RPGWatch Forums » General Forums » Tech Help » This week in computer security

April 12th, 2014, 01:11
It's serious all right: http://heartbleed.com/

Yeah, I bet that guy says it was hacked. Otherwise he's going to get sued.
Zloth
#141

April 12th, 2014, 12:06
Well, current reports say that the "Heartbleed" OpenSSL breach has been actively used by "probably a security service" for two years already.

The paranoid one in me says that this backdoor could have been made by the NSA in the first place.

What both astonishes me and worries me at the same time is the sheer simplicity of the breach.

Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction. (E.F.Schumacher, Economist, Source)
Alrik Fassbauer
#142

April 12th, 2014, 22:35
I think you're right, Alrik. It's the internet's most unfortunate bug because it's involved in most open-source-based security software. Luckily this will probably help provide funding for improving these libraries. I think the Rust programming language [1] might be very helpful here. Mozilla is funding its development and there seems to be a healthy interest from open-source developers too.

[1] www.rust-lang.org
Last edited by hishadow; April 12th, 2014 at 22:47.
hishadow
#143

April 12th, 2014, 22:48
The bug was actually created by a German engineer who has confessed it was an accident, and not intentional. Here is some of the information with links if anyone is curious. So I don't see the need to cry foul with conspiracy theories.

Link- http://www.latimes.com/business/tech…#axzz2yhtuRpC6
He lives in the German city of Munster and is among the community of programmers who contribute code to the OpenSSL project. OpenSSL is the open-source software that provides encryption for two-thirds of the Web's servers.

Seggelmann told the Sydney Morning Herald that he did not notice the error when he wrote the flawed code that became the Heartbleed bug two years ago. And when he submitted it, the error was also missed by the person who reviewed the code.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."

Seggelmann gave the interview in part to clarify that Heartbleed was a mistake, not deliberate. He wanted to counter rumors that it was part of some nefarious plot to create a backdoor to allow government security agencies to spy on Internet users.

"In this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he told the Herald. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

"Frankly Sir /Madam I don't give a damn about your opinion."- Couchpotato
Couchpotato
#144

April 13th, 2014, 03:13
Well, they (Cloudflare and Russian developers) proved that it is a much more serious bug than I first figured it for. Fortunately it got a lot of attention, so most IT people running websites have had to check their websites for the vulnerability. I don't blame the programmer one bit. I do blame the designers of the specification, as why the heck do we need super dynamic heartbeat systems? Maybe also blame the super clever memory management system that OpenSSL uses. I thought the bugs in the echo and ICMP protocols years ago would have taught some lessons, but I guess not.

But having said that, it's probably a very good idea to change your passwords as soon as your favorite websites indicate they are clean. Especially for anything in the past 3-4 months.

Problem is figuring out which sites are not clean. After all, how many people are going to compile OpenSSL themselves and check for the heartbeat feature response and version at every site they visit? I compiled OpenSSL myself since there were no current Windows versions I could find, but I'm not checking every site I visit for the bug. Well, except for the ones getting my credit card info, for now.
figment
#145

April 13th, 2014, 15:45
Originally Posted by figment
I don't blame the programmer one bit. I do blame the designers of the specification as why the heck do we need super dynamic heartbeat systems?
The programmer is the designer [1]. The idea behind Heartbeat is to keep a connection alive when there is no network traffic, like keeping a VPN tunnel up and NAT (many computers behind one IP address).

[1] http://tools.ietf.org/html/rfc6520
hishadow
#146

April 13th, 2014, 17:32
Thanks for the link. Didn't realize Seggelmann authored the spec too so I will blame him after all. You win.

I still don't see the point of arbitrary content in this spec. In TLS over UDP you do not have TCP heartbeats available, so an inbuilt heartbeat in the protocol is OK to me, but why can I request messages of 16K bytes from the server? TCP heartbeats have a data length of one byte to my recollection, because routers can optimize out the packet if its payload is zero length. It seems to want to use the heartbeat as an MTU probe as well, which IMNSHO should be something more appropriate and closer to how TCP connections are supposed to work, negotiated upfront or part of the application. But then again I'm in the industrial automation space and use heartbeats for liveness checks, not for path discovery. The next is that it is available to TCP connections and really has no place there. [/RANT]
figment
#147
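
Added example (my own code for this page, not code from the thread, from OpenSSL or from RFC 6520): a small C model of the missing length check Seggelmann describes in post #144 and of the oversized payload figment complains about in the post above. The message layout follows RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding). The evil_mem and good_mem bytes, the "SECRET-SESSION-KEY!" neighbour and all function names are constructed for the demo. The vulnerable builder copies as many bytes as the attacker's payload_length says; the fixed one adds the check OpenSSL 1.0.1g added, that header plus declared payload plus minimum padding must fit inside the record the transport actually delivered, and otherwise silently discards the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes, big
 * endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define RECORD_LEN  23   /* 1 + 2 + 4 + 16: what the record layer actually delivered */

/* Constructed "process memory" for this demo, not real OpenSSL data: one
 * heartbeat record as delivered (23 bytes) followed by unrelated data that
 * happened to sit next to it. payload_length claims 0x0030 = 48 bytes although
 * only 4 payload bytes were sent. */
static const uint8_t evil_mem[] = {
    HB_REQUEST, 0x00, 0x30, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,        /* sender's padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'S', 'E', 'S', 'S',
    'I', 'O', 'N', '-', 'K', 'E', 'Y', '!', 0               /* neighbouring heap data */
};
/* A well-formed request whose payload_length matches the 4 bytes sent. */
static const uint8_t good_mem[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Builds the response the way OpenSSL up to 1.0.1f did: the copy length comes
 * from the attacker-controlled payload_length field and is never compared
 * with rec_len. The clamp to mem_len exists only to keep this demo defined
 * behaviour; the real code read whatever lay beyond the record.
 * Returns the response length, 0 if the request is rejected. */
size_t heartbeat_reply_vulnerable(const uint8_t *mem, size_t mem_len,
                                  size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec_len > mem_len || mem[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];      /* n2s(p, payload) */
    size_t avail = mem_len - 3;
    size_t n = payload < avail ? payload : avail;         /* demo-only clamp */
    if (3 + n + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, mem + 3, n);                          /* the Heartbleed memcpy */
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Same logic with the check OpenSSL 1.0.1g added: the declared payload plus
 * header and minimum padding must fit inside the record actually received. */
size_t heartbeat_reply_fixed(const uint8_t *mem, size_t mem_len,
                             size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len > mem_len || 1 + 2 + HB_PADDING > rec_len) return 0;  /* too short to be valid */
    if (mem[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* silently discard */
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, mem + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Wrappers over the constructed memory; each returns a value a test can check. */
size_t demo_vulnerable_len(void) { uint8_t out[128]; return heartbeat_reply_vulnerable(evil_mem, sizeof evil_mem, RECORD_LEN, out, sizeof out); }
size_t demo_fixed_len_evil(void) { uint8_t out[128]; return heartbeat_reply_fixed(evil_mem, sizeof evil_mem, RECORD_LEN, out, sizeof out); }
size_t demo_fixed_len_good(void) { uint8_t out[128]; return heartbeat_reply_fixed(good_mem, sizeof good_mem, RECORD_LEN, out, sizeof out); }

/* 1 when the vulnerable response carries the neighbouring secret: it starts at
 * response offset 3 (header) + 4 (real payload) + 16 (sender's padding) = 23. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t out[128];
    size_t n = heartbeat_reply_vulnerable(evil_mem, sizeof evil_mem, RECORD_LEN, out, sizeof out);
    return n >= 23 + 19 && memcmp(out + 23, "SECRET-SESSION-KEY!", 19) == 0;
}

int main(void)
{
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           demo_vulnerable_len(), demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed: oversized request -> %zu bytes, honest request -> %zu bytes\n",
           demo_fixed_len_evil(), demo_fixed_len_good());
    return 0;
}
```

Compile with `cc -std=c99 heartbeat_demo.c` and run it: the vulnerable path answers the 4-byte "ping" with a 59-byte response whose tail is the neighbouring secret, while the fixed path returns 0 for that record and a 23-byte response for the honest one. The demo clamps its reads to the buffer only to stay within defined behaviour; since payload_length is a 16-bit field, the real code could read up to 64 KiB past the end of the record on every request.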

April 13th, 2014, 22:13
@figment: Hehe. Not the best day for German engineering.

Speaking of security, I recommend doing a port scan of your own IP address using http://mxtoolbox.com/PortScan.aspx. The page also lists your own IP at the bottom in the grey section (see "Your IP is: 123.123.123.123"). If you find anything open and wonder why, post the port numbers here.
hishadow
#148

May 15th, 2014, 17:24
I was just reading about a new virus which hijacks PCs and uses them to get Bitcoins and other similar money-like stuff. Hijacked PCs are said to get hot because of the heavy CPU use. It spreads via Facebook.

More here : http://wiki.secarmour.com/2014/05/ma…-facebook.html

According to a German news entry on www.heise.de, the NSA intercepts and secretly opens postal packages, takes out routers, infects them with "beacon implants" (malware, it seems), and sends them on to the original destination again.

English-language screenshots from a speech illustrating this are here: http://www.heise.de/newsticker/meldu…k-2187858.html

Cisco is one of the affected producers of networking devices.

Alrik Fassbauer
#149

July 26th, 2014, 11:18
A new Trojan called Retefe uninstalls itself after the infection, and it is still able to operate effectively, though indirectly, afterwards.

More information for example here : http://www.microsoft.com/security/po…Retefe.A#tab=2

Payload

Steals sensitive information

Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and intercepting traffic through your Internet browser.

It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD:


It then installs the self-signed certificate to be used by the Firefox browser.

It also changes the DNS server to an IP address of a server controlled by the attacker. We have seen the following IP addresses being used:

193.169.244.191
93.171.202.99

Stops processes

Trojan:Win32/Retefe.A terminates the following processes if they are running:

iexplore.exe
firefox.exe
chrome.exe
In short, the Trojan installs its own self-signed certificate and redirects browsers to the Trojan's web sites, which appear to be trustworthy because of the Trojan's certificate …

Alrik Fassbauer
#150

July 26th, 2014, 12:11
It also changes the DNS server to an IP address of a server controlled by the attacker.
This.
I've never understood why Microsoft didn't put basic security on the TCP/IP properties.
Some software, not keyboard input, wants to add/change the DNS? Warn the user exactly what's going on and give him an option to shut down that process!
Instead, they're forcing a touchscreen OS.

Toka Koka
joxer
#151

July 30th, 2014, 23:45
BitTorrent, the company with a torrent client of the same name, and the company that acquired and then turned uTorrent into adware/bloatware, might be your only chance against the NSA.

Bleep is software that should provide you with a completely private chat, since no one can really record the full thing and the tiny bits that are caught can't reconstruct the whole thing.

Interested? Sign up for the alpha or wait for the full thing (currently Win 7/8 only, future versions go to phones):
http://blog.bittorrent.com/2014/07/3…nly-pre-alpha/

Now seriously, I'm in love with Viber so I don't see a practical use for this unless their data stream provides better sound quality. On the other hand, "secret" government agencies would probably use Bleep on a daily basis.

joxer
#152

August 13th, 2014, 04:40
http://www.symantec.com/connect/blog…s-new-cash-cow

A good read regarding how criminals have moved on to our cell phones.
redman5427
#153
All times are GMT +2.
Powered by vBulletin® Version 3.8.8
Copyright by RPGWatch