SSL.com’s Friday Security Roundup – May 22, 2015
The Skeletal Hand of Export Controls on Encryption Reaches Out From the Grave…
Discovered and named: Logjam, yet another flaw that exploits weak, export-grade ciphersuites still present in today’s systems (see also: FREAK). Found by a team of security researchers from Microsoft, INRIA and Johns Hopkins (including Johns Hopkins cryptographer Matthew Green), Logjam is a legacy of the Clinton-era “crypto wars” (so it depends on deadwood in the protocols – geddit?). Logjam can downgrade connections from the current standard 2048-bit key to as low as 512-bit levels and could then be (and evidence suggests, has already been) exploited by nation-state snoopers. Diabolical level up: Logjam not only weakens security on an exploited connection – it also tricks browsers into believing that safer, higher-grade encryption is being used.
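Since the practical Logjam defence is to drop export-grade ciphersuites and serve 2048-bit Diffie-Hellman groups, here is an added defender’s check (our illustration, not code from the Logjam team or from SSL.com) that reads a PEM “DH PARAMETERS” file such as `openssl dhparam 2048` produces and reports whether the group prime is export-sized; the sample moduli it feeds itself are constructed placeholders, not real primes, used only to exercise the parser and the size check.

```python
import base64
def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER; +8 keeps a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(p: int, g: int = 2) -> str:
    """Build a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { p INTEGER, g INTEGER }."""
    inner = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _der_read(buf: bytes, pos: int) -> tuple:
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem: str) -> int:
    """Return the bit length of the group prime p in a PEM DH parameters blob."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    ptag, p_bytes, _ = _der_read(seq, 0)
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not a DH PARAMETERS SEQUENCE starting with INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def logjam_risk(pem: str, minimum_bits: int = 2048) -> str:
    """Classify a DH group the way a Logjam-era hardening review would."""
    bits = dh_prime_bits(pem)
    if bits <= 512:
        return f"EXPORT-GRADE ({bits}-bit): breakable, remove it from the server"
    if bits < minimum_bits:
        return f"WEAK ({bits}-bit): regenerate at {minimum_bits} bits"
    return f"OK ({bits}-bit)"

if __name__ == "__main__":
    # Constructed placeholder moduli (NOT real primes); they only exercise the parser and size check.
    for p in (2**511 + 1, 2**1023 + 1, 2**2047 + 1):
        print(logjam_risk(make_dh_pem(p)))
```

Pointing `dh_prime_bits` at a real dhparam file from a web server tells you in one line whether that server is still offering the 512-bit groups Logjam downgrades to.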
…So Let’s Just Try That Again, Shall We?
Recommended, by the US Bureau of Industry and Security: Implementation of the Wassenaar Arrangement, which many security experts believe will criminalize legitimate research tools due to a very broad definition of “intrusion software.” The WA rules (as drawn up in December 2013 by the European Parliament) are apparently aimed at surveillance software vendors like FinFisher, whose products are widely seen as targeting human rights activists and other perceived enemies of the state. However, as one analyst from the Electronic Frontier Foundation put it, the rules are “open to troublesome interpretation” – the rules could affect both standard security measures like penetration testing and up-and-coming ones like bug bounty programs.
Overbroad Legislation is This Year’s Teal and Black, Apparently
Noted, by Australian online publication The Conversation: possible severely negative outcomes of that nation’s newly minted Defence Trade Controls Act, including making it illegal to teach encryption in Australian schools and universities. As author Daniel Mathews points out, the law “potentially criminalises an enormous range of legitimate research and development activity”. Open source privacy tools, research software, computer security programs, even apps included in smartphones – all are definable as “goods considered important to national defence and security” and subject to control.
This Week’s Security Breaches, Part 1 – Date Night is OFF
Reported, by Britain’s Channel 4 News: Release of information from a database hack of the internet “dating” site AdultFriendFinder. Some 4 million members, including some with deleted accounts, now have their deeply personal information loose on the dark web. Some are apparently already receiving spam related to the compromise – and given that a survey yielded profiles using .gov email addresses, expect blackmail attempts to follow. Security expert Graham Cluley notes that even after the incident was widely reported, AFF’s site includes no notice of the breach for users (let alone mandatory password resets).
This Week’s Security Breaches, Part 2 – Blue Cross, Black Hats
Fessed up to, by the health insurance company CareFirst BlueCross BlueShield: a June 2014 compromise involving 1.1 million users, including usernames, birth dates and email addresses. Affected users are getting two years of credit monitoring and a letter of apology – hey, still better than AdultFriendFinder’s (non-)reaction.
Because We Prefer To End on a More Upbeat Note…
Released, by security human Jada Cyrus: a free ransomware rescue kit, aiming to help victims of nasty malware like TeslaCrypt, CoinVault and similar delights which lock user files and demand ransom payments to return control. Included are a suite of ransomware removal and decryption tools, and also a set of straightforward steps to follow in case of infection, starting with: “never pay the ransom”.
As always, there’s more afoot in the security universe than we have room for this week – we see we haven’t even mentioned the Symantec-reported Trojanized version of PuTTY, or the recent survey showing that two thirds of public sector workers wouldn’t report a data breach if it might make waves in their office, or even IRRITANT HORN, the newly revealed NSA plan to hack the Google app store (and first entry in our new guessing game, “NSA Project Name or World of Warcraft Artifact?”) – but check back next Friday for oh so much more.
As always, SSL.com sure does appreciate your reading these words – let us know your take on these issues.
And remember – a safer internet is a better internet.