
NEWS - April 08, 2014

Apr 8, 2014 4:55AM PDT
'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

From Heartbleed.com:

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

An advisory from Carnegie Mellon University's CERT (http://www.kb.cert.org/vuls/id/720951) notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at GitHub appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

Continued: http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

Related:
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style
Heartbleed bug affects Yahoo, Imgur, OKCupid sites; users face losing passwords
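Added example (my own, not from the post or the Krebs article): a triage check that parses OpenSSL version banners and flags the 1.0.1 through 1.0.1f range quoted above. Because distributions backport fixes without changing the version letter, a match marks a host for patching or verification rather than proving it vulnerable. Host names and banners in the inventory are constructed.

```python
import re

# Vulnerable range as stated in the CERT advisory quoted above: 1.0.1 through 1.0.1f.
VULN_BASE = (1, 0, 1)
VULN_LAST_PATCH = "f"

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> base version plus optional patch letter.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letter) or None if no OpenSSL version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4).lower()


def is_heartbleed_version(banner):
    """True if the banner is in 1.0.1 .. 1.0.1f inclusive, False if outside, None if unparseable.

    Caveat: vendors backport the fix without bumping the letter, so True means
    'patch or verify', not 'confirmed vulnerable'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    base, letter = parsed
    if base != VULN_BASE:
        return False
    # "" (plain 1.0.1) sorts before "a", so the unlettered release is included.
    return letter <= VULN_LAST_PATCH


def triage_inventory(inventory):
    """Map host -> 'patch-or-verify', 'not-affected' or 'unknown' for a list of (host, banner)."""
    result = {}
    for host, banner in inventory:
        verdict = is_heartbleed_version(banner)
        if verdict is None:
            result[host] = "unknown"
        else:
            result[host] = "patch-or-verify" if verdict else "not-affected"
    return result


# Constructed inventory (hypothetical hosts), e.g. collected from `openssl version` output.
SAMPLE_INVENTORY = [
    ("web-01.example", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02.example", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("web-03.example", "OpenSSL 1.0.0l 6 Jan 2014"),   # outside the stated range
    ("web-04.example", "OpenSSL 1.0.1 14 Mar 2012"),   # unlettered 1.0.1 is in range
    ("lb-01.example", "nginx/1.4.7"),                  # no OpenSSL version in the banner
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```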

End of the line for Windows XP
Apr 8, 2014 5:34AM PDT

Kaspersky Lab Weblog:

Support for Windows XP is ending: after today there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

Is this a problem? After all, it's a 12-year old operating system.

It wouldn't be, if it weren't for the fact that there are still a lot of people running Windows XP - our data indicate that around 18 per cent of our customers are still running Windows XP. That's a lot of people wide open to attack once the security patches dry up: effectively, every vulnerability discovered from now will become a zero-day vulnerability - that is, one for which there is no chance of a patch.

The problem will be compounded once application vendors stop developing updates for Windows XP - every un-patched application will become another potential point of compromise, further increasing the potential attack surface.

Continued: http://www.securelist.com/en/blog/208213056/End_of_the_line_for_Windows_XP

Related:
Rest in Peace, Windows XP
The XPocalypse is upon us: Windows XP support has ended
XPocalypse: Experts Warn of Attackers Hoarding Windows XP 'Forever Days'

Popular but fake security app removed from Google Play
Apr 8, 2014 5:35AM PDT

In little over a week, a developer selling a security app named Virus Shield on Google Play has managed to earn over $40,000, and the software topped the list of most downloaded new paid apps. But unfortunately for those who paid for it, the app in question actually does nothing to protect the device, as the claims made by the developer are completely bogus.

"The app description says that it 'Prevents harmful apps from being installed on your device,' 'scans apps, settings, files, and media in real time,' and 'protects your personal information.' Oh, and it has a low impact on battery life, and has 'No, ZERO pesky advertisements!'," Android Police's Michael Crider reported. "There's just one problem: it's a complete and total scam."

Continued: http://www.net-security.org/secworld.php?id=16650

Related: Fake Android anti-virus app taken down