Information Security News
by Robert Lemos
The Electronic Frontier Foundation, Mozilla, Cisco, Akamai, and other organizations have teamed up to create the infrastructure and tools necessary to help websites offer more secure and private browsing to their visitors.
The group plans to establish a non-profit organization, Let’s Encrypt, that will freely offer digital certificates and open-source tools for configuring and serving HTTPS (HTTP carried over TLS). While offering free digital certificates is certainly enticing, creating the tools to easily manage the certificate lifecycle (issuance, installation and renewal) and to set up Web servers to properly handle HTTPS is the most important part of the effort, Peter Eckersley, technology projects director for the EFF, told Ars.
“The unfortunate truth is that there are a lot of obscure and head-spinning technical details that need to be gotten right for a top-notch HTTPS deployment,” he said. “With Let’s Encrypt, we are going to automate as much of that as we possibly can.”
Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers.
A flaw in the Windows implementation of the Kerberos authentication protocol allows an attacker holding credentials for any ordinary, unprivileged domain account to remotely hijack extremely sensitive Windows domain controllers, the servers that allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks.
"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," Microsoft engineer Joe Bialek wrote in a blog post accompanying Tuesday's patch. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."
by Dan Goodin
In a coup for privacy advocates, strong end-to-end encryption is coming to WhatsApp, a cross-platform instant messaging app with more than 500 million installations on the Android platform alone.
Until now, most popular messaging apps for smartphones have offered woefully inadequate protections against eavesdropping. WhatsApp, which Facebook recently acquired for $19 billion, has itself been criticized for a series of crypto blunders only spooks in the National Security Agency would love. Most other mobile apps haven't done much better, as a recent scorecard of 39 apps compiled by the Electronic Frontier Foundation attests. Many fail to implement perfect forward secrecy, which derives a fresh key for each message or session and discards it afterward, so that an adversary who later obtains a device's current keys, or a long-term key, can't use them to decrypt previously captured messages. The notable exception among popular messaging apps is Apple's iMessage, but it's not available for Android handsets.
Enter Moxie Marlinspike, the highly regarded security researcher and principal developer of TextSecure, an encrypted SMS and messaging app for Android. Over the past three years, his team at Open Whisper Systems has developed an open encryption protocol for asynchronous messaging systems. That specification is now being incorporated into WhatsApp.
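The forward-secrecy property the article describes, shown as an added example rather than code from WhatsApp, Open Whisper Systems or the article: a one-way symmetric key ratchet in Python. Each message is encrypted under a key derived from the current chain key with HMAC-SHA256, and the chain key is then advanced and the message key discarded. Because HMAC cannot be run backwards, an attacker who seizes the device state after message n can derive keys for messages n+1 onward but not for messages 1 to n. The root key, the message texts and the HMAC labels are constructed for illustration, and the XOR keystream cipher is a toy stand-in for the AEAD a real protocol would use.

```python
import hashlib
import hmac


def ratchet_step(chain_key):
    """One-way step: derive a message key and the next chain key via HMAC-SHA256.
    HMAC is a PRF, so neither output can be reversed to recover chain_key.
    The labels b"\\x01" / b"\\x02" are an assumption of this example."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def xor_stream(message_key, data):
    """Toy stream cipher: XOR with an HMAC-derived keystream. It only makes the
    key dependence visible; a real protocol uses an AEAD such as AES-GCM."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(message_key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        start = block_no * 32
        out += bytes(d ^ k for d, k in zip(data[start:start + 32], block))
    return bytes(out)


def sender_encrypt_all(root_key, plaintexts):
    """Encrypt each message under a fresh message key. Returns the ciphertexts and
    a snapshot of the chain key after each send (what the device holds at that point).
    The message key itself is never stored."""
    chain = root_key
    ciphertexts, chain_after = [], []
    for pt in plaintexts:
        chain, mk = ratchet_step(chain)
        ciphertexts.append(xor_stream(mk, pt))
        chain_after.append(chain)
    return ciphertexts, chain_after


def decrypt_from_state(chain_key, ciphertexts):
    """Given a chain key, derive successive message keys and decrypt in order."""
    out = []
    for ct in ciphertexts:
        chain_key, mk = ratchet_step(chain_key)
        out.append(xor_stream(mk, ct))
    return out


def compromise_demo(root_key, plaintexts, compromise_after):
    """An attacker seizes the device's chain key right after message number
    `compromise_after` (1-based) was sent and also holds every ciphertext.
    Returns two lists of booleans: which earlier messages and which later
    messages the attacker recovers correctly."""
    ciphertexts, chain_after = sender_encrypt_all(root_key, plaintexts)
    stolen_chain = chain_after[compromise_after - 1]
    # Forward: ratcheting the stolen chain key yields every later message key.
    future = decrypt_from_state(stolen_chain, ciphertexts[compromise_after:])
    # Backward: the best the attacker can do is feed the stolen state to the
    # earlier ciphertexts; the one-way derivation makes that produce garbage.
    past_attempt = decrypt_from_state(stolen_chain, ciphertexts[:compromise_after])
    recovered_past = [pt == got for pt, got in zip(plaintexts[:compromise_after], past_attempt)]
    recovered_future = [pt == got for pt, got in zip(plaintexts[compromise_after:], future)]
    return recovered_past, recovered_future


# Constructed sample conversation (not real traffic).
ROOT_KEY = bytes.fromhex("11" * 32)
MESSAGES = [b"meet at 9", b"bring the docs", b"change of plan", b"done"]

if __name__ == "__main__":
    past, future = compromise_demo(ROOT_KEY, MESSAGES, 2)
    print("earlier messages recovered:", past)   # [False, False]
    print("later messages recovered:", future)   # [True, True]
```

The asymmetric (Diffie-Hellman) ratchet in the Open Whisper Systems protocol adds a second layer on top of this symmetric chain so that a stolen chain key also stops being useful for future messages once the peers exchange new key material; the hash chain alone gives only the backward protection shown here.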
Microsoft November out-of-cycle patch
Note: MS14-066 was also updated today to fix some of the issues previously discussed with the introduction of the additional TLS cipher suites. Folks running Server 2008 R2 and Server 2012 are urged to reinstall.
Update (2014-11-18 19:45 UTC) - After reading Microsoft
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
by Sean Gallagher
Mark Paffrath, a Navy veteran who worked as a housekeeper for the Drury hotel chain, claims he was fired from his job on Saturday after posting photos and video on Facebook of dozens of vehicles from the Department of Homeland Security massed in a Missouri hotel garage. Paffrath told CNN that Drury’s head of security “called me a terrorist, saying that I dishonorably served my country for posting those pictures and videos on Facebook.”
The vehicles and a large number of people from Homeland Security’s Federal Protective Service arrived last week, apparently in preparation for the announcement of a grand jury decision on whether to charge police officer Darren Wilson in the death of teenager Michael Brown. They were parked at the hotel where Paffrath worked, a short drive from Ferguson in suburban St. Louis. Paffrath posted the video and images of rows of federal vehicles on Thursday, including one with the caption “Why are all these vehicles here, I wonder if it has anything to do with Ferguson? #Ferguson, #No justice, no peace."
Paffrath’s former employer would not comment on how the hotel learned of the posted images, some of which are still publicly viewable on Paffrath’s Facebook page. A Drury hotel spokesperson told CNN, “We do not publicly discuss confidential personnel matters. The safety and privacy of our guests and our team members has always been and will remain our top priority." The hotel management may have seen the photos as a violation of the privacy of guests.
Today, Microsoft will release MS14-068. This is one of the bulletins that was skipped in November's Patch Tuesday update.
The bulletin fixes a privilege escalation vulnerability in Windows Kerberos, and Microsoft rated it Critical.
It does however appear that Microsoft still has process issues with releasing updates. For example, the Monthly Bulletin Summary for November now only lists this one bulletin. The bulletin page itself is still blank, but will likely be populated around 1:30pm ET.
We will update/replace this diary once the full bulletin is released.