Hacking & Security

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

Google Security Blog - 18 Duben, 2014 - 01:36
Posted by Matthew O'Connor, Product Manager

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager.  Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- and encourage others to report them -- so that that we can fix software flaws before they are exploited. 

If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, here is what you need to know:

Cloud SQL
We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.

Google Compute Engine
Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.

Google Search Appliance (GSA)Engineers have patched GSA and issued notices to customers. More information is available in the Google Enterprise Support Portal.

AndroidAll versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).

We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe.
Apr 12: Updated to add Google AdWords, DoubleClick, Maps, Maps Engine and Earth to the list of Google services that were patched early, but inadvertently left out at the time of original posting.

Apr 14: In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available.

Also updated to add Google Analytics and Tag Manager to the list of Google services that were patched early, but inadvertently left out at the time of original posting.

Apr 16: Updated to include information about GSA patch.
Kategorie: Hacking & Security

Clicking 'Like' can cancel your right to sue a company

Sophos Naked Security - 18 Duben, 2014 - 00:17
General Mills might be the first company to rig its legal terms to ensure that interacting with it in just about any way online - downloading or printing a coupon, visiting its website, or getting its email newsletter - means you can't sue it.

Samsung Galaxy S5 fingerprint reader hacked – it’s the iPhone 5s all over again!

Sophos Naked Security - 17 Duben, 2014 - 23:53
The Samsung Galaxy S5 fingerprint scanner can be fooled with wood glue, just like Apple's "Touch ID" sensor in the iPhone 5s. So why are both Apple and Samsung touting fingerprint scanners as more secure than passwords?

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Krebs on Security - 17 Duben, 2014 - 23:19

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

Kategorie: Hacking & Security

This Netcraft tool flags sites affected by Heartbleed

Computerworld.com [Hacking News] - 17 Duben, 2014 - 22:33
Worried about how the Heartbleed vulnerability may affect your personal accounts? A new tool may be of help.
Kategorie: Hacking & Security

Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5, (Thu, Apr 17th)

SANS [Internet Storm Center] - 17 Duben, 2014 - 22:25

I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Adrew Wes ...(more)...

Kategorie: Hacking & Security

Mission-critical satellite communications wide open to malicious hacking

Ars Technica - 17 Duben, 2014 - 22:13
https://commons.wikimedia.org/wiki/File:Hammer_Ace_SATCOM_Antenna.jpg

Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.

Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.

"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."

Read 5 remaining paragraphs | Comments

Kategorie: Hacking & Security

Like Apple’s TouchID, Galaxy S5 Vulnerable to Fingerprint Hack

Threatpost - 17 Duben, 2014 - 21:03

Researchers published a video this week demonstrating how Samsung’s latest entry in the smartphone arena, the Galaxy S5, is vulnerable to a hack that involves lifting and copying fingerprints to trick the phone’s biometric sensor.

Much like the Apple iPhone 5S, the smartphone, which first hit the market last week, boasts a fingerprint scanner as an added layer of security.

Now the same research outfit that was able to hack the iPhone’s 5S’s Touch ID feature last year, Germany’s Security Research Labs (SRLabs), has managed to bypass a similar feature on the Galaxy S5. Like the iPhone hack the Galaxy hack relies on the attackers using a mold of a fingerprint; or in this case a lab-manufactured wood glue replica of a print, to carry out their attack.

In a video posted Tuesday the researchers claim their method allows for “seemingly unlimited authentication attempts without ever requiring a password.”

While this may sound like a pretty farfetched exploit vector – a user would have to have the Finger Scanner set up on this exact brand of phone and an attacker would have to go through the trouble of creating the fingerprint replica – as the folks from SRLabs note, it could have implications for those who use the new fingerprint scan feature on PayPal’s Android app.

That app allows users to transfer funds using their fingerprint as a biometric authenticator, meaning that if an attacker had access to your phone, and one of these fingerprint molds, they’d be able to make purchases and unsolicited money transfers from the account.

