Posts

Showing posts from November, 2015

Weekly Infosec News Brief: 24-30 Nov

Dell Laptops Shipped with Insecure Certificate Authority Installed Dell laptops shipped since this August include a pre-installed root certificate authority from Dell called "eDellRoot", together with the authority's own private key. Deleting the root certificate does not solve the problem, because the "Dell Foundation Services" Windows service re-installs it if it is removed. The Dell System Detect tool has also been found to install its own root certificate, again with the private key. Because the private keys ship with the certificates and the certificates are installed as trusted roots in the OS, anyone who extracts a key can sign certificates of their own, and the affected computers will accept them as legitimate for websites, drivers and other software. A root certificate in a client's trust store should never carry a private key, so the quickest check on a Dell machine is to look in the Local Machine Trusted Root store for an eDellRoot entry that reports a private key as present. Lenovo was found last year to similarly install a root certificate, with its private key, for the pre-installed Superfish software. Because of the difficulty of avoiding these typ

Weekly Infosec News Brief: 16-24 November

Growing Concern About Java Deserialization Bug as a Working Exploit is Demonstrated A long-standing weakness in how Java handles serialized objects is drawing renewed attention because of a practical exploit demonstrated by Foxglove Security last week. The issue potentially affects a large number of Java web applications, and has been shown to affect common middleware and application platforms including JBoss, WebSphere, WebLogic, Jenkins and OpenNMS. Whether a given application is exploitable depends on how it was built: it must deserialize data an attacker can supply (through ObjectInputStream.readObject or an equivalent) and have a usable "gadget chain" library such as Apache Commons Collections on its classpath, which is common. If your enterprise has any externally-exposed Java-based web applications, you should ensure your developers are checking for this flaw and that the dependency inventory is checked for the affected libraries. http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237 http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability Dell Laptops Shipped with Insecure Certificate Autho

Weekly Infosec News Brief: 9-15 Nov

Microsoft Issues Twelve Updates, Including Four to Fix Critical IE and Windows Vulnerabilities Last week, on “Patch Tuesday,” Microsoft issued a new batch of updates for its products. Four of these are classified as “critical,” including one for Internet Explorer, one for their new Edge browser (part of Windows 10), and one for the Windows kernel. The Internet Explorer vulnerability, MS15-112, is the most likely to be exploited in the wild, and should be a priority for organizations to patch as quickly as possible. The Windows patch, MS15-115, was modified and re-released on Wednesday after some users experienced problems following its installation. If you have not installed security update 3097877 yet, ensure you have the version from November 11th before installing. https://support.microsoft.com/en-us/kb/3097877 http://www.computerworld.com/article/3004464/application-security/four-critical-patches-for-november-patch-tuesday-update-core-windows-and-office-components.html http:/

Weekly Infosec News Brief: Nov 2-8

Microsoft to Start Blocking SHA-1 Certificates Earlier than Planned Following last month's announcement that the SHA-1 hashing algorithm is even easier to defeat than previously believed, tech companies are moving up their timetables to stop accepting certificates signed with the outdated algorithm. Microsoft is now following Google (Chrome) and Mozilla (Firefox) in announcing that its products will stop accepting SHA-1 certificates in June 2016 rather than at the end of 2016 as originally planned. Websites and applications still using SHA-1 certificates will soon trigger security warnings in the most popular browsers. The deadline concerns the signatures on leaf and intermediate certificates; the self-signature on a root certificate already in the trust store is not verified, so a SHA-1 root by itself does not cause a warning. You can check your site's certificate (or other sites' certificates) at Qualys' SSL Labs. http://www.computerworld.com/article/3001681/security/microsoft-follows-mozilla-in-considering-early-ban-on-sha-1-certificates.html Flaw in TrueCrypt Software Allows for Potential Full System Compromise TrueCrypt is a popular tool available

Weekly Infosec News Brief: Oct 26 - Nov 1

Google Gives Symantec an Ultimatum on Certificate Security Procedures Last Thursday, Google laid out several conditions to Symantec regarding the transparency and security of its certificate authority operations. The ultimatum comes after Google's discovery in September that Symantec had issued several unauthorized test certificates for Google domains. Google stated that if its conditions are not met, it may begin showing warnings in the Chrome browser, and/or in search results, for sites using Symantec-issued certificates. Symantec purchased VeriSign's certificate business, until this year the largest issuer of security certificates, in 2010, and remains one of the most widely used and trusted issuers of certificates for validating websites and software, as well as for enabling encryption. These certificates are the foundation of many security functions, so if they are not issued in a trustworthy fashion the reliability of many controls suffers. http://www.computerworld.co