The Tech News Blog

April 19, 2014

Websites Fixing Heartbleed Bug, VPNs Still Vulnerable

After the initial panic over the Heartbleed bug, which some researchers earlier this month estimated had affected two-thirds of all Web servers, researchers at Sucuri reported Friday that just 2 percent of the top 1 million websites on the Internet remain vulnerable and all of the top 1,000 sites have been patched against the OpenSSL vulnerability.

But also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker "leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client's environment," culminating in the hijacking of "multiple active user sessions."

So in short, the good news is that the vast majority of websites, and all of the most heavily trafficked sites on the Web, have fixed this vulnerability, a bug in the OpenSSL code responsible for sending "heartbeat" messages between servers and clients, including PCs and mobile devices.



April 9, 2014

Heartbleed Bug: Should You Panic?

Heartbleed, a bug within OpenSSL, is making headlines this week, and while it might seem like a rather technical issue, it has some real-world ramifications that could impact the online services you use every day. Even worse, there's really no way to tell what malicious activity has occurred thanks to Heartbleed.

Heartbleed is a vulnerability in the open-source encryption library OpenSSL. It's so named because it affects the heartbeat extension, a way for each end of a connection to confirm that the other end is still there. A malformed heartbeat request lets an attacker make the other end hand back data it should never have sent.

No matter how secure you think your information is, it's not. The same goes for passwords, even if they're 16 characters long and filled with a nonsensical mix of symbols and numbers. Malware analyst Mark Loman demonstrated that some Yahoo Mail passwords are easily viewed in plain text as a result of Heartbleed.
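The check that Heartbleed was missing, as an added example written for this page (not OpenSSL's code): a heartbeat record's declared payload length must be validated against the bytes actually received before anything is echoed back. The record layout follows RFC 6520; the two sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not OpenSSL's code): validate a TLS heartbeat
 * message (RFC 6520) before trusting its declared payload length.
 * Wire format: type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * Heartbleed happened because the responder echoed payload_length bytes
 * back without checking that many bytes had actually been received,
 * so the reply carried whatever followed the request in process memory. */

#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16

/* Returns the declared payload length when it fits inside the received
 * record, or -1 when honouring it would read past the record's end. */
long heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return -1;                     /* too short to be a valid heartbeat */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check that was missing: header + declared payload + minimum
     * padding must not exceed the bytes actually on the wire. */
    if (HB_HEADER_LEN + payload_len + HB_PADDING_MIN > rec_len)
        return -1;
    return (long)payload_len;
}

/* Constructed records for demonstration. */
static const uint8_t benign_record[] = {
    0x01, 0x00, 0x03,                  /* heartbeat_request, 3-byte payload */
    'a', 'b', 'c',                     /* the payload itself */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};
/* Claims 65535 payload bytes but carries only the header and padding. */
static const uint8_t oversized_record[] = {
    0x01, 0xFF, 0xFF,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

long benign_payload_len(void)
{
    return heartbeat_payload_len(benign_record, sizeof benign_record);
}
long oversized_payload_len(void)
{
    return heartbeat_payload_len(oversized_record, sizeof oversized_record);
}
```

A responder that rejects the oversized record instead of copying 65535 bytes cannot leak memory, which is exactly what the OpenSSL fix added.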



April 8, 2014

Microsoft Issues Final XP, Office 2003 Updates for Patch Tuesday

Microsoft released four security updates fixing 11 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and Microsoft Publisher as part of its April Patch Tuesday release. The security bulletins for Windows XP and Office 2003 are the last publicly-released patches for these two products, as Microsoft ended support today.

Seven of the vulnerabilities affect Windows XP, and four affect Office 2003. "This is an important Patch Tuesday for users who rely on the outdated platforms and applications that move to self-support this month," said Russ Ernst, director of product management at Lumension.

The top bulletin addresses three vulnerabilities in Microsoft Word (MS14-017), including the recently discovered zero-day vulnerability in the RTF (Rich Text Format) parser. If an attacker successfully tricks the user into opening a malicious RTF document in an unpatched version of Microsoft Word, the attacker can remotely execute code on the system. The other two vulnerabilities are flaws with the Word 2007 and 2010 File Format Conversion Utility and a stack overflow bug in Word 2003.



March 20, 2014

Google Encrypts All Gmail Messages After NSA Snooping

Google is upping the security of Gmail with new measures to protect your email from prying eyes.

The Web giant on Thursday announced that from now on, Gmail will always use an encrypted HTTPS connection when you check and send email. Gmail has always supported HTTPS, and in 2010 Google turned it on for everyone by default, but users still had the option to turn this protection off. From now on, Gmail is HTTPS-only, meaning the mail service no longer allows the more insecure HTTP connections.

"Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers — no matter if you're using public Wi-Fi or logging in from your computer, phone or tablet," Gmail Security Engineering Lead Nicolas Lidzborski wrote in a blog post.

One reason to avoid HTTPS is that it could be a tad slower than HTTP. But Google said it has been working for some time to address performance issues and now feels it has reached a point where it no longer makes sense to allow HTTP connections, a spokeswoman for the company told PCMag. Most Gmail users already use HTTPS, so this is just the final step in the transition.



March 14, 2014

Target Ignored Data Breach Warning Signs

Target this week acknowledged that it probably could have done more to prevent a hack that impacted up to 70 million shoppers.

"With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," a Target spokeswoman said in a statement.

News of the Target breach emerged in December and impacted those who used credit or debit cards in U.S. Target stores between Nov. 27 and Dec. 15. The retailer said the breach affected 40 million credit and debit card numbers, as well as the personal information of up to 70 million individuals.

The hack is in the news again this week after a Bloomberg BusinessWeek article said that Target ignored warnings about a possible intrusion. The report says Target used a malware detection tool from FireEye, and that the product picked up on sketchy behavior in late November. Target was notified "and then ... nothing happened," according to BusinessWeek.



March 11, 2014

McAfee Issues Warning About ‘Dark Web’

The "dark Web" might sound like something out of a comic book, but it's actually a lot closer to home and was instrumental in pulling off recent, high-profile attacks like the ones that hit retailers like Target.

In its latest quarterly threat report, McAfee found that scammers are purchasing credit card numbers and other personal data on the dark Web just as the average consumer might be buying something on Amazon. The recent rash of point-of-sale credit card hacks, the report found, can mostly be traced back to off-the-shelf systems.

Those attacks include Target, as well as Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, Michaels craft stores, and 'wichcraft. McAfee found about 40 million credit card numbers for sale, which were stolen in batches of 1 million and 4 million at a time.

"The breaches were unprecedented in numbers of records stolen, but what is even more notable is how well the malware industry served its customers," the report said.



February 25, 2014

Apple Patches Critical OS X ‘Gotofail’ Security Hole

Apple on Tuesday issued an update for OS X that fixes a serious SSL security hole the company already fixed in its iOS devices late last week.

The so-called "gotofail" flaw, which stemmed from an extra line accidentally added in Apple's source code, could let an attacker on the same network as a victim eavesdrop on all user activity. Apple on Friday pushed out an update for the iPhone, iPad, and iPod touch, but experts warned that Mac desktops and laptops were still at risk.

Tuesday's security update, OS X version 10.9.2, fixes the bug in both OS X Mavericks and the older Mountain Lion; older versions of Mac OS X are not believed to be affected. To get the update, head to your Mac's Apple menu and select Software Update. Users should install the update as soon as possible.



February 24, 2014

Apple Security Bug Could Let Hackers Intercept Encrypted Data

Apple on Friday quietly pushed out an update for its mobile devices to fix a major security flaw that could allow attackers to intercept encrypted email and other data. Experts warn that Mac desktops and laptops are still at risk.

The flaw, which relates to how iOS 7 validates the SSL certificates intended to protect websites, could let an attacker on the same network as a victim eavesdrop on all user activity. Apple did not reveal much information about the problem, though experts who have studied the bug said hackers could launch so-called man-in-the-middle attacks to intercept messages as they pass from a user's device to sites like Gmail, Facebook, or even online banking.

"An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple said in its advisory.

As PCMag's Security Watch blog noted, SSL certificate validation is "critical" for establishing secure sessions with websites.

"By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker," PCMag's Fahmida Rashid wrote. "The user's browser also relies on the certificate to verify the response came from the bank's servers and not from an attacker sitting in the middle and intercepting sensitive communications."



February 23, 2014

Apple Fixes “Fundamental” SSL Bug in iOS 7

Apple quietly released iOS 7.06 late Friday afternoon, fixing a problem in how iOS 7 validates SSL certificates. Attackers can exploit this issue to launch a man-in-the-middle attack and eavesdrop on all user activity, experts warned.

"An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple said in its advisory.

Users should update immediately.

Watch Out for Eavesdroppers
As usual, Apple didn't provide a lot of information about the issue, but security experts familiar with the vulnerability warned that attackers on the same network as the victim would be able to read secure communications. In this case, the attacker could intercept, and even modify, the messages as they pass from the user's iOS 7 device to secured sites, such as Gmail or Facebook, or online banking sessions. The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, CTO of CrowdStrike.

The software update, released as iOS 7.06 and iOS 6.1.6, is available for iPhone 4 and later, the 5th generation iPod touch, and iPad 2 and later. The same flaw exists in the latest version of Mac OS X but has not yet been patched, Adam Langley, a senior engineer at Google, wrote on his ImperialViolet blog. Langley confirmed the flaw was also in iOS 7.0.4 and OS X 10.9.1.
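The "extra line" behind the gotofail bug described in the three Apple posts above, as an added illustration written for this page (not Apple's code): a chain of verification steps that each jump to a cleanup label on error, with one stray unconditional jump. The check functions are hypothetical stand-ins for the real hash and signature checks.

```c
/* Constructed illustration of the "goto fail" pattern (not Apple's code).
 * Each verification step sets err and jumps to the cleanup label on failure.
 * The reported bug was one extra, unconditional "goto fail;": control jumps
 * to the label while err is still 0, the remaining check is skipped, and the
 * function reports success for a handshake whose signature was never verified. */

/* Hypothetical step results supplied by the caller: nonzero means the step passed. */
static int check_hash(int hash_ok)      { return hash_ok ? 0 : -1; }
static int check_signature(int sig_ok)  { return sig_ok  ? 0 : -1; }

/* Vulnerable shape. Returns 0 for "verified", nonzero for an error. */
int verify_vulnerable(int hash_ok, int sig_ok)
{
    int err = 0;
    if ((err = check_hash(hash_ok)) != 0)
        goto fail;
    goto fail;                                  /* the extra line: always taken */
    if ((err = check_signature(sig_ok)) != 0)   /* dead code: never reached */
        goto fail;
fail:
    return err;                                 /* 0 even when sig_ok == 0 */
}

/* Fixed shape: every goto is guarded, and braces make that explicit. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int err = 0;
    if ((err = check_hash(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

Compiling with unreachable-code warnings enabled, or a style rule requiring braces around every conditional body, would have flagged the vulnerable shape before it shipped.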



February 16, 2014

Kickstarter Hacked, Credit Card Data Safe

The crowdfunding site Kickstarter was recently the target of a hack by an unknown individual or group of individuals. Yes, some of the data that the service stores about you – if you're a user – was accessed. However, there's a bit of a silver lining: credit card data and passwords appear relatively safe, with a caveat.

Kickstarter officially notified the world about the hack yesterday via a blog post from company CEO Yancey Strickler, although the attack itself happened this past Wednesday. According to Strickler, Kickstarter was tipped off about the unauthorized access by "law enforcement officials" that evening. Once notified, Kickstarter "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system," according to the related Kickstarter blog post.

Following an investigation – which is why users were notified Saturday instead of, say, Thursday – Kickstarter was able to determine that its users' credit card data remained safe from pilfering. However, that doesn't mean the attacker(s) left empty-handed:

"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," reads Strickler's blog post.