In the video the researchers demonstrate how an attacker could wire himself money via PayPal from a person’s debit account. Using the fingerprint replica it takes three swipes for PayPal to recognize the bogus fingerprint, but according to the researcher, attackers could be allowed “multiple attempts to make a successful swipe with this spoof.”

In a statement released by the company this week PayPal downplayed the issue, claiming they were taking SRLabs’ findings seriously but were confident that its app is still “easier and more secure” than using passwords or credit cards. PayPal added that it could simply deactivate cryptographic keys associated with fingerprints on accounts from lost or stolen devices and allow users to make a new one.

The company added that in the unlikely occurrence that one of its users gets duped by an attacker with one of these phony fingerprint scans, it will reimburse any losses they incur.

To use the S5’s fingerprint scanner, the phone requires users to swipe a finger eight times over the home button. The user can then use that fingerprint to lock their screen, verify their Samsung account or authenticate their PayPal account.

A number of critics have been vocal against using fingerprints as a biometric authentication measure for years now. Some of those voices, including researchers from the Chaos Computer Club (CCC) and SRLabs, have pointed out that whenever a fingerprint gets stolen, there’s no way to change it and that it’s easy to lift users’ fingerprints off of items, including their personal devices.

Still though, fingerprint spoofs, known in some circles as ‘fake fingers’ are not easy to produce. CCC hacker Starbug, who was famously the first to break Apple’s TouchID last fall, used a high resolution image of a fingerprint with latex to produce his.

“This demonstrates—again—that fingerprint biometrics is unsuitable as [an] access control method and should be avoided,” the CCC said in September.

Kategorie: Hacking & Security

Several Tor Exit Nodes Vulnerable To Heartbleed Bug

The Hacker News - 17 Duben, 2014 - 21:00
Half of the Internet fall victim to the biggest threat, Heartbleed bug and even the most popular online anonymity network Tor is also not spared from this bug. Tor is one of the best and freely available privacy software, runs on the network of donated servers that lets people communicate anonymously online through a series of nodes that is designed to provide anonymity for users and
Kategorie: Hacking & Security

Certificate Revocations Shoot Up in Wake of OpenSSL Heartbleed Bug

Threatpost - 17 Duben, 2014 - 19:50

The after effects of the OpenSSL heartbleed vulnerability continue to spread through the technology industry, nearly two weeks after the details of the flaw were disclosed. One of the latest repercussions is a huge increase in the number of SSL certificates being revoked, as site owners and hosting providers go through the process of replacing vulnerable certificates.

Certificate authorities and other organizations maintain certificate revocation lists that browsers can use to determine whether a certificate on a given site has been revoked. Site owners will revoke certificates for a number of reasons, including security problems. Those revocations typically go unnoticed, unless a high-profile site is involved or there’s some event that causes a large number of sites to need to replace their certificates.

Enter heartbleed.

In the last few days, there has been a tremendous spike in the volume of certificate revocations.

A good portion of that increase–which saw revocations go from perhaps a few thousand a day to more than 70,000 earlier this month–can be attributed to CloudFlare replacing all of the certificates for sites that it manages. The company was one of the few organizations that got early warning about the OpenSSL bug before the software’s maintainers revealed the details.

“After learning the full extent of the bug and that it had been live on the Internet for two years, we started an investigation to see whether our private keys and those of our customers were at risk,” Nick Sullivan of CloudFlare wrote in a blog post.

“We started our investigation by attempting to see what sort of information we could get through Heartbleed. We set up a test server on a local machine and bombarded it with Heartbleed attacks, saving the blocks of memory it returned. We scanned that memory for copies of the private key and after extensive scanning, we could not find a trace of it.”

CloudFlare then issued a public challenge, asking researchers to see whether they could get the private key from a vulnerable server the company set up. Within a few hours, someone succeeded. And several other people later won the challenge, as well, retrieving the private key.

“A nagging question is why, when OpenSSL has functions to cleanse memory, are these chunks of keys being found in memory. We are continuing to investigate and if a bug is found will submit a patch for OpenSSL,” Sullivan wrote.

“The more HTTPS traffic the server serves, the more likely some of these intermediate values end up on the heap where Heartbleed can read them. Unfortunately for us, our test server was on our local machine and did not have a large amount of HTTPS traffic. This made it a lot less likely that we would find private keys in our experimental setting. The CloudFlare Challenge site was serving a lot of traffic, making key extraction more likely. There were some other tricks we learned from the winners about efficiently finding keys in memory.”

There’s been some discussion about whether it is practical for an attacker to retrieve the private key of a target server using the heartbleed attack, and Sullivan said he sees it as doable.

“Based on these findings, we believe that within two hours a dedicated attacker could retrieve a private key from a vulnerable server. Since the allocation of temporary key material is done by OpenSSL itself, and is not special to NGINX, we expect these attacks to work on different server software including non-web servers that use OpenSSL,” he wrote.

 

Kategorie: Hacking & Security

Heartbleed sees first arrest in wake of Canada Revenue Agency breach

Sophos Naked Security - 17 Duben, 2014 - 17:57
The arrest of Stephen Arthuro Solis-Reyes, who is alleged to have grabbed 900 Social Insurance Numbers from the Canadian tax authorities over a period of six hours, marks the first time that authorities have apprehended someone in relation to the "heartbleed" bug in OpenSSL.

Tor Begins Blacklisting Exit Nodes Vulnerable to Heartbleed

Threatpost - 17 Duben, 2014 - 17:40

The Tor Project has begun blacklisting exit nodes vulnerable to the Heartbleed vulnerability in OpenSSL.

Researcher Collin Mulliner, with the Systems Security Lab at Northeastern University in Boston, published the results of an experiment he conducted using a publicly disclosed Heartbleed proof-of-concept exploit against 5,000 Tor nodes. Mulliner said that 1,045 nodes, or a little more than 20 percent, were vulnerable to the bug.

Mulliner said only Tor exit nodes were leaking plaintext user traffic, including host names, credentials and web content. Mulliner conducted his experiment for three days last Friday through Sunday, and his results are a point-in-time snapshot. A post yesterday from Tor Project leader Roger Dingledine on the Tor mailing list said that 380 vulnerable exit keys were being rejected.

Heartbleed was publicly reported on April 7. The vulnerability lies in the heartbeat function in OpenSSL 1.0.1 to 1.0.1f which publicly leaks 64 KB of memory to any client or server pinging a web server running the vulnerable crypto library. The memory leaks can disclose in plaintext anything from user credentials to private server keys if the attack is repeated enough. Several researchers have already managed to retrieve private SSL keys in an online challenge from vendor CloudFlare. Speculation is that intelligence agencies and/or hackers may have been exploiting it since November. Mulliner said he did not try to extract private keys from Tor, nor did he think it was possible.

Tor promises anonymity to its users by using proxies to pass encrypted traffic from source to destination. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear.”

“I found a significant amount of plaintext user traffic, complete Web traffic, session IDs; everything you would find if you ran Heartbleed against a normal Web server,” Mulliner said.

Heartbleed saves attackers the work of setting up their own exit node and waiting for traffic to pass through it. Using Heartbleed, all a hacker would have to do is query a vulnerable exit node to obtain traffic, Mulliner said.

Dingledine yesterday published the first list of rejected exit nodes and said those nodes will not be allowed back on the network.

“I thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they’ve upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don’t want this identity key on the Tor network even after they’ve upgraded their OpenSSL,” Dingledine wrote. He added that he hopes others will add to this list as other vulnerable relays are discovered.

Tor acknowledged some of its components were vulnerable to Heartbleed in a post to its blog on April 7.

Mulliner said it was a fairly straightforward process to write a script to run a Heartbleed proof of concept.

“Anybody who can get the Python script can play around with it,” Mulliner said, adding that there are likely fewer vulnerable Tor nodes now than when he ran his scans last week since some have likely been patched and Tor has begun blacklisting. “The data is dated, but it’s a good picture of that point in time.”

Kategorie: Hacking & Security

Kurt Baumgartner on APT Attacks in the Enterprise

Threatpost - 17 Duben, 2014 - 16:59

Dennis Fisher talks with Kaspersky Lab security researcher Kurt Baumgartner about the specter of APT attacks in enterprises, what kind of tactics APT attackers are using now and the effect of the Heartbleed openSSL bug on the certificate  authority system.

http://threatpost.com/files/2014/04/digital_underground_151.mp3
Kategorie: Hacking & Security

Now there’s an easy way to flag sites vulnerable to Heartbleed

Ars Technica - 17 Duben, 2014 - 15:52
Netcraft

Developers at Internet services company Netcraft have released a browser extension that makes it easy for Web surfers to know if the site they're visiting is vulnerable to the catastrophic Heartbleed vulnerability.

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.

The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.

Read 3 remaining paragraphs | Comments

Kategorie: Hacking & Security

Nový algoritmus Googlu dokáže vyluštit i složitý test CAPTCHA

Zive.cz - bezpečnost - 17 Duben, 2014 - 15:04
Některé testy CAPTCHA jsou poslední dobou natolik složité, že jimi neprojde nejen stroj, ale také člověk. V Googlu to ale vidí jinak, jejich nový systém totiž dokáže rozlousknout vlastní systém CAPTCHA na stránkách Googlu s vyšší než 90% úspěšností. Toto by měl podle plánu rozluštit pouze člověk. ...
Kategorie: Hacking & Security

Invoking Assembly Code in C#

InfoSec Institute Resources - 17 Duben, 2014 - 14:00

Abstract This article explains the techniques of inline Assembly programming by linking or invoking the CPU-dependent Native Assembly 32-bit code to C#.NET managed code. The .NET framework in fact doesn’t support assembly code execution explicitly via the CLR compiler because it JITs the IL code to native code, and there [...]

The post Invoking Assembly Code in C# appeared first on InfoSec Institute.

Kategorie: Hacking & Security

Kanadská policie chytila prvního hackera, který zneužil chyby Heartbleed

Zive.cz - bezpečnost - 17 Duben, 2014 - 13:58
Police zatkla prvního hackera, který v praxi zneužil Heartbleed. Jedná se o devatenáctiletého studenta informatiky z kanadské Western University. Podle plátku Calgary Herald policie polapila Stephena Arthura Solise-Reyese v Londýně poblíž Toronta a obvinila jej ze zneužití cizího počítačového ...
Kategorie: Hacking & Security

Windows XP's retirement turns into major security project for Chinese firm

InfoWorld.com [Security] - 17 Duben, 2014 - 13:55

Microsoft may have retired Windows XP, but one of China's leading security vendors is trying to keep the OS threat-free, and rolling out protection software to hundreds of millions of users in the nation.

On April 8, Microsoft officially ended support to the OS, meaning that Windows XP users will no longer receive security updates from the company. In preparation, Chinese security vendor Qihoo 360 has been developing its own free "XP Shield" software for Chinese PC users.

Kategorie: Hacking & Security

Windows XP's retirement turns into major security project for Chinese firm

InfoWorld.com [Security] - 17 Duben, 2014 - 13:55

Microsoft may have retired Windows XP, but one of China's leading security vendors is trying to keep the OS threat-free, and rolling out protection software to hundreds of millions of users in the nation.

On April 8, Microsoft officially ended support to the OS, meaning that Windows XP users will no longer receive security updates from the company. In preparation, Chinese security vendor Qihoo 360 has been developing its own free "XP Shield" software for Chinese PC users.

Kategorie: Hacking & Security
Syndikovat obsah