December 2019 Security Roundup

This month, we cover messaging/spy app ToTok, the impending expiration of self-signed certificates on Cisco devices, and a new RSA key cracking record.

Happy Holidays from SSL.com! We hope that you’ve all had a happy and prosperous 2019 and are looking forward to big things in 2020 (as are we)! In our final roundup of the year, we’ll be talking about:

  • A “secure” messaging app that turned out to be a tool for government spying
  • Cisco’s self-signed certificate expiration issue
  • New records for RSA key factoring and discrete logarithm computation

And when you’re finished here, please also check out our new article on what certificate authorities (CAs) do and how hard it is to be one!

Messaging App ToTok is U.A.E. Spy Tool

On December 22, the New York Times reported that the popular messaging app ToTok is also a spying tool used by the United Arab Emirates (U.A.E.) government to “try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” Emirati citizens were attracted to the app because the U.A.E. blocks the functionality of encrypted messaging applications such as WhatsApp and Skype.

ToTok was revealed to the Times to be a spying tool by both U.S. officials who had seen a classified intelligence assessment, and an anonymous digital security expert who said he had gotten the information from “senior Emirati officials.” The app, which bills itself as “secure” despite making no claims of end-to-end encryption, was also widely promoted by Chinese telecom company Huawei.

Both Apple and Google have already removed ToTok from their app stores, but by then the app had been downloaded millions of times.

SSL.com’s takeaway: If you installed this app, delete it immediately, and be careful about the apps you install and the privileges you grant them to access your location and other personal data. As pointed out by another recent New York Times piece, “Your smartphone is one of the world’s most advanced surveillance tools,” and those capabilities are not limited to supplying you with “relevant” ads.

Self-signed certificates on many Cisco devices about to expire

Cisco’s field notice FN-70498 (December 20, 2019) warns users that self-signed X.509 certificates on devices running affected releases of Cisco IOS or IOS XE software will expire at midnight on January 1, 2020. Additionally, new self-signed certificates cannot be created on these devices after this date unless a software upgrade is applied.

After updating the device’s software, any self-signed certificates must be regenerated and exported to any devices that require them in their trust stores.

Cisco notes that:

This issue affects only self-signed certificates that were generated by the Cisco IOS or Cisco IOS XE device and applied to a service on the device. Certificates that were generated by a Certificate Authority (CA), which includes those certificates generated by the Cisco IOS CA feature, are not impacted by this issue.

Following Cisco’s announcement, Rapid7 Labs used Sonar scan data to identify “over 80,000 Cisco devices that will likely be impacted by this impending expiration issue.” Could yours be among them?

SSL.com’s takeaway: By all means update your software if this issue affects you, but we like Cisco’s first suggested workaround, “Install a certificate from a CA,” even better.

New RSA Key-Cracking Record

Dan Goodin at Ars Technica reports that a team of researchers led by Emmanuel Thomé of France’s National Institute for Computer Science and Applied Mathematics has set new records by factoring the “largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm.” The records consist of the factoring of RSA-240 (795 bits) and the computation of a discrete logarithm of the same size.

These records are not due solely to Moore’s Law (the tendency for the number of transistors in ICs to double every two years), as the computational speed gains are greater than would be predicted by incremental hardware improvements alone. Instead, the researchers credit improvements in the software implementation of the Number Field Sieve algorithm used to perform the calculations:

To demonstrate the boost in efficiency, the researchers ran their software on hardware that was identical to that used to compute the 768-bit discrete logarithm in 2016. They found that using the old hardware to sieve the record 795-bit size would take 25% less time than it took the same equipment to perform the 768-bit DLP computation.

SSL.com’s takeaway: We agree with Nadia Heninger (a researcher on the record-breaking team) that the “takeaways for practitioners are basically that we hope they have followed advice to move to at least 2048-bit RSA, Diffie-Hellman, or DSA keys as of several years ago, which would keep them safe from any of these improvements.”

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.