Symantec tricked into revoking SSL certs with fake keys

Hanno Böck. Journo tests legitimacy processes.

A bogus private digital key was sufficient to fool security vendor Symantec into revoking a transport layer security (TLS) certificate for a domain, a researcher has discovered.

German freelance infosec journalist Hanno Böck set out to test if certificate authorities like Comodo and Symantec have rigorous processes in place to check the legitimacy of private keys for digital certificates.

Certificate authorities are expected to revoke TLS credentials if the private keys have been compromised; Böck said certificate issuers should cryptographically check that the private key in question belongs to the purported TLS credential.
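The check the article says an issuer should perform, written out as an added example (not code from the article, from Böck, or from any certificate authority). It assumes the third-party `cryptography` package is installed; the certificate, the genuine key and the bogus key are all generated locally for a constructed test domain, so nothing here contacts a CA. A submitted private key is accepted as "belonging" to a certificate only if its public half matches the certificate's public key and a signature made with it verifies under that key.

```python
"""Verify that a reported 'compromised' private key really belongs to a certificate.

Added example, not code from the article or from any CA. It uses the
third-party `cryptography` package (assumption: it is installed). The
certificate, the genuine key and the bogus key are all generated locally for
a constructed test domain; nothing here contacts a certificate authority.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

CHALLENGE = b"constructed challenge used to prove possession of the private key"


def make_self_signed_cert(domain: str, key: rsa.RSAPrivateKey) -> bytes:
    """Build a minimal self-signed certificate (PEM) standing in for a CA-issued one."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def private_key_pem(key: rsa.RSAPrivateKey) -> bytes:
    """Serialise a private key the way it would arrive in a compromise report."""
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )


def key_matches_certificate(cert_pem: bytes, key_pem: bytes) -> bool:
    """Return True only if key_pem is the private half of the key in cert_pem.

    A report that merely *looks* like a PEM private key must not trigger
    revocation. Two checks are made: the public key derived from the submitted
    private key must be identical to the certificate's public key, and a
    signature produced with the submitted key must verify under the
    certificate's key (proof of possession).
    """
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        key = serialization.load_pem_private_key(key_pem, password=None)
    except (ValueError, TypeError):
        return False  # not a parseable, unencrypted private key at all
    cert_pub = cert.public_key()
    if not isinstance(key, rsa.RSAPrivateKey) or not isinstance(cert_pub, rsa.RSAPublicKey):
        return False  # this example only handles RSA
    if key.public_key().public_numbers() != cert_pub.public_numbers():
        return False  # modulus/exponent differ: the key belongs to some other certificate
    signature = key.sign(CHALLENGE, padding.PKCS1v15(), hashes.SHA256())
    try:
        cert_pub.verify(signature, CHALLENGE, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def demo(domain: str = "test-domain.example") -> tuple:
    """Recreate the experiment: a genuine key and an unrelated 'fake' key for the same cert."""
    genuine = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert_pem = make_self_signed_cert(domain, genuine)
    bogus = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        key_matches_certificate(cert_pem, private_key_pem(genuine)),
        key_matches_certificate(cert_pem, private_key_pem(bogus)),
    )


if __name__ == "__main__":
    real_ok, bogus_ok = demo()
    print("genuine key accepted:", real_ok)
    print("bogus key accepted:  ", bogus_ok)
```

The public-number comparison alone is enough to reject an unrelated key; the signature step additionally guards against a submission that is syntactically a private key for the right modulus but whose private exponent is garbage, which is exactly the kind of "fake key" a revocation desk should not act on.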

Böck registered two test domains with his identity hidden, and obtained TLS certificates via Symantec’s RapidSSL brand as well as Comodo.

He then created fake private keys for both domains, uploaded them to the Pastebin website, and reported to Comodo and Symantec that the keys had been compromised.

Where Comodo spotted that the key for the domain certificate was fake, Symantec accepted the one in Böck’s report and revoked the certificate.

“No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other people’s certificates,” he wrote.

“Very likely Symantec would have revoked them as well, causing downtimes for those sites. I even could’ve easily created a fake key belonging to Symantec’s own certificates.”

He also noted that Symantec didn’t tell the domain owner the certificate was revoked because of a key compromise, potentially leaving administrators unable to figure out why the credential had been pulled.

Böck said there was no excuse for Symantec’s approach.

“It indicates that they

View the Original article

Microsoft rolls out cloud-based fuzzing tool

“Project Springfield” comes alive.

Microsoft has released a software bug finding tool that the company says will help developers identify flaws and vulnerabilities before software under development is released.

Code-named “Project Springfield”, the tool was announced as a preview in September last year.

It performs what is known as fuzzing, which involves entering large amounts of random data into a software system to see if this causes unexpected behaviour or crashes that can be exploited for attacks.
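To make the description concrete, here is a minimal mutation fuzzer as an added example; it is not Microsoft's tool and not code from the article. Both the target parser (which trusts an untrusted type byte and indexes past a handler table) and the seed input are constructed for illustration.

```python
"""Minimal mutation fuzzer run against a deliberately fragile parser.

Added example, not Microsoft's tool or code from the article. Both the target
parser and the seed input are constructed for illustration.
"""
import random

# Constructed target: a stream of records, each [type byte][length byte][body].
# Eight handlers exist, but the parser never checks that rec_type is < 8,
# so a mutated type byte makes it index past the handler table (IndexError).
HANDLERS = [lambda body, t=t: f"type{t}:{body.hex()}" for t in range(8)]


def parse_records(data: bytes) -> list:
    out = []
    i = 0
    while i + 2 <= len(data):
        rec_type, length = data[i], data[i + 1]
        body = data[i + 2 : i + 2 + length]
        out.append(HANDLERS[rec_type](body))  # bug: rec_type is trusted
        i += 2 + length
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one to four randomly chosen bytes of the seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Feed mutated inputs to target; return (input, exception name) for each crash."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except Exception as exc:  # any unhandled exception counts as a crash
            crashes.append((case, type(exc).__name__))
    return crashes


SEED_INPUT = bytes([1, 3]) + b"abc" + bytes([5, 2]) + b"xy"  # two valid records


def run(iterations: int = 2000) -> dict:
    """Map each exception type the fuzzer triggered to one input that caused it."""
    summary = {}
    for case, name in fuzz(parse_records, SEED_INPUT, iterations):
        summary.setdefault(name, case)
    return summary


if __name__ == "__main__":
    print("seed parses to:", parse_records(SEED_INPUT))
    for name, case in run().items():
        print(f"{name}: {case!r}")
```

Real fuzzers differ in degree rather than kind: coverage feedback chooses which mutated inputs to keep as new seeds, and sanitizers turn silent memory errors in native code into detectable crashes, but the loop above (mutate, execute, record anything unexpected) is the core of the technique the article describes.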

Microsoft said companies would usually hire security experts to conduct fuzz testing, if they did it at all.

“As the sheer volume of software that companies create and use has increased, it’s gotten harder to keep up with the dizzying pace of testing so much software – but more important than ever to keep systems safe from attackers,” the company said.

Microsoft’s Security Risk Detection (MSRD) tool uses artificial intelligence to automate the reasoning process that security experts use to find bugs, and augments this with cloud-based scaling.

MSRD lets developers test their software in a virtual machine, along with a program that runs through different fuzzing scenarios, to find potential bugs. Results are accessible via a web-based portal.

The new tool has its origin in Microsoft’s Scalable, Automated, Guided Execution (SAGE) whitebox fuzzer, which the company has used since the mid-2000s to test several products including Windows 7 prior to release.

A preview of MSRD for Linux is also available for coders who program across multiple platforms.


Sweden exposed sensitive data on citizens, military personnel

Sent unredacted drivers licence database to marketers.

Swedish authorities are battling to contain a major privacy breach that has seen sensitive information on its citizens and the country’s military leaked to companies and individuals outside the Nordic nation.

In 2015 the Swedish Transport Authority hired IBM to move the country’s drivers licence register to the cloud. IBM in turn used subcontractors in the Czech Republic and Romania.

These contractors were given access to the full dataset from the Transport Authority, which included information like photographs and home addresses on Swedish Air Force and special forces personnel.

The overseas contractors did not have security clearance to view such sensitive information, which also included road and bridge weight capacities and whether a vehicle is armoured, Sweden’s national TV broadcaster SvT reported.

People in witness protection programs were also included in the drivers licence data.

Rather than making available a redacted version of the database, the Swedish Transport Authority instead sent out clear text emails to the companies asking them to manually delete the sensitive information they held.

The email messages listed the full details of the individuals the government agency wanted removed.

While the data breach took place in March last year when the unredacted information was made available, the scandal has only now come into the public eye.

Sweden’s government knew about the data breach last year but kept quiet about it, according to SvT.

The general-director of the Swedish Transport Authority, Maria Ågren, resigned from her position in January this year.

Her resignation was originally attributed to differences with the government, but in July this year, Ågren was fined SEK 70,000 (A$10,740) for leaking classified information and harming national security.

Speaking to Swedish media, the newly appointed general-director of the country’s Transport Authority, Jonas Bjelfvenstam, said the government agency has embarked on a set of measures to improve its IT security, but cannot guarantee that foreigners without security clearance won’t have access to the sensitive data in the drivers licence database.


G Suite customers leak internal data via Groups

Tick-a-box configuration mistake.

A simple configuration mistake has seen hundreds of companies using Google’s G Suite productivity platform publish internal information to the internet, researchers have found.

G Suite provides the Google Groups sharing and messaging service, which was originally designed as a gateway to Usenet newsgroups.

In an advisory


Kaspersky offers free anti-virus software

Looks for security data to power its machine learning.

Kaspersky is rolling out a free version of its anti-virus software across the globe, a product launch that comes amid mounting suspicion in the United States that the firm is vulnerable to Russian government influence.

Kaspersky Free was immediately available in the United States, Canada, and several Asia Pacific countries and would launch in other regions in the coming months, Eugene Kaspersky, the company founder, wrote in a blog post.

Kaspersky said the free version was not intended to replace the paid versions of its anti-virus software, describing it as offering “the bare essentials,” such as email and web anti-virus protection and automatic updates.

But the free software would benefit all of Kaspersky Lab’s customers by improving machine learning across its products, he said.

The company has been working on Kaspersky Free for 18 months, a development phase that included pilot versions in several markets including Russia, Ukraine, China and Scandinavian countries.

Founded in 1997, Kaspersky Lab grew rapidly through the 2000s to become one of the world’s leading anti-virus software companies. 

But the company has faced suspicion for years about its ties to Russia’s Federal Security Service or FSB.

Concerns about the company have metastasised in the United States in recent years due to the deterioration in US-Russia relations following Russia’s invasion of Crimea in 2014 and later when US intelligence agencies concluded that Russia had hacked the 2016 US presidential election.

Moscow denies the hacking allegations, and Kaspersky has repeatedly denied it has any untoward relationship with any government, saying the accusations against it lack evidence.

Last month FBI agents visited the homes of Kaspersky employees as part of a counterintelligence probe, and the Trump administration took steps to remove the company from a list of approved vendors who sell technology products to federal government agencies.

There is also a bill in US congress that would explicitly prohibit the US Department of Defense from using Kaspersky products.

Privately held Kaspersky said its US revenue, most of which comes from selling anti-virus software to consumers and small businesses, slipped from US$164 million in 2014 to about US$156 million in 2016.


Equinix to fit out remaining part of SY4 data centre

Stumps up $55 million.

Equinix will invest US$42 million (A$54.7 million) into the phase two expansion of its SY4 data centre in Sydney’s south.

SY4, which is located in the suburb of Alexandria, was announced back in April 2015. The build-out was split into two stages, each with a capacity of 1500 cabinets.

The company officially brought the first 1500 cabinets online in August last year when it opened the facility, at a cost of US$97 million.

Now it has announced plans to deploy the remaining 1500 cabinets in the space, bringing the total capacity up to that which it had initially planned for – 3000 cabinets and around 12,500 square metres of usable floor space.

The operator said demand for cloud services continued to be a driver for expansion.

Equinix – like others in the space – has established itself as a major point of interconnection between third-party clouds and an enterprise’s own systems.

The company’s Australian managing director Jeremy Deutsch said it supported “more than 100 local and multinational companies in SY4.”

He said the commitment to fit out the remaining portion of the building would enable more organisations to gain “direct, private access to the leading cloud providers, as well as many specific cloud services” as part of hybrid cloud strategies.

The investment comes as Equinix continues to dominate data centre rankings published by Cloudscene, a data centre directory business owned by entrepreneur Bevan Slattery.

Equinix was ranked as the top operator across all four geographies tracked by Cloudscene, which covers North America, EMEA, Asia and Oceania, the latter of which encompasses Australia.


Govt to review Australian space sector

Meet the academic and industry leaders overseeing the process.

The government is set to review Australia’s space industry with a view to creating a strategy to support its growth over the course of the next decade.

The capability review will be led by an expert review group chaired by former CSIRO chief executive Dr Megan Clark.

Also advising the review will be:

UNSW Canberra’s chair for space engineering Professor Russell Boyce, who is spearheading a $10m push to “fly affordable, responsible in-orbit missions” using cubesats to test and develop “innovative new technologies for spacecraft”. The uni went to market for seven engineers earlier this year and claims to have “the largest space capability in Australia.”

Michael Davis, who chairs the Space Industry Association of Australia (SIAA). His organisation expressed disappointment earlier this year when the federal budget saw no money allocated to a civil space program for Australia – something the SIAA has been pressing for, particularly as Australia grows its credentials as a hub for cubesat development. “The SIAA appreciates that its proposals constitute a rethinking of the governmental structures required for the administration and oversight of a permanent national space program,” the SIAA said. “We will continue to advocate for the establishment of an internationally recognised national space agency as a fundamental first step in a strategy to build on our scientific and industrial capabilities.”

Dr David Williams, who is presently a CSIRO director with executive oversight of areas including astronomy and space science, the Australian Telescope National Facility, and Data61. He was previously chief executive of the United Kingdom Space Agency.

Dr Stuart Minchin, who heads environmental geoscience at Geoscience Australia and has a strong interest in Earth observation and monitoring.

Professor Steven Freeland, who is dean of the school of law at Western Sydney University and has a strong background in space law and policy development.

Professor Anna Moore, who is the director of ANU’s advanced instrumentation and technology centre (AITC). She has built major instruments used in observatories worldwide, including in Australia, Japan and the United States.

Dr Jason Held, who is the director and founder of Saber Astronautics, which has operations in Sydney. He was previously a US Army major and Army space support team leader for USSTRATCOM (formerly Space Command), and has worked on major projects including the Hubble space telescope. He’s also the founder of the Delta-V space accelerator which supports aerospace start-ups in Sydney.

Flavia Tata Nardini, co-founder and CEO of Adelaide’s Fleet Space Technologies. Last month she wrote an open letter to the government asking for a “dedicated Australian space agency”. She began her career at the European Space Agency as a propulsion test engineer.

The review will begin this month and is expected to be completed by the end of March 2018. It is expected to consult with “key stakeholders and state jurisdictions”, among others.

Minister for Industry, Innovation and Science, Arthur Sinodinos, said the review “will lead to a national strategy for the space sector that reflects both our developing strengths and national interests over the next decade”.

“Ensuring that the right strategic framework is in place to support the growth of Australia’s space industry will be core to the review process,” he said in a statement.

“The Australian government wants to ensure the right framework and mix of incentives are in place to assist Australia’s growing space industry sector to participate successfully in this global market.”


NextDC looks to take back data centre building ownership

Launches takeover for real estate trust.

NextDC has launched a bid to buy back the property group it set up in late 2012 to own the land and buildings used for its first three data centres.

The company has been trying to fend off an investment firm’s efforts to take over Asia Pacific Data Centre Group, whose sole assets are buildings housing NextDC’s Sydney1, Melbourne1 and Perth1 data centres.

NextDC created APDC in December 2012 and listed the $207 million property trust early in 2013. The data centre operator then took long-term leases on the buildings, ensuring APDC could promise investors an “attractive yield” from a “single landlord and tenant arrangement”.

APDC was essentially an exercise in capital recycling for NextDC, a way of raising money that could be re-invested in data centre fitout and expansion. NextDC sold down its majority stake in APDC later in 2013.

In May this year, 360 Capital Group took a 19.8 percent stake in APDC at a cost of $35.8 million, making it the largest single security holder. It has since made a conditional offer to buy out the rest of the company.

NextDC countered last week by taking back a 14.1 percent stake in APDC for $29 million, and has now launched its own conditional offer to take over the data centre trust.

The company said it would offer $1.85 per security, funded entirely from its cash reserves.

“In 2015, we advised the market of our change in strategy to own more of our data centre properties over the longer term when we announced that NextDC would proceed to develop and own the new data centres for Brisbane (B2) and Melbourne (M2),” NextDC CEO Craig Scroggie said in a market filing.

Scroggie said that taking over APDC – and therefore the ownership of its earlier data centres – represented a “low risk acquisition” for the company.

The battle over APDC has become increasingly hostile as NextDC and 360 Capital Group traded accusations.

Financial analysts reacted positively to news that NextDC would launch a bid for APDC.
