Due to changes in browser requirements, QuoVadis will change to 397 day maximum validity for public TLS/SSL on August 27, 2020 at 23:59 UTC. 397 days equates to one year validity plus limited time to accommodate early renewals. After the change, the new policies will be automatically available for provisioning.

• This change affects all CAs industry-wide. It applies to Business SSL (OV), EV, and Qualified Web Authentication certificates.
• Two-year certificates issued before the August 27 changeover will continue to work in browsers.
• This change does not affect other certificate types including code signing, document signing, client, S/MIME certificates, or private TLS/SSL.

The Mozilla Foundation have advised of a  bug (Bug 1565780) in the use of stored passwords.

August 14, 2019; CVE-2019-11733: Stored passwords in ‘Saved Logins’ can be copied without master password entry

When a master password is set, it is required to be entered before stored passwords can be accessed in the ‘Saved Logins’ dialog. It was found that locally stored passwords can be copied to the clipboard thorough the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Many people using recent versions of ssh are now seeing SHA256 fingerprints by default when connecting to a new server, and finding it difficult to verify the fingerprint because the server itself doesn’t seem to have the right versions to tell you!

For example, here’s the client trying to connect …

$ ssh galathilion
The authenticity of host 'galathilion (10.30.64.220)' can't be established.
RSA key fingerprint is SHA256:8DpA4frlTxKnZ5GJXkORq8QQlLn4eCx4nZf51g55vYc.

The correct thing to do here is to check this fingerprint, by connecting to the target server over something that isn’t ssh. Then you run the ssh-keygen command to see the fingerprint …

# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 d3:c6:fa:83:03:f4:ed:44:a4:3e:80:e1:b1:7b:ca:42 /etc/ssh/ssh_host_rsa_key.pub (RSA)

But that’s the wrong format – the MD5 version of the fingerprint, not the SHA256 version. That’s probably because the server version of the openssh tools doesn’t support SHA256 at all. And you can’t work out what the SHA256 fingerprint will be if all you have is the MD5 fingerprint data.

No problem; you can just ask your client ssh to display the server’s fingerprint using the old MD5 presentation :-

$ ssh -o FingerprintHash=md5 galathilion
The authenticity of host 'galathilion (10.30.64.220)' can't be established.
RSA key fingerprint is MD5:d3:c6:fa:83:03:f4:ed:44:a4:3e:80:e1:b1:7b:ca:42.

So that works a treat, and you can validate the connection. Regardless of the scheme used to present the fingerprint to you, it’s the same server public key, so validating the MD5 presentation is the same as validating the SHA256 version.

As an alternative, you can use standard command-line tools to generate the SHA256 fingerprint on the server itself, even though openssh doesn’t do that for you.

# cat /etc/ssh/ssh_host_rsa_key.pub \
  | awk '{print $2}' | base64 -d | sha256sum -b \
  | awk '{print $1}' | xxd -r -p | base64
8DpA4frlTxKnZ5GJXkORq8QQlLn4eCx4nZf51g55vYc=

That mouthful produces the same output as the openssh tool.

Here’s a worked-through example of how this command chain works. I can reproduce the original machine’s data here, because this is a public key. Remember to carefully check what data you are publishing online!

# cat /etc/ssh/ssh_host_rsa_key.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3R3I0dJxyg61jKuAqY3wJ/gwHzzEVg73sVqqJnzzEGWEkpjEYsIBk1NWh/Ur2q9CnR1KPk8Av22fNgeQay6dm9FcGK7TImiD3ZZfZjfHPzwkcoXyQPuJHW9pT8rlktkihdpTNJqlHHibVUz481AntmptypGqPKdg22EjvjrHk5Q4Op/ahZjgkSoFPphH1gWZcCC2xSPi/mk6nu9DF4Jyr1dJq+hJMPuvQ10ozOpzhemUKD9dGoXIh9g78/+M9Y8/naOW+UxZAy8BGrcpjM27sLHU0K+qxLRFw36Xlgur2+lEiSVt0F2iPpbAiJug3hUQTx2K3gkMG36auVsgrWvK9Q==

This file has a single line, with two (or three) values space-separated. The second field is the Base64 representation of the public key itself, which we’re extracting using awk '{print $2}' (although we could have done this with other commands, such as cut -d' ' -f2). Once we have that field, we convert it from Base64 back into raw binary with base64 -d. Then we pass the binary key through sha256sum, which will produce two fields, a hex-encoded fingerprint and the filename (which is just ‘-‘ for standard input), and through awk again to select just the first field. xxd is used to convert the hex-encoded data back to binary again, and finally base64 gives us the same encoding that the openssh tools present.

Why bother with all that? Well, remember that the requirement to verify a server’s ssh fingerprint should not be carried out over ssh itself. I get my servers to write their ssh fingerprints into the /etc/issue file, and this is displayed on the server console by default along with the login prompt. So I can always validate the ssh keys using something that isn’t ssh …

Denial of Service (DoS) attacks are situations where an IT system is deliberately overwhelmed to a point where normal activity is no longer possible. A DoS attack usually comes from a single source. Where the attack comes from many sources we call this a Distributed DoS, or DDoS.

DDoS traffic is usually sent from many computers from around the world. These computers will have been hijacked and grouped together into a botnet which are then controlled by the bad player. These computers usually have been compromised because security patches have not been applied.

For some time InfoSec people have been wondering what impact the Internet of Things (IoT) will have on things like DDoS. The IoT generally refers to all those everyday objects that can now connect to the Internet. Think CCTV, toys, nappies, cars, door bells etc.

At the KiwiCon conference last year in Wellington, and at other conferences,  some of the presentations talk about the security of various IoT devices. Some of the findings were

• Certain brands of car immobilisers could be activated by other people by attacking the website where the device was registered. This was particularly concerning for those vehicles that could have the fuel system shut down. Imagine suddenly running out of fuel while in the middle lane of a motorway doing 110 km/hr!
• Home security devices being sold in NZ could be controlled by other parties.
• Baby monitors can be listened into, and worse.
• Barbie Dolls are relatively hard to take over.

So are the IoT really a problem? In late September a DDoS attack was launched against a well known security writer. The attack forced his website off line for a time by the huge volume of traffic sent to it. What is interesting is that most of the devices involved in the attack were on line cameras (it is estimated that about 1.5 million cameras were involved).

The security issues with the IoT may well turn out to be a bigger problem than Y2K. When preparing for Y2K it was possible to identify likely systems that needed fixing, and then update them. In the end a Y2K disaster was avoided since we understood how to fix the problems.

The problem with IoT is that we cant identify and/or fix most of the devices. Few manufacturers of an IoT device include options for efficiently getting updates onto the device. Almost no one will commit to providing support for any set time. For most devices, if there is a significant security issues with them, it will be a case of throwing them away.

So this comes back to the original question. Can my light bulbs DoS me?

Well, the current versions probably cannot launch a co-ordinated network attack, which is good. However, a bad player may well be able to take control of your light bulbs. Think about the result of all your lights coming on at 3 am. Perhaps we should call this a DoSl (Denial of Sleep).

What to do? Some of the functionality of some IoT devices is truly exciting. We are going to see more and more options out there. When buying these devices we need to start thinking about the impact if things go wrong. Ask the retailer about security updates. If updates are available ask for how long support will be provided.

Finally, be prepared to throw the device away. This may end up your only option.

In March this year I wrote about the upswing in ransomware attacks. Well since then we have seen even more attacks. Unfortunately some people have been caught out by the attackers and have had files encrypted.

Luckily everyone so far has been able to restore their data from backups and other sources.

The criminal gangs running these attacks are constantly looking for new ways to get results. Recently they used a flaw in certain types of Word docs. These were Word files with macros in them. Once we worked out what they were up to we started using our spam management system PureMessage to quarantine all these Word files with macros (these have a docm suffix). Only a few genuine files were quarantined and they were still available to the user.

