Welcome to the January edition of SSL.com’s security roundup! The first month of 2021 has been pretty action-packed, news-wise. And that includes news about digital security and encryption flaws, so we rounded up a few new year’s stories for you:
NSA Issues Enterprise Encrypted DNS Recommendations
This month, the National Security Agency issued new recommendations [PDF link] concerning DNS over HTTPS (DoH) in enterprise environments. As we’ve mentioned before, DoH prevents eavesdropping on DNS queries and responses, which have historically been sent as plaintext.
Implementing DoH presents special challenges for enterprise networks. The NSA’s news release about the recommendations state that:
Even if not formally adopted by the enterprise, newer browsers and other software may try to use encrypted DNS anyway and bypass the enterprise’s traditional DNS-based defenses… While good for ensuring privacy in home networks, DoH can present risks to enterprise networks if it isn’t appropriately implemented.
…
NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver. This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information. All other DNS resolvers should be disabled and blocked.
The document also warns that DoH is “not a panacea” and urges administrators to remain vigilant against a false sense of security: “DoH does not guarantee protection from cyber threat actors and their ability to see where a client is going on the web.” The agency also notes that, if not implemented with care, DoH may interfere with companies’ own security-related traffic inspection.
Apple Removes Firewall Bypass “Feature” in macOS
Remember way back in November when Apple made the unpopular choice to allow its own apps to bypass firewalls and other third-party applications? Well, this year, Apple has decided to not to do that anymore. As reported by Ravie Lakshmanan for The Hacker News, the issue first raised eyebrows in the fall, after the release of Big Sur, and provoked warnings that the choice “was ripe for abuse… it could be leveraged by an attacker to exfiltrate sensitive data by piggybacking it on to legitimate Apple apps included on the list and then bypass firewalls and security software.” The article quotes Patrick Wardle, a principal security researcher with Jamf, about the backtrack by Apple: “After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.”
Adobe Flash Is Finally Over
Like our browsers have been warning us forever, Adobe Flash is over. Or, as Simon Sharwood’s very dramatic headline proclaims over at The Register, “That’s it. It’s over. It’s really over. From today, Adobe Flash Player no longer works. We’re free. We can just leave… Post-Flashpocalypse, we stumble outside, hoping no one ever creates software as insecure as that ever again.” As of January 12, 2021, anyone that tries to access content in Adobe’s Flash Player will see a “death notice” that leads to an “end of life general information page” where, “Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.”
As the Register article eulogizes Flash, the software was an invaluable tool for decades until its insecurity became too much to bear:
In 2005, Adobe, which by then had well and truly figured out that online content was going to be rather bigger than desktop publishing, acquired Macromedia in part to get its hands on Flash.
Doing so helped Adobe to cement its role as the de facto standard for creative tools. But Adobe also got an increasing security burden because Flash was not well built. Hackers noticed the plugin was the Swiss cheese of computer security – full of holes – and exploited the software mercilessly to infect victims around the planet with malware.
After years of assaults, and the rise of alternatives, Adobe announced the demise of Flash in July 2017, saying support will be dropped on December 31, 2020.
And now the company has made good on that promise, with a “logic bomb” in recent versions of Flash Player that have prevented the code from rendering content since January 12. Even with the ample warning, the death of Flash did cause some problems. Significantly, and weirdly, the city of Dalian in Northern China was running its railroad system with Flash. It was down for 20 hours before it got running again on a pirated version.
MalwareBytes Hit by SolarWinds Hackers
In December 2020, the SolarWinds attack made big headlines, when hackers were able to use its software distribution system to infect customer networks. This month, the security firm Malwarebytes revealed it was compromised by the same group, which compromised at least a dozen US government agencies and private companies. According to an article by Dan Goodin in Ars Technica, investigators have found that the hackers had access to some internal company emails and “no evidence of unauthorized access or compromise in any Malwarebytes production environments.” However, that doesn’t mean that the attack was inconsequential. From the article:
“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account,” Malwarebytes researcher Marcin Kleczynski wrote. “From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
Last week, email management provider Mimecast also said that hackers compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they sent and received through the company’s cloud-based service. While Mimecast didn’t say the certificate compromise was related to the ongoing attack, the similarities make it likely that the two attacks are related.
According to the article, the Malwarebytes breach is the fourth time a company has revealed it was targeted by the nation-state sponsored hackers responsible for the SolarWinds incident. In addition, a number of government agencies, which reportedly include the Departments of Defense, Justice, Treasury and the National Institutes of Health, were also targeted by the agents.
