What I’m Thinking About March

Lots of lost certificates

[23,000 HTTPS certificates axed after CEO emails private keys | Ars Technica](https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/)

The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec’s certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.

Strava loses the location of an army base

Strava released a heat map of where its users run, swim, and cycle as a marketing tool. The data was not properly anonymized, and it inadvertently revealed the locations of secret US army bases along with some details about individual users. This shows how difficult anonymization is. I think we could have helped Strava identify these risks before the data was released.

ML is still scary

Have I mentioned how scary Machine Learning is getting? Let’s recap:

Krebs talks about Jackpotting ATMs

Krebs on Security posts a lot about ATM insecurity, and now he is covering “jackpotting” attacks on ATMs in the US. In these attacks, criminals install malicious software or hardware on the ATM that forces the machine to dispense large amounts of cash. Our embedded security services could help defend against an attack like this. There are two sides to it: the software protections that need to be in place, and the physical ones, since most of these attacks require the attacker to plug in an Ethernet cable or a keyboard to get started.

First ‘Jackpotting’ Attacks Hit U.S. ATMs — Krebs on Security

Blockchain

No, You Probably Don’t Need a Blockchain - Ashton Kemerling

Have I Been Pwn’d?

Troy Hunt: I’ve Just Launched “Pwned Passwords” V2 With Half a Billion Passwords for Download

This is truly an exceptional resource for checking emails, passwords, and getting breach notifications.

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. - NIST
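As an added example (not from the original post, and not Troy Hunt's code), here is a verifier that implements the NIST check above against Pwned Passwords V2 data, using the service's SHA-1 prefix/suffix range format so that only the first five hex characters of the hash would ever leave the verifier. The range responses are constructed inline so it runs offline, the counts are invented, and the 8-character minimum is an assumption.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-in for the Pwned Passwords V2 range API, keyed by the
# 5-hex-char SHA-1 prefix a client sends. Each body is "SUFFIX:COUNT" lines
# as the service returns them. The middle suffix is the real SHA-1 tail of
# "password"; the other suffixes and every count are invented for this demo.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
        "FD5EC1D8F8F4B4E9E0C4A6A3F3B5C2D1E0F:7\r\n"
    ),
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_body(body: str) -> Dict[str, int]:
    """Turn a range response body into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if line.strip():
            suffix, _, count = line.strip().partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Range body for a prefix. Here it is a table lookup; a real verifier
    would GET https://api.pwnedpasswords.com/range/<prefix>, so only the
    first 5 hex chars of the hash ever leave the verifier (k-anonymity)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")

def breach_count(password: str) -> int:
    """Number of breach records containing the password (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def accept_memorized_secret(password: str, min_length: int = 8) -> Optional[str]:
    """NIST SP 800-63B style verifier check. Returns None when the prospective
    secret is acceptable, otherwise the reason it was rejected."""
    if len(password) < min_length:
        return "too short"
    hits = breach_count(password)
    if hits:
        return f"found in {hits} breached records"
    return None
```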

A friend of mine, craSH, was recently asked what the number one AWS security mistake companies are making right now is. His answer was insecure configuration of S3 buckets. We’ve seen dozens of cases lately where this has led to a breach, e.g.:

- Verizon: https://www.upguard.com/breaches/verizon-cloud-leak
- Experian: https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/
- Accenture: https://www.upguard.com/breaches/cloud-leak-accenture
- US Army Intel: https://arstechnica.com/information-technology/2017/11/army-red-disk-intel-sharing-system-left-exposed-in-open-aws-data-store/
- Many others, more every day: https://www.tripwire.com/state-of-security/featured/preventing-yet-another-aws-s3-storage-breach-with-tripwire/

Posted By: Joe Basirico