Tag Let's Encrypt

InfoSec Week 1, 2019

Let's Encrypt recapitulated the last year in the operation of their ACME based certification authority, and summarized the challenges that they will work on in 2019.
They intend to deploy multi-perspective validation, checking multiple distinct Autonomous Systems for domain validation, preventing potential BGP hijacks. They also plan to run own Certificate Transparency (CT) log.

According to the consultant Nathan Ziehnert, "CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets."

Great blog by Artem Dinaburg, where he is resurrecting 30 years old fuzzing techniques from the famous research papers to run them on on the current Linux distro. Successfully.

An article by Wired about the fake murder for hire services on dark web and a freelance security researcher that took them down. As it turned out, some clients killed their targets themselves.

Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.

The European Union starts running bug bounties on Free and Open Source Software.

Foxit Readers' proof of concept exploit for the Use-After-Free vulnerability (CVE-2018-14442) was published on Github.

Attacker launched multiple servers that return an error message to the connected Electrum clients, which then turn them into a fake update prompt linking to a malware.

Adam Langley published blog about the zero-knowledge attestation when using FIDO based authentication. It could prevent a single-vendor policy some sites started to require.

Interesting blog post by Wouter Castryck on "CSIDH: post-quantum key exchange using isogeny-based group actions".

The security researcher Bruno Keith published a a proof of concept for a remote code execution vulnerability in Microsoft Edge browser (CVE-2018-8629).

If you are interested in older car hacking/tuning, check this article about overcoming the speed limitation on an old Japanese Subaru Impreza STi.

Jonathan “smuggler” Logan published study on the future of black markets and cryptoanarchy named "Dropgangs, or the future of darknet markets".

InfoSec Week 32, 2018

A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.

According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.

A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.

GDPR and other cookie consent scripts are used to distribute malware.

Interesting blog on how criminals in Iran make money by creating Android malware apps.

Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!

There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.

Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.

Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...

A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.

Nice introduction on how to fuzz TCP servers by Robert Swiecki.

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.