Weekly Security Link Dump (Week of May 18th)
Welcome to the Weekly Security Link Dump for the week of May 18th! This week, we'll take a look at some new tech, some broken crypto, and a few guides to help you improve the security of your workstation and your product.
After several high-profile articles calling for the deprecation of plaintext HTTP recently, the new HTTP/2 RFC has arrived! While it doesn't explicitly mandate SSL/TLS, HTTP/2 definitely has some improvements from a security perspective. Unfortunately, the Open Smart Grid Protocol has not had such good news this week, as researchers uncovered serious issues with some of its non-standard cryptographic algorithms. You can find out more about these and other topics below the fold.
If you have any feedback about this week's links, the format of these posts, or anything else, please let me know!
News / Opinions
- HTTP/2 RFC released - The RFC for HTTP/2 was released recently, and it looks to be quite a major shift from HTTP/1.1 in a lot of ways, including compressed headers, server push, and more. Changes that impact security include requiring TLS 1.2 or higher whenever HTTP/2 runs over TLS and deprecating a large number of cipher suites, among other things. Section 10 is all about the security considerations to keep in mind with HTTP/2, if you're interested in learning more.
- Weak homegrown crypto dooms open smart grid protocol - Security researchers have discovered serious issues in the cryptography of the Open Smart Grid Protocol, releasing a new paper called Dumb Crypto in Smart Grids to report their findings. In the words of these researchers, some of the crypto "has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever." Thankfully, the OSGP Alliance has stated that they intend to update this crypto, but they will still be using their own algorithms instead of common standards, which is heavily frowned upon by most cryptography experts.
- How to make two binaries with the same MD5 hash - In case you needed any more proof that you shouldn't be using MD5 anymore, especially for verifying hashes of arbitrary binary files, someone has developed a simple PHP tool to generate hash collisions, allowing virtually anyone to easily spoof MD5 hashes.
- What one may find in robots.txt - Security researchers will often use a tool like DirBuster or wfuzz to discover directories or files that might not be linked to in public places during an engagement, but this test is only as good as your wordlist. To create a new wordlist, a French security researcher has harvested thousands of robots.txt files, which often explicitly list files that website owners don't want search engine crawlers (or bad guys) to know about, and sorted the entries by frequency of occurrence. Great way to keep an updated list if you ask me.
Reference / Tutorials
- A week with a Rails security strategy - This article presents a nice framework for taking care of the security of your products on a weekly basis. It is geared towards Rails, but you can replace a lot of the Rails-specific pieces with the applicable tools for the language you're using. It includes simple processes like checking for outdated packages that might have security issues and checking out and updating TLS/SSL configurations, but it also contains more holistic processes like thinking about the guts of your application's login system, for example.
- Secure yourself, part 1: air-gapped computer, GPG and smartcards - Feeling particularly paranoid today? This guide will tell you how to set up an air-gapped computer, configure a Yubikey, and much more.
Random Link of the Week
- Lily - Ever wanted a drone to capture all your motions on HD video? Just throw this thing in the air, and it will fly around tracking you and shooting video automatically. Personally, I'm not looking forward to the day we have thousands of these things flying around everywhere capturing everything we do, but at least they'll look cool.