Blog entry by Les Bell

by Les Bell - Wednesday, 15 March 2023, 12:21 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Plan for TLS Certificate Renewal Automation

The Chromium Project, which underlies the Chrome browser as well as Microsoft's Edge browser, has announced that it is planning to introduce a proposed maximum "term limit" of 7 years for root CAs, as well as a maximum validity period of 3 years for subordinate CAs, and has submitted these proposed changes to the CA/Browser Forum Server Certificate Working Group for consideration. It is not clear whether Google will unilaterally enforce these changes in Chrome if the Working Group rejects them.

Of more pressing concern for most readers, however, is the related proposal to reduce the maximum validity period for TLS server certificates from 398 days to just 90 days. This is just a continuation of a long-standing trend - the maximum validity period used to be three years, but was then reduced to two years and, most recently, to just over a year; I have routinely warned course attendees against buying long-validity certificates since most CAs do not distribute CRLs for server certificates and a compromise could allow an attacker to masquerade as the victim server for anything up to three years.

The rationale for a 90-day validity is to allow for faster adoption of emerging security capabilities and best practices, as well as promoting cryptographic agility - a 90-day validity will make it easier to quickly adopt new post-quantum algorithms.

I long ago adopted the practice of documenting the certificate renewal procedure for our certificates - a process which was frustrated by continual changes at the CA, which made certificate renewal an unnecessarily stressful and error-prone process. Readers who only manage one or two certificates for annual renewal will recognise the problem and view the prospect of manual renewal every three months with some horror. Fortunately, there is a solution.

The ACME (Automatic Certificate Management Environment) protocol enables automatic lifecycle management of TLS certificates. For example, it automates the domain verification step required by the CA - otherwise performed manually by email or creation of a text file containing a hash value on the web server - as well as the generation of a private key and submission of a Certificate Signing Request and the receipt of the issued certificate. Some ACME clients can even install the new certificate and configure the web server to use it.
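To make concrete what that "text file containing a hash value" actually is under ACME, here is an added example (not part of the original post, nor code from certbot) that computes the RFC 8555 HTTP-01 key authorization and the DNS-01 TXT value from an account key's RFC 7638 thumbprint, and shows the CA-side comparison. SAMPLE_JWK is a constructed placeholder key, and the token-format check is a defensive addition not discussed above.

```python
import base64
import hashlib
import json
import re

# Constructed sample account key (not a real key): the EC P-256 JWK an ACME
# client registers; x and y are placeholder strings, not a valid curve point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU"}

# RFC 8555 s8.3: tokens are unpadded base64url with at least 128 bits of entropy.
# Check this before a token is used as a path under /.well-known/acme-challenge/.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# RFC 7638 s3.2: only these members, lexicographically ordered, feed the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members (RFC 7638)."""
    members = REQUIRED_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported key type")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def is_valid_token(token: str) -> bool:
    return TOKEN_RE.fullmatch(token) is not None

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(thumbprint(accountKey))."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value at _acme-challenge.<domain> is base64url(SHA-256(keyAuth))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def ca_validates_http01(token: str, jwk: dict, fetched_body: str) -> bool:
    """The CA's HTTP-01 check on the body it fetched from
    http://<domain>/.well-known/acme-challenge/<token>: it must equal the key
    authorization, trailing whitespace ignored (RFC 8555 s8.3)."""
    return fetched_body.rstrip() == key_authorization(token, jwk)
```

Because the thumbprint covers only the required JWK members, the same account key always yields the same key authorization regardless of how the client serialises optional fields such as "kid" or "use".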

The most popular ACME client is the Electronic Frontier Foundation's certbot, which is available via the standard package manager for many Linux distributions and has quite comprehensive online instructions. However, Let's Encrypt provides a useful list of alternative clients.

In a timely coincidence, Google Trust Services has announced that it will now provide free TLS certificates for Google Domains customers, and their blog post walks users through the process of installing the required API key and then using the Certbot client to register an account and obtain a certificate.

Electronic Frontier Foundation, Certbot, web page, undated. Available online at https://certbot.eff.org/.

Let's Encrypt, ACME Client Implementations, web page, 29 June 2022. Available online at https://letsencrypt.org/docs/client-options/.

Uncredited, Moving Forward, Together, Chromium Project page, 3 March 2023. Available online at https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/.

Warner, Andy and Carl Krauss, Google Trust Services now offers TLS certificates for Google Domains customers, blog post, 2 March 2023. Available online at https://security.googleblog.com/2023/03/google-trust-services-now-offers-tls.html.

Blackcat Turns Nasty

In yet another example of the consequences of not paying ransom demands, the Russia-based Blackcat ransomware group has made good on threats against a medical practice in Lackawanna County, Pennsylvania. In February, the group compromised a radiation oncology system which stored photographs of patients undergoing cancer treatment, but the Lehigh Valley Health Network refused to pay the ransom demand.

A few weeks later, Blackcat threatened to publish data stolen from the system, claiming "We are ready to unleash our full power on you!". Now they have followed through, releasing graphic images of patients who are undergoing treatment for breast cancer, along with 7 documents containing patient information.

This is another step in an escalation by ransomware operators, as they attempt to deal with victims who refuse to pay up. As the media covers more and more cases of ransomware attacks, the public is coming to understand how aggressive the ransomware operators are and just how difficult perfect defence is, as well as the fact that paying only encourages cybercriminals.

It would be going too far to say the public - especially the directly affected victims - are sympathetic to compromised enterprises, but they are now in no doubt that the bad guys are the attackers, not the companies they breach. But it certainly makes it easier for affected companies to refuse to pay people who commit such heinous crimes.

In related news, Amazon's Ring smart doorbell division is denying that it has fallen victim to a ransomware attack by a group called ALPHV, which is known to use Blackcat. However, leaked internal chats suggest that Ring's security teams are working on something.

Newman, Lily Hay, Ransomware Attacks Have Entered a ‘Heinous’ New Phase, Wired, 13 March 2023. Available online at https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/.

Truță, Filip, Amazon’s Ring Denies Hackers’ Claims of Ransomware Infection, Bitdefender blog, 15 March 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/amazons-ring-denies-hackers-claims-of-ransomware-infection/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
