Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software. Roughly a month ago, Google Threat Analysis Group security researcher Neel Mehta discovered that the developers of an unwanted software known as OpenSUpdater started signing their samples with legitimate but intentionally malformed certificates, accepted by Windows but rejected by OpenSSL. By breaking certificate parsing for OpenSSL, the malicious samples would not be detected by some security solutions that use OpenSSL-powered detection rules and allowed to perform their malicious tasks on victims' PCs. "Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection," Mehta said.
Indonesian authorities have admitted that the COVID-19 vaccination certificate of the nation's President has circulated online and tried to explain that it's an indication of admirable transparency, rather than lamentable security. In one camp are those who argue that the document's unplanned public debut is more evidence that Indonesia's government is bad at securing information.
Carnegie Mellon University's Software Engineering Institute announced the appointment of Gregory J. Touhill as director of the SEI's CERT Division. The SEI's CERT Division is known around the world for its culture of innovation in cybersecurity areas such as cyber incident management, malicious software analysis, cyber resilience, insider threat detection and mitigation, and cyber workforce development.
Two high-severity vulnerabilities in the OpenSSL software library were disclosed on Thursday alongside the release of a patched version of the software, OpenSSL 1.1.1k. OpenSSL is widely used to implement the Transport Layer Security and Secure Sockets Layer protocols, which support encrypted network connections. "In order to be affected, an application must explicitly set the X509 V FLAG X509 STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose," the OpenSSL advisory explains.
Sectigo's chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome. In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "Going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.
"EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, said:"The agreement ENISA signed with CERT-EU is a stepping-stone in utilising our synergies to the benefit of EU Member States and the EU Institutions, Agencies and Bodies. "Our structured cooperation comes at a time where the EU and its Member States need to strengthen their cybersecurity capabilities more than ever."
Internet Security Research Group nonprofit Let's Encrypt has massively upgraded its certification hardware and software so that it can delete and reissue all its certs in less than 24 hours. Last April the certificate authority was forced to kill three million HTTPS certs after a bug was found in its automated certificate management environment, about 2.6 per cent of its 150 million live certificate base.
When Google Chrome 90 arrives in April, visitors to websites that depend on TLS server authentication certificates from AC Camerfirma SA, a digital certificate authority based in Madrid, Spain, will find that those sites no longer present the secure lock icon. Mozilla, maker of Chrome rival Firefox, has been trying to decide whether Camerfirma's history of questionable certificate management practices - documented in a lengthy list - warrants banishing the Spanish company's certificates from its Root Store - the set of certificates Firefox recognizes as trustworthy by default.
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. The malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressurizing the user into granting the extra privileges.
We explain how two French researchers hacked the Google Titan security key product, and dig into the Mimecast certificate compromise story to see what we can all learn from it. WHERE TO FIND THE PODCAST ONLINE. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.