OpenSSL bug CVE-2014-0160

Posted on April 8, 2014 by mea

If you’re using an older OpenSSL version, you’re safe.

via OpenSSL bug CVE-2014-0160 | The Tor Blog.

I find that statement quite interesting due to how many security experts tout keeping your software constantly updated without realizing sometimes updates can introduce exploit vectors.

From: The Heartbleed Bug

What makes the Heartbleed Bug unique?

Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.

From: Exploits allow attackers to obtain private keys used to decrypt sensitive data.

They called on white-hat hackers to set up “honeypots” of vulnerable TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild. The researchers have dubbed the vulnerability Heartbleed because the underlying bug resides in the OpenSSL implementation of the TLS heartbeat extension as described in RFC 6520 of the Internet Engineering Task Force.

SSL TLS HTTPS Web Server Certificate Fingerprints

Posted on March 5, 2014 by mea

Public and Private keys form cryptographically matched pairs. It is not feasible to derive one from the other, yet what one encrypts only the matching other can decrypt. Website SSL security certificates provide the site’s Public cryptographic key which is the public side of the server’s secret Private cryptographic key which is never publicly disclosed. Only the certificate’s public key can be used to encrypt data which the remote server can decrypt only using its matching private key. Since the SSL Proxy Appliance does not have the private key of the remote server—because only the remote server has it—the fake & fraudulent certificate the SSL Proxy provides to the user’s web browser is forced to use a different public key for which it does have a matching private key. And that means that no matter how hard any SSL-intercepting Proxy Appliance may try to spoof and fake any other server’s certificate, the certificate’s public key MUST BE DIFFERENT

via GRC | SSL TLS HTTPS Web Server Certificate Fingerprints

The remote server’s REAL certificate and the SSL Appliance’s FAKED certificate MUST HAVE AND WILL HAVE radically different fingerprints. They will not be remotely similar..

The Two Cultures of Computing

Posted on December 26, 2013 by mea

There are now two main cultures in computing: Most computer users treat software as a tool for getting tasks done, while programmers hold conversations with their software. One big challenge when teaching programming, no matter in what language, is getting students used to a conversation-oriented programmer culture, which is very different than a tool-oriented user culture.

via Philip Guo – The Two Cultures of Computing.

GSMA Creates Remotely Managed SIM For M2M Applications

Posted on December 20, 2013 by mea

To fix this issue, the GSMA has developed a non-removable SIM that can be embedded in a device for the duration of its life, and remotely assigned to a network. This information can be subsequently modified over-the-air, as many times as necessary.

The GSMA says its new SIM can reduce ongoing operational and logistical costs. Replacing one SIM is not going to break the bank, but replacing a few million could make a dent in any budget, it reckons.

via GSMA Creates Remotely Managed SIM For M2M Applications.

Stop listening to your users

Posted on November 11, 2013 by mea

He said after the application is released, they don’t learn from the complaints nearly as much as they learn from watching the employees use the application on the job and see where the issues are. It’s much easier to observe the problem than trying to tease it out of the users.

via Stop listening to your users | CITEworld.

In response to NSA revelations, the internet’s engineers set out to PRISM-proof the net

Posted on October 31, 2013 by mea

Yet one major caveat remains. While the IETF might be able to secure the pipes through which users’ data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies.

via In response to NSA revelations, the internet’s engineers set out to PRISM-proof the net | Radio Netherlands Worldwide.

TR-069: Still Sexy After All These Years

Posted on October 25, 2013 by mea

Today, a quarter of all broadband lines on the planet are managed by TR-069 and its management of devices has been expanded in line with changes in the type of devices needing to be managed (many devices can be managed from gateways to VoIP devices to set-top boxes). And the complexity you now see in the connected home environment in terms of technology (and the protocols used) is just not an issue for the continually evolving TR-069, as non-TR-069 devices can be proxy managed.

via TR-069: Still Sexy After All These Years | Light Reading.

“Bloodsucking leech” puts 100,000 servers at risk of potent attacks

Posted on August 16, 2013 by mea

The threat stems from baseboard management controllers that are embedded onto the motherboards of most servers. Widely known as BMCs, the microcontrollers allow administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. But serious design flaws in the underlying intelligent platform management interface, or IPMI, make BMCs highly susceptible to hacks that can cascade throughout a network, according to a paper presented at this week’s Usenix Workshop on Offensive Technologies.

via “Bloodsucking leech” puts 100,000 servers at risk of potent attacks | Ars Technica.

Motorola Is Listening

Posted on July 2, 2013 by mea

Most subsequent connectivity to both services (other than downloading images) is proxied through Motorola’s system on the internet using unencrypted HTTP, so Motorola and anyone running a network capture can easily see who your friends/contacts are (including your friends’ email addresses), what posts you’re reading and writing, and so on. They’ll also get a list of which images you’re viewing, even though the actual image download comes directly from the source.

via Motorola Is Listening – Projects – Beneath the Waves.

Smartphones easily used to skim credit card data

Posted on April 24, 2013 by mea

The app used the near field communication (NFC) antenna built into the Galaxy SIII phone, a feature available on many phones running Google’s Android operating system. The antenna is normally used to allow two phones to talk to each other.

via Smartphones easily used to skim credit card data – Manitoba – CBC News.

Bucktown Bell

Cut to the chase.

Category Archives: Interfaces