In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while MD5 (and its successor SHA1) are being phased out, they continue to be used in “mainstream protocols” like TLS, IKE, and SSH.

This is not exactly news, but the assumption has always been that its continued use doesn’t compromise security due to “pre-image resistance,” meaning it would require far too much computational power to crack. The paper argues this isn’t true and you could crack a code in an hour (given a powerful server) and use it to impersonate an end user – i.e., break into a system.

Source: The sloth is coming! Quick, get MD5 out of our internet protocols

Source: IOActive Labs Research: Drupal – Insecure Update Process

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality

Issue #3: Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

Around the same time the first database was discovered a second, smaller database was also found by researcher Chris Vickery. This second database contains voter profiles similar to those previously discovered, however, it also includes records that hold targeted demographic information.
MORE ON CSO:Lost in the clouds: Your private data has been indexed by Google

While the overall total of records is lower (56,722,986 compared to 191 million) it’s still a concerning figure, but this discovery took a steep downturn when more than 18 million records containing targeted profile information were added to the mix.

This second database has voter information from states that began with the letters A-I, but excluding Illinois and Iowa. The scattered information suggests the data was being added in stages, and the exposed database wasn’t intended for public disclosure.
What’s in the database?

The second database contains the general voter profile, which includes a voter’s name, address, phone number, date of birth, voting record, etc. In fact, comparing records from both databases confirmed they are essentially the same, but the dates on the second database are newer (April 2015) and some of the field names are different – suggesting the core data came from the same source file.

This source file has been previously identified by political experts as Nation Builder Election Center data. This is further supported by the existence of an nbec_precinct_code and a voter ID code consisting of 32 letters and numbers separated by dashes.

As mentioned in the first story, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it.

While the previously discovered voter database contained more records, this second database, though smaller, contains more information. The standout issue is that these additional data points are targeted towards building an issues-based profile of the voter. While that might be fine for any number of election campaigns, having this data exposed to the public is a goldmine for criminals.

The second database contains several fields for custom text. Depending on the record some of them have answers, while others do not. There’s also fields that flag the profile as being copied from another data source, and those that determine if the voter has been contacted. In addition, there are fields for determining of the voter is active and if they’re a donor.

Other fields include email address, something that wasn’t part of the larger voter database covered last week; as well as records focused on health issues, gun ownership, household values (e.g., religion / social issues), fishing and hunting interests, auto racing interests, longitude and latitude of the voter, income level, and occupation.

When it comes to overlap and additions to the basic voter file, the additional fields in this second database look at gender identification, political party affiliation, political contributions, religious affiliation and if they’re a religious donor, a field denoting bible lifestyle, as well as how many robocall (auto dialed) campaigns they’ve been part of.

Source: 18 million targeted voter records exposed by database error

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.”

The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

“By introducing a technical input into an encryption product that would give the authorities access would also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services,” the paper noted. “This could have undesirable consequences for the security of information communicated and stored, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society.”

The formal position comes just months after the Dutch government approved a €500,000 ($540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library

Source: Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Source: Database of 191 million U.S. voters exposed on Internet: researcher

The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: “Going overseas this summer? If you’re registered for myGov security codes make sure you turn them off before you go.”

The startling tweets come complete with professional cartoon graphics, clearly suggesting that rather than a civil servant going rogue on an idle afternoon, the advice was produced as a matter of policy.

Source: Australian government urges holidaymakers to kill two-factor auth

Because some people can’t receive SMS in foreign countries. This is a bad idea ™

And that password is: <<< %s(un='%s') = %u.

Source: How to log into any backdoored Juniper firewall – hard-coded password published

The energy-time entanglement technology for quantum encryption studied here is based on testing the connection at the same time as the encryption key is created. Two photons are sent out at exactly the same time in different directions. At both ends of the connection is an interferometer where a small phase shift is added. This provides the interference that is used to compare similarities in the data from the two stations. If the photon stream is being eavesdropped there will be noise, and this can be revealed using a theorem from quantum mechanics – Bell’s inequality.

On the other hand if the connection is secure and free from noise, you can use the remaining data, or photons, as an encryption key to protect your message.

What the LiU researchers Jan-Åke Larsson and his doctoral student Jonathan Jogenfors have revealed about energy-time entanglement is that if the photon source is replaced with a traditional light source, an eavesdropper can identify the key, the code string. Consequently they can also read the message without detection. The security test, which is based on Bell’s inequality, does not react – even though an attack is underway.

Physicists at Stockholm University have subsequently been able to demonstrate in practical experiments that it is perfectly possible to replace the light source and thus also eavesdrop on the message.

But this problem can also be solved.

“In the article we propose a number of countermeasures, from simple technical solutions to rebuilding the entire machine,” said Jonathan Jogenfors.

