FBI iPhone hack lost forever, White House mobe compromised, SSH – and plenty more
Plus: How SEC's IT staff begged for more cash
Roundup Another week draws to a close so it's time to review the security news you may have missed in between the big hitters: the NSA contractor who leaked more exploits, Apple's encryption password blunder, and so on. This week we've seen bugs, hacking, and government silliness – take a look...
Computerinsel PhotoLine full of bugs
Researchers at Cisco's Talos security team have found a series of vulnerabilities in German image manipulation software Photoline.
Hackers could get remote code execution by sending in a specially crafted .gif and do the same with TARGA graphics files. The flaws appear to be in PhotoLine version 20.02 but may also affect earlier versions.
Juniper corrects world's least secure comma
Networking hardware vendor Juniper has removed a comma from this 2015 security advisory regarding a "denial of service due to maliciously crafted uBFD packet" problem.
As the update dated 2017-09-28 records, the gin palace has "removed a comma from paragraph for clarity". The paragraph now reads "received directly via VPN, MPLS". It previously read "received directly, via VPN, MPLS".
SSH 7.6 drops support for SSHv1, splats bugs
Sysadmins and developers alike, pay heed: the folk who tend SSH have pushed out a new version with a bunch of security patches and bug fixes.
Calling the release "primarily a bugfix", the maintainers also note that OpenSSH 7.6 "contains substantial internal refactoring".
Those deploying or writing to 7.6 are given notice of five details that might break existing implementations: SSHv1 support is gone, as is support for the hmac-ripemd160 message authentication code (MAC).
The deprecated arcfour, blowfish and CAST ciphers have been consigned to memory, RSA keys less than 1,024 bits long will be refused, and CBC (cipher block chaining) will no longer be offered by default.
The other security change plucked out by the developers relates to the SFTP server: "In read-only mode, sftp-server was incorrectly permitting creation of zero-length files," which is now fixed.
Other bug fixes and new features are listed in the release notes linked above.
SEC security team begged for funds before hack
Everyone knows the IT department always get blamed for hacking incidents – in some cases rightly. But leaked memos from the SEC show system administrators knew there were security issues at the agency but lacked the funds to do anything about it.
The head of the US financial watchdog's Digital Forensics and Investigations Unit officially complained that his department's budget of $100,000 was half a million dollars short of what was needed. However, his request was blocked and two months later the SEC was forced to admit that it had been comprehensively pwned.
Germany drops NSA spying investigation
The German authorities have dropped a two-year investigation into allegations that the UK and US intelligence agencies were spying on the German chancellor Angela Merkel.
The claims cause a massive row between the US and its allies after it was claimed that the personal phones of politicians were under surveillance. It's a touchy topic in a country whose Eastern side suffered decades of massive surveillance by the state.
"The prosecutors' investigations and the investigation by the NSA parliamentary committee have found no tangible evidence that US or British intelligence agencies undertook systematic and mass surveillance of German telecommunications and internet (usage) that is against the law," officials said.
FBI's secret iPhone hack won't be revealed
The hacking technique purchased by the FBI to unlock a murderer's iPhone won't be revealed, a US court has ruled [PDF].
After the San Bernardino shooting the FBI bought in a third-party supplier to break into the iPhone of one of the shooters. They reportedly paid $1m for the technology but this was never confirmed and Associated Press and other news organisations sued to find out how it was done. They lost and now we're unlikely to ever know.
US chief of staff's phones hacked
US government officials report that the personal phone of White House chief of staff John Kelly had been hacked.
Kelly asked White House IT staff to look at his smartphone after he complained that it wasn't updating and kept crashing. They found it had been compromised, possibly as early as last December.
A White House spokesperson said that Kelly had not used his personal phone for official business and had relied on government-secured hardware and software. So that's all right then.
More on Broadcom SoC hacking
For those following Google Project Zero's epic efforts compromising Broadcom Wi-Fi chipsets, Gal Beniamini has provided a lot more gory detail into how to hack systems-on-chip. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust