Don’t Believe the Hype
The computer security world is no stranger to hype, histrionics, and hyperbole. While there are certainly serious issues that are periodically discovered, we sometimes find ourselves halfway to our zero-day shelter before we realize we’ve gotten carried away.
Recently, the folks at Shadow Brokers released another batch of tools, kicking off hours of chaos over whether weaponized zero-day tools could find their way into the hands of script kiddies around the world. While the first look is crucial, you can’t always trust it, as independent testing and an announcement from Microsoft revealed that the vulnerabilities were patched on supported, up-to-date systems. (Everyone’s Windows machines are up to date and supported, right?)
While this spells trouble for legacy systems, unsupported operating systems have been a serious liability for years, regardless of leaked tools. As lcamtuf says, “if you’re scrambling to lock down your Internet-exposed SMB servers in response to the most recent revelations from Shadow Brokers, you’re probably in deep trouble – and it’s not because of the NSA.”
Next on the Wheel-O’-Hype: named bugs! While a recognizable name and central resource for information can be useful for quickly fixing vulnerabilities, sometimes the bug doesn’t live up to the doom-and-gloom marketing, forcing experts to fight the power of reactionary FUD that is out of proportion to the actual threat.
The latest in this saga of overblown threats is ringroad, essentially a design choice that can leak the length of a user’s password in network traffic. The issue appears to be the use of AES-GCM without taking extra effort to obscure the length of the input, leaving the ciphertext the same length as the plaintext.
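The length relationship described above, and the kind of extra effort that hides it, shown as an added example that is not code from the original post or the cited research. The 64-byte field size, the one-byte length prefix and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bucket = 64 // assumed fixed field size, larger than any allowed password

// seal encrypts msg with AES-GCM and returns nonce || ciphertext || tag.
func seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// padFixed frames pw as one length byte plus data, zero-filled to bucket bytes,
// so every password produces a plaintext of the same size.
func padFixed(pw []byte) ([]byte, error) {
	if len(pw) >= bucket {
		return nil, fmt.Errorf("password exceeds %d-byte field", bucket-1)
	}
	out := make([]byte, bucket)
	out[0] = byte(len(pw))
	copy(out[1:], pw)
	return out, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // throwaway demo key; errors below ignored because inputs are fixed and valid
	for _, pw := range []string{"hunter2", "correct horse battery staple"} { // constructed samples
		raw, _ := seal(key, []byte(pw))
		field, _ := padFixed([]byte(pw))
		padded, _ := seal(key, field)
		fmt.Printf("password=%2d bytes  raw=%d  padded=%d\n", len(pw), len(raw), len(padded))
	}
}
```

Sealed directly, the message size is always the password length plus 28 bytes of nonce and tag, so an observer can subtract the overhead; sealed after padding, every password produces the same 92 bytes.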
While this is bad if an attacker can mount offline attacks against the password, the quoted research was
This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog