
Thursday, 1 May 2014

A warning from SANS to end users against Heartbleed


The fourth briefing on the bug from the SANS Institute's Internet Storm Center (ISC) focused on the risk of Heartbleed client-side attacks and on recommendations for end users.

SANS is the most trusted and by far the largest source of information security training and security certification in the world. A range of individuals, from auditors and network administrators to chief information security officers, share the lessons they learn and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.

"A lot of the effort initially has been on servers, and servers are certainly at the most risk — not just web servers, but mail servers, and all of that good stuff as well. Everything that uses OpenSSL with an affected version is vulnerable, whether it's a client, whether it's a server — and of course as an end user, you're mostly concerned about the client part," said SANS presenter and ISC chief technology officer Johannes Ullrich.

Clients are indeed vulnerable, said Ullrich, but not the most popular ones. At the operating system level, Apple's OS X uses OpenSSL version 0.9.8, not the Heartbleed-vulnerable version 1.0.1, and Windows doesn't use OpenSSL at all, although there can be a risk from Windows applications that have been statically compiled against OpenSSL libraries.

"It's unlikely that a normal, average home Windows user has OpenSSL on their system," Ullrich said. "You're not going to run a web server on your home Windows machine." Android devices are the main client-side risk, because Android is the only major operating system that uses OpenSSL widely.

"The first message [for home and family users] is 'Do not patch.' This sounds counter-intuitive, and yes there may be software that people have installed that does use OpenSSL," he said. But for home users who've seen Heartbleed scare stories in the mainstream media, being caught by scams is the greater risk.

The second message is that, yes, changing passwords to online services is "probably a good idea", Ullrich said. "Even if it didn't get leaked, it's probably not going to break anything." And, because changing so many passwords is a pain, get a password manager.
"If you still have to remember all your passwords, and if you are able to do so, your passwords are too weak," he said.


Call of Duty is not secure from Heartbleed


Heartbleed has drawn blood from Call of Duty: Black Ops II too, according to security researchers.
The Heartbleed security bug is a straightforward case of memory leakage: a missing bounds check in the Heartbeat extension of OpenSSL lets a peer read past the end of a buffer, pulling out chunks of up to 64 kilobytes of the process's memory per request. This could yield anything, including encryption keys, bits of traffic, credentials or session keys. The flaw is potentially among the most damaging ever to surface on the web, but there has been little evidence that it has been widely exploited so far, leading some security experts to say it has been overblown.
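The bounds check that the paragraph above refers to is easiest to see in code. The following is an added illustration written for this page, not OpenSSL's own source: it lays out a heartbeat message (type, two-byte payload length, payload, padding) in a constructed "process memory" buffer, and contrasts a responder that trusts the claimed payload length with one that first verifies the record really contains that many bytes plus the minimum padding. The record, the neighbouring "secret" bytes and the function names are all constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not OpenSSL's own code): the shape of the Heartbleed bounds
 * check. A TLS heartbeat message body is
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * and the responder echoes payload_length bytes of payload back. */

#define HB_HEADER_LEN 3   /* type + payload_length */
#define HB_PADDING    16  /* minimum padding required by RFC 6520 */

/* Constructed "process memory": a 7-byte heartbeat record that claims a
 * 32-byte payload but carries only 4, followed by bytes that belong to
 * something else entirely (a stand-in for keys or session data). */
static const unsigned char arena[] =
    "\x01\x00\x20" "ping"
    "-----session-key-0xCAFE-----";
static const size_t arena_len = sizeof(arena) - 1;   /* drop the NUL */
static const size_t record_len = HB_HEADER_LEN + 4;  /* what actually arrived */

static size_t claimed_payload_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Unchecked responder: trusts payload_length and copies that many bytes from
 * wherever the payload starts. Clamped to the arena so this demo itself stays
 * in bounds, but it still returns bytes that were never part of the record. */
size_t heartbeat_reply_unchecked(const unsigned char *mem, size_t mem_len,
                                 unsigned char *out, size_t out_cap)
{
    if (mem_len < HB_HEADER_LEN) return 0;
    size_t n = claimed_payload_len(mem);
    if (n > out_cap) n = out_cap;
    if (n > mem_len - HB_HEADER_LEN) n = mem_len - HB_HEADER_LEN;
    memcpy(out, mem + HB_HEADER_LEN, n);
    return n;
}

/* Checked responder: the record must really contain the header, the claimed
 * payload and the minimum padding; otherwise the message is silently dropped. */
size_t heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t n = claimed_payload_len(rec);
    if (HB_HEADER_LEN + n + HB_PADDING > rec_len) return 0;  /* the fix */
    if (n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Scenario 1: the unchecked responder hands back 32 bytes, of which only
 * "ping" came from the record; the rest is the neighbouring secret. */
size_t demo_unchecked_leak_len(void)
{
    unsigned char out[64];
    return heartbeat_reply_unchecked(arena, arena_len, out, sizeof out);
}

int demo_unchecked_leaks_secret(void)
{
    unsigned char out[64];
    size_t n = heartbeat_reply_unchecked(arena, arena_len, out, sizeof out);
    return n > 4 && memcmp(out + 4, "-----session-key", 16) == 0;
}

/* Scenario 2: the checked responder sees a 7-byte record claiming 32 bytes
 * and discards it (returns 0 bytes). */
size_t demo_checked_rejects(void)
{
    unsigned char out[64];
    return heartbeat_reply_checked(arena, record_len, out, sizeof out);
}

/* Scenario 3: a well-formed record (payload_length 4 plus 16 bytes of padding)
 * is still answered, so the check does not break legitimate heartbeats. */
size_t demo_checked_accepts_valid(void)
{
    unsigned char good[HB_HEADER_LEN + 4 + HB_PADDING] = {
        0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };   /* rest is zero padding */
    unsigned char out[64];
    return heartbeat_reply_checked(good, sizeof good, out, sizeof out);
}
```

The single comparison marked "the fix" is the whole difference: the length a peer claims is only trusted once it has been checked against the length of the record that actually arrived, and a mismatch is treated as a malformed message rather than as a reason to read further into memory.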

However, Ken Munro, a senior partner at Pen Test Partners, came across evidence of a real-world example of the vulnerability being exploited, in the popular online multiplayer game Call of Duty: Black Ops II. He logged in to shoot some enemies after a busy day of ethical hacking, only to see a series of messages suggesting a compromise had taken place.

"What we can surmise is that the CoD developers had connected to the Steam developer portal and either their session ID or, even worse, credentials had been stolen," Munro told El Reg.
"Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!"

Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes and a gaming security expert, agreed that Munro had uncovered circumstantial evidence of a compromise of CoD, while arguing that this might easily have been pulled off with another exploit.

"It's entirely possible the person responsible for the message didn't use Heartbleed to snag a login - they may have grabbed it by another means entirely, but decided to use the account to post a more general alert to the gaming community and devs at large," Boyd told El Reg. "In fact, this highlights the fact that we may see more compromises which have nothing to do with Heartbleed, but end up trading off the high profile of the threat. This could lead to yet more confusion on the part of both developers and users of popular web services over the coming weeks."

Boyd agreed with Munro that the intention of the unknown perp was not malign.

"While it's difficult to say exactly what functionality the person responsible for compromising the game in this way had access to, it seems their intention was to warn rather than harm," Boyd said. "Anybody concerned about achievement tampering should know that it's easy enough for someone to do that themselves without an entire game needing to be compromised first. As for the possibility of malicious patches going out, PC updates are traditionally a little easier to get out than (say) the XBox Live network where all updates are put through rigorous testing before being given the green light."

Munro is sticking to his guns in suggesting Heartbleed is the most likely culprit.

"Timing-wise the most likely candidate is Heartbleed," Munro said, adding that Boyd is also right to say that "we only have the hacker’s claim - but that certainly doesn’t preclude it from being the truth."

Yet it remains unclear whether it really was Heartbleed or something else that compromised Call of Duty: Black Ops II.

Military Satellites Vulnerable to Hacking


Researchers warned that many of the satellite systems manufactured by some of the biggest government contractors are vulnerable to several exploits through which they could be hacked to disrupt military operations.

A security consultancy says it has uncovered many vulnerabilities in satellite communications software and ground-based equipment manufactured by the British companies Cobham and Inmarsat.

The US-based computer emergency response team warned about the vulnerabilities in January.

Many of the issues were in the Broadband Global Area Network (BGAN), which is designed to provide internet and voice connectivity for remote teams. The affected Harris BGAN satellite terminals are also used by the military, including NATO, for tactical radio communications.

The Cobham Aviator equipment could be compromised to alter satellite communications such as the Aircraft Communications Addressing and Reporting System (ACARS) used by aircraft.

ACARS is used to transmit vital information such as fuel levels; it was used to track the movements of flight MH370 around the time it disappeared.

The manufacturers were warned about the vulnerabilities, some of which are claimed to be exploitable with little technical ability; the flaws have been present in the products for at least two years.


Hackers Targeted Carlson Hotel in Minnetonka


The Carlson hotel company in Minnetonka runs a rewards points programme called "Club Carlson Gold Points", and hackers recently compromised its security. According to hotel officials, about $35,000 worth of rewards belonging to 650 customers has been stolen.

The company noticed irregular transactions on club members' accounts 12 days ago. The company says that when it noticed the transactions, it immediately froze the accounts.

All of the affected members have been contacted and their stolen rewards have been replaced. The company is urging members with a Club Carlson account to check their balance and change their passwords.

According to the company, the accounts didn't contain any financial information; they only included members' postal and email addresses. The case is still under investigation.

OpenSSL bug hunt!!


A campaign has started to raise $250,000 for an OpenSSL bug bounty, and its organizers hope it will help ensure the Heartbleed omnishambles is never repeated.

The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who discover and report bugs in crucial crypto-library OpenSSL.

The campaign's pitch explains:
“With many eyes and the right incentive all bugs are shallow. It's up to the Internet to come to the table and provide the incentive required to make sure wide-scale security exposures like Heartbleed don't happen again.
This Crowdtilt will fund a focused crowd-sourced security assessment on OpenSSL. 100% of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation.
Anyone can sponsor at any amount. Sponsors will be credited as Defenders of the Internet, and sponsors who commit over $5,000 will be specially mentioned and thanked.
Together let’s make the Internet a safer place.”

Donations thus far stand at a modest $5,400, but the fund has only just opened. Even so, the fundraiser is working on what looks like a tight deadline.

Casey Ellis, chief exec of Bugcrowd, explained that the initiative was independent from OpenSSL.
"The [OpenSSL] developers are aware of our efforts but are also obviously quite busy at the moment, so it's fair to say that we are doing this independently," Ellis said.

Bug-bounty programs have become commonplace across the IT industry: the schemes reward researchers for reporting flaws to vendors, rather than hawking them through exploit brokers or vulnerability marketplaces.

Heartbleed is a serious flaw in the widely used OpenSSL: a programming blunder allows miscreants to silently read passwords, private crypto-keys and other sensitive data from the memory of vulnerable servers, PCs, phones, tablets and other devices.

That's bad, but it's no remote-code execution hole, admittedly; there have been worse flaws in other internet-facing software that allowed attackers to plant all sorts of nasties on systems.


Pakistan Calls for founding of National Cyber Security Council


Pakistan’s Upper House this week began debating a new bill seeking to establish a National Cyber Security Council, an agency the nation feels is needed to keep the NSA at bay.

Senator Mushahid Hussain Sayed on Monday presented The Cyber Security Council Bill 2014 with the aim of creating a body to draft policy, guidelines and strategy on cyber security issues according to international best practices.

As well as working to counter emerging online threats, it will also try to facilitate better communication and information-sharing between government and private sectors. To help achieve this, members of the proposed council would apparently be drawn from both sectors.

Sayed said:
‘Given the clear and present danger of threat to Pakistan’s national security related to cyber warfare, as demonstrated by revelations of intrusion into privacy and spying by overseas intelligence networks, and given the context that cyber warfare is currently being weighed actively in the region where Pakistan is located, it is imperative that Pakistan take institutional steps to combat this threat’.

Pakistan’s security concerns, of course, are not limited to possible NSA spying. Hacktivists purportedly from the Islamic republic frequently trade online attacks with those from arch rival India, and occasionally further afield.

The latest Enemies of the Internet report from Reporters without Borders called out the Pakistan Telecommunication Authority (PTA) for its increasingly prolific attempts to blacklist URLs and filter web content.

While lawmakers in Islamabad talk about “major non-traditional, non-military threats the country is facing” from the likes of the US, they should also probably focus more scrutiny on their own government.
