
Category: Hackerterrorcybercyber

Webservers in a Dishwasher

The Register reports on CVE-2017-7240, Web Server Directory Traversal in the Miele Professional PG 8528 Dishwasher (which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments).

Yes, dishwashers (and many microwaves and ovens) now come with touch screens and network ports. Of course, as El Reg puts it:

Appliance makers: stop trying to connect to the Internet, you’re no good at it. ®

but in this case the webserver even makes sense. The PG 8528 is a commercial washer and disinfector for hospitals and probably comes with remote service and diagnostics.

That makes it even worse that Miele has no security process for these devices at all:

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.

Miele never responded to the bug report they received in November 2016.


Chrome considers Symantec CA rogue

Ryan Sleevi writes:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. […]

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. […]

Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.


10 reasons not to do HTTPS interception

Marnix Dekker has an article on HTTPS interception as it is being done in some workplaces.

He lists:

  • Are you serious? We worked so hard to make the web more secure and you are fucking it up.
  • HSTS, you are breaking it.
  • Blinds the browser and the user, because you re-encrypt with wildcard certs.
  • Disrupts personal use.
  • Breaks pinning and CT.
  • Breaks with consumerization.
  • Disrupts BYOD.
  • Discourages good user practices.
  • Limited benefits.
  • and finally: Hard shell, soft inside is not going to work.
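As an added illustration of the "re-encrypt with wildcard certs" and "breaks pinning" points above (this is not code from Dekker's article), here is a client-side check over the certificate data Python's ssl module exposes, run on constructed sample certificates. Assumptions: the PUBLIC_ISSUERS list and both certificates are constructed for the demo, and pinning is simplified to hashing the whole leaf certificate in DER form.

```python
import hashlib
# Issuer organizations treated as public CAs in this demo (constructed list, not exhaustive).
PUBLIC_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}

def _name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _wildcard_covers(pattern, host):
    """'*.example.com' covers 'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    return pattern.startswith("*.") and host.split(".", 1)[1:] == [pattern[2:]]

def interception_indicators(host, cert, der, pinned_sha256):
    """Return reasons the leaf certificate looks minted by an intercepting proxy.
    cert: ssl.SSLSocket.getpeercert() layout; der: the leaf in DER form; pinned_sha256:
    hex SHA-256 of the DER the site is known to serve (certificate pinning)."""
    reasons = []
    issuer = _name_field(cert.get("issuer", ()), "organizationName")
    if issuer not in PUBLIC_ISSUERS:
        reasons.append(f"issuer {issuer!r} is not a public CA: a private root is in use")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host not in sans and any(_wildcard_covers(s, host) for s in sans):
        reasons.append("host is covered only by a wildcard SAN: re-encryption certificate")
    if hashlib.sha256(der).hexdigest() != pinned_sha256:
        reasons.append("leaf does not match the pinned certificate: pinning would fail")
    return reasons

# Constructed sample data: the byte strings stand in for real DER-encoded certificates.
GENUINE_DER = b"constructed DER of the certificate www.example.com really serves"
PINNED = hashlib.sha256(GENUINE_DER).hexdigest()
GENUINE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
PROXY_DER = b"constructed DER of a certificate minted on the fly by a corporate proxy"
PROXY_CERT = {
    "issuer": ((("organizationName", "Corp Inspection CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

def check_genuine():
    return interception_indicators("www.example.com", GENUINE_CERT, GENUINE_DER, PINNED)

def check_proxy():
    return interception_indicators("www.example.com", PROXY_CERT, PROXY_DER, PINNED)
```

With a live socket the same function takes `getpeercert()` and `getpeercert(binary_form=True)` as its `cert` and `der` arguments.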



Ubuntu 12.04 LTS expires next month, but there’s the Dodo club

So Precise Pangolin was published as Ubuntu 12.04 LTS on April 26, 2012.

That’s a long time ago. Back then, Battleship, The Avengers (3D) and Cabin In The Woods (3D) were released. Intel released the Ivy Bridge Microarchitecture. The last proper US president campaigned for his second term and the US weren’t a failed state back then. It was a different world.


Magic circles banning autonomous cars

Trapping Autonomous Cars

Somebody sent me a link to Vice with the comment “A multiple hit in the Venn Diagram of your interests”.

It’s about an artist using technology disguised as ritual magic to trap self-driving cars (and similar shenanigans). The assessment was correct, this is beautiful.

The image from the article shown above shows a self-driving car inside fake street markings. The broken lines allow the car’s logic to enter the circle, the unbroken lines mark a demarcation that must not be crossed, hence the car can never leave.

It ties back to a story my driving instructor told me. He was making a point about “How things are being presented matters”, telling of a beginner driver who had been told to imagine unbroken lines as a “wall that cannot be crossed” and who because of that had problems – sometimes rules must be broken to preserve their meaning and spirit.



MySQL and encrypted connections

2006 slides by Rasmus Lerdorf

Since 5.0, MySQL natively supports encrypted connections to the database, and supposedly also supports client certs for user authentication. Supposedly, because I never tried.

MySQL as a database performs well with transient connections, such as are prevalent in two-tier deployments (mod_php, mod_perl, mod_python to database), in which a database connection is made upon web request and torn down at the end of the request. This model does not scale so well with encryption in the mix, because every new connection requires a full TLS/SSL handshake.


Docker Image Vulnerability Research

federacy reports “24% of the latest Docker images have significant vulnerabilities”.

The report underlines the importance of running your own image building service and your own local registry when deploying Docker and Kubernetes.

That includes the base operating system images: the test focused on the latest official Docker images of base operating systems and the known vulnerabilities in them, and it lists last year’s vulnerabilities still present in current images.
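As an added example (not code from the federacy report), here is a small Dockerfile linter that flags exactly the two habits the report argues against: pulling base images from a public registry instead of your own, and referencing them by a floating tag such as latest instead of a digest. The trusted registry name and the sample Dockerfile are constructed for the demo.

```python
import re
# Registry holding images you built and scanned yourself (constructed example value).
TRUSTED_REGISTRIES = {"registry.internal.example:5000"}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.I)

def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = None
    # Docker's rule: the first component is a registry only if it contains '.' or ':' or is 'localhost'.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    repo, tag = "/".join(parts), None
    if ":" in parts[-1]:
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest

def lint_dockerfile(text):
    """Return (line_no, reason) findings for FROM lines that pull an unpinned image
    or one that did not come from the trusted local registry."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stages.add(m.group("alias"))
        if ref in stages or ref.lower() == "scratch":
            continue  # earlier build stage or the empty image: nothing is pulled
        registry, _repo, tag, digest = parse_image_ref(ref)
        if registry not in TRUSTED_REGISTRIES:
            findings.append((n, f"{ref}: pulled from {registry or 'Docker Hub'}, not the local registry"))
        if digest is None:
            findings.append((n, f"{ref}: not pinned by digest; tag {tag or 'latest'} can change silently"))
    return findings

# Constructed sample Dockerfile; the all-zero sha256 digest is a placeholder, not a real one.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM ubuntu:latest",
    "FROM python:3.6 AS builder",
    "FROM registry.internal.example:5000/base/ubuntu@sha256:" + "0" * 64,
    "FROM builder",
])
```

Running `lint_dockerfile(SAMPLE_DOCKERFILE)` reports the first two FROM lines twice each and the digest-pinned local image not at all.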


Zero Days

The RAND Corp study on zero-day exploits is now available. About 200 zero-days have been analyzed, and data has been collected on how many groups find them and how long they stay undetected. Among the findings:

  • Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
  • For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.

The report highlights the importance of things like Google’s Project Zero: systematically testing software products of all kinds for possible weaknesses and exploitable bugs, then getting them fixed.

