It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable. IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated its OpenSSL instance to the latest version. In fact, it’s safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years – to come. In the meantime, there is a lot of interesting coverage and […]
The Heartbleed OpenSSL Flaw: What You Need To Know
There’s a serious vulnerability in most versions of the OpenSSL technology that requires an immediate update to avoid exposing sensitive information and Internet traffic to snooping. In response, the SANS Internet Storm Center (ISC) has raised its InfoCon (threat) level to “Yellow,” indicating that…well…the Internet’s not as safe a place today as it was yesterday, before the vulnerability was disclosed. Here’s what we know right now: + Researcher Neel Mehta of Google Security discovered the vulnerability, which was apparently introduced with an OpenSSL update in December 2011, but only fixed with the release of OpenSSL 1.0.1g on Monday. + Dubbed “Heartbleed” (thank the Codenomicon marketing department for that one), the vulnerability (CVE-2014-0160) is described as a TLS heartbeat read overrun. TLS stands for Transport Layer Security. According to OpenSSL.org, vulnerable versions of the OpenSSL software have version numbers in the 1.0.1 and 1.0.2-beta ranges. + Codenomicon described the vulnerability as an “implementation problem” […]
Internet of Things and the Enterprise (InfoGraphic)
I’m a big fan of infographics – at least when they’re well done and present insightful facts. That’s why I’m always on the lookout for good ones – especially when the subject is the Internet of Things. So I was interested to come across the latest contribution from IoT firm Xively (part of the company LogMeIn), which pulls together some factoids on IoT’s potential in the enterprise. Among the interesting statistics gussied up in this one: an Economist Intelligence Unit data point saying that 95% of C-level executives expect their company to be using the Internet of Things in three years’ time, while 74% of them predict that it will play a ‘major role’ in their business in that time. That’s kind of astounding when you consider it: executives saying ‘Here is this new kind of technology that we barely use now. But in three years, it will be […]
Google Readies SDK For Wearable Tech
Google will soon release a software development kit (SDK) for adapting its Android mobile operating system to wearable technology such as smart watches, according to statements by Sundar Pichai, Google’s Senior Vice President of Android, Chrome and Apps. Pichai was speaking over the weekend at the South by Southwest (SXSW) festival in Austin, Texas. He said that the SDK for wearables will be available sometime in the next two weeks and is intended to help flesh out the company’s vision for how wearable technology should work. The news was first reported here by The Guardian. Wearables are just another “platform” on which small, powerful sensors will be deployed, he said. “Sensors can be small and powerful, and gather a lot of information that can be useful for users. We want to build the right APIs for this world of sensors,” he is quoted as saying. [Read more Security Ledger coverage […]
SOHOwned: 300K Home Routers Hacked
A string of reports in recent weeks has focused a spotlight on rising attacks against an often-overlooked piece of equipment that can be found in almost every home and business: the wireless router. Just this week, the security firm Team Cymru published a report (PDF) describing what it claims is a widespread compromise of small office and home office (SOHO) wireless routers, linked to cyber criminal campaigns targeting online banking customers. Cymru claims to have identified over 300,000 SOHO devices (mostly in Asia and Europe) that were compromised. According to the report, the compromises first came to light in January, after Team Cymru analysts noticed a pattern of SOHO routers with overwritten DNS settings in central Europe. The affected devices are from a range of manufacturers, including well-known brands like D-Link, Micronet, Tenda and TP-Link. The devices were vulnerable to a number of attacks, including authentication bypass and cross-site […]