Hackin9
Tens of thousands of new digital certificates have been issued by Comodo in the wake of the "Heartbleed" security flaw, which has put Internet users' data at risk.
 

With more mass-media attention to the heartbleed bug, we are getting more questions from "normal users" about the heartbleed bug.

The "Heartbleed" bug is not affecting end users using Windows. It does not affect standard Windows browsers (Internet Explorer, Firefox, Chrome). It may affect some selected third party software, but most likely, you do not need to patch anything. The only widely used consumer platform vulnerable is Android 4.1.1, but there isn't much you can do about it but wait for a patch for your phone.

However, it is possible that a web site you used is or was affected by "Heartbleed". The result may be that the password you are using on the site was captured by someone attacking this site. So you may need to change the password that you used on the site.

How do I know if a site is/was vulnerable?

Your best bet is https://lastpass.com/heartbleed/ . They will show you if a site is vulnerable right now, or may have been vulnerable in the past. There is a chance that the site received a new certificate that still uses the old issue date, which can lead to sites being identified as "not fixed".

Should I change my password?

If you think the site was vulnerable, and is no longer vulnerable, then you should change your password. If in doubt, change your password. Changing your password while the site is still vulnerable probably doesn't hurt, but the new password may leak again, so the change may not help.

Should I avoid sites that are still vulnerable?

Yes

I received an e-mail from a site I use asking me to change my password. Should I do so?

First of all: Don't click on any links in this email. Then go to the website and change your password (even if the e-mail was a fake, it doesn't hurt to change your password as long as you are sure you go to the right site). Use the "lastpass" URL above to check if the site is/was vulnerable.

What else should I do?

Standard "safe computing" practices: use difficult to guess passwords, keep your system up to date, use anti-malware, be cautious with links distributed via e-mail.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
If you've been waiting impatiently to get a pair of Google Glass, mark your calendar and grab your checkbook.
 

Cisco has issued a security bulletin for customers about the Heartbleed bug in the OpenSSL cryptography code, and it’s not about Web servers. So far, the company has unearthed 11 products and 2 services susceptible to attack through the vulnerability, which can be used to retrieve random bits of content from an attacked device’s memory. Cisco’s IOS XE operating system for network hardware is one of the higher-profile products on the company's list.

Cisco has already patched the two services—Cisco’s Registered Envelope Service (CRES) and Webex Messenger Service—that were deemed vulnerable. Most of the remaining products on Cisco's list are connected to the company’s collaboration products, such as its UCS unified messaging platform. They also include IP telephones, communications servers, and messaging systems:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco IOS XE
  • Cisco UCS B-Series (Blade) Servers
  • Cisco UCS C-Series (Stand alone Rack) Servers
  • Cisco Unified Communication Manager (UCM) 10.0
  • Cisco Registered Envelope Service (CRES)
  • Cisco Webex Messenger Service

The list isn’t yet complete—the company is still investigating whether over 60 additional products, including other versions of the IOS operating system and other network hardware, are vulnerable.


 
JBIG-KIT LibJbig Image File Handling CVE-2013-6369 Remote Buffer Overflow Vulnerability
 
GNU a2ps CVE-2014-0466 Arbitrary Command Execution Vulnerability
 
Google is boosting Android security safeguards to better detect potentially harmful apps throughout their life cycle.
 
Website and server administrators will have to spend considerable time, effort and money to mitigate all the security risks associated with Heartbleed, one of the most severe vulnerabilities to endanger encrypted SSL communications in recent years.
 
Wearable computers "took a huge step forward" in 2013 and shipments of smartwatches and related devices will grow by 78% a year until 2018, IDC said Thursday.
 
Microsoft's demand that Windows 8.1 users install this week's major update was another signal that the company is serious about forcing customers to adopt its faster release strategy, experts said today.
 
U.S. businesses can share most cyberthreat information with competitors without facing antitrust enforcement action, two U.S. enforcement agencies said Thursday.
 
The Heartbleed bug has affected about two-thirds of the world's websites, meaning virtually everyone should be taking steps to protect themselves now.
 
The U.S. received twice as many H-1B visa petitions as it can give out under its 85,000 visa cap, and is thus distributing the visas via lottery.
 
The freedom and openness of the Internet are at stake after the U.S. government announced plans to end its contractual oversight of ICANN, some critics said Thursday.
 
BlackBerry is not going to bail out of the handset business, but needs to return to its enterprise roots to reverse its slide, according to CEO John Chen.
 

'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck (TechTarget)
"I've been around a long time in infosec, and this is one of the scariest bugs I've seen. Period. Don't take it lying down," said Williams in a webcast Wednesday. "To put this in perspective, this is much scarier than Conficker, much scarier than ...
Critical flaw found in Internet encryption (ITWeb)
Just how bad is 'Heartbleed'? (Business Spectator)
Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed (Register)
 
In space, they say, no one can hear you scream. Some marketers feel the same way about Facebook.
 
A federal court in New Jersey this week affirmed the Federal Trade Commission's contention that it can sue companies on charges related to data breaches, a major victory for the agency.
 
JR Raphael compares the images from a Samsung Galaxy S5 camera to an HTC One (M8) camera.
 
 
OWASP ZAP 2.3.0
 
Sendy 1.1.9.1 - SQL Injection Vulnerability
 

A team of security researchers at the University of Michigan has used an open source network scanner called ZMap to search the Internet for servers still vulnerable to the "Heartbleed" exploit, which can be used to retrieve user names, passwords, and possibly even private encryption keys from servers that use the popular OpenSSL 1.0.1 cryptographic library. OpenSSL patched the vulnerability earlier this week, but hundreds of thousands of Web servers and other network-connected devices that use the affected libraries are still vulnerable.

ZMap, developed at the University of Michigan by Assistant Professor J. Alex Halderman and computer science graduate students Zakir Durumeric and Eric Wusterow, can perform a complete scan of the Internet's address space in less than 45 minutes if run on a machine with a gigabit network connection. Durumeric, Halderman, undergraduate computer science student David Adrian, and Research Associate Professor Michael Bailey configured a ZMap scan for the Heartbleed vulnerability, seeded with Alexa's list of the 1 million most popular domains on the Internet.

"As of 4:00 PM on April 9, 2014," the researchers reported in their results, "we found that 34 percent of the Alexa Top 1 Million websites support TLS. Of the websites that support HTTPS, 11 percent are vulnerable, 27 percent safely support the heartbeat extension, and 61 percent do not support the heartbeat extension (and are therefore safe). While we are still completing full scans of the Internet, initial results show that approximately 6% of all hosts that support HTTPS remain vulnerable. We will be updating these numbers as more scan results become available. We are not releasing full Internet-wide scans at this time."


 
Earlier this week, I posted a question to Twitter and one reader offered an interesting rant on the topic, one that I felt was worth sharing.
 
BlackBerry released a security update for its BlackBerry 10 OS to address a critical vulnerability that could allow remote attackers to execute arbitrary code on affected devices.
 
In Windows 8.1 Update, Microsoft may be finally getting it right: The latest version of its operating system finally bridges the gap between touch and traditional computing.
 
Price cuts from Amazon, Google and Microsoft support predictions that the public cloud computing market is a race to the bottom -- for pricing, that is. Customers will no doubt benefit, but cloud providers who aren't one of those three companies should be prepared for a long, hard war of attrition.
 
 
[ MDVSA-2014:075 ] php
 

I started getting emails yesterday asking me to change passwords on services I do not have accounts on - complete with helpful links - back-ended by malware and/or credential harvesting of course

Just a few minutes ago, I also received a legit email along the same lines, from a security organization.  Unfortunately, they also included links (OOPS), this time legit links, but that's still a big miss on their part.

It's worth a reminder to your user community, clients and even family if you support their machines (and bad computing habits) also. 

Helpful emails with links in them are in most cases NOT helpful.  Don't click that link!

If it's legitimate, and especially this week, by all means browse to the affected site and change your password.  That's always a good idea.  But following an email link to a password change page is a good way to get your credentials stolen, or a good way to pick up a nice "gift" of malware.

 

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Critical flaw found in Internet encryption (ITWeb)
ITWeb Security Summit 2014. A showcase for infosec thought leaders, featuring interactive workshops that provide intensive information for company executives, ITWeb Security Summit 2014 takes place from 27 to 29 May at the Sandton Convention Centre.
Just how bad is 'Heartbleed'? (Business Spectator)
Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed (Register)
 
CSOs need to take a number of steps as soon as possible to protect their organizations against the OpenSSL vulnerability that has shaken the tech industry, experts say.
 
Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerabilities
 
iVault Private P&V 1.1 iOS - Path Traversal Vulnerability
 
BlueMe Bluetooth v5.0 iOS - Code Execution Vulnerability
 
AppFish Offline Coder v2.2 iOS - Persistent Software Vulnerability
 

We were talking yesterday that with the Heartbleed issue front and center, what about the "everything else" factor?

With everyone so focused on this one issue, coupled with the knowledge that *lots* of folks still have XP and in all the OpenSSL excitement might not have patched.  In particular, the horde of XP machines we call ATMs would be a particularly good target this week (or any other week until they get updated really).  So please folks, let's do what we can on the OpenSSL side, but keep the needed focus on other areas too!

Mark's story yesterday on OpenSSL "check" sites makes the great point that these sites can be collecting information as well as giving you info.  Keep in mind that we expect to see some bogus sites pop up too - I'd expect to see some fake check sites distributing malware if we don't see them already.

How about SSL and other site issues that aren't vulnerable to Heartbleed?

As I'm assessing client sites and products for Heartbleed, I'm taking the time to do a more complete (but still quick) assessment.  So the client gets a list of:

  • sites that have self-signed certs
  • broken cert chains
  • sites that allow a less than desirable SSL Encryption level
  • and so on, you get the idea

In short, all those SSL things that were in the last several assessment reports, but were never fixed for some reason.  Folks have the perception that "SSL is hard", so I often see admins avoid changing anything that affects it, even when it's called out in a security assessment report.  But this week's focus on SSL is forcing these issues into the light of day, and allowing us to get a lot of them resolved.


===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
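The three findings in the assessment list above (self-signed certificates, broken certificate chains, and a weaker-than-desirable encryption level) can each be checked mechanically. The program below is an added example written for this page, not code from the ISC diary or from Metafore; it builds its own throwaway root, intermediate and leaf certificates for the hostname www.example.test (a constructed fixture, not a real site) and then runs the same audit a scanner would run against a served chain: is the leaf self-signed, does the presented chain reach a trusted root, and does the server's TLS configuration permit old protocol versions or cipher suites Go's own library classes as insecure.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixtures are constructed test certificates; none of them belong to a real site.
type Fixtures struct {
	Root, Inter, Leaf, SelfSigned *x509.Certificate
}

// newTemplate returns a minimal CA or server-certificate template for the hypothetical host.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"www.example.test"}, // constructed hostname
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.ExtKeyUsage, t.DNSNames = nil, nil
	}
	return t
}

// issue signs tmpl under parent with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildFixtures creates root -> intermediate -> leaf plus a standalone self-signed leaf.
func BuildFixtures() (*Fixtures, error) {
	root, rootKey, err := issue(newTemplate("Test Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate("Test Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate("www.example.test", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	self, _, err := issue(newTemplate("www.example.test", 4, false), nil, nil)
	if err != nil {
		return nil, err
	}
	return &Fixtures{Root: root, Inter: inter, Leaf: leaf, SelfSigned: self}, nil
}

// AuditChain reports the first two findings from the list: a self-signed leaf, and a
// presented chain (leaf + intermediates the server sent) that does not reach a trusted root.
func AuditChain(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, host string) []string {
	var findings []string
	// Self-signed: issuer equals subject and the certificate verifies under its own key.
	if bytes.Equal(leaf.RawSubject, leaf.RawIssuer) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		findings = append(findings, "self-signed certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), DNSName: host}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(opts); err != nil {
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) {
			findings = append(findings, "broken chain: no path to a trusted root (missing intermediate or untrusted issuer)")
		} else {
			findings = append(findings, "chain verification failed: "+err.Error())
		}
	}
	return findings
}

// AuditTLSConfig reports the "less than desirable encryption level" finding for a server config.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("permits protocol versions below TLS 1.2 (MinVersion=0x%04x)", cfg.MinVersion))
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "enables insecure cipher suite "+name)
		}
	}
	return findings
}

func main() {
	f, err := BuildFixtures()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)
	host := "www.example.test"
	fmt.Println("complete chain:      ", AuditChain(f.Leaf, []*x509.Certificate{f.Inter}, roots, host))
	fmt.Println("missing intermediate:", AuditChain(f.Leaf, nil, roots, host))
	fmt.Println("self-signed leaf:    ", AuditChain(f.SelfSigned, nil, roots, host))
	weak := &tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	fmt.Println("weak server config:  ", AuditTLSConfig(weak))
	fmt.Println("hardened config:     ", AuditTLSConfig(&tls.Config{MinVersion: tls.VersionTLS12}))
}
```

The "missing intermediate" case is the one that most often shows up as a "broken cert chain" in reports: the leaf is perfectly valid, but the server only sends the leaf, so clients without the intermediate cached cannot build a path to the root. Against a live site the same two audit functions would be fed the chain from `tls.ConnectionState().PeerCertificates` and the server's negotiated parameters instead of the constructed fixtures.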
 
Google has invested in robotics company Savioke, which plans to produce a robot that could work in places such as nursing homes and hospitals.
 
The looming threat of running an unsupported OS wasn't enough to save PC shipments from continuing their slide in the first quarter.
 
Dropbox, the cloud storage and file sharing vendor, is expanding its scope into photo management and document collaboration.
 
PHP Fileinfo Component Remote Denial of Service Vulnerability
 
Zend Framework Multiple Information Disclosure and Security Bypass Vulnerabilities
 
[SECURITY] [DSA 2899-1] openafs security update
 
Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week.
 
Jose Vildoza's 62-year-old father was using his old Windows computer when a warning in broken English flashed on the screen: your files have been encrypted.
 
Today's tools are a lot like yesterday's in some respects, except they add features for cloud, social, Web and mobile. They're also a whole lot easier to use.
 
OSIsoft PI Interface for DNP3 CVE-2013-2828 Local Denial of Service Vulnerability
 
OSIsoft PI Interface for DNP3 CVE-2013-2809 Remote Denial of Service Vulnerability
 
Orbit Open Ad Server '/guest/site_directory' SQL Injection Vulnerabilitiy
 

InfoSec Institute Partners with AFCEA International (Virtual-Strategy Magazine, press release)
“The shortage of information security professionals is the biggest crisis facing the United States,” said President Barack Obama in his January 2014 State of the Union Address. InfoSec's mission is to prepare these professionals, and one way they are ...
 
Internet Storm Center Infocon Status