Don’t Use Hardcoded Keys (DUHK) – Security researchers have found a serious security issue involving an old pseudo-random number generator (PRNG) protocol, deprecated in many products but still found in around 25,000 devices made by Fortinet. The ANSI X9.31 protocol dates from the 1990s and was approved and in use up until 2016; it uses a fixed key as one of the inputs used to generate pseudorandom numbers. However, as one of the researchers explains:
“If an attacker were to obtain K (one of the pseudorandom number generator’s (PRG’s) input values) somehow, and then was able to learn only a single 16-byte raw output block (Ri) from a working PRG, she could do the following: (1) guess the timestamp T, (2) work backwards (decrypting using K) in order to recover the corresponding state value V, and now (3) run the generator forwards or backwards (with guesses for T) to obtain every previous and subsequent output of the generator.
“Thus, if an application uses the ANSI generator to produce something like a random nonce (something that is typically sent in a protocol in cleartext), and also uses the generator to produce secret keys, this means an attacker could potentially recover those secret keys and completely break the protocol.”
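As an added illustration (not code from the original post or from the DUHK researchers), here is an AES-128 instantiation of the X9.31 generator in Go, together with the state-recovery step quoted above: given the hard-coded K, a guessed T and one cleartext output block, it decrypts to recover V and then reproduces the generator's later output. The key, timestamp and seed values are constructed for the demo and stand in for a key baked into firmware.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "fmt")

func xor16(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}

func enc(k cipher.Block, in []byte) []byte { out := make([]byte, 16); k.Encrypt(out, in); return out }
func dec(k cipher.Block, in []byte) []byte { out := make([]byte, 16); k.Decrypt(out, in); return out }

// X931 is an ANSI X9.31 generator instantiated with AES-128. Per output block:
// I = E_K(T); R = E_K(I ^ V); V' = E_K(R ^ I), with K fixed for the generator's life.
type X931 struct {
	k cipher.Block
	V []byte // 16-byte internal state
}

func NewX931(key, seed []byte) *X931 {
	blk, err := aes.NewCipher(key)
	if err != nil { panic(err) } // demo code: a wrong key length is a programming error
	return &X931{k: blk, V: append([]byte(nil), seed...)}
}

// Next emits one block for timestamp block t and advances the state.
func (g *X931) Next(t []byte) []byte {
	i := enc(g.k, t)
	r := enc(g.k, xor16(i, g.V))
	g.V = enc(g.k, xor16(r, i))
	return r
}

// RecoverFromOutput is the DUHK step: from the hard-coded K, a guessed T and one observed
// block r, recover the V that produced r and a generator in the device's post-r state.
func RecoverFromOutput(key, t, r []byte) ([]byte, *X931) {
	g := NewX931(key, nil)
	i := enc(g.k, t)
	v := xor16(dec(g.k, r), i) // r = E_K(I ^ V)  =>  V = D_K(r) ^ I
	g.V = enc(g.k, xor16(r, i))
	return v, g
}

func main() {
	key, t := []byte("hardcoded-key-16"), []byte("timestamp-block0") // constructed: firmware key and a known T
	dev := NewX931(key, []byte("initial-state-V0"))
	nonce, secret := dev.Next(t), dev.Next(t) // nonce goes out in cleartext; secret should not
	_, clone := RecoverFromOutput(key, t, nonce)
	fmt.Println("secret predicted from the nonce alone:", string(clone.Next(t)) == string(secret))
}
```

The same idea with a per-device, secret K gives the observer nothing to decrypt with, which is why the fix is to stop shipping the key in firmware and to move off X9.31 entirely.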
Patches are available for the Fortinet products; however, there may be other vendors and devices using the same protocol which were not identified in the initial search. This may be the tip of the iceberg, but for now, if you use Fortinet products which utilise the protocol, you know what to do.
Offshore Legal Firm Hacked – Financial details of some of the world’s richest individuals are likely to be published in the near future after a Bermuda-based legal firm was breached by hackers. Appleby has been bracing for the coming storm and has been approached by the International Consortium of Investigative Journalists after information was leaked. The leak is also expected imminently, as Appleby recently stated that “a data security incident last year which involved some of our data being compromised” had occurred. The Telegraph is running with the story today and has stated: “it is understood the leak involves some of Britain’s wealthiest people, who were instructing lawyers and public relations companies in an effort to protect their reputations.” We will just have to wait and see what is leaked in the coming days.