This post examines some of the more popular articles on the web this week discussing SSL and network security.
As reported last week, Google and Apple have decided to begin allowing their smartphone users to encrypt all of their data, making it inaccessible to anyone who doesn’t have the passwords, including law enforcement officials. Bloomberg’s Del Quentin Wilber reports that U.S. law enforcement are extremely unhappy with the decision. “This is a very bad idea,” said Cathy Lanier, chief of the Washington Metropolitan Police Department, in an interview. Smartphone communication is “going to be the preferred method of the pedophile and the criminal. We are going to lose a lot of investigative opportunities.” The article points out that while the decision was likely prompted by revelations around NSA spying, local law enforcement will feel the dramatic effect of this change. “It’s a significant issue for law enforcement,” James Soiles, a deputy chief of operations at the Drug Enforcement Administration said. “As long as we are doing it with court orders, there shouldn’t be any reason to keep us from it. We want to attack command-and-control structures of drug organizations, and to do that we have to be able to exploit their communication devices.”
The infamous Kevin Mitnick, known for his exploits as a black hat hacker which landed him in jail, is back in the news with a new company selling zero day exploits. Andy Greenberg of Wired reports that Mitnick’s new security consulting firm is called Mitnick’s Absolute Zero Day Exploit Exchange. The company is a clearinghouse of zero day exploits. With prices starting at $100,000, these exploits are discovered by undisclosed researchers/hackers and in turn sold by Mitnick’s firm to anonymous buyers. “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick told WIRED. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.” The legality of the exchange is in some question, although Mitnick has done little to hide his business model. “It’s like an Amazon wish list of exploits,” says Mitnick.
In this video, CNNMoney’s Jose Pagliery breaks down the Shellshock vulnerability (The so-called “Bash Bug”) and explains which devices could be affected. “Imagine that a smart, interconnected light bulb in your house starts acting up all on its own. There’s a slight chance that could be a new Internet bug at work…it could start affecting smart home devices and much, much more.” He gives a quick overview of how it works, and if you might be vulnerable.
As reported in a number of news articles, a pair of security researchers has released details about how to infect USBs with undetectable malware. Adam Clark Estes of Gizmodo reports on how Karsten Nohl and Jakob Lell originally discovered the “BadUSB” attack but declined to make the details public for fear of its use by hackers. Researchers Adam Caudill and Brandon Wilson have been able to roughly duplicate the exploit and uploaded the code to GitHub in hopes of spurring manufacturers to do something about the vulnerability. “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the audience of a hacker conference last week. “This was largely inspired by the fact that [Nohl and Lell] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” The concern is that Nohl said at the Black Hat conference in July that he feels that BadUSB is “unfixable”.
An article in Fast Company by Matthew Braga makes the case for ubiquitous HTTPS. He hashes over (no pun intended) the basics of SSL and why HTTPS everywhere is safer for everyone. Braga says, “Yet, beyond some of the Internet’s bigger players, there are still a number of factors that have been holding more widespread HTTPS adoption back. Some websites don’t realize that the mere act of visiting their website might be sensitive, or that a user’s connection can be hijacked along the way, and thus don’t see a reason to encrypt. Others aren’t savvy enough to implement HTTPS themselves. Ad networks, many of which still serve ads over plaintext HTTP, are often cited by news websites as a reason they’ve been slow to encrypt. ‘Aligning many parties with certificates so that errors are not thrown to users isn’t trivial,’ wrote Scott Cunningham, vice president of technology and ad operations at the Interactive Advertising Bureau in an email. ‘The effort, and cost of that effort, is primarily why it hasn’t occurred.’
As reported last week, Firefox and Chrome both recently issued updates fixing the BERserk SSL bug. This eWeek article by Sean Michael Kerner reviews the flaw and the advisory put out by Intel Security. Intel Security General Manager Mike Fey is quoted to say, “Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.” Kerner reports that, “…both Google Chrome and Mozilla Firefox have excellent updating mechanisms for their respective users. As such, I would suspect that the vast majority of Chrome and Firefox users right now are not at risk from the BERserk vulnerability as their respective browsers have likely already been updated. However, that doesn’t mean that all those users were not at risk prior to Sept. 24, though there is no public indication at this point that the BERserk flaw has ever been exploited.”