
NEWS - September 26, 2014

Sep 26, 2014 2:29AM PDT
As Bash damage spreads, experts warn of network attacks and an internet meltdown

Reports on the latest Bash bug have gone from bad to worse, as damage from the bug spreads and many early patches are proving ineffective. Unlike Heartbleed, Bash attacks allow for remote code execution, allowing an attacker to exploit the vulnerability for malware distribution. Most attacks from the bug will target web servers and network devices, with experts saying that PHP-based web applications will be particularly vulnerable. Connected devices like smart appliances are also expected to be vulnerable in the long-term, since the devices are often slow to be patched, but early reports indicate an alarming number of systems may be at risk. As Kaspersky Lab's David Jacoby put it, "the real scale of the problem is not yet clear."

In one early census, Errata Security's Robert David Graham ran a limited IP scan and found 3,000 vulnerable systems before the scan crashed, noting that embedded webservers on odd ports were particularly at risk. A few hours later, Graham discovered that someone was already using the same tactics toward less savory ends. "Someone is using masscan to deliver malware," Graham wrote in an update. "They'll likely have compromised most of the systems I've found by tomorrow morning."

Continued: http://www.theverge.com/2014/9/25/6843669/bash-shellshock-network-worm-could-cause-internet-meltdown

See posts by:
gwrach923: New Mac/Linux bug out
R. Proffitt: For those that want to know more

Related:
'Shellshock' Bug Spells Trouble for Web Security
Hackers thrash Bash Shellshock bug: World races to cover hole
Confused about Shellshock? Patch what you can or be PUNISHED
Apple promises Bash bug fix while claiming 'vast majority' of Mac users are unaffected

Critical SSL flaw patched in Firefox, Thunderbird, Chrome
Sep 26, 2014 3:31AM PDT

If you are a Mozilla Firefox, Thunderbird or Seamonkey user, you should implement the latest patches issued by the company as soon as possible, as they fix a critical bug whose exploitation can lead to successful Man-in-the-Middle attacks.

The bug affects all versions of the Mozilla NSS library, and makes it vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher, Mozilla has explained. "This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates."

The severity of the flaw is also proved by the fact that US-CERT released an alert about it, in which they also warned that the vulnerable Mozilla NSS library is often included in third-party software, including Linux distributions, Google Chrome, Google OS and others.

Continued: http://www.net-security.org/secworld.php?id=17414

Related: Mozilla Patches RSA Signature Forgery in Firefox, Thunderbird, NSS

Also see: Mozilla Firefox 32.0.3 Released

Signature Systems Breach Expands
Sep 26, 2014 4:21AM PDT

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John's sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

Earlier this week, Champaign, Ill.-based Jimmy John's confirmed suspicions first raised by this author on July 31, 2014: That hackers had installed card-stealing malware on cash registers at some of its store locations. Jimmy John's said the intrusion — which lasted from June 16, 2014 to Sept. 5, 2014 — occurred when hackers compromised the username and password needed to remotely administer point-of-sale systems at 216 stores.

Those point-of-sale systems were produced by Newtown, Pa., based payment vendor Signature Systems. In a statement issued in the last 24 hours, Signature Systems released more information about the break-in, as well as a list of nearly 100 other stores — mostly small mom-and-pop eateries and pizza shops — that were compromised in the same attack.

Continued: http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/
Shellshock: How to protect your Unix, Linux and Mac servers
Sep 26, 2014 4:21AM PDT

The only thing you have to fear with Shellshock, the Unix/Linux Bash security hole, is fear itself. Yes, Shellshock can serve as a highway for worms and malware to hit your Unix, Linux, and Mac servers, but you can defend against it.

However, Shellshock is not as bad as HeartBleed. Not yet, anyway.

While it's true that the Bash shell is the default command interpreter on most Unix and Linux systems and all Macs — the majority of Web servers — for an attacker to get to your system, there has to be a way for him or her to actually get to the shell remotely. So, if you're running a PC without ssh, rlogin, or another remote desktop program, you're probably safe enough.

A more serious problem is faced by devices that use embedded Linux — such as routers, switches, and appliances. If you're running an older, no longer supported model, it may be close to impossible to patch it, and it will likely be vulnerable to attacks. If that's the case, you should replace it as soon as possible.

Continued: http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/
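The ZDNet excerpt above says the defence is to patch, but does not show how to confirm that a host's patch actually took. The following self-check is an added example and is not from the CNET thread, the ZDNet article, or any vendor; it relies on the widely published fact that an unpatched bash executed commands appended to a function definition imported from the environment. It assumes `bash` is on `PATH`; the variable name `shellshock_probe` and the marker string are arbitrary choices. Running it on a host reports "patched", "vulnerable", or "no-bash", and prints the bash version so the result can be logged and compared against the vendor's fixed build.

```shell
#!/bin/sh
# Added example (not part of the CNET posts or the ZDNet article): a local
# self-check for whether the installed bash still runs code appended to an
# exported function definition. Assumes `bash` is on PATH.

# Prints "patched" if bash ignores the trailing command, "vulnerable" if it
# runs it, and "no-bash" if bash is not installed at all.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The environment variable carries a harmless marker after the function
    # body; an unpatched bash printed the marker while importing it, while a
    # patched bash ignores the variable (and may warn on stderr, which we drop).
    out=$(env shellshock_probe='() { :;}; echo SHELLSHOCK_MARKER' \
          bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Reports the bash version alongside the verdict so the line can be kept as
# evidence of when a host was verified.
shellshock_report() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo "unknown")
    echo "bash ${ver:-unknown}: $(shellshock_status)"
}

shellshock_report
```

Because the check only invokes the local bash, it is suitable for a fleet-wide audit script run by configuration management; a "vulnerable" result on an appliance you cannot patch is the replacement case the article describes.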