A take on the security news, week 34
This is my first attempt on a semi-weekly summary of what happened in the security news the past week. I hope it will be of use to others than me, and comments are welcome in the comment form or via twitter (mbmedianorge).
1: Theft of 4.5 million pasient journals by hackers
Hackers stole name, adressesses and ssn's from 4.5 million patients from Community Health Systems Inc (CHS), a big hospital chain in the U.S. Medical and financaial information was not compromised according to CHS.
This news was in the media from 18.08, but the attacks were done earlier this year.
This is the first attack where the heartbleed bug is known to be the initial attack vector.
2: Microsoft Windows store full of fake applications
Howtogeek finds fake paid versions of free software in the Windows store. The problem is so big that they headline it as "The Windows Store is a Cesspool of Scams". Some of the software that is scammed is VLC, Adobe Flash Player, Firefox, Picasa, Spotify, Blender 3D, and the list goes on. All of these applications are free (as in beer) applications.
How do this relate to security?
First, the applications are scams, and second, it shows the lack of control of applications that are added to the Windows store. Without some sort of control, how can we know that the software is relatively secure?
3: PHP 5.3 end of life
This one belongs to week 33, but I want to include it neverthless since this is my first occurence of what I hope can be a weekly update.
PHP 5.3 went into unsupported status (eol) with version 5.3.29 14.august 2014.
PHP is a very popular server-side scripting langugage that runs many of the dynamic websites on the Internet. Its important to keep your code up to date with the latest and greatest security patches.
If you still running on 5.3.xx, its time to upgrade to PHP 5.4.32 or 5.5.16
4: Scanning the Internet reveals too many unprotected VNC servers
Internet wide searches on port 5900 (default VNC port) reveals many servers wideopen. Remember to put a password on your vnc server (google: set vnc password) and you will probably find a way to do it on your OS.
VNC is a popular system that allow graphical desktop sharing over the Internet (and other networks). The graphical part of this means that the hackers can view the compromised VNC servers like any regular tv channel, see example screenshots in the linked articke below.
The protocol (RFB) that runs VNC is considered an unsecure protocol, and its recommended to set a password (at least 8 characters) on your VNC server. Be aware that some systems also have an upper-limit of 8 characters on the password length.
Connection should also be tunneled through SSH or some other encryption mechanism.
5: Google Chrome begins the process of deprecating SHA-1 within TLS certificates
Its now proposed changes in how Chromium should handle certificates using SHA-1:
The following changes to Chromium's handling of SHA-1 are proposed:
- All SHA-1-using certificates that are valid AFTER 2017/1/1 are treated insecure, but without an interstitial. That is, they will receive a degraded UI indicator, but users will NOT be directed to click through an error page.
- Additionally, the mixed content blocker will be taught to treat these as mixed content, which WILL require a user action to interact with.
- All SHA-1-using certificates that are valid AFTER 2016/1/1 are treated as insecure, but without an interstitial. They will receive a degraded UI indicator, but will NOT be treated as mixed content
The motivation to start the work now is to get a smoother transition away from SHA-1 than what the case was with MD5.
Certificate Authoritys have been warned by this transition since Februar this year.
There is three ways to deal with this process:
- Immediately transition to SHA-256. Users running Windows XP versions older than SP2 already are vulnerable to significant security risks, and should at least update to a modern version of XP (Microsoft Genuine checks are no longer required for XP security updates, so all users have this available).
- Transition to a SHA-1 certificate that is not valid longer than 2015/12/31, recognizing that eventually it will be necessary to transition to SHA-256.
- (less than ideal) Transition to a SHA-1 certificate that is not valid longer than 2016/12/31, recognizing that Chrome users will see a degraded UI.