
A Zero-Day Homograph Domain Name Attack
2020-03-04 15:57

The vulnerability is the ability to register almost exact lookalike domain names. Simple attacks would attempt to register a domain using similar Latin characters - for example G00GLE.COM to look like GOOGLE.COM. The first example uses zeros rather than the correct letter Os; and a successfully registered lookalike domain would likely be used as a malicious phishing site.

Why 3 million Let’s Encrypt certificates are being killed off today
2020-03-04 15:33

In the past, there were two main reasons: TLS certificates were complicated and time-consuming to acquire and use; and they cost money that sites such as charities, hobbyists and small businesses resented having to pay, especially given that certificates need renewing regularly. Let's Encrypt certificates are valid for 90 days, and autorenew for most users when there are 30 days or fewer left on their current certificates.

S2 Ep29: Facial recognition, malware madness and smart speakers – Naked Security Podcast
2020-03-04 15:08

This week we discuss the latest in the Clearview AI debacle, get more tales from the ransomware swamp and discover how often our smart speakers are listening to us. Host Anna Brading is joined by Sophos experts Paul Ducklin and Peter Mackenzie, and me!

4 essential things security experts do to protect their own data
2020-03-04 15:02

Learn from the experts what it takes to keep hackers away from your personal data. White Ops CEO Tamer Hassan uses the most extreme approach to protecting his personal data.

Scouting the Adversary: Network Sensor Placement Considerations
2020-03-04 14:56

So how can security organizations improve their visibility? One of the most impactful changes they could make is to re-evaluate their network sensor placement. Sensors report network alerts and metadata to your on-premises Network Enterprise appliances or to the remote Network Cloud.

It has been 15 years, and we're still reporting homograph attacks – web domains that stealthily use non-Latin characters to appear legit
2020-03-04 14:00

Researchers at Soluble today said they worked with Verisign to thwart the registration of domain names that use homoglyphs - non-Latin characters that look just like letters of the Latin alphabet - to masquerade as legit domains. First reported back in the 2000s, this technique allows miscreants to use characters that, when displayed in the browser bar, appear to show the URL of a valid site - such as Apple.com or Google.com - despite being a completely different domain name.

Bug Forces Let's Encrypt to Revoke 3 Million Certificates
2020-03-04 13:15

Free and open certificate authority Let's Encrypt is revoking over 3 million currently valid certificates after discovering a bug in its Certification Authority Authorization (CAA) code. Because of the bug, a subscriber could issue certificates for validated domain names up to 30 days after validation without the second CAA check being performed 8 hours prior to issuance, and the certificate would be issued even if someone had since installed CAA records for that domain name to prohibit certificate issuance by Let's Encrypt.

Let's Encrypt Vulnerability
2020-03-04 12:46

In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code." Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

UK data watchdog slaps a £500,000 fine on Cathay Pacific for 2018 9.4m customer data leak
2020-03-04 12:30

The Information Commissioner's Office has fined Cathay Pacific Airways £500,000 for leaky security that exposed the personal data of 9.4 million passengers - 111,578 of whom were from the UK. The breach, which occurred between October 2014 and May 2018, exposed passengers' names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and travel history, as well as 430 credit card numbers, 27 of which were active. The unauthorised access was first suspected in March 2018, when Cathay's database suffered a brute force attack, and confirmed in May. A Cathay Pacific spokesman said at the time that the combination of data accessed varied for each affected passenger.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates
2020-03-04 12:00

Starting at 20:00 UTC today, the non-profit certificate authority Let's Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."