Hackers Steal More Than 3TB of Data from Vevo
A group of hackers called OurMine has leaked 3.12TB of files belonging to video-hosting service Vevo. The files were obtained after hackers compromised an employee’s account on Okta, a single sign-on service used by Vevo’s staff to access business applications, Gizmodo reports.
The company confirmed to Gizmodo that it is investigating a data breach after an employee fell victim to a phishing scam via Linkedin. OurMine has since removed the files from its website, citing “a request from Vevo.”
The large amount of data compromised in this incident highlights the risks that even simple phishing attacks can pose to organizations and the need for companies to deploy stricter access controls.
Microsoft Azure Adds Encryption for Data in Use
There are typically three layers where data needs to be protected: while in transit, while at rest and while in use. Securing data in transit and at rest is done with secure transport protocols including TLS and storage or database encryption schemes. However, protecting data while it’s processed by applications in RAM has always been a hard problem to tackle.
Various types of attacks can result in complete access to a system’s memory and give hackers access to data in plain text that would otherwise be protected. There’s a reason why many malware programs that steal credit card information from point-of-sale systems are called memory scrapers—they obtain sensitive data from RAM where it’s not encrypted.
Attackers could use stolen credentials to gain full administrative privileges on computers, could escape from virtual machines into underlying servers by exploiting vulnerabilities or could work with malicious insiders who have physical access to sensitive systems. These are typically game-over scenarios for data security in many environments, but not anymore on Microsoft’s Azure cloud computing platform.
On Thursday, the company announced Azure confidential computing, a new feature available through its Early Access program that allows applications to process sensitive data inside a Trusted Execution Environment (TEE). This is a separate area of the processor—an enclave—with its own private memory that can only be accessed by authorized code. The code is continually checked by the TEE and access is revoked if it’s altered in any way.
Azure’s confidential computing system offers a software-based TEE called the Virtual Secure Mode (VSM) that is implemented through Microsoft’s Hyper-V hypervisor, as well as a hardware-based TEE based on the Software Guard Extensions (SGX) from Intel’s newer processors. Microsoft already uses this feature for Azure SQL Database and SQL Server, but plans to expand it.
“Put simply, confidential computing offers a protection that to date has been missing from public clouds, encryption of data while in use,” said Mark Russinovich, the CTO for Microsoft Azure, in a blog post. “This means that data can be processed in the cloud with the assurance that it is always under customer control.”
Google Publishes Timeline for Removing Trust in Symantec Certificates
Google previously announced plans to revoke trust for all SSL certificates issued by Symantec, one of the largest certificate authorities in the world. This action is in response to multiple incidents of certificate mis-issuance at the company over the past few years and has likely contributed to Symantec’s recent decision to sell its certificate business to DigiCert.
The trust removal will happen in two steps and now there’s a timeline that should help organizations plan the replacement of their Symantec-issued SSL certificates.
The first big change will come in Chrome 66, which will reach beta in March 2018 and stable in April. That version of the browser will not trust any Symantec certificates issued before June 1, 2016. If you have any long-lived certificates that were issued before June 1, 2016, and won’t expire by March 15, 2018, you should replace them until that date.
The more drastic action will be taken in Chrome 70, which will reach beta stage Sept. 13, 2018, and stable Oct. 23, 2018. In that Chrome version, Google will remove Symantec’s root certificates so any end user certificates that chain back to them no longer will be trusted.
Symantec expects its certificate issuance operations to be switched over to DigiCert’s infrastructure by Dec. 1. If your Symantec-issued certificates are scheduled to expire after this date, you can obtain new ones from DigiCert or another CA when they expire. However, if they expire before Dec. 1 and you renew them from Symantec’s current infrastructure, keep in mind that they will stop working in Chrome 70.
