Welcome to the April edition of the SSL.com Roundup, in which we look back on the past month in digital security. Read on for our collection of what struck us over the past four weeks, and stay safe out there!
Rest in Peace, Dan Kaminsky
SSL.com joins the cybersecurity community in mourning researcher Dan Kaminsky. Dan was best known for his 2008 discovery of a major flaw in the Domain Name System (DNS) that allowed a wide range of attacks and could direct unknowing users to malicious imposter sites. His research also included uncovering vulnerabilities in X.509 authentication, a foundation of PKI and digital certificates. Kaminsky was remembered in the New York Times as an “internet security savior” in a touching obituary written by Nicole Perlroth. She writes:
“The internet was never designed to be secure,” Mr. Kaminsky recalled in a 2016 interview. “The internet was designed to move pictures of cats. We are very good at moving pictures of cats.” But, he added: “We didn’t think you’d be moving trillions of dollars onto this. What are we going to do? And here’s the answer: Some of us got to go out and fix it.”
eSigner Public Beta Registration
In news from our own camp, SSL.com invites EV code signing and document signing customers to participate in the public beta of eSigner, SSL.com’s new unified cloud platform for document and code signing.
eSigner includes:
- eSigner Express GUI web application for document signing and EV code signing
- Cloud Signature Consortium (CSC) API for document signing and EV code signing
- CodeSignTool command-line tool for EV code signing
Any SSL.com Document Signing or EV Code Signing certificate may be enrolled in eSigner, letting you sign documents and code from any internet-connected device without USB tokens, HSMs, or PKI expertise. Organizations can integrate eSigner with their document and code signing workflows, including CI/CD automation. Software publishers and service providers can use eSigner to offer digital signing capabilities to their customers.
eSigner will be a subscription-based service when fully launched. However, beta participants will get early access to eSigner Express, CSC API, and CodeSignTool with no subscription charges prior to eSigner’s full commercial release. To sign up, please fill out the eSigner beta registration form and an SSL.com team member will contact you with details.
IoXT Alliance Announces New Mobile App Security Standard
The ioXt (Internet of Secure Things) Alliance, an industry group developing and advocating for IoT security standards, has announced that it is expanding its compliance program with a new security standard for mobile apps. The new mobile application profile includes requirements for virtual private network (VPN) applications. You can read more about the new standard on the Google Security Blog. As they explain it:
The ioXt Mobile Application Profile provides a minimum set of commercial best practices for all cloud connected apps running on mobile devices. This security baseline helps mitigate against common threats and reduces the probability of significant vulnerabilities. The profile leverages existing standards and principles set forth by OWASP MASVS and the VPN Trust Initiative, and allows developers to differentiate security capabilities around cryptography, authentication, network security, and vulnerability disclosure program quality. The profile also provides a framework to evaluate app category specific requirements which may be applied based on the features contained in the app.
In terms of Public Key Infrastructure, or PKI, the new standard asks that all network traffic be encrypted and that verified TLS (a connection whose certificate chain is actually validated) be used whenever possible. The new program also requires X.509 certificate pinning for an app’s primary services.
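To make the pinning requirement concrete, here is an added example written for this roundup; it is not code from SSL.com, ioXt or Google. It pins the SHA-256 hash of the leaf certificate’s DER-encoded SubjectPublicKeyInfo (the base64 form used by HPKP and OkHttp), checked after ordinary chain validation rather than instead of it. Because a real certificate cannot be minted offline with the standard library alone, the block builds a structurally valid but unsigned stand-in certificate with filler key bytes; the names `pinned_connect`, `make_fake_cert` and the constructed certificate contents are this example’s own assumptions. The example also shows why SPKI pinning is preferred over pinning the whole certificate: a renewed certificate with the same key still passes, while a rotated key does not.

```python
"""SPKI public-key pinning layered on top of normal TLS verification (added example)."""
import base64
import hashlib
import socket
import ssl


def _tlv(buf: bytes, off: int):
    """Decode one DER TLV at buf[off]; return (tag, value, raw_tlv, next_offset)."""
    tag = buf[off]
    length = buf[off + 1]
    hdr = 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[off:end], end


def _children(value: bytes):
    """Split the payload of a constructed DER element into its child TLVs."""
    out, off = [], 0
    while off < len(value):
        tag, val, raw, off = _tlv(value, off)
        out.append((tag, val, raw))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _, _ = _tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed tbsCertificate")
    return fields[5][2]


def spki_pin(cert_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def verify_pin(cert_der: bytes, pins: set) -> bool:
    """True only if the certificate's public key matches a configured pin."""
    return spki_pin(cert_der) in pins


def pinned_connect(host: str, port: int, pins: set, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with the default verifying context AND a pin check (hypothetical helper;
    needs network, so it is not exercised by the offline demo)."""
    ctx = ssl.create_default_context()       # chain validation + hostname check stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not verify_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"public-key pin mismatch for {host}")
    return tls


# --- constructed stand-in certificate so the example runs offline -----------------
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


_ALG_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))


def make_fake_cert(serial: int, key_filler: bytes) -> bytes:
    """Structurally valid, unsigned certificate: filler key bytes, empty names."""
    spki = _der(0x30, _ALG_RSA + _der(0x03, b"\x00" + key_filler))
    validity = _der(0x30, _der(0x17, b"210401000000Z") + _der(0x17, b"220401000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _SIG_ALG + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + _SIG_ALG + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    issued = make_fake_cert(1, b"constructed-filler-key")
    renewed = make_fake_cert(2, b"constructed-filler-key")    # same key, new serial
    rotated = make_fake_cert(3, b"a-different-filler-key")    # key rotated
    pins = {spki_pin(issued)}
    print("renewed cert still passes:", verify_pin(renewed, pins))
    print("rotated key passes:", verify_pin(rotated, pins))
```

In a real deployment the pin set holds at least one backup pin for the next key so that a planned rotation does not brick the app, and the pinned check runs only after the default context has already validated the chain and hostname.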
‘Massive’ macOS Bug Bypasses Security Requirements
A vulnerability in Apple’s macOS operating system that allowed attackers to install malware without triggering security warnings has been found. The bug allowed bad actors to bypass macOS security features like Gatekeeper, File Quarantine and App Notarization to take control of computers. Lorenzo Franceschi-Bicchierai covered the bug for Vice Magazine’s Motherboard in a piece that stressed how dangerous the vulnerability was. Because it bypassed security warnings, a double-click by any user could introduce malware. And that’s not all:
What’s worse, at least one group of hackers have been taking advantage of this bug to infect victims for months, according to Jaron Bradley, detections lead at Apple-focused cybersecurity company Jamf Protect… “One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt,” Bradley said in an online chat. “Further analysis leads us to believe that the developers of the malware discovered the zero day and adjusted their malware to use it in early 2021.”
Apple has released version 11.3 of macOS, which should be downloaded immediately, as it contains a patch for the bug. Once that’s taken care of, you might want to check out the detailed rundown Dan Goodin over at Ars Technica has written about how hackers exploited the vulnerability to install malware.