Click on any headline below to jump to its summary and external news source.
Co-brandable versions (focusing on TLS & SSL, financial impacts, and miscellaneous news) are available to our Certified Partners as an .MP4 for marketing purposes or as an .M4A for podcast usage.
If you have any corrections or suggestions, please contact us.
A United Arab Emirates security vendor named DarkMatter has asked Mozilla to whitelist their certificates in Firefox's certificate store. However, following a Reuters report linking the vendor to a cyber espionage program, Mozilla and others (including the Electronic Frontier Foundation) are questioning whether whitelisting DarkMatter would enable them to quietly intercept traffic in some Linux systems. DarkMatter has a clean record as a certificate authority and has denied conducting a secret hacking operation code named Project Raven—the latter of which reportedly had contracted former US intelligence officials to spy on human rights activists, journalists, and governmental officials. The CEO of DarkMatter, Karim Sabbagh, even put it in writing: “We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality.” Selena Deckelmann, a senior director of engineering at Mozilla, countered “We don’t currently have technical evidence of misuse (by DarkMatter) but the reporting is strong evidence that misuse is likely to occur in the future if it hasn’t already.” This is new consideration territory for Mozilla, who’s been pretty active in driving security improvements for Firefox lately, but previously has relied solely on technical qualifications when deciding to whitelist a CA or not.
During the discussion on Mozilla’s dev.security.policy board about the inclusion of the UAE-based DarkMatter CA (see above), it was revealed that DarkMatter’s 64-bit serial numbers in its certificates had entropy too low to be compliant with CA/Browser Forum requirements—effectively making those numbers 63-bit, and that’s one order of magnitude too low to be compliant. Participants and observers of the discussion quickly turned that spotlight on their own certificates and realized that the scope of the deficiency included their CAs, too. As a result, it’s estimated that a million or more active certificates, some issued by big tech names like Google, Apple, and GoDaddy, may need to be replaced. The certificates affected were using the free PKI CA software package, named EJBCA and maintained by the Swedish company PrimeKey Solutions AB. (DigiCert partners and customers, take solace that this matter does not impact any certificates available via DigiCert’s various brands; hence, our brands’ certificates do not require reissuance.)
BITS, a technology policy division of the Financial Services Roundtable that represents more than a majority of the top 150 US-based financial services companies, had a problem with the deprecation of the RSA key exchange in TLS 1.3. According to BITS, that deprecation would challenge their constituents’ ability to decrypt TLS traffic for operational necessities, like application health monitoring, intrusion detection, malware detection, and compliance audits. In response, late last year, the European Telecommunications Standards Institute (ETSI) released a Middlebox Security Protocol specification—Profile for Enterprise Network and Data Centre Access Control—which allows passive decryption of TLS sessions. They called it Enterprise TLS (or eTLS), and it purported to be compatible with any TLS 1.3 compliant client. Alas, the Electronic Frontier Foundation (EFF) didn’t like the similarity of eTLS’ name to TLS itself and pointed-out that eTLS disables important security measures in TLS 1.3. According to eTLS broke “forward secrecy, which means that a compromised Diffie-Hellman private key can be used to decrypt all future and past eTLS sessions that have been encrypted with the same key.” The developers of eTLS have since agreed to rename eTLS to just “ETS” in its next public version.
In the middle of February, Kevin Backhouse of software engineering analytics and code exploration provider Semmle discovered a critical denial-of-service vulnerability in Fizz, which is Facebook’s open source implementation of TLS 1.3. Because the vulnerability causes an infinite loop in Fizz and renders the service unavailable for other users, it’s considered a Denial of Service vulnerability which, if exploited, could allow an attacker to take down any Fizz-reliant infrastructure. This is particularly concerning to Facebook, since Fizz is used on most of their internal and external infrastructure and the vulnerability is "relatively easy to trigger" for unauthenticated remote attackers, according to Mr. Backhouse. Facebook issued a patch making its web services no longer vulnerable and issued Semmle a US$10,000 bug bounty. Semmle turned around and donated the bounty to Techtonica, which partners with tech companies to provide free tech training, living stipends, and job placement to women and non-binary gendered adults in need in the San Francisco Bay Area. Seeing this, Facebook doubled the bounty amount, providing a total donation to Techtonica of $20,000. But the charity doesn’t stop there: Semmle matched the original $10,000 bounty with a sidelong donation to Community Servings, a not-for-profit food & nutrition program providing services to individuals & families living with critical & chronic illnesses.
