Information Security News
In the security community, the deprecation of SSL has been hailed as a good thing by almost everyone. Not only has SSL been deprecated, it's been deprecated with extreme prejudice, and with extreme rapidity. And not just in browsers (see Johannes's story here: https://isc.sans.edu/diary/19323).
However, it's become apparent in recent weeks that while most website administrators have caught up quickly to the new reality of TLS-Only encryption in browsers, many system administrators have been caught flat-footed.
Just in the last couple of weeks, I've worked with system administrators who have had problems administering critical system infrastructure, infrastructure that uses SSL for its HTTPS connection, and does support TLS. While the vendors of this infrastructure will quickly point out that a firmware update to their gear will quickly solve this problem, these firmware updates have almost universally come late to the party - in a lot of cases they haven't been available until fairly recently.
Admins are often caught off-guard, not realizing that their browser update has broken their infrastructure admin until something important happens, something that requires adding a SAN LUN, adding Fiber Channel Zones for that new pod of servers, or doing a remote power off / power on of a critical server using its remote console board.
Stuff that I have seen personally has included (Vendor names left out, sorry):
The catch-22 in this situation is that, looking at this list, all of these things are very tough to book intrusive administration for. Scheduling a firmware update for the admin console of your SAN for instance can be a very challenging task - IT Management is likely to use terms like Outage, Risk, often with the word Unacceptable in the same sentence. For things like your large Solaris or AIX Servers, Storage systems and so on, management is often much more comfortable NOT approving patches or updates, electing instead to isolate them to a secured vlan. .... Or worse yet, to not patch them and NOT isolate them.
(Mind you, the golden rules of pentesting include things like "secured vlans aren't" and "air gap networks are isolated, except for that one wire or one firewall rule ...")
What have you found that you couldn't admin because of SSL deprecation? Was an update available? And if so, did you kick yourself for not applying it 2 years ago, or was the paint still wet on the update? Have you applied an update to deal with this, and found that it broke something else?
Please, share on our comment form. And feel free to include vendor names - just because I can't doesn't limit you that way!
Researchers sifting through the confidential material stolen from spyware developer Hacking Team have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting Microsoft Windows and a hardened Linux module known as SELinux.
Hacking Team documentation accompanying the Flash exploit said it targeted "the most beautiful Flash bug for the last four years," according to a blog post published Wednesday by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0..194). They also have confirmed it works against people viewing content with Internet Explorer, and it's presumed it will work against other browsers as well.
"Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer," they wrote in a blog post published Tuesday. "Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued."
Posted by InfoSec News on Jul 07 http://www.nextgov.com/cybersecurity/2015/07/pentagon-contractors-ranked-below-retailers-and-banks-when-it-comes-cybersecurity/116899/
Posted by InfoSec News on Jul 07 http://www.v3.co.uk/v3-uk/news/2416111/fbi-puts-usd3m-bounty-on-head-of-gameover-zeus-malware-creator
Posted by InfoSec News on Jul 07 http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-teams-most-private-moments-in-messy-detail/
Posted by InfoSec News on Jul 07 http://www.stltoday.com/sports/baseball/professional/cardinals-fire-scouting-director/article_b529088f-70c3-51c5-bab2-106afa1d2a12.html
Posted by InfoSec News on Jul 07 http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html