Let's Encrypt completes huge upgrade, can now rip and replace 200 million security certs in 'worst case scenario'
Plus: SentinelOne picks up Scalyr, fatal flaws in TCP, and a view on Supermicro
In brief: Internet Security Research Group nonprofit Let's Encrypt has massively upgraded its certification hardware and software so that it can revoke and reissue all its certs in less than 24 hours.
Last April the certificate authority was forced to kill three million HTTPS certs, about 2.6 per cent of its 150 million live certificate base, after a bug was found in its automated certificate management environment. That caused some head-scratching.
"What if that bug had affected all of our certificates? That's more than 150 million certificates covering more than 240 million domains," said Let's Encrypt exec director Josh Aas. "What if it had also been a more serious bug, requiring us to revoke and replace all certificates within 24 hours? That's the kind of worst case scenario we need to be prepared for."
After upgrading its network to fiber and replacing aging Intel big iron with the latest AMD Epyc chip, not to mention some cunning software changes, Let's Encrypt now says it can revoke and replace 200 million certificates in less than 24 hours, should a catastrophic security failure occur.
SentinelOne scoops up threat-data speedsters from ex-Googlers Scalyr
Machine-learning security specialist (and apparent bane of RIM) SentinelOne has splurged $155m in cash and equities for 10-year-old startup Scalyr to try to speed up operations.
Scalyr was co-founded by former Google Docs architect Steve Newman after the Chocolate Factory bought his nascent cloud word processing biz Writely in 2006 and turned it into the G Suite we know and scream at today.
Newman set up Scalyr to apply the skills he'd honed in high-speed data analysis, and SentinelOne wants to use the technology to trawl through its vast pools of threat data quickly and smartly.
"We built Scalyr to solve critical data challenges for a cloud-first world," said Newman. "I'm excited for the Scalyr team to become part of SentinelOne and solve one of the world's most pressing big data problems – cybersecurity."
TCP looking sickly
Nine out of 11 major TCP/IP stacks tested by security shop Forescout carry fatal flaws that would allow an attacker to perform a man-in-the-middle attack, according to a report out this week.
The vulnerable stacks, predominantly used in IoT devices, are TI-NDKTCPIP, cycloneTCP, uC/TCP-IP, FNET, picoTCP, uIP, MPLAB Net, Nut/Net and Nucleus NET, with only lwIP and Nanostack proving solid under testing. All the failures stemmed from problems with Initial Sequence Number (ISN) generation. ISNs are the randomised values that stop TCP connections colliding and keep an attacker from guessing a connection's sequence numbers.
"Most vendors have already issued patches and/or mitigation recommendations to users," the team said, adding that the flaws had been disclosed in October. "The developers of Nut/Net are working on a solution, and Forescout has not received a response from the uIP developers."
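An added illustration of the ISN issue described above (not code from Forescout's report or from any of the stacks named): a predictable fixed-step generator next to the RFC 6528 construction, ISN = M + F(4-tuple, secret), with a check that flags constant spacing between observed ISNs. The fixed-step scheme, the use of HMAC-SHA256 as F, the key and the addresses are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time
from ipaddress import ip_address

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def weak_isn(conn_index, step=64000):
    """Constructed weak scheme: a global counter bumped by a fixed step per
    connection. Not taken from any stack named in the report."""
    return (conn_index * step) % MOD


def rfc6528_isn(secret, local_ip, local_port, remote_ip, remote_port, now_us=None):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    m = (now_us // 4) % MOD  # M: timer that ticks every 4 microseconds
    four_tuple = (ip_address(local_ip).packed + struct.pack("!H", local_port)
                  + ip_address(remote_ip).packed + struct.pack("!H", remote_port))
    # F: keyed PRF over the 4-tuple. HMAC-SHA256 is this example's choice.
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (m + f) % MOD


def constant_step(isns):
    """True if at least three ISNs are spaced by one fixed delta mod 2**32,
    i.e. the next value follows from the last two."""
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return len(isns) >= 3 and len(deltas) == 1


def sample_isns(secret, count=5, now_us=1_000_000):
    """ISNs one server would hand to `count` clients at the same instant
    (constructed documentation addresses)."""
    return [rfc6528_isn(secret, "192.0.2.10", 80, "198.51.100.%d" % (i + 1), 40000, now_us)
            for i in range(count)]


if __name__ == "__main__":
    key = b"\x01" * 16  # constructed key; a real stack draws it from a CSPRNG at boot
    print("weak constant step:   ", constant_step([weak_isn(i) for i in range(5)]))
    print("rfc6528 constant step:", constant_step(sample_isns(key)))
```

Within a single 4-tuple the RFC 6528 value still advances with the clock, which is intended; the per-connection offset from F is what a host on a different 4-tuple cannot derive without the secret.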
The Supermicro case – a personal view
Three years after Bloomberg originally reported that Chinese spymasters were installing surreptitious silicon onto Supermicro motherboards, the story is back.
Despite some having claimed to have seen the silicon, or to have heard of its existence, we have yet to see a single chip that fits the bill, and Supermicro and others are adamant that the claimed issue doesn't exist.
If 15 years writing about IT security have taught this hack anything, it's that you can never rule out a really cunning hack. But, at the same time, the Sagan standard must apply – "Extraordinary claims require extraordinary evidence."
To date we've seen no hard evidence that the Supermicro story is true, and plenty of evidence to suggest that it might be a case of mistaken identity – maybe the subversion of an existing chip via a firmware flaw that got misunderstood. We shall, hopefully, see.