June 3, 2020

The mystery of the expiring Sectigo web certificate

By Paul Ducklin

There’s a bit of a kerfuffle in the web hosting community just at the moment over an expired web security certificate from a certificate authority called Sectigo, formerly Comodo Certificate Authority.

Expired certificates are a problem because they cause the web server that relies on them to show up as “invalid” to any program that tries to do the right thing and verify the validity of the site it’s connecting to.

But this problem isn’t Sectigo’s fault – indeed, the company has had a warning about the impending problem available for a while now, explaining what was about to happen and why.

The problem comes from what’s known as backwards compatibility, which is a jargon way of saying “trying to support old software reliably even though it really ought to have been upgraded to a newer and more reliable version”.

Read more at https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate/

Hacker posts database stolen from Dark Net free hosting provider DH

By Lisa Vaas

In March, some 7,600 dark-web sites – about a third of all dark-web portals – were obliterated in an attack on Daniel’s Hosting (DH), the most popular provider of .onion free hosting services. Its portal was breached, its database was stolen, and its servers were wiped.

That was punch one. Punch two landed on Sunday, when a hacker going by the name KingNull or @null uploaded a copy of DH’s stolen database to a file-hosting portal and then gave ZDNet a heads-up about the leak.

ZDNet reports that a cursory analysis of the data dump shows that it includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.

Back in March, Daniel Winzen, the German software developer who runs DH, originally said that his portal was kaput, at least for the foreseeable future… which he also said, more or less, after DH suffered an earlier attack in September 2018. During the 2018 attack, hackers had rubbed 6,500 sites off the dark web in one fell swoop.

DarkOwl – a darknet intelligence, tools, and cybersecurity outfit that keeps an eye on DH and other dark web goings-on and which analyzed the September 2018 breach – had spotted Winzen’s post acknowledging the most recent attack and shared it on Twitter on 10 March. That’s the same day that DH’s hosting database got knocked out.

Who is KingNull – the hacker who went on to post DH’s database – and who else has it in for DH? Since they first spotted Winzen’s March tweet, DarkOwl analysts have looked for answers and published their take on the involved parties, which dark-net subcultures they can be traced to, and online chats about the attack. In one such discussion, an actor claimed that Winzen was compromised while accessing child abuse content.

Read more at https://nakedsecurity.sophos.com/2020/06/02/hacker-posts-database-stolen-from-dark-net-free-hosting-provider-dh/

Crime agency turns to Google ads to deter teen DDoS hackers

By John E Dunn

Britain’s National Crime Agency (NCA) has hit on what looks like a simple way to stop impressionable teens from being sucked into cybercrime – advertise the terrible legal consequences using Google Ads.

The ads were spotted earlier in the month by security blogger Brian Krebs. During May, anyone searching for Distributed Denial of Service (DDoS) ‘stresser’ and ‘booter’ would have found them hard to miss, and one apparently ran the following blunt warning at the top of search results:

Gaming and cyber crime – Booting is illegal.

Booters are illegal DDoS-for-hire services used to overload websites with huge amounts of traffic, with gaming servers a favourite target (stressers are synonymous with much the same nefarious idea although in theory they also have legitimate uses such as helping sysadmins model the traffic capacity of their websites).

We couldn’t track down this ad, but the gist of the message would have been similar to the NCA’s official page, which pushes the message that in the UK (and the US) DDoS attacks are definitely a bad idea if you don’t want a visit from the police in the early hours of the morning.

It sounds too good to be true – can a simple ad deter teen would-be hackers that easily? In fact, the evidence of similar campaigns run by the NCA in the past is that it has some effect.

Read more at https://nakedsecurity.sophos.com/2020/06/02/crime-agency-turns-to-google-ads-to-deter-teen-ddos-hackers/

No password required! “Sign in with Apple” account takeover flaw patched

By Paul Ducklin

A security researcher from Delhi in India is a tidy $100,000 richer thanks to a bug bounty payout from Apple for an account takeover flaw that he discovered in the Sign in with Apple system.

Bhavuk Jain, a serial bug bounty hunter, has described how he found the sort of bug that leaves you thinking, “It can’t have been that simple!”

Apparently, however, it was.

When we say “simple”, of course, we don’t mean that the bug itself was glaringly obvious to find and that anyone could have done it in 60 seconds.

Fortunately, a lot of security holes that leave you with a facepalm feeling after you hear about them depend on a researcher knowing where to look in the first place.

Finding “simple” bugs is often an intangible mixture of skill, experience, doggedness, intuition and – we have to be honest here – at least a bit of luck.

What’s simple about this one was the theoretical ease with which anyone who knew how to trigger it could have exploited it.

Read more at https://nakedsecurity.sophos.com/2020/06/01/no-password-required-sign-in-with-apple-account-takeover-flaw-patched/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
