Link

19 Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technical:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis they didn’t support it any longer – there’d be class action suits almost immediately. The technology sector need to mature, and fast.

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The actual ways in which cryptography is implemented are often rife with issues. One has to ask why Cisco and other major companies’ products were vulnerable in the first place but, also, whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States of America’s government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed it would be a damning indictment of the adequacy of the current VEP protocols.

Link

Two critical bugs and more malicious apps make for a bad week for Android

Ars Technica:

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

The bag of hurt continues unabated.

Link

Turning security flaws into cyberweapons endangers Canadians, experts warn

Turning security flaws into cyberweapons endangers Canadians, experts warn:

“The Snowden docs demonstrate that CSE is active in identifying vulnerabilities,” Christopher Parsons, a post-doctoral fellow at Citizen Lab, told CBC.

“The fact that CSE identifies vulnerabilities and is not reporting them means users are not receiving patches in order to secure their networks.”

Parsons said this “creates a really dangerous scenario.”

“Canadians need to have a discussion about this. Do we want to live in a world in which we’re protecting our own citizens? Or should the priority of Canadian government organizations [like CSE] be first and foremost hacking foreign systems?”

Canadian politicians, judges, journalists and business leaders use smartphones vulnerable to the flaws now fixed by Apple — and to flaws still unknown. The country’s infrastructure is increasingly networked and vulnerable to sabotage by a foreign intelligence agency.

In such a world, Parsons wondered, does national security mean using security flaws against potential enemies? Or disclosing and fixing them?

“We haven’t had that debate in this country,” he said.

It’s increasingly looking like we are going to have the debate concerning whether the Canadian government should be stockpiling vulnerabiltiies or actively working to close identified vulnerabilties. Let’s hope that the debate tilts in favour of protecting the citizenry instead of leaving it vulnerable to domestic and foreign attackers.

Link

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes:

When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.