A take on the security news, week 45
The last three weeks have been too busy to keep updated on the security front, but this week I will try to make it.
- Monday
LastPass open-source command-line client
Some of the use cases of this new client involve changing server passwords on a regular basis. This might be useful, and I look forward to getting time to play with it.
http://blog.lastpass.com/2014/10/open-sourced-lastpass-command-line.html
BitLocker Keys May be Stored in OneDrive
http://technet.microsoft.com/en-us/library/dn306081.aspx
Making Facebook more secure by using Tor
Facebook is now offering access to their services through an onion address on the Tor network. The ownership of the onion address is "proven" by the fact that Facebook runs an SSL certificate on top of the service.
- Tuesday
OpenBSD 5.6 replaces OpenSSL with LibreSSL
This is the first release of OpenBSD after the fork of OpenSSL into LibreSSL.
http://www.openbsd.org/56.html
TextSecure audit concludes with no significant problems
The app claims to provide secure instant messaging, and its protocol is a part of the CyanogenMod firmware. The paper provides a complete description of TextSecure's cryptographic protocol and a thorough security analysis of TextSecure.
https://eprint.iacr.org/2014/904.pdf
- Wednesday
Millions of Drupal websites at risk due to SA-CORE-2014-005 SQL Injection
The release of version 7.32 was so critical that Drupal's maintainers state that if you didn't update within the first 7 hours (!) of the release, you should assume that your site is compromised.
The reason for this statement is the number of automated attacks that started just after the patch was released. If your site is already compromised, an update will not remove any installed backdoors.
https://www.drupal.org/PSA-2014-003
- Thursday
Wirelurker malware hits iOS and OS X
Wirelurker monitors any iOS device that is connected to an infected OS X computer and installs malware applications on the device, even if it is not jailbroken.
To protect yourself you should:
- Keep your software up to date
- Not jailbreak your device
- Not install untrusted software from third-party app stores
You can find more recommendations in the story below.
Malicious iframe Injector Found in Adobe Flash File
Finding malware in Flash files is nothing new, but this one is quite the opposite. Here the swf file is not the piece of code that delivers the exploit but the one that generates it.
This is just an example of malware written in ActionScript and hidden inside a .swf. The lesson to take away is that you can use almost every scripting language to create nasty code. The malware itself is nothing special: it calls a lot of JavaScript and targets MSIE users.
http://blog.sucuri.net/2014/11/malicious-injector-in-swf-adobe-flash-file.html
- Friday
Apple revokes certificate from Wirelurker developer
The cryptographic certificate used by the Wirelurker malware has now been revoked by Apple. The command and control server used by the malware has also been taken down for now.
Again, the recommendation is: don't install untrusted software.
http://www.theregister.co.uk/2014/11/07/apple_moves_to_kill_off_wirelurker_malware/
EFF secure messaging scorecard
About 40 messaging clients are tested and scored on several security parameters and presented in a nice graphical table layout. The focus in this scorecard is secure and usable crypto.
It's a great piece of work that will benefit and help users find the most secure messaging services.
https://www.eff.org/de/secure-messaging-scorecard
GnuPG 2.1 released
The new version now supports Elliptic Curve Crypto (ECC), but the option is hidden by default due to the fact that there is no other OpenPGP implementation supporting ECC.
PGP-2 support is now removed and old data has to be re-encrypted, or you have to keep an old version of GnuPG lying around for decrypting your old data.