Bank of the Internet

This is, perhaps, a little heavy on the geek side. I think there may already be a bit part reserved for me on The Big Bang Theory, along with an XXL-sized Star Trek uniform (preferably not a security redshirt uniform).

However, if you’re actually reading this, I guess there’s a reasonable chance that you’re among the elite (very) few who don’t altogether hate my cheesy little cartoons. One of the most valued members of that elite band is Aryeh Goretsky who used this one in his ESET 2014 Mid-Year Threat Report broadcast.

The webinar itself has been and gone, but you can catch a recording on the ESET Internet Security Threats Channel. There’s a list of the topics covered and a link to the recording in Aryeh’s blog article.

(No, this blog is emphatically not part of the ESET empire, but I kind of like the cartoon.)


David Harley
Small Blue-Green World


Division by Zero Day

Yes, it’s a vaguely IT-related post, just for a change.

A few days ago, there was a flurry of interest in the LinkedIn issue raised by Zimperium: potential Man In The Middle attacks (somehow, this always makes me think of Rob Brydon) using SSL-stripping.

I must admit, I was somewhat irritated by the fairly trivial matter of the misuse of the term zero-day vulnerability. If Zimperium has notified LinkedIn six times about the issue, I don’t think it can be described as a zero-day vulnerability, since it’s known to the provider. Unless the notifications have been disappearing into a black hole somewhere, but Zimperium’s blog indicates that LinkedIn acknowledged to them last year that the issue existed. And in fact, SSL-stripping has been a known attack for quite a few years (Moxie Marlinspike demonstrated sslstrip in 2009). As far as I can see, it isn’t a vulnerability at all in terms of the SSL trust model: it’s an implementation issue.

HTTPS is essentially HTTP carried over a layer of SSL/TLS. While Zimperium’s blog doesn’t describe a specific vulnerability, what it refers to as SSL-stripping involves an attacker on the network path (a rogue wireless hotspot, say) who intercepts the victim’s plaintext http:// request, fetches the real page from the server over HTTPS himself, and relays it back to the victim over plain HTTP with every https:// link and redirect rewritten to http://. Because it is the attacker, not the victim, who holds the TLS session to the server, a site that serves only HTTPS is not by itself a defence: the server still sees a well-formed HTTPS connection, and the victim’s browser never asked for one, so nothing fails and nothing is refused. Nor does the attacker need to break the SSL trust model or forge a certificate; the attack works for as long as the browser is willing to talk plain HTTP to the site at all. HSTS (HTTP Strict Transport Security) closes that gap by telling the browser that only HTTPS connections are allowed for the host, so that later http:// requests are upgraded before they leave the machine. The header is only honoured when it arrives over HTTPS, though, so on a first visit that begins over plain HTTP the attacker can simply strip it and the browser never learns; that is why browsers also ship a preload list of HSTS hosts.
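To make the mechanism concrete, here is a toy model of the exchange described above, added here as an illustration (it is not code from the post, from Zimperium or from LinkedIn). The host name, headers and page body are constructed, and the attacker, server and browser are collapsed into a few functions; it shows why serving HTTPS alone does not stop a stripping proxy, why the attacker must also drop the HSTS header and the Secure cookie flag, and why a browser that already knows the host is HSTS (from an earlier HTTPS visit, or a preload list) never gives the attacker a plaintext request to work with.

```python
"""Toy model of SSL-stripping and of browser-side HSTS (constructed example)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the target site; not real data.
HOST = "www.example.com"

# Constructed "genuine" response the origin server returns over HTTPS.
ORIGIN_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
    "Location": "https://www.example.com/login",
}
ORIGIN_BODY = '<a href="https://www.example.com/login">Sign in</a>'

MAX_AGE_RE = re.compile(r"max-age=(\d+)", re.I)


def strip_response(headers, body):
    """What an SSL-stripping proxy does to a response it fetched over HTTPS
    before relaying it to the victim over plain HTTP: drop the HSTS header,
    downgrade redirects and links, and remove the Secure flag so the cookie
    is still sent back over http."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location" and value.lower().startswith("https://"):
            value = "http://" + value[len("https://"):]
        if lname == "set-cookie":
            value = re.sub(r";\s*secure\b", "", value, flags=re.I)
        out[name] = value
    return out, body.replace("https://", "http://")


class Browser:
    """Minimal browser: just an HSTS cache, optionally seeded from a preload list."""

    def __init__(self, preload=()):
        self.hsts_hosts = set(preload)

    def learn(self, host, headers, over_https):
        # RFC 6797: an HSTS header is only honoured on a TLS-protected response.
        if not over_https:
            return
        for name, value in headers.items():
            if name.lower() == "strict-transport-security":
                m = MAX_AGE_RE.search(value)
                if m and int(m.group(1)) > 0:
                    self.hsts_hosts.add(host)
                elif m:
                    self.hsts_hosts.discard(host)  # max-age=0 clears the entry

    def resolve(self, url):
        """Upgrade http:// to https:// for hosts the browser knows to be HSTS."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hsts_hosts:
            p = p._replace(scheme="https")
        return urlunsplit(p)


def visit(browser, url, attacker_in_path=True):
    """One navigation. Returns (scheme the victim actually used, headers, body).

    Over HTTPS the attacker has no valid certificate for the host and must pass
    the genuine response through. Over HTTP the attacker fetches the real page
    over HTTPS itself and relays a stripped copy to the victim."""
    url = browser.resolve(url)
    parts = urlsplit(url)
    scheme, host = parts.scheme, parts.hostname
    if scheme == "https" or not attacker_in_path:
        headers, body = dict(ORIGIN_HEADERS), ORIGIN_BODY
    else:
        headers, body = strip_response(ORIGIN_HEADERS, ORIGIN_BODY)
    browser.learn(host, headers, over_https=(scheme == "https"))
    return scheme, headers, body


if __name__ == "__main__":
    victim = Browser()
    print("first visit via http://  ->", visit(victim, "http://www.example.com/")[0])
    print("explicit https://        ->", visit(victim, "https://www.example.com/")[0])
    print("http:// after HSTS learnt->", visit(victim, "http://www.example.com/")[0])
    print("preloaded, first visit   ->", visit(Browser([HOST]), "http://www.example.com/")[0])
```

The first navigation over http:// is the one the post's advice is aimed at: it is the only request the attacker ever needs, and after it the browser has no HSTS entry because the header never reached it. Typing the https:// address (or using a bookmark to it) both defeats the proxy for that visit and teaches the browser to upgrade every later http:// request itself.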

There are a couple of measures (as described by Zimperium) that the consumer can take right now: turn on HTTPS for all LinkedIn transactions in Account/Security Settings, and always log in via https://www.linkedin.com rather than http://www.linkedin.com, so that the first request never leaves the browser in plaintext.

Of course, there may be other issues that Zimperium’s blog doesn’t mention, and I’m not familiar with their pen-test toolkit, so can’t comment on the details of their findings.

David Harley
Small Blue-Green World


Up the creche without a puddle

Wasn’t sure which blog was the most appropriate, so I hedged my bets. Oops. Shouldn’t have mentioned hedges. A-tishoo!!!!

David Harley
Small Blue-Green World

Shropshire Blues

Spotted outside The Bridge in Ludlow. However, Jude didn’t take the hint and insisted on walking me home via The Linney. Admittedly, there aren’t many shops open in Ludlow on a Sunday evening. On the other hand, the last stretch via the castle was rather pollen-rich for my tastes on a warm, dry summer’s evening.


David Harley
Small Blue-Green World