During August we quarantined about 150 000 docm files.

Since then we have seen a decline in the use of docm files but a large increase in zip files. Zip files are a convenient way to bundle together a number of files in a compressed format that makes them easier to distribute.

During the first 12 days of September we quarantined about 1.5 million zip files. Almost all of these had some sort of malicious content.

Dealing with these ongoing attacks is a team effort and we all have a part to play. Remember if something looks suspicious then get someone to check it out.

Passwords and password memorisation simply stated is a chore and many people reuse the same password for multiple services to avoid having to remember them. Enter password managers. I am not going to review them in this post, rather point you to a lifehacker article that does a decent job of reviewing them.

The summary is to use one that meets you needs rather than re-use the same password. If you go the next step, you can then store your password file (which should already be encrypted) on an internet facing service such as the Otago Syncplicity service where it will be available to you from anywhere on the internet.

Oracle Fixes 40 Vulnerabilities in Java.
On Tuesday, June 18, Oracle issued a Critical Patch Update for Java 7 for Mac and for Windows. There are 40 security issues fixed as well as enabling online certificate revocation checking by default. On the same day, Apple issued an updated version of Java 6 for OS X Snow Leopard, Lion, and Mountain Lion. Snow Leopard users cannot upgrade to Java 7.

http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-java/
http://www.scmagazine.com//oracle-releases-java-update-to-close-37-high-risk-vulnerabilities/article/299264/
http://www.computerworld.com/s/article/9240173/Java_7_Update_fixes_40_security_issues_turns_on_certificate_revocation_check?taxonomyId=17
http://www.computerworld.com/s/article/9240171/Apple_pours_OS_X_Snow_Leopard_another_Java_fix?taxonomyId=17

With the Christmas just around the corner many people will be ordering from overseas. As part of the online ordering process many companies use email to confirm orders and provide updates. The spammers know this and take advantage of the increase in this type of email by sending out their “ware” hoping to catch people. Most anti-spam systems do a very good job of blocking these, but some still gets through.

The common thread among phishing emails to watch out for include:

unfamiliar transaction report from a familiar business
an attachment with no explanation in the message body
“phishing” or asking for your email password
asking you to “log in” to obtain something

Looking into the messages’ headers can prove helpful but this is a little more technical and is best covered elsewhere. So enjoy the festive season and remember not to respond to emails from companies that you didn’t ordered from.

I came across this phish the other day and it is quite compelling. It seems that resorting to sarcasm is the latest social engineering attack for luring users into supplying their credentials:

Do you think we are joking, the username and password which you provide is not correct, we are contacting you to inform you that your <domain> mailbox has exceeded to 90% of its quota. And when it reaches 100%, new messages will be rejected and bounce back to the sender. To avoid missing mail, please keep your mailbox at a reasonable size. Fill the below: provide the below completely and correctly, because the info you provide to us we can’t reset your <domain> because is not the correct info. Note we are contacting you for the last time.

User name:
Password:
Retype Password:
Date of Birth:

The reply to email address was obviously not from within the organisation. I am pleased to say that no Otago users responded.

One of the most important protections against malware is to have up-to-date versions of software in use. The base OS and some applications are very good at checking and updating themselves, but there are lots of applications that leave it up to you to check; and who has time for that?

The security services company Secunia has recently updated their Personal Software Inspector application, and you can find the v3 beta version available free of charge at https://secunia.com/psi_30_beta_launch/

This app scans your Windows PC, looking for outdated software; it then downloads and installs the updates for you. I have a Windows virtual machine here that I occasionally use, and it has very little installed on it at all; PSI still found updates for Firefox, Opera and most importantly Adobe Flash!

If you are responsible for maintaining the state of your own Windows PC, I’d recommend adding Secunia PSI to your toolbox.