Threatpost for B2B

The First Stop For Security News

BlackBerry, Cisco Products Vulnerable to OpenSSL Bug

Fri, 04/11/2014 - 07:37

Vendors are continuing to check their products for potential effects from the OpenSSL heartbleed vulnerability, and both Cisco and BlackBerry have found that a variety of their products contain a vulnerable version of the software.

BlackBerry on Thursday said that several of its software products are vulnerable to the OpenSSL bug, but that its phones and devices are not affected. The company said its BBM for iOS and Android, Secure Workspace for iOS and Android and BlackBerry Link for Windows and OS X all are vulnerable to the OpenSSL flaw.

“BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation,” the company’s advisory says.

Meanwhile, the list of Cisco products affected by the heartbleed vulnerability is much longer.

The company said in its advisory that many of its products, including its TelePresence Video Communications Server, WebEx Meetings Server, many of its Unified IP phones and several others, are vulnerable. Cisco also said that a far larger list of products are potentially vulnerable and are under investigation.

Cisco’s Sourcefire Vulnerability Research Team did some testing on the vulnerability and found that on vulnerable systems it could retrieve usernames, passwords and SSL certificates.

“To detect this vulnerability we use detection_filter (“threshold”) rules to detect too many inbound heartbeat requests, which would be indicative of someone trying to read arbitrary blocks of data. Since OpenSSL uses hardcoded values that normally result in a 61 byte heartbeat message size, we also use rules to detect outbound heartbeat responses that are significantly above this size. Note: you can’t simply compare the TLS record size with the heartbeat payload size since the heartbeat message (including the indicated payload size) is encrypted,” Brandon Stultz of Cisco wrote in a blog post.
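The two checks Stultz describes can be sketched in Python over TLS record headers. This is an added example, not Sourcefire's Snort rules and not code from the article. It relies only on the 5-byte record header, which stays in cleartext even though the heartbeat message inside is encrypted; the thresholds, window and sample traffic are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

TLS_HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
NORMAL_HEARTBEAT_SIZE = 61   # usual heartbeat size quoted in the article
RESPONSE_SLACK = 64          # assumed margin before a response counts as oversized
REQUEST_LIMIT = 5            # assumed: inbound heartbeats tolerated per window
WINDOW_SECONDS = 60          # assumed counting window


def tls_record(content_type, length, version=0x0302):
    """Build a constructed TLS record: 5-byte cleartext header plus opaque filler."""
    return struct.pack("!BHH", content_type, version, length) + b"\x00" * length


def iter_tls_records(data):
    """Yield (content_type, length) for every complete TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        if version >> 8 != 3 or offset + 5 + length > len(data):
            break  # not TLS framing, or record truncated: stop rather than guess
        yield ctype, length
        offset += 5 + length


class HeartbeatMonitor:
    """Rate check on inbound heartbeats, size check on outbound ones."""

    def __init__(self, request_limit=REQUEST_LIMIT, window=WINDOW_SECONDS,
                 max_response=NORMAL_HEARTBEAT_SIZE + RESPONSE_SLACK):
        self.request_limit = request_limit
        self.window = window
        self.max_response = max_response
        self.seen = defaultdict(deque)   # client -> timestamps of recent requests

    def observe(self, ts, client, direction, data):
        """Inspect one TCP payload; direction is 'inbound' (to server) or 'outbound'."""
        alerts = []
        for ctype, length in iter_tls_records(data):
            if ctype != TLS_HEARTBEAT:
                continue
            if direction == "inbound":
                recent = self.seen[client]
                recent.append(ts)
                while ts - recent[0] > self.window:
                    recent.popleft()          # forget requests outside the window
                if len(recent) > self.request_limit:
                    alerts.append(("heartbeat-request-rate", client, len(recent)))
            elif length > self.max_response:
                # Only the record length is visible; the inner payload-length
                # field is encrypted and cannot be compared against it.
                alerts.append(("oversized-heartbeat-response", client, length))
        return alerts


def run_sample():
    """Replay constructed traffic and return the alerts raised."""
    noisy, quiet = "198.51.100.7", "203.0.113.9"   # documentation address ranges
    hb = tls_record(TLS_HEARTBEAT, NORMAL_HEARTBEAT_SIZE)
    events = [(t, noisy, "inbound", hb) for t in range(6)]
    events += [
        (6, noisy, "outbound", tls_record(TLS_HEARTBEAT, 16384)),
        (7, quiet, "inbound", hb),
        (8, quiet, "outbound", hb),
        (9, quiet, "outbound", tls_record(23, 4000)),  # application data, ignored
    ]
    monitor = HeartbeatMonitor()
    alerts = []
    for ts, client, direction, data in events:
        alerts.extend(monitor.observe(ts, client, direction, data))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```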


Cyber Intelligence Asia 2014: CERTs and Industrial Security

Thu, 04/10/2014 - 20:47

In March I spoke at Cyber Intelligence Asia 2014, where CERTs from most Asian countries were presented.

The fact is that only a few CERTs are now dealing in some way with industrial security, ICS and SCADA matters. One of the best of those is CERT of Japan, which is doing a great job here, and Jack YS Lin provided a nice overview of their activities and experience. Japan has a national ICS Test Bed, somewhat similar to Idaho National Lab, and is the only country besides the US that has an ISASecure certification entity. However, not all Japanese CNIs (Critical National Infrastructures) or even Industrial Automation vendors are doing enough in the security space.

The other countries seem to me much less advanced than Japan in understanding the ICS security domain, its problems and pursuing country-wide enhancements.

During the conference, we discussed the government role in enhancing critical infrastructure protection, and found that it is not about putting more compliance toward the CNI operators (we all know that compliance is not security). Instead, it is more about educating, creating actionable awareness by using engaging techniques and tools so CNI operators will be involved in developing their own solutions for strengthening security.

My personal take is that the regulator’s role is mainly to do what business/market won’t do by itself. So in my opinion, the list includes (but is surely not limited to):

  • Enhancing intelligence & law enforcement in the cyber space;

  • Following both short and long-term security strategies, targeted both for CNI operators and automation vendors;

  • Engaging CNI management in security decisions by raising awareness in tangible form, and not just developing cybersecurity frameworks;

  • Imposing the need to pass Cyber Resilience tests at ICS commissioning;

  • Including cyber security as a mandatory part of industrial safety/liability programs;

  • Investing in CNI professional trainings and certifications;

  • Creating ICS-CERTs, ICS honeypots and industrial cyber drills.

PS: and, as always, people at Cyber Intelligence Asia enjoyed practicing with the Kaspersky Industrial Protection Simulation. There were moderate results, compared with other security professionals we played with in North America and Europe. This might be correlated with a certain lack of understanding of ICS specifics as stated above. I hope, however, that things will change sooner rather than later.

Does your country have an ICS CERT or ICS activity in its CERT already? What’s working best in favor of Industrial Security in your area?

Cisco Patches Vulnerabilities, Looking Into Heartbleed Impact

Thu, 04/10/2014 - 16:32

Cisco patched four different vulnerabilities this week in one of its core operating systems and is now beginning to look into the potential impact of this week’s Heartbleed vulnerability in at least 60 of its other products.

The patches, released yesterday, fix problems in the company’s Adaptive Security Appliance (ASA) software that could have led to privilege escalation, authentication bypass, and opened products running ASA to a denial of service attack. ASA is a family of security devices, firewalls and other apps.

If exploited, an attacker could combine the first two vulnerabilities – a Privilege Escalation vulnerability in its Adaptive Security Device Manager (ASDM) and an SSL VPN Privilege Escalation vulnerability – to gain administrative access to the affected system.

Another VPN bug, an authentication bypass vulnerability, could allow an attacker to access the internal network via SSL VPN.

The last and perhaps most serious bug affects ASA’s Session Initiation Protocol (SIP). Dug up by researchers from Trustwave’s SpiderLabs and Dell’s SecureWorks, the bug could allow an attacker to exhaust the system’s memory. If SIP’s inspection engine is enabled – and it is by default on systems – an attacker could send handcrafted packets to the system, make it unstable, force it to reload and trigger a denial of service (DoS) condition.

According to a security advisory the company posted Wednesday, a series of firewalls, routers and other Cisco appliances that run ASA are affected. The full list can be found here.

Cisco makes a point to note that on the whole, ASA is not one of the products it manufactures that is affected by this week’s much-buzzed-about OpenSSL Heartbleed vulnerability.

Cisco does acknowledge however that its ASDM product – which comes bundled with ASA – may be affected by the vulnerability. The company is now reportedly in the beginning stages of evaluating its entire product line to determine Heartbleed’s potential impact.

Ultimately however, when it comes to vulnerable software, it sounds as if it’s not going to be an “is it or isn’t it?” question but a “how many?” question.

In an advisory yesterday the company claimed that “multiple” Cisco products incorporate a version of the OpenSSL package that’s affected by Heartbleed, something that could “allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.”

In a list updated today, there are apparently only 25 or so products that are not affected by Heartbleed but 11 that definitely are. Cisco is still looking into an extensive list of remaining products, 60+ in all, that may or may not be affected. It eventually plans to remediate the issues by releasing updates, along with workarounds if possible, in the near future.

The internet-wide Heartbleed bug stems from the way OpenSSL handles heartbeat extensions for TLS and was disclosed Monday, but speculation is now rampant that it may have been exploited as far back as last November.

Heartbleed: A Bug With A Past and A Future

Thu, 04/10/2014 - 15:16

Bruce Schneier stood on the Source Boston keynote stage yesterday and used the word “ginormous” to describe the severity of the OpenSSL heartbleed bug.

“My guess is that when heartbleed became public, the top 20 governments in the world started exploiting it immediately,” Schneier said.

That’s assuming, of course, that those top 20 governments didn’t already have heartbleed and haven’t been exploiting it all along. The vulnerability in OpenSSL is an Internet-wide bug, one that’s kept a lot of people busy the last two days patching servers, revoking certificates, updating new ones, and changing a whole lot of passwords. And as Schneier said, governments may be slow in adopting new technologies, but when they do, they generally have the resources to do it well.

So is it equally ginormously dangerous to think the NSA, the Chinese or take-your-pick hacktivist group hasn’t been exploiting heartbleed since close to the time it was introduced into OpenSSL on New Year’s Eve 2011?

Ars Technica reported yesterday that MediaMonks of the Netherlands had evidence of exploit attempts going back to last November. Electronic Frontier Foundation technology projects director Peter Eckersley said inbound packets to MediaMonks contained TCP payload bytes that match those used by a proof-of-concept exploit.

Eckersley said the source IP addresses for those bytes belong to a botnet that’s been recording Freenode and other IRC activity.

“This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers,” Eckersley said.

The EFF is asking network operators to check logs not only for the IP addresses in question, but for the TCP payload.

“A lot of the narratives around heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it,” Eckersley said. “At least the first half of that scenario is starting to look likely.”

Heartbleed is so dangerous not only because it’s everywhere OpenSSL 1.0.1 to 1.0.1f is deployed, but also because attacks leave no trace. Everyone must assume they’re compromised. As expert Dan Kaminsky wrote today: “It’s a significant change, to assume the worst has already occurred.”

Kaminsky’s comment appears in a wide-ranging article on heartbleed, and the most salient point is that while OpenSSL may be the most prevalent TLS library, and it stands to reason that it’s among the most coveted technologies for compromise by intelligence agencies, it’s run by only a handful of competent and undercompensated people. A Wall Street Journal article points out that the OpenSSL Project, which funds OpenSSL development, received less than $1 million from donations and consulting contracts.

“We are building the most important technologies for the global economy on shockingly underfunded infrastructure,” Kaminsky said. “We are truly living through Code in the Age of Cholera.”

Johns Hopkins professor and crypto expert Matthew Green said OpenSSL supports more than 80 platforms and reviews code contributions and changes from numerous sources, all with a fairly impressive record of not falling down on itself until this week.

“Maybe in the midst of patching their servers,” Green wrote this week, “some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job.”

Google Adds Continuous Monitoring of Android Apps

Thu, 04/10/2014 - 14:41

Google is adding a new security feature to Android designed to scan installed apps on a device and ensure that they’re not acting maliciously or taking unwanted actions. The system is built on Google’s existing app-verification model, which warns users if there’s a potential problem with an app they’re installing.

The addition to Android’s security system is meant to augment the Bouncer tool that Google uses to scan apps in the Play store for malicious functionality. That feature has been in place since 2012 and has enabled the company to help stem the tide of malicious apps making their way into the app store and onto users’ devices. Bouncer looks for known malware and other malicious behavior.

Android also has a feature that will verify apps during installation and may block them or warn the user of a problem.

Now, Google is adding the ability for Android to monitor the behavior of apps while they’re on a device.

“Building on Verify apps, which already protects people when they’re installing apps outside of Google Play at the time of installation, we’re rolling out a new enhancement which will now continually check devices to make sure that all apps are behaving in a safe manner, even after installation. In the last year, the foundation of this service—Verify apps—has been used more than 4 billion times to check apps at the time of install. This enhancement will take that protection even further, using Android’s powerful app scanning system developed by the Android security and Safe Browsing teams,” Rich Cannings, an Android security engineer, wrote in a blog post.

Most Android users likely haven’t seen the warnings that the Verify apps system throws, but Cannings said that the new system provides an extra measure of defense against malicious apps. Researchers have found that developers will sometimes send updates to installed apps, adding malicious or otherwise unwanted functionality.

“Because potentially harmful applications are very rare, most people will never see a warning or any other indication that they have this additional layer of protection. But we do expect a small number of people to see warnings (which look similar to the existing Verify apps warnings) as a result of this new capability,” Cannings said.

What Have We Learned: OpenSSL Heartbleed Bug

Thu, 04/10/2014 - 12:19

There’s nothing the Internet loves more than a fat, juicy story that it can sink its sharpened, yellowing canines into. And for the security community, the OpenSSL heartbleed vulnerability has been the equivalent of a 72-ounce steak. But an Internet-breaking vulnerability like this one is no good unless we can learn something from it (or at least give it a clever hashtag).

So let’s have a look at what’s gone down in the last few days and see what lessons we can take from all this.

The Internet is brittle. Actually, this isn’t a new lesson. The people who think about these things for a living have been saying this for years, or decades, in some cases. But they’ve probably been too kind. The Internet is a fish shack in the Florida Keys propped up on stilts, and the constant battering from the waves and erosion of the sea floor are taking their toll. It’s sort of listing to one side and there’s some barnacles growing on the pilings, but it’s still standing. For now. The infrastructure that supports the Internet is fragile and it’s dependent upon a small handful of old protocols. And that kind of prey rarely escapes the notice of predators for long.

The long-term effects may be silent but deadly. OpenSSL is everywhere. Everywhere. By some estimates, it’s implemented on about two-thirds of Web sites, large ones, small ones, in-between ones. A good number of the owners of the sites that use OpenSSL likely have no idea that their sites are affected, because they rely on hosting providers. And let’s not forget about the untold number of embedded devices that may have OpenSSL implemented in their firmware. Those devices are much harder to locate, test and patch than a typical Web server is. The really bad news, though, is that we may not know the ultimate effect of this vulnerability for some time, as it’s difficult to know whether an attacker has exploited the bug on a given target. We may see data breaches months from now that involve an attack on the OpenSSL vulnerability. And it is also difficult to determine how many sites have patched their systems, without a massive scan.

Breaking crypto–don’t do that. There’s been no shortage of speculation about the possibility of the NSA having an unspecified capability to break an encryption system such as SSL. But much of what we’ve seen from the leaked documents has shown that the agency, like most attackers, relies on implementation flaws and vulnerabilities in the code. They don’t need to build a supercomputer in a cave in North Dakota to break a cryptosystem when they can rely on someone making a mistake and get the same result. Human error is much more common than the ability to break an encryption algorithm.

The disclosure debate is still a thing. Well, sort of. News of the OpenSSL vulnerability first appeared Monday when the OpenSSL Project posted an advisory with a short description of the problem. Quickly, the scope of the vulnerability began to sink in and researchers realized how many sites, systems and devices could be vulnerable. Then people began wondering why some companies and vendors apparently had early warning about the vulnerability and others didn’t get the same courtesy. That discussion went downhill rather quickly. Large-scale vulnerabilities like the OpenSSL bug, by their nature, make it almost impossible to warn every company, site owner or vendor that’s potentially affected. This isn’t a flaw in a product with four customers. It’s the whole Internet. Neel Mehta, the researcher who discovered the bug, reported it to OpenSSL, which produced a patch and alerted users. That’s how things should work.

Internet-wide bugs still happen. Vulnerabilities like this one are, thankfully, relatively rare. Major bugs in ubiquitous software happen on a regular basis (see: Web browsers). We’ve seen serious problems in Apache, the DNS system, Microsoft IIS and other software that run large parts of the Internet in the past, and they’ve caused major problems in some cases. The OpenSSL vulnerability has all the makings of that level of vulnerability, given the package’s ubiquity and the potential consequences of a successful exploit against it. We think of systems such as utilities, SCADA and others as critical infrastructure, but, as Dan Kaminsky points out in his essay on heartbleed, there is an entirely separate class of software that qualifies for that description. And that’s where the big fish still lie. “The answer is that we need to take Matthew Green’s advice, start getting serious about figuring out what software has become Critical Infrastructure to the global economy, and dedicating genuine resources to supporting that code. It took three years to find Heartbleed. We have to move towards a model of No More Accidental Finds,” Kaminsky wrote.


Ensnare Attack Detection Tool Hopes to Frustrate Hackers, Too

Thu, 04/10/2014 - 07:13

BOSTON – Two engineers from Netflix this week released to open source a security tool that detects attacks against web applications—and also reacts to those attacks with responses they hope will flummox a hacker to the point that he moves on to his next target.

The utility is called Ensnare and is available on Github. It is a Ruby on Rails gem plug-in and once added to a Web application, it will add steps to requests browsers make to a web application server that will quickly detect attacks, characterize them, and send responses back to the browser that range from error messages, to security alerts, to agonizing delays. What makes Ensnare noteworthy is that it’s customizable and doesn’t interfere with legitimate site users or affect their experience.

“We wanted to build something that was easy to use, that you could get running on a real application in 15 minutes and does advanced response handling,” said Scott Behrens, a senior application security engineer at Netflix, during his talk Wednesday at Source Boston. “We wanted to make it extensible too so that you could contribute to the project. We hope to collect metrics, learn about attacks and use that data to extend Ensnare to be more effective.”

Behrens said Ensnare sits alongside an application and examines requests looking for bad behavior such as SQL injection or cross-site scripting attempts, and logs those. It can also be configured in the application layer to set booby-traps, or honey traps as they call them, that will be triggered by malicious activities in areas where legitimate users would never browse.

Behrens’s colleague Andy Hoernecke said when those traps are triggered, customizable responses can be sent to the attacker’s browser based on the aggregate number of violations and their severity. Legitimate requests, in the meantime, aren’t subjected to this experience.

“You can modify the response that comes back from the server; you can send a 404 message or send a message that says ‘We know what you’re doing,’ or send an alert to the security team,” Hoernecke said. “It can send a message to you and hopefully it’s enough to move you on to something else.”

The first step Ensnare takes is to check for violations in requests; it determines whether they are malicious by matching them to a signature, for example.

“Violations are bad behavior tracked over time and aggregated. They are triggered by things like bad paths or exploit strings in request,” Hoernecke said. “They’re based on a particular configuration and weighted.”

It then determines a threshold for the requestor, who is logged via IP address, session ID or user ID in a database.

“By aggregating all three, Ensnare is more robust,” Hoernecke said. “We can track things if an attacker is doing tricky stuff to get around our protections that are in place.”

Thresholds are established through a number of attributes, including the number of violations that have occurred and how long the user is put into a trap.

“This is powerful state handling. We can do a lot of things to get the attacker to go away such as confusing them, distracting them or slowing them down,” Hoernecke said.

For example, if a user racks up five violations, the threshold can be configured to delay by 20 percent the time it takes to make a request and to delay the response by as long as 15 to 20 seconds. If the number of violations climbs to 20, the attacker could see delays climb into minutes—all without affecting site performance for legitimate users.

“If an attacker is testing the site, and the site starts delaying or redirecting, it gets frustrating,” Hoernecke said. “The responses are techniques that prevent an attacker from being successful in finding vulnerabilities or attacking the site. We hope to slow them down, block them, alert them or even annoy them.”
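The flow described above (weighted violations, aggregation by IP address, session ID and user ID, then threshold-driven delays for a trap period) can be modelled in a few lines of Python. This is an added sketch, not Ensnare's code or configuration API: the signatures, weights, honey path, trap durations and sample requests are hypothetical, and only the 5 and 20 violation tiers follow the article.

```python
import re
from collections import defaultdict

# Hypothetical rules and weights for illustration; not Ensnare's rule set.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1=1"), 3),
    ("xss", re.compile(r"(?i)<script\b"), 2),
]
HONEY_PATHS = {"/admin/backup.sql": 5}  # a path no legitimate user is linked to

# (minimum score, response delay in seconds, trap duration in seconds), highest first.
THRESHOLDS = [(20, 120.0, 3600), (5, 15.0, 600)]


class ViolationTracker:
    """Aggregate weighted violations per identifier and pick a response delay."""

    def __init__(self):
        self.scores = defaultdict(int)   # ("ip" | "session" | "user", value) -> score
        self.trapped = {}                # same key -> (trapped_until, delay)

    def check(self, ts, path, query, ip, session_id=None, user_id=None):
        """Score one request and return (delay_seconds, aggregate_score)."""
        weight = HONEY_PATHS.get(path, 0)
        weight += sum(w for _name, rx, w in SIGNATURES if rx.search(query))

        pairs = (("ip", ip), ("session", session_id), ("user", user_id))
        keys = [pair for pair in pairs if pair[1]]
        for key in keys:
            self.scores[key] += weight
        # Take the worst score across identifiers so that rotating one of them
        # (a new IP with the same session, say) does not reset the history.
        score = max(self.scores[key] for key in keys)

        if weight:  # only a new violation starts or extends a trap
            for limit, delay, trap_seconds in THRESHOLDS:
                if score >= limit:
                    for key in keys:
                        self.trapped[key] = (ts + trap_seconds, delay)
                    break

        active = [self.trapped[k][1] for k in keys
                  if k in self.trapped and self.trapped[k][0] > ts]
        return (max(active) if active else 0.0), score


def run_sample():
    """Replay constructed requests; returns one (delay, score) per request."""
    tracker = ViolationTracker()
    requests = [
        (0, "/search", "q=' OR 1=1--", "198.51.100.7", "s1"),       # signature hit
        (1, "/admin/backup.sql", "", "198.51.100.7", "s1"),         # honey trap
        (2, "/home", "", "198.51.100.99", "s1"),                    # new IP, same session
        (3, "/search", "q=union+square+hotels", "203.0.113.9", "s2"),  # legitimate user
        (700, "/home", "", "198.51.100.99", "s1"),                  # trap has expired
    ]
    return [tracker.check(*request) for request in requests]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```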

BlackBerry Patches Remote Code Execution Vulnerability

Wed, 04/09/2014 - 14:53

BlackBerry’s Security Incident Response Team (BBSIRT) today released a security advisory resolving a remote code execution vulnerability in BlackBerry 10.

The company says it has no knowledge of attacks actively exploiting this bug in the wild.

“BlackBerry is committed to protecting customers from potential security risks, and while there are no known attacks targeting customers at this time, we recommend that all BlackBerry 10 smartphone customers apply the latest software update to be protected from this issue,” said Scott Totzke, the senior vice president of security at the company.

The vulnerability addressed by BSRT-2014-003 could have led to an attacker executing code remotely.

However, the advisory notes that the potential for an attacker to exploit this bug is severely limited and the risk it poses to users is limited by the fact that the attacker would need either physical access to the device in question or significant interaction from the customer.

Successful exploitation, the advisory notes, would require an attacker to send a maliciously crafted message over a Wi-Fi network to what is known as the qconnDoor service. Furthermore, exploitation of the bug requires that the targeted user is operating the device in development mode. In an alternate scenario, BBSIRT notes, an attacker could exploit an unpatched phone by connecting it to a computer and sending the exploit to the qconnDoor service directly.

“A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone,” the advisory says.

“Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user’s BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).”

Bruce Schneier: Technology Magnifies Power in Surveillance Era

Wed, 04/09/2014 - 13:41

BOSTON – History is not entirely kind to those responsible for the Industrial Age in the 19th century. How, for example, were the consequences of industrial innovation such as pollution largely ignored?

Flash forward to today’s digital age and ask the same question: How are those responsible for building our infrastructure callously disregarding privacy and security in favor of rapid online innovation?

“I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet,” said Bruce Schneier today during his Source Boston keynote.

Schneier, who has been involved in reviewing the Snowden documents and advising journalists on how to best disseminate them, has been lecturing not only at security conferences, but to public policy makers on the risks of ubiquitous data. As an observer, he’s busy noting disturbing trends as governments flex their muscle online where previously it was the domain of the less-endowed.

“In general, technology magnifies power, but adoption rates are indifferent,” Schneier said. “The nimble and relatively powerless make use of new technology faster. They’re not hindered by bureaucracy or laws or ethics. There was an enormous change when they discovered the Net. Now a decade later when the government figures out how to use the Net, it had more raw power to magnify. That’s how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens.”

With regard to NSA surveillance, the government has used several different methods to access data on targets, whether through court orders to obtain phone call metadata from carriers, or the subversion of Internet protocols to intercept network traffic.

The government, in this case, is just piggybacking on corporations’ collection of its customers’ personal data.

While corporations use it for marketing, the NSA uses it for surveillance.

“This stuff is being used by governments for good and bad. The NSA woke up and said ‘Corporations are spying on the Internet, let’s get ourselves a copy,’” Schneier said. “We see a lot of collection by governments overt and covert. Most NSA surveillance piggybacks corporate capabilities.”

Further exacerbating the mass collection of data by corporations and governments alike is the push to move data and services to the cloud, and the ubiquity of mobile devices, which provide location data to corporations and governments both. More piggybacking.

“Surveillance is the business model of the Internet,” Schneier said. “We build systems that spy on people in exchange for services.”

Data is currency, he said, and consumers especially will trade their privacy for convenience.

“Those things push us to give our data to corporate entities,” Schneier said. “Why do corporations want it? Persuasion. Facebook wants my data to sell me stuff. I like to think of this as a feudal model. At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data.”

The result is an assumed trust that Google, Facebook or any number of data brokers will do the right thing with personal data now that it’s stored on a third party server by a third party owner who can access the data and change the rules of engagement at any time. Governments, meanwhile, can sit back and let corporations do their collecting for them. Rather than force citizens they wish to monitor to carry a tracking device, they can obtain location data from a telecommunications carrier. Rather than requiring citizens to report new personal relationships, governments know you’ll tell Facebook soon enough.

And as for metadata, which the government brushes off as bits of innocuous detail, Schneier said that metadata has far more value to an intelligence agency than data, that it’s far more intimate than a conversation.

“Metadata is us,” he said. “And it is easier to store, search and analyze. If you’re tracking a terror network, do you want conversations, or who is talking to who? You want the network. Fundamentally, we have reached the golden age of surveillance because we are all being surveilled ubiquitously.”

Adobe Patches AIR, Pwn2Own Vulnerability in Flash

Wed, 04/09/2014 - 13:08

Adobe has released updates for both its Flash Player and AIR software, patching four critical vulnerabilities, including one that was exposed at last month’s Pwn2Own hacking competition.

The Flash Player vulnerabilities carry the company’s highest severity rating, Priority 1, and could lead to arbitrary code execution and information disclosure on both Windows and Macintosh machines if left unpatched.

Since the flaws can potentially allow an attacker to take control of the affected system, Adobe is encouraging users to apply the patches as soon as possible.

According to a security bulletin posted Tuesday the updates apply to versions and older of Flash Player for Windows and Macintosh and version for Linux.

Among the quartet of vulnerabilities addressed in the update are a use-after-free vulnerability, a buffer overflow vulnerability, a security bypass vulnerability and a cross-site scripting vulnerability.

The use-after-free bug was dug up by Chaouki Bekrar and his squad of researchers at the French exploit vendor Vupen at last month’s Pwn2Own. Specifically, Vupen was able to chain the use-after-free vulnerability together with two other zero-days, a JIT spray and a sandbox escape to exploit Flash Player running on Internet Explorer 11.

Those running either Google Chrome or Internet Explorer 10 or 11 will have their Flash Player updated to the most recent version,, via mechanisms in those browsers.

While not as serious – Adobe rated the update Priority 3, its lowest priority – the company also took the time yesterday to update its Adobe Integrated Runtime (AIR) run-time system to version as it was affected by the same vulnerabilities.

For network administrators there’s a good chance the patches may have been lost in the shuffle of yesterday’s Patch Tuesday fixes. That update, the last ever for Windows XP, addressed two critical vulnerabilities in Microsoft Word and Internet Explorer.

Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem

Wed, 04/09/2014 - 11:58

The list of products and sites affected by the OpenSSL heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It’s difficult to know whether an attacker has exploited the vulnerability on a given system.

The nature of the vulnerability in OpenSSL is such that an attacker can exploit the vulnerability without the site operator knowing. The flaw lies in the way that the OpenSSL library handles the heartbeat extensions for TLS and it exists in many versions of the software. OpenSSL is deployed on a huge number of sites, roughly two-thirds of the Web by some estimates, and although the OpenSSL Foundation has released a fixed version, it could be some time before the majority of sites are patched.

Proof-of-concept exploit code for the vulnerability has been posted, and there now is a heartbleed Metasploit module that implements an attack on the flaw, as well.

Experts say that the ambiguity surrounding exploitation of the OpenSSL vulnerability adds an unwelcome layer to an already troubling security problem.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

Officials at Mozilla acknowledged this quandary in their advisory on the heartbleed vulnerability, which affected some of the organization’s systems running Firefox Persona and Firefox Accounts. Those systems run on Amazon Web Services using OpenSSL.

“Because these TLS connections terminated on Amazon ELBs instead of the backend servers, the data that could have been exposed to potential attackers was limited to data on the ELBs: TLS private keys and the plaintext contents of encrypted messages in transit,” Sid Stamm, senior manager of security and privacy engineering at Mozilla, said in a blog post.

“We have no evidence that any of our servers or user data has been compromised, but the Heartbleed attack is very subtle and leaves no evidence by design. At this time, we do not know whether these attacks have been used against our infrastructure or not. We are taking this vulnerability very seriously and are working quickly to validate the extent of its impact.”

The way that the OpenSSL heartbleed vulnerability works, an attacker who successfully exploits the bug can read up to 64KB of memory from a vulnerable machine, per request. Depending upon the circumstances, the attacker may be able to retrieve a server’s private key or other sensitive data.

Researchers have confirmed that Android devices running versions 4.1.0 and 4.1.1 also are vulnerable. The heartbeat extension was disabled in Android 4.2.


Siemens Ruggedcom Addresses BEAST Flaw in WiMax Products

Wed, 04/09/2014 - 08:00

The BEAST attack on some TLS implementations made major news when it was disclosed, showing that attackers could intercept and decrypt SSL-protected sessions in real time, breaking a significant portion of the confidentiality model of the protocol. Vendors rushed to patch and implement mitigations. That was in 2011. Nearly three years later, Siemens is pushing out a patch for a BEAST vulnerability in its Ruggedcom WIN WiMax platform.

The Ruggedcom WIN line comprises wireless base stations and subscriber stations, which are designed to be secure and work in either fixed or mobile environments. On Tuesday, ICS-CERT posted an advisory warning that several of the WIN products were vulnerable to a BEAST attack.

The flaw lies in the Web interface of the affected products, and Siemens has pushed out a firmware update that addresses the vulnerability.

“The SSL/TLS secured web interface of the affected products is vulnerable to the BEAST attack. As it uses SSL libraries, which are not compatible with 1/n-1 record splitting, some newer browser versions are not able to connect to the web interface,” the advisory says.

“An attacker who successfully exploits a system using this vulnerability may be able to access the session ID of the user’s current web session. If combined with a social engineering attack, the attacker may be able to read traffic exchanged between the user and the device.”

The affected products include WIN7000: all versions prior to v4.4, WIN7200: all versions prior to v4.4, WIN5100: all versions prior to v4.4, and WIN5200: all versions prior to v4.4, the advisory says.

The BEAST vulnerability in these products is remotely exploitable and ICS-CERT said that an attacker with middling skills would be able to exploit it. The update that Siemens released does not technically fix the vulnerability; instead, it enables the Web interface on the affected products to work with modern browsers that contain the BEAST mitigations.


Application Security the Etsy Way

Wed, 04/09/2014 - 08:00

BOSTON – Etsy is one of the Web’s biggest marketplaces. Its developers may be one of the Web’s busiest teams.

The vintage and homemade goods online store proudly pushes code to production upwards of 50 times a day. And, according to Kenneth Lee, senior product security engineer, they do so with confidence they’re not going to break the site.

Lee explained during a talk Tuesday afternoon at Source Boston how Etsy has embraced a number of DevOps principles, in particular the marriage of development and monitoring processes, in order to push bug fixes, patches and feature enhancements.

Etsy relies on what it calls Feature Flags, code wrappers that allow security engineers to easily find particular functionality in the code tree, fix it if necessary, and roll it out incrementally to specific segments of Etsy users while determining how it will impact site availability and performance.

“We use them in development, QA and production,” Lee said. “Having code that uses feature flags gives you the ability, from an application security perspective, to easily find where interesting code is being utilized. When new functionality is ramped up to the website and we need to find it, it takes five seconds of grepping to find where it’s being used.”

Particular changes can be rolled out slowly and to certain users, such as to only one percent or 10 percent of buyers or sellers. Adding Feature Flags to old, legacy code also gives security engineers the ability to add logging tags that were previously left off.

“You need to be on top of your logging game to take advantage of Feature Flags,” Lee said. “With old features with no logging in place, when you have to write a fix, you can add logging lines so you’ll have that awareness for future alerting and logging purposes.

“We always deploy with confidence,” Lee said. “With Feature Flags, we’re never forced into a scenario where it’s all or nothing when pushing out a security fix. Feature Flags give you the flexibility to make a decision of whether to ramp it up to five percent or 50 percent of users to see if anything breaks.”

The team also wrote a Web-based tool for its developers called Supergrep, which calls out any lines of code as they’re logged that could be anomalous. Developers can see these unusual log patterns pop up as changes are made.

“Supergrep gives developers context. By having context, developers can filter out noise in things you expect to see in logs that’s OK versus what’s not OK,” Lee said.

This approach and ability to continue to evaluate a patch as it is rolled out incrementally is crucial because it also helps with deployments of high-priority patches. For example, Lee said, a vulnerability may be rated severe, but if it has not been exploited, there’s time for additional evaluation of logs to determine whether any activity on the network is taking advantage of it.

“It’s a powerful thing to say we can fix it today or wait until Monday at 9 a.m.,” Lee said. “If we write a patch, with Feature Flags, we can push out code and that doesn’t mean it’s on. By having a slow ramp up approach, you get the best of both worlds and ramp up slowly so you don’t take down the whole site.”

Last Call for XP, Office 2003 Updates: April Patch Tuesday Fixes 11 Vulnerabilities

Tue, 04/08/2014 - 15:52

As expected, Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system. 

Despite it being XP’s last gasp from a security standpoint, it’s actually a relatively light batch of Patch Tuesday updates this month. Two of the bulletins are branded critical and the other two important, but all of them can lead to remote code execution in their respective software, including recent versions of Word and some versions of Internet Explorer, if left unpatched.

The first critical patch (MS14-017) fixes a zero day first discovered last month in Microsoft Word. The patch fixes three vulnerabilities in total, chief among them the RTF memory corruption vulnerability that’s been discussed in depth over the past month. That bug could open the program up to remote code execution and let an attacker gain administrative rights if a specially crafted RTF file is either opened or previewed in Word or Outlook. Microsoft first warned about the vulnerability – first in an advisory last month, then in a Fix-It – after it discovered limited targeted attacks that used it as a vector in the wild. The exploit for the zero day, rather complex in nature, includes ASLR bypass, ROP techniques and shellcode with multiple mechanisms designed to circumvent analysis. In addition to the memory corruption bug, the patch also fixes two additional vulnerabilities: a file format converter vulnerability in Office and a stack overflow vulnerability in Word.

The Word issue is the only bug being patched today that’s actively being exploited, so naturally experts are calling it the biggest priority of the four for service administrators.

“This continues a trend we’ve seen of Office-based exploits being successfully used in targeted attacks over the past few years,” Marc Maiffret, the CTO of BeyondTrust said Tuesday. “Deploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web apps.”

The second critical patch (MS14-018) also fixes a memory corruption bug, six of them to be exact, in most versions (6-9, 11) of Internet Explorer. Much like the Word vulnerability, if a user were to stumble upon a malicious webpage, an attacker could exploit the bug to execute code on the computer in the context of its current user. This vulnerability is one of two that affect components on XP, including IE 6 for those still running XP’s Service Pack 3 and its Professional x64 Edition Service Pack 2.

A previously disclosed file handling vulnerability (MS14-019) that could have allowed remote code execution in Windows was also fixed by today’s updates. If left unpatched, an attacker could trick a user into running a specially crafted .bat or .cmd file and gain command. While still important, it’s safe to say this vulnerability may be the least dangerous of today’s patches, as a user would have to be tempted to execute a batch file on a malicious network share. Still, this is the second issue that could affect users running some outdated versions of XP.

The last patch (MS14-020) addresses a hole that could open a machine up to remote code execution if someone were to open a specially crafted Microsoft Publisher file.

While it may seem minor, Ross Barrett, Senior Manager of Security Engineering at Rapid7, is encouraging any firms that use the software on their system to prioritize the patch.

“I expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents,” Barrett said of the vulnerability on Tuesday.

On top of the two bulletins that affect XP, both the Publisher issue and the Word issue figure into two bulletins that also affect Microsoft Word 2003, the final four updates for both XP and Office 2003.

If somehow you missed it, Microsoft is ending support for XP, Internet Explorer 6 and Office 2003 today, meaning this month’s patches mark the last time the company will issue security updates for these products. While it’s only a scant four bulletins, this makes April’s Patch Tuesday an essential one for those who rely on the outdated platforms and apps.

It’s assumed many admins are in the process of migrating off of XP – but it’s likely they’ll continue to have their hands full, not just with today’s updates, but also recent updates from Google, Mozilla, Apple and other companies following last month’s Pwn2Own competition.

It’s widely expected that a subset of attackers will ramp up exploits targeting XP after today and potentially examine patches for modern Windows 7 and 8 systems and adapt them to now no-longer supported XP machines.

Learn How to Speak ‘Cyber,’ Even If It Pains You

Tue, 04/08/2014 - 15:03

BOSTON – The cynical security wonk wouldn’t necessarily lower himself to use the word “cyber” in an elevator pitch about his profession or day-to-day responsibilities. After all, how would that go over in the Twittersphere, or at an industry conference?

At the risk of peer derision, security people frankly need to get over themselves and learn how to communicate the risks and threats businesses face every day in a language society at large speaks. Society speaks “cyber,” for example, and doesn’t relate to ideas and processes such as risk assessments, vulnerability management and any other ubiquitous notion in the security lexicon that just doesn’t translate outside the security bubble.

Justine Aitel, the head of cyber risk at Dow Jones, delivered that message during her keynote at Source Boston 2014 Tuesday afternoon. Aitel’s talk was a refreshing take on the echo chamber that plagues security, urging engineers, developers, administrators and researchers alike to escape the insular nature of the industry and foremost, learn how to communicate with the outside world. She spoke of the problem in the context of what she called the participation age, where efforts such as crowdsourcing and crowdfunding have become pervasive and have flipped the balance of power and influence on its head.

“What has the participation age given us? It’s given a voice to the little guy and has brought transparency to the way the big guy works,” Aitel said. “IT risk has not moved into the participation age properly. We have failed to communicate well outside the industry with society at large. Society doesn’t understand what we do.”

Aitel emphasized the need for soft skills beyond just speaking the business’s language.

“We’ve amassed all this secret power and technical capabilities. We know how to start, stop and control systems,” Aitel said. “But with power comes problems. People in positions of power are not known as great communicators and are not known for being willing to evolve.

“If we want our industry to participate, we have to learn how to communicate beyond our industry, change the way we behave, listen, and share,” Aitel said. “Listening is hard, and most of us suck at listening. It sounds so basic, so many are not capable of doing this.”

Aitel is a year into her stint at Dow Jones, the parent company of the Wall Street Journal and other media properties. The media industry is in a time of flux and immense competitive pressure, and Aitel said flexibility and agility are key to long-term success. In her position as the enterprise’s top risk evaluator and policy maker, she’s charged with understanding and communicating risk beyond her team’s cubes. Having a spreadsheet of vulnerabilities is a record of risk to the business, but if she cannot explain why a particular CVE is a danger to Dow Jones, she won’t get prioritized development time to get code changes implemented.

“Change code requests are not good enough,” Aitel said. “I have to translate those into business risks. That’s really helped us.”

Aitel also pointed out another shortcoming: the lack of metrics that enable security management to make quick decisions about IT risk. Hiring consultants at a steep cost doesn’t scale when it comes to translating risks beyond vulnerabilities and threats. Again, learning softer skills is a hand-in-hand necessity along with technical chops.

“Our industry rewards people for their strengths. We celebrate vulnerability exploitation or cryptography expertise,” Aitel said. “We don’t celebrate people who work on weaknesses such as communication skills. If we don’t focus on them, we’re not going to be able to reach outside our industry and we won’t stay relevant in the participation age.”

Google Patches 31 Flaws in Chrome

Tue, 04/08/2014 - 14:55

Google has patched a long list of serious security vulnerabilities in Chrome, including at least 19 highly rated flaws. The company patched a total of 31 vulnerabilities in Chrome 34 and paid out more than $28,000 in rewards to researchers who reported bugs to Google.

Among the security fixes in Chrome 34 are patches for a number of use-after-free vulnerabilities in various components of the browser. Google’s internal security team also discovered quite a few of the vulnerabilities patched in the latest release.

In addition to the security patches, Google introduced a change in Chrome 34 that will allow users to save passwords in the browser even if they have the autocomplete feature disabled.

“As we’ve previously discussed, Chrome will now offer to remember and fill password fields in the presence of autocomplete=off. This gives more power to users in spirit of the priority of constituencies, and it encourages the use of the Chrome password manager so users can have more complex passwords. This change does not affect non-password fields,” Daniel Xie of the Chrome team said.

Here’s the list of public bugs fixed in Chrome 34:

[$5000][354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.

[$5000][353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.

[$3000][348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.

[$3000][343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.

[$2000][356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.

[$2000][350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.

[$2000][330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.

[$1500][337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.

[$1000][327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.

[$3000][357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous.

[$1000][346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.

[$1000][342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.

Real-Time, Interactive Map Tracks Global Cyber Threats

Tue, 04/08/2014 - 10:07

Information security has become a global problem, and getting a handle on the scope of the threats to users is a difficult task. A new interactive infographic illustrates a variety of cyber threats in real time, as detected by the Kaspersky Security Network (KSN).

The threats are broken down by type into six categories: on-access scans (OAS), on-demand scans (ODS), web antivirus (WAV), mail antivirus (MAV), intrusion detection systems (IDS), and vulnerability scans (VUL). Users can view the statistics for each of these types of threats globally or per country, by clicking on individual countries within the map.

The graphic essentially represents a real-time painting of threats detected by the millions of users and partners around the world that have opted into the company’s distributed infrastructure of threat-intelligence data gathering.

More specifically, threats in the OAS category are those that are triggered when an antivirus program begins scanning malicious objects in the open, run, copy, or save operations. The ODS sub-system is triggered when a user manually scans for and finds a virus. The WAV category contributes to the map when security systems detect a new malicious Web object. The MAV type constitutes those threats that are detected by scanners within user-email systems. When programs detect malicious objects within the network stack, the IDS sub-system is triggered. And the VUL category lights up when a separate vulnerability-based module finds malware targeting known bugs.

Beyond the types of threats detected on a per-country basis, map-viewers can also see where each country ranks in terms of the number of infections detected there. Right now, Russia, Vietnam, India, the United States, and Germany make up the top five most-infected countries in the world. China (6), Indonesia (7), France (8), Kazakhstan (9), and Ukraine (10) round out the rest of the world’s top 10 most-infected countries per Kaspersky Lab data.


Seriousness of OpenSSL Heartbleed Bug Sets In

Tue, 04/08/2014 - 10:00

UPDATE–Site operators and software vendors are scrambling to fix the OpenSSL heartbleed bug revealed Monday, a vulnerability that enables an attacker to extract 64 KB of memory per request from a server. Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail and others, are vulnerable right now.

The vulnerability exists in OpenSSL 1.0.1f and older versions and the maintainers released a patch for the flaw on Monday. However, now that the details of the vulnerability are public, researchers have begun digging into it and several tools have been published to test various domains to see whether they’re vulnerable. Some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on Github.

Lastpass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk.

“However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post.

“Also, LastPass has employed a feature called ‘perfect forward secrecy’. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.”

The vulnerability lies in the way that OpenSSL handles the heartbeat extension in the TLS protocol.

A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” a description of the vulnerability written by Codenomicon says.

OpenSSL is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions. Red Hat and Ubuntu already have issued patches for the vulnerability.

But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

The vulnerability in OpenSSL appears to have been introduced two years ago. A test site that enables users to enter domains to check their vulnerability status has been up since Monday.

Ivan Ristic, director of application security research at Qualys, said that the OpenSSL heartbleed flaw is potentially quite damaging for many organizations because of the ease of exploitation and the implications of a successful attack.

“This vulnerability is very easy to exploit. It’s very easy to build from scratch (starting with the OpenSSL diff), and there are also several tools that can be downloaded and used, in a matter of minutes,” Ristic said.

“According to the SSL Pulse statistics, about 32% of the servers in that data set support TLS 1.2. Chances are most of them run OpenSSL, and are thus vulnerable. So that’s a very large number of servers. Because this is so easy to exploit, we’re already seeing many attacks. Servers that did not have Forward Secrecy are the most vulnerable, because a serious adversary, who has a recording of the encrypted site traffic, might now be able to easily recover the site’s private key and use it to decrypt traffic retroactively.”

This article was updated on April 8 to include information from Lastpass.

The Muddy Waters of XP End-of-Life and Public Disclosures

Tue, 04/08/2014 - 06:03

Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP’s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been stockpiled by hackers anxiously awaiting April 8, 2014.

But what about vulnerabilities in XP that have been responsibly shared with Microsoft and won’t be fixed? Those too are perpetual zero-days after Tuesday.

Microsoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft’s part, it has done outreach to researchers, clarified disclosure policies and processes and established bounty programs for bypasses of innate Windows mitigations.

And Microsoft isn’t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. Yet the fact remains whatever XP systems remain in circulation after tomorrow will be exposed and that brings up questions, such as: How will white or gray hats respond? For example, will there be a firestorm of public disclosures in the coming weeks?

“I know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that’s given what I know. I’m sure there’s more I don’t know of,” said Ross Barrett, senior manager of security engineering at Rapid7. “I wouldn’t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that’s not going to happen. The only result is that it would increase the exposure for people at large.

“It’s a muddy bit of water,” Barrett said. “Microsoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they’re not seeing action.”

Microsoft did not respond to a request for comment in time for publication.

HP’s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has 203 advisories pending public disclosure listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn’t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.

“I’m sure there’s tons of stuff still out there; some of it is design flaw stuff that Microsoft can’t fix or never got around to it,” Barrett said. “I’m sure there’s a backlog of stuff, but the clock has run out on XP.”

Microsoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.

“Absolutely hackers do that,” Barrett said. “If you’ve got a vulnerability in this file, they’ll track it back to a particular DLL and see that it’s been part of the OS since 2002 and not updated since 2004, they’ll know it’s vulnerable.

“You might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you’ll start to see it fade as it’s less used.”

Qualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company’s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.

“This is an additional weakness for these (retail) systems,” Kandek said. “There are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.”

Kandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.

“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”

OpenSSL Fixes Serious TLS Vulnerability

Mon, 04/07/2014 - 16:23

The maintainers of the OpenSSL library, one of the more widely deployed cryptographic libraries on the Web, have fixed a serious vulnerability that could have resulted in the revelation of 64 KB of memory to any client or server that was connected.

The details of the vulnerability, fixed in version 1.0.1g of OpenSSL, are somewhat scarce.

The OpenSSL Project site says that the bug doesn’t affect versions prior to 1.0.1.

“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server,” the OpenSSL release notes for 1.0.1g say.
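The check the release notes describe as missing (and that the earlier article on the bug refers to) looks like this in a minimal heartbeat handler following RFC 6520. This is an added example, not OpenSSL's code; the function names and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed sample records (not captured traffic); unlisted bytes are 0. */
static const uint8_t SAMPLE_OK[HB_HEADER + 5 + HB_MIN_PAD] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_BAD[HB_HEADER + HB_MIN_PAD] =
    { HB_REQUEST, 0xFF, 0xFF };  /* claims 65535 payload bytes, carries none */

/* The sender-controlled 16-bit payload_length field. */
static size_t claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes beyond the received record a handler would copy if it
 * trusted payload_length. Pure arithmetic: nothing out of bounds is read. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t avail = rec_len - HB_HEADER;
    size_t claimed = claimed_len(rec);
    return claimed > avail ? claimed - avail : 0;
}

/* Build the heartbeat response into out. Returns the response length, or 0
 * when the request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* A record shorter than header + minimum padding cannot be valid. */
    if (rec_len < HB_HEADER + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    size_t payload = claimed_len(rec);

    /* The bounds check: the claimed payload plus padding must fit inside
     * the bytes that were actually received. */
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + payload + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* now provably in bounds */
    /* Zero padding keeps the example deterministic; RFC 6520 calls for random. */
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD);
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("well-formed: overread=%zu response=%zu bytes\n",
           hb_overread(SAMPLE_OK, sizeof SAMPLE_OK),
           hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out));
    printf("oversized:   overread=%zu response=%zu bytes\n",
           hb_overread(SAMPLE_BAD, sizeof SAMPLE_BAD),
           hb_build_response(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out));
    return 0;
}
```

Because payload_length is a 16-bit field, the overread is capped just under 64 KB per request, which is where the figure in the release notes comes from.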

The OpenSSL library is deployed in a huge number of operating systems and applications, including a wide variety of Unix and Linux distributions, as well as OS X. Popular Web servers such as Nginx and Apache also are affected. Some major cloud-based applications and platforms, including CloudFlare, rely on the library as well. That company’s engineers implemented a fix for the OpenSSL vulnerability last week, before the details of the bug were disclosed.

“OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library. As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk,” Nick Sullivan of CloudFlare wrote in a blog post.

“We encourage everyone else running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. OpenSSL 1.0.2 will be fixed in 1.0.2-beta2.”

The folks at Codenomicon have put together an FAQ on the bug, which they’ve dubbed the Heartbleed vulnerability. Their explanation says that the flaw could enable anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the description says.

“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”

OpenSSL 1.0.1g also includes a fix that addresses a certain variety of side-channel attack.

“The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack,” the CVE entry for the bug says.
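What a constant-time swap in a Montgomery ladder looks like, next to a loop that branches on each secret bit. This is an added example, not OpenSSL's code: it is a toy ladder over modular exponentiation rather than elliptic-curve arithmetic, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular multiply for moduli below 2^32, so the product fits in 64 bits.
 * Toy arithmetic: only the swap below is presented as constant-time. */
static uint64_t mulmod(uint64_t x, uint64_t y, uint64_t m)
{
    return (x * y) % m;
}

/* Conditional swap written without a secret-dependent branch or memory
 * address: the bit is stretched into an all-zero or all-one mask. */
void cswap(uint64_t *a, uint64_t *b, unsigned bit)
{
    uint64_t mask = (uint64_t)0 - (uint64_t)(bit & 1u);
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: every iteration performs the same multiply and square,
 * and the secret bit only selects operands through cswap.
 * Requires 0 < m < 2^32. */
uint64_t ladder_pow(uint64_t g, uint64_t k, uint64_t m)
{
    uint64_t r0 = 1 % m;   /* invariant: r1 == r0 * g (mod m) */
    uint64_t r1 = g % m;
    for (int i = 63; i >= 0; i--) {
        unsigned bit = (unsigned)((k >> i) & 1u);
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        cswap(&r0, &r1, bit);
    }
    return r0;
}

/* Contrast: square-and-multiply that branches on each exponent bit. The
 * extra multiply runs only for 1 bits, so timing and cache activity depend
 * on the secret. Requires 0 < m < 2^32. */
uint64_t pow_branchy(uint64_t g, uint64_t k, uint64_t m)
{
    uint64_t r = 1 % m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((k >> i) & 1u)
            r = mulmod(r, g % m, m);
    }
    return r;
}

int main(void)
{
    /* Constructed values: same result, different data-dependent behaviour. */
    printf("ladder:  %llu\n",
           (unsigned long long)ladder_pow(3, 13, 1000003));
    printf("branchy: %llu\n",
           (unsigned long long)pow_branchy(3, 13, 1000003));
    return 0;
}
```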