
Infosec in 2018: A year of fail

Richi Jennings, Industry analyst and editor, RJAssociates

Farewell, 2018—we hardly knew you.

Except the outgoing year was chock-full of infosec FAIL. Not a single week went by without matériel for your humble blogwatcher’s battle against security stupidity.

Here are 12 of the most popular, as voted by your clicks. In this week’s Security Blogwatch, we look back on each month of foolishness.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nice Shoes


January sums it up

Of course, Intel and AMD kicked off the year in fine style—Spectre and Meltdown: CPU bugs put a scare in the air:

Spooked yet?

Meltdown and Spectre: With all the screaming hype about this pair of CPU bugs, you’d be forgiven for thinking the sky is falling. But it might even be worse than you thought.

For starters, patching all your PCs might be incredibly hard. Second, we’ll probably see more vulnerabilities in the Intel Instruction Set Architecture (ISA). And third, it’s entirely possible that hackers have been secretly exploiting these problems for years.

So hold on to your hats. In … Security Blogwatch, we overheat some ghosts.

Don’t expect things to get better in 2018. This could be the tip of an extremely cold iceberg.

February

Way back in February, your humble blogwatcher wos carful too aviod tyops—Grammarly leaks everything you've ever typed in the service. Everything:

Grammarly, the grammar-checking service, had an enormous hole in its browser extension.

Tavis Ormandy discovered that any webpage could easily hijack your session and steal all the information in your Grammarly account. And that includes absolutely everything you've typed into the service.

It's a jarring reminder that most browser extensions can capture this sort of sensitive data. In … Security Blogwatch, we wonder if we can trust any of them.

If you offer a browser extension, be careful not to leak sensitive info. And if you’re an IT shop, consider restricting browser extensions by policy.


March

iPhone-wielding perps were warned in March—GrayKey adds to iPhone-unlock arsenal. How strong are your PINs?

Law enforcement has a new option for unlocking a suspect’s iPhone. An American startup called Grayshift is offering a service it’s calling GrayKey.

It joins Cellebrite, a similar service, out of Israel, revealed last week. But Grayshift is at least homegrown and is thought to employ one Braden Thomas, an ex-Apple security engineer.

Except Thomas left Apple more than five years ago, so I’m not sure exactly how relevant his past employment is. In … Security Blogwatch, we dump our NAND.

If Grayshift and Cellebrite can, so can hackers. Make sure your users have strong PINs.

April

April evoked hair bands—WebAuthn/CTAP: Final countdown for passwords? Don't count on it:

Conspiring against the password.

Passwords must die. On that we’re all agreed. Amirite?

FIDO and W3C want to set the standard for 21st-century authentication. They seek to do away with phishing, credential breaches, and MITM attacks. And the major browsers seem to be playing along.

But is anyone experiencing déjà vu here? In … Security Blogwatch, we’ve heard it all before.

While previous attempts failed, this looks like one to watch. But be cautious of dancing on the bleeding edge, because this might not be the panacea it appears to be.

May

May may have overblown its warning—EFF has egg on face over PGP-S/MIME "EFAIL" hyperbole:

Pretty Ghastly Privacy; Stupid/MIME.

The Electronic Frontier Foundation is under fire this week, accused of over-hyping “EFAIL”—a set of vulnerabilities in email encryption tools based on PGP, GPG and S/MIME.

Stop using it, says the EFF. But critics are calling the warnings “overblown,” “disproportionate,” “irresponsible,” “a private vendetta,” and “an epic fail.”

What a palaver. In … Security Blogwatch, we wonder who was still using PGP and S/MIME, anyway.

What other ancient software layers do you rely on? And to the security researchers: Enough with the hyperbole, already.

June

Flaming June burned your budget—WPA3 lands with whopping Wi-Fi security update. What's your upgrade path?:

WPA3 FTW.

This week, the team behind Wi-Fi—the people who insist the name is hy-phen-a-ted—have started certifying products supporting WPA3.

It’s more secure, less hackable, and will even protect the open network at your local coffee shop. Those, at least, are the claims of the Wi-Fi Alliance.

Yep, it’s time to buy all new equipment again.

Better start planning for new network kit. Or if you’re choosing equipment right now, get vendors' assurances for a WPA3 upgrade path.

July

In July, wither democracy? Voting back door reveals risks of dev/sec/ops fiefdoms:

ES&S spills to Senate.

The biggest voting-machine vendor in the US admits some of its machines were remotely controllable. Wait, what?

ES&S’s election-management systems sold between 2000 and 2006 might have secretly contained a copy of pcAnywhere, a buggy remote-control app. This is fine.

So a back door, essentially. In … Security Blogwatch, we hang our chads in shame.

This is what happens when you don’t centralize or at least coordinate Dev, Ops, Security, etc.

August

August brought an august wrinkle—WPA2 hack allows Wi-Fi password crack much faster:

PMKID vuln in PSK nets.

Wi-Fi encryption developed yet another chink in its armor this week. It’s now much easier to grab the hashed key.

So a hacker can capture a ton of WPA2 traffic, take it away, and decrypt it offline.

WPA3 can’t come soon enough. In … Security Blogwatch, we’re in your GPUs, hashing your cats.

WPA2 Personal considered harmful, but the sky’s not falling (yet).

September

In September, we celebrated shifting browser shares—Chrome at 10: Google reshapes web security, now wants to 'kill' the URL:

Chrome has a tweenage tantrum.

The Google Chrome browser is 10 years old this week.

Let’s review how Chrome has changed web security since 2008. Let’s also check out the new features of Chrome 69, including a much-improved password manager.

But Google’s got a super-controversial proposal to “kill”—or at least hide—the ubiquitous URL. In … Security Blogwatch, we welcome our Googly overlords.

Congratulations, we killed Microsoft’s browser oligopoly, and replaced it with Google’s. Be careful what you wish for!

October

This story from October is still a mystery—Bloomberg spy chip: The story that will not die:

Big story or bogus shenanigans?

Bloomberg Businessweek’s story about hacked Super Micro server motherboards continues to reverberate around the tech echo chamber. You remember: the one about tiny spy chips in Apple and Amazon data centers, right?

“The Big Hack,” as the publication calls it, sets journalist against tech titan. The three companies are issuing ever-stronger denials, while Bloomberg’s editors doggedly stick to the story they’ve been working on for more than a year.

After three weeks, we’re still talking about it. And what does that tell you? In … Security Blogwatch, we unpick, unwrap, and unwisely underline.

There’s something going on, but what? This is at least a reminder that state actors are powerful, and wield that power in many ways.

November

November produced another warning about browser extensions—Data from 120M hacked Facebook accounts for sale in Russia:

In Russia, data sell you.

Yet another 5% of Facebook’s data leaks? The BBC Russian service reports 120,000,000 users’ private messages and other details for sale at 10¢ per user.

But Facebook denies blame: It was a malicious browser extension, y’see. But no, it's not going to tell us which one.

Why so serious, Mister Zuckerberg? In … Security Blogwatch, we flog many dead horses.

IT: Consider forbidding browser extensions on enterprise desktops, except for whitelisted code.

SecOps: Use analytics to identify programmatic access by extensions.
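The "restrict extensions by policy" advice given here and in the February item can be enforced with Chrome's enterprise policies. The following is an added example, not something from the original post: a managed-policy file (on Linux, Chrome reads it from /etc/opt/chrome/policies/managed/) that blocks every extension and then allows only an explicit list. The extension ID shown is a placeholder for a real 32-character ID from your own review; older Chrome builds (before the rename) spell the same policies ExtensionInstallBlacklist and ExtensionInstallWhitelist.

```json
{
  "ExtensionInstallBlocklist": [
    "*"
  ],
  "ExtensionInstallAllowlist": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ]
}
```

On Windows the same two policies live as registry values under HKLM\Software\Policies\Google\Chrome, and chrome://policy on a managed machine shows whether they were picked up.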

December

And then there was December’s dire denouement—Google panics as huge new bug found in Google+:

G+ APIs laid to REST.

It happened again, but this time it's 100 times worse. Google found another security hole in Google Plus.

This time, the bug’s in a RESTful API—and affects more than 50 million accounts. That’s far more than the 500,000 exposed last time.

And there we have a neat excuse to further accelerate the shutdown of the “failed” social network. But is this just a pretext, or is G+ really unmaintainable? In … Security Blogwatch, we figure out what’s really going on.

Find your own vulnerabilities before someone else does.

And Finally…

I lost count of the number of references in Nice Shoes, by Jonathan Lawrence and Tommy Mack.

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Blue Diamond / Nick Youngson / Alpha Stock Images (cc:by-sa)
