Information Security News
Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Cyrus Farivar
The results? iSEC, the company contracted to review the bootloader and Windows kernel driver for any backdoor or related security issue, concluded (PDF) that TrueCrypt has: “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”
While the team did find some minor vulnerabilities in the code itself, iSEC labeled them as appearing to be “unintentional, introduced as the result of bugs rather than malice.”
The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.
Handsets running version 4.1.1 of Google's mobile operating system are vulnerable to attacks that might pluck passwords, the contents of personal messages, and other private information out of device memory, a company official warned on Friday. Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones, said some versions of Android 4.2.2 that have been customized by the carriers or hardware manufacturers have also been found to be susceptible. Rogers said other releases may contain the critical Heartbleed flaw as well. Officials with BlackBerry have warned the company's messenger app for iOS, Mac OS X, Android, and Windows contains the critical defect and have released an update to correct it.
The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections. That means people using a PC to browse websites should be immune to attacks that allow malicious servers to extract data from an end user's computer memory. Users of smartphones, and possibly those using routers and "Internet of things" appliances, aren't necessarily as safe.
by Dan Goodin
Underscoring the severity of the Heartbleed bug affecting huge swaths of the Internet, hackers exploited the vulnerability to steal taxpayer data for at least 900 Canadian citizens and an unknown number of businesses, officials in that country warned Monday morning.
Canada Revenue Agency (CRA) officials said they removed public access to online tax services last Tuesday, a day after the catastrophic defect in the widely used OpenSSL cryptography library surfaced. But by then it was too late. Hackers casing online CRA services were nonetheless able to exploit the OpenSSL flaw, which makes it possible to pluck private encryption keys, passwords, and other sundry sensitive data out of the private computer memory of servers running vulnerable versions of the open-source library.
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," Canadian officials disclosed in a blog post published Monday morning. "Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."
We are going back to INFOCon Green today. Things have stabilized and the INFOCon is used to indicate change. Awareness of Heartbleed is well saturated and Internet teams everywhere appear to be responding appropriately.
Some points to be aware of:
In summary, please keep scanning and patching all of your servers and encourage all end users to change their passwords after a site's certificate has been updated.
ISC Handler on Duty
Posted by InfoSec News on Apr 14: http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
Posted by InfoSec News on Apr 14: http://www.israelnationalnews.com/News/News.aspx/179572
Posted by InfoSec News on Apr 14: http://www.wired.com/2014/04/att-hacker-conviction-vacated/
Posted by InfoSec News on Apr 14: http://www.dailymail.co.uk/news/article-2603782/Banksy-art-work-showing-government-agents-spying-phone-box-appears-Cheltenham-house-near-GCHQ.html
Posted by InfoSec News on Apr 14: http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security
Pro2col announces its presence at InfoSec and an exclusive distribution deal ...
PR Web (press release)
Leading independent file transfer specialists Pro2col announces that it will be exhibiting at InfoSec 2014. Pro2col is also pleased to announce an exclusive agreement with Thru to distribute their industry leading file transfer solution in the UK and ...