2019-07-03
Security: OpenPGP, Cisco, Windows, Magento, Georgia and China
Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem
Last week, contributors to the PGP protocol GnuPG noticed that someone was “poisoning” or “flooding” their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.
It’s unclear who’s behind these attacks, but the targets are Robert J. Hansen and Daniel Kahn Gillmor, both OpenPGP protocol developers.
“We've known for a decade this attack is possible. It's now here and it's devastating,” Hansen wrote in his attack post-mortem.
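The flooding described above works because a certificate can carry an unbounded number of third-party certifications, and the client chokes on them at import time. As an added example (not code from GnuPG or from the article), this Python script walks the raw OpenPGP packet stream of a binary keyring and flags any certificate whose signature-packet count exceeds a locally chosen limit, so a poisoned key can be rejected before it reaches `gpg --import`; the keyring bytes and the 1000-signature limit are constructed assumptions.

```python
TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13             # RFC 4880 packet tags

def parse_packets(blob: bytes):
    """Yield (tag, body) for every packet, handling old- and new-format headers."""
    i, n = 0, len(blob)
    while i < n:
        hdr = blob[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                  # new-format header
            tag, b1 = hdr & 0x3F, blob[i]; i += 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length = ((b1 - 192) << 8) + blob[i] + 192; i += 1
            elif b1 == 255:
                length = int.from_bytes(blob[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i:i + size], "big"); i += size
        yield tag, blob[i:i + length]
        i += length

def signature_counts(blob: bytes) -> list:
    """Number of signature packets attached to each certificate in the blob."""
    counts = []
    for tag, _ in parse_packets(blob):
        if tag == TAG_PUBKEY:                           # a new certificate starts here
            counts.append(0)
        elif tag == TAG_SIG and counts:
            counts[-1] += 1
    return counts

def flooded(blob: bytes, limit: int = 1000) -> list:   # `limit` is an assumed local policy
    return [c > limit for c in signature_counts(blob)]

def packet(tag: int, body: bytes) -> bytes:             # constructed input: new-format header
    n = len(body)
    hdr = [n] if n < 192 else [192 + ((n - 192) >> 8), (n - 192) & 0xFF]   # 1- or 2-octet length
    return bytes([0xC0 | tag] + hdr) + body

def cert(uid: bytes, sigs: int) -> bytes:                # constructed certificate: key, user ID, N signatures
    return packet(TAG_PUBKEY, b"\x04" + b"k" * 40) + packet(TAG_UID, uid) + packet(TAG_SIG, b"s" * 200) * sigs

KEYRING = cert(b"alice@example.test", 3) + cert(b"bob@example.test", 1500)  # constructed: normal, then flooded
```

Feed it the output of `gpg --export <keyid>` to check a certificate before importing it into a live keyring.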
Certificates Issued to Huawei Subsidiary Found in Cisco Switches
Researchers noticed that the firmware for some Cisco switches contains X.509 certificates and associated private keys issued to a US-based subsidiary of Huawei. An investigation by the networking giant revealed that it was an oversight related to the use of an open-source third-party component.
[...]
In an informational advisory published on Wednesday, Cisco says its FindIT development team uses OpenDaylight for testing purposes and the certificates should not have been included in production firmware.
St John Ambulance becomes latest casualty of a ransomware attack
Though it's "confident" that data has not been shared outside St John Ambulance, it fessed up that the data of everyone who has opened an account, booked or attended a training course until February 2019 was affected.
This data includes names, courses, contact details, costs, invoicing details and, in some cases, driving licence data. No passwords or credit card details were taken, and no records have been doctored.
Magento Patches Flaws Leading to Site Takeover
Because at one point in the sanitization process sanitized links are injected back into the string via vsprintf(), an additional double quote is injected into the tag, which allows for an attribute injection.
“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.
Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.
Server image mystery in Georgia election security case
The FBI data could reveal whether [attackers] tampered with elections in Georgia because the server in question had a gaping security hole that went unpatched for more than six months before being publicly exposed. Data on the server included passwords used by county officials to access elections management files.
Technicians at the Center for Elections Systems at Kennesaw State University, which then ran the state’s election system, erased the server’s data on July 7, 2017, less than a week after the voting integrity suit was filed. After the AP reported on it three months later, Kemp denied ordering the data destruction or knowing about it in advance and called it reckless, inexcusable and inept.
But the FBI had a forensic backup, which it made in March 2017 when it investigated the security hole. The FBI has not responded to repeated requests by the AP to confirm that it continues to possess the data. FBI Atlanta spokeswoman Jenna Sellitto wouldn’t say whether the FBI has examined the data on that image to determine whether any tampering or other malicious activity occurred.
Georgia Failed to Subpoena Image of Wiped Elections Server
Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.
"If they have destroyed records then it can be presumed that those records would have shown our allegations to be true," Marks said.
Neither the Secretary of State's office nor an attorney representing it in the case, Josh Belinfante, would say why the subpoena was never filed. Nor would they say whether they had obtained the data through other means for secure safekeeping. The FBI in Atlanta also wouldn't say whether it has provided the state with a copy.
Antivirus firms start flagging spyware installed by Chinese border control
It recently came to light that the border control authority in China's Xinjiang region was installing surveillance software on the phones of tourists without their knowledge or consent. The software apparently kept an eye out for terms that related to Islamic extremism and literature by the Dalai Lama.
