Security Now 287


It's time for Security Now!. My goodness, we've got a lot to talk about, including Steve's new volume sci-fi opus; lots of security news, including an IoT company that's completely out of control. And then at the end, I promise, and I know this because I'm speaking to you from the future, Steve will cover protecting your privacy as you surf online. A really great how-to, coming up next on Security Now!. This is Security Now! It's time for, you got it, Security - well, because you downloaded it - Security Now!

And we're going to do that this week, I promise you, with Security Now! Well, we tried to get to our main topic last week, proactive privacy. And as everyone knows, we spent two hours getting right up to the line. But I didn't want to shortchange the topic because I know it will be of interest to our listeners.

In fact, there's already been some industry events that have followed on from what Congress has done. So anyway, today's title is "Proactive Privacy, Really." And while I was putting the show together, it was funny, too, because people were still sending me topics and ideas and "Oh, Steve, did you see this?" But we do have a bunch of fun stuff to talk about.

Symantec has found 40 past attacks which are explained by the Vault 7 document leaks. We're facing an incremental improvement in forthcoming CA, that is, Certificate Authority certificate issuance integrity, which is hopeful.

Today is Patch Tuesday of April, and Microsoft patched in today's patch a very worrisome zero-day vulnerability in Office that was being exploited in the wild. We'll talk about that. There's a new bot in town that has been named Brickerbot.

We're going to address the question of why you really need to secure your DNS registrar and how a Brazilian bank found out what happens if you don't. The present danger of fake VPN services. An older edition of Windows today hit its end of patch life. We've got some closing the loop feedback from our listeners; a little bit of miscellany; and then, as promised last week and delivered this week, a comprehensive survey of privacy-encroaching technologies and what we can do to limit their grasp.

So I think another great podcast. And of course today is the day that Microsoft starts rolling out the Creators Update for a lot of people. So it's not only a Patch Tuesday, but some people will start getting the Creators Update, and over the next few days you'll be getting a Windows 10 Creators Update.

I know you won't be, but - Well, it's just, you know, I warn you because probably next week and the week after and the week after we might have some other things to talk about having to do with Windows. So we have a really great Picture of the Week. I just got the biggest kick out of it. This shows two tweets.

Tavis Ormandy first tweets: Let me ... if you want to catch up. Although I doubt that that's actually how LastPass feels. I'm sure they're grateful to Tavis.

So Reuters picked up the news that Symantec had said to them, essentially in a press release, although they weren't naming the CIA as a function of their corporate policy not to do so, they had, after Symantec looked over the Vault 7 document leaks, things clicked into place, and they were able to go back and look at data that they had captured of previous attacks where they hadn't known exactly what was going on. And in 40 different instances, that is, cyberattacks against at least 40 organizations around the world, they found that the tools referenced in the leaked WikiLeaks documents that are ascribed, believed to be legitimately from the CIA document trove, matched perfectly the attacks that they had no attribution for until now.

So it shouldn't come as a surprise. And these 40 corporations that were attacked by these were spread out around 16 countries. So just sort of an interesting data point, that this is what we would expect.

And props to Symantec for being in the business, having their feelers out, collecting this sort of data, and then saying, you know, we ought to take a look at the stuff we've collected in the past and see if any of this now makes more sense.

And they found out, yes, apparently, indeed it does. So Symantec probably has contractual security relationships with companies all over the place? And so they've got their monitors and probes in those networks. And so they're collecting data and archiving it in order to understand what's going on.

You have to wonder if they went to those companies and said, hey, by the way, you know that attack? That was the CIA. So we've talked endlessly about certificate authorities, about how we've got kind of this creaky system that's the best that we know how to put together at this point, given the technologies and tools that we have, that essentially allow two parties that have never met before, meaning a server and a client, to arrange at least a one-way trust relationship - that is, for the client to be able to know that it is actually connecting to the server it believes it is thanks to a third party, the third party being the certificate authority, where the server has proved its identity to the certificate authority and the certificate authority has given the server a certificate, essentially an identity assertion certificate, which it gives to the browser.

The browser then is able to verify the authenticity of the certificate by checking its signature, which can only be created, thanks to the magic of crypto, by that certificate authority, which thus proves through this chain that at one point the certificate authority was convinced that the server was who they said they were.

