Big security news week with the Cloudflare “Cloudbleed” bug and the practical attack on SHA-1 (secure hash algorithm) from Google, huh?
This week’s edition of #MobSec5 includes:
- Cloudbleed “…possibly worse than the Heartbleed bug.”
- Judge rules you can’t line a building’s residents up to attempt to unlock seized Apple devices with their fingerprint
- Will we see President Trump’s cybersecurity executive order next week?
- And more
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.”
Cloudflare reports that 0.00003 percent of HTTP requests made through their systems between February 13 and February 18 may have exposed sensitive data. Working with a number of search engines, the company identified 770 unique cached URIs that included leaked memory and said any leaked memory was purged. It is possible, though, that residual caches of this data still exist. This particular bug is an example of how a developer can do everything right and still end up with a vulnerable app by relying on a third party’s library or service. NowSecure CTO David Weinstein explained the Cloudbleed bug’s impact on mobile apps and published a list of popular iOS apps that may have been affected in a blog post.
Google Online Security Blog: Announcing the first SHA1 collision
(Google Security Blog)
“Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision.”
Google has advocated for the sunsetting of SHA-1 and hopes the discovery will convince the industry that it needs to move on to SHA-256 and other more secure alternatives.
“A new Android banking trojan poses as a legitimate weather forecast app in an effort to steal users’ banking credentials.”
“Look for U.S. President Donald Trump’s administration to push for increased cybersecurity spending in government, but also for increased digital surveillance and encryption workarounds.”
There’s still no official word on when to expect the release of the Trump administration’s executive order on cybersecurity (though it may come prior to the president speaking to Congress on Tuesday). A purported draft of the order states, “Effective immediately, Agency Heads shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage their agency’s cyber risk.” NIST will host webinars at the beginning of March discussing how to use the framework and explaining updates published in January. Unfortunately registration for the live events is already full, but recordings of the webinars will be published within two weeks.
Who is listening?: Hijacking devices
“The next time you open your smartphone, be sure that you know what it’s doing behind the scenes.”
“For a relatively small fee, you can snoop on someone’s messages, call logs, photos, and location from across the planet.”
The reporter writes, “Within minutes, I had downloaded the malware, turned off an Android security setting that would allow it to install itself, entered my subscription key, and was ready to collect data.” So, to install the malware and compromise the device, physical access to the unlocked phone was necessary.
“A federal magistrate judge in Chicago recently denied the government’s attempt to force people in a particular building to depress their fingerprints in an attempt to open any seized Apple devices as part of a child pornography investigation.”
iPhone Robbers Try to iPhish Victims
(Krebs On Security)
“Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found.”
How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
“Palantir has never masked its ambitions, in particular the desire to sell its services to the U.S. government — the CIA itself was an early investor in the startup through In-Q-Tel, the agency’s venture capital branch.”
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.