
NEWS - April 11, 2014

Apr 11, 2014 6:21AM PDT
Heartbleed developer explains OpenSSL mistake that put Web at risk

"'Trivial' coding error in open source project wasn't intentional, report says."

The software developer who inserted a major security flaw into OpenSSL has said the error was "quite trivial" despite the severity of its impact, according to a new report.

The Sydney Morning Herald published an interview today with Robin Seggelmann, who added the flawed code to OpenSSL, the world's most popular library for implementing HTTPS encryption in websites, e-mail servers, and applications. The flaw can expose user passwords and potentially the private key used in a website's cryptographic certificate (whether private keys are at risk is still being determined).

The Herald reports:

Continued : http://arstechnica.com/information-technology/2014/04/heartbleed-developer-explains-openssl-mistake-that-put-web-at-risk/


Heartbleed Bug - Mobile Apps are Affected Too
Apr 11, 2014 7:22AM PDT

The TrendLabs Security Intelligence Blog :

The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.

All the extended coverage of the flaw begs the question, "Are mobile devices affected by this?" The short answer: yes.

Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-bug-mobile-apps-are-affected-too/

There's an app on Google play...
Apr 11, 2014 7:30AM PDT

called Heartbleed detector by Lookout that checks your device for vulnerability.

Dafydd.

Re: Lookout's Heartbleed Detector
Apr 11, 2014 9:26AM PDT

In the thread you started yesterday, I included information from Digital Trends and Malwarebytes.

While at Digital Trends I read a post titled "How to protect your phone or tablet from the Heartbleed OpenSSL bug". One of the sub-topics is .... "How to check if your Android phone is vulnerable".

He states:

"According to Google, about 34 percent of all Android devices still run Android 4.1.x, meaning more than 300 million phones and tablets could be vulnerable to this bug. Lookout has released an Android app to check if your mobile device has been compromised. You can download Heartbleed detector from the Google Play Store now.

If your phone is vulnerable and the heartbeat option is enabled, there's nothing you can do except check for updates. Go into Settings > About phone > System updates on most devices. Some devices will have Updates in another area of the Settings menu."

I failed to include the information in my post / the thread. But now that you have it here ... all is well.

Thanks and have a great weekend.
Carol

And you.
Apr 11, 2014 9:38AM PDT

Dafydd.

Facebook Follower Scam Prompts Victims to Inject Themselves with Dangerous Code
Apr 11, 2014 8:17AM PDT

More than 17,000 Facebook users were tricked by a bold scam that promised them over 100,000 followers on the social network and made them willingly inject dangerous code in their browser. Bitdefender has started to analyze the dubious profile promoting the scam after several Facecrooks fans complained about the social engineering trick. Hackers behind the scam could be of Turkish origin.

It all started with a freshly registered Facebook page. "Master of Hacking" promised to teach fans a new trick - "how to increase Facebook followers" to more than 100,000, 100,999 or 150,000 with a simple piece of code that users should insert into Google Chrome or the Maxthon browser.

This time, computer hackers didn't bother to create a scam that delivers the malicious code without users' knowledge. They simply asked victims to copy it. Many thousands fell for the scam and it is still claiming victims. Most users who fell for the scam are from Turkey or Pakistan.

Continued : http://www.hotforsecurity.com/blog/facebook-follower-scam-prompts-victims-to-inject-themselves-with-dangerous-code-8381.html
Vendors address the Heartbleed bug
Apr 11, 2014 8:19AM PDT

Which products and services are affected by the Heartbleed bug in OpenSSL? Vendors have started issuing security advisories telling users which of their products are safe and which will have to be updated.

Cisco has shared that over a dozen of its products and 2 of its services were found to be vulnerable.

The services - Cisco's Registered Envelope Service and Webex Messenger Service - have already been patched, but the products, which include the company's IOS XE operating system, have yet to be fixed. And, the list might yet turn out to be incomplete, as the investigation is still ongoing.

"A subset of Juniper's products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers. We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products," Juniper Networks' spokesperson has revealed, and urged customers to contact Juniper's Customer Support Center for detailed advisories and product updates.

Microsoft has assured users that most of Microsoft's offerings are not vulnerable, including all Windows operating systems and IIS versions.

Continued : http://www.net-security.org/secworld.php?id=16679

IRS misses XP deadline, pays Microsoft millions for patches
Apr 11, 2014 11:46AM PDT

"Tax collector has 58,000 PCs still running the aged XP; will spend $30M to upgrade to Windows 7"

The U.S. Internal Revenue Service (IRS) acknowledged this week that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches.

Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.

During an IRS budget hearing Monday before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.

Continued : http://www.computerworld.com/s/article/9247634/IRS_misses_XP_deadline_pays_Microsoft_millions_for_patches

Updated: NSA denies report that it knew about Heartbleed from the start
Apr 11, 2014 11:46AM PDT

Citing two anonymous sources "familiar with the matter," Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—"at least two years." The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites.

"When Edward Snowden warned that the NSA is 'setting fire to the future of the internet,' this is presumably the kind of thing he was talking about," said Jameel Jaffer, deputy legal director at the American Civil Liberties Union, in a statement emailed to Ars. "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it's compromising the trust that allows the internet to function. The NSA has lost sight of its mission, and it has lost sight of the values of the society it's supposed to be protecting."

Continued : http://arstechnica.com/security/2014/04/nsa-used-heartbleed-nearly-from-the-start-report-claims/

Related: NSA secretly exploited devastating Heartbleed bug for years, report says
U.S. charges nine with distributing Zeus malware
Apr 11, 2014 11:47AM PDT

The U.S. Department of Justice has brought charges against nine alleged members of a criminal organization that distributed the Zeus Trojan used to steal millions of dollars from bank accounts nationwide.

The DOJ's charges, unsealed Friday in U.S. District Court for the District of Nebraska, include conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.

Two defendants, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36, are scheduled to be arraigned Friday at the federal courthouse in Lincoln, Nebraska, the DOJ said in a press release. The two were recently extradited from the U.K. after a federal grand jury charged them in August 2012.

The Zeus Trojan infected thousands of business computers and captured passwords, account numbers and other information necessary to log into online banking accounts, the DOJ said.

Continued: http://www.pcworld.com/article/2142841/us-charges-nine-with-distributing-zeus-malware.html

Related: "Zeus" scammers accused of stealing millions, infecting thousands of computers