Source: Swedish researchers reveal security hole

When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.

Since most Flash exploits only need to be executed to work, and because there’s a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have other malicious code executed via older (Flash) vulnerabilities.

Source: BadWinmail Microsoft Outlook Bug Can Give Attackers Control Over PCs

A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts, and has ties to a number of other Hello Kitty portals.

The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

Source: Database leak exposes 3.3 million Hello Kitty fans

ouch

Source: Important Announcement about ScreenOS® – J-Net Community

FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.

Source: Project Zero: FireEye Exploitation: Project Zero’s Vulnerability of the Beast

All you need to do is send the jar in an email or get someone to visit a site with the jar on it and you can modify the bios and get access to their network information.

A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

Source: Back to 28: Grub2 Authentication Bypass 0-Day

Oops

Apparently people hate the software as well

Source: MacKeeper valt eindelijk door de mand

Vuvuzela relies on dummy traffic to hide the real connections

Before it’s decided where to store its content, the message goes through different servers, which send out dummy traffic to all interconnected users.

The server notifies the recipient that there’s a message for them, the user then goes to retrieve it, also passing through different mailboxes to get at the message’s location. When a connection is made through one of these mailboxes by a recipient searching for their message, each of these servers sends out dummy network packets on the network.

With so much fake traffic, and with senders and recipients moving past their destinations to intentionally create even more fake traffic after they’ve left or retrieved the actual message, you can only imagine how much data an attacker would have to sniff out before getting a clue of who’s talking to whom.

MIT researchers claim that attackers can even infiltrate more than half of its mailbox network, but if at least one mailbox server is left intact, users will be able to safely communicate because of all the fake traffic.

Source: MIT Creates Untraceable Anonymous Messaging System Called Vuvuzela

Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday.
[…]
Moreover this directive marks the beginning of platform regulation
[…]
MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.

Member states will have to identify concrete “operators of essential services” from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.

In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.

In addition, a network of Computer Security Incidents Response Teams (CSIRTs), set up by each member state to handle incidents, will have to be established to discuss cross border security incidents and identify coordinated responses.

Source: First ever EU rules on cybersecurity

This does give member states a large amount of power over sectors they deign to call essential – they can burden these companies with huge administrative overhead and crush them that way, with the only recourse being the expensive EU courts.

A litany of unsecured portals with generic usernames, sometimes no passwords at all, personnel allowing views of unencrypted Google docs with passwords…

Source: Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate | Weblog | Sijmen Ruwhof

Nasty maintenance software allows all kinds of privilege escalation. Please uninstall!

Source: Lenovo: Verwijder onze bloatware

A hacker is releasing customer records after a bank in the United Arab Emirates refused to pay a ransom of $3 million in bitcoins.

Most of the bank’s customers, however, did not learn that their data had been stolen and published online until the newspaper contacted them.

Files purporting to come from the hacker, and viewed by WIRED, appear to show bank customer credit card transactions for purchases made at retailers and restaurants around the world, including the US. The records include the credit card number, amount of purchase and authorization code, though not the customer name. Other files purport to show the balances on 50,000 bank cards. Some of the files are Excel spreadsheets; others appear to be entire SQL databases stolen by the hacker.

Source: Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom

What a wonderful thing working in the cloud is!

Source: Part of the world’s IT brought down by Azure Active Directory issue

App Engine task queue tasks sloo…ooww for ~10% of instances

Source: Google in 24-hour cloud brownout

PHP continues to be one of the main sources for many security bugs

With a huge fanbase and used in countless of apps and websites around the Internet, PHP is ranked the worst when it came to command injection bugs, but also came close to the top when it came to SQL injections, cross-site scripting bugs, and cryptographic issues.

Taking a closer look at PHP, we also see that 86% of all the analyzed apps included XSS issues, 73% included cryptographic issues, 67% allowed for directory traversal, 61% for code injection, 58% had problems with credentials management, 56% included SQL injection issues, and 50% allowed for information leakage.

When it came to policy compliance tests, scanned PHP applications passed the OWASP Top 10 tests only in 19% of the cases. ColdFusion had the only lowest rating with 17% while C/C++ passed OWASP tests in 60% of the cases.

Source: Top Programming Languages That Generate Software Vulnerabilities

If storing the personal data of almost 5 million parents and more than 200,000 kids wasn’t bad enough, it turns out that hacked toymaker VTech also left thousands of pictures of parents and kids and a year’s worth of chat logs stored online in a way easily accessible to hackers.

On Friday, Motherboard revealed that earlier this month a hacker broke into the servers of VTech, a Hong Kong-based company that makes internet-connected gadgets and toys. Inside the servers, the hacker found the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Source: Hacker Obtained Children’s Headshots and Chatlogs From Toymaker VTech