Information Security News
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The following Cisco products that were previously identified as vulnerable and have been remediated:
Cisco Registered Envelope Service (CRES)
Cisco Webex Messenger Service
Cisco USC Invicta Series Autosupport Portal
This following software has been fixed and is available for download, for all affected products:
Cisco AnyConnect Secure Mobility Client for iOS - Fixed in version 3.0(9353)
Cisco WebEx Messenger Server - Fixed in 2.0MR2
Cisco TelePresence Video Communication Server (VCS) - Fixed in X8.1.1
For additional information on Cisco product, follow this Cisco Security Advisory.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Nine people connected to the "Zeus" malware have been indicted, federal officials announced Friday as they declared the code "one of the most damaging pieces of financial malware that has ever been used."
An indictment (PDF) unsealed Friday charges nine people, most of them from the Ukraine. Two defendants—Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36—were extradited to the United States and hauled Friday into Nebraska federal court, where the charges were unsealed. Most of the others remain at large.
The authorities said the defendants used Zeus to hijack account numbers, passwords, personal identification numbers, RSA SecureID token codes, and other data needed to illegally log in to online banking accounts, netting the defendants "millions of dollars." Prosecutors said they were responsible for "infecting thousands of business computers with malicious software."
by Sean Gallagher
Citing two anonymous sources “familiar with the matter,” Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—“at least two years.” The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites.
“When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about," said Jameel Jaffer, deputy legal director at the American Civil Liberties Union, in a statement emailed to Ars. "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function. The NSA has lost sight of its mission, and it has lost sight of the values of the society it’s supposed to be protecting.”
The NSA has issued a statement denying the report. In an email to Ars, NSA spokesperson Vanee VInes provided this official statement: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong.”
NJVC and InfoSec Institute partner to provide cyber security training services
Government Security News
Information technology solutions provider NJVC, of Chantilly, VA, and information security training company InfoSec Institute, have announced a partnership to provide cyber security training services. NJVC can now implement federal government and ...
The Sydney Morning Herald published an interview today with Robin Seggelmann, who added the flawed code to OpenSSL, the world's most popular library for implementing HTTPS encryption in websites, e-mail servers, and applications. The flaw can expose user passwords and potentially the private key used in a website's cryptographic certificate (whether private keys are at risk is still being determined).
The Herald reports:
by Sean Gallagher
On April 9, Juniper Networks issued a security advisory for users of version 7 of its Secure Access SSL VPN (IVEOS) because of its vulnerability to the OpenSSL Heartbleed exploit, an attack that could expose user data through malicious use of the Transport Layer Security "Heartbeat" extension. This morning, the company added a number of other VPN and switch products to its security advisory, including the most recent release of the Junos OS and its Junos Pulse and IVEOS SSL virtual private networks.
"We are working around the clock to provide fixed versions of code for our affected products," the company's security team said in the advisory.
The affected products are:
=============== Rob VandenBrink Metafore(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Infosec teaching boost as security body (ISC)2 launches education programme
Security organisation (ISC)² has announced a new Global Academic Programme it hopes will boost the importance of security in higher education teaching programmes around the world. The larger purpose of the Programme is to address the growing skills ...
We're getting reports of client applications that are vulnerable to the heartbleed issue. Just as with server applications, these client applications are dependant on vulnerable versions of OpenSSL.
Another "patch soon" problem, you say? The patch will be installed when the vendor ... oh, wait a minute. Just exactly when will your TV's manufacturer update the web browser on your TV? And when will you be applying that patch? How about your in-laws TV? This vulnerability on the client side has the potential to be much longer-lived than on servers.
This combines the problem of the specific heartbleed vulnerabilty with the problem of embedded devices that may never be updated. Or devices that are updated by vendors for a year or two after release, then abandoned when the new model comes out - home routers and TV sets are great examples of this situation, but so are medical devices.
To add to that list, there is a large contingent of Android phones that have updates maintained by the carrier instead of the manufacturer (google), and do not see frequent updates, or may never see an update. These devices are used daily for almost everything - online banking comes immediately to mind. The combination of a general purpose device and a vulnerability that exposes memory to an attacker (in this case, a malicious or infected server) has the potential for some widespread mayhem, for as long as that device remains in service (years instead of weeks or months)
Other applications that encrypt but we don't often think of as "clients" include traditional database software, cloud services clients, dedicated / custom browsers for online services like entertainment, even device drivers for hardware all need to be assessed. It's also easy to say "client application XX is vulnerable", but that client application might exist on your PC, multiple tablet or phone platforms, TVs, DVRs, excercise equipment, fridges, thermostats - the list grows to include things that are smaller and smaller, that are less and less likely to be updated.
Client applications that are currently reported as vulnerable are:
(from http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely )
If you've got confirmation of other vulnerable client applications, please post the relevant information (with links) in our comment section.
du's newly-launched Student InfoSec Award invites UAE students to change the ...
In the spirit of fostering innovation and nurturing the progression of local talent in the field of information security, du invites students across the UAE to participate in its newly-launched Student InfoSec Award. The Student InfoSec Award is a ...
Posted by InfoSec News on Apr 11http://www.thesmokinggun.com/documents/Microsoft-Xbox-hackers-576321
Posted by InfoSec News on Apr 11http://koreajoongangdaily.joins.com/news/article/Article.aspx?aid=2987770
Posted by InfoSec News on Apr 11http://www.telegraph.co.uk/technology/internet-security/10753180/Hacker-exposes-embarrassing-weakness-in-Mets-online-security.html
Posted by InfoSec News on Apr 11http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html
Posted by InfoSec News on Apr 11http://arstechnica.com/tech-policy/2014/04/whitehat-hacker-goes-too-far-gets-raided-by-fbi-tells-all/