2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: cybersecurity regulatory efforts will spark a greater need for harmonization, service-impacting interruptions for online services will persist, we will see an increase in cybercrime activity related to the World Cup, regional cloud services will rise, DevOps security integration is fast becoming critical, cybercrime that leverages unsupported software will increase, and an increase in social engineering and ransomware will impact more people.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Keep in mind that Android anti-virus apps can’t kill malware on sight the way normal desktop AV does.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way online services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. Instead there is more advanced hacking and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3/4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, growing from about $2.1 billion to $3.1 billion in 2015.
Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and the equipment run in the cloud, protecting users from the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Centre started at the beginning of 2014. Its security articles and warnings will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. Their values vary quite a lot, and the value easily drops considerably when they become so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases), from users, from online wallets and from exchanges. When more money is involved, more bad guys try to get a share of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and there is no way lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
Vint Cerf wanted to make internet secure from the start, but secrecy prevented it
Explains to Google Hangout buds that tech was ‘classified’ at the time…
http://www.theregister.co.uk/2014/04/07/internet_inception_security_vint_cerf_google_hangout/
The NSA acted as a barrier to the rollout of encryption as standard from the very inception of the internet back in the mid 1970s.
Intel agencies including the NSA and GCHQ had already invented public key cryptography systems, but this work remained top secret.
Tomi Engdahl says:
The #1 New Paid App In The Play Store Costs $4, Has Over 10,000 Downloads, A 4.7-Star Rating… And It’s A Total Scam [Updated]
http://www.androidpolice.com/2014/04/06/the-1-new-paid-app-in-the-play-store-costs-4-has-over-10000-downloads-a-4-7-star-rating-and-its-a-total-scam/
However, you should be just as wary of security software as any other app. Case in point: there’s a slick new app in the Play Store called Virus Shield. It’s got a cool look and it’s easy to operate. Just press a single button and your virus shield is activated.
There’s just one problem: it’s a complete and total scam.
We mean it’s literally a fake security app: the only thing that it does is change from an “X” image to a “check” image after a single tap. That’s it. That’s all there is, there isn’t any more.
Update April 6, 2014 11:50pm PT: The app has now been taken down.
Tomi Engdahl says:
Heartbleed: Serious OpenSSL zero day vulnerability revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
Summary: A new OpenSSL vulnerability has shown up and some companies are annoyed that the bug was revealed before patches could be delivered for it.
New security holes are always showing up. The latest one, the so-called Heartbleed Bug in the OpenSSL cryptographic library, is an especially bad one.
While Heartbleed only affects OpenSSL’s 1.0.1 and the 1.0.2-beta release, 1.0.1 is already broadly deployed.
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves.
CloudFlare, a Web security company, revealed in a blog posting details about the security hole and that they’ve fixed the bug.
At this time, I am informed by sources that Red Hat, Debian, SuSE, Canonical, and Oracle, to name a few, are working at a feverish pace to get the patched versions of OpenSSL out to their clients.
Tomi Engdahl says:
Supreme Court passes on NSA bulk phone surveillance case
Case will head to appeals court first, but will likely end up with the Supremes.
http://arstechnica.com/tech-policy/2014/04/supreme-court-passes-on-nsa-bulk-phone-surveillance-case/
The Supreme Court declined Monday to resolve the constitutionality of the National Security Agency’s bulk telephone metadata surveillance program, leaving intact what a lower-court judge described as an “almost-Orwellian” surveillance effort in which the metadata from every phone call to and from the United States is catalogued by US spies.
The move by the justices comes as the Obama administration and Congress consider dramatically revamping the spy program disclosed in June by NSA whistleblower Edward Snowden.
Tomi Engdahl says:
The Heartbleed Bug
http://heartbleed.com/
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed.
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems.
Tomi Engdahl says:
How to test if your OpenSSL heartbleeds
https://blog.ipredator.se/2014/04/how-to-test-if-your-openssl-heartbleeds.html
While patches for most distributions are already out, we found no instructions on how to test that the fixes are working once you have them installed. Of course you did restart your services after you installed the patches right?
Tomi Engdahl says:
OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
https://www.openssl.org/news/secadv_20140407.txt
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
Tomi Engdahl says:
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
http://www.theregister.co.uk/2014/04/08/windows_xp_istilli_has_27_per_cent_market_share_on_its_deathbed/
Remember where you were once your patch Tuesday downloads end, because today is Windows XP death day.
Users other than the well-heeled and well-organised won’t receive so much as another byte of code to update the operating system as of today, bringing to an end an era that started with the operating system’s release to manufacturing on August 24th, 2001.
Tomi Engdahl says:
The… Windows… XPocalypse… is… NIGH
DON’T PANIC, listen to Trev – you’ll be fine
http://www.theregister.co.uk/2014/04/08/microsoft_winodws_xp_operating_system_patch_tuesday/
The XPocalypse is upon us, gentlebeings, and those of us who must keep XP around are doomed! Or so some very expensive marketing pushes would have us believe.
Ask yourself how that Windows XP computer is actually being used. If it is sitting there accepting some files from the internet, processing them and then spitting the results out elsewhere, do you need to have USB enabled or CD drives hooked up? Consider – and I am not joking here – just gluing the USB ports up.
Conversely, if the thing doesn’t need to be on the internet to do its job, ruthlessly block it from such. Put it on its own subnet and VLAN, wall it off from everything but the exact systems with which it will need to communicate and get a third-party firewall installed that will only talk to the systems you need to talk to.
Consider an inline firewall/ intrusion detection system operating as a separate appliance between your XP subnet and anything else they need to talk to.
If at all possible, lock XP up in a virtual machine. There are lots of reasons why this isn’t always possible – hardware dongles, the need to power proprietary hardware cards and so forth, but where possible, try.
You need to know not only when something is awry, but be able to rebuild that system from scratch at the drop of a hat.
The ultimate goal is a completely non-persistent copy of Windows XP.
Start from BartPE if you need a clean environment and from Hirens if you need one packed full of jam. Strip out what you don’t need and customise to your requirements. Test, retest, build and rebuild. Get yourself a version of XP that can last a decade because the only writeable locations the system talks to are the locations it absolutely needs to talk to in order to run its software and update its configuration.
Microsoft is committed to patching an XP descendant OS – POSReady 2009 – for some time to come. Any halfway competent blackhat could reverse-engineer the patches for that OS and exploit the now unpatched Windows XP classic.
Anti-malware programs are absolutely not going to save you.
Tomi Engdahl says:
Win XP security deadline: Think of the users, biz bods. You MUST protect their data
Keep printouts away from dumpsters, have a Plan B for XPocalypse. Simples – ICO
http://www.theregister.co.uk/2014/04/08/microsoft_windows_xp_end_of_life_data_protection/
The end of support for XP on Tuesday doesn’t only mean increased risk from hackers exploiting vulnerabilities that will never be patched. It also creates a heightened data protection risk to businesses, the UK’s data privacy watchdog has warned.
Estimates vary but Netmarketshare reckons Windows XP still has a death bed market share of 27 per cent.
“Organisations regularly end support for their older products,” Rice said. “And those with supported systems still need to be vigilant, as vulnerabilities will be discovered over time.”
Tomi Engdahl says:
Not your father’s spam: Trojan slingers attach badness to attachment WITHIN attachment
Banking baddies in recursive ruse
http://www.theregister.co.uk/2014/04/08/spam_attachment_within_spam_attachment_ruse_deployed_by_bank_trojan_slingers/
Cybercrooks are upping the ante by loading malware as an attachment inside another attachment in a bid to slip past security defences.
A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo.
Opening the “ZIP file” on a Windows machine results in an attempt to infect the machine.
Tomi Engdahl says:
The 11GH/S HexFury Is The Latest In Low-Power ASIC Bitcoin Miners
http://techcrunch.com/2014/04/04/the-11ghs-hexfury-will-is-the-latest-in-low-power-asic-bitcoin-miners/?source=gravity&cps=gravity
If you’re a bitcoin nerd, you’ll know that finding cheap, low-power mining hardware is pretty hard to do.
It’s sold by ASICRunner and is in stock right now. At a little over $265, you’ll max out at about $15 a month until the difficulty goes up too far for this device to even be effective.
Tomi Engdahl says:
The EU Court ruled the Data Retention Directive to be illegal
The European Court of Justice found in its decision of 8 April 2014 that the EU Data Retention Directive is invalid.
The Data Retention Directive, the so-called forced-storage directive, requires electronic communications service providers to retain the traffic and location data of service users, as well as the data needed to identify the subscriber or user. The Directive does not, however, allow the content of communications to be stored.
The Court stated that the directive interferes with the fundamental rights to privacy and to the protection of personal data in a wide-ranging and particularly serious way.
- The Court’s decision is a clear statement on the confidentiality of communications. The decision will inevitably have an impact on the Finnish debate on the need for mass intelligence.
Source: http://www.lvm.fi/tiedote/4395687/eu-tuomioistuin-totesi-tietojen-sailyttamista-koskevan-direktiivin-laittomaksi#.U0QDq_ajfZo.twitter
Tomi Engdahl says:
Replacing a computer? Do not succumb to a dangerous error
When switching computers, users usually want to keep useful files from the old machine. The data transfer should be done with caution.
A new computer is usually taken into use immediately, and sometimes security is forgotten. The worst situation is one where data security was not ensured on the old computer either. Files on the old computer may contain viruses and other malicious software.
According to Pekka Sillanpää, technology lead at security company Nixu, a computer buyer should first acquire an external hard drive as well as a security program for the new computer.
- The data should first be moved from the old computer to the external hard disk, Sillanpää says.
- After this, the hard drive is connected to the new computer, and the stored files should be checked with the security program before they are transferred to the new computer.
An external hard drive is a worthwhile purchase in any case, as the disk can be used to back up important files.
Source: Iltasanomat
http://www.iltasanomat.fi/digi/art-1288674678778.html
Tomi Engdahl says:
Mt Gox’s ‘transaction malleability’ claim rubbished by researchers
The dog ate my Bitcoin
http://www.theregister.co.uk/2014/04/09/mt_goxs_transaction_malleability_claim_rubbished_by_researchers/
By now, we all know the Magic the Gathering Online Exchange says it came undone because of a gap in the Bitcoin protocol called “transaction malleability”. Now, two ETH Zurich researchers have rubbished that claim.
Successful attacks, they state, can be identified because they’re eventually confirmed in a block
In the period from January 2013 to February 7 2014, when Mt Gox halted withdrawals (therefore blocking any transaction malleability attacks), the researchers say, there weren’t enough “conflict sets” to account for the 750,000 Bitcoins the exchange said were lost.
Tomi Engdahl says:
Chrome makes new password grab in version 34
Even with autocomplete off, Google will ask if it can ‘help’ by storing your passwords
http://www.theregister.co.uk/2014/04/09/chrome_makes_new_password_grab_in_version_34/
Google has announced that Chrome 34 is now stable enough to be promoted to the Stable Channel. In a few days it will therefore become the default version for millions of users.
But Chrome 34 will also “ … now offer to remember and fill password fields in the presence of autocomplete=off.” That means that even if users turn off Chrome’s feature that collects and automatically enters their login credentials to web services, the browser will nonetheless make the offer to do so.
All the time.
“It is the security team’s view that this is very important for user security by allowing users to have unique and more complex passwords for websites.”
Tomi Engdahl says:
Office, IE, Flash fixes accompany Windows XP’s final Patch Tuesday
Microsoft, Adobe move to fix more security flaws
http://www.theregister.co.uk/2014/04/08/office_ie_and_flash_fixes_accompany_final_xp_patch_tuesday/
Microsoft has released patches for critical security vulnerabilities in Word and Internet Explorer on what is to be the final Patch Tuesday update for Windows XP systems.
Tomi Engdahl says:
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Exploits allow attackers to obtain private keys used to decrypt sensitive data.
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
For a more detailed analysis of this catastrophic bug, see this update, which went live about 18 hours after Ars published this initial post.
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.
The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates
Tomi Engdahl says:
This is affecting some online services, even taking services offline, as Minecraft has done:
We temporarily took down our servers due to this: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ … A LOT of websites and services are affected by this. Be careful.
Source: https://twitter.com/notch/status/453516309851291648
Tomi Engdahl says:
The Heartbleed Bug, explained
http://www.vox.com/2014/4/8/5593654/heartbleed-explainer-big-new-web-security-flaw-compromise-privacy
There was big news in the computer security world yesterday when researchers announced a massive vulnerability in popular web encryption software called OpenSSL. Major online service providers are scrambling to address the problem. What happened? And how does it affect you? Read on to find out.
What is the Heartbleed Bug?
The majority of SSL-encrypted websites are based on an open-source software package called OpenSSL. On Monday, researchers announced a serious bug in this software that exposes users’ communications to eavesdropping. OpenSSL has had this flaw for about 2 years.
Specifically, a vulnerable computer can be tricked into transmitting the contents of the server’s memory, known as RAM.
Is that bad?
Yes. There’s a lot of private information stored in a server’s memory.
“This vulnerability is not very difficult to exploit for those who know about it,”
There aren’t precise statistics available, but the researchers who discovered the vulnerability note that the two most popular web servers, Apache and nginx, use OpenSSL. Together, these vulnerable servers account for about two-thirds of the sites on the web. SSL is also used by other internet software, such as desktop email clients and chat software.
Google says that “we have assessed the SSL vulnerability and applied patches to key Google services.” Facebook says it had already addressed the issue when it was publicly disclosed.
Unfortunately, there’s nothing users can do to protect themselves if they visit a vulnerable website.
Tomi Engdahl says:
Security Flaw Emphasizes the Need to Change Passwords
http://bits.blogs.nytimes.com/2014/04/08/security-flaw-emphasizes-the-need-to-change-passwords/?_php=true&_type=blogs&_r=0
Wait a day or so. Then change the passwords on the web services you use.
That is probably the best advice for web users unnerved by reports of a potential vulnerability for email and other online accounts because of the security flaw called Heartbleed.
“There’s nothing users can do until the web services have made their sites secure,” Mr. Seiden said.
The Heartbleed scare, even if it doesn’t turn out to hurt many consumers, is a reminder of the importance of password hygiene.
Tomi Engdahl says:
‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
A flaw in software that’s widely used to secure Web communications means that passwords and other highly sensitive data could be exposed. Some say they’ve already found hundreds of Yahoo passwords.
Tomi Engdahl says:
Attack of the week: OpenSSL Heartbleed
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
The start of my last class was pretty lame, which meant either (1) we’d finally learned how to make our crypto software secure, or (2) something terrible was about to happen.
Heartbleed is a surprisingly small bug in a piece of logic that relates to OpenSSL’s implementation of the TLS ‘heartbeat’ mechanism. The bug is present in OpenSSL versions 1.0.1 through 1.0.1f (and not in other versions).
The problem is fairly simple: there’s a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain (a) long-term server private keys, (b) TLS session keys, (c) confidential data like passwords, (d) session ticket keys.
Any of the above may allow an attacker to decrypt ongoing TLS sessions or steal useful information.
You can test if a given server is vulnerable using one of these tools
Having identified a problem, the first step is to patch OpenSSL. Fortunately this is relatively easy. The 1.0.1g version is not vulnerable, and Debian has a patch. You can also recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option.
Sadly, this is only the beginning. Since there’s no way to tell whether a server has been exploited (and exploit code is now in the wild) you need to assume that it is. This means the safe move is to revoke your certificate and get a new one. Have fun.
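The missing bounds check described in the post above, as an added example that is not part of the original post, the comment thread, or OpenSSL’s own source: a small C model of the TLS heartbeat handler with the vulnerable pattern from OpenSSL 1.0.1 through 1.0.1f beside the check that 1.0.1g added (reject the record when 1 + 2 + payload + 16 exceeds the bytes actually received). The record layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the 64-byte claimed length, the “ping” payload, the SECRET string and the 256-byte arena standing in for server memory are constructed for the demonstration, and the real code operates on OpenSSL’s SSL3_RECORD rather than this tls_record struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* minimum padding required by RFC 6520 */
#define ARENA_SIZE       256     /* constructed stand-in for server memory */

/* A received record: the heartbeat bytes and how many actually arrived. */
typedef struct {
    const unsigned char *data;
    size_t length;
} tls_record;

/* Encode HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding.
 * 'claimed' goes into the header; 'actual' is how many payload bytes really follow. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed,
                              const unsigned char *payload, size_t actual)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Echo 'payload' bytes starting at p back in a HeartbeatResponse. */
static int write_response(unsigned char *resp, size_t cap,
                          const unsigned char *p, uint16_t payload)
{
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > cap)
        return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);          /* copies whatever memory lies at p */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)total;
}

/* The bug (1.0.1 through 1.0.1f): the peer-supplied length is never compared
 * with rec->length, so the copy runs past the end of the received record. */
static int heartbeat_vulnerable(const tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    if (p[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    return write_response(resp, cap, p + 3, payload);   /* may read past the record */
}

/* The fix (1.0.1g): silently discard any record whose claimed payload, plus
 * header and minimum padding, does not fit inside the bytes received. */
static int heartbeat_fixed(const tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING) return -1;       /* too short to be valid */
    if (p[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return -1;                                         /* claimed length does not fit */
    return write_response(resp, cap, p + 3, payload);
}

/* Does 'needle' occur anywhere in buf[0..len)? */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed "secret" placed right after the record in the simulated memory. */
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY-BYTES";

/* Run one handler against a 4-byte "ping" heartbeat whose header claims 64 bytes.
 * Returns 1 if SECRET leaked into the response, 0 if not, -1 if the record was rejected. */
static int run_probe(int (*handler)(const tls_record *, unsigned char *, size_t))
{
    unsigned char arena[ARENA_SIZE], resp[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    size_t reclen = build_heartbeat(arena, 64, (const unsigned char *)"ping", 4);
    memcpy(arena + reclen, SECRET, sizeof SECRET);        /* adjacent process memory */
    tls_record rec = { arena, reclen };
    int n = handler(&rec, resp, sizeof resp);
    return n < 0 ? -1 : contains(resp, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaked secret: %d\n", run_probe(heartbeat_vulnerable));
    printf("fixed handler (-1 = rejected):    %d\n", run_probe(heartbeat_fixed));
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbeat_model.c`. The vulnerable handler hands back 83 bytes for a 23-byte record, and the constructed secret that sits just after the record shows up in the response; the fixed handler drops the same record without answering, which is also why a patched server is indistinguishable from one that never had the extension compiled in (the -DOPENSSL_NO_HEARTBEATS route from the advisory). The model keeps the over-read inside its own arena so the demonstration itself is well-defined C; on a real server the bytes beyond the record are whatever the allocator placed there.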
Tomi Engdahl says:
Python Heartbleed (CVE-2014-0160) Proof of Concept
https://gist.github.com/sh1n0b1/10100394
Tomi Engdahl says:
Hackers increasingly attack corporate networks through third-party devices:
Hackers Lurking in Vents and Soda Machines
http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html
They came in through the Chinese takeout menu.
Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.
Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
Break into one system, and you have a chance to break into them all.
“We constantly run into situations where outside service providers connected remotely have the keys to the castle,” said Vincent Berk, chief executive of FlowTraq, a network security firm.
The Ponemon Institute last year found that roughly a quarter — 23 percent — of breaches were attributable to third-party negligence.
“When you know you’re the target and you don’t know when, where or how an attack will take place, it’s wartime all the time,” Ms. Hallawell said. “And most organizations aren’t prepared for wartime.”
Tomi Engdahl says:
EU court rejects requirement to keep data of telecom users
http://www.reuters.com/article/2014/04/08/us-eu-data-ruling-idUSBREA370F020140408
The European Union’s highest court on Tuesday overthrew a rule that required telecoms companies to store the communications data of EU citizens for up to two years, on the grounds that it infringed on basic rights.
Brussels introduced the data-retention directive in March 2006 after bombings on public transport in Madrid and London. The aim was to give the authorities better tools to investigate and prosecute organised crime and terrorism.
The rule had required telecoms service providers to keep traffic and location data as well as other information needed to identify the user, but not the content of the communication.
Austrian and Irish courts had asked the European Court of Justice to rule if the law was in line with the Charter of Fundamental Rights of the EU.
Tomi Engdahl says:
Cloud bazaar Amazon stitches up Heartbleed OpenSSL vulns
Bezos & Co patch mammoth web infrastructure to stop memory-leaking frightener
http://www.theregister.co.uk/2014/04/08/aws_heartbleed/
Amazon is working to patch “Heartbleed” memory-leak vulnerabilities in its Amazon Web Services hosting infrastructure.
At the time of writing, Amazon said it had dealt with all its Elastic Load Balancers affected by Heartbleed, apart from those in its vast “US-EAST-1” data center region.
“The vast majority of load balancers have been updated and we continue to work on the remaining load balancers and expect them to be updated within the next few hours,” it said.
Tomi Engdahl says:
Napster cofounder’s Jerk.com accused of acting like … err … jerks
Site charged with seeking payments to clear smear profiles
http://www.theregister.co.uk/2014/04/09/napster_cofounders_jerkcom_accused_of_acting_like_err_jerks/
The US Federal Trade Commission (FTC) is cracking down on a site they say lifted user information to create smear profiles on a for-profit reputation site.
The FTC said that the operators of Jerk.com (which appears to have since been taken down) harvested data from millions of Facebook users to create profiles without permission, and then charged users to clear unflattering information.
Tomi Engdahl says:
Cyber hostage-takers SCAMMED six times as many people last year
Your money or your file? Targeted attacks lasted longer too – report
http://www.theregister.co.uk/2014/04/09/symantec_threat_report/
Malware-powered frauds that lock up victims’ computers – or worse yet, encrypt files and force them to pay a fee to unlock their information – increased by 500 per cent during 2013, according to a study by Symantec.
Symantec’s latest global Internet Security Threat Report also revealed that targeted attack campaigns for the purposes of either cyber-espionage or cyber-crime exploded over the last year, increasing by 91 per cent over the reporting period.
Tomi Engdahl says:
Bruce Schneier / Schneier on Security:
Heartbleed is a catastrophic bug in OpenSSL, on a scale of 1 to 10, it is an 11
Heartbleed
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
Heartbleed is a catastrophic bug in OpenSSL
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own. Test your vulnerability here.
The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
Tomi Engdahl says:
Heartbleed test
http://filippo.io/Heartbleed/
Enter the hostname of a server to test it for CVE-2014-0160.
Tomi Engdahl says:
Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed
Paper is safe. Clay tablets too
http://www.theregister.co.uk/2014/04/09/heartbleed_vuln_analysis/
The catastrophic crypto key password vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also affected.
The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from servers running vulnerable versions of OpenSSL, and this includes email servers and Android smartphones as well as routers.
Hackers could potentially gain access to private encryption keys before using this information to decipher the encrypted traffic to and from vulnerable websites.
The bug exists in the OpenSSL 1.0.1 source code and stems from coding flaws in a fairly new feature known as the TLS Heartbeat Extension. “TLS heartbeats are used as ‘keep alive’ packets so that the ends of an encrypted connection can agree to keep the session open even when they don’t have any official data to exchange,”
Many routers and other forms of networking equipment use OpenSSL to secure the mini web servers that run their admin interfaces, leaving networking equipment vulnerable as a result.
Networking giant Cisco was quick to put out an advisory.
Smartphones and tablets running Android 4.1.1 are also thought to be vulnerable.
“The ‘Heartbleed’ bug has epic repercussions since it affects one of the cryptographic suites that is used to run critical services on the Internet (OpenSSL 1.0.1),”
“The ‘Heartbleed’ SSL vulnerability affects widely deployed versions of the OpenSSL library which is used in the majority of software”
Tomi Engdahl says:
OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
https://www.openssl.org/news/secadv_20140407.txt
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected
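The missing bounds check named in the advisory, shown as an added C example that is not part of this comment, the advisory or OpenSSL's own source: heartbeat_unchecked and heartbeat_checked are hypothetical handlers carrying the pre- and post-fix logic, run over a constructed memory image in which the record's claimed payload_length exceeds what the record layer actually delivered.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical handlers written for this comment, mirroring the shape of the bug,
 * not OpenSSL's source. Heartbeat body: type (1) | payload_length (2) | payload | padding (>=16). */
#define HB_HDR      3
#define HB_PADDING 16

/* Pre-fix logic: trusts the sender's payload_length and never looks at the real record length. */
static int heartbeat_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HDR, payload);   /* copies past the record when payload_length lies */
    return payload;
}

/* Post-fix logic: answer only if the claimed payload plus mandatory padding fits in the
 * bytes the record layer delivered (1 + 2 + payload + 16 <= rec_len); otherwise discard. */
static int heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* Constructed memory image: a 20-byte record (1 payload byte + 16 padding) that claims
 * payload_length = 32, followed by 15 bytes standing in for neighbouring heap data.
 * One array keeps the over-read inside the allocation, so the demo is deterministic. */
static const uint8_t g_memory[35] = {
    0x01, 0x00, 0x20, 'A', 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    'S','E','C','R','E','T','-','K','E','Y','-','D','A','T','A'
};
#define RECORD_LEN 20   /* what the record layer actually delivered */

/* 1 if the unchecked reply carries the neighbouring "secret" (the bytes after the padding). */
int unchecked_leaks_neighbour(void) {
    uint8_t out[64];
    int n = heartbeat_unchecked(g_memory, out, sizeof out);
    return n == 32 && memcmp(out + 1 + HB_PADDING, "SECRET", 6) == 0;
}

/* -1: the checked handler silently discards the same malformed record. */
int checked_discards_malformed(void) {
    uint8_t out[64];
    return heartbeat_checked(g_memory, RECORD_LEN, out, sizeof out);
}

/* 1: a well-formed record (payload_length = 1, 16 bytes of padding) is still answered. */
int checked_answers_valid(void) {
    static const uint8_t ok[20] = { 0x01, 0x00, 0x01, 'A' };
    uint8_t out[64];
    return heartbeat_checked(ok, sizeof ok, out, sizeof out);
}
```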
Tomi Engdahl says:
OpenSSL vulnerability – Heartbleed
https://community.openvpn.net/openvpn/wiki/heartbleed
A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too.
If your OpenVPN is or has been vulnerable to heartbleed you should consider your keys, and the traffic over the VPN tunnel, compromised.
Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f.
Replace the keys for each peer that was active while linked against a vulnerable OpenSSL.
Tomi Engdahl says:
Are Android clients affected too?
Android shipped OpenSSL 1.0.1 as of 4.1, but disabled heartbeats as of 4.1.2. That means only Android 4.1(.0) and 4.1.1 are vulnerable.
Source: https://community.openvpn.net/openvpn/wiki/heartbleed
Tomi Engdahl says:
“A bad flaw in the Internet requires immediate action” – it was found in Finland
A serious problem has been found in the SSL encryption that protects, for example, web services, passwords and payment transactions. The problem is named Heartbleed.
Kyberturvallisuuskeskus, the cyber security centre of the Finnish Communications Regulatory Authority, has published a special warning. According to it, the problem requires immediate action from network administrators. Kyberturvallisuuskeskus calls for administrators to update the server OpenSSL library immediately.
An interesting detail of the SSL affair is that the problem was discovered in Finland. The greatest attention has focused on Neel Mehta of Google’s security unit, who first reported the problem to the OpenSSL developers.
However, the Finnish company Codenomicon also found the fault. Codenomicon found the problem while developing its SafeGuard technology, which is used for automated searching for security problems. The company reported the SSL problem to Kyberturvallisuuskeskus, which began to coordinate the fix for this issue. The SSL hole, however, came out another way before this process was completed.
Source: Tietokone
http://www.tietokone.fi/artikkeli/uutiset/internetin_paha_vika_vaatii_valittomia_toimia_loydettiin_suomessa
Tomi Engdahl says:
MtGox CEO faces likely US arrest as legal woes mount over failed bitcoin exchange
http://gigaom.com/2014/04/08/mtgox-ceo-faces-likely-us-arrest-as-legal-woes-mount-over-failed-bitcoin-exchange/
Summary: The head of what was the world’s biggest bitcoin exchange will almost certainly not step foot in the US for an April 17 court appearance.
Since MtGox filed for bankruptcy, lawyers and creditors have been engaged in a global chase in search of what amounts to digital dust. The legal process has been especially complicated, owing to the borderless nature of bitcoin, and to the case’s multiple jurisdictions: the bankruptcy proceedings are underway in Japan and the United States, and the related CoinLab proceeding has so far involved deposing the assistant of a French national — Karpeles — in Taiwan.
Tomi Engdahl says:
Heartbleed: mundane coding error more devastating than fancy crypto attacks like BEAST, CRIME
Attack of the week: OpenSSL Heartbleed
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
Tomi Engdahl says:
What Heartbleed Can Teach The OSS Community About Marketing
http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/
If you’re a technologist and you’re not living under a rock, you’ve heard about Heartbleed, which is a Severity: Apocalyptic bug in the extraordinarily widely deployed OpenSSL software. Heartbleed lets anyone capable of finding a command line read encryption keys, passwords, and other private data out of affected systems. If you don’t remember addressing this in the last 48 hours close this window immediately and get to work.
Heartbleed is much better marketed than typical for the OSS community, principally because it has a name, a logo, and a dedicated web presence.
Compare “Heartbleed” to CVE-2014-0160, which is apparently the official classification for the bug.
Geeks sometimes do not like when technical facts are described in emotionally evocative fashion.
The Heartbleed announcement should be taught in Technical Writing courses. It is masterful communication.
That is tight, precise, hard-hitting writing,
The Heartbleed logo is probably one of the highest ROI uses of ~$200 in the history of software security. (I don’t actually know whether they got it done for $200, but that is about what I paid the last time I had a logo done for an OSS project.)
There exists a huge cultural undercurrent in the OSS community which suggests that marketing is something that vaguely disreputable
Tomi Engdahl says:
Heartbleed Security Flaw Emphasizes the Need to Change Passwords
http://bits.blogs.nytimes.com/2014/04/08/security-flaw-emphasizes-the-need-to-change-passwords/?_php=true&_type=blogs&_r=0
Wait a day or so. Then change the passwords on the web services you use.
That is probably the best advice for web users unnerved by reports of a potential vulnerability for email and other online accounts because of the security flaw called Heartbleed.
Immediately changing passwords could feed a new password into a website that has not fixed the flaw
“There’s nothing users can do until the web services have made their sites secure,” Mr. Seiden said.
“This is a good time to review your password practices in general,”
Tomi Engdahl says:
Alleged Silk Road Creator’s Lawyer Denies Bitcoin Is ‘Monetary Instrument,’ Moves To Drop All Charges
http://www.forbes.com/sites/andygreenberg/2014/04/01/alleged-silk-road-creators-lawyer-denies-bitcoin-is-monetary-instrument-moves-to-drop-all-charges/
Tomi Engdahl says:
Yahoo DMARC Implementation Breaks Most Mailing Lists
http://tech.slashdot.org/story/14/04/09/2047205/yahoo-dmarc-implementation-breaks-most-mailing-lists
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a two-year-old proposed standard previously discussed on Slashdot that is intended to curb email abuse, including spoofing and phishing. Unfortunately, as implemented by Yahoo, it claims most mailing list users as collateral damage.
Tomi Engdahl says:
Canada Halts Online Tax-Filing Services
‘Heartbleed’ Bug Could Expose Masses of Personal Information; Services Seen Resuming This Weekend
http://online.wsj.com/news/article_email/SB10001424052702303873604579491861092490006-lMyQjAxMTA0MDAwOTEwNDkyWj
Canada shut down its online tax-filing services just weeks before millions of Canadians must file their tax returns, citing the emergence of a computer bug that could expose masses of critical personal information.
It wasn’t clear why Canada took the unusual step, which it called a “preventative” measure to “safeguard the integrity of the information we hold.”
Last year more than 20 million Canadian taxpayers submitted their tax returns electronically, representing 75% of all filings.
Tomi Engdahl says:
Half a million widely trusted websites vulnerable to Heartbleed bug
http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to view up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server’s encrypted traffic or even impersonate the server.
Tomi Engdahl says:
Enter a URL or a hostname to test the server for CVE-2014-0160.
http://filippo.io/Heartbleed/
Tomi Engdahl says:
Google Chrome now remembers the passwords your bank doesn’t want it to
http://www.geek.com/apps/google-chrome-now-remembers-the-passwords-your-bank-doesnt-want-it-to-1590530/
Google Chrome 34 arrived on the Stable Channel yesterday, and it brought with it the usual security patches and stability tweaks as well as a few new features. Among them: the password manager will now store passwords for sites that normally block that from happening (like your bank’s or credit card company’s).
Typically, sites like banks will disable built-in password managers by adding the autocomplete=off parameter to the password input field. They consider it a security risk to store credentials for their services, which may be true in some cases.
But if a Google Chrome user can store their password, they might be more willing to use a more complex one — instead of easy-to-remember passwords like ‘password123’ and ‘letmein’. Chrome has also got a built-in password generator now
Now, Google is not alone in thinking that a user’s preference should override an institution’s.
Tomi Engdahl says:
F-Secure’s Hyppönen: check your credit card bill urgently – a new security hole plagues online store customers
The reason is the recently discovered Heartbleed hole, which affects the encrypted traffic of a number of web sites. According to Hyppönen, the hole seems to affect online stores first and foremost.
The ordinary web surfer cannot do anything about the security hole; only webmasters can fix the problem.
Source: Tietoviikko
http://www.tietoviikko.fi/uutisia/stt+fsecuren+hypponen+tarkista+luottokorttilasku+kiireesti++uusi+tietoturvaaukko+kiusaa+nettikauppojen+asiakkaita/a980890
Tomi Engdahl says:
Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass
http://www.washingtonpost.com/business/technology/heartbleed-bug-puts-the-chaotic-nature-of-the-internet-under-the-magnifying-glass/2014/04/09/00f7064c-c00b-11e3-bcec-b71ee10e9bc3_story.html
A major flaw revealed this week in widely used encryption software has highlighted one of the enduring — and terrifying — realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.
The Heartbleed bug, which security experts first publicly revealed on Monday, was a product of the online world’s makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software — often built and maintained by volunteers — to help make those services secure.
Heartbleed, security experts say, was lodged in a section of code that had been approved two years ago by a developer that helps maintain OpenSSL
While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous.
At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.
“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,”
Tomi Engdahl says:
The Real Threat From The Heartbleed Security Flaw Is The NSA
“The best guess is that the only ones exploiting this bug are spy agencies, if anyone at all.”
http://www.buzzfeed.com/charliewarzel/the-nsa-and-the-real-problem-behind-the-heartbleed-security
Heartbleed, the enormous security bug that could affect up to two-thirds of the internet, has left more than 500,000 websites exposed to attackers. And while many are worried their information was left vulnerable to criminal hackers, one security adviser believes the NSA could well have been the true beneficiary of the flaw.
“This is an honest amateur programming mistake,” Sophos Security Senior Adviser Chet Wisniewski told BuzzFeed, noting that there is almost zero likelihood surveillance organizations were behind the flaw. “It sounds like somebody just hit the ‘enter’ key before completing their thought.”
Tomi Engdahl says:
The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/