InfoSec links June 13, 2014

Safely Storing User Passwords: Hashing vs. Encrypting - Michael Coates - Dark Reading

A good description of the difference between symmetric encryption and hashing, and of some of the process involved in protecting passwords with each of the two methods.
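To make the distinction the linked article draws concrete, here is an added example (not code from the Dark Reading article or from this blog) that stores the same password two ways. The hashed record uses a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library, and the only operation it supports is verification; the encrypted record is reversible for anyone holding the key, which is exactly why encryption is the wrong tool for stored passwords. The keyed keystream used on the encryption side is a stand-in built from HMAC so the block runs with no third-party modules; it is an assumption for demonstration, not a production cipher (use AES-GCM from a real library in practice).

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; OWASP-style guidance is in the hundreds of thousands
# of iterations for SHA-256. Lower values are used in the demo for speed.
PBKDF2_ITERATIONS = 600_000
NONCE_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per password so identical passwords produce different
    records and precomputed tables are useless. Nothing in the record lets
    anyone recover the password; it can only be checked.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo-only keystream: HMAC-SHA256 over (nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> bytes:
    """Symmetric encryption: nonce || (plaintext XOR keystream). Reversible."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext


def decrypt_password(key: bytes, blob: bytes) -> str:
    """Anyone holding the key (an admin, or an attacker who stole key and
    database together) gets the original password back."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed demo values; a real system never holds the password this long.
    password = "correct horse battery staple"
    record = hash_password(password)
    print("stored hash record:", record)
    print("login with right password:", verify_password(password, record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))

    key = os.urandom(32)
    blob = encrypt_password(key, password)
    print("encrypted blob:", blob.hex())
    # The encrypted form hands the plaintext back to whoever has the key.
    print("recovered from encrypted store:", decrypt_password(key, blob))
```

Two details carry the security argument. The hashed record exposes its salt and iteration count on purpose: those are not secrets, and recording them per entry lets you raise the work factor for new passwords without breaking old ones. The encrypted record, by contrast, is only as safe as the key sitting next to the database, and a breach that captures both yields every password in the clear.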

Peek Inside a Professional Carding Shop - Brian Krebs - Krebs on Security

Krebs takes us on a wonderful tour of the professional carding shop "McDumpals." It's got the McDonalds arches and everything. It's a good read if you want to learn more about where stolen credit card information goes.

OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do - Brian Gorenc - HP

A new vulnerability in OpenSSL has been found. This one isn't as scary as Heartbleed, but systems still need to be checked and patched. I know that Cisco has a long list of devices affected by this and that VMware recently released a patch for ESXi 5.5 for the vulnerability. The article itself takes an in-depth technical look at the vulnerability.

This post first appeared on Exploring Information Security.

InfoSec Links May 2, 2014

Skimmers put inside Pearland gas pumps to steal credit, debit card info - Jeff Ehling - ABC 13 Houston

Skimmers are actually being found inside pumps instead of on the outside, which almost sounds like something out of the movies: bad guy walks up to the pump in a maintenance uniform, inserts the device, walks away. Movie or not, the best course of action here is to make sure you're using your credit card, not your debit card, to pay for gas or anything else for that matter.

Heartbleed Over-Hype - Tyler Reguly - The State of Security

One of the challenges of the information security community is educating users on what a vulnerability, virus, trojan, etc. mean to them. This article brings up some good points on the Heartbleed virus and on educating users overall.

Heartburn from heartbleed forces wide-ranging rethink in open source world - Seth Rosenblatt - CNet

This article discusses how we could do a better job in open source and better vet the tools we use on the internet. The Heartbleed bug resulted from a vulnerability in OpenSSL, which is maintained by volunteers. If that sounds weird, it should. Major corporations and websites are relying on a volunteer open source project to secure their transmissions on the internet. It's a good technical read for those of you interested.


Heartbleed Bug: Things To Know

The week of April 7, 2014, it was discovered that there was a very serious vulnerability on the internet. On a scale of 1-10, one security thought leader put the seriousness of the bug at an 11. Over half a million sites were vulnerable to this bug including many major websites such as Google, Facebook, Amazon, Yahoo, banking sites, etc.

Technically speaking, a bug was found in OpenSSL, an implementation of SSL that is used to secure internet traffic (HTTPS). The vulnerability allows attackers to get data that is being processed on the website at that time. Usernames, passwords, email addresses, Social Security numbers, bank information, etc. are all things that can be collected using this vulnerability. This comic has a pretty good visual explanation of the vulnerability.

This bug, only recently discovered by security researchers, has been around for two years. What that means is that we don't know who knew about the bug and who didn't, so we have to assume that all account information and other information on these affected websites has been compromised. Mashable has a list of sites that have been found to be affected by this bug.

Now that this bug is out in the open, it is being exploited by attackers. It is imperative that you change passwords on affected websites, and if the option is available I would highly recommend turning on two-factor authentication. However, before you do, you need to make sure that the vulnerability has been fixed by the website; otherwise you'll just compromise your new password immediately. I would recommend LastPass' Heartbleed checker, because it tells you whether the website was previously vulnerable and whether it's vulnerable now. Here is a list of other sites that check whether a website is vulnerable.

· http://filippo.io/Heartbleed/
· http://heartbleed.criticalwatch.com/
· https://lastpass.com/heartbleed/
· https://www.ssllabs.com/ssltest/

Other Suggested Readings:

http://heartbleed.com/

http://bhconsulting.ie/securitywatch/?p=2103

http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work


OpenSSL Heartbleed Links April 12, 2014

Trying to protect yourself from Heartbleed could land you in jail - Chris Smith - BGR

There are laws in place that say testing a website's security without permission is illegal. This would include running checks using Heartbleed websites or the Heartbleed Chrome app I linked to in Friday's post. Someone would have to enforce the law first, but technically you're still breaking the law when you do it. Which just further highlights how far behind the law is when it comes to the internet.

NSA Denies Knowing About Heartbleed Bug - Denver Nicks - Time

It was only a matter of time before the NSA was going to be thrown under the Heartbleed Bug Bus. The NSA has two directives: gather intelligence from its enemies AND defend the country. Knowing about the bug in OpenSSL and not reporting it would be a massive epic fail for the NSA.

How The Heartbleed Bug Works - xkcd

A very well done, yet simple, visualization of how the Heartbleed bug works.


InfoSec Links April 9, 2014

Microsoft: Let's be clear, WE won't read your email - but the cops will - Iain Thomson - The Register

Note to self: don't use Hotmail to distribute pirated copies of Windows 8.

The Heartbleed Bug, explained - Timothy B. Lee - Vox

A good explanation of the OpenSSL bug that has rocked the infosec world the past couple of days. This is a pretty serious bug that puts millions of sites at risk, and potentially your information, such as passwords. Unfortunately, there's really nothing you can do about it except hope that the sites you have accounts on apply the patch that fixes the bug ASAP. Most big sites have probably already done it.

Xbox password flaw exposed by five-year-old boy - BBC

Five-year-old wants to get into his dad's Xbox account. What does he do? Find a vulnerability in Microsoft's Xbox Live, thus starting his illustrious hacking career. It's not the least bit surprising that his dad works in security.
