Kicking the Certificate Habit →
Dr. Jaap-Henk Hoepman's security posts (via his blog), detailing his provocative yet fundamentally sound proposal to stop using certificates altogether, are today's absolute MustRead.
The basic idea - A few days ago I explained the idea including a mechanism to detect phishing attacks. This makes the protocol more complex, and creates confusion. So let’s try again, explaining the basic idea first. Whenever a browser sets up a new TLS connection with a domain, the web server serving that domain responds with its public key (instead of a certificate, as is currently the case) in the initial TLS handshake. (This is more precise than saying that the web server sends its public key in the header of every page it sends.)... Read more at Dr. Hoepman's blog
Goatse of Cloudbleed →
Via the eponymous PhoneBoy blog comes its author's take on the latest security foible of a major backend provider (in this case Cloudflare). Entitled 'Cloudflares with a Chance of Goatse', Mr. Welch-Abernathy's post explains it all in inimitable form. Today's MustRead.
Mozilla Firefox Certificate Cache Coughs Up Credentials →
Meanwhile, in cruft news...
A Tale of Cruftery
First discovered by security researcher Alexander Klink and discussed on his 'shift or die' blog, the documentation of the leak he has amassed is a tour de force in the correct handling of a discovery. Mozilla's response has been a tad lackadaisical and (disappointingly) still in telemetry data gathering mode as of this post.
The Workaround
Superb work by Alexander; nonetheless, he does suggest regularly cleansing your browser user profile (if you are so unlucky as to be using the browser under scrutiny; most likely a good idea on any browser). There are many tools available that deal with the cache cleaning task (scripted and manual, GUI-based and not, built-in and otherwise). Enjoy the cruft. H/T
Fingered →
Relatively new fingerprinting techniques were brought to my attention last week (H/T) that (reportedly) focus on identifying browser users and their usage across multiple application deployments. Enjoy.
DNSChanger, Redux →
Apparently, DNSChanger has reared its pernicious head again, infecting large numbers of unwary users and delivered via malware code hidden steganographically within banner ads on major news sites... This time, The Hacker News reporter Swati Khandelwal brings the bad news of both the vector and the attack.
Blind XSS →
From BruteLogic (via Firewall Consultant's Trey Blalock) comes this treatise on Blind XSS.
95 Percentile →
Reported by SecurityWeek comes the revelation that 95% of all HTTPS servers do not deploy HTTP Strict Transport Security (aka HSTS).
As Netcraft’s Paul Mutton explained in a recent blog post, these vulnerabilities can be exploited in phishing, pharming and man-in-the-middle (MiTM) attacks when a user unintentionally attempts to access a secure site via HTTP, meaning that the attacker does not have to spoof a valid TLS certificate to be successful. These attacks are easier to carry out than those targeting TLS, such as the DROWN attack. - via SecurityWeek
Verizon's Cookie
Mozilla Privacy Fix, Too Late?
The always erudite Richi Jennings, writing at Computerworld, expounds on the apparent longevity (or not) of the Mozilla Foundation's Firefox web browser and its privacy quotient. Today's Must Read.
Mozilla To Release Track Protection →
Via Martin Brinkmann at the extraordinary gHacks blog comes word of the Mozilla Foundation's Firefox anti-tracking components, slated for release in Firefox Stable 42 on November 3rd, 2015. Outstanding!
Mozilla Privacy and Security Settings →
Via gHacks comes this superlative compendium of Mozilla Firefox security- and privacy-related settings, all conveniently packaged for ease of deployment. As with any modification of the platform you have chosen, examine the settings thoroughly, test exhaustively, and deploy with mindful caution. Enjoy.
Google Initiates Attack Site Reporting
Via Anthony Freed, writing at Norse Corporation's Darkmatters blog, comes this better-late-than-never tale of Google Inc.'s (NasdaqGS: GOOG) effort to warn users of attack sites before they open the miscreant's page.
Saturday Security Maxim
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: This is probably true because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Twenty Eight Teams Advance to CyberPatriot National Finals Competition →
News of the latest crop of secondary school cyber-defense teams advancing to the finals of the CyberPatriot National Finals Competition. CyberPatriot has additional information for those of you who wish to attend the live National Finals Competition from March 13th through March 15th, 2015, in National Harbor, Maryland. Congratulations to all!
GoDaddy, Compromised Again... →
What, really? Apparently GoDaddy security has failed to measure up yet again. Via Swati Khandelwal, writing at The Hacker News, comes the sorry tale of failed code (in the form of XSRF vulnerabilities), obviously failed quality control, and, on top of all that, no pre-deployment security checks. Astounding.