Security News #0x6F: At least I have caught up to heartbleed…
Yeah, I am still behind. Hopefully I can catch up a bit while I am here with the Towson CyberDefense team as they compete in the National Collegiate Cyber Defense Competition.
Heartbleed is a huge issue caused by an error in OpenSSL; the underlying problem has been labelled CVE 2014-0160.
- If you want to see where it all began, here is the original security advisory of the problem, from April 7.
- Threatpost quickly jumped out with an explanatory piece, as folks began to recognize the severity of the problem. (April 7)
- By the next day, word had gotten out to all of the major outlets; the New York Times published their piece on April 8.
- The folks at XKCD have a nice explanation of the problem, at least in comic form.
- If you want some technical details, take a look at Sean Cassidy’s post, as well as Matthew Green’s post. Any technical discussion should also include Theo De Raddts’s discussion on how certain security features were disabled by the OpenSSL team.
- The problem is so important that the site heartbleed.com now tracks data related to the bug. Troy Hunt has a nice page that provides "Everything you need to know about the Heartbleed SSL bug."
- By the next day (April 8), exploit code began to appear. One such piece is the work of Michael Davis. The folks at exploit-db have two exploits. If that is not enough, the folks at bugcrowd have a list of PoC and exploit code. Of course, the folks at Metasploit have gotten involved as well.
- If you want to check if a particular web site is vulnerable to heartbleed, you can try the Qualys SSL Server Test which tests SSL connections against a number of standards, including a heartbleed vulnerability test.
- There have been a number of estimates of the number of web servers vulnerable to heartbleed. The folks at Errata Security estimated the number at 600,000 just after the initial announcement.
- Speaking of Errata Security, they mistakenly thought that heatbleed could not leak private keys.
- Bloomberg reported that the NSA has been exploiting heartbleed for years. I have not seen much corroborating evidence though, so consider this when you read the piece.
- Remember that heatbleed affects all sorts of things, like Ruby, pfSense, Metasploit, Call of Duty, and many Cisco products. including some of their VoIP phones.
- One of the problems with heartbleed was that this is a critical piece of code but with few maintainers operating on a shoestring budget.
- Interestingly, the engineer apparently responsible for the programming error at the root of the problem insists that the error was accidental.
- As you ponder heartbleed, please consider that simply scanning the Internet for the vulnerability may not be legal, depending on your jurisdiction.
- A new version of the venerable Offline NT Password & Registry Editor has been released. It now works on Windows systems up to Windows 8.1, and allows users to be simply promoted to local admin.
- WinRAR on Windows is vulnerable to an attack where a
.zipfile will show files in one directory, but WinRAR will extract it to another directory. A Metasploit module can now exploit this flaw.
- The problem CVE 2014-1761 in malformed
.rtffiles has been patched in MS 14-017, but there is also now a new Metasploit module to attack this problem. HP also has a technical analysis of the flaw.
- Writing your own exploit code is getting simpler each day. Andrew Morris shows how to use Python and PyInstaller to develop malware that grabs its payload directly from Pastebin.
- In class, we talk about being "always ethical, all the time". Take a look at the recent Reddit AMA of someone who claims that they were raided by the FBI after admitting to hacking into the University of Maryland. You should also take a look at the subequent piece by Ars Technica. And if you haven’t yet set aside 45 minutes to watch this video on how to act with the police, then I heartily suggest that you find the time.
- Microsoft XP has reached end-of-life; no new security patches will be issued.