Security News for the Week Ending March 6, 2020
Let’s Encrypt Became Let’s Revoke and Then Let’s Confuse
Let’s encrypt sent out an alert early this week that they were going to revoke 3 million HTTPS certificates on March 4th. That was going to happen because of a software bug on their part which meant that they possibly issued certificates when they should not have. They executed a very aggressive notification process to web site owners and just before the deadline, 1.7 million of those certificates were updated. Another million of these certificates were “duplicates” which they did not explain, but which I think means that they issued two certificates to the same site in the error window, which is likely because their certificates only last 90 days. That only leaves a few hundred thousand potentially bad certificates and worst case, those will only be valid for another 90 days and most likely much less. As a result Let’s Revoke became Let’s Change Our Minds and they decided not to revoke those remaining certificates. Confused? Me too. By threatening to revoke certificates they got web site owners to update their certificates without having to actually revoke them.
The root issue was that in some cases web site owners had created a DNS CAA record which specifies WHO is allowed to issue certificates for that web site (EVERYONE SHOULD DO THIS) and Let’s Encrypt was not authorized to issue certificates for those sites. There was no issue with the security of the certificates issued. Source: Ars Technica
Feds Warn Foreign Actors With “Sharp Consequences” if They Interfere With 2020 Elections
The heads of the State Department, Justice Department, DoD, Office of the Director of National Intelligence, Homeland Security, FBI, NSA and CISA issued a joint statement this week threatening sharp consequences if foreign actors attempt to influence public sentiment or shape voter perceptions ahead of Super Tuesday.
First of all, that is an empty threat, since they issued it one day before Super Tuesday.
Second, these same people came before Congress last week and said that foreign actors were already doing it, so bring on the sharp consequences already – they are doing exactly that.
It is fair to say that the level of Federal effort to try and reduce foreign influence is significantly better than it was in 2016, but we also need to remember that the U.S. has been doing the exact same thing around the world for decades; the tools are just better now. Source: DoD
Researchers Find 70 Chrome Browser Extensions Stealing Your Data – Google Says That is Not Right
Security researcher Jamila Kaya working with folks from Cisco’s Duo Security identified 71 Chrome browser extensions that were downloaded more than 1.7 million times. Those extensions uploaded user’s private data without permission. This was used as part of a malvertising (malware laced advertising) campaign. The extensions connected the user’s browsers to a command and control server to infect user’s computers.
The not quite right part is that Google, after being informed, found another 430 extensions doing the same thing.
The good news is that Google not only removed the extensions from the Chrome store but also, with the click of a few keys, deauthorized those extensions in all of the affected browsers, effectively instantly shutting down the data stream. For now.
BOTTOM LINE, USERS NEED TO AVOID INSTALLING EXTENSIONS UNLESS THEY ARE ABSOLUTELY NECESSARY. Source: ARS Technica
China Says U.S. Has Been Hacking Them Since 2008
Qihoo 360, a prominent cybersecurity firm says that the CIA has been hacking Chinese businesses and government agencies going back to 2008. Targeted industries include aviation, research, petroleum and Internet companies. They claim that the CIA is able to track real time global flight status, passenger information, trade freight and other related information.
They are basing this on behavioral fingerprints which match software from the Vault 7 leak that Joshua Schulte is on trial for right now and which the Intelligence Community says caused us a lot of damage because it exposed our tools, techniques and practices.
We should not forget that gathering intelligence is the CIA’s job, so this is not surprising, but the information comes at a time when the U.S. is pressing China not to hack us. Source: The Hacker News
Have I Been Pwned is NO LONGER FOR SALE
Troy Hunt has been trying to sell his Have I Been Pwned web site for about a year now, but had some strong requirements for any buyers. He thought he had a buyer lined up, but after 11 months, that deal fell through. Rather than start over, Troy worked out a way that he could still operate the site but have it be less intrusive on his time. In celebration, he added 1.7 billion records to the database (there are a LOT of breached records, folks). Troy is a good guy, the site is a very useful tool and I am glad he figured out a way to keep the site alive. Source: Threatpost