November 2019 Security Roundup

 

Welcome to November 2019’s edition of SSL.com’s Security Roundup, where we present a selection of the month’s developments in SSL/TLS, digital certificates, and network security! In this edition, we’ll be covering:

TPM-FAIL

 

Sirgiu Gatlan at Bleeping Computer reports that a research team from the Worcester Polytechnic Institute, the University of Lübeck, and the University of California, San Diego has uncovered two vulnerabilities in Intel firmware-based TPM (fTPM) and STMicroelectronics’ TPM (Trusted Platform Module) chips.

These vulnerabilities, dubbed TPM-FAIL by the researchers, allow attackers to recover stored private cryptographic keys. On the TPM-FAIL website, the researchers state that:

We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.

The attacks demonstrated are practical, as the researchers also claim that

A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level. We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours.

Gatlan notes that “The vulnerable Intel fTPM… is used by the vast majority of computer manufacturers, including but not limited to Dell, HP, and Lenovo,” and is “also widely used by Intel Internet of Things (IoT) Platform family of products used in industry, healthcare, smart cities, and connected vehicles.”

Intel has issued a patch to their fTPM firmware to fix the TPM-FAIL vulnerabilities, and STMicroelectronics has issued a TPM-FAIL resistant TPM chip.

SSL.com’s takeaway: Anyone with your private keys can steal your identity. It is very likely that you own at least one device affected by these vulnerabilities – check with your device manufacturer for firmware upgrades.

Delegated Credentials for TLS

 

On November 1, Cloudflare announced support for Delegated Credentials for TLS, a new cryptographic protocol developed in collaboration with Facebook and Mozilla. Delegated credentials are intended to ease SSL/TLS deployment across multiple global endpoints, such as in a content delivery network (CDN). According to Cloudflare, a delegated credential is:

a short-lasting key that the certificate’s owner has delegated for use in TLS. They work like a power of attorney: your server authorizes our server to terminate TLS for a limited time. When a browser that supports this protocol connects to our edge servers we can show it this “power of attorney”, instead of needing to reach back to a customer’s server to get it to authorize the TLS connection. This reduces latency and improves performance and reliability.

Because delegated credentials are periodically pushed to the CDN’s edge servers before the previous credential expires, the system avoids the latency that is associated with pull-based protocols like Keyless SSL. You can read Facebook’s and Mozilla’s announcements about delegated credentials here and here, respectively, and get full details from the IETF draft of the specification.

SSL.com’s takeaway: We are interested in any development that facilitates the secure and efficient global implementation of SSL/TLS, and will be watching this technology closely as it develops.

IPv4 Addresses Running Out

 

RIPE (Europe’s regional internet registry) announced on November 25 that they have no more IPv4 addresses left

we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.

RIPE says that even though they are out of IPv4 addresses, they will continue to recover more in the future “from organisations that have gone out of business or are closed, or from networks that return addresses they no longer need,” and will dole them out to Local Internet Registries (LIRs) via a waiting list.

SSL.com’s takeaway: IPv6 uses 128-bit addresses, compared to IPv4’s 32 bits, resulting in 7.9×1028 times as many possible addresses as IPv4. We agree with RIPE that “without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited.”

Multiple Domain Name Registrars Breached

 

Steve Dent at Engadget reports that Web.com and it’s subsidiaries NetworkSolutions.com and Register.com were breached by attackers in late August 2019.

According to Web.com, the breach involved a “limited number of its computer systems,” that “no credit card data was compromised,” and that they do not believe that stored, encrypted passwords are vulnerable (but that customers should change them). However, the attackers may have been able to collect contact details such as “name, address, phone numbers, email addresses, and information about the services that we offer to a given account holder.”

Dent notes that the compromise of a domain name register has potentially dire consequences:

For instance, hackers once compromised the domain name registrar of a Brazilian bank and redirected users to lookalike sites that stole their credentials and installed malware. “If your DNS is under the control of cybercriminals, you’re basically screwed,” Kaspersky’s Dmitry Bestuzhev told Wired about the incident.

SSL.com’s takeaway: If you might have been affected by this breach, check your DNS records and change your password.
Thank you for visiting SSL.com, where we believe a safer Internet is a better Internet! You can contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.