Security Roundup - 2017-09-29


Another year, another DerbyCon. And less than a week later, videos are already up!

Adobe PSIRT publishes their private GPG key. Sometimes you get overzealous with copy and paste, and bad things happen. This is one of those times. Adobe’s PSIRT has since published a new public key for contacting them. The article also laments the state of secure email, and the fact that the PGP creator can’t use encrypted mail on his iPhone.

NIST is looking for post-quantum cryptography. The high level of research around quantum computing is helping drive conversations about what cryptography needs to look like in a future where today’s implementations could be trivially brute-forced. Announced candidate suites have now been listed.

Google makes moves to secure more of the web. HTTP Strict Transport Security (HSTS) is a mechanism by which a site instructs the browser to force an upgrade to HTTPS for that site. While this is generally applied per domain and subdomain, Google has expanded the scope by adding domain suffixes they control to the preload list, effectively stating that all content under .google, .foo and .dev must be encrypted; this is sure to be rolled out to all 45 of the TLDs they control.

Car tracking data leaks online. Demonstrating that data leaks from the oddest places, records from a car tracking service have been leaked online. The archive contains vehicle identification numbers, emails, passwords and more. All of the tracking data is also accessible, meaning these users’ movements over 120 days were exposed.

ShadowPad shows the increased danger of supply chain attacks. Hot on the tail of the CCleaner incident, Kaspersky has identified a similar malicious payload injected into workstation management software from NetSarang. Malware authors continue to bank on legitimate apps being trusted, abusing that trust to trojan-horse in their own software. In this case, the reward proved all the greater, given that the abused tool happens to be able to execute commands on remote machines within the network.

Patterns are less secure than PINs. A new study shows that it’s easier for people to remember a pattern than a string of digits when shoulder-surfing. What it fails to mention is that there is an inherent complexity reduction when using patterns: you have to move to an adjoining segment of the screen, which rules out options that are available with a PIN. For example, if you are required to keep your finger on the touchscreen, from the number ‘1’ you can’t get to 3, 6, 7, 8, 9 or 0, all of which are available when using a PIN.
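To put a number on that complexity reduction, here is an added example (not code from the study or from this roundup) that enumerates every valid 3x3 pattern and compares the key space with a numeric PIN of the same length. It assumes the rule Android actually enforces, which is slightly looser than pure adjacency: a dot may be visited once, and a stroke may not pass over a dot that has not already been visited, so knight-like moves such as 1 to 6 are allowed while 1 to 3 is not until 2 has been used.

```python
"""Key space of an Android-style 3x3 pattern lock versus a numeric PIN.

Added example, not code from the linked study. Assumes the rule Android
enforces: dots are visited at most once and a stroke may not pass over a
dot that has not been visited yet (the dot halfway along the stroke must
already be part of the pattern). Dots are numbered 1..9 row by row.
"""
from math import log2

# dot number -> (row, col)
GRID = {d: ((d - 1) // 3, (d - 1) % 3) for d in range(1, 10)}


def dot_between(a, b):
    """Dot lying exactly halfway between a and b, or None if there is none."""
    (r1, c1), (r2, c2) = GRID[a], GRID[b]
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None  # adjacent or knight-like move (e.g. 1 -> 6): nothing skipped
    return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2 + 1


def next_moves(path):
    """Dots that may legally follow the partial pattern `path`."""
    last = path[-1]
    return {d for d in GRID if d not in path
            and (dot_between(last, d) is None or dot_between(last, d) in path)}


def count_patterns(min_len=4, max_len=9):
    """Number of valid patterns for each length in [min_len, max_len]."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(path):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) < max_len:
            for d in next_moves(path):
                walk(path + (d,))

    for start in GRID:
        walk((start,))
    return counts


def compare(min_len=4, max_len=9):
    """Per length: (patterns, PINs of that length, bits of entropy given up)."""
    pats = count_patterns(min_len, max_len)
    return {n: (pats[n], 10 ** n, round(log2(10 ** n / pats[n]), 2)) for n in pats}


if __name__ == "__main__":
    for n, (p, pin, lost) in compare().items():
        print(f"length {n}: {p:>7} patterns vs {pin:>10} PINs ({lost} bits weaker)")
```

Across lengths 4 through 9 there are 389,112 valid patterns in total, versus 10,000 four-digit PINs alone; from a corner dot with nothing yet drawn only five next moves exist, against ten digits for a PIN.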

New Broadcom exploit allows for remote code execution. On the heels of Broadpwn, there’s a new attack on Broadcom chipsets. The subsystem that allows rapid access point switching on the Broadcom chip does not check the bounds of a write, allowing an out-of-bounds write and possible remote code execution. A working example for iOS 10.3 on iPhone 7 hardware is attached to the article.

conferences cryptography exploits leaks ransomware