Lots of lost certificates
23,000 HTTPS certificates axed after CEO emails private keys | Ars Technica
The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec’s certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.
Strava loses the location of an army base
Strava released a heat map of where their users were running, swimming, and cycling as a marketing tool. They failed to properly anonymize the data and inadvertently gave away the locations of secret US army bases and some details about their users. This shows how difficult anonymization is. I think we could have helped Strava identify these risks before they released the data.
- Steve Loughran: Advanced Denanonymization through Strava
- Fitness tracking app Strava gives away location of secret US army bases | Technology | The Guardian
ML is still scary
Have I mentioned how scary Machine Learning is getting? Let’s recap:
- We can create audio that simulates anybody’s voice, based on a few samples
- We can use ML to face swap photos and videos
- Faceswapping, Unethical Videos, and Future Shock - YouTube
- Family fun with deepfakes. Or how I got my wife onto the Tonight Show – sven charleer
- New tool swaps Nicolas Cage with every actor in every film ever
Krebs talks about Jackpotting ATMs
Krebs on Security posts a lot about ATM insecurities, but he’s now talking about “Jackpotting” ATMs in the US. In this crime, malicious software or hardware is installed on the ATM to force the machine to spit out huge amounts of cash. Our embedded security services could help defend against an attack like this. There are two sides to defending against it: the software protections that need to be in place, and the physical ones (most attacks require the attacker to plug in an Ethernet cable or a keyboard to initiate the attack).
First ‘Jackpotting’ Attacks Hit U.S. ATMs — Krebs on Security
Blockchain
No, You Probably Don’t Need a Blockchain - Ashton Kemerling
Have I Been Pwn’d?
Troy Hunt: I’ve Just Launched “Pwned Passwords” V2 With Half a Billion Passwords for Download
This is truly an exceptional resource for checking emails, passwords, and getting breach notifications.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. - NIST
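One way a verifier can meet that NIST requirement with the Pwned Passwords download, as an added example that is not code from the original post or from Troy Hunt’s service. It assumes the download’s line format of uppercase SHA-1 hex, a colon, and a breach count, and it simulates the prefix/suffix split used by the service’s k-anonymity range lookup locally so the whole thing runs offline; the sample lines and counts are constructed here, not real data.

```python
import hashlib
from typing import Dict, Tuple


def sha1_hex(secret: str) -> str:
    """Uppercase hex SHA-1, the key used in the Pwned Passwords download."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a few lines of the downloaded list ("HASH:count").
# Generated at runtime so the example runs offline; counts are made up.
SAMPLE_LINES = "\n".join(
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password", 3000000), ("123456", 20000000), ("letmein", 200000)]
)


def load_compromised(text: str) -> Dict[str, int]:
    """Parse 'HASH:count' lines into a lookup table, skipping blank or malformed lines."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        digest, count = line.split(":", 1)
        try:
            table[digest.upper()] = int(count)
        except ValueError:
            continue  # ignore a corrupt count rather than abort the whole load
    return table


def range_query(prefix: str, table: Dict[str, int]) -> Dict[str, int]:
    """Server side of a k-anonymity lookup: every suffix sharing a 5-char prefix."""
    return {h[5:]: c for h, c in table.items() if h.startswith(prefix.upper())}


def check_memorized_secret(secret: str, table: Dict[str, int]) -> Tuple[bool, str]:
    """Reject a prospective secret that appears on the compromised list.

    Only the 5-character prefix is sent to the lookup; the remaining 35
    characters are matched on the verifier side, so the full hash never leaves it.
    """
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    hits = range_query(prefix, table)
    if suffix in hits:
        return False, f"seen in {hits[suffix]} breaches; choose a different secret"
    return True, "ok"
```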
AWS S3 buckets
A friend of mine, craSH, was asked recently what the number one mistake companies are often making right now for AWS security. His response was insecure configuration of S3 buckets - we’ve seen dozens of cases where this has been breached lately, e.g.:
- Verizon: https://www.upguard.com/breaches/verizon-cloud-leak
- Experian: https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/
- Accenture: https://www.upguard.com/breaches/cloud-leak-accenture
- US Army Intel: https://arstechnica.com/information-technology/2017/11/army-red-disk-intel-sharing-system-left-exposed-in-open-aws-data-store/
- Many others, more every day: https://www.tripwire.com/state-of-security/featured/preventing-yet-another-aws-s3-storage-breach-with-tripwire/
Posted By: Joe Basirico