Security Roundup - 2017-10-20


Security Awareness Month Continues. WeLiveSecurity is doing Twitter-based Q&A sessions every Thursday. You can read their expanded answers so far here and here.

Cryptography is hard; doing it right is even harder. All of us deal with cryptographic algorithms every day: they are used to secure our most private information, like bank accounts and social security. We rely blindly on these algorithms, sure that, to become a standard, they had to pass a huge number of controls and tests. This week an important weakness was discovered in a widely used library developed by Infineon. The flaw affects the prime generation algorithm for RSA keys generated on many smartcards and embedded devices; it makes the keys prone to factorization, severely reducing the amount of time it would take to break them.

Yubikey promptly released a blog post communicating that they are working to resolve the issue and that they are replacing all the defective cards/keys, while GitHub revoked all the public keys that have been found vulnerable, stating “The above key was determined to be insecurely generated, possibly due to recently vulnerability in some hardware based SSH key generation and storage technology. We have removed it from your account to ensure that it cannot be used by any malicious users.”

As soon as this news propagated online, a gold rush to identify weak keys kicked off. We strongly suggest everyone audit their keys and replace as needed (or be paranoid and rotate them all).
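For auditing your own keys, here is a sketch of the fingerprint check that the published research on this flaw makes possible. It is an added example, not code from Infineon, Yubikey or GitHub. It assumes the publicly documented structure of the flawed primes, p = k*M + (65537^a mod M) with M a product of small primes; the function names and sample values are constructed for illustration.

```python
from math import prod

# Odd primes up to 167. Assumption from the published research: each one
# divides the primorial M used by the flawed generator at every key size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(g, p):
    """Return every residue reachable as g^k mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen


# For a flawed key, N = p*q is congruent to a power of 65537 modulo M,
# so N mod r must land in the subgroup generated by 65537 for each small r.
ALLOWED = {r: subgroup(GENERATOR, r) for r in SMALL_PRIMES}


def has_fingerprint(n):
    """True if modulus n is consistent with the flawed prime structure."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


def constructed_flawed_shape(k1, a, k2, b):
    """Build an integer with the flawed structure for testing.

    Constructed sample, NOT a real key: the two factors follow the
    k*M + (65537^a mod M) shape but are not checked for primality.
    """
    m = 2 * prod(SMALL_PRIMES)
    f1 = k1 * m + pow(GENERATOR, a, m)
    f2 = k2 * m + pow(GENERATOR, b, m)
    return f1 * f2


if __name__ == "__main__":
    flawed = constructed_flawed_shape(12345, 77, 67891, 1234)
    # Constructed counter-sample: product of two Mersenne primes.
    unrelated = (2**127 - 1) * (2**89 - 1)
    print("flawed shape flagged:", has_fingerprint(flawed))
    print("unrelated modulus flagged:", has_fingerprint(unrelated))
```

To check a real key, pass in its modulus as an integer, for example the hex value printed by `openssl rsa -pubin -in key.pem -noout -modulus`. A match means the key should be regenerated on unaffected hardware or software and rotated everywhere it is trusted.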

WiFi WPA2 vulnerabilities. Update your access points! A design flaw in the WPA2 (and WPA, but you shouldn’t be using that anyhow) protocol named KRACK has led to the ability to manipulate the handshake that sets up shared secrets between a client and access point (supplicant and authenticator in the RFC). These shared secrets are the basis for the math that keeps wireless connections secure.

DHS mandates stronger online security. This week, the DHS set out mandates both for improved email security measures, via the DMARC specification, and for all government agencies to use HTTPS for all .gov websites. The latter seems like something it would really be able to enforce if the government forces the .gov TLD to be part of the HSTS preloading list, meaning that all sites MUST use HTTPS or fail to work for users.

More Malicious Chrome Extensions. Google has been busy of late, with multiple instances of malicious Chrome extensions requiring cleanup. Google has now announced some new upcoming features designed to address this increase in abuse.

Bug Bounty Programs Recommended. The US Deputy Attorney General has recommended that companies use bug bounty programs, citing the success of the DoD's program for identifying and remediating vulnerabilities. But make sure you run your bug bounty properly! Cybellum writes up some of the perils of mismanaging your bug bounty program, where you need to make sure it is more than a PR stunt, or risk alienating the security researchers you are trying to attract.

Security Concerns In The Lowest (Common Denominator) Places. CSVs are the lowest common denominator for sharing various forms of data, and all of us probably interact with variations of them on a regular basis. But have you thought about the potential dangers of loading a CSV into a Google Sheet or Excel? This security researcher goes over some things which are possible with CSV injection attacks.

Malware and Bad Opsec. BleepingComputer gives us an interesting tale where a malware author’s real identity is discovered due to said author’s bad operational security. In an effort to sell some of his goods, the author had used his personal account, later pointing out that he was the author, linking both identities.
