RC4’s Dead and White House On Security
Last week, I was in the UK attending a WatchGuard Partner conference, and as a result I only shot two videos and skipped my weekly summary. Nonetheless, there was still plenty of interesting information security (infosec) news, which I don’t want you to miss. So to make up for it, let me quickly share three infosec stories I would have covered if I had had more time:
- Lots of The Hacking Team breach updates: Through the week, we learned a lot more about The Hacking Team organization from the 400GBs of data made public by their network breach. For instance, they had more zero day exploits that first suspected; They leveraged BGP flaws to launch man-in-the-middle attacks, and they worked with both the FBI and DEA to snoop out TOR users. If you’re following this infosec drama, Wikileaks has made all The Hacking Team’s stolen email public. Check out the links below to learn the latest Hacking Team gossip.
- The White House brags about cybersecurity: Last week, the White House released a CyberSecurity Fact Sheet detailing everything the US government has done this year to improve the nation’s cybersecurity stance. Highlights include creating a new office in charge of the problem, and encouraging the government and private industry to share threat intelligence. Check out the references if you’d like more details.
- RC4 gets another nail in its coffin: RC4 is a very popular hashing algorithm we’ve used for decades. Unfortunately, over the years it has been proven weak due to many vulnerabilities in this old function. Most security experts already consider RC4 dead, that said, new research [PDF] has proven RC4 even weaker. Without going into the details, this new discovery mean bad guys can break RC4 in days instead of months. If you are using RC4, it’s time to move on.
Those are the stories I missed, but the week included many others. If you are interested in all of them, feel free to peruse the Reference section below. I’ll get back to my regularly scheduled videos this week.
References:
- Hacking Team Updates
- Wikileaks posts The Hacking Team’s email – Engadget
- FBI worked with The Hacking Team to snoop on TOR – ZDNet
- The Hacking Team thinks they are the “good guys” – Engadget
- The Hacking Team exploits BGP in MitM attacks – Ars Technica
- Hacking Team sat on three Flash 0days – Computer World
- Hacking Team breach suspects include ex-employees – Reuters
- The DEA cancels The Hacking Team contract – Motherboard
- The FBI also had a The Hacking Team contract – Motherboard
- The White House details its 2015 cybersecurity efforts – IT Pro Portal
- The actual 2015 cybersecurity Fact Sheet – WhiteHouse.gov
- RC4 was broken, but this is the nail in the coffin – Ars Technica
- Scientific paper on new RC4 weakness [PDF] – RC4NoMore
- Harvard University got hacked – The Register
- Epic Games forums hacked and credentials stolen – Kotaku
- Hackers target Bitstamp to steal Bitcoin – Business Insider
- POS malware targeting Trump hotels? – Computer World
- TeslaCrypt gaming malware gets worse – Business Insider
- One anonymizing router project disappears, another pops up – Business Insider
- HackNet: An upcoming new game/hacking simulator – Motherboard
- PawnStorm attackers leveraging a patched Java 0day – Trend Micro
- MalwareBytes releases a free Mac version of their software – MalwareBytes
- Facebook execs say kill Flash – ZDNet
- Voat (a site similar to Reddit) hit by DDoS – Business Insider
- Chinese government can shut down citizen’s Internet – The Register
- Apparently Subway makes a pretty secure mobile app – The Register
- White hats score 1M miles with United bug bounty program – CBC
- UCLA Health breach affects 4.5M patients – The Register
- The FBI exploits Drive-by downloads to catch criminals – Motherboard