Hackin9

EU governments are CRAP at cloud, moans Brussels' infosec watchdog
The Register
European governments haven't got a clue how to implement cloud services. So say the EU's own cybersecurity experts. ENISA (the European Network and Information Security Agency) has released a report on the adoption of something it calls “Gov Cloud”, ...

 

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, and the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web-based management, this issue is increasingly appearing on corporate networks.

The issue in most cases is caused by what is called a self-signed certificate: essentially, a certificate not signed by a recognized certificate authority, so the browser cannot build a chain to a root it trusts and warns instead. The fact is that recognized certificates are not cheap. For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG), a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters, aims to help reduce this problem and clean up the invalid certificate warning dialogs.

Their project, Let's Encrypt, aims to provide certificates for free, and to automate the deployment and expiry handling of certificates.

Essentially, a piece of software is installed on the server which talks to the Let's Encrypt certificate authority. From Let's Encrypt's website:

The Let's Encrypt management software will:

  • Automatically prove to the Let's Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.

While there is still some complexity involved, it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates into their products. I am interested to see how they will stop bad guys from using their certificates for phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Let's Encrypt certificate authority will start issuing certificates in mid-2015.
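The two things the post turns on, a certificate that is its own issuer and a certificate that is drifting toward expiry, are easy to check mechanically across a corporate network. The following is an added example, not code from the post or from the Let's Encrypt project: it builds a constructed self-signed certificate and a constructed CA-issued one with Go's standard library, tells them apart by checking whether each certificate verifies under its own public key, and reports days to expiry against a 30-day renewal window. The window, the hostnames and the throwaway CA are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewWindow is an assumed operational policy, not something the post
// states: flag a certificate for renewal once fewer than 30 days remain.
const renewWindow = 30 * 24 * time.Hour

// Report is what an inventory pass over internal HTTPS endpoints would
// record for each certificate it finds.
type Report struct {
	Subject      string
	SelfSigned   bool // issuer equals subject and the cert verifies under its own key
	DaysToExpiry int  // negative once the certificate has expired
	RenewalDue   bool
	Expired      bool
}

// Inspect classifies one parsed certificate as of the reference time now.
func Inspect(cert *x509.Certificate, now time.Time) Report {
	// Compare the DER-encoded names, then confirm the signature really
	// verifies under the certificate's own public key: a name match alone
	// would also hold for a CA-issued cert whose subject equals its issuer.
	selfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	remaining := cert.NotAfter.Sub(now)
	return Report{
		Subject:      cert.Subject.CommonName,
		SelfSigned:   selfSigned,
		DaysToExpiry: int(remaining / (24 * time.Hour)),
		RenewalDue:   remaining < renewWindow,
		Expired:      now.After(cert.NotAfter),
	}
}

// leafTemplate is the server-certificate shape shared by both fixtures.
func leafTemplate(cn string, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// sign issues tmpl under parent; passing tmpl as its own parent, with the
// subject's own key as signer, produces a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSelfSigned builds the kind of certificate a management interface ships
// with by default (constructed fixture).
func NewSelfSigned(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := leafTemplate(cn, notBefore, lifetime)
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// NewCAIssued builds a throwaway CA and a leaf it signs, standing in for a
// certificate obtained from a real CA (constructed fixture; this CA is not
// Let's Encrypt and is trusted by no browser).
func NewCAIssued(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return sign(leafTemplate(cn, notBefore, lifetime), ca, &leafKey.PublicKey, caKey)
}

func main() {
	now := time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC) // fixed reference date
	day := 24 * time.Hour
	ss, _ := NewSelfSigned("switch01.corp.example", now.Add(-70*day), 90*day)
	issued, _ := NewCAIssued("www.example", now.Add(-10*day), 90*day)
	for _, c := range []*x509.Certificate{ss, issued} {
		fmt.Printf("%+v\n", Inspect(c, now))
	}
}
```

In a real inventory the certificates would come from a TLS handshake against each management interface rather than from fixtures; the classification logic in Inspect is the same either way, and a self-signed or near-expiry result is exactly the case the post says an automated agent should remove from the operator's plate.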

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
OpenEMR 'validateUser.php' SQL Injection Vulnerability
 
OpenKM Authentication Bypass Vulnerability
 
WordPress Frontend Uploader Plugin 'errors' Parameter Cross Site Scripting Vulnerability
 
b2evolution 'admin.php' Cross-Site Scripting Vulnerability
 

I have been tracking DDoS volume and patterns for a few years. We have seen the attacks move from DNS to NTP, to chargen, then on to SSDP and occasionally QOTD. I think we have a much better understanding of the vulnerabilities which are enabling the successful amplification of [...] ISPs, to reduce the impact of this style of attack.

What I haven't been able to understand is why, since late last year, other than the occasional booter and attacks on Brian Krebs, the incidence and volume of these attacks has dropped off almost completely?

Any ideas?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 
Ekahau Real-Time Location System CVE-2014-2716 Multiple Security Weaknesses
 
Papoo Light Multiple HTML Injection Vulnerabilities
 
X7 Chat 'lib/message.php' Arbitrary Code Execution Vulnerability
 

Information security and lawyers: Three ways to be besties
TechTarget
Legal teams have long played an important role in information security (infosec) and compliance programs. The expertise that attorneys bring to the table complements the knowledge of technical subject matter that IT professionals possess and, when ...

 

 
Joomla! Googlemaps Plugin Multiple Remote Security Vulnerabilities
 
Internet Storm Center Infocon Status