In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while MD5 (and its successor SHA1) are being phased out, they continue to be used in “mainstream protocols” like TLS, IKE, and SSH.

This is not exactly news, but the assumption has always been that its continued use doesn’t compromise security due to “pre-image resistance,” meaning it would require far too much computational power to crack. The paper argues this isn’t true and you could crack a code in an hour (given a powerful server) and use it to impersonate an end user – i.e., break into a system.

Source: The sloth is coming! Quick, get MD5 out of our internet protocols

Source: IOActive Labs Research: Drupal – Insecure Update Process

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality

Issue #3: Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

Around the same time the first database was discovered a second, smaller database was also found by researcher Chris Vickery. This second database contains voter profiles similar to those previously discovered, however, it also includes records that hold targeted demographic information.
MORE ON CSO:Lost in the clouds: Your private data has been indexed by Google

While the overall total of records is lower (56,722,986 compared to 191 million) it’s still a concerning figure, but this discovery took a steep downturn when more than 18 million records containing targeted profile information were added to the mix.

This second database has voter information from states that began with the letters A-I, but excluding Illinois and Iowa. The scattered information suggests the data was being added in stages, and the exposed database wasn’t intended for public disclosure.
What’s in the database?

The second database contains the general voter profile, which includes a voter’s name, address, phone number, date of birth, voting record, etc. In fact, comparing records from both databases confirmed they are essentially the same, but the dates on the second database are newer (April 2015) and some of the field names are different – suggesting the core data came from the same source file.

This source file has been previously identified by political experts as Nation Builder Election Center data. This is further supported by the existence of an nbec_precinct_code and a voter ID code consisting of 32 letters and numbers separated by dashes.

As mentioned in the first story, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it.

While the previously discovered voter database contained more records, this second database, though smaller, contains more information. The standout issue is that these additional data points are targeted towards building an issues-based profile of the voter. While that might be fine for any number of election campaigns, having this data exposed to the public is a goldmine for criminals.

The second database contains several fields for custom text. Depending on the record some of them have answers, while others do not. There’s also fields that flag the profile as being copied from another data source, and those that determine if the voter has been contacted. In addition, there are fields for determining of the voter is active and if they’re a donor.

Other fields include email address, something that wasn’t part of the larger voter database covered last week; as well as records focused on health issues, gun ownership, household values (e.g., religion / social issues), fishing and hunting interests, auto racing interests, longitude and latitude of the voter, income level, and occupation.

When it comes to overlap and additions to the basic voter file, the additional fields in this second database look at gender identification, political party affiliation, political contributions, religious affiliation and if they’re a religious donor, a field denoting bible lifestyle, as well as how many robocall (auto dialed) campaigns they’ve been part of.

Source: 18 million targeted voter records exposed by database error

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.”

The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

“By introducing a technical input into an encryption product that would give the authorities access would also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services,” the paper noted. “This could have undesirable consequences for the security of information communicated and stored, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society.”

The formal position comes just months after the Dutch government approved a €500,000 ($540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library

Source: Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact