As data increasingly translates to dollars, an ever-more-vigilant eye is turned towards the providers we trust. This week, three of the biggest players in the information sector battle encryption vulnerabilities, bugs and flaws as holes in encryption strategies are exploited. The fight for privacy takes a turn as Apple faces heat for storing encrypted emails in an unencrypted location. And internet giant Cisco faces several bugs in its small business routers, while the Amazon Ring faces Wi-Fi takeover as a consequence of using HTTP. How key players in data management are handling encryption, this week in the Encryption Digest.
Cisco firmware needs an update: same crypto keys on multiple routers
According to their website, 85% of all internet traffic runs through Cisco systems. That’s a lot of data to protect. And when that data leads to web traffic for small businesses, mistakes can become even more costly.
That’s why networking giant Cisco has been issuing firmware fixes for several vulnerabilities found on several small-business routers. According to one report, Cisco “explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices' firmware.”
As a result, every affected device carries the same keys, rendering them useless: a key that ships in every copy of the firmware cannot identify or protect any single device.
Venafi’s Kevin Bocek weighs in on the significance of the finds: “It's unfortunate that many organizations still haven’t realized how important machine identities are to security. For example, it would be unthinkable for an organization to use the same default password on multiple machines but similar missteps with keys and certificates are increasingly common.”
Researchers then found another set of routers with a bug that could allow an authenticated bad actor to take over the device with root privileges. This one carried a weightier warning, with a severity rating of 8.8 out of 10.
Cisco reports that the incidents were oversights by the development team, and that the “keys were never used for live functionality in shipping products.” However, the presence of these oversights is concerning.
With the proliferating number of private keys to keep track of within any encrypted enterprise strategy, it’s no wonder that some get lost, forgotten, or “overlooked.” Bocek suggests, “The only way to prevent these kinds of mistakes is to put in place a strong machine identity management program.”
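One way to check a fleet for the mistake described above is to fingerprint every device's SSH host key and flag any key that appears on more than one host. The following is an added example, not code from Cisco or Venafi; it assumes the inventory is in `ssh-keyscan` output format, and the addresses and keys are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_output):
    """Return {fingerprint: [hosts]} for host keys seen on more than one host.
    Input lines use ssh-keyscan's format: "<host> <keytype> <base64 key>"."""
    hosts_by_fp = defaultdict(set)
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank, malformed, or a banner comment line
        host, _keytype, key_b64 = parts[:3]
        try:
            hosts_by_fp[ssh_fingerprint(key_b64)].add(host)
        except ValueError:
            continue  # key field is not valid base64
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def _constructed_key(seed):
    """Syntactically valid ssh-ed25519 blob derived from a seed (not a real key)."""
    algo, pub = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()


# Constructed inventory: two devices share the key baked into their firmware.
FIRMWARE_KEY = _constructed_key(b"baked-into-firmware-image")
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.1:22 SSH-2.0-constructed",
    f"192.0.2.1 ssh-ed25519 {FIRMWARE_KEY}",
    f"192.0.2.2 ssh-ed25519 {FIRMWARE_KEY}",
    f"192.0.2.3 ssh-ed25519 {_constructed_key(b'generated-on-first-boot')}",
    "192.0.2.4 ssh-ed25519 not*base64",
])

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

The same grouping works for X.509 certificates if the fingerprint is taken over each certificate's DER bytes instead of the SSH key blob.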
Apple fixes flaw that leaves [just part of] your email exposed
It’s not that unencrypted.
Only parts of your emails are stored in a macOS database where Siri learns more about you from other apps. And it’s only the unencrypted text from emails that were supposed to be encrypted. Well, that’s only because it stores S/MIME encrypted emails in an unencrypted database.
Wait a minute.
In a Medium article back in July, IT specialist Bob Gendler disclosed that (should-be) encrypted S/MIME emails were being stored unencrypted in a file, snippets.db, on macOS. S/MIME messages are encrypted by the sender with a public key and require the matching private key to read. Storing the text in snippets.db removed the need for a private key, leaving the emails exposed.
Alongside data from other Apple apps, Mail data is stored in the database to help Siri learn more about the user. It’s always nice when she suggests your favorite taco place.
But disabling Siri should prevent the system from collecting your personal data, including personal emails. Only it doesn’t.
As we turn to private entities to secure our data from prying eyes (government entities, perhaps), this is a highly inconvenient mistake. In the wake of the multi-million dollar “Privacy. That’s iPhone” campaign, it raises some uncomfortable questions.
Concerning the exposure, you can go into System Preferences and switch off Mail’s “Learn from this App” to prevent anyone else [besides Siri?] from getting access to new emails. You can mitigate current risk by deleting the old.
The incident was brought to Apple’s attention in July of this year. The company says they will resolve the issue with the next round of updates.
Amazon Ring video doorbell: still using HTTP?
No fancy attack needed here. Unfortunately, by some oversight, what was becoming trusted as one of the safest ways to answer the door was secured by one of the lowest forms of internet security.
Amazon rolled out its very popular Ring Video Doorbell over the porous HTTP. As we may know, “HTTP is a 'sniffable' protocol, which means that everything exchanged between parties can be eavesdropped on by a potential actor within physical proximity,” as Bogdan Botezatu, director of threat research and reporting at Bitdefender, the company that broke the news, states.
In something out of a Home Alone sequel, all the attacker needs to do is scout out a house with an Amazon Ring, get within range with the right equipment and then send de-authentication messages until the owner thinks the device is malfunctioning and runs the authentication process again. Doing so will expose the plaintext credentials, allowing an attacker to pick those up and run with them to potentially connect to any device on the network. This can be your family’s cell phones, your personal work emails, and of course, the video feed from your Amazon Ring.
Ever wonder who your kids bring over? You’re not the only one.
As Botezatu explained, "The doorbell receives the Wi-Fi network password in plain text. Anyone who has access to the password in the proximity of the router can connect to the respective network and start probing for new devices, access network shares or even control equipment."
Amazon has released an automatic security update; no word on if that includes HTTPS.