Hackin9
Many organizations today are looking for things that talk to the Internet. Sensors, cameras, medical equipment and even snowplows are on that wish list.
 
Google has confirmed its acquisition of drone maker Titan Aerospace and hinted that the technology could be used for a lot more than providing Internet access to remote parts of the world.
 
Enterprise IT vendors are rushing to protect users from the Heartbleed bug, which has been found in some servers and networking gear and could allow attackers to steal critical data -- including passwords and encryption keys -- from the memories of exposed systems.
 

Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

On Monday, after seven months of discussion and planning, the first-phase of a two-part audit of TrueCrypt was released.

The results? iSEC, the company contracted to review the bootloader and Windows kernel driver for any backdoor or related security issue, concluded (PDF) that TrueCrypt has: “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

While the team did find some minor vulnerabilities in the code itself, iSEC labeled them as appearing to be “unintentional, introduced as the result of bugs rather than malice.”


 

The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.

Handsets running version 4.1.1 of Google's mobile operating system are vulnerable to attacks that might pluck passwords, the contents of personal messages, and other private information out of device memory, a company official warned on Friday. Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones, said some versions of Android 4.2.2 that have been customized by the carriers or hardware manufacturers have also been found to be susceptible. Rogers said other releases may contain the critical Heartbleed flaw as well. Officials with BlackBerry have warned the company's messenger app for iOS, Mac OS X, Android, and Windows contains the critical defect and have released an update to correct it.

The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections. That means people using a PC to browse websites should be immune to attacks that allow malicious servers to extract data from an end user's computer memory. Users of smartphones, and possibly those using routers and "Internet of things" appliances, aren't necessarily as safe.


 
A SpaceX cargo mission launch that had been scheduled for Monday afternoon has been scrubbed because of a helium leak on a rocket.
 
Microsoft is updating its Web-based Office Online suite, narrowing the features gap with the main Office 365 and Office 2013 suites installed on users' devices.
 
Google, which has been looking for new ways to deliver Internet connectivity, has acquired Titan Aerospace, a New Mexico-based company known for making solar-powered drones.
 
It's hard to overstate the impact of the Microsoft Office for iPad. The arrival of the dominant productivity suite on the dominant tablet promises to change how iPads are viewed in the enterprise. Office for iPad may also crush competitive apps, shut out cloud storage providers and limit MDM vendors.
 
Box has patched the Heartbleed security hole on its servers and has advised its customers to change their passwords.
 
More U.S. Internet users report they have been victims of data breach, while 80 percent want additional restrictions against sharing of online data, according to two surveys released Monday.
 
Canada's tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.
 
Mozilla today named former executive Chris Beard as its interim CEO and appointed him to its board of directors.
 
Websites that use encryption could be elevated in Google search results sometime in the future, according to The Wall Street Journal.
 
Microsoft released Windows Phone 8.1 today, and contrary to its label of "Windows Phone Preview for Developers," anyone can upgrade their current Windows Phone 8-powered handset.
 
Facebook is mere weeks away from becoming a registered e-money firm in Ireland, the Financial Times reported.
 
The operator of an independent website aimed at helping users of J.D. Edwards enterprise resource planning software has shut it down after Oracle alleged the site infringed on its copyrights.
 
Failing to hear any further pings from the missing Malaysian airliner, searchers today began using an autonomous underwater torpedo-shaped robot.
 
Google is pushing to realize its vision of modular smartphones with a conference this week that will give developers a closer look at its Project Ara.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Net-SNMP could be made to crash if it received specially crafted network traffic.
 
 

Underscoring the severity of the Heartbleed bug affecting huge swaths of the Internet, hackers exploited the vulnerability to steal taxpayer data for at least 900 Canadian citizens and an unknown number of businesses, officials in that country warned Monday morning.

Canada Revenue Agency (CRA) officials said they removed public access to online tax services last Tuesday, a day after the catastrophic defect in the widely used OpenSSL cryptography library surfaced. But by then it was too late. Hackers casing online CRA services were nonetheless able to exploit the OpenSSL flaw, which makes it possible to pluck private encryption keys, passwords, and other sundry sensitive data out of the private computer memory of servers running vulnerable versions of the open-source library.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," Canadian officials disclosed in a blog post published Monday morning. "Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."


 
One of the legacies of Edward Snowden's treason is that companies are now concerned about the insider threat more than they ever were before. He demonstrates that a single person inside an organization can devastate the organization. While technology should have caught Snowden, there is also the realization that his coworkers and managers should have noticed indications of unusual activities.
 

We are going back to INFOCon Green today. Things have stabilized, and the INFOCon is used to indicate change. Awareness of Heartbleed is well saturated and Internet teams everywhere appear to be responding appropriately.

Some points to be aware of:

  • Patching will continue and hopefully fill remaining gaps.
  • Certificate Revocation Lists (CRLs) will grow, which may lead to slower load times in some cases. Please let us know if you are observing CRL issues.
  • There is no practical way to identify if a certificate has actually been updated, unless you recorded the certificate serial number. It is common to check the creation date, BUT a CA can re-issue a new certificate and keep the original creation date. This is silly but should be noted.
  • The client side (wget, curl, etc.) of Heartbleed is mostly a non-issue, but there are a few exceptions. Watch for VPN client updates.
  • Certificates continue to be revoked. We have taken the liberty to look at the CRL counts of sixteen different CAs since April 1, 2014.
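The serial-number check from the third bullet, as an added example that is not part of the diary: it compares a certificate recorded before patching with the one a server presents now and shows where a date-only check goes wrong. The `fetch_cert` helper and the sample records are assumptions constructed for this example, not real certificates.

```python
import socket
import ssl

# Heartbleed became public on 7 April 2014; used as the cut-off for "old" certificates.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr 07 00:00:00 2014 GMT")


def fetch_cert(host, port=443):
    """Fetch the leaf certificate a host serves, in the dict form getpeercert() returns.
    Only the 'serialNumber' and 'notBefore' keys are used below. (Helper assumed here.)"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess_cert(recorded, observed):
    """Compare the certificate recorded before patching with the one served now.

    The serial number is the authoritative signal. A CA may re-issue with the
    original notBefore, so comparing dates alone can report "unchanged" for a
    certificate that was in fact replaced.
    """
    replaced = recorded["serialNumber"] != observed["serialNumber"]
    rec_nb = ssl.cert_time_to_seconds(recorded["notBefore"])
    obs_nb = ssl.cert_time_to_seconds(observed["notBefore"])
    date_check_says_replaced = obs_nb > rec_nb
    if replaced and not date_check_says_replaced:
        note = "re-issued with the original notBefore; a date check would miss this"
    elif replaced:
        note = "new certificate issued after the recorded one"
    elif obs_nb < HEARTBLEED_DISCLOSED:
        note = "same certificate as before disclosure; treat the key as possibly exposed"
    else:
        note = "unchanged, but issued after disclosure"
    return {"replaced": replaced,
            "date_check_says_replaced": date_check_says_replaced,
            "note": note}


# Constructed sample records (not real certificates), shaped like getpeercert() output.
RECORDED = {"serialNumber": "04AB12CD", "notBefore": "Jan 15 00:00:00 2014 GMT"}
REISSUED_SAME_DATE = {"serialNumber": "09EF34AB", "notBefore": "Jan 15 00:00:00 2014 GMT"}
REISSUED_NEW_DATE = {"serialNumber": "09EF34AB", "notBefore": "Apr 10 09:30:00 2014 GMT"}

if __name__ == "__main__":
    for label, now in (("reissued, old date", REISSUED_SAME_DATE),
                       ("reissued, new date", REISSUED_NEW_DATE),
                       ("unchanged", RECORDED)):
        print(label, assess_cert(RECORDED, now))
```

To use it against a live host, store `fetch_cert(host)["serialNumber"]` and `["notBefore"]` once, then pass the stored record and a fresh `fetch_cert(host)` to `assess_cert`.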


 

In summary,  please keep scanning and patching all of your servers and encourage all end users to change their passwords after a site's certificate has been updated.


-Kevin
--
ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Web browser has been a major infection vector for years, allowing malware to be transported to millions of computers through phishing, man-in-the-middle, SQL injection and countless other attacks. But what if there were a way to stop this madness and secure the browsing channel itself?
 
EMC RSA Data Loss Prevention Improper Session Management Local Privilege Escalation Vulnerability
 
Elfutils libdw 'check_section()' Function Remote Heap Based Buffer Overflow Vulnerability
 
It's been business as usual for IT outsourcing providers in Ukraine, though the ongoing military and political uncertainty has had a public relations impact.
 
Bill Gates, Steve Jobs and Edward Snowden all launched tech careers without four-year college degrees, and that may be true for a large percentage of techies.
 
Thanks to the advent of Big Data, new algorithms and massive, affordable computing power, artificial intelligence is now, finally, on a roll again.
 
The Gnome Foundation does not have any cash reserves as expenses on a women outreach program had to be made ahead of actually receiving payments from sponsors.
 
Microsoft has revealed how it will squeeze Windows 8.1 onto devices with storage space as small as 16GB to fulfill a promise earlier this year that OEMs could produce low-cost tablets and laptops.
 
Akamai Technologies, whose network handles up to 30% of all Internet traffic, said Sunday a researcher found a fault in custom code that the company thought shielded most of its customers from the Heartbleed bug.
 
The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, NSA says.
 
Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.
 
cURL/libcURL CVE-2014-0139 SSL Certificate Validation Security Bypass Vulnerability
 
CIS Manager 'TroncoID' Parameter SQL Injection Vulnerability
 

Posted by InfoSec News on Apr 14

http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/

By Megan Geuss
Ars Technica
April 12, 2014

Contrary to previous suspicions, it is possible for hackers exploiting the
catastrophic vulnerability dubbed Heartbleed to extract private encryption
keys from vulnerable websites, Web services firm Cloudflare reported
Saturday.

As recently as yesterday, Cloudflare published preliminary...
 

Posted by InfoSec News on Apr 14

http://www.israelnationalnews.com/News/News.aspx/179572

By Ari Soffer
Israel National News
4/13/2014

Israeli hackers have gone on the offensive against their anti-Israel
opponents in revenge for the #OpIsrael hacking attack against Israeli
sites and servers.

After the failed "operation" by members of the "Anonymous" hacker network,
Israeli hackers from Israel Elite Force took the fight to them - robbing
them of their...
 

Posted by InfoSec News on Apr 14

http://www.wired.com/2014/04/att-hacker-conviction-vacated/

By Kim Zetter
Threat Level
Wired.com
04.11.14

A hacker sentenced to three and a half years in prison for obtaining the
personal data of more than 100,000 iPad owners from AT&T’s unsecured
website is about to go free, after a ruling today that prosecutors were
wrong to charge him in a state where none of his alleged crimes occurred.

Andrew "Weev" Auernheimer was in...
 

Posted by InfoSec News on Apr 14

http://www.dailymail.co.uk/news/article-2603782/Banksy-art-work-showing-government-agents-spying-phone-box-appears-Cheltenham-house-near-GCHQ.html

By Sam Creighton
Mail Online
13 April 2014

Mysterious street artist Banksy is thought to have unveiled his latest
creation, taking aim at the thorny issue of government surveillance.

The guerrilla graffiti artist is believed to be behind the image of three
trenchcoat clad agents eavesdropping on a...
 

Posted by InfoSec News on Apr 14

http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security

By Timothy B. Lee
Vox.com
April 12, 2014

What caused the Heartbleed Bug that endangered the privacy of millions of
web users this week? On one level, it looks like a simple case of human
error. A software developer from Germany contributed code to the popular
OpenSSL software that made a basic, but easy-to-overlook mistake. The
OpenSSL developer who approved...
 

Pro2col announces its presence at InfoSec and an exclusive distribution deal ...
PR Web (press release)
Leading independent file transfer specialists Pro2col announces that it will be exhibiting at InfoSec 2014. Pro2col is also pleased to announce an exclusive agreement with Thru to distribute their industry leading file transfer solution in the UK and ...

 