Microsoft has announced that customers running Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, and other versions of Windows Server Update Service will no longer receive Windows OS updates unless they install SHA-2 code-signing support on their devices by July 2019. This is in an effort by Microsoft to phase out use of SHA-1 code signing support of Windows OS updates. “Due to weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively” after July 19: “Any devices without SHA-2 support will not be offered Windows updates after July 2019.” Although Windows currently uses both the SHA-1 and SHA-2 hash algorithms for authentication of its updates—systems that currently support SHA-1 will be upgraded to support SHA-2 over the next several months. Since 2014, SHA-2 has been available for Windows 7 and Windows Server 2008 R2; in 2016, Microsoft would no longer allow SHA-1 for code-signing and certificates, followed by discontinuation of SHA-1 in Internet Explorer and Edge. Fellow tech giants Facebook, Google, and Mozilla are also moving away from SHA-1.
According to a recent report from Zscaler, use of TLS- and SSL-encrypted traffic by hackers continues to increase. Hackers, particularly phishers, are using TLS or SSL as a standard practice now, in order to mask their attacks from security filters. In the last 6 months of 2018, Zscaler blocked 1.7 billion advanced threats hidden in SSL and TLS traffic, averaging 283 million per month; about 10% of those were phishing attempts, representing four-fold increase from 2017. These facts, found in Zscaler’s recent Cloud Security Insights Threat Report, roughly align with a recent report by Trend Micro, who blocked 269 million phishing URLs in 2018—over 2 ½ times what was blocked in 2017. Zscaler’s Chief Technology Officer, Amit Sinha, was enthusiastic about the increased use of legitimate traffic being encrypted by default, but he warned of its challenge to information security teams: “With a high percentage of threats now delivered with SSL encryption, and over 80% of internet traffic now encrypted, enterprises are blind to over half of malware sent to their employees.” Zscaler’s vice president of security research, Deepen Desai added, “criminals can conduct their nefarious activity within the confines of the SSL environment, leaving most e-commerce sites unaware of the activity.”
Back to top
There is a long-held stereotype that hackers are hoodie-clad lone wolves, sitting in front of overly bright monitors while they really should be looking for a job. However, hacking might be the job, and employment in hacking is likely already not what we expect. Cybercrime is an industry, and it’s becoming increasingly organized and professional – to the point that criminals have begun competing with traditional employers for cyber talent. According to Emilio Iasiello at TechNative, cybercrime employers offer annual salaries to woo IS professionals – some salaries upwards to US$1M, eclipsing what they could earn at legal employers. And thanks to the demand for off-the-shelf, ready-made malware, developers in the cybercrime space can now spend time on profitability instead of also having to deploy their wares. A 2018 report found that 12% of cybersecurity professionals worldwide have seriously entertained the idea of going criminal, as a separate 46% believe it would be easy to go there without being busted. According to Mr. Iasiello, "economic necessity, personal philosophy, and intellectual challenge may ultimately encourage more numbers to walk that thin line, keeping the greater cybercrime industry on forefront and the rest of the cyber security industry to keep pushing that boulder up the hill. “
Argentinian Santiago Lopez is just 19 years old, but this self-taught hacker has become SO good at finding flaws in software and online services that he’s reported nearly 1,670 unique bugs, making him a millionaire from the bug bounties he’s earned in those three years of white-hat hacking. Working now as a full-time hacker, he’s found bugs for Twitter, WordPress, and Verizon Media Company and now earns about 40 times the average salary of a software engineer in Buenos Aires. Having steadily hacked his way into the 84th percentile for hacking impact, Mr. Lopez is just as proud of his accomplishments as of the differences he’s made in security. Marten Mickos, the CEO of white hat hacker association HackerOne, explains that Mr. Lopez has in turn become a hero of many: “Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cybercrime. This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”
A Lithuanian man recently pleaded guilty to a three-year spree of scamming both Facebook and Google out of US$123 million. Knowing that a legitimate hardware manufacturer named Quanta Computer supplied Facebook and Google with data center equipment, Evaldas Rimasauskas registered a Latvian company with the same name, except that there is no Latvian location for Quanta. That was his secret he kept as he next created fraudulent invoices and contracts to trick both Google and Facebook into wiring him millions of dollars at a time. His ruse was so effective that Facebook lost approximately US$100 million and Google lost $23 million to the scams. After his guilty plea in a New York state court, Mr. Rimasauskas faces up to 30 years in prison.
