Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: Microsoft plans to retire support for TLS certificates signed by the SHA1 hashing algorithm in the next four months, an acceleration brought on by new research showing it was even more prone to cryptographic collisions than previously thought. Tens of millions of stolen credentials for Gmail, Microsoft and Yahoo email accounts are being shared online by a young Russian hacker known as “the Collector” as part of a supposed larger trove of 1.17 billion records. An analysis of proof-of-concept (PoC) exploits shared online over the last year has shown that social media is the main distribution channel for PoCs, according to threat intelligence firm Recorded Future. All blogs hosted on Google’s blogspot.com domain can now be accessed over an encrypted HTTPS connection.
Microsoft to retire support for SHA1 certificates in the next 4 months – Publication: Ars Technica – Reporter name: Dan Goodin
The software maker hinted at the expedited deprecation in November. Last week, it made those plans official. Sometime this summer (for those in the Northern Hemisphere, anyway) the general release versions of Microsoft’s Edge and Internet Explorer browsers will stop displaying the address bar lock when visiting HTTPS sites protected by SHA1 certificates. The change will occur even sooner for upcoming Windows Insider Preview builds, which are mostly used by developers for testing purposes.
A Russian hacker gave away millions of email credentials for social media votes – Publication: PCWorld- Reporter name: Katherine Noyes
That’s according to Hold Security, which says it has looked at more than 272 million unique credentials so far, including 42.5 million it had never seen before. A majority of the accounts reportedly were stolen from users of Mail.ru, Russia’s most popular email service, but credentials for other services apparently were also included. Hold discovered the breach when its researchers came across the hacker bragging in an online forum. Though the hacker initially asked Hold for 50 rubles for the initial 10GB stash — that’s equivalent to about 75 cents — he eventually turned it over to them in exchange for likes and votes for him on social media.
PoC Exploits Mainly Distributed via Social Media – Publication: SecurityWeek – Reporter name: Eduard Kovacs
A search on Recorded Future’s threat intelligence platform uncovered roughly 12,000 PoC exploit references shared on the Web since March 22, 2015. The company says this represents a near 200 percent increase compared to the previous year. A large majority of the PoCs identified by researchers were disseminated via social media networks — primarily Twitter. In 97 percent of cases, social media has been used to share links to code repositories, paste sites, other social media networks, and deep Web forums hosting the actual PoC code. In some cases, PoC exploit references were found on code repositories, mainstream sites, blogs, forums, malware and vulnerability reporting websites, and paste sites.
Google turns on HTTPS for all Blogspot blogs – Publication: PCWorld – Reporter name: Lucian Constantin
Instead of the “HTTPS Availability” option, blog owners can now use a setting called “HTTPS Redirect,” which will redirect all visitors to the HTTPS version of their blogs automatically. If the setting is not used, users will still be able to access the non-encrypted HTTP version. Forcing HTTPS by default would have been better, but would have likely triggered mixed content alerts in users’ browsers for some blogs. These errors happen when a website served over HTTPS loads resources, such as images and code, from external servers that don’t use HTTPS.