This past week a new bug has been discovered. It has been nicknamed the “Shellshock”. The bug is a glitch within bash in the Unix command shell. Basically, the command line will run a function but after the function is over it can continue to run code.
This is an issue that has gone unnoticed for almost 25 years. There are few issues. if a hacker get to your home computer, can simply run a function and some some malicious code and infect your system. However, if you are using a firewall it is not as big of a concern. Servers though are a little bit different. They are easier to infect since they aren’t protected by firewall and little complex to fix.
Good news is there are many patches already released since the discoverer, so fixing the bug will require a system update.
A few weeks ago, there were evidence that Home Depot had a security breach when credit cards were put up for sale on a black market website. This was already covered by this blog in this post. Since then, Home Depot has not only confirmed a breach, but that it had existed from April to September 2014. The release also tells that the malware was found in American and Canadian stores installed in the self-checkout machines, and have been removed from use. There were no signs of data breaches in normal checkout machines, Mexican stores, American or Canadian online websites. Despite card information being compromised, there were no signs that PIN numbers were recorded. Home Depot has also finished installing enhanced encryption in U.S stores on September 15 and Canadian stores are expected to be finished in early 2015. The breach was closed but after 56 million cards were affected. The malware used in this breach was reported to not have been seen in other attacks, however there are signs that this breach was done by the same group of hackers responsible for Target last year. According to Krebsonsecurity.com, the thieves were stealing card information up to five days after first signs of the breach on September 2nd. As of September 22, 2014, Home Depot holds the record for the largest retail card breach. Second place goes to TJX with 45.6 million cards and third place goes to Target with 40 million.
There is now a way from people to steal your ATM PIN code. All it takes is a add on to your phone. What this add on does is that it makes your camera on your phone inferred. This means that you can now see the heat signature’s of things through your camera. How this is a problem is that after someone types their PIN in a ATM if you walk up and take a picture of the keypad with this inferred camera you can see what keys they pressed before they left. You can also tell for the most part in what order the keys where pressed by how bright the color that is left. There is only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be rub you hand on the keypad after you are done putting in you PIN so that the heat of your hand would get on all of the keys making it impossible to know which ones you really used. There is a 80% accuracy if the image was taken right after the PIN was typed in. After 1 minute there is about a 50% of getting the PIN right. The case that has the infrared camera on it is only about 200$ and you can get it at any Apple store. Also this does not work on metal keypads because it reflects and dissipates the heat to fast. Rubber and plastic keypads work the best for retaining the heat signature.
On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm. This algorithm was designed almost a decade ago in 2005 and Google is now telling the world that it has not withstood the test of time. SHA-1 is currently used in SSL encrypted certificate signatures for HTTPS. This allows a website to encrypt your connection to the site and verify that the site you are connecting to is genuine.
In its statement, Google cites the ease and affordability of collision attacks against SHA-1 for the decision to phase out the algorithm. Basically, this means that Google is worried that nefarious individuals will engineer certificates that produce the same SHA-1 hash as the legitimate HTTPS certificates. This would allow these individuals to pose as a legitimate site, such as facebook.com, in order to scam, phish, or infect users.
How will this problem be fixed? In the short term, Google will soon be changing the visual security indicator for HTTPS in Chrome to alert users of the issue. Additionally, Google is looking towards the successor of SHA-1, SHA-2, to replace the outdated cryptographic hash algorithm. SHA-2 provides substantially more security and is supported by nearly every current operating system and browser. Google also is not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.
In China they have many large websites / search engines blocked for the use of their citizens such as Google. But seeing the value that Google presents the Government set up a nation wide system called CERNET (Chinese Education and Research Network) to allow students, teachers and researchers to access the resources Google can provide. In recent weeks students and teachers that use CERNET have reported that their searches have returned with errors such as “Invalid SSL certification”. The company in charge of CERNET’s security is called GreatFire. After they had shared their findings with another security based software company named Netresec, they concluded that these attacks are similar if not identical to the Man in the Middle attacks the Chinese government used on GitHub (A developer site) last winter. Upon looking into the mater with more detail they have found that the Chinese government was using these “MitM” attacks to get into the CERNET system and block “Harmful” search inquires.