Back to top
We’ve all heard that Quantum computers will be able to effortlessly and instantly break today’s strongest encryption, which currently protects sensitive data in transit and at rest worldwide. Speaking recently at IBM’s Think 2019 event in San Francisco, IBM Research director Arvind Krishna warned that "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now.” We here at DigiCert echoed these concerns at our 2019 Security Summit, held just a couple weeks before IBM’s event and at which we announced our developments in Post Quantum Cryptography (PQC) technology. Likewise, the National Institute of Standards and Technology (NIST) has spoken in alignment, predicting that within the next 2 decades, the world will see sufficiently large quantum computers able to break essentially all public key schemes currently in use. While NIST’s prediction is rosier than IBM’s and ours, they all speak to the inevitability of the threats which Quantum computing pose to today’s cryptographic methods. As NIST describes it, “Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.” That need for Quantum resistance have sparked innovation leading to the concept of building PQC solutions in advance of that looming eventuality.
As Quantum cryptography applies principles of quantum mechanics towards encryption, companies and governments worldwide are racing to build the first usable quantum computer. Quantum computers are commercially available today, but are far from their eventual ability to solve thousands of problems at the same processing speed and the same processing power as current systems take to process one problem at a time. According to William Hurley, a senior member of IEEE and founder/CEO of American quantum computing company Strangeworks, the theories about Quantum computing’s capabilities “have advanced farther than the hardware… However, we shouldn’t wait for the hardware to motivate the switch to post-quantum cryptography.” There is just as much fear that Quantum computing will be able to quickly and easily break all the encryption varieties in use now as there is fear that a country or organization might reach that level of Quantum computing ability without any other country or organization finding out. And that so-called first-usable will have profound advantages and abilities. However, it’s not all doom and competitive gloom.
The laws of quantum physics might just come to the rescue, via Quantum key distribution (QKD), which is a method of sending encryption keys using special behaviors of subatomic particles which could be completely unhackable. Effectively, such a form of QKD is where a system where photons are sent one at a time through a fiberoptic line. If those are intercepted, according to the principles of quantum physics, the polarization of the photons will change, indicating to the recipient that the message is no longer secure. While the sending and receiving hardware is expensive and slow, the networks to support them are already here. China is already ahead of other nations with QKD dedicated pipes connecting major Chinese cities, but networks already exist in Europe and the USA since QKD systems can utilize some existing high-speed fiber optic pipes. But that’s just the land-based approach: satellite-based QKD uses the principle of entanglement (referred-to by Einstein as “spooky action at a distance”), where two particles become entangled such that they have the same state. If one of these particles is sent to someone else, the recipient will receive a particle which is guaranteed to be the same state as its twin; while the state of the two particles is identical, it’s also random, which effectively means it’s a key pair of theoretically non-recalculable random digits.
