A British software engineer came up with “a fun playful name” for his consulting business. He’d named it:

“”>

Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly realised it could pose a security risk.” Henceforward, the software engineer’s consulting business will instead be legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to run code from one website on another.
Engadget adds: Companies House, meanwhile, said it had “put measures in place” to prevent a repeat. You won’t be trying this yourself, at least not in the U.K.

It’s more than a little amusing to see a for-the-laughs code name stir up trouble, but this also illustrates just how fragile web security can be.

Source: UK Agency Demands Company Stop Using Name Which Includes an HTML Closing Tag – Slashdot

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday.

The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, 2021. Since it has no plans to renew its cross-signing agreement, Let’s Encrypt plans to stop default cross-signing for IdenTrust’s root certificate, DST Root X3, beginning on Jan. 11 as the organization switches over to solely using its own ISRG Root X1 root.

It’s a pretty significant shift considering that as much as one-third of all web domains rely on the organization’s certificates. But since older software won’t trust Let’s Encrypt’s root certificate, this could “introduce some compatibility woes,” lead developer Jacob Hoffman-Andrews said in a blog post Friday.

“Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1,” he said. “Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.”

The only workaround for these users would be to install Firefox since it relies on its own certificate store that includes Let’s Encrypt’s root, though that wouldn’t keep applications from breaking or ensure functionality beyond your browser.

Let’s Encrypt noted that roughly 34% of Android devices are running a version older than 7.1 based on data from Google’s Android development suite. That translates to millions of users potentially being cut off from large portions of the secure web beginning in 2021

Source: Older Android Phones Won’t Support Many Secure Websites in 2021

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.

Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company’s internal network remotely.

[…]

Larsson quotes Gunnebo CEO Stefan Syrén saying the company never considered paying the ransom the attackers demanded in exchange for not publishing its internal documents. What’s more, Syrén seemed to downplay the severity of the exposure.

“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO reportedly said. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore a drawing with camera placements in itself is not very sensitive.”

It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well.

[…]

Source: Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo — Krebs on Security

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.

The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.

“At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.” Goryachy and two other researchers—Dmitry Sklyarov and Mark Ermolov, both with security firm Positive Technologies—worked jointly on the project.

The key can be extracted for any chip—be it a Celeron, Pentium, or Atom—that’s based on Intel’s Goldmont architecture.

[…]

attackers can’t use Chip Red Pill and the decryption key it exposes to remotely hack vulnerable CPUs, at least not without chaining it to other vulnerabilities that are currently unknown. Similarly, attackers can’t use these techniques to infect the supply chain of Goldmont-based devices.

[…]

In theory, it might also be possible to use Chip Red Pill in an evil maid attack, in which someone with fleeting access to a device hacks it. But in either of these cases, the hack would be tethered, meaning it would last only as long as the device was turned on. Once restarted, the chip would return to its normal state. In some cases, the ability to execute arbitrary microcode inside the CPU may also be useful for attacks on cryptography keys, such as those used in trusted platform modules.

“For now, there’s only one but very important consequence: independent analysis of a microcode patch that was impossible until now,” Positive Technologies researcher Mark Ermolov said. “Now, researchers can see how Intel fixes one or another bug/vulnerability. And this is great. The encryption of microcode patches is a kind of security through obscurity.”

Source: In a first, researchers extract secret key used to encrypt Intel CPU code | Ars Technica

It’s said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software.

However, curiously enough, the NSA has been unable to find a copy of that report.

On Wednesday, Reuters reporter Joseph Menn published an account of US Senator Ron Wyden’s efforts to determine whether the NSA is still in the business of placing backdoors in US technology products.

Wyden (D-OR) opposes such efforts because, as the Juniper incident demonstrates, they can backfire, thereby harming national security, and because they diminish the appeal of American-made tech products.

But Wyden’s inquiries, as a member of the Senate Intelligence Committee, have been stymied by lack of cooperation from the spy agency and the private sector. In June, Wyden and various colleagues sent a letter to Juniper CEO Rami Rahim asking about “several likely backdoors in its NetScreen line of firewalls.”

Juniper acknowledged in 2015 that “unauthorized code” had been found in ScreenOS, which powers its NetScreen firewalls. It’s been suggested that the code was in place since around 2008.

The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that “an unnamed national government had converted the mechanism first created by the NSA.”

Wyden staffers in 2018 were told by the NSA that a “lessons learned” report about the incident had been written. But Wyden spokesperson Keith Chu told Reuters that the NSA now claims it can’t find the file. Wyden’s office did not immediately respond to a request for comment.

The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper’s “decision to use the NSA-designed Dual EC Pseudorandom Number Generator.”

[…]

After Snowden’s disclosures about the extent of US surveillance operations in 2013, the NSA is said to have revised its policies for compromising commercial products. Wyden and other lawmakers have tried to learn more about these policies but they’ve been stonewalled, according to Reuters.

[…]

Source: NSA: We’ve learned our lesson after foreign spies used one of our crypto backdoors – but we can’t say how exactly • The Register

And this is why you don’t put out insecure security products, which is exactly what products with a backdoor are. Here’s looking at you, UK and Australia and all the other countries trying to force insecure products on us.