Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

It was a tough week for TeamViewer, a service that allows computer professionals and consumers to log into their computers from remote locations. For a little more than a month, a growing number of users have reported that their accounts were accessed by criminals who used their highly privileged position to drain PayPal and bank accounts. Critics have speculated that TeamViewer itself has fallen victim to a breach that is making the mass hacks possible.

On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was "significant," but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services.

Ars spoke with Schmidt to get the latest. What follows is a lightly edited transcript of the conversation:


libtiff, as the name implies, is a library used to parse TIFF-formatted images. While you don't run into TIFF images on the web every day, the format is quite popular for higher-resolution, high-quality applications like printing. TIFF allows the user to select between lossless and lossy compression.

While the library is very popular, a reader wrote in last week asking if the library is still maintained.

Currently, there are three security issues listed in NIST's vulnerability database. These issues affect the most recent version of libtiff (4.0.6), which was released in September last year. Popular software such as Google Chrome uses libtiff, so these vulnerabilities are reachable through it.

This issue isn't unique to libtiff. Important libraries (not just open source; the same problem comes up with commercial software as well) stop being maintained without notice, and users of these libraries have no idea that new vulnerabilities are no longer being patched.

If you develop software, it is critical that you track the code that you include (again: open source and commercial). There are a number of checks you should perform before adding a library to your repository of approved third-party code:

- Is the code still maintained? (e.g. are there any outstanding known vulnerabilities?)
- How would you learn about a patch being released? (a mailing list?)
- Is the code's license compatible with your project? (some open source licenses restrict commercial use)

And most important: have a repository of approved third-party code! Don't just include libraries without considering alternatives first. Code reuse is great, and developers should take advantage of already written code, but you have to manage the use of third-party code.

And finally: what is your exit strategy? I have no idea what to recommend in the libtiff case. Can you do without it? Can you afford to wait? (I don't see any exploits ... yet ... publicly...)
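As an added example (not part of the ISC diary), the checks above applied to a small inventory of third-party libraries in Python. The policy thresholds, the second library and the exact dates are constructed for illustration; the libtiff row mirrors the diary's description (4.0.6, three NVD issues, released the previous September).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds are assumptions for this example; tune them per organisation.
MAX_DAYS_WITHOUT_RELEASE = 180  # older than this with open CVEs counts as unmaintained
APPROVED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "libtiff"}


@dataclass
class Library:
    name: str
    version: str
    last_release: date            # date of the newest upstream release
    open_cves: int                # unpatched issues listed in NVD for that release
    patch_channel: Optional[str]  # how we learn about patches (list, feed); None if unknown
    license: str
    exit_strategy: Optional[str]  # documented replacement or removal plan; None if absent


def review(lib: Library, today: date) -> List[str]:
    """Apply the diary's four questions; an empty list means the library passes."""
    findings = []
    idle_days = (today - lib.last_release).days
    if lib.open_cves and idle_days > MAX_DAYS_WITHOUT_RELEASE:
        findings.append(f"unmaintained: {lib.open_cves} open CVE(s) and no release for {idle_days} days")
    if not lib.patch_channel:
        findings.append("no channel to learn about patch releases")
    if lib.license not in APPROVED_LICENSES:
        findings.append(f"license {lib.license!r} is not on the approved list")
    if not lib.exit_strategy:
        findings.append("no exit strategy documented")
    return findings


def review_inventory(libs: List[Library], today: date) -> Dict[str, List[str]]:
    """Review every library; gate merges on an empty findings list per entry."""
    return {lib.name: review(lib, today) for lib in libs}


# Constructed inventory: the release day, the second row and the review date are made up.
INVENTORY = [
    Library("libtiff", "4.0.6", date(2015, 9, 12), 3, None, "libtiff", None),
    Library("zlib-example", "1.2.8", date(2016, 5, 1), 0, "security@example.org", "Zlib",
            "drop in favour of the OS package"),
]
REVIEW_DATE = date(2016, 6, 6)

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, REVIEW_DATE).items():
        print(name, "APPROVED" if not findings else "BLOCKED")
        for finding in findings:
            print("  -", finding)
```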

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Jacob Appelbaum, as seen in this 2013 photo. (credit: Tobias Klenze)

Tor Project officials say that one of their most public-facing developers and a member of the "Core Team," Jacob Appelbaum, left the organization on May 25 after "public allegations of sexual mistreatment."

In a statement published Saturday on the Tor Project's website, the organization wrote:

These types of allegations were not entirely new to everybody at Tor; they were consistent with rumors some of us had been hearing for some time. That said, the most recent allegations are much more serious and concrete than anything we had heard previously.

We are deeply troubled by these accounts.

We do not know exactly what happened here. We don't have all the facts, and we are undertaking several actions to determine them as best as possible. We're also not an investigatory body, and we are uncomfortable making judgments about people's private behaviors.

The statement continued, saying that Tor is "working with a legal firm" specializing in sexual misconduct. The statement added:
