Security Alerts & News
by Tymoteusz A. Góral

#2041 Security lapse exposed New York airport's critical servers for a year
NEW YORK -- A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found.

The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents.

The airport, about 60 miles north of Manhattan, serves hundreds of thousands of passengers each year, and is regularly used by the military. The airport is known for accommodating charter flights of high-profile guests, including foreign dignitaries.

#2040 Watershed SHA1 collision just broke the WebKit repository, others may follow
Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.

The bug resides in Apache Subversion, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, which prove that real-world collisions on SHA1 are now practical.

#2039 Linus Torvalds on SHA1 and Git: 'The sky isn't falling'
The real worry about Google showing that SHA-1 hashing is crackable, as pointed out by Peter Gutmann, a cryptography expert at the University of Auckland, New Zealand, is "with long-term document signing and certificates". But what about the distributed version control system Git and its code repositories? Linus Torvalds, inventor of Linux and Git, doesn't see any real security headaches ahead for you.

Torvalds and other Linux kernel developers created Git in 2005 as Linux's distributed version control system. It's also used by multiple major companies, including Facebook, Google, and Twitter, to manage their codebases. Git is also used by GitHub, the world's most popular source-code management site. Even Microsoft uses GitHub. Indeed, Microsoft has more open-source developers than any other company on GitHub.

#2038 SHA1 collider
Quick-and-dirty PDF maker using the collision from the SHAttered paper.

#2037 Removing user admin rights mitigates 94% of all critical Microsoft vulnerabilities
Just by preventing access to admin accounts, a system administrator could safeguard all the computers under his watch and prevent attackers from exploiting 94% of all the critical vulnerabilities Microsoft patched during the past year.

This is the conclusion of a study carried out by cyber-security firm Avecto for the second year in a row. At the same time last year, Avecto found that a sysadmin could mitigate 86% of all critical vulnerabilities Microsoft patched in 2015 by taking the same action and disabling admin rights.

The rise from 86% to 94% means that the security of Microsoft products is getting better, provided users start following industry best practices and stop using admin accounts for daily work.

#2036 List of sites possibly affected by Cloudflare's Cloudbleed HTTPS traffic leak
Between 2016-09-22 and 2017-02-18, session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. The data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer arithmetic bug. Once the bug was triggered, the response could include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. This means a request for a page using one of those features could return data from Uber or one of the many other customers that didn't use those features. So the potential impact extends to every single site using Cloudflare's proxy services (including both HTTP and HTTPS proxying).

"The greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day"

#2035 How security products are tested – part 1
The demand for tests appeared almost simultaneously with the development of the first antivirus programs – in the mid-to-late 1990s. Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions with the help of self-made methodologies, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.

The first primitive tests, which scanned huge collections of malicious and supposedly malicious files gathered from everywhere, were rightly criticized, first and foremost by the vendors. Such tests produced inconsistent and unreliable results, and few people trusted them.

#2034 The real cost of ransomware: Attacks take most victims offline for at least a week
It only takes seconds for ransomware to block access to an entire network, but the vast majority of businesses remain locked out of crucial files and systems for a week or more, with the impact causing severe financial and reputational damage.

Data gathered from over a thousand businesses that have been victims of ransomware within the last year suggests that 85 percent of those infected by the malicious file-encrypting software had their systems forced offline for at least a week, while a third of cases resulted in data being inaccessible for a month or more.

Worryingly, 15 percent of those targeted with ransomware found that their data was completely unrecoverable.