news

New OpenSSL Flaw Is No Heartbleed

In Brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA server is expected to have minimal impact. OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication. Fortunately, the flaw only affects versions of OpenSSL released last month, which are not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Despite the severity, experts expect the overall impact will be minimal. “Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an […]

Hacking Team Breach Unleashes New Adobe Flash Zero Day

In Brief: As a result of a hack at Hacking Team, and the subsequent disclosure of nearly 400 GB of documents and tools, a new zero day targeting all versions of Adobe Flash has been reported in the wild. Last Sunday, the firm known as Hacking Team was breached. Amid the 400 GB of company data disclosed from the controversial Italian company were some zero days. These include two Adobe Flash zero days and a Windows kernel zero day. One of the Flash zero days is what Hacking Team described in an internal document as “the most beautiful Flash bug for the last four years.” Adobe has issued a security bulletin for CVE-2015-5119, which affects Windows, Linux, and Apple products. Successful exploitation can result in a crash and remote access to the infected machine. Adobe has said it is working on an emergency patch, which could come as early as today. Trend Micro has identified […]

Opinion: The IoT’s Wild West is Your Home Network

In Brief: Jackson Shaw of Dell warns that home networks are like the Wild West frontier when it comes to threats to the Internet of Things. Your broadband router is the covered wagon.

AV-Test.org Finds Popular Fitness Trackers Lack Security

AV-Test.org, an organization known for its thorough and independent testing of antivirus products, has found the usual suspects of lack of authentication and encryption—security lapses that are all too common in IoT devices—are also present in popular fitness bands such as those from Fitbit and Acer. The Jawbone UP24, Polar Loop and Sony Smartband Talk SWR32 scored the best on security of those products tested. The researchers admit that counting steps or number of calories burned may not constitute a leak of PII, but acknowledge that in the future that may be different, with manipulation and/or data theft leading to more or less serious threats to user privacy and […]

Akamai Identifies Old Protocol in New DrDoS Attacks

An old protocol found in SOHO routers may be responsible for recent DrDoS attacks, says the security team at Akamai. Akamai, through the company’s Prolexic Security Engineering & Research Team (PLXsert), issued an alert today for an old protocol that could be used in Distributed Reflection Denial of Service (DrDoS) attacks. Routing Information Protocol v1 (RIPv1) allows routers in small networks to share route information. For example, a router running RIPv1 would send a request over UDP port 520 when it is first powered on, and other devices on the network, listening for this request, would send the new router a list of routes. In a DrDoS attack, that list of routes would instead be sent to a designated target. RIPv1 has since been replaced with RIPv2, but many older units still have RIPv1 enabled by default. “This version of the RIP protocol was first introduced in 1988 – more than […]