Information Security News
It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.
This evening I noticed a massive spike in the number of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl
The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:
This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data.
We have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.
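The raw figure behind a spike like this is simply the count of entries in a CRL's revokedCertificates list. The following is an added example, not the ISC collector's code: a minimal DER walker that extracts the revoked serial numbers from any DER-encoded X.509 CRL, plus a tiny encoder that builds a constructed, dummy-signed sample CRL for a fictional "Test CA" so the block runs offline (a real CRL such as the GlobalSign one above can be passed in as bytes instead).

```python
SEQUENCE, INTEGER, OID, UTF8, UTCTIME, GENTIME, SET, BITSTR = 0x30, 0x02, 0x06, 0x0C, 0x17, 0x18, 0x31, 0x03

def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (any CRL over 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def revoked_serials(crl_der):
    """Serial numbers listed in the CRL's revokedCertificates (RFC 5280 section 5.1)."""
    _, cert_list, _ = _tlv(crl_der, 0)                     # CertificateList
    tbs = list(_children(next(_children(cert_list))[1]))   # TBSCertList fields
    i = (1 if tbs[0][0] == INTEGER else 0) + 3             # skip optional version, signature, issuer, thisUpdate
    if i < len(tbs) and tbs[i][0] in (UTCTIME, GENTIME):
        i += 1                                             # optional nextUpdate
    if i >= len(tbs) or tbs[i][0] != SEQUENCE:
        return []                                          # nothing revoked (or only [0] crlExtensions)
    return [int.from_bytes(_tlv(entry, 0)[1], "big", signed=True)   # userCertificate INTEGER
            for _, entry in _children(tbs[i][1])]

def _enc(tag, content):  # minimal DER encoder, used only to build the constructed sample below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_crl(serials):
    """Constructed sample CRL issued by the fictional 'Test CA'; the signature is a dummy."""
    when = _enc(UTCTIME, b"140416000000Z")
    alg = _enc(SEQUENCE, _enc(OID, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    issuer = _enc(SEQUENCE, _enc(SET, _enc(SEQUENCE,
             _enc(OID, bytes.fromhex("550403")) + _enc(UTF8, b"Test CA"))))  # CN=Test CA
    entries = b"".join(_enc(SEQUENCE, _enc(INTEGER, s.to_bytes(s.bit_length() // 8 + 1, "big")) + when)
                       for s in serials)
    tbs = _enc(INTEGER, b"\x01") + alg + issuer + when + when            # v2, thisUpdate, nextUpdate
    if serials:                                            # revokedCertificates is omitted when empty
        tbs += _enc(SEQUENCE, entries)
    return _enc(SEQUENCE, _enc(SEQUENCE, tbs) + alg + _enc(BITSTR, b"\x00" + bytes(8)))
```

Counting `len(revoked_serials(open("gsorganizationvalg2.crl", "rb").read()))` at each fetch, and diffing the serial sets between fetches, gives exactly the per-CRL revocation delta that the chart above plots.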
How will you use this page in your projects or general analysis? We'd love to hear some ideas.
If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.
On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:
What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.
Developers who maintain the open source OpenVPN package previously warned that private keys underpinning VPN sessions were vulnerable to Heartbleed. But until Wednesday, there was no public confirmation such a devastating theft was feasible in real-world settings, said Fredrik Strömberg, the operator of a Sweden-based VPN service who carried out the attacks on a test server. An attacker carrying out a malicious attack could use the same exploit to impersonate a target's VPN server and, in some cases, decrypt traffic passing between an end user and the real VPN server.
Wednesday's confirmation means any OpenVPN server—and likely servers using any other VPN application that may rely on OpenSSL—should follow the multistep path for recovering from Heartbleed, which is among the most serious bugs ever to hit the Internet. The first step is to update the OpenSSL library to the latest version. That step is crucial but by no means sufficient. Because Heartbleed may have leaked the private key that undergirds all VPN sessions, updated users may still be susceptible to attacks by anyone who may have exploited the vulnerability and made off with the key. To fully recover from Heartbleed, administrators should also revoke their old key certificates, ensure all end user applications are updated with a current certificate revocation list, and reissue new keys.
Reader Philipp reported today a bug affecting his remaining Windows XP machines and Windows 2003 servers. It seems that all Windows XP and Windows 2003 machines with SC Forefront Endpoint Protection definition update 220.127.116.11 and later are affected. You might want to test definition update 18.104.22.168, as we have received reports stating that it fixes the problem. However, we have not yet seen any official statement from Microsoft regarding this issue.
If you disable Forefront because it is not letting your machine work, please put other controls in place that minimize the associated risk; otherwise your computers could be compromised very easily.
We also receive questions about which AV product is the best. Since the answer depends on the company and its information security assets, you might want to check Gartner's Magic Quadrant for Endpoint Protection and work out the best answer for your own company. If you want to read the entire report, you can get it from McAfee or Computerlinks.
We will update this diary if more information becomes available.
More information available at:
Oracle released its quarterly Critical Patch Update (CPU) yesterday. As usual, the number of patches is quite intimidating, but remember that these 104 fixes apply across the entire Oracle product range.
Some of the highlights:
CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.
37 new patches for Java SE, 35 of which allow remote code execution as the user running the Java applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)").
4 of the Java vulnerabilities have a base CVSS score of 10 indicating not only full remote code execution but also easy exploitability.
Posted by InfoSec News on Apr 16: http://www.defensenews.com/article/20140415/DEFREG03/304150023/BAE-Shifts-Cyber-Software-Development-Malaysia
Posted by InfoSec News on Apr 16: http://www.darkreading.com/author.asp?section_id=314&doc_id=1204483
Becrypt unveils innovative secure mobility solution at InfoSec Europe
LONDON, UK: Becrypt will be demonstrating tVolution Mini, the latest addition to its range of innovative secure mobility solutions at InfoSec Europe. tVolution Mini is a secure miniature computer the size of a credit card which plugs directly into the ...
Posted by InfoSec News on Apr 16: http://www.koreatimes.co.kr/www/news/tech/2014/04/133_155401.html
Posted by InfoSec News on Apr 16: http://www.theage.com.au/it-pro/security-it/hackers-from-china-waste-little-time-in-exploiting-heartbleed-20140416-zqvkd.html
Posted by InfoSec News on Apr 16: http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/