This week, we give thanks to Fortinet for reminding us what awful crypto with hardcoded keys looks like
Plus more from the world of infosec
Roundup Here's a summary of recent infosec news beyond what we've already covered – earlier than usual because some of us have Thanksgiving to get through in the US. By the way, watch out for hackers taking advantage of IT teams suffering turkey comas.
Fortinet fsck up: Some Fortinet networking equipment was caught sending customers' sensitive information over the internet to its servers using weak encryption – XOR and a hardcoded static key. The weakness is present in FortiGate and Forticlient products that have the FortiGuard Web Filter, FortiGuard AntiSpam and FortiGuard AntiVirus features.
Said information potentially includes, depending on your setup, the serial number of the device, full HTTP URLs visited by users (collected for web filtering), email data (for message filtering) and other info.
The security blunder, uncovered by the team at security biz SEC Consult, would allow network eavesdroppers to potentially snoop on web browsing and manipulate some messages – for example, cancelling out malware detection alerts.
SEC Consult reported the flaws in May 2018, and only in the last week has a fix been released that shuts the holes. Admins should upgrade to FortiOS 6.2.0, FortiClientWindows 6.2.0, and FortiClientMac 6.2.2 as soon as possible.
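As an added illustration (this is not Fortinet's code and not the exact scheme SEC Consult analysed), the following Python shows why repeating-key XOR with a static key is not encryption: a predictable plaintext field recovers the key, that single key then unlocks every other message, and an HMAC over the ciphertext is what catches the kind of tampering described above. All keys and messages are constructed for the demo.

```python
import hashlib
import hmac
from itertools import cycle

# Constructed values for the demo; not Fortinet's key or traffic.
STATIC_KEY = b"demo-static-key!"   # a hardcoded, device-independent key
MAC_KEY = b"separate-mac-key"      # key for the mitigation shown below


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: ct XOR pt yields the keystream, and with a
    repeating key the first key_len keystream bytes are the whole key. A
    predictable field such as a URL scheme/host prefix is enough plaintext."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_with_key(ciphertext[:key_len], known_plaintext[:key_len])


def decrypt_all(ciphertexts: list[bytes], key: bytes) -> list[bytes]:
    """One recovered key reads every message ever sent under it."""
    return [xor_with_key(ct, key) for ct in ciphertexts]


def protect(message: bytes, enc_key: bytes, mac_key: bytes) -> tuple[bytes, bytes]:
    """Mitigation for the tampering problem only: authenticate the ciphertext
    so bit-flips are detected. Confidentiality still needs a real cipher with
    a per-device, non-hardcoded key (e.g. AES-GCM or simply TLS)."""
    ct = xor_with_key(message, enc_key)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def verify(ct: bytes, tag: bytes, mac_key: bytes) -> bool:
    """Constant-time tag check; False means the ciphertext was altered."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    msgs = [b"https://intranet.example/report?id=1", b"https://mail.example/inbox"]
    cts = [xor_with_key(m, STATIC_KEY) for m in msgs]
    key = recover_key(cts[0], b"https://intranet", len(STATIC_KEY))
    assert key == STATIC_KEY and decrypt_all(cts, key) == msgs
    ct, tag = protect(b"alert: malware found", STATIC_KEY, MAC_KEY)
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    assert verify(ct, tag, MAC_KEY) and not verify(tampered, tag, MAC_KEY)
```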
Stop press... Dell is mulling selling its RSA security wing for $1bn, Bloomberg reports, though no concrete plans are afoot.
Coding flaws to avoid: The US government has drawn up a fresh list of the most dangerous software security bugs, with out-of-bounds memory buffer accesses topping the roster. This time, it seems officials used some math and CVE vulnerability figures to produce the table rather than rely on subjective interviews with industry professionals.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” said CWE project leader Chris Levendis. “We will continue to mature the methodology as we move forward.”
US also cracks the whip on vulnerability disclosure: While we’re on the topic of Uncle Sam, its Cybersecurity and Infrastructure Security Agency has issued a directive mandating that all government departments must have a setup in place to allow researchers to privately disclose any discovered code vulnerabilities.
“Most federal agencies lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” it said. “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”
The directive will require all federal executive branch departments and agencies to devise and publish a vulnerability disclosure program so that flaw-hunters can report holes safely and without fear of being dragged into court. Those submitting vulnerabilities must be able to do so anonymously from anywhere in the world.
Departments will have 270 days to get systems in place before the cybersecurity agency starts enforcing the directive.
Google publishes state hacking stats: When it comes to protecting netizens from state-sponsored hacking, Google has been bragging about its work in the area. Over the past 12 months, the Chocolate Factory’s Threat Analysis Group says it has tracked 270 government-backed hacking crews from more than 50 countries, and issued more than 12,000 alerts to folks in 149 countries that they were being phished by government spies. It also took down disinformation campaigns in Africa and Papua New Guinea.
Splunk has a Y2020 problem: Data analytics outfit Splunk is warning users that they need to upgrade due to a serious timing issue.
According to an advisory, on January 1, 2020 all of its unpatched products will struggle to handle event timestamps that use a two-digit year. On September 13, they will also fail to deal with timestamps that are based on Unix time.
NYPD blue over ransomware: New York’s finest has admitted to getting hit by a ransomware attack that took down its LiveScan fingerprint database.
According to the New York Post, a contractor was setting up a display last October and plugged in a mini-PC that was infected with ransomware. It spread to 23 machines, knocking out the fingerprint checking service. In the end, 200 machines were reformatted to make sure the spread of the malware was arrested. ®