Tag Archives: crypto

Security News for the Week Ending December 4, 2020

France Says it is Going Ahead with Digital Tax

France has been complaining that U.S. companies (mostly) have not been paying their fair share of French taxes, since they are not selling widgets that are delivered in France, so they came up with this digital tax, a 3% tax on digital services delivered in France. They held off for a while, trying to get some sort of international tax agreement, but that does not appear to be happening, so they are moving forward with the tax. It only affects companies doing business in France with revenue of more than 25 million Euros. Is this the wave of the future? Credit: Cybernews

FCC Chairman Pai to Step Down on Jan 20

Ajit Pai announced that he will step down from the FCC on inauguration day rather than having the new President fire him, which is almost guaranteed. Pai, a former telecom industry lawyer and lobbyist, said that he may try to create some rules in his remaining two months in support of the President’s efforts to hurt Facebook, Twitter and similar companies. Those rules would likely be reversed on the day after inauguration, so it is not clear why he would waste taxpayer money doing that, but that is Washington for you. Credit: CNBC

How Many Phishing Sites?

Since the beginning of this year, Google has flagged 46,000 web sites EACH WEEK as phishing sites. That is over 2 million so far this year, a 20% increase over last year, and the year is not over. Hackers can buy as many sites as they want, but, in part, they are looking for “look alike” sites – sites with a zero swapped for an Oh or an “L” swapped for a “1”. But they also just take over sites with bad security. There is almost no way to track that, but I can say from personal analysis that there are way more of the second kind than the first kind. Credit: KnowBe4
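As an added illustration (not part of the original post), here is a small defender-side check for the “look alike” class described above: fold the common character swaps (zero for Oh, 1 for L, “rn” for “m”) and see whether the result now contains a brand you want to protect. The brand list and sample domains are constructed, and the second-level-label assumption is noted in a comment.

```python
from typing import Iterable, List, Optional, Tuple

# Two-character sequences that read as one letter; folded before single characters.
SEQUENCE_CONFUSABLES = {"rn": "m", "vv": "w"}
# Single characters commonly swapped for a letter: "0" for "o", "1" for "l", etc.
CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def fold_confusables(label: str) -> str:
    """Normalise a domain label so that a swapped-character look-alike
    collapses onto the brand name it imitates."""
    label = label.lower()
    for seq, letter in SEQUENCE_CONFUSABLES.items():
        label = label.replace(seq, letter)
    return label.translate(CHAR_CONFUSABLES)


def registrable_label(domain: str) -> str:
    """Assumption: the brand sits in the second-level label. Without a public
    suffix list, names under suffixes like co.uk would need the third label."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(domain: str, brands: Iterable[str]) -> Optional[str]:
    """Return the brand a domain imitates through character substitution, or None.
    Names where nothing folded (exact brand, typo-squats, brand plus extra words)
    are a different class and are deliberately not reported here."""
    raw = registrable_label(domain)
    folded = fold_confusables(raw)
    if folded == raw:
        return None
    for brand in brands:
        if brand in folded:
            return brand
    return None


def scan_domains(domains: Iterable[str], brands: Iterable[str]) -> List[Tuple[str, str]]:
    """Run the check over a feed (e.g. newly registered domains) and list the hits."""
    brands = list(brands)
    return [(d, b) for d in domains for b in [lookalike_brand(d, brands)] if b]


# Constructed sample input: a mix of legitimate and look-alike names.
SAMPLE_DOMAINS = ["google.com", "g00gle.com", "paypa1-secure.net", "arnazon.co",
                  "example.org", "mail.micr0soft.com"]
BRANDS = ["google", "paypal", "amazon", "microsoft"]

if __name__ == "__main__":
    for domain, brand in scan_domains(SAMPLE_DOMAINS, BRANDS):
        print(f"{domain}: looks like {brand}")
```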

Docker Malware – It's a Thing

Docker containers are the darling of the development world – lightweight and easy to deploy; self-contained and OS agnostic, supported in the cloud – everything that developers want.

Three years after the first Docker malware showed up, it is now common. Malware gangs are now targeting Docker and Kubernetes.

Many of the attacks – surprise – are due to misconfigured Docker servers, leaving them exposed to attack. It appears that we in IT never learn. Just because tech is delivered slightly differently, the basics still apply.

To make a point, researchers looked at images publicly available in the Docker Hub. 51% had critical vulnerabilities and 6,500 of the images tested could be considered malicious.

You can wait until you are compromised or you can get ahead of the freight train. Credit: ZDNet and Dark Reading

Even Before Dust Settles on Swiss/CIA Deal to Subvert Encryption …. Another One

Even before all of the investigations into the CIA’s compromise of Crypto AG are complete – the CIA sold compromised encryption hardware to both our friends and enemies so we could spy on them – another story surfaces. Apparently Crypto AG was not the only one. Now the Swiss media is reporting that the CIA controlled another Swiss crypto company, Omnisec. The Swiss politicians are going crazy and calling for executions in the public square. Stay tuned, but assume your crypto has been compromised. By someone. Credit: Security Week

Password Reuse A Problem – 11 Million Ashley Madison Passwords Cracked Already

After the Ashley Madison breach, everyone breathed a sigh of relief because the passwords were encrypted with bcrypt. Bcrypt, as used by Ashley Madison, hashed the password 4,096 times. That calculation meant that even with fast computers it would take centuries to crack all of them.

Until a group of hobbyists – yes hobbyists, not professional hackers – discovered that 15.26 million of those passwords were also stored with an MD5 hash. These hobbyists decided to try to crack the MD5 hash instead of the bcrypt hash.

To add insult to injury, since the source code was released, the hobbyists were able to examine it and find two “bugs” in how Ashley Madison’s programmers did the MD5 hash.

The combination of all this makes it one million times easier to crack the Ashley Madison passwords.

The hobbyists have already cracked 11 million of them and expect to crack another 4 million in the next two weeks.

So, what is the moral of this story?  There are several.

  • For users, password reuse, even though it is convenient, is a really bad habit because if one site gets hacked, the hackers can get into other sites where the user used the same password.  We have seen this numerous times before.
  • If you were/are an Ashley Madison customer, change your password now and DO NOT reuse that password anywhere else.
  • Triage the web sites that you visit.  For the important ones (such as banking or credit cards), if you are reusing those passwords, change them now.
  • Finally, for programmers, an independent third party review of the security of your web site is a good plan.  This means an in depth review, including the source code.  Without an in depth review, reviewers would not have caught Ashley Madison’s use of MD5 or the programming shortcuts that they took that made cracking the MD5 hashes even easier than it would have been.
  • While I never suggest that security by obscurity is sufficient to protect your company’s crown jewels, not protecting your source code will make it easier for hackers to find flaws to use against you.  Ask the folks at Ashley Madison.
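The lesson for programmers, shown as an added example that is not Ashley Madison’s code: a slow password hash protects nothing if a fast hash of the same password sits in the next column. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here (an assumption, chosen so the example runs without third-party packages), and the “token” field is a constructed stand-in for whatever secondary value the MD5 was kept for.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count for the slow hash; stands in for bcrypt's 4,096-round cost
# in the story (assumption: PBKDF2 used instead of bcrypt for portability).
PBKDF2_ITERATIONS = 100_000


def _slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def flawed_record(password: str) -> dict:
    """Pattern to avoid: a slow, salted hash stored next to a fast, unsalted
    MD5 of the same password kept for some secondary purpose (hypothetical
    "token" field). The MD5 column is the weak link; the slow hash no longer
    protects anything."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pwhash": _slow_hash(password, salt),
        "token": hashlib.md5(password.encode("utf-8")).hexdigest(),
    }


def hardened_record(password: str) -> dict:
    """Only the slow hash is derived from the password. Any other secret the
    application needs is random and carries no information about the password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pwhash": _slow_hash(password, salt),
        "token": secrets.token_hex(16),
    }


def verify_password(record: dict, password: str) -> bool:
    """Recompute the slow hash and compare in constant time."""
    candidate = _slow_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["pwhash"])


def has_fast_hash_of_password(record: dict, common_passwords) -> bool:
    """Audit check for your own user table: does any field other than the
    slow hash equal an unsalted MD5 or SHA-1 of a common password? If so, the
    slow hash is moot and the schema needs the hardened layout above."""
    fast = {hashlib.md5(p.encode("utf-8")).hexdigest() for p in common_passwords}
    fast |= {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in common_passwords}
    return any(isinstance(v, str) and v in fast
               for k, v in record.items() if k != "pwhash")
```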

And given that nearly 100 gigabytes of data has been released so far (the hackers say that they have between 300 and 400 gigabytes and will release more), researchers and hobbyists are not done poring over that dump yet – not to mention future dumps, if they happen.  Don’t be surprised if there are more revelations.

We can use what we learn from this to make us safer.  OR NOT.

Food for thought.


Information from this post came from Ars Technica.