Bruce Schneier has an interesting post about a new free and open Certificate Authority, called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and even more important automatically. Part of the Let's Encrypt model is automating the steps that can prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.

Living without browser Java has been easy. The only thing I've used that wanted to use the browser plugin for Java was the download manager on a web site that also had direct SSL links. No biggie.

Paul Ducklin has an interesting piece on HTML 5. Although browsers have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);

Let's start with a story. We recently were estimating the effort to fix up a client's audit findings, when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably reported before the vulnerability I will describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and had to be disabled if a system needed to be FIPS 140-2 compliant. While not every system needs that, it's indicative that SSLv3 is disallowed from the standard. (By the way the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.) Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable. A recent announcement of a new vulnerability in SSLv3 (CVE-2014-3566) when using ciphers operating in cipher block chaining (CBC) mode. Because of how SSLv3 handles the block structure and padding out plain text to the block size, it is possible to construct attacks that manipulate padding to disclose plain text.

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked:

What is the vulnerability? There was a vulnerability announcement on September 24, 2014 of a bug (CVE-2014-6271) in the Bourne-again shell, bash, that is the default command line interpreter in most Linux and many Unix distributions, including variants that form the basis of many embedded devices and appliances. The bug allows for remote code injection that can cause arbitrary commands to be run on the attacked system. There are several avenues for making this happen, but the single most potent one is by attacking web servers that can run CGI commands.

The Daily Kos has a remarkable piece by Arliss Bunny (hat tip to Bruce Shneier for spotting this) describing the actions of the Fed on 9/11. The piece was researched by going through the annual reports of all 12 Federal Reserve Banks, and led the author to the conclusion that "on 9-11 and the days which immediately followed, a relatively small number of people did some genuinely, physically heroic things in order to keep the economy from going off the rails..." When the planes hit the towers it was a busy day and all but one Washington based member of the Fed Board of Governors were elsewhere. Chairman Alan Greenspan was flying home from Switzerland at the time, and would not know what happened until his plane had returned to Zürich. It fell to the one senior person in DC, Federal Reserve Vice Chairman Roger W. Ferguson, Jr., to coordinate the Fed's response. In some ways Ferguson was the ideal choice, since he led the Fed's Y2K planning and response. That turned out to be a meticulously planned effort which did a good job of expecting the unexpected in ways that served them well.

Malware attacks against Point of Sale (POS) terminals came into the collective consciousness with a big splash with the Target breach late last year, and the recent disclosure of data breaches at 51 UPS franchise stores and a major data breach at major chains owned (or recently owned) by SuperValue including SuperValue, Cub Foods, Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets. Last week the U.S. Secret Service warned that over 1000 US business were affected by Backoff, an up-and-coming piece of POS malware. Backoff's method of operation is not new, but is very well executed. Like other POS malware, it installs a memory scraper onto the terminal to capture credit card track data as well as a keystroke logger, establishes communications with a command and control server, and exfiltrates both payment card and keystroke data. The crime syndicates using Backoff have become highly skilled at compromising systems through remote access software in order to establish a "jump server" from which to find and infect POS terminals.

I'm a big fan of using mobile phones, especially smart phones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that your token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore. In addition to applications that might send me a token by SMS, I have three token apps on my smartphone: Symantec VIP which I use for Ebay, PayPal, Symantec MSS, remote login to one of my clients, and some others. Google Authenticator for various Google accounts and for WordPress. Duo Security which I use for my own SSH logins. This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket.

An appreciation My old friend and former colleague Steve Bellovin has an interesting blog at Columbia, where he's a professor of computer science. Steve is one of those guys who has just done stuff for his whole career. As a graduate student he helped invent Usenet, which I credit as being the first computer social network. His time at Bell Labs (which is where our paths first crossed) produced a lot of different things, possibly most famously his work with Bill Cheswick on internet firewalls and security. For his last sabbatical from Columbia, he was the Chief Technologist of the Federal Trade Commission for a year. Steve's blog is not notable for it's volume, it's notable for its gems -- thoughtful and thought provoking pieces on a wide variety of topics. There's currently a pair of posts worth reading.