Information Security News
Contrary to what was announced a few months ago, the infamous "Port 32764" backdoor was not fully patched in new routers. As a reminder, the original backdoor allowed unrestricted, unauthenticated root access to a router by connecting to port 32764. The backdoor was traced back to components manufactured by Sercomm, which delivers parts for a number of name-brand routers sold under the Cisco, Linksys, Netgear and Diamond brands, and possibly others.
An analysis of an updated router by Synacktiv revealed that the code implementing the backdoor is still present and can be reactivated to listen again by sending a specific Ethernet packet. The packet is not routed, so an attacker has to have access to the local network the router is connected to, which significantly lowers the probability of exploitation but does not eliminate it.
The packet activating the backdoor is identified by an Ethernet type of 0x8888.
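Because the activation frame is never routed, the practical defensive control is to watch the local segment for it. The following is an added example, not code from Synacktiv or from the original article: a small Ethernet II header parser (following one 802.1Q VLAN tag if present) and a scanner that flags frames whose EtherType is 0x8888, the value the analysis reports. The sample frames, MAC addresses and payload bytes are constructed for the example; the real trigger payload is not described on this page and is not reproduced here.

```python
import struct
from typing import Dict, List, Optional

# EtherType reported as the trigger for re-enabling the Sercomm backdoor listener.
BACKDOOR_ETHERTYPE = 0x8888

# Standard EtherTypes, used only for readable alert text.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def parse_ethernet_header(frame: bytes) -> Dict[str, object]:
    """Parse a 14-byte Ethernet II header, unwrapping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan: Optional[int] = None
    if ethertype == 0x8100:  # 802.1Q: 2-byte TCI, then the encapsulated EtherType
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "vlan": vlan,
        "payload": frame[offset:],
    }


def is_backdoor_trigger(frame: bytes) -> bool:
    """True if the frame carries the 0x8888 EtherType (unparsable frames are not matches)."""
    try:
        return parse_ethernet_header(frame)["ethertype"] == BACKDOOR_ETHERTYPE
    except ValueError:
        return False


def scan_frames(frames: List[bytes]) -> List[str]:
    """Return one alert line per suspicious or unparsable frame."""
    alerts = []
    for i, frame in enumerate(frames):
        try:
            hdr = parse_ethernet_header(frame)
        except ValueError as exc:
            alerts.append(f"frame {i}: unparsable ({exc})")
            continue
        if hdr["ethertype"] == BACKDOOR_ETHERTYPE:
            vlan = f" vlan={hdr['vlan']}" if hdr["vlan"] is not None else ""
            alerts.append(
                f"frame {i}: EtherType 0x8888 from {hdr['src']} to {hdr['dst']}{vlan}"
                " (possible Sercomm backdoor activation)"
            )
    return alerts


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble a constructed test frame, optionally with an 802.1Q tag."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HHH", 0x8100, vlan & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample capture: two ordinary frames, two 0x8888 frames, one truncated frame.
ROUTER_MAC = bytes.fromhex("001122334455")   # constructed address
HOST_MAC = bytes.fromhex("66778899aabb")     # constructed address
FILLER = b"\x00" * 46                        # minimum Ethernet payload, constructed
SAMPLE_FRAMES = [
    build_frame(b"\xff" * 6, HOST_MAC, 0x0806, FILLER),            # ARP broadcast
    build_frame(ROUTER_MAC, HOST_MAC, 0x0800, FILLER),             # IPv4
    build_frame(ROUTER_MAC, HOST_MAC, BACKDOOR_ETHERTYPE, FILLER),  # untagged 0x8888
    build_frame(ROUTER_MAC, HOST_MAC, BACKDOOR_ETHERTYPE, FILLER, vlan=10),  # tagged
    b"\x00" * 10,                                                  # truncated frame
]

if __name__ == "__main__":
    for line in scan_frames(SAMPLE_FRAMES):
        print(line)
```

On a live network the same check belongs in the IDS rule set or in a capture filter on the switch span port; the parser above is written so that frames arriving on a tagged trunk are not missed.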
Apple today released patches for OS X, iOS and Apple TV. The OS X patches apply to versions of OS X back to Lion (10.7.5). Vulnerabilities fixed by these patches can lead to remote code execution when visiting malicious web sites.
For more details, see Apple's security update page. Links to the actual update details should become available shortly.
Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.
The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such "man-in-the-middle" attackers could exploit the bug by abusing the "triple handshake" carried out when secure connections are established by applications that use client certificates to authenticate end users.
"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple's warning explained. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."
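The mitigation Apple describes is a binding check: the server certificate seen at the first handshake is remembered, and a renegotiation that presents a different one is refused. The following is an added illustration, not Secure Transport's code, modelling that check on the client side with a SHA-256 fingerprint of the certificate bytes. The `require_same_cert` flag and the two certificate byte strings are constructed for the example; with the flag off, the model shows the pre-patch behaviour in which the renegotiation goes through.

```python
import hashlib
from typing import Optional


class RenegotiationError(Exception):
    """Raised when a renegotiation breaks the connection's certificate binding."""


class TlsConnection:
    """Minimal model of one client-side connection's handshake state (constructed)."""

    def __init__(self, require_same_cert: bool = True):
        # Patched default: renegotiation must present the original server certificate.
        self.require_same_cert = require_same_cert
        self.pinned_fingerprint: Optional[str] = None
        self.handshakes = 0

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        """Fingerprint the certificate bytes as presented on the wire."""
        return hashlib.sha256(cert_der).hexdigest()

    def handshake(self, server_cert_der: bytes) -> str:
        """Run an initial handshake or a renegotiation with the given server certificate."""
        fp = self.fingerprint(server_cert_der)
        self.handshakes += 1
        if self.pinned_fingerprint is None:
            self.pinned_fingerprint = fp
            return "initial"
        if self.require_same_cert and fp != self.pinned_fingerprint:
            raise RenegotiationError(
                "renegotiation presented a different server certificate "
                f"(expected {self.pinned_fingerprint[:16]}..., got {fp[:16]}...)"
            )
        return "renegotiated"


# Constructed stand-ins for DER-encoded certificates; not real certificates.
ORIGINAL_SERVER_CERT = b"CONSTRUCTED-DER:CN=bank.example"
DIFFERENT_CERT = b"CONSTRUCTED-DER:CN=other.example"


def renegotiation_outcome(require_same_cert: bool, second_cert: bytes) -> str:
    """Handshake with the original certificate, then renegotiate with second_cert."""
    conn = TlsConnection(require_same_cert)
    conn.handshake(ORIGINAL_SERVER_CERT)
    try:
        return conn.handshake(second_cert)
    except RenegotiationError:
        return "rejected"


if __name__ == "__main__":
    print("patched, different cert:  ", renegotiation_outcome(True, DIFFERENT_CERT))
    print("patched, same cert:       ", renegotiation_outcome(True, ORIGINAL_SERVER_CERT))
    print("pre-patch, different cert:", renegotiation_outcome(False, DIFFERENT_CERT))
```

The check is deliberately on the raw certificate bytes rather than on the subject name, so two certificates for the same hostname issued to different keys are still treated as a change of peer.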
Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.
The ARKON anesthesia delivery system is used in hospitals to deliver oxygen, anesthetic vapor, and nitrous oxide to patients during surgical procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which issued a recall in March. A bug in Version 2.0 of the software running on the device is so serious that it could cause severe injury or death, the US Food and Drug Administration warned last week in what's known as a Class I recall. In part, the FDA advisory read:
Reason for Recall: Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the System to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may also cause the System to stop working.
This defect may cause serious adverse health consequences, including hypoxemia and death. Spacelabs Healthcare received one report related to the software defect. There have been no injuries or deaths associated with this malfunction.
At least 16 vulnerable units were in place at hospitals in North Carolina and South Carolina, according to the Class I advisory, the most serious type of recall notice issued by the FDA.
OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.
OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations. The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.
"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."
Posted by InfoSec News on Apr 22: http://www.computerworld.com/s/article/9247802/SEC_seeks_data_on_cyber_security_policies_at_Wall_Street_firms
Posted by InfoSec News on Apr 22: http://www.zdnet.com/hackers-attack-spokeo-un-civil-aviation-org-in-nine-site-crime-spree-7000028594/
Posted by InfoSec News on Apr 22: http://online.wsj.com/news/article_email/SB10001424052702304626304579508212978109316-lMyQjAxMTA0MDIwMTEyNDEyWj
Posted by InfoSec News on Apr 22: http://www.chicagotribune.com/business/technology/la-fi-tn-aol-hacked-email-phishing-twitter-20140421,0,6586634.story
Posted by InfoSec News on Apr 22: http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/