GilmerFreePress.net

G-TechNote™: Bogus SSL Certificate for Windows Live Could Allow Man-in-the-Middle Hacks

Microsoft is scrambling to block a fraudulent HTTPS certificate that was issued for one of the company’s Windows Live Web addresses lest it be used by attackers to mount convincing man-in-the-middle attacks.

The phony Transport Layer Security/Secure Sockets Layer certificate was issued for “live.fi” and “www.live.fi”, which are addresses Microsoft reserves for its Windows Live services. The sensitive credential has already been revoked by Comodo, the browser-trusted certificate authority that issued it. But given the ease of defeating the current SSL revocation regimen, attackers may still be able to maliciously use the certificate against unsuspecting end users.

“The purpose of this advisory is to notify customers that an SSL digital certificate was improperly issued,” Microsoft officials warned late Monday. “This SSL certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Microsoft web properties. It cannot be used to issue other certificates, impersonate other domains, or sign code.”

The race to kill all trust in the live.fi certificate is the latest event to underscore the problems with the SSL system, which remains the Internet’s de facto method for encrypting sensitive Web traffic and proving the authenticity of servers used for e-mail, banking, and shopping. As security researcher Moxie Marlinspike demonstrated in 2009, the revocation checks browsers perform on TLS certificates are easily defeated. Both the Online Certificate Status Protocol (OCSP) and the older certificate revocation lists (CRLs) are consulted on a “soft fail” basis rather than the more secure but harder-to-tolerate “hard fail”: when the revocation service cannot be reached, most browsers treat the unvalidated certificate as trusted, because hard-failing would break every site whose CA is having an outage. An attacker already positioned to mount a man-in-the-middle attack with a CA-issued counterfeit certificate can therefore simply block the OCSP or CRL response before it reaches the targeted user, and the browser never learns that the certificate was revoked.

The Gilmer Free Press

That means the only sure way to block an improperly issued certificate is for each browser or operating-system maker to hard-code the revocation into an update. Windows 8 and 8.1 come with an automatic updater of revoked certificates; as the name suggests, it downloads the list of revoked certificates without requiring users to take any action. An automatic updater is available for Windows 7, Windows Server 2008, and Windows Server 2008 R2, but users must install it first. Those using Windows Server 2003, and anyone without the automatic updater installed, are advised to apply the manually installable update that Microsoft provides.

Google and Mozilla, makers of the Chrome and Firefox browsers, respectively, are likely to issue updates in the next day or two. E-mails sent to officials with both organizations went unanswered as this post was being prepared. Comodo officials also didn’t respond to a request for comment.


Easy to issue, hard to kill

The precise circumstances that allowed the fraudulent live.fi certificate to be issued aren’t clear, but Microsoft’s advisory suggested the forgery was the result of someone obtaining an e-mail address that’s typically reserved for website operators to demonstrate their control of a given domain.

“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain,” Microsoft officials wrote. “An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain.”

A Comodo Web page on domain validation says such addresses are those whose local part (the text immediately to the left of the @) is admin, administrator, postmaster, hostmaster, or webmaster at the domain for which the certificate is being requested. To obtain a domain-validated TLS certificate, an applicant need only apply using one of those addresses: Comodo responds with an e-mail containing a unique validation code and link, and clicking that link is all the proof Comodo and many other certificate authorities require that the applicant controls the domain. A webmail provider that lets an ordinary user register one of those names therefore hands that user the ability to obtain a certificate for the entire domain, which is exactly what Microsoft says happened with live.fi.
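As an added illustration (not code from Microsoft, Comodo, or the original article), here is the registration-time check a mail provider in live.fi’s position would need in order to close the hole Microsoft describes: refuse to hand out any mailbox whose name a CA will send a domain-validation challenge to. The five names come from the Comodo policy described above; the extra RFC 2142 role addresses and the normalisation rules (case folding, Unicode compatibility folding, dot and plus-tag stripping) are assumptions about how a provider routes mail and are labelled as such in the code.

```python
"""Screen webmail sign-ups for mailbox names that double as proof of domain
control.  Added example, not from the article or from Microsoft/Comodo."""
from __future__ import annotations

import unicodedata

# Local-parts a CA will send a domain-validation e-mail to (Comodo's DV
# policy as described in the article).
CA_VALIDATION_NAMES = {"admin", "administrator", "postmaster", "hostmaster", "webmaster"}

# RFC 2142 role mailboxes.  Assumption: a provider that hosts user mailboxes
# on its own corporate domain should reserve these as well.
RFC2142_NAMES = {"abuse", "noc", "security", "info", "marketing", "sales",
                 "support", "www", "ftp", "uucp", "usenet", "news"}

RESERVED_LOCAL_PARTS = CA_VALIDATION_NAMES | RFC2142_NAMES


def canonical_local_part(local: str) -> str:
    """Fold the tricks a registrant might use to get past a naive string
    comparison.  Assumption: the provider's delivery agent treats these forms
    as the same mailbox (case-insensitive, Gmail-style dot folding, '+' tags).
    If your MTA does not fold dots, drop that line rather than over-block."""
    local = unicodedata.normalize("NFKC", local.strip()).lower()  # ADMIN, fullwidth -> admin
    local = local.split("+", 1)[0]                                  # admin+x -> admin
    local = local.replace(".", "")                                  # ad.min -> admin
    return local


def is_reserved(local: str) -> bool:
    """True when the requested name would receive a CA's DV challenge or
    other role mail for the domain."""
    return canonical_local_part(local) in RESERVED_LOCAL_PARTS


def screen_signups(requested: list[str]) -> tuple[list[str], list[str]]:
    """Split sign-up requests into (accepted, rejected), preserving order."""
    accepted, rejected = [], []
    for name in requested:
        (rejected if is_reserved(name) else accepted).append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample sign-ups, including look-alikes a naive check misses.
    sample = ["alice.smith", "Admin", "host.master+cert", "ｗｅｂｍａｓｔｅｒ",
              "adminfan", "postmaster"]
    ok, blocked = screen_signups(sample)
    print("accepted:", ok)
    print("rejected:", blocked)
```

The check belongs at account creation, not at CA validation time: by the time the CA’s e-mail arrives the mailbox already exists, and the CA has no way to tell a legitimate hostmaster from a registrant who picked the name ten minutes ago.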

The ease in obtaining such certificates, and the difficulty in killing them off once they’re issued, are potent reminders of the continued insecurity of one of the Internet’s most important security mechanisms. Until browser makers declare this credential dead, people visiting any Windows Live domain should remain extra vigilant.

G-TechNote™: Google Officially Announces Android 5.1

It’s still Lollipop, but this update will improve stability and performance.

After prematurely launching an Android One site with tons of references to Android 5.1, Google has finally announced Android 5.1 via its official Android blog. It looks to be a minor update, with Google saying it “improves stability and performance” over 5.0.



The update isn’t all bugfixes though. Android 5.1 adds support for multiple SIM slots and HD voice. There’s also a new security feature called “Device Protection,” which will lock a lost or stolen device until the user signs in with their Google account; the lockout even survives a factory reset.

We’ll dive in as soon as we get a copy. Google has only said it is “rolling out” 5.1; the company didn’t say where. We’d imagine it will hit AOSP and Nexus devices soon.

G-TechNote™: HTTPS-Crippling “FREAK” Bug Affects Windows After All

Computers running all supported versions of Microsoft Windows are vulnerable to “FREAK,” a bug disclosed Monday that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between vulnerable end-users and millions of websites.

Microsoft confirmed the vulnerability in an advisory published Thursday. A vulnerability-scanning service at FREAKAttack.com, a site that offers information about the bug, confirmed the advisory, showing that the latest version of IE 11 running on a fully patched Windows 7 machine was susceptible. Previously, Windows had been believed to be immune to the attack.

FREAK attacks (the name is short for Factoring RSA Export Keys) are possible when an end-user with a vulnerable device connects to a vulnerable HTTPS-protected website. Vulnerable sites are those still configured to accept the 1990s-era “export-grade” RSA cipher suites, which many presumed had been retired long ago. In analyses immediately following Monday’s disclosure of FREAK, Android devices, iPhones and Macs from Apple, and smartphones from BlackBerry were believed to be susceptible. The addition of Windows dramatically increases the number of users known to be vulnerable.


Attackers who are in a position to monitor and tamper with traffic passing between vulnerable users and vulnerable servers can rewrite the client’s handshake so that the two parties negotiate an export-grade cipher suite, in which the server signs and sends a temporary 512-bit RSA key in place of its real one. A vulnerable client accepts that key even though it never asked for an export suite. The attacker then records the exchange and uses cloud-based computing from Amazon or other services to factor the 512-bit modulus, a process that requires about seven hours and $100. Because many servers generate that export key once and reuse it for the life of the process, the factored key is good for every later connection to the site, not just the one that was observed. From that point on, attackers on a coffee-shop hotspot, rogue employees working at an ISP, or nation-state-sponsored hackers can masquerade as the official HTTPS-protected website, a coup that allows them to read or even modify data as it passes between the site and the end-user.
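To make the downgrade concrete, here is an added example (not code from the FREAK researchers, any vendor, or the original article) that parses raw TLS ClientHello and ServerHello records and flags the two signatures of a FREAK attempt: the server selecting an export-grade suite at all, and the server selecting a suite the client never offered, which is what a monitor sitting next to the victim sees after the attacker has rewritten the ClientHello in transit. The handshake bytes are constructed inline by small helpers rather than captured; the cipher-suite identifiers are the export suites registered for SSL 3.0/TLS 1.0.

```python
"""Flag FREAK-style export-cipher downgrades in TLS handshake records.
Added example; the sample handshakes below are constructed, not captured."""
from __future__ import annotations

import struct

# Export-grade cipher suites from the IANA TLS registry (40-bit symmetric
# keys, 512-bit RSA/DH parameters).  A server selecting one is FREAK-exposed.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2


def _handshake_body(record: bytes, expected: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != expected:
        raise ValueError(f"expected handshake type {expected}, got {hs[0]}")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]


def client_hello_suites(record: bytes) -> list[int]:
    """Cipher suites offered by the client, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # protocol version + client random
    pos += 1 + body[pos]              # session id length + session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_handshake(client_record: bytes, server_record: bytes) -> list[str]:
    """Return alerts for a ClientHello/ServerHello pair (empty = looks sane)."""
    offered = client_hello_suites(client_record)
    chosen = server_hello_suite(server_record)
    alerts = []
    if chosen in EXPORT_SUITES:
        alerts.append(f"server selected export suite {EXPORT_SUITES[chosen]} (0x{chosen:04X})")
    if chosen not in offered:
        alerts.append(f"server selected 0x{chosen:04X}, never offered by client: "
                      "ClientHello was rewritten in transit")
    return alerts


# --- constructed handshake records (TLS 1.0 framing, empty session ids) ---
def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def make_client_hello(suites: list[int]) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    return _record(CLIENT_HELLO, body)


def make_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


if __name__ == "__main__":
    strong = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, 3DES-SHA
    print("normal:     ", check_handshake(make_client_hello(strong), make_server_hello(0x002F)))
    # Victim-side view: the client never offered an export suite, yet the server picked one.
    print("victim side:", check_handshake(make_client_hello(strong), make_server_hello(0x0003)))
    # Server-side view: the attacker's rewritten ClientHello offers only the export suite.
    print("server side:", check_handshake(make_client_hello([0x0003]), make_server_hello(0x0003)))
```

The two vantage points matter for detection: a sensor at the server only ever sees the attacker’s rewritten ClientHello, so it can fire only on the export suite being selected, while a sensor at the client also sees the mismatch between what was offered and what came back. A real deployment would feed the parser from a packet capture instead of the constructed records, and would also want to catch the ServerKeyExchange carrying the 512-bit RSA modulus, which this example does not parse.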

Meanwhile, Android and Apple devices

On Thursday, Google developers released an updated version of Chrome for Mac that refuses the 512-bit export RSA key, effectively closing the FREAK hole when OS X users are on the Google browser. At the time this post was being prepared, Chrome for Android remained vulnerable, and Google officials had yet to give a public estimate of when a fix would be available. Apple officials have said patches for OS X and iOS would be released next week. Microsoft’s advisory gave no estimate of when a patch would be available, either. In the interim, people on vulnerable devices should consider using Firefox, which over the past two days has consistently been labeled as safe by the FREAKAttack site.

In recent weeks, security researchers scanned more than 14 million HTTPS-protected websites and found that 36 percent of them still accepted the export RSA cipher suites, meaning they are vulnerable to the attack. As of Thursday morning, vulnerable sites included AmericanExpress.com, Groupon.com, Bloomberg.com, and many more. Microsoft’s advisory offers several work-arounds for more technically inclined readers, including removing the export suites from the SSL cipher suite order Windows uses, but some of them will prevent IE from connecting as expected to certain websites.

Despite the large number of sites and end-user devices known to be vulnerable, security professionals disagree about just how critical the threat posed by FREAK is. The case that the threat is low rests on the fact that an attacker must already sit on the network path between the victim and the site, which makes FREAK hard or impossible to carry out remotely or at scale, and on the fact that Google, Facebook, and most other large sites aren’t vulnerable. That perception is likely contributing to the slow pace of patches coming from Apple, Google, and Microsoft.

Other researchers say the severity is much higher. Besides the millions of websites and the vast number of end-user devices now known to be vulnerable, FREAK has existed for a decade, so it is possible that malicious attackers have known about and exploited it for years already.

West Virginia Network Partners with URcast to Expand Access to Learning Content for K-12 Students

Program gives students access to lessons in or outside the classroom without Internet connection

The West Virginia Network (WVNET), a branch of the West Virginia Higher Education Policy Commission, has partnered with URcast to provide K-12 students in classrooms across West Virginia access to learning content without an Internet connection.

URcast, a content distribution application customized for the K-12 classroom, provides caching services that allow students to view content without an Internet connection wherever they have a computer, tablet or smart phone. This is made possible by reallocating bandwidth and placing a caching server within the school.

“Caching speeds up student Internet access so classroom time is learning time, not waiting time,” said Paul Hill, the Commission’s Chancellor. “A faster speed of delivery can provide students with more personalized learning experiences and give teachers greater opportunities to engage their students on the lesson at hand.”

Mt. Vernon Elementary School in Barbour County is currently participating as a pilot school in the program. This rural school has seen early success with providing instructional materials, including books and videos, on students’ devices that they can access on the school bus and at home in the evenings, on weekends or on snow days without the Internet.

“Access to technology is an essential component of a world class education,” said West Virginia Superintendent of Schools Michael Martirano. “The partnership between WVNET and URcast will provide our staff and students with a valuable tool to help cross the digital divide and make learning exciting, relevant and meaningful. Having access to robust and engaging content at school, on the bus and at home will extend the learning environment to traditionally underserved areas.”

A video showcasing Mt. Vernon Elementary School’s success with the program:


WVNET is currently seeking additional pilot schools to participate in this project and bring new technology to their students. Interested schools can contact Booker Walton, Customer Resource Specialist at WVNET, at or 304-293-5192.

For more information, visit www.wvnet.edu/urcast.





Copyright MMVIII-MMXVIII The Gilmer Free Press. All Rights Reserved