This week in computer security

It's serious all right: http://heartbleed.com/

Yeah, I bet that guy says it was hacked. Otherwise he's going to get sued.
 
Joined
Aug 3, 2008
Messages
8,220
Location
Kansas City
Well, current reports say that the "Heartbleed" OpenSSL breach was actively used by "probably a Security Service" for 2 years already.

The paranoid one in me says that this backdoor could have been made by the NSA in the first place.

What both astonishes me and worries me at the same time is the sheer simplicity of the breach.
 
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe
I think you're right Alrik. It's the internet's most unfortunate bug because it's involved in most open-source-based security software. Luckily this will probably help provide funding for bettering these libraries. I think the Rust programming language [1] might be very helpful here. Mozilla is funding its development and there seems to be a healthy interest from open-source developers too.

[1] www.rust-lang.org
 
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
The bug was actually created by a German engineer who has confessed it was an accident, and not intentional. Here is some of the information with links if anyone is curious. So I don't see the need to cry foul with conspiracy theories.

Link- http://www.latimes.com/business/tec...ed-bug-20140410,0,2676251.story#axzz2yhtuRpC6
He lives in the German city of Munster and is among the community of programmers who contribute code to the OpenSSL project. OpenSSL is the open-source software that provides encryption for two-thirds of the Web's servers.

Seggelmann told the Sydney Morning Herald that he did not notice the error when he wrote the flawed code that became the Heartbleed bug two years ago. And when he submitted it, the error was also missed by the person who reviewed the code.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."

Seggelmann gave the interview in part to clarify that Heartbleed was a mistake, not deliberate. He wanted to counter rumors that it was part of some nefarious plot to create a backdoor to allow government security agencies to spy on Internet users.

"In this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he told the Herald. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
 
Joined
Oct 1, 2010
Messages
36,073
Location
Spudlandia
Well they (cloudflare and russian developers) proved that it is a much more serious bug than I first figured it for. Fortunately it got a lot of attention so most IT people running websites have had to check their websites for the vulnerability. I don't blame the programmer one bit. I do blame the designers of the specification as why the heck do we need super dynamic heartbeat systems? Maybe also blame the super clever memory management system that openssl uses. I thought the bugs in echo and icmp protocols years ago would have taught some lessons but I guess not.

But having said that, it's probably a very good idea to change your passwords as soon as your favorite websites indicate they are clean. Especially for anything in the past 3-4 months.

Problem is figuring out which sites are not clean. After all how many people are going to compile openssl themselves and check for the heartbeat feature response and version at every site they visit. I compiled openssl myself since there were no current windows versions I could find but I'm not checking every site I visit for the bug. Well except for ones getting my credit card info for now.
 
Joined
Apr 23, 2010
Messages
688
I don't blame the programmer one bit. I do blame the designers of the specification as why the heck do we need super dynamic heartbeat systems?
The programmer is the designer [1]. The idea behind Heartbeat is to keep a connection live when there is no network traffic, like keeping a VPN tunnel up and NAT (many computers behind one IP-address).

[1] http://tools.ietf.org/html/rfc6520
 
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
Thanks for the link. Didn't realize Seggelmann authored the spec too so I will blame him after all. You win.

I still don't see the point of arbitrary content in this spec? In TLS over UDP you do not have TCP heartbeats available so an inbuilt heartbeat in the protocol is ok to me but why can I request messages of 16K bytes from the server? TCP heartbeats have a data length of one byte to my recollection because routers can optimize out the packet if its payload data is zero length. It seems to want to use the heartbeat as an MTU probe as well which IMNSHO should be something more appropriate and closer to how TCP connections are supposed to work and negotiated upfront or part of the application. But then again I'm in industrial automation space and use heartbeats for liveliness checks not for path discovery. The next is that it is available to TCP connections and really has no place there.[/RANT]
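The length check Seggelmann describes as missing, and the 16K payload this post asks about, can be shown on a small RFC 6520 message handler. The code below is an added example written for this thread, not OpenSSL's code or anything from the RFC; the helper name, the constant names and the zeroed padding are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a HeartbeatMessage is type(1) | payload_length(2) |
 * payload | padding(>=16). The peer chooses payload_length, so the handler
 * must check it against the bytes the TLS record actually delivered. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_MAX_PAYLOAD 16384   /* one TLS record, the "16K" from the thread */

/* Builds the response in out; returns its length, or -1 for a malformed request. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_MIN_PADDING) return -1;        /* header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2]; /* declared by the peer */

    /* The validation Heartbleed lacked: the declared length must fit inside
     * the received record, with room left for the mandatory padding. */
    if (payload_len > HB_MAX_PAYLOAD) return -1;
    if (3 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (out_cap < 3 + payload_len + HB_MIN_PADDING) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + 3, rec + 3, payload_len);              /* only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);   /* real TLS uses random padding */
    return (int)(3 + payload_len + HB_MIN_PADDING);
}

int main(void)
{
    /* Constructed request: declares 5 bytes and really carries "hello" + padding. */
    uint8_t good[3 + 5 + 16] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    /* Constructed malformed request: same 24-byte record, but declares 16384 bytes. */
    uint8_t bad[3 + 5 + 16]  = { HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];

    printf("well-formed request -> reply length %d\n",
           heartbeat_reply(good, sizeof good, out, sizeof out));  /* 24 */
    printf("over-length request -> %d (rejected)\n",
           heartbeat_reply(bad, sizeof bad, out, sizeof out));    /* -1 */
    return 0;
}
```

Without the two range checks the memcpy would read 16384 bytes from a 24-byte buffer, which is exactly the over-read the thread is discussing.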
 
Joined
Apr 23, 2010
Messages
688
@figment: Hehe. Not the best day for German engineering.

Speaking of security. I recommend doing a port scan of your own IP-address using http://mxtoolbox.com/PortScan.aspx. The page also lists your own IP at the bottom of the page in the grey section (see "Your IP is: 123.123.123.123"). If you find anything open and wonder why? Post the port numbers here.
 
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
I was just reading about a new virus which hijacks PCs and uses them to get BitCoins and other money-like similar stuff. Hijacked PCs are said to get hot, because of the heavy use of the CPU. It spreads via Facebook.

More here : http://wiki.secarmour.com/2014/05/malware-analysis-of-malicious-facebook.html

According to a German news entry on www.heise.de, the NSA intercepts and secretly opens postage packages, takes out routers, infects them with "beacon implants" (malware, it seems), and sends them to the original destination again.

English-language screenshots from a speech which illustrates this here : http://www.heise.de/newsticker/meld...ost-versandte-US-Netzwerktechnik-2187858.html

Cisco is one of the affected producers of networking devices.
 
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe
A new Trojan called Retefe is uninstalling itself after the infection - and it is still able to effectively operate, though indirectly, then.

More information for example here : http://www.microsoft.com/security/p...a/Entry.aspx?Name=Trojan:Win32/Retefe.A#tab=2

Payload

Steals sensitive information

Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and intercepting traffic through your Internet browser.

It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD:

[ef51a7616b853ac2.png]

It then installs the self-signed certificate to be used by the Firefox browser.

It also changes the DNS server to an IP address of a server controlled by the attacker. We have seen the following IP addresses being used:

193.169.244.191
93.171.202.99

Stops processes

Trojan:Win32/Retefe.A terminates the following processes if they are running:

iexplore.exe
firefox.exe
chrome.exe

In short, the Trojan installs its own self-signed certificate, and redirects browsers to the trojan's web sites, which appear to be trustable, because of the trojan's certificate ...
 
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe
It also changes the DNS server to an IP address of a server controlled by the attacker.
This.
I've never understood why Microsoft didn't make a basic security on TCPIP properties.
A software, not the keyboard input, wants to add/change DNS? Warn the user exactly what's going on and give him an option to shut down that process!
Instead, they're forcing touchscreen OS.
 
Joined
Apr 12, 2009
Messages
23,459
BitTorrent, the company with a torrent client of the same name and the company that acquired then turned utorrent into adware/bloatware might be your only chance against NSA. :)

Bleep is a software that should provide you completely private chat - since no one can really record the full thing and those tiny bits caught can't reconstruct the whole thing.

Interested? Sign up for alpha or wait for the full thing (currently win 7/8 only, future versions go phone):
http://blog.bittorrent.com/2014/07/...ittorrent-bleep-now-in-invite-only-pre-alpha/

Now seriously, I'm in love with Viber so don't see a practical use for this unless their data stream provides better sound quality. On the other hand, "secret" government agencies would probably use Bleep on a daily basis.
 
Joined
Apr 12, 2009
Messages
23,459
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe
uTorrent, one of the most popular torrent clients, upon the latest update installs virtual currency miner malware on your PC!
http://torrentfreak.com/utorrent-quietly-installs-riskware-bitcoin-miner-users-report-150306/

I don't know if any of you uses any torrent client (I do and it downloads stuff from HumbleBundle superfast), but if you're using uTorrent, do not update it!
Seems that removal of this malware is so complicated you may end up reinstalling OS.

For uTorrent specifically, the best option is to just install version 2.2.1 that contains no ads and just disable updating in its options later.
 
Joined
Apr 12, 2009
Messages
23,459
Let it be said that Utorrent was not intrinsically bundled with such malware; it was instead included in the "extra options" you had to opt out of during install.

In any case, I think I'll be making the switch to QBitTorrent the next time I need to reinstall for whatever reason. It has a simple UI much like UTorrent, but none of the surreptitious stuff.
 
Joined
Nov 10, 2008
Messages
5,973
Location
Florida, USA
Joined
Jun 5, 2009
Messages
1,502
I don't really blame the client here.
I blame governments who failed to declare bitcoin and other such frauds as illegal business.
 
Joined
Apr 12, 2009
Messages
23,459
Got an e-mail that looks 100 % like PayPal.

Only difference : The link ended with the domain .xyz

The whole address - without what follows it - is this :

Code:
1295648048-www.paypal.central-process-payment.xyz

No idea what this "1295648048" number is meant to be,

but the freaking thing is that the e-mail looks to 100 % legit.

Except that PayPal doesn't own anything with the ending of .xyz
 
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe