By Richard Nieva, CNET News Security, April 8, 2014

A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers. It’s an extremely serious issue, affecting some 500,000 servers, according to Netcraft, an Internet research firm. Here’s what you can do to make sure your information is protected, according to security experts contacted by CNET: Do not log into accounts from afflicted sites until you’re sure the company has patched the problem. If the company hasn’t been forthcoming

By Dan Goodin, Ars Technica, April 7, 2014

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data. The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. “Bugs in single software or library come and go and are fixed by new versions,” the researchers who discovered the vulnerability wrote in a blog post published Monday. “However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.” The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks.
The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and this analysis provides useful technical details. [...]

By Shimon Cohen, Arutz Sheva, 4/7/2014

The threatened #opisrael cyber-attack turned out to be a dud – but Israel does not have enough manpower to ward off a major cyber-attack. Dr. Michael Orlov, head of the cyber-engineering department of Shamoon College Engineering in Be’er Sheva, explained the problem to Arutz Sheva Monday. As Orlov explained, the hacking projects against Israel by Anonymous – a loosely organized group of hackers worldwide, but for #opIsrael mostly localized to Middle-Eastern countries – are a childish attempt to “feel important,” and nothing more. Currently, cyber-attacks against Israel largely focus on replacing a site’s content with propaganda, and leaving a site alone after it is fixed. This, he said, “is not a serious problem.” Future attacks may be, however. Orlov emphasizes that if a major country – e.g. Iran – were to set aside the “relatively small amount” of $50 million dollars to establish a professional hacking team, Israel could be in trouble. “We have seen Iran do this in the past to other countries, like Saudi Arabia,” Orlov stated, “Hackers attacked, broke into [websites] and deleted information. If this happens, we cannot dismiss the impact of attacks.” [...]

By Jeremy Kirk, IDG News Service, March 31, 2014

One of the two banks suing Target and security vendor Trustwave over responsibility for one of the largest data breaches in history has pulled out of the lawsuit. Trustmark National Bank, of New York, filed a notice of dismissal of its claims on Friday in U.S. District Court for the Northern District of Illinois. It had joined Green Bank of Houston in the class-action suit, which claims Target and Trustwave failed to stop the theft of 40 million payment card details and 70 million other personal records. The suit may have wrongly named Trustwave as one of Target’s IT security contractors. After the suit was filed on March 24, Trustwave said it would not comment on pending litigation and customarily does not identify its customers. Many agreements with IT vendors and customers are confidential. But on Saturday, Trustwave’s Chairman and CEO Robert J. McCullen added more clarity by writing a letter on its website saying Target did not outsource its data security or IT obligations to the company. [...]


Problems with running to SSL in fear of the NSA.

On March 28, 2014, in Personal, Security, by Lawrence Pingree

Recently, a whole host of companies have been rapidly implementing SSL across their entire websites in response to the NSA scandal. I for one don’t buy into the paranoia to the extent that the media and everyone else does. As an American citizen, my expectation is that my government is doing what it can to protect me, and as a technologist I am constantly advising organizations globally on what they need to do to protect themselves. In the process, it is very common for technologies to be deployed that peer into user network traffic. The main goal of this inspection is to protect users, not to spy and snoop on their activities. I realize that organizations are a bit different from a government agency, but honestly folks, when have you seen court cases involving NSA data? It’s very few and far between. Intelligence is about gathering information. Information is used as context in decision making; we all do this and seek information for all decisions we make.

Now I am not defending the NSA’s tromping through the US constitution, I agree that our government should be tightly controlled and held to the constitutional standards set forth by our forefathers. I only want to shed some light on what “we” already do as organizations globally. We as organizations go way beyond tracking “metadata” about the users that use our networks, and this is largely in order to protect ourselves from the evil presented by the hackers and nation states that wish to get into our information or steal our intellectual property.

Now we come to the use of SSL. Although I do believe that all folks who are concerned with government monitoring, or who transport sensitive information over the internet, should be encrypting it, one thing that organizations need to consider is the impact on the user experience and on their own infrastructure. Leveraging SSL for absolutely all content can have a dramatic performance disadvantage. Although SSL encryption is now much easier to implement due to hardware performance enhancements, implementing SSL can still have huge impacts and must be considered by all that are involved. I urge the community at large and the IETF to push for mixed-mode web content encryption and new standards in browsers that would provide encryption that can be specified only for sensitive things like the transport of cookies, forms, specific called-out elements and other such information, without the need to transport absolutely everything over an encrypted channel. I realize that HTML does provide for this, but many browsers prompt users with warnings, making it difficult for web content providers to selectively encrypt content that “must” be secured while other content remains unencrypted. There could be a concerted effort that eliminates the need for browser warnings while also improving the security of “sensitive” content.

One major disadvantage here is that for organizations that wish to dramatically reduce network load and leverage caching proxies, SSL must be terminated at the proxy in order for these proxy caches to be effective. This actually diminishes security quite extensively and could introduce potential liability (I am not a lawyer, so this isn’t legal advice). The reason I bring up this topic is that I leverage a network proxy cache myself, and I really don’t want to pierce my SSL sessions en masse to properly cache my network resources.

My two cents. What are yours?

By Matthew Goldstein, DealBook, The New York Times, March 26, 2014

A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections. Other companies are asking law firms to stop putting files on portable thumb drives, emailing them to nonsecure iPads or working on computers linked to a shared network in countries like China and Russia where hacking is prevalent, said the people briefed on the matter. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies. “It is forcing the law firms to clean up their acts,” said Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that specializes in working with law firms. “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.” [...]

By jerichoattrition, March 26, 2014

After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two biggest names being speculated were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was no doubt sent to Cartwright among others. As such, I believe this is the “straw that broke the camel’s back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record. As I previously noted, relying on Twitter and Pastebin dumps is not a reliable alternative to a mail list. Others agree with me including Gordon Lyon, the author and maintainer of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose.
Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headache, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.

Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.

From: Nicholas Lemonias. (
Date: Tue, Mar 18, 2014 at 9:11 PM
Subject: Abuse from $ISP hosts
To: abuse@

Dear Sirs, I am writing you to launch an official complaint relating to Data Protection Directives / and Data Protection Act (UK). Therefore my request relates to the retention of personal and confidential information by websites hosted by Secunia. These same information are also shared by UK local and governmental authorities and financial institutions, and thus there are growing concerns of misuse of such information. Consequently we would like to request that you please delete ALL records containing our personal information (names, emails, etc..) in whole, from your hosted websites ( and that distribution of our information is ceased . We have mistakenly posted to the site, and however reserve the creation rights to that thread, and also reserve the right to have all personal information deleted, and ceased from any electronic dissemination, use either partially or in full. I hope that the issue is resolved urgently without the involvement of local authorities. I look forward to hearing from you soon. Thanks in advance, *Nicholas Lemonias*

Update 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas Lemonias has threatened me in various ways in a set of emails, all public now. [...]

March 25, 2014

Like many of us in the security community, I (Fyodor) was shocked last week by John Cartwright’s abrupt termination of the Full Disclosure list which he and Len Rose created way back in July 2002. It was a great 12-year run, with more than 91,500 posts during John’s tenure. During that time he fought off numerous trolls, DoS attacks, spammers, and legal threats from angry vendors and researchers alike. John truly deserves our appreciation and thanks for sticking with it so long! Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete. They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future. Jericho from OSVDB and Attrition elaborates further in this great post. Upon hearing the bad news, I immediately wrote to John offering help. He said he was through with the list, but suggested: “you don’t need me. If you want to start a replacement, go for it.” After some soul searching about how much I personally miss the list (despite all its flaws), I’ve decided to do so! I’m already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run, which has long been the most popular archive for Full Disclosure and many other great security lists. I already maintain mail servers and Mailman software because I run various other large lists including Nmap Dev and Nmap Announce. [...]
