A Vulnerability Safari: Journey to the Center of iOS
Not wanting to be left out of the bug squashing bonanza, Apple has released iOS 10.2.1 to address 18 CVEs. The majority of vulnerabilities focus on WebKit − the framework which powers Safari and web browsing in iOS applications − and two vulnerabilities that affect the iOS kernel.
The WebKit vulnerabilities allow an attacker to steal sensitive data, like usernames and passwords, or execute arbitrary code by tricking a user into visiting a malicious web page. The kernel vulnerabilities allow an attacker to gain complete control over a device, allowing access to the device’s microphone, camera, location data, calls, and messages.
We recommend the following for iOS (and mobile users in general):
- Always keep your device up to date with the latest security patches
- Enable automatic updates to minimize the overhead of checking for updates
- Don’t click on strange links
Dear Internet, You’re Breaking My Heart
It’s been almost two years since the public disclosure of the infamous Heartbleed vulnerability and per a recent Shodan report, almost 200,000 servers are still vulnerable to CVE-2014-0160.
As if we didn’t have enough problems with vulnerable SSL/TLS libraries, Symantec’s certificate authority (CA) was caught being very naughty by improperly issuing over 100 certificates. This isn’t the first instance of a misbehaving certificate authority, and it’s unlikely to be the last as certificate requirements tighten and CAs are incentivized to issue as many certificates as possible. SSL/TLS interception capabilities will only grow as more and more websites transition to HTTPS for increased privacy, security, and content integrity.
Protect your environment from leaking sensitive information by:
- Keeping your software and libraries up to date
- Revoking and re-generating any SSL/TLS certificates on servers affected by Heartbleed
- Removing untrusted root certificate authorities
- Monitoring certificate issuances for your domains at: https://crt.sh/
Your Passwords Are Bad and You Should Feel Bad
It seems like every website on the Internet requires you to register and login with a username and password these days. Along the same lines, it also seems like there’s a new database dump of usernames and passwords from hacked websites every day.
According to the team at SplashData, “123456” is the most popular password of 2016. Look, if your password shows up in a Sesame Street skit, it’s a bad password.
We could go on and on about choosing a secure password, but this isn’t news to anyone, and clearly people aren’t taking it to heart. So, let’s keep it simple: just use a password manager to generate and store your passwords. Password managers make life simpler by reducing the cognitive overhead of remembering unique strong passwords. Seriously, next time you visit friends or family who have sticky notes with their passwords next to their computers, show them the ways of the password manager. Be their Obi Wan.
If you want to go above and beyond to secure your login credentials, we highly recommend that you:
- Use multi-factor authentication (MFA) where available. Here’s an ever-growing list of sites that support MFA.
- Check if your credentials have been compromised at Have I Been Pwned? If they have, time to change those passwords by generating new, secure ones in your password manager.
Great Balls of Fire(walls)
Wall building is so hot right now that China has taken steps to fortify its “Great Firewall” to block unauthorized VPN services.
After years of extinguishing VPN services, only to have new providers quickly fire up, China is taking steps to require VPN providers to obtain approval to operate — effectively making current VPN services illegal. Service providers will likely have to record and monitor user activity as part of the government approval process, negating the privacy benefits of using a VPN.
However, it’s only a matter of time until rogue VPN providers figure out new methods of breaking through the Great Firewall like a wrecking ball.
We recommend following the GreatFire Project for updates on China’s Internet censorship.
LavaBit Reborn
Rising from the ashes, LavaBit has announced its relaunch in the ‘post-Snowden world’ with a new service called the Dark Internet Mail Environment (DIME). LavaBit erupted into national attention in 2013 as part of the investigations into Edward Snowden when the FBI requested its SSL/TLS private keys to decrypt traffic. Instead of complying with the order, LavaBit decided to shut down operations.
The relaunch of LavaBit promises end-to-end security without requiring the user to have a Ph.D. in cryptology by operating in three different modes (Trustful, Cautious, or Paranoid) depending on the user’s risk profile.
There’s always been an ongoing battle between security and usability (user-friendliness), and the creation of tools such as DIME is an exciting development to transition users over into a secure environment.
Now we’ll just have to make sure there aren’t any unauthorized SSL/TLS certificates issued for LavaBit and remember to use a secure password to protect our email encryption key and we’re golden, right?
Get Well Soon, FX
Finally, we would like to extend our warmest "get well" wishes to Felix ‘FX’ Lidner. We wish you a speedy recovery and hope to see you soon.
