Security Leftovers, Certificate Status Protocol (OCSP) Besieged by Let's Encrypt, and Windows TCO Tales
-
SANS ☛ New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273), (Tue, Jul 23rd)
In April, an OS command injection vulnerability in various D-Link NAS devices was made public [...]
-
Bruce Schneier ☛ 2017 ODNI Memo on Kaspersky Labs
It’s heavily redacted, but still interesting.
Many more ODNI documents here.
-
Federal News Network ☛ CISA executive director to depart after three years
Brandon Wales is the second senior leader to depart CISA in recent months. He led many of CISA's internal and external initiatives over the last three years.
-
Security Week ☛ Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress
Authorities in the UK infiltrated and disrupted the DDoS-for-hire service DigitalStress, and one suspect was arrested.
-
Dark Reading ☛ Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign
CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.
Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.
Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."
-
Confidentiality
-
Let's Encrypt ☛ Intent to End OCSP Service - Let's Encrypt
Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP. Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022.
Websites and people who visit them will not be affected by this change, but some non-browser software might be.
-
University of Toronto ☛ The Online Certificate Status Protocol (OCSP) is basically dead now
The (web) TLS news of the time interval is that Let's Encrypt intends to stop doing OCSP more or less as soon as Microsoft will let them. Microsoft matters because they are apparently the last remaining major group that requires Certificate Authorities to support OCSP in order for the CA's TLS root certificates to be supported. This is functionally the death declaration for OCSP, including OCSP stapling.
-
Monzo Bank Limited ☛ How we securely generate sensitive secrets
Secrets are everywhere. Whether it’s the private key that lets you authenticate with an SSH server, the credential that grants you powers in AWS, or the password for your Minecraft account, you need some way to securely generate and manage it.
We’ve talked before about how we store secrets and how we use them to delegate trust and confer sensitive privileges. In this post we’ll cover how we’re making use of AWS Nitro Enclaves to securely and verifiably perform sensitive operations (like generating secrets).
-
Windows TCO
-
Security Week ☛ 57,000 Patients Impacted by Michigan Medicine Data Breach
Potentially exposed information contained in some emails and attachments includes names, addresses, dates of birth, medical record numbers, diagnostic and treatment information, and health insurance information. Both patients and insurance guarantors were affected.
-
Tom's Hardware ☛ Patched Microsoft Defender flaw still being used to deliver information-stealing malware to vulnerable machines
Fortinet FortiGuard Labs observed the latest stealer campaign spreading multiple files that can sidestep Microsoft Defender’s SmartScreen to download malicious software to target computers. The security vulnerability was addressed in CVE-2024-21412.
-
Update
More in LWN:
-
Let's Encrypt plans to drop support for OCSP
Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:
We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.
People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.