Issue 8

WhatsApp vulnerability allows snooping on encrypted messages

Easily the biggest story this week. The Guardian reported a 'backdoor' in Whatsapp's encryption, allowing for a third party to snoop on a conversation.
Even though Signal uses the same protocol, it does not have this issue, because it comes down to an implementation choice and Signal made it differently.
From what I understand, the choice is: what to do when a message is not yet received by the other party, but meanwhile the sender changes phones or sim card, which changes his keys. Do you drop the old message, or send it anyway with maybe a warning?
A third party could snoop by reading the old message before delivery, re-encrypting it, and sending it through without the receiver knowing.
And yes, it's crypto, so I'm butchering this explanation. Hackernews thread here. Moxie, creator of Signal, counters the article here.


A new and very convincing Gmail phishing attack

This link shows a new phishing attack in action, where you get an e-mail from a known contact with what looks like a plausible attachment. However, the attachment isn't really a file, it's an embedded image, which when clicked prompts you to a very realistic Google login page. Something to be aware about.
More thorough explanation here, and a Hackernews discussion about it here


If you flash a peace-sign in a picture, your fingerprints might be duplicated

Essentially, if the bottom of your fingers is displayed on a picture, under the right conditions, one could replicate your finger prints and use it to unlock iPhones and fingerprint scanners. At least according to research from the National Institute of Informatics (NII). Hard to believe, but it might actually be possible.


GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug

GoDaddy was obliged to revoke thousands of SSL certificates as the result of an unspecified software bug. In a blog post, GoDaddy said the bug was introduced six months ago and has affected 8.850 certs, which will now be revoked.


Google releases Key Transparency

Google has released a new project called Key Transparency. It's a repository where third-party applications can look up the public key of an online persona. It will also make sure that any changes to those public keys are visible to everyone.
Sounds extremely similar to Hackernews thread here.


Windows 10 security: 'So good, it can block zero-days without being patched'

The strong title aside, this is a boon to Microsoft for incorporating strong anti-exploit mitigation techniques in the Windows 10 Anniversary Update of August 2016. They seem certain that it stops two recently discovered zero-days, even without explicitly patching the vulnerabilities.


SHA-1 End Times Have Arrived

If, starting next week, you get reports of strange warning messages from your employees or customers, the problem might be the switch from SHA-1 to SHA-256.
A deadline was set a few years back that SHA-1 signed certificates would no longer be marked as secure by the top browsers, out of fear that it would become technologically and financially conceivable to spoof a SHA-1 hash. That deadline will arrive at the 24th of January.
There was a process developed for exceptions, however, because of for example credit card terminals not being able to upgrade their internal validations. Facebook also faced their own issues with up to 7 percent of it's users, particularly in developing countries, still using hardware that can't use SHA-256.


Google documenting security measures for its infrastructure

This is a long but extremely informative read explaining from a high-level how Google secures its operations. It really gives you a glimpse of what a complex beast Google must be to keep safe.



This is a curated Github repository by nebgnahz that tracks known IoT hacks and related documentation.


The most common passwords of 2016

Always fun and sad to see a list of most popular passwords. The top three is predictable: "123456", "123456789" and "qwerty".
Two curious entries are "18atcskd2w" and "3rjs1la7qe". It's suggested by Graham Cluley that these might be passwords used by bots when creating accounts for spamming and phishing.