A take on the security news, week 45

Tue 04 November 2014

A take on the security news, week 45 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

The last three weeks have been to busy to keep updated on the security front, but this week I will try to do make it.

  • Monday

LastPass opensource commandline client

Some of the use cases of this new client involves changing server passwords on a regular basis. This might be useful, and I look forward to get time to play with it.

http://blog.lastpass.com/2014/10/open-sourced-lastpass-command-line.html

Bitlocker Keys May be Stored in OneDrive

http://technet.microsoft.com/en-us/library/dn306081.aspx

Making Facebook more secure by using Tor

Facebook is now offering access to their services through an onion address on the Tor network. The ownership of the onion address is "proven" by the fact that Facebook runs an SSL certificate on top of the service.

https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237

  • Tuesday

OpenBSD 5.6 replaces OpenSSL with LibreSSL

This is the first release of OpenBSD after the fork of OpenSSL into LibreSSL.

http://www.openbsd.org/56.html

TextSecure audits concludes with no significant problems

The app claims to provide secure instant message, and its protocol is a part of the Cyanogenmod firmware. The paper provide a complete description of TextSecure's cryptographic protocol and a thorough security analysis of TextSecure.

https://eprint.iacr.org/2014/904.pdf

  • Wednesday

Million of Drupal websites at risk due to SA-CORE-2014-005 SQL Injection

The release of version 7.32 was so critical that Drupal's maintainers state that if you didnt within the first 7 hours! of the release, you should assume that your site is compromised.

The reason of this statement is becuase of the numbers of automated attacks that started just after the patch was released. If your site is already compromised an update will not remove any installed backdoors.

https://www.drupal.org/PSA-2014-003

http://nakedsecurity.sophos.com/2014/10/30/millions-of-drupal-websites-at-risk-from-failure-to-patch/

  • Thursday

Wirelurker malware hits iOS and OS X

Wirelurker monitors any iOS devices that is connected to an infected OS X computer and install malware applications on the device even if it is not jailbroken.

To protect yourself you should:

- Keep your software up to date

- Not jail-break your device

- Not install untrusted software from third-party appstores

You can find more recommendation in the story below

https://www.paloaltonetworks.com/resources/research/unit42-wirelurker-a-new-era-in-ios-and-os-x-malware.html

https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Malicious iframe Injector Found in Adobe Flash File

Finding malware in Flash files is nothing new, but this one is quite the opposite. Here the swf file is not the piece of code that delivers the exploit but the one that generates it.

This is just an example of malware written in ActionScript and hidden inside a .swf. The lesson to take away is that you can use almost every scripting language to create nasty code. The malware itself is nothing special, calls a lot of javascripts and target MSIE users.

http://blog.sucuri.net/2014/11/malicious-injector-in-swf-adobe-flash-file.html

  • Friday

Apple revokes certificate from Wirelurker developer

The cryptographic certificate used by the Wirelurker malware is now revoked by Apple. The control and command server used by the malware is also taken down for now.

Again, the recomendation is: Dont install untrusted software

http://www.theregister.co.uk/2014/11/07/apple_moves_to_kill_off_wirelurker_malware/

EFF secure messaging scorecard

About 40 messaging clients are tested and scored on several security parametes and presented in a nice graphical table layout. The focus in this scorecard is secure and usable crypto.

Its a great piece of work that will benefit and help users find the most secure messaging services.

https://www.eff.org/de/secure-messaging-scorecard

GnuPG 2.1 released

The new version now supports Eliptic Curve Crypto (ECC) but the option is hidden by default due to the fact that there is no other OpenPGP implementation supporting ECC.

PGP-2 support is now removed and old data has to be reencrypted, or you have to keep and old version og GnuPG laying around for decrypting your old data.

Comments