SNAFU

Welcome back to the coalface to all of you who had some nice relaxing time off over the Easter (or ‘Spring’ if you are of an American persuasion) break.

Because the dates of Easter (although not Spring – that is all about the Sun, hmm) are down to the timing of the full moon, they can fall either before or after another very important day: Microsoft’s Patch Tuesday.

This year Patch Tuesday came after Easter, causing shoulders to tense, stomachs to churn and hopefully patching to be executed and checked.

This month’s package is really something, fixing 24 critical vulnerabilities and a whole host of other nasties. As is usually the case, Adobe have done a #metoo, announcing fixes for a number of issues.

Rather than regurgitate the words of others, we would draw your attention to the advice given by Mr Brian Krebs or John E Dunn of Sophos Naked Security labs, who must be shivering at his keyboard in the current, non-Spring-like weather.

It will come as no surprise that world+dog are recommending patching. Mr Krebs recommends perhaps leaving it a few days to see if any of the updates will bork your environment. Given the hardcore nature of some of these patches, that is probably good advice, at least on systems that, unlike Windows 10, do not update automatically by default.

Hopefully that covers ‘appropriate messaging’, leaving the rest of this week’s missive to discuss very interesting (honest) developments in the world of random numbers.

Way back in 2007, the legend that is Bruce Schneier wrote an essay for Wired magazine highlighting the issues involved with potential flaws (or indeed state-sanctioned backdoors, mwahaha) in current random number generators (DRBGs – Deterministic Random Bit Generators), specifically one called Dual_EC_DRBG. This pesky algorithm has had more press than many reality TV stars, and has even been covered twice in this blog, here and here.

There is rarely smoke without fire so this is a fairly big issue for the secure operation and privacy (from the aforementioned nation state actors) of things like TLS and things that may use TLS, such as DNS over TLS.

11 years later, over the hill comes a hoody-wearing band of potential saviours: none other than the US National Institute of Standards and Technology, who have developed foolproof random number generation using Quantum entanglement. We can’t even begin to understand the mathematics (or ‘math’..) or physics (‘physics’) behind this, which are detailed in the fantastically titled paper ‘Experimentally generated randomness certified by the impossibility of superluminal signals’, and can’t really see when this technique will be applicable IRL, but all developments in Quantum as applied to security are very interesting, to us anyway. If, like us, you don’t understand many words in the paper, the boys and girls at The Register have done a great job of making it slightly understandable.

Regular readers may recall that one of our more wacky predictions for 2018 was the impact of Quantum on security. We were thinking about instantaneous key breaking and decryption of legacy crypto along with unbreakable cyphers. This is a step in that direction and we look forward to the results of what will surely become a quantum arms race.

Back in the real world, we wish you well with your patching. If you would like some advice or assistance on any security-related issues, please contact us at: [email protected] or call 66363635237286575234983423462489237982498718181919 (not really, that’s just a pseudo-random number generated using the ‘eyes closed’ technique; our actual number is 020 7517 3900).