Ta-da: Quantum keys enabling symmetric encryption, which can be sent over traditional channels. Here, too, China is ahead, having launched a Quantum satellite years ago, but like land-based QKD, the price and speed of the specialized processing equipment for sending, receiving, encoding, and decoding is far from where it needs to be in order to secure critical and sensitive communications.
And those aren’t the only challenges, since QKD would either require direct connections between sender and receiver across 60ish (or fewer) miles or require the use of relays and repeaters, which are already seen as the weak points in the chain where Quantum-savvy hackers could observe the Quantum keys as they pass by. Moreover, QKD networks must need route messages, requiring routers and hubs that, in turn, will add more points of vulnerability. Clearly, there are many technologies to create, problems to resolve, and opportunities to seize, which explains the decade or decades it’ll take for the whole new ecosystem to mature to usability and stability.
Any mobile phone user can quickly deduce that 3G networks preceded 4G networks, and now 5G networks are soon coming whose speeds are expected to be considerably faster than we’ve experienced. Yet, there’s already concern about the security risks posed by 5G usage, but not because the security standards aren’t in place yet (they are) nor because those standards aren’t strong enough (they are). Rather, 5G is expected to connect what we now call the IoT (including self-driving cars and personal medical technology), and that’s a considerably larger threat surface than the one covered merely by mobile phones. Since the IoT represents a huge leap in connected devices, there’ll be a corresponding leap in traffic and resulting worries that the system won’t be as fast as it could be. A team of scientists at the University of Bristol has come forward with a solution to secure 5G services without compromising speed – and the solution embeds quantum cryptography into 5G networks. Professor Reza Nejabati leads the university’s high-performance networks research group, described their capabilities which “empower network operators to leverage the flexibility and programmability offered by virtualization technology in order to create new types of internet services, while taking advantages of transmission at the speed of light and also securing the system using quantum technology.” The University of Bristol research findings were presented at the Optical Fibre Communication Conference in San Diego, California in early March, and can be downloaded from one of the links below…
Back to top
Nearly a decade ago, a marketing campaign of ours focused on the ways that Extended Validation SSL certificates and our circle-checkmark SSL seal could help eCommerce sites avoid the dreaded funnel-clogging abandonment of shopping carts. Since then, a WordPress plugin named Abandoned Cart for WooCommerce has also worked towards preventing that problem by helping site admins analyze and possibly recover sales otherwise lost to abandoned carts. However, in March, hackers began targeting websites running unpatched versions of the plugin, with the goal of exploiting a cross-site scripting (XSS) vulnerability found in both the paid and free versions Abandoned Cart for WooCommerce 5.1.3. In particular, the vulnerability allows installation of two separate backdoors to compromise the site where the plugin is used. Mikey Veenstra of WordPress firewall provider Defiant said that his organization had detected 5,251 accesses to a bit.ly link associated with the triggering of the first of the two backdoors; while that number is suspected to be much larger than the true number of active infections, it’s probably quite lower than the number of infections which have not yet been triggered. Users of the plugin are urged to update at least to version 5.2.0, which added sanitization checks for checkout field capture for guest users. Alas, that upgrade doesn’t solve the entire problem, as it doesn’t resolve the second backdoor, designed to quietly spring into action if the first backdoor is discovered and resolved. All associated databases should be reviewed for possible injections, as should be the site’s and databases’ administrator accounts; any unauthorized admin accounts should be removed. Zooming out for a moment, please recall the several stories we’ve covered before regarding the necessity for keeping WordPress and its plugins, themes and extensions updated instead of installed and forgotten.
