
Cloud Providers compromise Domain Security

This just in via email from newsletter@feistyduck.com. More information is available here: https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811

Cloud provider vulnerability causes Let’s Encrypt to disable SNI domain validation

A major issue with some cloud providers allowed the unauthorized issuance of Let’s Encrypt certificates. Although the issue clearly lies with the cloud providers, Let’s Encrypt nevertheless has decided to disable the corresponding validation method.

Frans Rosén discovered that he could use the SNI validation method from the ACME protocol (https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/) to issue certificates for domains hosted on certain cloud providers. He explicitly mentions Heroku and Amazon CloudFront.

TL;DR: I was able to issue SSL certificates I was not supposed to be able to. AWS CloudFront and Heroku were among the affected. The issue was in the specification of ACME TLS-SNI-01 in combination with shared hosting providers. To be clear, Let’s Encrypt only followed the specification, they did nothing wrong here. Quite the opposite I would say.

The core of the issue is that these providers allow users to upload certificates that the system will serve automatically to TLS requests with the corresponding server name. The ACME SNI validation method uses temporary certificates that end with .acme.invalid.

After the issue was reported, Let’s Encrypt almost immediately disabled the TLS-SNI-01 validation method. Let’s Encrypt subsequently decided that, with a few exceptions, it will stay disabled. The newer TLS-SNI-02 method is vulnerable as well. A new TLS-SNI-03 method that considers this problem is being developed, but for the time being users should switch to either the HTTP or the DNS validation method.
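The newsletter's summary above leaves the provider-side fix implicit: a shared host that lets any tenant bind an arbitrary SNI name will happily serve a `.acme.invalid` challenge certificate for someone else's domain. The following is an added example, not code from Feisty Duck, Let's Encrypt, Heroku or CloudFront, of the name check a multi-tenant TLS front end would apply to every SAN in a customer-uploaded certificate before routing on it. The helper names, the sample SAN list and the exact reasons are my own; the `.acme.invalid` suffix is the one the text names, and the other blocked TLDs are the RFC 2606 reserved names.

```python
import re

# Suffix that ACME TLS-SNI-01/02 challenge certificates carry (named on the page).
ACME_VALIDATION_SUFFIX = "acme.invalid"

# RFC 2606 reserved top-level names; no customer can legitimately own a site there.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_hostname(name):
    """SNI comparison is case-insensitive; also drop a trailing dot."""
    return name.strip().lower().rstrip(".")


def rejection_reason(hostname):
    """Return None if a tenant may bind this SNI name, otherwise a short reason."""
    host = normalize_hostname(hostname)
    if not host:
        return "empty name"
    labels = host.split(".")
    if labels[0] == "*":
        labels = labels[1:]          # wildcard: vet the suffix it would cover
    if len(labels) < 2:
        return "single-label name"
    if any(not _LABEL.match(label) for label in labels):
        return "malformed label"
    bare = ".".join(labels)
    if bare == ACME_VALIDATION_SUFFIX or bare.endswith("." + ACME_VALIDATION_SUFFIX):
        return "ACME TLS-SNI validation name"
    if labels[-1] in RESERVED_TLDS:
        return "reserved TLD ." + labels[-1]
    return None


def vet_uploaded_sans(sans):
    """Split a certificate's SAN list into names the platform may route and names it must refuse."""
    accepted, rejected = [], {}
    for name in sans:
        reason = rejection_reason(name)
        if reason is None:
            accepted.append(normalize_hostname(name))
        else:
            rejected[name] = reason
    return accepted, rejected


# Constructed sample: the SAN list of a certificate a tenant tries to upload.
SAMPLE_UPLOAD_SANS = [
    "shop.customer-site.net",
    "*.customer-site.net",
    "0123abcd0123abcd0123abcd0123abcd.456789ef456789ef456789ef456789ef.acme.invalid",
    "host.internal.test",
]

if __name__ == "__main__":
    ok, bad = vet_uploaded_sans(SAMPLE_UPLOAD_SANS)
    print("accepted:", ok)
    for name, why in bad.items():
        print("rejected:", name, "->", why)
```

Refusing these names closes the specific hole the newsletter describes, but the more general rule is that a tenant should not be able to attach a certificate for any name without first proving control of it; that is also why the HTTP and DNS validation methods the text recommends are unaffected, since neither relies on who answers a TLS handshake for a made-up name.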


UI Cause of Hawaii Missile Scare

When salespeople started calling themselves “web designers”, web sites became little more than confusing, overpacked repositories for cartoon graphics: lots of color and little clarity. Clean, usable UI design is design where the human using the interface (hence User Interface) easily knows what to select.

No more than seven (7) actionable items should be on any screen (where the menu counts as one item). No menu should have more than seven (7) choices, and there should not be more than three (3) levels to any menu object. Choices should be logically arranged, following international norms and standards (in apps for years we have had File, Edit, View, … Help, but sadly there is still not enough cross-site predictability on web pages, even for menus ending with … About Us, Contact Us, Privacy Policy). “Artistic License” belongs on artistic entertainment web sites, not on business sites employees use to get work done.

From a recent solicitation email from Codecademy.com:

On an otherwise quiet Saturday morning, the State of Hawaii learned the hard way about the consequences of relying on a poorly designed user interface (UI).

An employee at Hawaii’s Emergency Management Agency triggered an emergency alert last Saturday indicating that a ballistic missile was about to hit the islands.

Your first impulse might be to blame the employee for creating this statewide false alarm. But in the discipline of User Interface Design, there is no such thing as user error. Well designed software should anticipate the needs of its users, provide clear warning messages when users are about to take drastic actions, and make errors easy to catch and reverse.

Take a look at the remarkably confusing UI that caused the error:

The employee accidentally clicked “PACOM (CDW) – STATE ONLY” instead of the similarly named option “DRILL-PACOM (DEMO) STATE ONLY”, creating massive panic until a follow-up message 40 minutes later revealed it was a mistake.

Codecademy.com offers their web site UI programming course description at https://www.codecademy.com/pro/intensive/build-website-uis for those who might be interested.


Meltdown attack targets Intel processors

For some reason I have felt the preference to buy AMD processors in all my builds for the last decade. I am not against Intel – I used Intel and Motorola processors from the 1970s onward. I do use liquid cooling and other aftermarket heat sink arrangements, which cause me to prefer the socket arrangements for AMD because I feel the AMD is more mechanically solid, but I could identify nothing really significant in my mind that caused this preference. Here is one more little nudge in the AMD direction.

From Information Week’s Dark Reading

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. “If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure,” the researchers wrote in an FAQ about the attacks. “Luckily, there are software patches against Meltdown,” referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown (with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.
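The quoted FAQ says the defence is a patched operating system, so the practical question for an admin is how to confirm that a given Linux host actually has the page-table isolation fix active. The following is an added example, not code from the Meltdown researchers, Dark Reading or any vendor: it reads the `/sys/devices/system/cpu/vulnerabilities/` directory that Linux kernels from 4.15 onward publish (one file per flaw, with a status line such as `Not affected`, `Mitigation: PTI` or `Vulnerable`) and turns it into a verdict. The sample entries are constructed so the logic can be checked on a machine that does not expose the directory.

```python
from pathlib import Path

# Directory Linux kernels 4.15 and later use to publish CPU-flaw status.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def read_cpu_vulnerabilities(directory=SYSFS_VULN_DIR):
    """Return {flaw_name: status_line}; empty dict if the kernel does not expose the directory."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(directory.iterdir()) if p.is_file()}


def classify(status_line):
    """Map one sysfs status line to a coarse verdict."""
    s = status_line.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation:"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"          # unrecognised wording: treat as needing a human look


def summarize(entries):
    """Group flaw names by verdict and list what still needs a patch or a config change."""
    verdicts = {name: classify(line) for name, line in entries.items()}
    return {
        "verdicts": verdicts,
        "needs_action": sorted(n for n, v in verdicts.items() if v in ("vulnerable", "unknown")),
        # A kernel too old to have a "meltdown" entry is also too old to carry the fix.
        "meltdown_reported": "meltdown" in entries,
    }


# Constructed sample of what a partially patched 2018-era Intel host might publish.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    live = read_cpu_vulnerabilities()
    source, entries = ("live sysfs", live) if live else ("constructed sample", SAMPLE_SYSFS)
    report = summarize(entries)
    print("source:", source)
    for name, verdict in report["verdicts"].items():
        print(f"  {name:12s} {verdict:13s} ({entries[name]})")
    print("needs action:", report["needs_action"] or "nothing")
    if not report["meltdown_reported"]:
        print("kernel does not report a meltdown entry; assume unpatched")
```

An absent directory should be read as bad news rather than as a clean bill of health: the kernel only started reporting these entries with the same releases that introduced the fix.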


Worst passwords of 2017

From an article on Tech Republic

“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” says Slain. “Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”

Here are the top 20 worst passwords of 2017:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master

Read more on Tech Republic at https://www.techrepublic.com/article/the-20-worst-passwords-of-2017-did-yours-make-the-list/
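Slain's point that “merely tweaking an easily guessable password does not make it secure” is the part a registration form usually gets wrong: a plain blocklist rejects `password` but waves through `Password1!` or `P@ssw0rd2018`. The following is an added example, not code from TechRepublic or from the list's publisher, that checks a candidate against the 20 entries above after undoing the usual tweaks (case, trailing digits and punctuation, and common letter-for-symbol substitutions). The substitution table and the helper names are my own choices.

```python
import string

# The 20 entries exactly as listed above.
WORST_PASSWORDS_2017 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "letmein",
    "1234567", "football", "iloveyou", "admin", "welcome", "monkey", "login",
    "abc123", "starwars", "123123", "dragon", "passw0rd", "master",
]

# Common symbol-for-letter substitutions people use to "tweak" a guessable word.
_UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
_PADDING = string.digits + string.punctuation


def _variants(candidate):
    """Yield progressively normalised forms of a password, most literal first."""
    lowered = candidate.lower()
    yield lowered
    trimmed = lowered.strip(_PADDING)      # drop "2018", "!", "123" glued on the ends
    yield trimmed
    yield lowered.translate(_UNLEET)
    yield trimmed.translate(_UNLEET)


def blocklisted_base(candidate, blocklist=WORST_PASSWORDS_2017):
    """Return the blocklist entry the candidate equals or is a trivial tweak of, or None."""
    entries = set(blocklist)
    for form in _variants(candidate):
        if form and form in entries:
            return form
    return None


def check_password(candidate):
    """Accept or reject with a reason a user could act on."""
    base = blocklisted_base(candidate)
    if base is None:
        return (True, "not a known weak password or a trivial tweak of one")
    if base == candidate.lower():
        return (False, "on the worst-passwords list")
    return (False, f"trivial tweak of '{base}' from the worst-passwords list")


if __name__ == "__main__":
    # Constructed candidates covering the raw list, tweaked forms and a passphrase.
    for candidate in ("123456", "Password1!", "P@ssw0rd2018", "Letmein2017!",
                      "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{candidate!r:34s} {'accept' if ok else 'reject'}: {why}")
```

In production the same normalisation would run against a far larger breached-password corpus rather than twenty entries, but the shape of the check is the same: compare the stripped forms, not just the literal string.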


Microsoft Office exploit

How to remove fingerprints from Windows 10

From Tech Republic today: A newly discovered Microsoft Office zero-day could put any machine with an Office install at risk. According to a blog post from cybersecurity company Sophos, the exploit can deliver remote access Trojans (RATs) without the need to run macros. There’s also not a guaranteed way to stop DDE attacks, since they rely on remote access to malicious code and therefore avoid a good portion of antivirus protections.

See the article on Tech Republic
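The article says antivirus has no guaranteed answer to DDE documents because no macro is involved; what a document like this does contain is a Word field whose instruction begins with `DDE` or `DDEAUTO`, and that is something a mail gateway or triage script can look for itself. The following is an added example, not code from TechRepublic, Sophos or Microsoft: it opens a `.docx` (a zip of XML parts), reassembles each field instruction from both the simple (`w:fldSimple`) and the complex (`w:fldChar` begin/end with `w:instrText` runs) field forms, and reports any that start with a DDE keyword. The two sample documents are constructed in memory, with a placeholder standing in for any real program name, and only the plain field form is covered.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# A field instruction starting with DDE or DDEAUTO asks Word to talk to another program.
_DDE_INSTR = re.compile(r"^\\?DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml):
    """Yield every field instruction in one WordprocessingML part, in document order."""
    root = ET.fromstring(part_xml)
    open_fields = []                        # stack of text buffers for nested complex fields
    for el in root.iter():
        if el.tag == W + "fldSimple":       # simple field: the instruction is an attribute
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":       # complex field: begin ... instrText ... end
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                yield "".join(open_fields.pop())
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")   # instruction may be split across runs


def find_dde_fields(docx_bytes):
    """Return [(part_name, instruction)] for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Headers, footers and footnotes live in word/ too, so scan every XML part there.
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(z.read(name)):
                    instr = instr.strip()
                    if _DDE_INSTR.match(instr):
                        hits.append((name, instr))
    return hits


def _docx_from_body(body_xml):
    """Build a minimal .docx in memory (constructed for this example, not a full Office package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    return buf.getvalue()


# Constructed sample 1: a complex field whose instruction is split across two runs.
SAMPLE_DDE_DOCX = _docx_from_body(
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"placeholder-application" "placeholder-argument"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>field result text</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)

# Constructed sample 2: an ordinary DATE field, which must not be flagged.
SAMPLE_CLEAN_DOCX = _docx_from_body(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    "<w:r><w:t>15 January 2018</w:t></w:r></w:fldSimple></w:p>"
)

if __name__ == "__main__":
    for label, doc in (("dde-sample", SAMPLE_DDE_DOCX), ("clean-sample", SAMPLE_CLEAN_DOCX)):
        print(label, find_dde_fields(doc) or "no DDE fields")
```

Reassembling the instruction from all `w:instrText` runs matters: Word is free to split one instruction across several runs, so a scanner that greps a single run for the whole keyword will miss some documents while this one does not.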