Hackin9
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in jbigkit: Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in JBIG-KIT before 2.1 allows remote attackers to cause a denial of service (application crash) and possibly execute ...
 
 
LinuxSecurity.com: Updated a2ps packages fix security vulnerability: Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently, executing fixps on a malicious PostScript file could result in files being deleted or arbitrary ...
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in php: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers ...
 
LinuxSecurity.com: Updated python package fixes security vulnerabilities: Denial of service flaws due to unbound readline() calls in the imaplib, poplib, and smtplib modules (CVE-2013-1752). ...
 
LinuxSecurity.com: Updated file packages fix security vulnerabilities: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers ...
 
LinuxSecurity.com: Updated yaml package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML ...
 
LinuxSecurity.com: Updated php-ZendFramework packages fix security vulnerabilities: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server ...
 
LinuxSecurity.com: Updated yaml packages fix security vulnerabilities: Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document ...
 
LinuxSecurity.com: Updated perl-YAML-LibYAML packages fix security vulnerabilities: Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document ...
 

Contrary to previous suspicions, it is possible for hackers exploiting the catastrophic vulnerability dubbed Heartbleed to extract private encryption keys from vulnerable websites, Web services firm Cloudflare reported Saturday.

As recently as yesterday, Cloudflare published preliminary findings that seemed to indicate that it would be difficult, if not impossible, to use Heartbleed to obtain the private key that underpins the secure sockets layer padlock shown in millions of browsers. To be extra sure, Cloudflare launched "The Heartbleed Challenge" to see how others exploiting Heartbleed might fare. The company set up an nginx server running a Heartbleed-vulnerable version of OpenSSL and invited the Internet at large to steal its private key.

Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila of NCSC-FI had obtained the server's private key using nothing but the Heartbleed vulnerability. As of this writing, Cloudflare had confirmed a total of four winners, the other two being Rubin Xu, a PhD student in the Security Group at Cambridge University, and security researcher Ben Murphy.


 

Pro2col Announces its Presence at InfoSec 2014
Newswire Today (press release)
NewswireToday - /newswire/ - Bournemouth, Dorset, United Kingdom, 2014/04/09 - Leading independent file transfer specialist Pro2col, which will be exhibiting at InfoSec, is also pleased to announce an exclusive agreement with Thru to distribute their ...

 
The idea of an Amazon smartphone, reportedly in the works for a September release, may seem far-fetched or foolhardy but isn't that big a stretch for the ambitious shopping, device and content giant.
 
Apple outlined for the first time on Friday how it came up with the US$2.2 billion in damages that it wants a California jury to award it for Samsung's alleged "massive infringement" of five Apple patents.
 
The U.S. National Security Agency, which has a cybersecurity mission in addition to surveillance, has disputed a report that it knew about the Heartbleed security vulnerability for at least two years before other researchers disclosed the flaw this month.
 

CloudFlare launched a challenge yesterday: Can You Get Private SSL Keys Using Heartbleed?[1] The site created by CloudFlare engineers is located here and is intentionally vulnerable to Heartbleed. If you manage to steal the private key from the site, they will post the full details on that site. So far two individuals have succeeded: Fedor Indutny (@indutny) and Ilkka Mattila of NCSC-FI.[2]

If you have time and bandwidth, this might be a fun weekend project.

[1] http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
[2] https://www.cloudflarechallenge.com/heartbleed

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Companies are engaged in a kind of arms race with competitors to see how many apps they can get everyone to use. But this aggressive push for more apps is going to end up giving users app fatigue.
 