Mini-Heartbleed info leak bug strikes Apache, airborne malware, NSA algo U-turn, and more

The security week in review

Roundup As ever, it's been a doozy of a week for cybersecurity, or lack thereof. The Equifax saga just keeps giving, the SEC admitted it was thoroughly pwned, and Slack doesn't bother to sign its Linux versions. We do spoil you so, Reg readers. And that was only yesterday. Here's the rest of the week's shenanigans we didn't get round to.

US snoops give up fight over encryption algorithms

The NSA has backed down on its efforts to push for two encryption algorithms to become worldwide standards, following pressure from crypto-gurus. It was feared by various nations – including Germany and Japan – that Uncle Sam's spying nerve-center was championing the global use of the data-scrambling methods because it knew exactly how to crack them. Therefore, it could decode data and communications secured by the two techniques.

The pair of algorithms are the Simon and Speck lightweight block ciphers. Now only the most toughest forms of the pair of mechanisms will be put forward to the ISO encryption standards body as these are unlikely to be defeated by the NSA's supercomputers any time soon.

It's basically a replay of the Dual EC DRBG shenanigans from a couple of years ago. That was an algorithm heavily advocated by the NSA and it turned out to be suspiciously flawed, allowing spies to crack encryption relying on the random number generator.

“I don’t trust the designers,” said an Israeli delegate to the ISO body regarding Simon and Speck. "There are quite a lot of people in NSA who think their job is to subvert standards."

Japanese finance house floored by DDoS

Japanese finance house Hirose FX was subjected to a DDoS attack on Monday. The assault affected the corporate website, as well as Hirose FX's trading tools.

Logging into the platform and accessing the website were hampered for more than an hour on Monday morning, according to reports.

Core blimey

Adaptive access control firm SecureAuth announced plans to merge with vulnerability discovery outfit Core Security on Wednesday. The plans are dependent on US regulatory approval, but would create a merged company with 1,500 customers and 360 employees worldwide.

By bringing together network, endpoint, vulnerability, and identity security, SecureAuth (headquartered in Irvine, California) and Core Security (headquartered in Roswell, Georgia) plan to combine their efforts to create an "identity-based security automation platform."

Bleeding 'ell

A Heartbleed-style bug has surfaced to menace Apache installs.

The Optionsbleed vulnerability in Apache Web Server is triggered by making HTTP "options" requests.

Like Heartbleed before it, the vulnerability can leak an affected (Apache) server's memory. Fortunately the flaw has been patched. A deep dive into the issue can be found in a post by security veteran Paul Ducklin on Sophos's Naked Security blog here.

AI surveillance peril

As AI and the IoT enable the collection of massive amounts of personal information, there is a risk that without appropriate safeguards and user control, a "surveillance society" could emerge, warned a report by the Internet Society out this week.

The non-profit's Global Internet Report, which looked into how the internet might impact society over the next five to seven years, warned that cybersecurity issues will "pressure governments to take decisions that could erode the open and distributed global governance of the internet," threatening personal freedoms and rights in the process.

CCTV spooknet

Security cameras infected with malware can receive covert signals and leak sensitive information from the very same surveillance devices used to protect facilities, Israeli boffins have demonstrated. The method, according to researchers, will work on both professional and home security cameras, and even LED doorbells, providing that devices work in the infra-red spectrum.

The same technique dubbed "aIR-Jumper" also enables a mechanism to create a covert, bidirectional, optical communication between air-gapped internal networks. The study was put together by a team of researchers from Israel's Ben-Gurion University of the Negev led by Dr Mordechai Guri.

A video put together by the team shows the camera infected with malware responding to covert signals by exfiltration data, including passwords and selected passages of the book The Adventures of Tom Sawyer.

Youtube Video

Hacking into air gapped networks is not new in itself, but the Israeli team's research is still noteworthy in exposing another potential route into systems. ®

Similar topics

Other stories you might like

  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022