Information Security News
Just how bad is 'Heartbleed'?
According to Ty Miller, founder and CEO of infosec firm Threat Intelligence, there may be up to 117,000 vulnerable web servers using a vulnerable version of SSL. Miller adds that the actual number of vulnerable systems will be far greater since this ...
Cimcor to Sponsor & Attend Central Ohio ISSA Information Security Summit
Insurance News Net (press release)
Cimcor has a long history of supporting information security organizations such as ISSA. According to Mike Moskalick, regional sales manager for CimTrak, "we actively seek to partner with organizations such as the ISSA. They provide ...
For more than two years, the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a critical defect that allowed attackers to pluck passwords, authentication cookies, and other sensitive data out of the private server memory of websites. Ars was among the millions of sites using the OpenSSL library, and that means we too were bitten by this extraordinarily nasty bug.
By mid-morning Tuesday, Ars engineers had already updated OpenSSL and revoked and replaced our site's old TLS certificate. That effectively plugged the hole created by the vulnerability: with the OpenSSL update installed, attackers could no longer siphon sensitive data out of our server memory. And although there's no evidence the private encryption key for Ars' previous TLS certificate was compromised, the replacement ensured no one could impersonate the site in the event hackers obtained the key.
With Ars servers fully updated, it's time to turn our attention to the next phase of recovery. In the hours immediately following the public disclosure of the so-called Heartbleed vulnerability, several readers reported their Ars accounts were hijacked by people who exploited the bug and obtained other readers' account passwords. There's no way of knowing if compromises happened earlier than that. Ars has no evidence such hacks did occur, but two years is a long time. There's simply no way of ruling out the possibility.
Overview of the April 2014 Microsoft patches and their status.
# | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*)
Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (replaces MS14-001)
Cumulative Security Update for Internet Explorer (replaces MS14-012)
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (replaces MS12-081)
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (replaces MS13-042)
(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns, since Microsoft gives some patches too many separate ratings to list individually.
------(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. Caused by a missing bounds check in the source code, Heartbleed allows attackers to read large chunks of the private memory of any process that uses OpenSSL. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of malformed requests to vulnerable servers. The returned contents could include something as banal as a time stamp, or far more valuable assets such as authentication credentials or even the private key behind a website's TLS certificate.
Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g, which readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.
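The missing bounds check described above, as an added illustration in Python (this is neither OpenSSL's code nor code from the article). A TLS heartbeat message is a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The unpatched handler trusted the two-byte length when copying the payload into its reply, which is why a single request can pull up to 65535 bytes of whatever sits next to the record in the process heap; the fixed handler drops any record whose claimed length does not fit in what was actually received. The fake heap layout, the secret string and the "hi!" payload are constructed for the demonstration.

```python
"""Model of the OpenSSL heartbeat bounds-check bug (Heartbleed).

Added illustration, not OpenSSL's code. A TLS heartbeat message (RFC 6520) is:
1 byte type, 2 bytes payload_length, payload, then >= 16 bytes of padding.
The unpatched handler trusted payload_length when building the reply.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16
HEADER = struct.Struct("!BH")   # type, payload_length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets the sender lie about the payload size."""
    if claimed_length is None:
        claimed_length = len(payload)
    return HEADER.pack(HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(memory: bytes, record_offset: int, record_length: int) -> bytes:
    """Unpatched behaviour: echo payload_length bytes starting at the payload,
    no matter how long the received record really is.

    `memory` stands in for the process heap; the record lives inside it and whatever
    follows it (keys, cookies, other clients' requests) is what gets copied out.
    A Python slice past the end is truncated rather than reading garbage, so the
    arena in simulate() is kept small; real OpenSSL copied up to 0xFFFF bytes."""
    _hbtype, payload_len = HEADER.unpack_from(memory, record_offset)
    payload_start = record_offset + HEADER.size
    leaked = memory[payload_start:payload_start + payload_len]   # memcpy(bp, pl, payload)
    return HEADER.pack(HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING


def process_heartbeat_fixed(memory: bytes, record_offset: int, record_length: int) -> Optional[bytes]:
    """Patched behaviour (1.0.1g): silently discard a record whose claimed payload,
    plus header and minimum padding, exceeds the record actually received."""
    if record_length < HEADER.size + PADDING:          # too short to hold a heartbeat at all
        return None
    _hbtype, payload_len = HEADER.unpack_from(memory, record_offset)
    if HEADER.size + payload_len + PADDING > record_length:
        return None                                     # the bounds check that was missing
    payload_start = record_offset + HEADER.size
    echoed = memory[payload_start:payload_start + payload_len]
    return HEADER.pack(HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


# Constructed stand-in for data belonging to other connections in the same process.
SECRET = b"Cookie: session=0123456789abcdef; Authorization: Basic dXNlcjpwYXNz"


def simulate(handler, claimed_length: Optional[int]) -> Optional[bytes]:
    """Place a heartbeat record in a constructed heap and run one handler over it."""
    record = build_heartbeat(b"hi!", claimed_length)
    memory = b"\x00" * 32 + record + SECRET + b"\x00" * 64   # constructed heap layout
    return handler(memory, 32, len(record))


if __name__ == "__main__":
    print("vulnerable, lying request :", simulate(process_heartbeat_vulnerable, 0xFFFF))
    print("fixed, lying request      :", simulate(process_heartbeat_fixed, 0xFFFF))
    print("fixed, honest request     :", simulate(process_heartbeat_fixed, None))
```

The honest request (claimed length equal to the real payload) is answered identically by both handlers, which is the point of the fix: it rejects only records whose header lies about their own size.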
SANS's lead author Dr. Eric Cole to be honoured at Infosecurity Europe 2014
On 1st May at 10:00am, Dr. Cole will offer a presentation at the InfoSec Europe “Keynote Theatre” which will provide a candid view of the current state of the industry and emerging threat landscape. In addition, Dr. Cole is available to the press and ...
by Peter Bright
It's finally here. After 12 years, 6 months, and 12 days on the market, Windows XP has hit its end of life. It will receive its last ever set of patches on Windows Update today (or "Woo" as Microsoft remarkably pronounces it internally), and for the most part, that will be that. Any flaws discovered from now on—and it's inevitable that some will be discovered—will never be publicly patched.
How bad is this going to be? It's probably going to be pretty bad. By some measures, about 28 percent of the Web-using public is still using Windows XP, and these systems are going to be ripe for exploitation.
While we can hope that personal firewalls and NAT systems will prevent any kind of Code Red or Nimda-style self-propagating worm from infecting these systems, exploitation through the likes of malicious e-mail attachments, Office documents, USB keys, and browsers is inevitable.
(this article is work in progress and will be updated as we have new information. Also see the comments for links to signatures and other information provided by readers)
We decided to go to Infocon Yellow to alert readers of this vulnerability.
For those of you using OpenSSL 1.0.1 (shipped by most recent Unix-like systems), it is critical that you patch the OpenSSL library, as well as any binaries compiled statically against OpenSSL, as soon as possible. Restart every service that loaded the old library, or reboot: a running process keeps using the copy it mapped at startup until it is restarted.
The attack allows a remote attacker to read up to 64 kBytes of memory from the process using OpenSSL per attempt, and attempts can be repeated without limit. It works against servers as well as against clients (a malicious server can read a vulnerable client's memory). While not all software using SSL/TLS uses the OpenSSL library, much of it does. (see our prior diary)
A proof of concept exploit has been made available and I have tested it. It can be used to remotely scan for vulnerable systems. We have not yet detected widespread use of the exploit, but it is literally hours old. At this point, we don't think the vulnerability was known in the underground before the official release, but it is possible.
Check if you are vulnerable. "openssl version -a" will return the version information. If your version is 1.0.1 (1.0.1 through 1.0.1f), you MAY be vulnerable; 1.0.1g is the fixed release. Other major versions (0.9.x, 1.0.0, ...) are not vulnerable, with the exception of the 1.0.2-beta1 pre-release. Note that distribution vendors often backport the fix without changing the upstream version string, so a patched Debian, Ubuntu or Red Hat system may still report 1.0.1 or 1.0.1e; there, check the package changelog or the "built on:" date rather than the version alone.
Rule of thumb: If you are using OpenSSL and your server supports TLS 1.2 (check ssllabs.com), you are vulnerable unless patched. 1.0.1 was the first OpenSSL release to support TLS 1.2, so TLS 1.2 support from an OpenSSL server implies the affected branch.
Patch! Ubuntu, CentOS and others have patches available. OS X Mavericks has NO PATCH available. Windows itself is not vulnerable (SChannel does not use OpenSSL), but if you are running open source software like Apache that links against OpenSSL, then you may be vulnerable.
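One way to apply the version check above, as an added example that is not part of the diary. It classifies the output of "openssl version -a" using the rule given (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.x and 1.0.0 unaffected), adds the one other affected release named in the OpenSSL advisory, 1.0.2-beta1, and handles the case the version string alone cannot settle: Debian, Ubuntu and Red Hat shipped the fix as a backport without changing the upstream version, so an affected version whose "built on:" date is on or after 7 April 2014 is reported as inconclusive rather than vulnerable and should be confirmed from the package changelog. The sample outputs in the test are constructed; the disclosure-date cut-off and the assumption that the "built on:" line is in ctime format are the example's own.

```python
"""Classify `openssl version -a` output for Heartbleed exposure.

Added example, not part of the ISC diary. Version letters alone mislead on
distribution packages that backport the fix, so the `built on:` line is used as
a hint: an affected version built on or after the 7 April 2014 disclosure is
reported as inconclusive, not vulnerable.
"""
import re
from datetime import date

DISCLOSURE = date(2014, 4, 7)   # assumption: cut-off for treating a build as a possible backport
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", ...
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")
# ctime-style line: "built on: Mon Apr  7 20:33:29 UTC 2014" (time zone optional)
BUILT_RE = re.compile(
    r"built on:.*?\b([A-Z][a-z]{2})\s+(\d{1,2})\s+\d\d:\d\d:\d\d\s+(?:[A-Za-z]+\s+)?(\d{4})")


def parse_built_on(version_output: str):
    """Return the build date from the `built on:` line, or None if absent or unparseable."""
    m = BUILT_RE.search(version_output)
    if not m or m.group(1) not in MONTHS:
        return None
    month, day, year = m.groups()
    return date(int(year), MONTHS[month], int(day))


def classify(version_output: str) -> str:
    """'vulnerable', 'not vulnerable', 'inconclusive' (affected version but a
    post-disclosure build, probably a backported fix) or 'unknown' (not OpenSSL output)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if release == (1, 0, 1):
        if letter >= "g":                       # 1.0.1g is the fixed release
            return "not vulnerable"
        built = parse_built_on(version_output)
        if built is not None and built >= DISCLOSURE:
            return "inconclusive"               # possible vendor backport; check the changelog
        return "vulnerable"                     # 1.0.1 through 1.0.1f
    if release == (1, 0, 2) and suffix.startswith("beta1"):
        return "vulnerable"                     # the pre-release named in the OpenSSL advisory
    return "not vulnerable"                     # 0.9.x, 1.0.0, later 1.0.2 builds


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    print(out.strip())
    print("verdict:", classify(out))
```

Run it on each host as-is, or feed it the saved output of "openssl version -a" collected from many machines; statically linked binaries are not covered by this check and need the version string extracted from the binary itself.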
You may want to consider replacing SSL certificates if you are afraid the exploit was already used against your site. But the exposure is not limited to the server's private key: all data in the process's memory is potentially at risk, including session cookies, passwords and the contents of other users' requests.
The PoC exploit above can be used to scan your network remotely.
We don't have IDS signatures (yet... wait for updates here). There is no log entry in your web server log, because the heartbeat is handled inside the TLS layer and no HTTP request is ever sent; the application above it never sees the exchange.
nginx, after being patched, logs the following from the PoC exploit:
2014/04/08 12:37:18 [info] 4151#0: *724561 peer closed connection in SSL handshake while SSL handshaking, client: 22.214.171.124, server: 0.0.0.0:8443
You can play Flappy Bird on a POINT OF SALE TERMINAL
Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and ...
Posted by InfoSec News on Apr 08
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
Posted by InfoSec News on Apr 08
http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html
Posted by InfoSec News on Apr 08
http://www.israelnationalnews.com/News/News.aspx/179376