

NEWS - April 25, 2014

Apr 25, 2014 2:04AM PDT
Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL

"IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source."

The important role OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.

The open source cryptographic software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, but it operates on a shoestring budget. OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code.

Given that, perhaps we shouldn't be surprised by the existence of Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

Continued : http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/

Related:
Tech giants back initiative for funding crucial open source projects
Heartbleed prompts joint vendor effort to boost OpenSSL, security
Group Backed by Google, Microsoft to Help Fund OpenSSL and Other Open Source Projects


Viber mobile messenger app leaves user data unencrypted
Apr 25, 2014 2:46AM PDT

Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.

According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber's app sends user messages in unencrypted form - including photos, videos, doodles, and location images.

All of that rich data from users is also stored unencrypted on Viber's servers, rather than being deleted immediately, and is accessible without credentials, just a link, the UNH researchers said.

It's the second cryptographic blunder exposed by UNH researchers in as many weeks - the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.

Continued : http://nakedsecurity.sophos.com/2014/04/24/here-we-go-again-viber-mobile-messenger-app-leaves-user-data-unencrypted/

Number of Sites Vulnerable to Heartbleed Plunges by 2/3
Apr 25, 2014 2:46AM PDT

TrendLabs Security Intelligence Blog:

Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today? [Screenshot: Sites vulnerable as of April 22]

Globally, the percentage of sites that is vulnerable to Heartbleed has fallen by two-thirds, to just under 10 percent. Only three TLDs we looked at have percentages above the global number: Brazil (.BR), China (.CN), and Russia (.RU).

The only TLD with a 100% cleanup record was the .gov domain, reserved for the use of US government sites. The Australian (.AU), British (.UK), German (.DE), and Indian (.IN) TLDs also had rates that were significantly lower than the global average.

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/number-of-sites-vulnerable-to-heartbleed-plunges-by-two-thirds/

Weight loss spam storm hits Twitter, users beware!
Apr 25, 2014 4:40AM PDT

Weight loss spam is once again being massively spewed out from compromised Twitter accounts, but the question on everyone's mind is how the accounts got commandeered by the spammers in the first place.

Apparently it was first noticed a few days ago, when a reporter of the Sydney Morning Herald spotted that the Twitter account of his friend sported the following message: "I lost so much weight with this secret trick!".

Knowing that the friend in question is both tech-savvy and paranoid, the two went through possible compromise scenarios together. Having rejected the possibility of her having been phished and her password having been brute-forced, and taking into account the scale of the spam attack, they concluded that a third-party service that had access to her Twitter account was likely compromised.

Continued : http://www.net-security.org/secworld.php?id=16736

Related: Mystery attack drops avalanche of malicious messages on Twitter

Google Changes Ciphers in OpenSSL for Chrome on Android
Apr 25, 2014 4:40AM PDT

The emergence of mobile platforms such as iOS and Android has presented a number of challenges in terms of security. Not much can be done about some of these, like users leaving their phones in bars. But engineers at Google have been working on one of the thornier ones of late - how to provide solid encryption on mobile platforms without crushing performance - and have implemented a pair of new cipher suites in Chrome to help address it.

Performance always has been a concern on mobile devices, but has become less of an issue in recent years as mobile processors have improved and bandwidth has expanded. However, when encryption operations come into the picture, performance is again a concern. Encryption takes processing resources on the device and also can eat up bandwidth with large outputs. To help alleviate both of these issues, and improve the security of the sessions on Chrome on Android, Google has implemented ChaCha20 and Poly1305 in the mobile browser.

Continued : http://threatpost.com/google-changes-ciphers-in-chrome-on-android/105694

Related: Google speeds up encrypted Web communications in Chrome on Android

Mozilla Creates $10K Bug Bounty Program for New Certificate Verification Library
Apr 25, 2014 4:41AM PDT

Mozilla has announced a new bug rewards program for security researchers that find flaws in the new certificate verification library it plans to use in the upcoming Firefox 31 release.

As part of the program, the company will offer researchers $10,000 for critical security flaws found before the end of June.

"As we've all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today's Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users," blogged Daniel Veditz, security lead at Mozilla.

"We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption," he blogged. "Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be."

Continued: http://www.securityweek.com/mozilla-creates-10k-bug-bounty-program-new-certificate-verification-library

Related: Mozilla to strengthen SSL certificate verification in Firefox

Spammers Use Non-Latin Characters to Evade Spam Filters
Apr 25, 2014 4:41AM PDT

"Spammers keep coming up with new ways to evade spam filters. Recently, they've started replacing regular characters with similar-looking symbols in hopes that their scammy emails make it to inboxes."

According to experts from Kaspersky Lab, the subject and the body of these spam emails might appear to be normal at first sight. However, a closer look reveals that many Latin characters have been replaced with symbols that look similar from other alphabets.

This trend appears to be popular among cybercriminals targeting users in Italy. Experts have spotted various types of spam messages in which this technique is utilized. The spammers use Cyrillic, Greek and even IPA symbols to replace Latin characters.

This is possible because of the UTF-8 coding system, which enables users to combine multiple types of characters in the same message.

This simple trick could be enough to bypass classic spam filters. On the other hand, Kaspersky says its own anti-spam solutions are not so easy to trick. They can detect spam even if non-Latin characters are utilized.

Continued : http://news.softpedia.com/news/Spammers-Use-Non-Latin-Characters-to-Evade-Spam-Filters-439215.shtml
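The look-alike substitution described in this post, as an added defensive example that is not part of the original article and is not Kaspersky's code: a small Python checker that flags words mixing letters from more than one script (the tell the article describes) and folds a hypothetical look-alike table back to ASCII before keyword matching, alongside a naive keyword filter to show why the raw-text match misses the substituted subject lines. The sample subjects, the CONFUSABLES table and the keyword list are constructed for this example; a production filter would load the full Unicode confusables data (UTS #39) rather than a hand-picked subset.

```python
import unicodedata

# Constructed sample subject lines for this example (not taken from the article).
# The second and third replace Latin letters with Cyrillic and Greek look-alikes,
# written as escapes so the substitution is visible in the source.
SAMPLE_SUBJECTS = [
    "Your invoice is ready",
    "Y\u043eur inv\u043eice is r\u0435ady",   # Cyrillic o (U+043E), e (U+0435)
    "S\u03c1ecial \u03bfffer t\u03bfday",     # Greek rho (U+03C1), omicron (U+03BF)
]

# Hypothetical look-alike table for this example; a real filter would load the
# full Unicode confusables data (UTS #39) instead of a hand-picked subset.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v", "\u03c4": "t",
}

# Constructed keyword list standing in for a classic filter's rule set.
SPAM_KEYWORDS = ("invoice", "offer")


def script_of(ch):
    """Coarse script label derived from the Unicode character name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Words whose letters come from more than one script (the article's tell)."""
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def fold_confusables(text):
    """Map known look-alikes back to ASCII so keyword rules see the intended word."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def naive_keyword_hit(subject):
    """A classic filter matching keywords on the raw text: bypassed by substitution."""
    return any(k in subject.lower() for k in SPAM_KEYWORDS)


def classify(subject):
    """Verdict combining the mixed-script check with keyword matching after folding."""
    flagged = mixed_script_words(subject)
    folded = fold_confusables(subject).lower()
    return {
        "mixed_script_words": flagged,
        "keyword_hit": any(k in folded for k in SPAM_KEYWORDS),
        "suspicious": bool(flagged),
    }


if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(repr(s), "naive:", naive_keyword_hit(s), "checked:", classify(s))
```

The mixed-script check is the cheaper and more general of the two signals: it needs no confusables table and catches substitutions the table does not know, at the cost of false positives on legitimately multilingual mail, which is why the verdict keeps both signals separate rather than collapsing them into one score.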

Brows(er)ing for Updates
Apr 25, 2014 5:07AM PDT

"Malwarebytes Unpacked" Blog:

When you update software on your PC, I bet you'd be hard pressed to think of an occasion where it notified you via web browser.

Programs tend to keep themselves to themselves and everything of a notification nature "in-house"...especially where updates are concerned.

More often than not, when you see a notification in your web browser that something needs to be fixed, updated or tweaked it's usually a sign that somebody wants to make a little money out of you by making some additions to the system (or fill in some surveys).

Over the last few months we've covered fake Flash updates, browser updates, Java and YouTube. Here's a site which focuses more on the various programs on your PC potentially needing updating as a whole, as opposed to focusing on just one product, located at

updatenowpro(dot)com

with the following landing page splash:

Continued : http://blog.malwarebytes.org/online-security/2014/04/browsering-for-updates/