Trustico CEO Leaks HTTPS Certificate Keys Through Email

The CEO of Trustico, a TLS certificate reseller based in the United Kingdom, finds himself at the center of a controversy that raises a number of disturbing questions about browser-trusted security certificates.

The email in question was sent to Jeremy Rowley, an executive Vice President at DigiCert.  The catalyst that prompted the fateful email was that officials at Trustico notified DigiCert that 50,000 certificates originally issued by Symantec and resold by Trustico had been compromised and should be mass revoked due to security concerns.

Mr. Rowley, not wanting to take such drastic action without proof, asked for it.  In response, Trustico’s CEO emailed the private keys of 23,000 certificates, an action which drew shocked reactions from security professionals around the world when news of the email became public.

If you’re not familiar with the inner workings of browser-trusted certificates, there are a few problems here.  First, there’s no good reason why a reseller should have a copy of the private keys to begin with.  Second, even if that were the norm, to simply email them to a third party shows incredibly poor judgement, especially given that there’s no evidence the email in question was encrypted.  Third, customers used Trustico’s website to generate their private keys, which is a service that should never even have been offered.

To make matters even worse, not long after news of the email hit the internet, Trustico’s website went dark when a security expert posted details about a critical vulnerability on the company’s website.  The flaw resides in a site feature that allows customers to confirm that certificates are properly installed.  Unfortunately, Trustico’s website had been compromised, and any time a user used the feature, the hackers could use the opportunity to run malicious code.  It’s a tangled web, and it paints everyone involved in a very bad light.

Facebook Post Removals May Soon Get An Appeals Process

There are some big changes coming to Facebook, which may have some serious unintended consequences.

In a recent interview, Mark Zuckerberg indicated that he’s considering allowing users to independently appeal to the content moderation team if their posts get taken down for violating various community policies.

On the surface of it, this seems like it would be a good thing. Zuckerberg said that the move is designed to give people in the Facebook communities what they want, rather than reflecting short-term, profit-driven wishes of the shareholders.

It’s a significant change because as of right now, Facebook only allows for appeals if content was removed for violation of copyright laws. In addition, the appeal must be made via a DMCA (Digital Millennium Copyright Act) notification, which makes it a somewhat daunting process.

Zuckerberg describes the new approach as follows: “So maybe the folks at Facebook make the first decision based on the community standards that are outlined, and then people can get a second opinion.  You can imagine some sort of structure, almost like a Supreme Court, that is made up of independent folks who don’t work for Facebook, who ultimately make the final judgement call on what should be acceptable speech in a community that reflects the social norms and values of people all around the world….I think we can build that internally as a first step.”

All of that looks good on paper, but there are some major problems with this approach.

First, the company will struggle to find enough volunteers to monitor content and appeals to keep pace with demand.  Given the size of Facebook’s footprint on the web, that’s a very real concern. The new, easier appeal policy is certain to cause the number of appeals to explode.

Second, if not done with great care and forethought, it could further polarize the platform. It could lead to the development of more estranged “information silos,” which runs counter to what the company ultimately wants its global network to be.  In addition to that, it could easily lead to a massive backlash against the company.

Time will tell, but the coming months should be interesting indeed.

Microsoft To Help Intel With Security Issues

By now, you’ve almost certainly heard of the “Spectre” and “Meltdown” security flaws that affect every Intel chip produced in the last decade.  Users have been waiting for a fix for both of these since January, when the issues were first discovered.

From the beginning, Microsoft agreed to include the fix for Spectre in its regular software updates but insisted that Intel and PC manufacturers would have to push the Meltdown fix on their own.

Unfortunately, the overwhelming majority of users are still waiting, and in the meantime, untold millions of machines are at risk.  Intel’s first attempt at a fix was so spectacularly bad that the company urged users not to install it until a better fix could be rolled out.

Intel has since released an updated fix, but few users have taken advantage of it so far.  The reason is that most users simply don’t know how.  They’re not aware that they have to go to Intel’s website to manually download and install it, or wait for an OEM push, which could still be months away.

Given this reality and the extreme danger that Spectre poses, Microsoft has reversed course and agreed to make special Windows update releases that include the Spectre fix.  The first such update, KB4090007, is now out and available to users.

There are two important caveats to be aware of, however:

  • These special updates will not be delivered automatically. Users will have to go to the Windows Update Catalog and select the appropriate package, then run it on their computers.
  • The updates are available only for Windows 10, version 1709, and Windows Server, version 1709.
  • The currently available package (KB4090007) is meant for Intel Skylake CPU owners only. Additional packages will be released over the course of the next few months.

Netflix To Release More Parental Controls To Help Parents

If you have a Netflix account and children living at home, there’s a reason to cheer about the company’s most recent announcement.  They’re rolling out some robust new parental control features that will allow you to exert much more control over what your children are watching.

You can now set content-specific PINs to lock movies or TV shows. So for example, if you don’t want your children watching “Zombeavers” (yes, that’s a real movie, by the way), you could lock that content with a PIN.  This is in addition to the existing controls Netflix offers that allow parents to set broad PIN-based protections that block content at specified maturity levels.

Additionally, the company has stated that it will start displaying these maturity level designations at the start of each program to give parents greater awareness of what their children are watching.  The changes are slated to be rolled out over the next few months.

It’s probably not a coincidence that the rollout of these changes is slated to coincide with Disney’s planned launch of their own kid-friendly streaming service.

It’s worth noting that Netflix and Disney reached a streaming agreement back in 2012, which didn’t go into effect until 2016.  Disney has stated their intention to end the deal beginning with films released in 2019.  For their part, Netflix will retain the right to show older Disney films until the end of 2019.

Netflix has been the King of the video streaming hill for a long time, but the company is coming under increasing pressure from a growing number of competitors.  The company is fully aware that Disney already has the hearts and minds of millions of children around the world. They realize that unless they do something to bolster their parental controls feature set, they stand to lose ground to this latest entrant in the field of streaming video.

Your Kids’ Personal Info May Have Been Compromised

An identity threat company called 4iQ has recently published a report called “Identities in the Wild:  The Tsunami of Breached Identities Continues.”  Unfortunately, the information in the report contains all bad news.  Some of the details are simply confirmations of things we already knew, and some are shocking statistics that will leave you feeling dismayed.

For instance:

  • Cybercriminals and hackers are getting increasingly sophisticated – This isn’t new, but it’s even worse than that. While there are still a few “lone wolf” type hackers, organized syndicates are increasingly coming to the fore.  Their collaboration with each other is accelerating the development of ever-more-advanced tactics.  New threats are emerging at a much faster pace than data security personnel can respond.
  • Personal data breaches are now the second most common cybercrime on the planet, with corporate data breaches not far behind. The reason hackers are increasingly gravitating toward hacks of individuals has everything to do with the fact that most people have little to no security.  It’s just low-hanging fruit.  Corporate hacks are a bit more difficult, but as we’ve seen via the constant parade of headlines, these tend to be more far-reaching, with a scope and scale that can impact tens of millions of users, or more.
  • There has been a shocking 182 percent increase in the number of identities available on the Darknet belonging to children.

This last point is beyond disturbing.  Bad enough that your own personal and confidential data is at risk, but now your kids are increasingly at risk too. Hackers are using their information to apply for credit cards, rent cars and hotels, and more.

In addition to the obvious dangers of hackers around the world knowing everything there is to know about your kids, it can also irreparably damage your kids’ credit, long before they ever have an opportunity to make use of it.  A grim report that bears close reading.

Amazon Removing Music Storage Service At End Of April

If you use Amazon’s Cloud MP3 Locker to store your music online, now is the time to start looking for a new home for it.  Last year, the company announced that they were ending the service, but didn’t provide a firm date.  April 30, 2018 will be the last day you’ll be able to access your music if you don’t take action.

Back in December, the company stopped allowing users to upload new tracks to their music storage system, on which users were formerly allowed to store up to 250 songs for free.

In the company’s most recent announcement about the coming changes, they made two important clarifications.  First, there is a back-end way you can keep access to your existing music files, but it requires action on your part.  You’ll need to log in, go to your Music Settings and click the “Keep My Songs” button.  Failing to take this step will result in your music being deleted.

Second, the company stresses that these changes do not apply to music purchased through Amazon Prime, or Amazon’s digital music streaming service.  Those files will still be available, with no action needed on your part.

While it’s a sad development, it’s not surprising in the least.  Increasingly, companies that provide cloud-based storage are streamlining or scaling their services back.  Amazon isn’t the first, and they certainly won’t be the last.  Last year, both Dropbox and Microsoft OneDrive (two prominent players in the cloud storage ecosystem) announced scalebacks to the amount of storage offered in their free accounts.

While it’s true that storage has become increasingly low cost, it’s also true that the growth in popularity of cloud storage has exploded. Companies offering the service have had to scale back, lest they become completely overwhelmed.

In any case, there’s still time to move or preserve your files, but you’ll want to take action sooner rather than later.

New And Potentially More Dangerous Intel Vulnerability Discovered

The “Spectre” vulnerability that impacts literally every Intel chip made over the last decade keeps finding new ways to make the news.  In this instance, researchers at Ohio State University have discovered a new variant of the vulnerability that they have dubbed “SGX Spectre.”  To understand how it’s different, a bit of explanation is in order.

SGX stands for “Software Guard eXtensions,” and is a feature only found in the latest Intel processors.  It allows applications to create “data enclaves,” which are hardware-isolated portions of a CPU’s processing memory.  The purpose of such enclaves is to give applications a secure space to run operations that deal with especially sensitive data, like passwords and encryption keys.

The original Spectre and Meltdown vulnerabilities were unable to extract any data from SGX enclaves, but SGX Spectre can. Even worse, the recent Spectre patches will do nothing to prevent it.

Intel has announced that on March 16, it will release an update for its SGX SDK that adds SGX Spectre mitigations.  App developers will need to integrate the update into their SGX-capable apps and issue an update to all users.

The research team had this to say about the recent discovery:

“SgxPectre Attacks can completely compromise the confidentiality of SGX enclaves.  Because vulnerable code patterns exist…and are difficult to be eliminated, the adversary could perform SgxPectre Attacks against any enclave programs.

Because there are vulnerable code patterns inside the SDK runtime libraries, any code developed with Intel’s official SGX SDK will be impacted by the attacks.  It doesn’t matter how the enclave program is implemented.”

In addition to the discovery of SGX Spectre, the research team discovered new variations of the original security flaws, which they have dubbed MeltdownPrime and SpectrePrime, respectively.  Needless to say, more patches will be forthcoming.

Alexa Now Makes It Easy To Donate To Charity

Amazon has made a small but significant change to its Alexa service, which now makes it possible to donate to charity by issuing voice commands.

So far, there are 48 charities connected to the system, with more in the pipeline.  There are two ways you can make use of the new feature.  The first is to simply say, “Alexa, make a donation.”

Doing this will prompt Alexa to ask you which charity you want to donate to, and the dollar amount to be donated.

The second method is to say something like, “Alexa, donate $20 to the American Red Cross,” or one of the others currently tied into the donation system.  Alexa will use whatever payment information you have tied into your Amazon account (including Amazon Pay, if you use it).

This isn’t the first time Amazon has taken steps to make donations to charity easier.  Not long ago, the company collaborated with an organization called “Give Back Box,” which allows users to reuse Amazon boxes to ship donations to various charity groups.

The company’s motivations for making these changes are unclear, but it could be a bid to help their new Amazon Pay system gain more momentum.  Regardless of the reasoning, these are exciting changes indeed. Given Amazon’s global reach, it’s all but certain to be a boon to the charities tied into the program.  Even better, these changes may well prompt other tech giants to make similar moves.

If you own a business of any size and are in the habit of making donations as part of your firm’s goodwill and outreach, Amazon just made it easier to do that.  If not, then at the very least, when you opt to make a personal donation you now have a convenient way to do so.

Windows Media Player May Be Replaced By Microsoft App

A Reddit user named “Noam_ha” recently posted a screenshot displaying a popup message when users open the venerable Windows Media Player (WMP), asking users if they would instead like to open the video file with the company’s more modern Movies and TV app.

The popup message touts the Movies and TV app’s advantages, which include better battery life if running on a phone or laptop, better compatibility with more modern video formats, a mini-view, and support for 360-degree video on Augmented Reality devices.

There are several interesting things to note here:

First, while the new popup message clearly signals Microsoft’s preferences, the reality is that in many ways, the Movies and TV app is a poor substitute for WMP.  It only has modest functionality and has a downright awful interface. Even worse, many features found in WMP (like streaming video from online repositories, queuing, and variable play speeds) are simply not present in the new app.

Second, this appears to be a recent shift inside the company, because WMP comes pre-installed on Windows 10.

On the other hand, WMP hasn’t received a significant update since the Movies and TV app was first released with the launch of Windows 7.  In that respect, at least, the writing has been on the wall for some time now.

This marks the second beloved app that Microsoft has decided to kill in recent months.  Recall that just last year, the company announced the end of Microsoft Paint, a kludgy, barely functional graphics program that was nonetheless strangely beloved by users.  It was retired and replaced with “Paint 3D,” and now, all indications are that Windows Media Player is headed for a similar fate.

That wouldn’t necessarily be a bad thing, but given the condition of the new Movies and TV app, the decision probably isn’t going to win Microsoft any friends.

Vega Stealer Malware Goes After Your Saved Credentials

There’s a new security threat to be worried about, and security professionals are warning that it could be very bad indeed.  The new malware is known as the “Vega Stealer,” and is currently being used in a relatively simplistic phishing campaign designed to harvest financial data that has been saved in both Google Chrome and Firefox browsers.  Unfortunately, based on an analysis of the code, it could be a much more serious threat.

Vega Stealer isn’t 100 percent original work, but rather, is a variant of another nasty bit of malware known as “August Stealer.”  Built on the .NET framework, it’s designed to ferret out and steal cryptocurrency wallets, passwords, cookies, saved credit cards, and more.

If your computer is infected, and you’re using Firefox, Vega Stealer will specifically target the files “key3.db” and “key4.db,” along with “cookies.sqlite” and “logins.json,” which store a variety of keys and passwords.

In addition to that, though, it can also take screen captures of your PC and scan for and steal any file with the following extensions:

  • .pdf
  • .xlsx
  • .xrft
  • .docx
  • .doc

Of course, it would be a trivial matter for the owners of the malware to expand this list even further.

As mentioned, the current campaign isn’t terribly sophisticated, relying on emails bearing titles like “Online Store Developer Required.”  The emails being sent contain a poisoned file called “brief.doc” which contains macros designed to install the malware.

If the recipient clicks on the Word doc, it will install a file named “ljoyoxu.pkzip” in that user’s “Music” directory, and then automatically execute the file so it can begin harvesting.
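
A defender-side check for the drop behaviour described above, added here as an example (it is not from the original article or from Proofpoint): it walks a folder such as the user's Music directory and flags the reported file name plus any file that begins with the Windows executable magic bytes `MZ`. That the payload is a PE file is an assumption (the article only says the malware is .NET-based and gets executed); the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Drop name reported in the article; every other name here is an assumption.
REPORTED_DROP_NAME = "ljoyoxu.pkzip"
# Extensions under which a Windows executable is normally expected.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def has_pe_header(path):
    """Return True if the file starts with the 'MZ' DOS/PE magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable files are skipped, not flagged


def scan_media_dir(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == REPORTED_DROP_NAME:
                findings.append((rel, "name matches reported drop"))
            elif has_pe_header(full):
                if ext in EXPECTED_PE_EXTENSIONS:
                    findings.append((rel, "executable in media folder"))
                else:
                    findings.append((rel, "executable header, misleading extension"))
    return sorted(findings)


def build_sample_dir():
    """Create a constructed sample directory (harmless stub bytes only)."""
    root = tempfile.mkdtemp(prefix="music_sample_")
    samples = {
        "song.mp3": b"ID3\x03\x00" + b"\x00" * 16,  # ordinary media file
        "ljoyoxu.pkzip": b"MZ" + b"\x00" * 16,      # file name from the article
        "cover.jpg": b"MZ" + b"\x00" * 16,          # stub with executable magic
        "notes.txt": b"playlist ideas\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # Scan the real Music folder if present, else the constructed sample.
    target = os.path.join(os.path.expanduser("~"), "Music")
    if not os.path.isdir(target):
        target = build_sample_dir()
    for rel, reason in scan_media_dir(target):
        print(f"{rel}: {reason}")
```

A file name is trivially changed between campaigns, so the header check is the more durable of the two signals.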

Researchers from Proofpoint, who found the malware strain, had this to say:

“The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan.  However, the URL pattern from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID.  As a result, we attribute this campaign to the same actor with medium confidence.”

Be on your guard.