Week 3 Links
Feb 15, 2017
2 minute read

Spotted via HackerNews, Slashdot, /r/netsec, O’Reilly Security Newsletter, Twitter; via security bloggers including Krebs on Security, Troy Hunt; from classmates; and elsewhere.

Events and Conferences

RSA Conference is on now.

Hey-we-were-just-talking-about-that

Verizon Said to Near Yahoo Deal at Lower Price After Hacks: a $250 million discount on a $5 billion deal.

Law and Politics

What are the rules for cybersearches when crossing borders? Does anyone here take extra precautions, such as using a “clean device”?

Is SecureDrop making it easier for government employees to leak? There are a LOT of leaks coming from the new administration, some of which have already cost the new national security advisor his job.

Enhanced Analysis of GRIZZLY STEPPE, a deep-dive into recent attacks carried out by nation-state adversaries.

Cryptography

There was a new paper called “The Security Impact of HTTPS Interception”, but I think it’s been taken offline in advance of presentation at a conference in a few weeks. Abstract:

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.
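The abstract's first finding is that a server can detect interception because the HTTP User-Agent claims one client while the TLS ClientHello looks like another. Below is an added illustration of that heuristic, written for this post and not taken from the paper or its authors: it parses the version, cipher-suite list and extension order out of a raw ClientHello, compares them with what the claimed browser family should send, and, on a mismatch, tries to name the interception product whose fingerprint matches. The browser and product fingerprints, the product names and the ClientHello bytes are constructed for the example and do not describe any real browser or product.

```python
"""Added example: server-side detection of TLS interception from a
User-Agent / ClientHello mismatch. All fingerprints and packets below are
constructed for illustration; they are not real browser or product data."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class HelloFingerprint:
    """The ClientHello features the heuristic compares."""
    version: int           # client_version field of the ClientHello
    cipher_suites: tuple   # cipher suites in the order the client offered them
    extensions: tuple      # extension types in the order they appeared


def parse_client_hello(record: bytes) -> HelloFingerprint:
    """Extract a fingerprint from a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                      # skip 5-byte record and 4-byte handshake headers
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                           # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    suites = struct.unpack_from("!%dH" % (cs_len // 2), body, pos); pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    ext_total = struct.unpack_from("!H", body, pos)[0]; pos += 2
    end = pos + ext_total
    ext_types = []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        ext_types.append(etype)
        pos += 4 + elen                    # extension bodies are irrelevant to the fingerprint
    return HelloFingerprint(version, tuple(suites), tuple(ext_types))


def build_client_hello(fp: HelloFingerprint) -> bytes:
    """Constructed ClientHello used as sample input (no real client emits this)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in fp.extensions)   # empty extension bodies
    body = (struct.pack("!H", fp.version) + b"\x00" * 32 + b"\x00"     # zero random, empty session id
            + struct.pack("!H", 2 * len(fp.cipher_suites))
            + b"".join(struct.pack("!H", s) for s in fp.cipher_suites)
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed reference fingerprints per browser family (illustrative, not measured).
BROWSER_FINGERPRINTS = {
    "firefox": HelloFingerprint(0x0303, (0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009E),
                                (0, 23, 65281, 10, 11, 16, 13)),
    "chrome": HelloFingerprint(0x0303, (0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8),
                               (65281, 0, 23, 35, 13, 5, 18, 16, 11, 10)),
}

# Constructed fingerprints of hypothetical interception products.
INTERCEPTOR_FINGERPRINTS = {
    "hypothetical-middlebox-A": HelloFingerprint(0x0303, (0x002F, 0x0035, 0x000A), (0, 10, 11)),
    "hypothetical-av-B": HelloFingerprint(0x0301, (0xC013, 0xC014, 0x002F, 0x0035), (0, 11, 10, 13)),
}


def browser_family(user_agent: str):
    """Map a User-Agent string to the browser family it claims to be."""
    ua = user_agent.lower()
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua and "edg" not in ua:
        return "chrome"
    return None


def classify(user_agent: str, record: bytes) -> dict:
    """Compare the claimed browser with the observed handshake."""
    observed = parse_client_hello(record)
    family = browser_family(user_agent)
    if family is None:
        return {"verdict": "unknown-client", "mismatches": [], "product": None}
    expected = BROWSER_FINGERPRINTS[family]
    mismatches = [f for f in ("version", "cipher_suites", "extensions")
                  if getattr(observed, f) != getattr(expected, f)]
    if not mismatches:
        return {"verdict": "direct", "mismatches": [], "product": None}
    # The handshake is not the claimed browser's; see whether a known interceptor sent it.
    product = next((name for name, fp in INTERCEPTOR_FINGERPRINTS.items() if fp == observed), None)
    return {"verdict": "intercepted", "mismatches": mismatches, "product": product}


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"  # constructed
    for label, fp in (("genuine", BROWSER_FINGERPRINTS["firefox"]),
                      ("via middlebox", INTERCEPTOR_FINGERPRINTS["hypothetical-middlebox-A"])):
        print(label, classify(ua, build_client_hello(fp)))
```

The paper's real heuristics are built from measured handshakes of many browser versions; the point of the toy is that the comparison is structural (which suites, in which order, with which extensions), so a middlebox that re-originates the TLS connection reveals itself no matter how faithfully it forwards the HTTP headers.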

Access Control

Introducing the Uber SSH Certificate Authority, time-bound certificates for SSH authentication.

Application Security

If it’s Patch Tuesday but there aren’t any patches, is it really Patch Tuesday?

Finding Ticketbleed, a deeply technical blow-by-blow account of discovering a vulnerability in a vendor’s implementation of a protocol. Also read the “Disclosure” section on practising “responsible disclosure” with the vendor’s security team.

Other

What’s the going rate for W-2 forms? Krebs answers…