With TLS 1.0 and TLS 1.1 considered vulnerable to various types of attacks, including BEAST, CRIME and POODLE, Mozilla last month announced plans to disable them in its popular browser and allow only connections made using TLS 1.2 and TLS 1.3.
The move should have no impact on websites that support TLS 1.2 and up, but will result in an error message being displayed when the newer protocol versions are not supported. An override button on the error page will give users the option to fall back to TLS 1.0 or TLS 1.1.
The deprecation of older TLS versions was initially announced a couple of years ago, but some website administrators have yet to upgrade to newer versions of the protocol. The change introduced in Firefox 74 is expected to encourage them to improve the security of their sites and users.
Apple has unveiled a policy for Safari at the CA/Browser Forum: it will not trust any website certificate valid for more than 398 days. This will flow on to all iOS and macOS devices, and it starts on September 1, 2020. The aim is to improve website security by making sure site developers are using certificates with up-to-date cryptographic standards.
Clearly the improved security is going to have some drawbacks: increasing the frequency of certificate deployment will increase the workload for IT staff. The suggestion is that companies need to look to automation to manage certificates and compliance.
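The two browser policies above are easy to check against your own servers. The following is an added example (not code from Mozilla, Apple or the original post) that builds a client context which, like Firefox 74, only negotiates TLS 1.2 and 1.3, and audits a certificate's validity period against Safari's 398-day limit; the `check_server` helper and the two sample certificate dicts are constructed for illustration.

```python
import socket
import ssl

MAX_CERT_LIFETIME_DAYS = 398  # Safari's limit from 1 September 2020


def modern_tls_context() -> ssl.SSLContext:
    """Client context that, like Firefox 74, negotiates only TLS 1.2 and 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_lifetime_days(cert: dict) -> int:
    """Validity period in days of a certificate in the dict form that
    ssl.SSLSocket.getpeercert() returns (notBefore/notAfter as text)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


def audit_cert(cert: dict, max_days: int = MAX_CERT_LIFETIME_DAYS) -> list:
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    days = cert_lifetime_days(cert)
    if days > max_days:
        findings.append(f"validity of {days} days exceeds the {max_days}-day limit")
    return findings


def check_server(host: str, port: int = 443) -> dict:
    """Connect with the strict context and report the negotiated version and
    certificate findings. Needs network access; not used by the samples below."""
    ctx = modern_tls_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "findings": audit_cert(cert)}


# Constructed sample certificates (only the fields the audit needs).
CERT_ONE_YEAR = {"notBefore": "Sep  1 00:00:00 2020 GMT",
                 "notAfter": "Sep  1 00:00:00 2021 GMT"}   # 365 days: passes
CERT_TOO_LONG = {"notBefore": "Sep  1 00:00:00 2020 GMT",
                 "notAfter": "Mar  1 00:00:00 2022 GMT"}   # 546 days: fails

if __name__ == "__main__":
    for name, cert in (("one year", CERT_ONE_YEAR), ("too long", CERT_TOO_LONG)):
        print(name, cert_lifetime_days(cert), audit_cert(cert) or "ok")
```

A server that only offers TLS 1.0 or 1.1 will fail the handshake in `check_server` with an `ssl.SSLError`, which is exactly what Firefox 74 users will see as the error page.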
I recently discovered a very good TED presentation by James Lyne; it is definitely a goodie. In his presentation, “Everyday cybercrime – and what you can do about it” https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it he provides an excellent introduction to internet security. His entertaining style fits well with the content and the 17 minute presentation covers key material. This should be on everyone’s playlist as he debunks common myths about cybercrime. A Sophos page with some helpful follow-up tips can be found over at https://sophos.com/wifi with an emphasis on wifi services.
I came across the SANS Security Awareness Tip of The Day recently. It includes a daily tip that explains how people can better protect themselves in a digital world, with suggestions ranging from what your social media privacy settings should be to guidance on technology rules for visiting children.
So why not add it to your bookmarks or your RSS reader?
Dan Geer is a voice in the IT Security world that should be listened to, and he has co-authored a short but intense article in the IEEE S&P Cleartext column that addresses the reality of the rapidly-changing threats that we all face.
“Stand Your Ground” has a few key messages, which I’ll try to summarise :-
- Minimise the number of targets; stop adding new services without effective defences, remove old services. Use the savings to fund better security for what remains.
- Distrust the internal network; distrust any service that is not continually verified. Defend against outbound traffic as well as inbound traffic.
- Do not assume perfection is possible; plan for failure modes that reduce services sensibly. Reduce the time-to-repair with automation instead of extending the mean-time-between-failure.
For more reading and a less technical take on these ideas, here’s another article about Dan’s thoughts from Ben Tomhave, a GRC (Governance, Risk & Compliance) consultant.
In an article from Wired, thieves allegedly stole half a million Australian credit card numbers. The raid on an unnamed business in Australia used keystroke logging software on POS terminals, then transferred the information back to Eastern Europe. The POS terminals had default passwords and stored transaction data insecurely. They were accessed using an unsecured Microsoft Remote Desktop connection. But the notable quote is:
“The network was setup by some local suppliers who didn’t understand IT security,” Det. Sup. Marden told the magazine. “It was a disaster waiting to happen.”
As is often the case in incidents like this, most of the layers of defence were turned off, left at default values, or just were not considered necessary. Had any one of the following been in place, this particular incident could have been averted: changing the vendor’s default password, forcing access to the terminals via a VPN, AV software on the workstations, IDS on outbound network traffic, and logging and monitoring of authentication services. Lastly, had the Aussie business performed an independent information security audit, these would have been identified and the costly compromise could have been avoided.
I’ve just picked up a nice new entry on the “Falsehoods [people] believe about [topic]” meme … this one is “Falsehoods programmers believe about networks” and comes from Errata Security, a very good resource.
Here’s the top 5 :-
- Data on the network cannot be altered.
- Encrypted data on the network cannot be altered.
- Data cannot be accidentally corrupted, because TCP has checksums and Ethernet has CRCs.
- If it’s inside my perimeter firewall, that means I have total control over it.
- If it doesn’t return an error, then send() sent all the data that was asked of it.
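The last falsehood is the one that bites in code. As an added example (not from the Errata Security article), here is what a send loop that believes the return value of send() looks like, with a socketpair round trip that drives it; the helper names are my own.

```python
import select
import socket
import threading


def send_all(sock: socket.socket, data: bytes, timeout: float = 5.0) -> int:
    """Write all of data, looping on the byte count send() reports.
    send() may accept only part of the buffer without raising; its return
    value says how much was taken. Returns the number of send() calls made."""
    sock.setblocking(False)          # partial writes show up instead of blocking
    view = memoryview(data)
    calls = 0
    while len(view):
        _, writable, _ = select.select([], [sock], [], timeout)
        if not writable:
            raise TimeoutError("peer stopped reading")
        try:
            sent = sock.send(view)
        except BlockingIOError:      # buffer filled between select() and send()
            continue
        if sent == 0:
            raise ConnectionError("socket closed mid-send")
        view = view[sent:]
        calls += 1
    return calls


def recv_exactly(sock: socket.socket, length: int) -> bytes:
    """recv() has the mirror-image property: it returns whatever is available."""
    chunks, remaining = [], length
    while remaining:
        chunk = sock.recv(min(remaining, 65536))
        if not chunk:
            raise ConnectionError("peer closed before all data arrived")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def round_trip(payload: bytes) -> tuple:
    """Push payload through a socketpair while a reader thread drains it.
    Returns (payload arrived intact, number of send() calls that were needed)."""
    writer, reader = socket.socketpair()
    got = {}
    t = threading.Thread(target=lambda: got.update(data=recv_exactly(reader, len(payload))))
    t.start()
    calls = send_all(writer, payload)
    t.join()
    writer.close()
    reader.close()
    return got["data"] == payload, calls
```

With a payload of a few megabytes the socket buffer fills long before the data is gone, so `round_trip` reports many send() calls for one logical write; a program that stopped after the first call would have silently truncated the message.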
A small list at the end is “Falsehoods network administrators believe about networks” …
- There is no IPv6 on my network
- NAT automatically blocks all inbound attacks
- We know all the devices attached to our network at any given time
This joins the two well-known “Falsehoods programmers believe about …” lists, Time and Names, whose top entries are …
- There are always 24 hours in a day.
- Months have either 30 or 31 days.
- Years have 365 days.
- February is always 28 days long.
- Any 24-hour period will always begin and end in the same day (or week, or month).
- People have exactly one canonical full name.
- People have exactly one full name which they go by.
- People’s names fit within a certain defined amount of space.
- People’s names do not change.
- People’s names change, but only at a certain enumerated set of events.
- People’s names are written in ASCII.
- People’s names are written in any single character set.
- People’s names are all mapped in Unicode code points.
- People’s names are case sensitive.
- People’s names are case insensitive.
I was delighted by a recent post on the SANS web site from Johannes B. Ullrich. In his article he lists 5 documents that deal with hardening OS X. For those that don’t know, hardening is the process of securing a computer by reducing its vulnerable attack surface. I was only aware of the Apple documentation and not the others. Ullrich notes that the Apple documents do not cover OS X Lion (10.7). This is disappointing, as I would have thought that Apple would have been more proactive given their increasing market share.
Anyway, the list is included below, and anyone exposing an Apple to the internet is advised to check the documents to make sure that they have enabled sufficient shielding to withstand probes and attacks.
- Apple
- NSA Guide
- Mac Shadows
- University of Texas
- Center for Internet Security
Screenshot of the takedown notice on megaupload.com
Update: Megaupload lawyers report that user data may be destroyed by the end of this week (30 Jan – 5 Feb 2012)
This isn’t a post about copyright infringement. This is a post about backing up your data.
Popular file-sharing site Megaupload was shut down on 19 January 2012, and its owners arrested. Of course, all the servers have been seized as evidence, and therefore all uploaded content, including non-infringing files that are not under investigation, is unavailable indefinitely.
Understandably, people whose only copies of important files were on Megaupload are slightly miffed.
- Always keep backups of important files
- Cloud storage can fail
- You are always responsible for your data.
Spideroak and Wuala offer secure storage (you hold the only copies of the encryption keys), and the free storage space is enough for most people if you prioritize important files.
Disclaimer: I use Spideroak (the free version) and I’m very happy with it. I’m not endorsing them, just informing you that they exist. I have not used Wuala, but their security mechanism appears to be very similar.
For those interested in confirming or checking the secure configuration of their operating systems, the National Security Agency (NSA) has some hardening documents available. These cover Apple Mac, Microsoft Windows and Linux operating systems. Generally, hardening is a process that reduces the attack surface, that is, the number of vulnerabilities exposed to attackers. This is often achieved by disabling unused services, uninstalling unused software, and removing unnecessary user accounts, and it is considered an essential step in maintaining a trusted computing environment.