- There is yet another vulnerability in Adobe PDF reader that has been revealed and there are known exploits in the wild. Warn clients about the risk of opening PDF files from unknown sources. Adobe has not yet issued a patch, but there is a third party patch available. It is quite unusual for a third-party researcher to issue a patch before the vendor. WAKE UP, Adobe!.

- No one likes to lose employees, through layoffs for any other reason, but layoffs are a matter of survival for many companies in this economy. This article highlights a recent web survey that should concern any employer. A large percentage of employees leaving their jobs take more with them than the contents of their desks. This risk is not completely avoidable, but employers should do all they can to prevent company data from leaving with former employees.

- Finally, and this is hardly shocking, wi-fi networks in airports are very risky. Make sure clients know how to use SSL connections and/or a VPN connection to secure communications on public networks. Laptops should be configured to connect to infrastructure networks only - airports are full of rogue ad-hoc "free" wi-fi opportunities (as in opportunities to be hacked). I have seen more than one traveler bring these back to the office after a business trip.

Dennis H in West Virginia, US

February 25, 2009

First of all, thanks to David Lanciault for being the first to post a distribution email about this breaking security news. "The Sky Is Falling" headlines started been spreading across the security blogs a day or two ago. I wanted to take a break from the firewall series to address this issue, but I also wanted to wait until more details were revealed. As I had hoped, Steve and Leo are have also addressed the issue in this week's episode of Security Now! (episode 177).

SSL is the very foundation of internet security and is also essential to many other security systems. If it were truly broken, this would be the most significant security event in decades. SSL IS NOT BROKEN!!! Blogs thrive on headline-grabbing hype and most of the bloggers either don't understand how the Public Key Infrastructure Works, or just don't care about being accurate.

In brief:

- The exploit demonstrated attacks known weaknesses in the MD5 (Message Digest v.5) hashing algorithm. Past Security Corner articles have discussed the PKI, certificates, and hashing algorithms in some detail. Weaknesses in MD5 have been a growing concern for the past couple of years. Unfortunately, quite a few root Certificate Authorities have not seen this as a reason to stop using MD5. Many others, however, have done so and have moved to the exclusive use of SHA (Secure Hash Algorithm), version 1 or 2. These hashing algorithms are not affected by the most current exploit and there are no known exploits against them. You can bet that ALL root CAs will be changing quickly to SHA. The SSL standard does not prescribe or rely upon the use of MD5
- Creating a rogue Certificate Authority (which is what this compromise of MD5 allows), also depends upon the predictability of serial numbers and time stamps used by root CAs. This can be changed quickly to thwart these attacks.
- Although the necessary calculations took only 2 days (using 200 Playstation 3s), duplicating the entire process would take an estimated six months, so there is no reason to panic. SSL will continue to be secure.

To be sure, this is a BIG WAKE-UP CALL to those CAs that have not recognized the vulnerability associated with the continued use of MD5. THANKFULLY, it was a couple of security researchers (the "good guys") who made this public so it can be addressed. The internet community must, and will, move quickly to resolve this issue. I will post more news as it become available.

Dennis H in West Virginia, US

January 1, 2009