OpenSSL

The Enduring Terribleness of Home Router Security Matters to IoT

Last week, home broadband router maker ASUS was the latest vendor to issue an emergency patch for a critical vulnerability in its products. This, after proof-of-concept exploit code was released for the so-called “Inforsvr” vulnerability that affects several ASUS home routers. That vulnerability -if left unpatched – would allow anyone with access to a home- or small business network that used an ASUS broadband router to, essentially, commandeer the device. The “infosvr” feature is typically used for device discovery by the ASUS Wireless Router Device Discovery Utility, but the service also allowed unauthenticated users to execute commands through it using the “root” permissions, according to researcher Friedrich Postelstorfer, who created a proof of concept exploit for the security hole and released it on January 4. The exploit code finally prompted a patch from ASUS on January 13. The company had spent months analyzing the issue and working on a fix. Patch aside, it has been a worrying month for the […]

Continue Reading

Surprise: Branding a Bug is just as Hard as Branding Anything Else!

ZDNet’s @violetblue has a nice piece on the new fad for naming vulnerabilities – seen most recently with the OpenSSL Heartbleed vulnerability and the “Shellshock” vulnerability in Linux’s common BASH  utility. As Blue notes, the desire to “brand” bugs “changes the way we talk about security” – in part by giving complex, technical flaws down a common referent. But does giving a bug a logo make it frivolous? As she notes: the penchant for naming vulnerabilities may stem not from a desire to trivialize them – but a very practical response to the need to keep track of so many security holes in software. Regardless, Heartbleed – and the marketing by the firm Codenomicon that surrounde it – was the bug that launched a thousand ships, including Shellshock, Sandworm, and more. Read more coverage of Heartbleed here. But, as with . As security research and incident response are becoming more lucrative, expect the masonry […]

Continue Reading

Whack-A-Bash: New Vulnerabilities add to Patch Confusion

The good news about the rapid, industry response to the revelations about exploitable security holes in GNU Bash (Bourne Again Shell) (aka “Shellshock”) is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed. The bad news about the quick fixes for the two issues, CVE-2014-6271 and CVE-2014-7169, from the likes of Red Hat, Ubuntu, Debian and others is that – in being early- they fail to fix the problems we don’t yet know about. And that’s what we’re seeing in the wake of last week’s storm of patches: a steady drip-drip of disclosures that suggest that Bash may contain other problems worthy of new fixes. Within hours of the disclosure of the first holes, there were problems discovered by Red Hat Product Security researcher Todd Sabin, who found additional “off by one” errors in Bash that were assigned CVE-2014-7186 and CVE-2014-7187 and […]

Continue Reading
shellshock

Update: ShellShock’s Long Tail in the Enterprise

The recently disclosed vulnerability in the Linux Bash function dubbed “ShellShock” is creating a firestorm of coverage – and rightly so. The 22 year-old security hole is remotely exploitable and affects Linux based web servers and an unknown number of other devices that might run on linux and contain vulnerable services. However, unlike the recent “Heartbleed” OpenSSL vulnerability, identifying systems vulnerable to Shellshock won’t be easy. Shellshocked first came to light on Wednesday, when Linux vendors including Red Hat began warning about the security hole. The vulnerability allows a malicious actor to take advantage of built in Bash functions, wrapping them in environmental variables and then appending malicious code to the end of function definitions within the variable. In a blog post, Redhat said that any application that runs a shell script using Bash as the command interpreter, or that is hooked onto a shell is vulnerable to attack. Paul Venezia, writing over at InfoWorld, gives one […]

Continue Reading
heartbleed SSL image

Report: Community Health Hack Linked To Heartbleed OpenSSL Hole

The security firm TrustedSec said in a blog post on Tuesday that a recent hack of the healthcare network Community Health Services was the result of an attack on the so-called “Heartbleed” vulnerability in OpenSSL. According to TrustedSec, attackers targeted vulnerable VPN (virtual private network) software from Juniper networks in a breach that affected an estimated 4.5 million patients. TrustedSec cited a “trusted and anonymous source close to the CHS investigation” in its blog post. It said attackers were able to glean user credentials from memory on a CHS Juniper device by exploiting the Heartbleed vulnerability. Those credentials were used to login via the VPN to CHS’s network, then move laterally to the servers containing the patient data. [Read more Security Ledger coverage of the Heartbleed vulnerability here.] A separate report by Bloomberg attributed the attack to hackers in China, though it did not provide any evidence linking the attackers to a specific Chinese […]

Continue Reading
1 2 3 4 5 6 7