Redback Labs
Six Things to Watch for in 2016 (published 2016-01-04)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="cover" style="background-color: white; color: #222222; font-family: 'Open Sans', sans-serif; font-size: 14.6667px; letter-spacing: 0.293333px; line-height: 26.4px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">
<div dir="ltr" style="margin: 0px; outline: none; padding: 0px; vertical-align: baseline;" trbidi="on">
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 7.5pt; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 7.5pt; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberties put at risk by legislators pushing overbearing rules based on an underwhelming knowledge of computers, but hackers and security research were squarely in the crosshairs of government and law enforcement. It was a rough year.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">What’s ahead? Who knows? Who saw <a href="https://threatpost.com/security-researchers-wary-of-proposed-wassenaar-rules/112937/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Wassenaar</span></a> coming? Or Going Dark? Or <a href="https://threatpost.com/juniper-backdoor-picture-getting-clearer/115709/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">backdoors in enterprise networking gear</span></a>? Nonetheless, 2016 can be better with some prep work against a best guess of what we might be in for as the new year turns.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<br /></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Activism is Job 1</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Security researchers and advocates have certainly grown up in the last two years. Emerging from the shadows of SOCs and IT labs, researchers, spurred on by the assault on crypto, privacy and the overall integrity of legitimate hacking, have evolved into a tidy and effective group of activists. Hopefully this trend continues, because with legislators and law enforcement convinced that things like CISA and Wassenaar and exceptional access are good ideas, there need to be more voices from the security wilderness. Many of you have stood up and shouted about the lunacy of some of these ideas, and in the case of Wassenaar, for example, a spate of rational, well-thought-out comments put a <a href="https://threatpost.com/unusual-re-do-of-us-wassenaar-rules-applauded/114096/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">temporary halt to the U.S. implementation</span></a> of the rules. This was a victory that can be emulated on many fronts in 2016.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Securing Things</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Brush off <a href="https://threatpost.com/valasek-todays-furby-bug-is-tomorrows-scada-vulnerability/114620/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">securing the Internet of Things</span></a> as a fad, tomorrow’s problem, perhaps. But that’s foolhardy. Against the kicking and screaming of those who know better, we continue to embed tiny, networked computers in just about everything without clearly mapping out security and privacy implications. Just like mobile and client-server architectures before it, IoT has been rushed to market and security is flailing its arms desperately trying to catch up. Thankfully, we had our first inflection point in 2015 demonstrating the need to slow down—literally. Charlie Miller and Chris Valasek’s <a href="https://threatpost.com/chris-valasek-on-car-hacking/113917/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">car-hacking research</span></a> put a real face on the problem of IoT security. Their ability to remotely manipulate a moving automobile’s controls forced a <a href="https://threatpost.com/fiat-chrysler-recalls-1-4-million-cars-after-software-bug-is-revealed/113936/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">recall of 1.4 million vehicles,</span></a> and in the bigger picture, caused an entire industry to stand up and take notice.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">The Kids Are Not Alright</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><a href="https://threatpost.com/109921/109921/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Predicting at the start of 2015</span></a> that there would be a major health care data breach was a cakewalk. Five weeks into the year and we had <a href="https://threatpost.com/anthem-data-breach-could-affect-millions-of-consumers/110867/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Anthem</span></a>, and shortly thereafter <a href="https://threatpost.com/1-1-million-affected-by-carefirst-bluecross-blueshield-breach/112951/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">CareFirst Blue Cross</span></a>. Health care data is the new hacker black, and attackers are taking advantage of organizations still behind in <a href="https://threatpost.com/latest-bsimm-data-puts-health-care-back-of-the-pack/115085/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">securing patient data and electronic health care systems</span></a>. For next year, shudder to think it, but cybercrime is going to continue to target personal data in a big way and they’re going to go younger. 
We’ve already seen VTech and Hello Kitty breaches impacting the personal data of tens of thousands of children, giving hackers a long shelf life of identities to be exploited for fraud. Expect more of it in 2016.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Money On The Move</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Now that mobile payment services like <a href="https://threatpost.com/rich-mogull-on-apple-pay/108367/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Apple Pay</span></a> and Google Wallet have turned your smartphone into an extension of your wallets and bank accounts, expect hackers to turn out en masse against these systems. The juicy target for hackers may not be on the transaction side of mobile payments, but in the personal payment card data that lives on your device. An attacker with access to that data is a short hop away from being able to spoof your identity and payment data, and this is a shortcoming that needs to be addressed next year.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Bury The Ghosts of APTs</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Advanced persistent threats, a.k.a. sophisticated <a href="https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">nation-state sponsored targeted attacks</span></a>, a.k.a. China/Russia/the NSA, aren’t necessarily going away, but they are going to look different. Researchers at Kaspersky Lab say APT gangs are making strategic and tactical changes to their activities—likely since so many have been outed in the past 24 months. Expect to see more attacks with roots in memory-resident or fileless malware, Kaspersky says. APTs will be harder to detect because there will be fewer cookie crumbs for investigators to follow. The security company also said that APT gangs have likely invested enough in building custom malware and rootkits, and that commodity attacks will be repurposed more often.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<b style="background: transparent; border: none; font-size: 14.6667px; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Samy Time</span></b><span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 0cm; outline: none; padding: 0px; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-size: 12pt; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">Is there a more creative hacker than <a href="https://threatpost.com/how-a-10-usb-charger-can-record-your-keystrokes-over-the-air/110367/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">Samy Kamkar</span></a>? He’s been around for a long time, but it’s likely he’d be hard-pressed to remember a year when he had as much fun tackling new problems. Very few hackers can say their resume includes the use of a child’s messaging <a href="https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">toy to open garage doors</span></a> on a whim, or <a href="https://threatpost.com/ownstar-device-can-remotely-locate-unlock-and-start-gm-cars/114042/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">game vehicles’ OnStar systems</span></a> to gain persistent access to vehicles. Throw in his take on the <a href="https://threatpost.com/samy-kamkars-proxygambit-picks-up-for-defunct-proxyham/113832/" style="color: #2b5797; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;"><span style="border: 1pt none windowtext; color: #f22637; margin: 0px; outline: none; padding: 0cm; vertical-align: baseline;">ProxyGambit</span></a> attack, and Rolljam, another device that steals vehicular lock codes, and Kamkar had a busy year.
Predicting what’s next is a crapshoot, but nothing in the IoT universe seems out of reach.<o:p></o:p></span></div>
<div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin: 0px 0px 7.5pt; outline: none; padding: 0px; vertical-align: baseline;">
</div>
</div>
<div style="outline: none; padding: 0px; vertical-align: baseline;">
</div>
<div style="clear: both; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;">
</div>
</div>
</div>
Juniper Backdoor Password Goes Public (published 2016-01-04)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMc6jpYBlY8rQA06FN-6EIXwsveojPyoT_wgFANhzAY-EVO39AjJk5r2qVFxM3JpRdELUTddXrnIPbLoUK8DBnjNtInyGXs73SOQoHU5tAMzMXb_huhyG0M7Jm8Fpy2FJGRF-ZOTL8vB0S/s1600/14369529746_54a17ffaf8_o-680x400.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMc6jpYBlY8rQA06FN-6EIXwsveojPyoT_wgFANhzAY-EVO39AjJk5r2qVFxM3JpRdELUTddXrnIPbLoUK8DBnjNtInyGXs73SOQoHU5tAMzMXb_huhyG0M7Jm8Fpy2FJGRF-ZOTL8vB0S/s400/14369529746_54a17ffaf8_o-680x400.jpg" width="400" /></a></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;"><br /></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Researchers from
two security firms have uncovered the password guarding one of the <a href="https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">backdoors discovered in Juniper Networks’ ScreenOS</span></a>, the
operating system behind its NetScreen enterprise-grade firewalls.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Fox-IT and Rapid7
found the secret code, which was <a href="https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">disguised to look like debug code</span></a>, said Rapid7 chief
research officer HD Moore.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; mso-line-height-alt: 9.0pt; text-align: justify; vertical-align: baseline;">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“This password allows an attacker to
bypass authentication through SSH and Telnet, as long as they know a valid
username,” Moore said. “If you want to test this issue by hand, telnet or ssh
to a Netscreen device, specify a valid username, and the backdoor password. If
the device is vulnerable, you should receive an interactive shell with the
highest privileges.”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Fox-IT was the first to find the
password—needing six hours, it said, to do so—though it did not publish it.</span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Juniper released an emergency patch
last Thursday closing the holes introduced by the two backdoors, one of which
allows for passive decryption of VPN traffic moving through Juniper’s
appliances, and the other allows for remote administrative access over SSH or
Telnet.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Juniper senior vice president and
chief information security officer Bob Worrall said the two vulnerabilities
were discovered during a recent internal code review and affect ScreenOS
6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The earliest affected
version was released Sept. 12, 2012.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Moore, however, said that the
authentication backdoor is not present in older versions of ScreenOS, adding
that it’s likely the 6.2.0 series is not affected, but was vulnerable to the
VPN vulnerability.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“We were also unable to identify the
authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that
versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down
6.3.0r15 or 6.3.0r16,” Moore said. “This is interesting because although the
first affected version was released in 2012, the authentication backdoor did
not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16,
or 6.3.0r17).”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Juniper has made <a href="http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">new versions of the affected firmware</span></a> available,
sans backdoors, and admins are urged to patch immediately.<o:p></o:p></span></div>
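<div>An added example, not code from the article, Juniper or Rapid7: a triage pass over a firewall inventory that applies the affected ScreenOS ranges and Moore's per-release observations quoted above. The host names, the inventory, the accepted version-string shape and the priority ordering are assumptions made for illustration.</div>

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Affected ranges as stated in the article: series -> (first, last) release.
ADVISORY_RANGES = {(6, 2, 0): (15, 18), (6, 3, 0): (12, 20)}

# Rapid7's observations about the authentication backdoor, as quoted above.
AUTH_CONFIRMED = {((6, 3, 0), 17), ((6, 3, 0), 19)}
AUTH_NOT_FOUND = {((6, 3, 0), 12), ((6, 3, 0), 14)}

# Assumption: versions look like "6.3.0r17", optionally prefixed with
# "ScreenOS" and optionally followed by ".N". Anything else (for example a
# letter suffix) is not guessed at and goes to manual review.
VERSION_RE = re.compile(
    r"^(?:ScreenOS\s+)?(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$", re.IGNORECASE
)

# Assumed triage order, not vendor guidance: lower number is handled first.
PRIORITY = {"confirmed": 0, "unknown": 1, "not-found": 2,
            "likely-absent": 2, "review": 3, "n/a": 4}


class Finding(NamedTuple):
    host: str
    version: str
    in_range: Optional[bool]  # None when the version string was not parsed
    auth_backdoor: str        # one of the PRIORITY keys
    action: str


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, patch), release) or None if unrecognised."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch), release


def classify(host: str, version_text: str) -> Finding:
    parsed = parse_version(version_text)
    if parsed is None:
        return Finding(host, version_text, None, "review",
                       "check version by hand against the vendor advisory")
    series, release = parsed
    bounds = ADVISORY_RANGES.get(series)
    if bounds is None or not bounds[0] <= release <= bounds[1]:
        return Finding(host, version_text, False, "n/a",
                       "outside the ranges stated in the article")
    if series == (6, 2, 0):
        # Moore: the 6.2.0 series likely lacks the authentication backdoor
        # but was vulnerable to the VPN issue.
        auth = "likely-absent"
    elif (series, release) in AUTH_CONFIRMED:
        auth = "confirmed"
    elif (series, release) in AUTH_NOT_FOUND:
        auth = "not-found"
    else:
        # Includes 6.3.0r15 and 6.3.0r16, which Rapid7 could not obtain.
        auth = "unknown"
    # Every in-range release is patched regardless of the auth finding,
    # because Juniper lists the whole range as affected.
    return Finding(host, version_text, True, auth, "patch")


def triage(inventory: Dict[str, str]) -> List[Finding]:
    """Classify every host and order the result by assumed priority."""
    findings = [classify(host, ver) for host, ver in inventory.items()]
    return sorted(findings, key=lambda f: (PRIORITY[f.auth_backdoor], f.host))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "fw-edge-01": "6.3.0r19.0",
    "fw-edge-02": "6.3.0r12",
    "fw-dc-01": "6.2.0r17",
    "fw-lab-01": "ScreenOS 6.3.0r16",
    "fw-branch-01": "6.3.0r10",
    "fw-branch-02": "6.3.0r17b",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:13} {f.version:18} in_range={f.in_range!s:5} "
              f"auth={f.auth_backdoor:13} {f.action}")
```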
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Heightening the concern was the
revelation that Juniper’s affected NetScreen appliances utilize the maligned
Dual_EC_DRBG random number generator that has long been considered backdoored
and was front-and-center of allegations that the NSA was involved in
compromising the algorithm. In December 2013, Reuters alleged in a report that
RSA Security was paid $10 million in a secret contract with the NSA to use
Dual_EC, which the spy agency could easily crack.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Cryptographer <a href="https://www.imperialviolet.org/2015/12/19/juniper.html"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">Adam Langley</span></a> on Saturday published a report on his
personal site that summarizes much of the chatter around the backdoors and the
discovery of Dual_EC. Specifically, Langley surmises that the presence of
Dual_EC could explain how passive decryption of VPN traffic is possible.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Dual_EC is regarded
as a poor choice for an RNG, given that its performance is sluggish, and the
output is predictable given enough resources and knowledge about how it works.
Juniper’s Dual_EC implementation, however, does not use pre-defined
NSA-introduced points, suggesting, as Langley wrote: “[Juniper] used a
backdoored RNG but changed the locks. Then this attack <i><span style="border: none windowtext 1.0pt; mso-border-alt: none windowtext 0cm; padding: 0cm;">might</span></i> be explained by saying that someone broke in
and changed the locks <i><span style="border: none windowtext 1.0pt; mso-border-alt: none windowtext 0cm; padding: 0cm;">again</span></i>.”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;"><br /></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">In other words, it could be that
someone else used the NSA’s backdoor in Dual_EC to attack Juniper.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Langley wrote:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“<i><span style="border: none windowtext 1.0pt; mso-border-alt: none windowtext 0cm; padding: 0cm;">We’re not sure that’s actually
what happened,</span></i> but it seems like a reasonable hypothesis at
this point. If it’s correct, this is fairly bananas. Dual-EC is not a
reasonable RNG…Huge compromises were made in its design in order to meet its primary
objective: to be a NOBUS passive backdoor. (NOBUS is an intelligence community
term for ‘nobody but us,’ i.e. other parties shouldn’t be able to use the
backdoor). Why would it be used in ScreenOS in the first place?”<o:p></o:p></span></div>
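<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; text-align: justify; vertical-align: baseline;">
The “changed the locks” point can be made concrete with a toy Dual_EC-style generator. This is an added example, not code from ScreenOS, Juniper or Langley's post. Its assumptions: the curve y^2 = x^3 + 7 over the secp256k1 field prime (chosen only because its group has prime order, it is not the curve Dual_EC uses), no output truncation, and a constructed seed and constructed secrets e1 and e2; the names ToyDualEC and predict_next are hypothetical.</div>

```python
# Toy Dual_EC-style generator on y^2 = x^3 + 7 over the secp256k1 field prime.
# Constructed for illustration: no output truncation, keys and seed are made up.
FP = 2**256 - 2**32 - 977

def add(a, c):
    """Add two affine points; None is the point at infinity."""
    if a is None or c is None:
        return c if a is None else a
    (x1, y1), (x2, y2) = a, c
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == c:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    rhs = (pow(x, 3, FP) + 7) % FP
    y = pow(rhs, (FP + 1) // 4, FP)      # square root, valid because FP % 4 == 3
    return (x, y) if y * y % FP == rhs else None

class ToyDualEC:
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next(self):
        self.s = mul(self.s, self.P)[0]  # new state = x(s * P)
        return mul(self.s, self.Q)[0]    # output    = x(state * Q)

def predict_next(output, key, Q):
    """Whoever knows key with P == key * Q turns one output into the next."""
    r = lift_x(output)                   # +/- state * Q
    next_state = mul(key, r)[0]          # x(state * P), the generator's next state
    return mul(next_state, Q)[0]

def demo():
    g = next(pt for pt in map(lift_x, range(1, 50)) if pt)
    e1, e2 = 0x1234567, 0x89abcdf        # constructed secrets, one per "lock"
    P = mul(e1 * e2, g)
    q_orig, q_swapped = mul(e2, g), mul(e1, g)  # P == e1*q_orig == e2*q_swapped
    results = {}
    for name, q in (("orig", q_orig), ("swapped", q_swapped)):
        gen = ToyDualEC(0xC0FFEE, P, q)
        first, second = gen.next(), gen.next()
        # (does e1 predict the second output?, does e2 predict it?)
        results[name] = (predict_next(first, e1, q) == second,
                         predict_next(first, e2, q) == second)
    return results
```

For firmware review, the consequence is that the Q constant is key material: a Q that differs between builds deserves the same scrutiny as a changed signing key.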
<div class="MsoNormal" style="background: white; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;"><br /></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<i><span style="border: none windowtext 1.0pt; color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-border-alt: none windowtext 0cm; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN; padding: 0cm;"><a href="https://www.flickr.com/photos/electronicfrontierfoundation/"><span style="color: #f22637;">Image courtesy EFF Flickr feed.</span></a></span></i><span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;"><o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="background: white; font-family: 'Open Sans', sans-serif; font-size: 9pt; line-height: 107%;"> </span> <o:p></o:p></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8250017174846896495.post-34026112426105310822016-01-04T09:44:00.002-08:002016-01-04T09:44:53.222-08:00Google Announces SHA-1 Deprecation Timeline<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdJxOfdtLI14mvYknqnA_LQv1_3f78anKHnIqnLiZhwAosUZgTdIk3dFUyG0Jen2RdVpIiSCnwjvfrqgv_nw_iYeX60F5An_t1N1FQ_qNPbF3gG6kgi2Ui74t9fjlrQXFxQGKA992sZujc/s1600/chromehowto.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdJxOfdtLI14mvYknqnA_LQv1_3f78anKHnIqnLiZhwAosUZgTdIk3dFUyG0Jen2RdVpIiSCnwjvfrqgv_nw_iYeX60F5An_t1N1FQ_qNPbF3gG6kgi2Ui74t9fjlrQXFxQGKA992sZujc/s400/chromehowto.jpg" width="400" /></a></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Google has announced its timeline for
deprecating SHA-1 certificates, despite concerns expressed recently that
sunsetting the broken cryptographic hash algorithm will disconnect millions
from the Internet.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">SHA-1’s demise has
been accelerated in recent months since researchers published a paper
explaining that <a href="https://threatpost.com/practical-sha-1-collision-months-not-years-away/114979/"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">practical collision attacks could be months, instead of years,
away</span></a>.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; mso-line-height-alt: 9.0pt; text-align: justify; vertical-align: baseline;">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Google, on Friday,
announced that starting with Chrome 48 in early January, users will see error
messages displayed if the browser encounters a site signed with a SHA-1
certificate issued on or after Jan. 1, 2016, 11 days from today. By Jan. 1,
2017, or possibly even as early as July 1, 2016, SHA-1 will be blocked
altogether in Chrome. Microsoft has already announced it will start <a href="https://threatpost.com/microsoft-considers-earlier-sha-1-deprecation-deadline/115299/"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">blocking SHA-1-signed certs</span></a> in June 2016.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“At this point,
sites that have a SHA-1-based signature as part of the certificate chain (not
including the self-signature on the root certificate) will trigger a fatal
network error,” Google said in its <a href="https://googleonlinesecurity.blogspot.com/2015/12/an-update-on-sha-1-certificates-in.html"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">announcement</span></a>. “This includes certificate chains that
end in a local trust anchor as well as those that end at a public CA.”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Microsoft and Mozilla are on similar
timelines for ending support for SHA-1, and urge site operators to support
SHA-2, drop support for non-RC4 cipher suites, and implement TLS.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">In the meantime, <a href="https://www.facebook.com/notes/alex-stamos/the-sha-1-sunset/10153782990367929/"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">Facebook</span></a> and <a href="https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">CloudFlare</span></a> recently made public pleas to reexamine
the path forward on SHA-1. Facebook chief security officer Alex Stamos shared
data that shows that up to 7 percent of browsers in use do not support SHA-256,
for example, and that tens of millions will be cut off from the Internet as of
next Friday.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“A disproportionate number of those
people reside in developing countries, and the likely outcome in those countries
will be a serious backslide in the deployment of HTTPS by governments,
companies and NGOs that wish to reach their target populations,” Stamos wrote.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">CloudFlare CEO Matthew Prince,
meanwhile, made his case by pointing out that unlike when MD5 was put out to
pasture and SHA-1 support was widespread, the same cannot be said for SHA-2,
which is also not supported on older mobile devices.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“In a Silicon Valley tech company,
where most employees get a new laptop every year and having a 5-year-old phone
is unheard of, this may not seem like a problem. But the Internet is used by
billions of people around the world and most of them don’t have the latest
technology,” Prince said. “To understand the impact, we spent the last few
weeks testing browser connections to CloudFlare’s network for SHA-2 support. We
see approximately 1 trillion page views for more than 2.2 billion unique
visitors every month, which gives us a pretty representative sample of global
traffic.”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">Prince said approximately 37 million
could be cut off from the Internet by the SHA-1 deprecation. Stamos, meanwhile,
proposed that the CA/Browser Forum create a new Legacy Verified certificate
that would be issued to organizations that have made SHA-256 certs available to
modern browsers.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“Such verification can be automated
or manual, and appropriate measures can be put in place to reduce the risk of a
collision attack. Those protections could include requiring LV applicants to
have already passed OV or EV verification, as well as technical best practices
such as serial number randomization,” Stamos wrote. “If this change cannot be
implemented by December 31st, then we call on the CA/B Forum to delay the
implementation of the SHA-1 rules for the period necessary to establish
standards for Legacy certificates.”<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0cm; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">The rush began in
earnest in October when an <a href="https://eprint.iacr.org/2015/967.pdf"><span style="border: none windowtext 1.0pt; color: #f22637; mso-border-alt: none windowtext 0cm; padding: 0cm;">academic paper</span></a> demonstrated with some measure of
practicality that tweaks to existing attacks and advances in the analysis of
SHA-1 drastically reduce the cost and time to generate a collision attack
against SHA-1, dropping the cost down to between $75,000 and $100,000 USD and
trimming down the time to between 49 and 78 days, both well within reach of
resourced nation-state attackers and higher-end cybercrime outfits.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; margin-bottom: 7.5pt; mso-line-height-alt: 10.5pt; text-align: justify; vertical-align: baseline;">
<span style="color: #444444; font-family: "Open Sans",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IN;">“This is not an easy issue, and there
are well-meaning people with good intentions who will disagree,” Stamos said.
“We hope that we can find a way forward that promotes the strongest encryption
technologies without leaving behind those who are unable to afford the latest
and greatest devices.”<o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="background: white; font-family: 'Open Sans', sans-serif; font-size: 9pt; line-height: 107%;"> </span><o:p></o:p></div>
</div>