Νέα Ασφάλειας

Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company’s name in the address bar.

When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks.

One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser’s address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive “trustworthy” certificate.

In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt’s predictions are coming true. EV Certificates will soon be dead.

Read more »

Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections.

Most Antivirus software offers web security feature that intercepts encrypted HTTPS connections to monitor the content for malicious web pages before it reaches the web browser.

To achieve this, security software replaces websites’ TLS certificates with their own digital certificates issued by any trusted Certificate Authorities (CAs).

Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox.
Read more »

Google has started rolling out this month’s security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity.

The vulnerabilities affect various Android components, including the Android operating system, framework, library, media framework, as well as Qualcomm components, including closed-source components.

Three of the critical vulnerabilities patched this month reside in Android’s Media framework, the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device, within the context of a privileged process, by convincing users into opening a specially crafted malicious file.
Read more »

In recent years, several groups of cybersecurity researchers have disclosed dozens of memory side-channel vulnerabilities in modern processors and DRAMs, like Rowhammer, RAMBleed, Spectre, and Meltdown they have one thing in common and That’s OpenSSH.

As a proof-of-concept, many researchers demonstrated their side-channel attacks against OpenSSH application installed on a targeted computer, where an unprivileged attacker-owned process exploits memory read vulnerabilities to steal secret SSH private keys from the restricted memory regions of the system.

That’s possible because OpenSSH has an agent that keeps a copy of your SSH key in the memory so that you don’t have to type your passphrase every time you want to connect to the same remote server. However, modern operating systems by default store sensitive data, including encryption keys and passwords, in the kernel memory which can not be accessed by user-level privileged processes.

But since these SSH keys live on the RAM or CPU memory in plaintext format, the feature is susceptible to hacking attempts when the attacks involve memory read vulnerabilities.
Read more »

After Adobe, the technology giant Microsoft today—on June 2019 Patch Tuesday—also released its monthly batch of software security updates for various supported versions of Windows operating systems and other Microsoft products.

This month’s security updates include patches for a total of 88 vulnerabilities, 21 are rated Critical, 66 are Important, and one is rated Moderate in severity.

The June 2019 updates include patches Windows OS, Internet Explorer, Microsoft Edge browser, Microsoft Office and Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server, and Azure.

Four of the security vulnerabilities, all rated important and could allow attackers to escalate privileges, patched by the tech giant this month were disclosed publicly, of which none were found exploited in the wild.
Read more »