The Morris Worm This week marks 26 years since the conviction of Robert Tappan Morris for releasing the first widely-reported computer worm. The “Morris Worm” (or, in those simpler days, just the “Internet Worm”) was supposed to silently replicate across and map the 60000 or so hosts then making up the pre-WWW internet. Due to some …
Happy birthday, David Bowie! Before there was, uh, whatever you kids are listening to, there was a kid from Brixton named David Robert Jones. He’s been in the music business for an eon or two – he started so long ago that he changed his name from Jones to Bowie to avoid confusion with one of …
It’s the end of 2015, and SSL.com’s End-of-Year Security Roundup takes a quick trot past some of the most interesting, dire and memorable occurrences in the field of information security of the past year. We certainly hope everyone has a very secure 2016 – but check back with us every Friday in 2016 to find out who …
Google plans to retire SHA-1 certificates – and it may be sooner than anticipated.
Happy birthday, HTML 4.0! There were earlier versions of Tim Berners-Lee’s HyperText Markup Language dating back to 1993, and a lot of folks upstream who contributed concepts to what became HTML (from Vannevar Bush to Jorge Luis Borges) – but today marks exactly eighteen years since the specs were released for HTML 4.0. That version (well, …
2015 SECURITY ROUNDUP
PUBLIC WI-FI NETWORKS REALLY ARE INSECURE – A PROOF OF CONCEPT: Swedish Pirate Party member sets up open (and insecure) wi-fi network at security/defence conference, collects reams of data from hundreds who connect to it.
INSURANCE COMPANY HACK – ANTHEM EDITION: Some 80 million records accessed.
KASPERSKY DETAILS EQUATION GROUP: Elite state-sponsored cybersnoops related to Stuxnet and Duqu teams profiled by security researchers.
INSURANCE COMPANY HACK – PREMERA EDITION: Medical and financial information for 11 million customers stolen.
WHITE HOUSE EMAIL HACK: Russian black-hats read (nonclassified) Presidential email.
BACKRONYM ATTACKS MYSQL: Defeats SSL protection on most widely used flavors of popular database.
NETNANNY PRACTICES POOR SECURITY HYGIENE: Multiple profound flaws revealed in widely-used “family monitoring” software.
UBER PRACTICES REAL-TIME ENCRYPTION: As in, remotely accessing and encrypting their data during a raid by Canadian taxmen.
OPM – THE HACK KEEPS ON GIVING: First 4 million, then 11 million, then 20 million current and former employees (and accredited journalists) compromised. (Bonus points: First round of victim notification only completed in December.)
GERMAN PARLIAMENT NETWORK COMPROMISED: Solution: complete shutdown and rebuild of entire network.
KASPERSKY HACK: In wake of Equation group expose, “Duqu 2.0” compromises security researcher’s own systems.
HACKING TEAM HACK: Well-known, generally reviled hackers-for-hire hoist on cyber-petard.
ICANN CREDENTIAL HACK: Master domain name organization has user profiles, email addresses and more compromised.
WHALING FOR DOLLARS: Ubiquiti wires $46 million and change to offshore accounts due to faked executive emails.
PENTAGON FOOD COURT HACK: Worker bank data compromised, nuclear codes and recipe database secure.
INSURANCE COMPANY HACK – BLUECROSS/BLUESHIELD EDITION: Records for 10 million customers compromised.
CIA DIRECTOR’S EMAIL HACKED: John Brennan’s AOL account compromised (repeatedly) by teenage hacker.
DELL PULLS SUPERFISH 2.0: Computer manufacturer pulls a Lenovo, slips bad SSL certificate onto multiple machines.
VTECH AND MATTEL MAKE VERY INSECURE TOYS: Hello Barbie and electronic toys made by VTech prove to have deeply troubling security flaws.
JUNIPER BACKDOOR WEDGED OPEN: Parties unknown find and exploit an existing, intentional security hole in Juniper devices.
As always, we appreciate your reading these words, and hope you have a terrific new year. And remember what we truly believe here at SSL.com – a safer internet is a better internet.
SHA-1 – Heading For the Graveyard
As we’ve reported before, SHA-1’s demise has been certain for a decade – it was shown to be theoretically vulnerable to attack as early as 2005. Current plans drawn up by the CA/B Forum (the industry’s trade association) will halt creation of new SHA-1 certificates as of January 1, 2016 and deprecate all SHA-1 certificate use by January 1, 2017.
Recent studies now suggest that SHA-1 will be compromised much sooner – and more affordably – than previously thought. Google and other technology companies are thus considering moving up their retirement deadlines. (A draft CA/B Forum proposal to allow limited SHA-1 certificate issuance through the end of 2016 was also put to rest – security cognoscenti want SHA-1 off the board as soon as humanly possible.)
Google’s Accelerated Retirement Plan
Google plans a two-step process. In the first stage (already underway), SHA-1 certificates encountered by Chrome are flagged with warning messages and display cues. The second – complete rejection of all SHA-1 certificates – may be brought forward six months, to July 1, 2016.
Both Mozilla and Microsoft are also considering this accelerated deadline for their browsers, while CloudFlare and Facebook are setting up workarounds for the small percentage of their users who have no alternative to SHA-1 certificates.
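To see which of your own certificates the plan above affects, here is an added example (not SSL.com’s code) that reads the signatureAlgorithm OID straight out of a DER-encoded certificate with no external libraries and maps it onto Chrome’s two stages using the proposed July 1, 2016 hard-fail date. The two sample certificates are hand-built DER skeletons with the tbsCertificate stubbed out, constructed so the script runs offline; point signature_oid() at a real DER file to check a live certificate.

```python
from datetime import date

# Signature-algorithm OIDs built on SHA-1 (RFC 3279).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsa-with-sha1",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
CHROME_REJECT_DATE = date(2016, 7, 1)   # proposed accelerated hard-fail date from the article

def _read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm (second element of the Certificate SEQUENCE)."""
    _, cert, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)            # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)

def sha1_status(der, today_iso):
    """'ok' if not SHA-1 signed; 'warn' during Chrome's stage 1; 'reject' from stage 2."""
    if signature_oid(der) not in SHA1_SIG_OIDS:
        return "ok"
    return "reject" if date.fromisoformat(today_iso) >= CHROME_REJECT_DATE else "warn"

# Constructed samples (not real certs): stub tbsCertificate, real AlgorithmIdentifier, stub BIT STRING; OID last byte 05 = SHA-1, 0b = SHA-256.
SAMPLE_SHA1_DER = bytes.fromhex("3017 30020500 300d06092a864886f70d0101050500 030200ff")
SAMPLE_SHA256_DER = bytes.fromhex("3017 30020500 300d06092a864886f70d01010b0500 030200ff")

if __name__ == "__main__":
    for name, der in (("sha1", SAMPLE_SHA1_DER), ("sha256", SAMPLE_SHA256_DER)):
        print(name, signature_oid(der), sha1_status(der, "2016-07-01"))
```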
Check back with SSL.com – we’ll keep you up to date as this story develops.