So that's the system. Unfortunately, there are all kinds of ways this can break. And we've talked about many of them. Our old-time, long-time listeners will remember the podcast where I had a meltdown when I looked at the size of the certificate authority root store in Windows because I remember when it was 11 trusted CAs, and it was like - It was like, what has happened?

Because the nature of the system I just described means that anyone can sign a certificate for any server. And if you trust the signer, then you trust the server. And so that can create a problem with abuse. And, well, for example, we have seen situations where a fourth certificate authority - that is, not a first, second, or third party, but a fourth party, someone completely unrelated - issued a certificate for, for example, Google.

And we trust it because we trust all the certificates that party issues. So the problem that any of the hundreds of certificate authorities we trust can sign a certificate for any domain, that's an aspect of frailty in our system.

Just last week an RFC that's been in the process for four years was formalized, and the CAB, the Certificate Authority Browser forum, or consortium, has formally required that, within six months, by September, all certificate authorities must honor a new record type for DNS. We've talked about DNS. Eventually people will just give up or run out, and they'll have no choice.

We don't have that now. So that represents a weak link in our existing system. But the reason I'm so excited about DNS is that it is, once it's secured, it's this otherwise very well-designed hierarchical caching directory. And you can put all kinds of stuff in it, not just IP addresses. But, for example, we're already storing text records to use for helping to diminish spoofing, where for example the DNS says for an email server that valid email from, for example, GRC.

And so somebody receiving email that wants to make sure it's not spoofed can make a DNS text record query for the SPF record and get what I am publishing as the only valid source for email from GRC. Well, what is coming is known as the CAA record - and so the typical IP is an "A" record, an address record. And what this is, it's very much like the antispoofing for email, where the domain owner, like GRC.

And of course my CAA record will say DigiCert. And so what this does is it publishes the name of my authorized certificate authority, who is the signer for my certificates. There's no enforcement here, but what this does is the CAB Forum is saying that within six months all certificate authorities must query a domain that they are being requested to issue a certificate for, for the CAA record.

And if that specifies a certificate authority other than them, they must decline the certificate. So essentially it's a way of authorizing who you want to be able to generate certificates for your domain. To the degree that that authorization is honored by other CAs, it will prevent a class of problems that we've had. It's not strong protection, and no way is it cryptographically amazing.

It's like a hint or a clue. It's, you know, this is who my CA is. And you can do a comma-separated list. You can also have a null list. You can do double quote, semicolon, double quote [";"] which means nobody is authorized to issue certificates for the moment. In which case, after September, or actually at any time that you're publishing a CAA record moving forward, if you yourself want to ask your CA to give you a new certificate, you'll have to put them in that record so that they can see they're authorized.

Once you've got your new certificate, you could change it back to a null list, which locks down any subsequent certificate issuance - but, again, for those authorities that follow it.

So this won't do anything to prevent deliberate malicious issuance of certificates. But again, it's something that is easy to be retrofitted in, which we normally have a problem with. It's having a hard time because we already have DNS.

IPv6 is having a hard time because we already have IPv4. Here we can just easily add this on. Everybody's got six months. There's an RFC that explains it.

There's a bunch of existing services that either have it already supported, or it's coming online. So there is a way to sort of override its lack of knowledge, sort of put in, like manually create a record entry, if your server doesn't support it. But I will be updating myself quickly, or soon, because it's just - it's time to.

I don't remember now what it was that I chose. But anyway, so just nice, backward-compatible, it's not going to end all the problems. But for well-meaning certificate authorities that don't know they should not issue a certificate for a domain, starting in September of this year, about six months from now, they will be forced to verify that they're not excluded from issuing a certificate based on the policy being published by that domain.

So I think it's a nice step forward.


It was the second show to premiere on the TWiT Network, launching in summer. Covered topics have included security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks, and virtual machines.

The podcast runs for approximately two hours, typically starting with security news. Then Gibson reads a testimonial for his software SpinRite. The remainder of the show is spent on a particular theme. During the show some advertisements for third-party commercial products or services are read out by co-host Leo Laporte. Bi-weekly "Mailbag" episodes answer questions and respond to feedback submitted by listeners.

In August, Security Now! Gibson claimed that while reverse engineering the Windows Metafile format, he could run arbitrary code by using a "nonsensical" value in the metafile, and concluded Microsoft had intentionally designed Windows this way so it could run code on Windows computers without the user's knowledge.
