Two patches are coming down the patch management pipe starting today. First, Adobe is supposed to release yet another out-of-band patch for its flash player to address a zero day vulnerability discovered in the Hacking Team breach.
And on Monday OpenSSL announced they would be releasing a patch for a "high" severity vulnerability in OpenSSL versions 1.0.2d and 1.0.1p.
Hooray patches!
This post first appeared on Exploring Information Security.
Safely Storing User Passwords: Hashing vs. Encrypting - Michael Coates - Dark Reading
A good description on the difference between symmetric encryption and hashing and some of the process involved in protecting passwords with those two methods.
Peek Inside a Professional Carding Shop - Brian Krebs - Krebs on Security
Krebs takes us on a wonderful tour of the professional carding shop "McDumpals." It's got the McDonalds arches and everything. It's a good read if you want to learn more about where stolen credit card information goes.
OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do - Brian Gorenc - HP
A new vulnerability in OpenSSL has been found. This one isn't as scary as Heartbleed, but systems do need to be checked and patched. I know that Cisco has a long list of devices affected by this and that VMWare recently released a patch for ESXi 5.5 for the vulnerability. The article itself takes an in-depth technical look at the vulnerability.
This post first appeared on Exploring Information Security.
Skimmers put inside Pearland gas pumps to steal credit, debit card info - Jeff Ehling - ABC 13 Houston
Skimmers are, actually, being found inside of pumps instead of on the outside. Which almost sounds like something out of the movies. Bad guy walks up to pump in maintenance uniform inserts device, walks away. Movie or not, the best course of action here is to make sure you're using your credit card, not your debit card to pay for gas or anything else for that matter.
Heartbleed Over-Hype - Tyler Reguly - The State of Security
One of the challenges of the information security community is educating users on what vulnerability, virus, trojan, etc. mean to them. This article brings up some good points on the heartbleed virus and educating users overall.
Heartburn from heartbleed forces wide-ranging rethink in open source world - Seth Rosenblatt - CNet
This article discusses how we could do a better job in open source and vetting the tools better that we use on the internet. The Heartbleed bug resulted from a vulnerability in OpenSSL, which is maintained by volunteers. If that sounds weird, it should. Major corporations and websites are relying on a volunteer open source project to secure their transmissions on the internet. It's a good technical read for those of you interested.
This post first appeared on Exploring Information Security.
The week of April 7, 2014, it was discovered that there was a very serious vulnerability on the internet. On a scale of 1-10, one security thought leader put the seriousness of the bug at an 11. Over half a million sites were vulnerable to this bug including many major websites such as Google, Facebook, Amazon, Yahoo, banking sites, etc.
Technically speaking a bug was found in SSL, which is used to secure internet traffic (HTTPS). The vulnerability allows attackers to get data that is being processed on the website at that time. Username, passwords, email address, social security numbers, bank information and etc. are all things that can be collected using this vulnerability. This comic has a pretty good visual explanation of the vulnerability.
This bug, only recently discovered by security researchers, has been around for two years. What that means is that we don’t know who knew about the bug and who didn’t, so we have to assume that all account information and other information on these affected websites have been compromised. Mashable has a list of sites that have been found to be affected by this bug.
Now that this bug is out in the open, it is being exploited by attackers. It is imperative that you change passwords on affected websites, and if the option is available I would highly recommend turning on two-factor authentication. However, before you do you need to make sure that the vulnerability has been fixed by the website; otherwise you’ll just compromise your new password immediately. I would recommend LastPass’ Heartbleed checker, because it tells you whether the website was previously vulnerable and if it’s vulnerable now. Here is a list of other sites to check the vulnerability of websites with.
· http://filippo.io/Heartbleed/
· http://heartbleed.criticalwatch.com/
· https://lastpass.com/heartbleed/
· https://www.ssllabs.com/ssltest/
Other Suggested Readings:
http://bhconsulting.ie/securitywatch/?p=2103
http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work
This post first appeared on Exploring Information Security.
Trying to protect yourself from Heartbleed could land you in jail - Chris Smith - BGR
There are laws in place that say testing a website's security without permissions is illegal. This would include running checks using Heartbleed websites or the Heartbleed Chrome app i linked to in Friday's post. They would have to enforce the law first, but technically you're still breaking the law when you do it. Which just further highlights how far behind the law is when it comes to the internet.
NSA Denies Knowing About Heartbleed Bug - Denver Nicks - Times
It was only a matter of time before the NSA was going to be thrown under the Heartbleed Bug Bus. The NSA has two directives to gather intelligence from it's enemies AND defend the country. Knowing about the bug in OpenSSL and not reporting it would be a massive epic fail for the NSA.
How The Heartbleed Bug Works - xkcd
A very well done, yet simple, visualization of how the Heartbleed bug works.
This post first appeared on Exploring Information Security.
This is really serious stuff people. If you haven't been paying attention to the Heartbleed bug news, now is the time. Below are some links to get you started.
Everything you need to know about the Heartbleed Bug - Timothy B. Lee - Vox
Pretty good description and intuitive layout to get to know everything about the Heartbleed Bug.
Heartbleed - Codenomicon
This site is kind of, sort of, the official site of the Heartbleed bug. It was up very quickly and gives a lot of detail on the latest vulnerability to rock the internet.
Heartbleed Bug: What Can You Do? - Brian Krebs - Krebs On Security
If you're wondering what you should be doing in regards to this vulnerability, Brian lays it out clearly in this post. Get ready to reset a lot of passwords.
The Heartbleed Hit List: The Passwords You Need to Change - Mashable
Okay so the full title is "The Passwords You Need to Change Right Now," which is being a little melodramatic (it's a ratings based site, they're looking for the clicks). Before you go running to change passwords make sure the websites that have been vulnerable have fixed the vulnerability. There is no sense in changing a password if they're still vulnerable because your new password would be immediately vulnerable. If a site offers two-factor authentication, turn it on (Google has it). To check websites there are a number of sites (and Chrome addons) you can use. Here are the ones I've used:
SSL Server Test - Qualys
This post first appeared on Exploring Information Security.
Microsoft: Let's be clear, WE won't read your email - but the cops will - Lain Thomson - The Register
Note to self: don't use Hotmail to distribute pirated copies of Windows 8.
The Heartbleed Bug, explained - Timothy B. Lee - Vox
I good explanation of the OpenSSL bug that has rocked the infosec world the past couple days. This is a pretty serious bug that puts millions of sites at risk and potentially your information such as passwords. Unfortunately, there's really nothing you can do about it except hope that the sites you have accounts on apply the patch that fixes the bug ASAP. Most big sites have probably already done it.
Xbox password flaw exposed by five-year-old boy - BBC
Five-year-old wants to get into his dads Xbox account. What does he do? Find a vulnerability in Microsoft's Xbox Live, thus starting his illustrious hacking career. It's not the least bit surprising that his dad works in security.
This post first appeared on Exploring Information Security.