The DTCA was actually passed in 2012, but enforcement has been put on hold until next year – hopefully saner heads will rework a law that, as presently configured, would only allow outdated, weak crypto – y’know, the kind exploited by FREAK and Logjam.

This Week’s Security Breaches, Part 1 – Date Night is OFF

Reported, by Britain’s Channel 4 News: Release of information from a database hack of the internet “dating” site AdultFriendFinder. Some 4 million members, including some with deleted accounts, now have their deeply personal information loose on the dark web. Some are apparently already receiving spam related to the compromise – and given that a survey yielded profiles using .gov email addresses, expect blackmail attempts to follow. Security expert Graham Cluley notes that even after the incident was widely reported, AFF’s site includes no notice of the breach for users (let alone mandatory password resets).

Status: None too surprised (and feeling a little unclean). The hack appears to have been first noted as long ago as April 13th on the Darknet-oriented Teksecurity blog (hat tip to Ars Technica for connecting the dots) and to be related to a dispute over back payment to the hacker/leaker. Remember, kids – only use adult dating sites that pay their bills on time.

This Week’s Security Breaches, Part 2 – Blue Cross, Black Hats

Fessed up to, by the health insurance company CareFirst BlueCross BlueShield: a June 2014 compromise affecting 1.1 million members, exposing usernames, birth dates and email addresses. Affected users are getting two years of credit monitoring and a letter of apology – hey, still better than AdultFriendFinder’s (non-)reaction.

Status: We’ve been saving our weekly heavy sigh – might as well use it here. CareFirst at least is able to point out that the breach could’ve been worse – “hey, they got your username and email address, but not your SSN”. CareFirst also couches their announcement as resulting from due diligence on their part after a rash of attacks on other insurers. Given that the breach sat undetected for nearly a year and was found only in that after-the-fact review, this is somewhat like checking the barn after the rustlers have been through and proudly reporting that, sure enough, looks like a horse was indeed stolen last summer – but at least they checked.

Because We Prefer To End on a More Upbeat Note…

Released, by security human Jada Cyrus: a free ransomware rescue kit, aiming to help victims of nasty malware like TeslaCrypt, CoinVault and similar delights which lock user files and demand ransom payments to return control. Included are a suite of ransomware removal and decryption tools, and also a set of straightforward steps to follow in case of infection, starting with: “never pay the ransom“.

Status: Positive. Assuming the kit is maintained to keep up with the ongoing escalation of ransomware, Cyrus’ kit could become a standard resource for a thoroughly vexing issue. Let’s wish it well.


As always, there’s more afoot in the security universe than we have room for this week – we see we haven’t even mentioned the Symantec-reported Trojanized version of PuTTY, or the recent survey showing that two thirds of public sector workers wouldn’t report a data breach if it might make waves in their office, or even IRRITANT HORN, the newly revealed NSA plan to hack the Google app store (and first entry in our new guessing game, “NSA Project Name or World of Warcraft Artifact?“) – but check back next Friday for oh so much more.

As always, SSL.com sure appreciates your reading these words, and let us know your take on these issues.

And remember – a safer internet is a better internet.