‘Scambaiting’ is racist and dangerous, so let’s stop celebrating it

Source: National Cyber Security – Produced By Gregory Evans

Fraud has reached “epidemic” levels in the UK over the past 12 months, costing up to £190 billion a year and constituting what the Royal United Services Institute has called […]

Bug prompts Let’s Encrypt to revoke over 3M TLS certificates

Beginning today, Let’s Encrypt is revoking more than 3 million of its Transport Layer Security (TLS) certificates, following the discovery of a bug that affects the way it rechecks CAA (Certificate Authority Authorization) records.

“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days,” explained Jacob Hoffman-Andrews, Let’s Encrypt engineer, in a Feb. 29 post on the non-profit certificate authority’s website. However, in cases where cert issuance is delayed for more than eight hours, Let’s Encrypt must recheck CAA records, even though the records were originally checked during the domain control validation process. That’s where the vulnerability comes into play.

Hoffman-Andrews described the bug, which was introduced on July 25, 2019, as follows: “[W]hen a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
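The recheck logic described in the two paragraphs above, written out as an added Go example. This is not Boulder’s code and not from the post; it models only the behaviour the post describes (a 30-day validation lifetime, a CAA recheck after eight hours, and a recheck that picks one name and checks it N times) beside a corrected recheck that visits every name. The CAA policy table, domain names and the `caaAllowsIssuance` lookup are constructed stand-ins for DNS CAA lookups; the post does not say what the underlying coding error in Boulder was.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed stand-in for DNS CAA lookups (not real records).
// Key: domain; value: CA identifiers its CAA records permit to issue.
// A missing key means "no CAA record", which permits any CA.
var caaRecords = map[string][]string{
	"alpha.example": {"letsencrypt.org"},
	"beta.example":  {"letsencrypt.org"},
	"gamma.example": {"other-ca.example"}, // CAA now prohibits Let's Encrypt
}

// Identifier this CA looks for in CAA "issue" records (assumed value).
const caIdentifier = "letsencrypt.org"

// caaAllowsIssuance reports whether the domain's CAA records permit this CA.
// Simplified: no climbing to parent domains, no wildcard handling.
func caaAllowsIssuance(domain string) bool {
	issuers, present := caaRecords[domain]
	if !present {
		return true
	}
	for _, issuer := range issuers {
		if issuer == caIdentifier {
			return true
		}
	}
	return false
}

// Windows as the post describes them: a domain control validation is reused
// for up to 30 days, but CAA must be rechecked when issuance happens more
// than 8 hours after validation.
const (
	validationLifetime = 30 * 24 * time.Hour
	caaRecheckAfter    = 8 * time.Hour
)

// needsCAARecheck reports whether an order validated at validatedAt and
// issued at now requires a CAA recheck; it errors if the validation expired.
func needsCAARecheck(validatedAt, now time.Time) (bool, error) {
	age := now.Sub(validatedAt)
	if age > validationLifetime {
		return false, errors.New("authorization expired; revalidate domain control")
	}
	return age > caaRecheckAfter, nil
}

// recheckCAABuggy reproduces the defect the post describes: with N names to
// recheck it picks one name and checks it N times, so a prohibiting CAA
// record on any of the other N-1 names is never seen.
func recheckCAABuggy(names []string) error {
	if len(names) == 0 {
		return nil
	}
	for i := 0; i < len(names); i++ {
		if !caaAllowsIssuance(names[0]) {
			return fmt.Errorf("CAA prohibits issuance for %s", names[0])
		}
	}
	return nil
}

// recheckCAAFixed checks every name in the request exactly once.
func recheckCAAFixed(names []string) error {
	for _, name := range names {
		if !caaAllowsIssuance(name) {
			return fmt.Errorf("CAA prohibits issuance for %s", name)
		}
	}
	return nil
}

func main() {
	names := []string{"alpha.example", "beta.example", "gamma.example"}
	now := time.Now()
	recheck, err := needsCAARecheck(now.Add(-12*time.Hour), now)
	fmt.Println("recheck required:", recheck, "err:", err)
	fmt.Println("buggy recheck:", recheckCAABuggy(names)) // nil: gamma never checked
	fmt.Println("fixed recheck:", recheckCAAFixed(names)) // error for gamma.example
}
```

Run as-is to see the buggy recheck accept a request that the corrected one refuses because of the third name; the only difference between the two functions is which name each loop iteration looks at.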

Altogether, 3,048,289 certificates are affected, or roughly 2.6 percent of the approximately 116 million active certificates issued by Let’s Encrypt, which is operated by the San Francisco, Calif.-based Internet Security Research Group. One million of these are duplicates of certificates that typically are reissued on a frequent basis, Hoffman-Andrews further explained on the Bugzilla website as well as in an FAQ page on the Let’s Encrypt site.

Let’s Encrypt identified the CA software in question as Boulder. The certificate authority said the bug was originally reported by a Let’s Encrypt community member on February 18 and was fixed on Feb. 29. Let’s Encrypt has since created a tool for users to determine whether they are affected by the vulnerability. Affected subscribers are encouraged to renew and replace their impacted certificates.

Let’s make ransomware MORE illegal, says Maryland – Naked Security

The oft-attacked city of Baltimore not only uses mind-bogglingly bad data storage. Its home state, Maryland, also knows how to swiftly propose mind-bogglingly bad legislation that would outlaw possession of ransomware and put researchers in jeopardy of prosecution.

It is, of course, already a crime to use the data/systems-paralyzing malware in a way that costs victims money, but proposed legislation, Senate Bill 30, would criminalize mere possession.

It’s not supposed to keep researchers from responsibly researching or disclosing vulnerabilities, but like other, similar “let’s make malware more illegal” bills before it, SB 30’s attempts to protect researchers could “use a little more work,” as pointed out by Ars Technica’s Sean Gallagher.

It covers much of the same ground as federal law, but SB 30 would take it a step further by labelling the mere possession of ransomware a misdemeanor that would carry a penalty of up to 10 years’ imprisonment and/or a fine of up to $10,000.

The draft could get yet more draconian still: Earlier this month, members of the Maryland Senate Judicial Proceedings Committee said they’d actually prefer to make the crime a felony, according to Capital News Service.

The problematic outlawing of “unauthorized access”

Besides mere possession of ransomware, the bill would outlaw unauthorized, intentional access or attempts to access…

…all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed.

It would also criminalize acts intended to “cause the malfunction or interrupt the operation of all or any part” of a computer, the network it’s running on, and their software/operating system/data. Also verboten: intentional, willful, unauthorized possession or attempts to identify a valid access code, or publication or distribution of valid access codes to unauthorized people.

Where does that leave researchers? Partially protected by a thin blanket that doesn’t protect them from liability, experts say.