Information Security News
A New York assemblyman has reintroduced a bill that aims to essentially disable strong encryption on all smartphones sold in the Empire State.
Among other restrictions, the proposed law states that "any smartphone that is manufactured on or after January 1, 2016 and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider."
If it passes both houses of the state legislature and is signed by the governor, the bill would likely be the first state law to impose new restrictions on mobile-based cryptography. If it makes it that far, the law would almost certainly face legal challenges from Apple and Google, among others.
A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the most widely used implementations of the secure shell (SSH) protocol.
The vulnerability resides only in the client that end users use to connect to servers, not in the server software. A maliciously configured server could exploit it to obtain the contents of the connecting computer's memory, including the private key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH client versions 5.4 to 7.1.
"The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys," OpenSSH officials wrote in an advisory published Thursday. "The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers."
2016-01-14: Updated to show OpenSSH vulnerabilities like Heartbleed.
OpenSSH 7.1p2 has been released with a security fix for a vulnerability recently assigned to CVE-2016-0777. CVE-2016-0777 is a client information leak that could expose private keys to a malicious server. A workaround is available for previous versions of OpenSSH.
Early reports from Red Hat and the OpenBSD Journal provide further detail: "Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session." "An information leak flaw was found in the way the OpenSSH client's roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client's version, compiler, and operating system) allow a malicious SSH server to steal the client's private keys."
The OpenSSH bug has similarities to the 2014 Heartbleed vulnerability that affected the OpenSSL crypto library. Heartbleed was much more serious, because the bug made it possible for anyone with moderate hacking skills to exploit any website using OpenSSL. By contrast, the OpenSSH bug can only be exploited after a vulnerable end user connects to a maliciously configured server.
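An added example (not code from the article or from the OpenSSH project) that a defender can run to triage the client-side exposure described above: it checks whether an `ssh -V` banner falls in the affected 5.4 to 7.1p1 range and whether the `UseRoaming no` workaround from the OpenSSH advisory is set globally in an ssh_config. The function names and the sample banners and config snippets in the test are my own constructions.

```python
# Added example: triage an OpenSSH client for CVE-2016-0777 (roaming leak).
# Affected range 5.4..7.1p1, the 7.1p2 fix and the "UseRoaming no" workaround
# follow the OpenSSH advisory; function names here are this example's own.
import re

# Banners look like "OpenSSH_7.1p1 OpenSSL ..." or "OpenSSH_6.6.1p1 Ubuntu...".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def affected_version(banner: str) -> bool:
    """True if this client version shipped the roaming code (5.4 .. 7.1p1)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if (major, minor) < (5, 4) or (major, minor) > (7, 1):
        return False
    return not ((major, minor) == (7, 1) and patch >= 2)  # 7.1p2 removed it


def roaming_disabled_globally(config_text: str) -> bool:
    """True if 'UseRoaming no' covers every connection in this ssh_config.

    Keywords are case-insensitive, take ' ' or '=' as separator, and the first
    value obtained wins. Only the global section and 'Host *' blocks count; a
    directive under 'Host bastion' protects connections to bastion alone.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].lower() if len(parts) > 1 else ""
        if key in ("host", "match"):
            if key == "host" and value == "*":
                continue  # 'Host *' still applies to every connection
            break  # a narrower block: anything below is not global
        if key == "useroaming":
            return value == "no"
    return False


def exposure(banner: str, config_text: str) -> str:
    """One-line verdict combining the version check and the workaround check."""
    if not affected_version(banner):
        return "not affected: version outside 5.4..7.1p1"
    if roaming_disabled_globally(config_text):
        return "mitigated: UseRoaming no is set globally"
    return "exposed: vulnerable client and roaming still enabled"
```

Feed `exposure()` the text printed by `ssh -V` (it goes to stderr) and the contents of `~/.ssh/config`; the system-wide `/etc/ssh/ssh_config` should be checked the same way, since either file can carry the directive.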
Thanks, David, for the tip!
Modest Growth in InfoSec Employment
Among BLS's 840 Standard Occupation Classifications, or SOCs, only one exists for IT security: information security analysts. And, according to an Information Security Media Group analysis of BLS data, the number of individuals designated as ...
Posted by InfoSec News on Jan 14: http://www.computerworld.com/article/3022060/security/6-critical-updates-for-january-patch-tuesday.html
Posted by InfoSec News on Jan 14: Forwarded from: THOTCON <info (at) thotcon.org>
Posted by InfoSec News on Jan 14: http://www.theregister.co.uk/2016/01/14/cloud_security_alliance_says_infosec_wonks_would_pay_1m_ransoms/
Posted by InfoSec News on Jan 14: http://www.healthcareitnews.com/news/8-out-10-mobile-health-apps-open-hipaa-violations-hacking-data-theft
Posted by InfoSec News on Jan 14: http://www.pcmag.com/article2/0,2817,2497873,00.asp
Posted by InfoSec News on Jan 14: http://thenextweb.com/gadgets/2016/01/12/now-someone-can-steal-your-wi-fi-password-from-your-doorbell/
Posted by InfoSec News on Jan 14: http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/
Cloud Security Alliance says infosec wonks would pay $1m ransoms
Some companies will pay hackers up to US$1 million in ransoms to claw back stolen data, according to a poll by the Cloud Security Alliance. The survey garnered 209 respondents, of which half were in IT security and a third from tech, with most hailing ...