WiFi is one of those services that people simply expect to see these days. When you walk into just about any public building you are going to start looking for the “free” WiFi that they have. Most people do not stop to think about that that looks like behind the scenes especially when you are in a smaller business. In a large business you have multiple wireless access points (WAPs) that are run by a central controller. This centralized control system makes it relatively simple to control both the business side and the guest side of the wireless network. These tools can be very expensive and out of the budget range for most small companies. Instead a small business will end up with either an edge device with built in wireless (and really bad service), a single WAP or multiple individual WAPs that need to be managed independently and have their own problems.
It seems that someone may have found a way around at least one of the latest hot fixes for OpenSSL. According to some talk around the darker places on the internet, a rehash of metadata can allow a malicious individual to get around the latest hot fix designed to stop someone from bypassing the CA check in OpenSSL. The original flaw was found to exist during certificate validation. When OpenSSL checks the certificate chain it will try to build an alternate route if the first attempt fails. Due to a flaw in the way this is done can allow a “bad guy” to actually force some of the secondary checks to be bypassed and allow an invalid cert to pass.
Just when you thought it was safe to use your credit card we are hearing rumblings of a breach at Hilton. According to Brian Kerbs and some of our own sources a payment card breach has taken place and the only unique feature about this was that all of the affected cards were used at a Hilton Property. This is not just the regular Hilton Logo properties, but also includes Embassy Suites, Doubletree, Hampton Inn and Suites, Waldorf Astoria Hates and Resorts, and potentially others. The exact timing of the breach is unclear at the moment, but could go as far back as November 2014.
Security and malware research company, Kaspersky has recently released a paper describing what they say is the “ultimate level of anonymity” used by any malicious hacking group. In their report they describe a new attack by the group Ouroboros as “exquisite”. This is the same group that was linked to the Turla malware last year so we are not talking about amateurs or script kiddies. The attack uses commercial satellites’ unencrypted communication channels to send and receive traffic to their C&C servers.
There are rumblings on the internet that all might not be well with EA after a round of password reset notices appear to have been sent out on Sunday (8-13-2015). EA does not give a specific reason behind the reset notifications other than suspicious activity. However, the timing seems to correlate with an authentication exploit that has been talked about on the darker side of the internet. These claims are that a group has been silently exploiting EA’s authentication servers for months. It is far from certain that EA has suffered a large-scale breach, but it does bring up the subject of authentication server security.
The life of a security researcher is not all beer and pizza. In most cases the days are long and very few seem to appreciate what you are doing. From the stand point of a security researcher they are the good guys trying to help push an agenda of security. They spend countless hours finding the holes in code and hardware before the “bad guys” do. Sure there are bug bounty programs that pay fairly well and some researchers work for larger firms, but it is not all about the money or attribution.
Last year at Black Hat USA 2014 we met up with a company that was looking to make some changes in the way we protect our data, Ionic Security. The concept was very simple, but the implementation was sure to be complex. I was not sure that what they wanted to accomplish could even happen. However, after a conversation with them I became more than interested. It was a simple concept, but it did not need to be overly complex. To make things even more interesting this was not a truly new idea, but it was one that had never been implemented for real data security.
In addition to seeing more than a few products and ideas during Black Hat and DEF CON we also had the chance to see something really cool from the team at Trustwave. This was not a product, but a chance to see the back end of the command and control servers for a new and improved version of the RIG exploit kit. To say that what they showed was impressive is an understatement.
The one common thing that I keep hearing everyone talk about at Black Hat and even DEF CON is how to protect your data. It is pretty much a given that if someone wants to get into your network they are going to get in. The number of flaws, vulnerabilities and compromises that are out there are simply too many to protect against. So there needs to be some other method to make sure that any sensitive data that you have is keep out of the hands of the “bad guys”. There are many suggestions about this, but most of them still try to do the same things stop the barbarians at the gate.
Have you ever lost your keys and had that moment of panic where you are not sure who might have them? This is not a good feeling. You do not know if someone has them and might use them to gain access to your things. This is the same feeling that should be running through the minds of every IT security professional right now when they think about their certificates and keys, but sadly this is just not happening. The reason that there is not more concern is that far too many even realize just how vulnerable they are.