Crypto certificates impersonating Google and Yahoo pose threat to Windows users

People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties.

A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren't at risk. More about that later in this post.)

Unknown scope

In an update posted Wednesday, Langley said the CCA confirmed that the bogus certificates were the result of a compromise of NIC's certificate issuance process. The CCA reportedly said only four certificates were compromised. In a sign the CCA's findings aren't reliable, or at least are only tentative, Langley went on to say Google researchers are aware of still more counterfeit credentials stemming from the NIC breach.

Read 8 remaining paragraphs | Comments

Cisco Addresses Apache Struts 2 Vulnerability

Original release date: July 09, 2014

Multiple Cisco products include an implementation of Apache Struts 2 which contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary commands on a targeted system.

Cisco products affected by this vulnerability include:

  • Cisco Business Edition 3000 Series
  • Cisco Identity Services Engine (ISE)
  • Cisco Media Experience Engine (MXE) 3500 Series
  • Cisco Unified Contact Center Enterprise (Cisco Unified CCE)

US-CERT encourages users and administrators to review the Cisco Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Your favorite mobile apps leave a trail of cookie crumbs

Instagram's cookies and unencrypted Web traffic give you up to anyone watching packets pass by.
Sean Gallagher

Most people know the privacy risk of Web cookies—the bits of data that Web browsers store and return to websites to help them keep track of your credentials, where you are in an application, and other information. Advertisers, social media services, and search engine providers use cookies to track users' travels on the Web to target them for advertising. And as we’ve reported, those cookies can be used by someone surveilling Web traffic to track you as well.

But when people use mobile applications, they’re also vulnerable to the same sort of cookie tracking. Many mobile apps are just Web applications wrapped in a package for an app store—they send cookies back to the same server to identify the user and provide location information and other data about a device to the application vendor, third parties, or anyone who happens to be watching network traffic. Taken together with other data, these cookies can be used to track individuals as they wander the world, posing a significant privacy risk.

There are other components of the Web content consumed by mobile apps that can be used in tracking. Some use REST interfaces that pass data as part of their requests back to servers, and that data is often sent in the clear. JavaScript elements within Web content can also access local device data and send it back as a data structure; this data is often sent unencrypted as well, and the process follows a common enough format for hackers or intelligence organizations to reverse engineer it.

Read 18 remaining paragraphs | Comments

Microsoft drops case that severed DNS hosting for millions of No-IP nodes

Microsoft has formally settled legal differences with No-IP, the dynamic domain name host that was kneecapped by a botnet takedown that recently knocked out service to millions of legitimate hostnames.

As we reported, Microsoft surrendered the 23 No-IP domains last week. A bare-bones statement e-mailed to journalists Wednesday morning said the agreement settled a controversial lawsuit Microsoft filed in late June that allowed the software maker to confiscate 23 No-IP domain names before the service provider had an opportunity to oppose the maneuver in court. The malware families targeted in the latest takedown infected more than 7.4 million machines in the past year alone, Microsoft said.

A federal judge approved Microsoft's confidential ex parte motion arguing that the software maker was entitled to seize control of the addresses because No-IP owner Vitalwerks Internet Solutions failed to follow industry practices designed to prevent malware operators from abusing the service. In the course of a few hours, millions of connections from law-abiding users were severed. The statement read in part:

Read 3 remaining paragraphs | Comments