According to Cisco’s 2019 Data Privacy Benchmark Study that surveyed 3,200 global security and privacy professionals in 18 countries across major industries about their organizations’ privacy practices, organizations that invested in maturing their data privacy practices are now seeing material business benefits from these investments, including shorter sales delays and fewer/less-costly data breaches. In particular, organizations that invested in data privacy to meet the European Union’s GDPR deadline in May 2018 have since experienced an average of 3.4 weeks of delay due to privacy concerns in selling to existing customers, compared to 3.9 weeks on average and 5.4 weeks for the least GDPR-ready organizations. GDPR-ready organizations also realized lower incidences of data breaches, fewer records, and lower financial losses from security incidents, and shorter system downtimes, too. What’s more, 75% of respondents cited that they are realizing multiple broader benefits from their privacy investments, which include greater agility and innovation resulting from having appropriate data controls, gaining competitive advantage, and improved operational efficiency from having data organized and catalogued.
Back to top
Most of the time, news of the strange is funny or at least ironic, but some stories, like this one, are purely ewww-inducing. This story might make you shake your head – thrice. Security researcher Victor Gevers discovered a publicly exposed database filled with highly sensitive personal details of 1.8M Chinese women, including their names, addresses, age, phone numbers, location, government ID numbers, and marital status. As if those two things (the public accessibility of the database and the scope of the data details) weren’t bad enough, the third element was the creepiest: the database was named “BreedReady.” While it is possible that something was lost in translation in that name, it is also possible – if not suspected by many because of the word choice – that the database is an element of some capability to find or select a female mate of child-bearing age; while the average age of women in the database was 32, one cringe-worthy data record listed a female of just 15 years old. The name “could be a poor translation of Chinese terms to describe whether a woman has children or is of child-bearing age” according to the UK-based newspaper The Guardian, but it’s still a mystery why such a database existed, much less left out in the open. Since its discovery, the database was subsequently taken down by its owner.
People worldwide are aware of China’s unique centralization of internet control, but Russia seems to be playing catchup in controlling negative news as Moscow lawmakers are pushing “Sovereign Internet” legislation designed to selectively isolate Russian cyberspace. The law would create a single command post from which authorities can manage and even freeze the flow of information across Russia’s slice of the internet. Given similar-in-spirit action to disallow criticism of the government, this sudden leapfrog towards control is like a “hold my beer” moment in contrast to China’s gradually built so-called Great Firewall.
While Russian President Putin explains the action as a defensive response to US President Trump’s new cyber strategy (which includes invocation of hack-back capability and permits offensive measures against designated adversaries), security experts, industry insiders and some officials believe Russia’s move is all about the ability to maintain or cut internet service in places and times of unrest or resistance. …and stifling the ability to share on social media or share smartphone videos, especially by minority cultures or in occupied geographies, does make a lot of sense when laid alongside decreased ability to criticize the government. Andrei Soldatov, author of “The Red Web: The Kremlin’s Wars on the Internet” and co-founder of a site tracking Russian security services, explains that “this law isn’t about foreign threats, or banning Facebook and Google, which Russia can already do legally… It’s about being able to cut off certain types of traffic in certain areas during times of civil unrest.” On the contrary, claims President Putin, who insists that the whole idea is to ensure that the RUnet, as Russia’s domestic internet is known, would stay online should the USA try to isolate Russia digitally. Putin told media executives inside the Kremlin last month that he doubted the U.S. would do such a thing, but the threat is nevertheless real enough that Russia must prepare. Rongbin Han, a professor of international affairs at the University of Georgia in the U.S. who studies the Great Firewall of China, said all major countries are extending their sovereignty into cyberspace for one very good reason—new threats are emerging all the time. According to the Professor, “Russia is moving in a similar direction as China… You don’t necessarily need to shut down the entire internet to quash political dissent. It’s smarter just to filter online content.”
The details of the new law indicate that, under it, authorities would have an easier time monitoring and disrupting scores of apps and message groups that are currently classified as illegal, like the Telegram messaging app and platform. However, according to Artem Kozlyuk, the founder of the Russian Roskomsvoboda group which campaigns against online restrictions, if Russia is truly afraid of getting kicked off the web by the U.S. then it’s playing into America’s hands by trying to centralize a distributed system. That would both make the RUnet easier to attack. “It’s like closing your airspace,” he explained.
