Mini-Heartbleed info leak bug strikes Apache, airborne malware, NSA algo U-turn, and more
The security week in review
Roundup As ever, it's been a doozy of a week for cybersecurity, or lack thereof. The Equifax saga just keeps giving, the SEC admitted it was thoroughly pwned, and Slack doesn't bother to sign its Linux versions. We do spoil you so, Reg readers. And that was only yesterday. Here's the rest of the week's shenanigans we didn't get round to.
US snoops give up fight over encryption algorithms
The NSA has backed down on its efforts to push for two encryption algorithms to become worldwide standards, following pressure from crypto-gurus. It was feared by various nations – including Germany and Japan – that Uncle Sam's spying nerve-center was championing the global use of the data-scrambling methods because it knew exactly how to crack them. Therefore, it could decode data and communications secured by the two techniques.
The pair of algorithms are the Simon and Speck lightweight block ciphers. Now only the most toughest forms of the pair of mechanisms will be put forward to the ISO encryption standards body as these are unlikely to be defeated by the NSA's supercomputers any time soon.
It's basically a replay of the Dual EC DRBG shenanigans from a couple of years ago. That was an algorithm heavily advocated by the NSA and it turned out to be suspiciously flawed, allowing spies to crack encryption relying on the random number generator.
“I don’t trust the designers,” said an Israeli delegate to the ISO body regarding Simon and Speck. "There are quite a lot of people in NSA who think their job is to subvert standards."
Japanese finance house floored by DDoS
Japanese finance house Hirose FX was subjected to a DDoS attack on Monday. The assault affected the corporate website, as well as Hirose FX's trading tools.
Logging into the platform and accessing the website were hampered for more than an hour on Monday morning, according to reports.
Adaptive access control firm SecureAuth announced plans to merge with vulnerability discovery outfit Core Security on Wednesday. The plans are dependent on US regulatory approval, but would create a merged company with 1,500 customers and 360 employees worldwide.
By bringing together network, endpoint, vulnerability, and identity security, SecureAuth (headquartered in Irvine, California) and Core Security (headquartered in Roswell, Georgia) plan to combine their efforts to create an "identity-based security automation platform."
A Heartbleed-style bug has surfaced to menace Apache installs.
The Optionsbleed vulnerability in Apache Web Server is triggered by making HTTP "options" requests.
Like Heartbleed before it, the vulnerability can leak an affected (Apache) server's memory. Fortunately the flaw has been patched. A deep dive into the issue can be found in a post by security veteran Paul Ducklin on Sophos's Naked Security blog here.
AI surveillance peril
As AI and the IoT enable the collection of massive amounts of personal information, there is a risk that without appropriate safeguards and user control, a "surveillance society" could emerge, warned a report by the Internet Society out this week.
The non-profit's Global Internet Report, which looked into how the internet might impact society over the next five to seven years, warned that cybersecurity issues will "pressure governments to take decisions that could erode the open and distributed global governance of the internet," threatening personal freedoms and rights in the process.
Security cameras infected with malware can receive covert signals and leak sensitive information from the very same surveillance devices used to protect facilities, Israeli boffins have demonstrated. The method, according to researchers, will work on both professional and home security cameras, and even LED doorbells, providing that devices work in the infra-red spectrum.
The same technique dubbed "aIR-Jumper" also enables a mechanism to create a covert, bidirectional, optical communication between air-gapped internal networks. The study was put together by a team of researchers from Israel's Ben-Gurion University of the Negev led by Dr Mordechai Guri.
A video put together by the team shows the camera infected with malware responding to covert signals by exfiltration data, including passwords and selected passages of the book The Adventures of Tom Sawyer.
Hacking into air gapped networks is not new in itself, but the Israeli team's research is still noteworthy in exposing another potential route into systems. ®