Hackin9
Twitter was not affected by the Heartbleed Internet vulnerability that rocked the Web security world this week, making one less password consumers need to change to protect themselves, but users still need to be careful how they respond to the threat.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Hewlett-Packard will pay $108 million in penalties after subsidiaries in Russia, Poland and Mexico were found to have paid bribes to win business, the U.S. Department of Justice said Wednesday.
 
VMware is about to release a new version of its Horizon VDI (virtual desktop infrastructure) software that will allow administrators to manage VDI and non-VDI deployments in a unified manner, by using multiple VMware technologies.
 
Rick Osterloh has been promoted to president and chief operating officer of Motorola Mobility, the Google business unit that is being acquired by Lenovo.
 
Aurich Lawson / Thinkstock

Update: Errata Security's Robert Graham has acknowledged that he was mistaken in his assessment, and that private keys could be at risk. The original story below has been marked up accordingly.

There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software" (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances.) 

The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further.

Read 9 remaining paragraphs | Comments

 

There are a fair few sites popping up testing for this issue.  I know this is possibly overly motherly, sorry, but be careful.  You may not know who is running the site, what they are actually testing for and what is done with the information collected.  Consider sticking to the main sites and known security organisations.  

Metasploit now has a module out (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb). NMAP likewise has a check.  QUALYS has their SSLLABS page.  Other security vendors are also providing checks in their scanning products.  

Not saying the free scanners are "evil", just saying be careful what you use.  

Cheers

Mark H

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In what is definitely the stuff of science fiction, Land Rover has created a virtual transparent hood that allows drivers to see the ground directly in front of them.
 
Computerworld offers a Tip of the Hat to Shane Dingman of the Toronto Globe and Mail for an easy-to-understand look at the Heartbleed security bug -- what happened, what key websites are among the hundreds of thousands affected, and whether users can do anything at this point.
 
Adobe Flash Player and AIR CVE-2014-0507 Unspecified Buffer Overflow Vulnerability
 
The proposed $45.2 billion acquisition of Time Warner Cable by Comcast would give the company huge market power to determine broadband prices and Internet content, a group of U.S. senators said Wednesday.
 

A whitehat hacker from the Baltimore suburbs went too far in his effort to drive home a point about a security vulnerability he reported to a client. Now he’s unemployed and telling all on reddit.

David Helkowski was working for Canton Group, a Baltimore-based software consulting firm on a project for the University of Maryland (UMD), when he claims he found malware on the university’s servers that could be used to gain access to personal data of students and faculty. But he says his employer and the university failed to take action on the report, and the vulnerability remained in place even after a data breach exposed more than 300,000 students’ and former students’ Social Security numbers.

As Helkowski said to a co-worker in Steam chat, “I got tired of being ignored, so I forced their hand.” He penetrated the university’s network from home, working over multiple VPNs, and downloaded the personal data of members of the university’s security task force. He then posted the data to Pastebin and e-mailed the members of the task force anonymously on March 15.

Read 6 remaining paragraphs | Comments

 
 
[SECURITY] [DSA 2898-1] imagemagick security update
 
Canadian airline WestJet believes gamification, the notion of applying elements of game design to a workplace setting, can help its employees use more effectively its Oracle J.D. Edwards ERP (enterprise resource planning) system.
 
Dropbox unwrapped the enterprise edition of its cloud storage and file sync service on Wednesday, as it seeks to expand its customer base from consumers to businesses.
 
You know that little padlock icon you look for to ensure your Web traffic is encrypted and secure? It turns out that you might not be as secure as you think thanks to a vulnerability that was accidentally introduced into the code of OpenSSL.
 
Working to keep its place in an increasingly heated competitive landscape, MongoDB has updated its namesake open-source NoSQL database system with considerable performance improvements, a new automated management module and stronger security tools.
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
 
[ MDVSA-2014:073 ] file
 

As recent disclosures have reminded us, security is not a simple matter. Most will tell you that the weak link in the chain is us: we simply don't use good security habits. But we're only one part of a number of issues. Although passwords are weaker than they should be, a strong password used on a weak system won't be much help. There is still a lot of necessary work being done to ensure that communication between parties is strongly encrypted.

One option that has received waves of attention over the last ten years is quantum key distribution (QKD). Despite its promise of absolute security, QKD has many practical difficulties that have limited it to niche applications. Now, in a nice bit of work, researchers have shown how to implement QKD for handheld devices.

A quick recap of QKD

Light has a property called polarization, which is measured with respect to a reference frame. So, for instance, horizontally polarized light has its electric field aligned with the ground, while vertically polarized light has its electric field aligned perpendicular to the ground. In between, we can have diagonal and anti-diagonal polarized light.

Read 13 remaining paragraphs | Comments

 
LinuxSecurity.com: Updated openssh packages fixes security vulnerabilities: sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located [More...]
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical [More...]
 
LinuxSecurity.com: Updated openssl packages fix security vulnerability: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a [More...]
 
LinuxSecurity.com: Security Report Summary
 
[ MDVSA-2014:072 ] php-ZendFramework
 
[ MDVSA-2014:071 ] yaml
 
[ MDVSA-2014:070 ] yaml
 
[ MDVSA-2014:068 ] openssh
 

Pro2col Announces its Presence at InfoSec 2014
Newswire Today (press release)
NewswireToday - /newswire/ - Bournemouth, Dorset, United Kingdom, 2014/04/09 - Leading independent file transfer specialists Pro2col who will be exhibiting at InfoSec, is also pleased to announce an exclusive agreement with Thru to distribute their ...

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Samba 'key.pem' Local Insecure File Permissions Vulnerability
 
[ MDVSA-2014:069 ] perl-YAML-LibYAML
 
MediaFire has launched a storage and file-sharing service that it argues is more secure than Amazon's.
 
Multiple Vendors XMPP Server XMPP-Layer Compression Denial of Service Vulnerability
 

Miss Teen USA Promoting Privacy at InfoSec World 2014
Virtual-Strategy Magazine (press release)
“Counterveillance” is new software that helps prevent cyber-intrusion, unauthorized spying, snooping and stealing personal and/or corporate information. While anti-virus and firewall software products provide a degree of protection, cyber crooks and ...

and more »
 

CNN International

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed
Register
"This issue is a timely reminder that all software can contain security vulnerabilities," wrote Brian Honan, the infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, in an edition of the SANS ...
Just how bad is 'Heartbleed'?Business Spectator
Critical flaw found in Internet encryptionITWeb

all 582 news articles »
 
As the hunt for missing Malaysian flight 370 narrows, searchers are preparing to use the Bluefin 21, a 16-foot-long autonomous robot, to look for wreckage beneath the ocean's surface.
 
Risks to enterprises are not only of the security breach variety from outside attackers, malicious insiders or even careless employees. Another comes from everybody in an organization a even its most loyal, careful, capable members.
 
SQL Injection in Orbit Open Ad Server
 

Miss Teen USA Promoting Privacy at InfoSec World 2014
IT Business Net
Counterveillance is new software that helps prevent cyber-intrusion, unauthorized spying, snooping and stealing personal and/or corporate information. While anti-virus and firewall software products provide a degree of protection, cyber crooks and ...

and more »
 
As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications.   I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue.   Please provide comments to the original article relating to the vulnerability itself,  and use this post to only provide links to vendor notifications rather than articles etc about the issue.  
 
So far:  
  • CACert - https://blog.cacert.org/2014/04/openssl-heartbleed-bug/
  • Cisco - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
  • Fortinet - http://www.fortiguard.com/advisory/FG-IR-14-011/
  • Gentoo Linux - http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
  • Juniper -  http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004 (login required)
  • Juniper - http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
  • F5 - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
  • Novell - http://support.novell.com/security/cve/CVE-2014-0160.html 
  • OpenVPN - https://community.openvpn.net/openvpn/wiki/heartbleed
  • Aruba - http://www.arubanetworks.com/support/alerts/aid-040814.asc
  • CheckPoint - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173
  • openssl - https://www.openssl.org/news/secadv_20140407.txt
  • redhat - https://access.redhat.com/security/cve/CVE-2014-0160
  • Slackware - hxxp://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622
  • sparklabs/viscosity openvpn client - https://www.sparklabs.com/viscosity/releasenotes/
  • watchguard - http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap/
  • viscosity - https://www.sparklabs.com/blog/
There are no doubt more please add them via comments.   Please stick to security related products, operating systems and core infrastructure items.  
 
Apple users: OS X Mavericks (10.9) ships by default with OpenSSL 0.9.8. However, if you are using mac ports, OpenSSL 1.0.1 is installed. An update is available (run "sudo upgrade outdated").
 
an NMAP script has also been released to check for the vunerability According to the tweet "script ssl-heartbleed.nse committed to #nmap as rev 32798"  That should help speed up checking.  
 
We have started seeing active checking for this issue, so I would encourage people to hurry up and patch. 
 
Cheers
 
Mark H
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Сross-Site Request Forgery (CSRF) in XCloner Standalone
 
Adobe Systems released security updates for Flash Player and AIR in order to address four critical vulnerabilities that could lead to arbitrary code execution and information disclosure.
 
Xen Linux netback CVE-2014-2580 Remote Denial of Service Vulnerability
 
Linux Kernel CVE-2014-2568 Information Disclosure Vulnerability
 
CVE-2014-0160 mitigation using iptables
 
[ MDVSA-2014:067 ] openssl
 
Cisco ONS 15454 System Software Controller Card CVE-2014-2141 Denial of Service Vulnerability
 
Cisco ONS 15454 System Software CVE-2014-2140 Denial of Service Vulnerability
 
Cisco ONS 15454 System Software Controller Card CVE-2014-2139 Denial of Service Vulnerability
 
Cisco Security Advisory: OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
 
FreeBSD Security Advisory FreeBSD-SA-14:06.openssl [REVISED]
 
FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
 
FreeBSD Security Advisory FreeBSD-SA-14:05.nfsserver
 
Microsoft suspended serving Windows 8.1 Update to businesses that rely on WSUS (Windows Server Update Services), saying that a bug would prevent devices from recognizing future updates.
 
Alternative titles like chief digital officer and chief technology officer muddy the situation and might even dilute authority.
 
Aerial videography drone maker DJI introduced its next generation quad-copter, the Phantom 2 Vision Plus, at NAB in Las Vegas Monday.
 
Microsoft's dominance in business may be mammoth but it isn't absolute, as Tim Dickson, the director of technology at Auberge Resorts, has found.
 
Multiple HP Products CVE-2013-6216 Unspecified Privilege Escalation Vulnerability
 

Posted by InfoSec News on Apr 09

http://www.nextgov.com/cloud-computing/2014/04/public-or-private-cloud-your-agency-decision-comes-down-risk-disa-cio-says/82114/

By Frank Konkel
Nextgov.com
April 8, 2014

For federal agencies, deciding whether information, data or applications
belong in a public or private government cloud or a hybrid combination of
the two is no easy feat.

Myriad factors play into these decisions – projected cost savings,
information sensitivity and...
 

Posted by InfoSec News on Apr 09

http://www.informationweek.com/healthcare/mobile-and-wireless/nurses-say-pagers-must-go-hospitals-drag-feet-/d/d-id/1204255

By Alison Diana
InformationWeek.com
4/8/2014

Nurses and other healthcare workers who communicate vital patient
information say they need an alternative to outdated pagers and insecure
smartphones.

At most hospitals, nurses are still required to communicate with
colleagues and doctors via Voice over IP (VoIP) or pagers....
 

Posted by InfoSec News on Apr 09

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

By Richard Nieva
CNET News
Security
April 8, 2014

A major new security vulnerability dubbed Heartbleed was disclosed Monday
night with severe implications for the entire Web. The bug can scrape a
server's memory, where sensitive user data is stored, including private
data such as usernames, passwords, and credit card numbers.

It's an extremely serious issue,...
 

Posted by InfoSec News on Apr 09

http://www.darkreading.com/author.asp?section_id=314&doc_id=1204252

By Kelly Jackson Higgins
Dark Reading
4/7/2014

Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off
today with new "tag team" rules to reflect realities of the threat.

The wildy popular DEF CON Social Engineering contest this year in Las
Vegas will feature a new twist: Each contestant will be assigned a
teammate to whom they must hand-off...
 

Posted by InfoSec News on Apr 09

http://www.lawfareblog.com/2014/04/thoughts-on-usg-candor-to-china-on-cyber/

By Jack Goldsmith
lawfareblog.com
April 8, 2014

Paul is skeptical about the USG’s unilateral briefing to Chinese officials
on some of its cyber operations and doctrines that David Sanger discloses
in the NYT. He argues that China is unlikely to reciprocate, he doubts
the usefulness of the unilateral disclosure, and he wonders why the USG
does not share the...
 
Internet Storm Center Infocon Status