SSL.com Security Roundup – January 22, 2016


SSL.com’s Security Roundup – January 8, 2016


SSL.com’s Security Roundup – End of 2015 Edition


Friday Security Roundup – December 18, 2015



The Morris Worm

This week marks 26 years since the conviction of Robert Tappan Morris for releasing the first widely-reported computer worm. The “Morris Worm” (or, in those simpler days, just the “Internet Worm”) was supposed to silently replicate across and map the 60000 or so hosts then making up the pre-WWW internet.

Due to some poor design decisions, Morris’ brainchild became instead the internet’s first widespread denial of service attack. The event led to the first conviction under the Computer Fraud and Abuse Act, the creation of the Computer Emergency Response Team (CERT) – and, of course, folk songs.

One of the requirements for the Morris Worm to spread? Weak and easily guessable passwords. Good thing that’s no longer the case, right?

Storm Jonas got you snowed in? Throw a brick of punch cards on the fire and settle back for a quick review of the security issues SSL.com’s been following this week.



Happy birthday, David Bowie!

Before there was, uh, whatever you kids are listening to, there was a kid from Brixton named David Robert Jones. He’s been in the music business for an eon or two – he started so long ago that he changed his name from Jones to Bowie to avoid confusion with one of the Monkees. (No, you look it up – we’re not goin’ there.)

Before there was Bitcoin, there were other alternative currencies, mostly local affairs like BerkShares, Ithaca Dollars, and the Brixton Pound – the latter of which put Mr. Bowie’s face on their tenner as a tribute to a local boy made good.

Connection with digital security? Minimal at best!

Excuse for the Security Roundup to salute “the best-dressed Briton in history”? Taken!

Here’s some of what we’ve been following this week at SSL.com – enjoy!



It’s the end of 2015, and SSL.com’s End-of-Year Security Roundup takes a quick trot past some of the most interesting, dire and memorable occurrences in the field of information security of the past year. We certainly hope everyone has a very secure 2016 – but check back with us every Friday in 2016 to find out who didn’t.

2015 SECURITY ROUNDUP

January


PUBLIC WI-FI NETWORKS REALLY ARE INSECURE – A PROOF OF CONCEPT:
 Swedish Pirate Party member sets up open (and insecure) wi-fi network at security/defence conference, collects reams of data from hundreds who connect to it.


February


INSURANCE COMPANY HACK – ANTHEM EDITION:
 Some 80 million records accessed.

KASPERSKY DETAILS EQUATION GROUP: Elite state-sponsored cybersnoops related to Stuxnet and Duqu teams profiled by security researchers.


March


INSURANCE COMPANY HACK – PREMERA EDITION:
Medical and financial information for 11 million customers stolen.


April


WHITE HOUSE EMAIL HACK:
Russian black-hats read (nonclassified) Presidential email.

BACKRONYM ATTACKS MYSQL: Defeats SSL protection on most widely used flavors of popular database.


May


NETNANNY PRACTICES POOR SECURITY HYGIENE:
Multiple profound flaws revealed in widely-used “family monitoring” software.

UBER PRACTICES REAL-TIME ENCRYPTION: As in, remotely accessing and encrypting their data during a raid by Canadian taxmen.


June


OPM – THE HACK KEEPS ON GIVING:
4 million… 11 million… 20 million current and former employees (and accredited journalists) compromised. (Bonus points: First round of victim notification only completed in December.)

GERMAN PARLIAMENT NETWORK COMPROMISED: Solution: complete shutdown and rebuild of entire network.

KASPERSKY HACK: In wake of Equation Group exposé, “Duqu 2.0” compromises security researcher’s own systems.


July


HACKING TEAM HACK:
Well-known, generally reviled hackers-for-hire hoist on cyber-petard.


August


ICANN CREDENTIAL HACK:
Master domain name organization has user profiles, email addresses and more compromised.

WHALING FOR DOLLARS: Ubiquiti wires $46 million and change to offshore accounts due to faked executive emails.


September


PENTAGON FOOD COURT HACK:
Worker bank data compromised, nuclear codes and recipe database secure.

INSURANCE COMPANY HACK – BLUECROSS/BLUESHIELD EDITION: Records for 10 million customers compromised.


October


CIA DIRECTOR’S EMAIL HACKED:
John Brennan’s AOL account compromised (repeatedly) by teenage hacker.


November


DELL PULLS SUPERFISH 2.0:
 Computer manufacturer pulls a Lenovo, slips bad SSL certificate onto multiple machines.


December


VTECH AND MATTEL MAKE VERY INSECURE TOYS:
Hello Barbie and electronic toys made by VTech prove to have deeply troubling security flaws.

JUNIPER BACKDOOR WEDGED OPEN: Parties unknown find and exploit an existing, intentional security hole in Juniper devices.


As always, we appreciate your reading these words, and hope you have a terrific new year. And remember what we truly believe here at SSL.com – a safer internet is a better internet.

SHA-1 – Heading For the Graveyard

As we’ve reported before, SHA-1’s demise has been certain for a decade – it was shown to be theoretically vulnerable to attack as early as 2005. Current plans drawn up by the CA/B Forum (the industry’s trade association) will halt creation of new SHA-1 certificates as of January 1, 2016 and deprecate all SHA-1 certificate use by January 1, 2017.

Recent studies now suggest that SHA-1 will be compromised much sooner – and more affordably – than previously thought. Google and other technology companies are thus considering moving up their retirement deadlines. (A draft CA/B Forum proposal to allow limited SHA-1 certificate issuance through the end of 2016 was also put to rest – security cognoscenti want SHA-1 off the board as soon as humanly possible.)

Google’s Accelerated Retirement Plan

Google plans a two-step process. In the first stage (already underway), SHA-1 certificates encountered by Chrome are flagged with warning messages and display cues. The second – complete rejection of all SHA-1 certificates – may be brought forward six months, to July 1, 2016.

Both Mozilla and Microsoft are also considering this accelerated deadline for their browsers, while CloudFlare and Facebook are setting up workarounds for the small percentage of their users who have no alternative to SHA-1 certificates.

Check back with SSL.com – we’ll keep you up to date as this story develops.

Happy birthday, HTML 4.0!

There were earlier versions of Tim Berners-Lee’s HyperText Markup Language dating back to 1993, and a lot of folks upstream who contributed concepts to what became HTML (from Vannevar Bush to Jorge Luis Borges) – but today marks exactly eighteen years since the specs were released for HTML 4.0.

The first web server – yes, it IS a NeXT box. Good eye.

That version (well, the tweaked 4.01) is what the world wide web was built on, and everything we can do with and on the Internet today is only possible because HTML 4 proved robust, scalable and almost ridiculously extensible – and of course, because it can be secured by SSL/TLS.

Berners-Lee’s baby is still evolving, and the latest implementation (HTML5) introduces both new abilities and new security issues, sometimes in the same feature – but you can trust SSL.com to be here to help you navigate the evolving security landscape… and of course to report on what security issues we’ve been following this week.

Image: Robert Scoble, Wikimedia Commons

