You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.
There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.
There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use SHA1 encryption. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.
Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.
A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x -based site is strongly advised to install the patched version (3.4.5) as soon as possible.
It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.
Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.
Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.
Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.
The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.
Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.
A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.
The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.
Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.
87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.
New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.
A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.