Security Roundup - 2016-01-11
More SHA1 News
SLOTH Attacks Make It Even More Important To Get Rid of SHA1 and MD5
Not just for TLS, but SSH as well. “Against IKE initiator authentication, the researchers were able to carry out impersonation attacks, and downgrade attacks against SHA-1 in SSH 2 and TLS 1.1 handshakes.”
Latest c3 conference presentations, which contain quite a few security topics. Just found out about this, so haven’t watched anything yet, but a few I plan to watch:
- Neither Snow Nor Rain Nor MITM - The State of Email Security in 2015
- APT Reports and OPSEC Evolution, or: These are not the APT reports you are looking for
- Beyond your cable modem - How not to do DOCSIS networks
- Breaking Honeypots for Fun and Profit
- Lifting the Fog on Red Star OS - A deep dive into the surveillance features of North Korea’s operating system
- Logjam: Diffie-Hellman, discrete logs, the NSA, and you
- State Of The Onion
- Shopshifting - The potential for payment system abuse
- (In)Security of Embedded Devices’ Firmware - Fast and Furious at Large Scale
Lots Of Security Issues With Hardware Appliances
After a more extensive review, Juniper is to replace random number generation in a number of products. Said random number generation (Dual_EC) was known to be backdoored in 2007.
Modem Vulnerability Left Blackphone Vulnerable
Remote root-level exploit discovered in the modem system.
Comcast Home Security System Vulnerable To Attack
Jamming sensor communication causes the base station to think everything is fine. An example of why failing ‘open’ is a problem.
FireEye Patches Vulnerability in Passive Monitoring System
The vulnerability allowed attackers to have FireEye execute malicious code via email, without any human intervention.
On The More Business-y Side:
Venture Capital and Cyber-Security.
How To Make Your Security Assessments Actionable
Short post, but interesting read given we are essentially making security assessments. What extra information can we provide to make sure our issues are easily actionable?