The US Department of Defense (DOD) Defense Information Systems Agency (DISA) is nearing completion of tested technology which will reduce smartphone users' reliance on passwords or certain 2FA methods. By leveraging existing sensors and technologies typically used by gaming apps, DISA would enable phones to identify you based on how you walk, how you grip the phone, or the way you move fingers across the touch screen. The DISA is reportedly working with computer chipmakers and smartphone developers to make the technology commercially available as early as 2020. The system is currently in testing on 50 phones at the DOD, which swears that the idea was to develop something for commercial use, and not solely defense or clandestine use—as GPS and the internet itself eventually turned out to be. Anyway, the DISA wouldn’t name the companies it’s working with, but indicated that the technology will most likely become available in the majority of US handsets. Once you get past the creepiness factor of a device knowing who you are based beyond typical biometrics, it’s pretty nifty to imagine the possibility of no one being able to unlock your device if lost, stolen or left unattended—and a locked device is a secured and private device.
Back to top
Researchers with NexusGuard report that both the number and the average size of distributed denial of service (DDoS) attacks decreased significantly in the fourth quarter of 2018. The decreases seem to correlate with recent crackdowns by the United States Federal Bureau of Investigation on DDoS-for-hire services (also known as Booter services), resulting in the takedown of 15 internet domains offering Booter services, including critical-boot.com, ragebooter.com, downthem.org and quantumstress.net. According to the NexusGuard report, “The FBI’s highly effective crackdown not only suppressed the number of total attacks YoY, but also the average and maximum attack sizes, decreasing both by 85.36 percent and 23.91 percent, respectively.” To temper those expectations, we must understand that regardless of the type of DDoS attack or any future law enforcement crackdown, DDoS attacks can only continue due to human error and vulnerabilities in connected products. “The root cause of botnets stems from hardware/software vulnerabilities and human ignorance or negligence that leave the door open for malware to enter and take control,” researchers said. “Patching all vulnerabilities and raising security awareness across all levels of users, in theory, is a way out. “
Israel has launched the world’s first national cyber hotline. The Computer Emergency Response Centre (CERT) as it’s properly named is now where Israeli businesses and individuals can report suspected hacking and to receive solutions in real-time. By dialing 119, a caller will be connected to CERT which looks like an office version of NASA Mission Control. Still in its first few months of operation, the hotline has received around 100 calls daily, which are handled mostly by veterans of military computing units. Most callers are reportedly victims of cyber-criminals, but interestingly about 15% were by white-hat hackers. Of course, there are those who just want to test the system in some way, as under 1% of calls turned out to be hoaxes. For legitimate calls, CERT has additional capabilities, such as a chat room which connects the technology officers working for major Israeli firm for discreet information sharing, should a report indicate an epidemic of sorts or a data breach. CERT can also dispatch experts to affected computer users within just a few hours' notice. The hotline’s director, Lavy Shtokhamer, describes CERT’s role as mitigation of cyber-attack and damage “as quickly as possible, to learn about the threats, and to spread the knowledge where relevant.” In a hot-button country as Israel, located in a historically contested geography, “a cyber-attack may not be limited only to property or financial damage. It can also threaten lives."
Microsoft tips for protecting yourself online
Sometimes, it seems like the bad guys are always winning, what with data breaches, identity theft, and digital threats recurring in headlines worldwide. But that’s not entirely true. As we predicted in our 2018 year-ending threat briefing, individuals’ awareness and action seems to be growing—and there’s action all around to support that. Knowing that undertaking consistent and regular security habits go a long way in the average technology user’s world, Microsoft has released the 24th edition of its annual Security Intelligence Report, which includes insights and recommendations against the most common (and most recent) cybersecurity threats and malware trends. Stating that “meaningful risk reduction requires a security approach that includes prevention and detection and response”, Microsoft’s report makes several recommendations about security hygiene, access control, security awareness, and having backup plans—and backups.
Back to top