SSL.com’s Friday Security Roundup – November 27, 2015

Happy Black Friday! Today’s Security Roundup coincides with a great American tradition – which therefore of course involves marketing, rampant consumerism and is rooted in mob action if not outright criminal activity. Readers worldwide might instead want to remember Ada Lovelace, who passed away on this date in 1852.

Widely held to be the first computer programmer, Lovelace was also the first debugger, the first to see the boundless possibilities computers could allow (and have), and most definitely the first developer to hear a version of “we’re still waiting on the hardware“.

(Ada was also the only legitimate child of the poet Lord Byron, and her mom steered her down a proto-STEM path partly to combat what she suspected were Byronic mental and/or moral issues. Useful proof to keep in mind around the holiday – all families have kooky issues, it’s not just yours.)

So remember Ada Lovelace while you knock together that dark-meat-and-stuffing sandwich, power up your personal Analytical Engine and take a look at some of the security issues that SSL.com’s been following this week.


SUPERFISH 2.0, CONTINUED

Added to the target list, by Microsoft Defender: Dell’s recently discovered and self-inflicted security threat. Defender (and other Microsoft security products) have been updated to find and remove both the wildly insecure root certificate Dell installed on several of its machines (a dire practice which we reported on earlier) and the pernicious Dell plugin that would keep reinstalling the cert even after manual removal.

Other potentially dangerous Dell root certs have since been noted (starting in the very first comment to Dell’s official response, actually) and we will definitely monitor this story and report updates on the SSL.com blog going forward.

Status: Kudos to the folks from Redmond for making the solution to this exploit so easy that even Windows users can use it. (Full disclosure: this snark was itself written on a Windows box.) However, we strongly deplore ANY move to breaking a user’s crypto, especially when it’s not related to security. Serving ads (like Lenovo) or creating a backdoor for online support (like Dell) are not sufficient reasons to sell your customers compromised products. It’s a disturbing trend and one we’ll report on as events develop.

LENOVO TRIES TO AVOID SECURITY SPOTLIGHT – GETS CAUGHT IN DELL ALBEDO

Patched, by Lenovo: Two vulnerabilities in their System Update utility which could escalate regular users to full admin access, with all the potential for mayhem that entails. Lenovo has of course been in the news lately, with many a reference to their Superfish malware debacle earlier this year, thanks to massive reportage of Dell’s similarly awful eDellRoot unpleasantness (and see entry above).

Status: Attempted stealth update – rejected! Lenovo quietly rolled out this update a couple of weeks ago and was no doubt hoping to avoid scrutiny. Unfortunately for Lenovo, Superfish is now the go-to reference for all similar, own-goal root certificate compromises. (So maybe there is such a thing as bad publicity…)

MORE INTERNET OF INSECURE THINGS NEWS

Discovered, by security researchers SEC Consult: A plethora of embedded devices which reuse and include duplicate private keys. This is extremely poor practice, since any key cracked or discovered in one device allows black hats, bored kids and whatnot to exploit all other devices using that same key. Back in March we noted the reuse of a single very weak key in some 28,000 routers, but this report blasts past that figure. In one case a single SSL certificate hardcoded into firmware was found in more than 480,000 devices. SEC Consult’s report is an excellent, detailed look at what is exposed and how – vendors, firmware designers, developers, and even ISPs all contribute their portion to the problem, and it all adds up to the Internet of Things being, as of this writing, woefully insecure.
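The kind of reuse SEC Consult found is something a vendor or operator can catch in their own fleet with a simple audit. The following is an added example, not code from SSL.com or from SEC Consult’s report: it fingerprints the SubjectPublicKeyInfo of each device certificate (so a shared key is flagged even when the surrounding certificates differ in serial or subject) and groups devices by that fingerprint. The device names and certificates are constructed placeholders built with a minimal DER encoder; their field contents are assumptions, not real vendor firmware.

```python
import hashlib
from collections import defaultdict

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end); value excludes the header."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its raw child TLVs (headers included)."""
    pos, out = 0, []
    while pos < len(value):
        _, _, end = der_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def spki_fingerprint(cert_der):
    """SHA-256 over the SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert, _ = der_tlv(cert_der)                   # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs, _ = der_tlv(cert)                        # TBSCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return hashlib.sha256(fields[5]).hexdigest()

def shared_keys(inventory):
    """Return {fingerprint: [devices]} for every public key seen on more than one device."""
    groups = defaultdict(list)
    for device, cert_der in inventory:
        groups[spki_fingerprint(cert_der)].append(device)
    return {fp: devs for fp, devs in groups.items() if len(devs) > 1}

# Constructed sample data: structurally valid layout, placeholder contents, not real certs.
def enc(tag, payload):
    n = len(payload)
    head = bytes([tag, n]) if n < 128 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return head + payload

def sample_cert(serial, key_bytes):
    alg = enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + enc(0x05, b""))
    spki = enc(0x30, alg + enc(0x03, b"\x00" + key_bytes))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, bytes([serial]))
              + enc(0x30, b"") * 4 + spki)            # issuer/validity/subject left empty
    return enc(0x30, tbs + alg + enc(0x03, b"\x00"))

KEY_A, KEY_B = b"\x11" * 64, b"\x22" * 64
INVENTORY = [("router-1", sample_cert(1, KEY_A)), ("router-2", sample_cert(2, KEY_A)),
             ("camera-7", sample_cert(3, KEY_B))]
```

Against real firmware, feed it the DER of each device’s TLS certificate instead of the constructed ones; two devices landing in the same group share a key, and therefore share a compromise.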

Status: High marks to SEC Consult for this research, very low marks to the poor form displayed by the vendors and providers cited. IoT is at once both a brave frontier of convenience and possibility and a Wild West rife with poorly thought out design, worse implementation, and multiple competing standards. Another reason we’re conducting our own in-depth look at the state of IoT security here at SSL.com – watch for more details soon.

As always, we appreciate your reading these words, and hope you have a terrific weekend. And remember what we truly believe here at SSL.com – a safer internet is a better internet.

Image: Wikimedia Commons