2018 Cymmetria MazeRunner Community Edition Announced →
Gadi Evron has announced the latest edition of Cymmetria MazeRunner Community Edition. I'm particularly interested in the Python Enhanced Responder.py/Pass-the-Hash deception capabilities. Enjoy!
DGA, The Algorithm →
Hongliang Liu and Yuriy Yuzifovich, writing at the Security & Data Science Blog, a Nominum blog, provide a tour de force analysis of the so-called DGA - Domain Generation Algorithm battleground. Today's Must Read.
Satellite Woe →
The New(ish) Interweb
A new DNS root environment, courtesy of our friends in Russia and the People's Republic of China - ostensibly arriving in August of 2018. Essentially, both countries will begin managing their own 'internal' DNS infrastructure for the majority of their 'in-country' routing. What could go wrong?
See You, See Me: Certificate Transparency
...and then there's this: Certstream, ostensibly, a near 'real-time' certificate transparency log stream (in this case an update stream that security engineers can plug into their unholy workflow). Fundamentally, security administrators - through prudent automation - can take a gander at TLS/SSL certificates as those objects are issued in near 'real time' through the lens of Certstream. Really, a superb idea in the effort to afford transparency to the entire arcane methodology that is SSL/TLS certificate issuance. H/T
"Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:
- Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
- Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
- Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates." via.
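As an added example (not Certstream's code, nor anything from the quoted text), here is the kind of monitor the first CT goal invites: a domain owner watches the stream for certificates naming its own domains from an unexpected issuer, or naming look-alikes. The message layout imitates Certstream's JSON shape as an assumption, and the entries are constructed sample data.

```python
import json

# Domains we are responsible for and the issuers we expect to see on them
# (constructed values for the example).
WATCHED = {"example.com"}
EXPECTED_ISSUERS = {"Example Trusted CA"}

# Constructed sample messages in a Certstream-like shape (assumed layout,
# not real log data): heartbeats carry no certificate.
SAMPLE_STREAM = [
    json.dumps({"message_type": "heartbeat"}),
    json.dumps({"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["www.example.com", "example.com"],
        "issuer": {"O": "Example Trusted CA"}}}}),
    json.dumps({"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["login.example.com"], "issuer": {"O": "Some Other CA"}}}}),
    json.dumps({"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["example.com.evil.test"], "issuer": {"O": "Some Other CA"}}}}),
    json.dumps({"message_type": "certificate_update", "data": {"leaf_cert": {
        "all_domains": ["examp1e.com"], "issuer": {"O": "Some Other CA"}}}}),
]

def owned(domain):
    """True if domain is a watched apex or a subdomain of one (wildcards too)."""
    d = domain.lower().lstrip("*.")
    return any(d == w or d.endswith("." + w) for w in WATCHED)

def lookalike(domain):
    """Crude look-alike check: digit-for-letter swaps, or our apex used as a
    subdomain label of someone else's domain (example.com.evil.test)."""
    d = domain.lower()
    return any(d.replace("1", "l").replace("0", "o") == w or d.startswith(w + ".")
               for w in WATCHED)

def review_stream(lines):
    """Return (domain, issuer, verdict) for every entry that deserves a human look."""
    findings = []
    for line in lines:
        msg = json.loads(line)
        if msg.get("message_type") != "certificate_update":
            continue
        leaf = msg["data"]["leaf_cert"]
        issuer = leaf.get("issuer", {}).get("O", "?")
        for name in leaf["all_domains"]:
            if owned(name) and issuer not in EXPECTED_ISSUERS:
                findings.append((name, issuer, "unexpected issuer for owned domain"))
            elif not owned(name) and lookalike(name):
                findings.append((name, issuer, "look-alike of watched domain"))
    return findings
```

Against the constructed stream the monitor stays quiet on the legitimately issued certificate and flags the other three, which is the triage a CT feed is meant to make cheap.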
TLS-N, The Sharing →
News (HatTip) of TLS-N, the new extension to Transport Layer Security that ostensibly permits both Non-Repudiation and Secure Data Sharing (think Blockchain smart contracts data sharing). The organization's whitepaper detailing TLS-N is today's Must Read artifact. Outstanding.
Nonce, The Reuse Gambit
Alas, the WPA assumed 'secure implementation' is no more with the discovery (by Dr. Vanhoef) of forced nonce reuse.
'In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.' - via Mathy Vanhoef, Ph.D. and Frank Piessens, Ph.D.
Mozilla Foundation To Begin Collecting User Browsing Data
Via gHacks author Martin Brinkmann comes the astonishing tale of deeply flawed user data management at Mozilla Foundation. Along with the Foundation's Firefox browser Resource and Web Extension data leakage woes, now comes a highly user-antagonistic decision to commence collecting user browsing data in an opt-out decision tree. Truly this week's evidence that Blatant Stupidity still exists in the browser world.
"Mozilla's Georg Fritzsche published information on the plan to collect additional data yesterday on the Mozilla Governance group. In it, he describes the issue that Mozilla engineers face currently. While Firefox may collect the data when users opt-in, Mozilla believes that the data is biased and that only data collecting with opt-out would provide unbiased data that the engineers can work with. Questions that this data may help answer include "which top sites are users visiting", "which sites using Flash does a user encounter", and "which sites does a user see heavy Jank on" according to Fritzsche." excerpt via Martin Brinkmann writing at gHacks
JHutchins' SharknAT&To →
Folks, gird yourselves for the truly horrifying... Read the superlative security reportage by jhutchins at NoMotion, in which the good Hutchins details the cruft-laden, and fundamentally idiotic, practice of hard-coding accounts in low-end routerland. Behold SharknAT&To, and more, much more... Today's Must Read. H/T
"When evidence of the problems described in this report were first noticed, it almost seemed hard to believe. However, for those familiar with the technical history of Arris and their careless lingering of hardcoded accounts on their products, this report will sadly come as no surprise. For everyone else, prepare to be horrified." - via NoMotion's jhutchins
NANOG, Punky Duero's 'Root DNSSEC KSK Rollover' →
ICANN has slated the DNSSEC Key Signing Key Rollover for 2017/10/11. It is highly recommended to update your systems with the new key prior to the key signing key rollover date. Examine - if you will - the ICANN Root Zone KSK Rollover site for additional detail. In the meantime, enjoy Punky Duero's outstanding NANOG DNSSEC KSK Rollover Lightning Talk from the NANOG June 2017 confab.