Tag Archives: Heartbleed

3 Tips for Geeks to Save Their Holidays

If you’re a geek, like most people, you’ll probably visit your family for Christmas.
Like most people, you probably want to enjoy nice holidays with relatives and friends.
Unlike most people, you’ll probably have to face (many) tricky infosec-related questions during this period. So here are a few tips for geeks on that topic.

Heartbleed

  1. you want to unlock your phone, so you concentrate, and think about your PIN
  2. someone near you shouts “tell me what you think, chicken”
  3. you answer honestly (because you’re vulnerable to this particular word, like Marty McFly)
  4. you just leaked your secret PIN :(

To be exact, Heartbleed is not about a PIN, it’s about an encryption key, but they both grant access if you know them.

It’s not about a phone, it’s about a widely used security library called OpenSSL – and in particular the “Heartbeat” extension of OpenSSL (hence the name Heartbleed).
It’s a bit more complicated than just shouting ‘chicken’, but it’s not too complicated either :(

And like Heartbleed, it’s about ‘attacking’ at the right moment: you’ll just get whatever is in the target’s mind at the moment of the attack: “buy bread & milk”, or what’s on TV tonight… or an access PIN.

Goto fail

Here is a dialog between you and your grandma:

  • You: “Grandma, you’ll guard that door. Follow exactly the instructions I’ll tell you now.”
  • Grandma: “OK”
  • Y: “The door should be closed”
  • G: “OK”
  • Y: “if it’s grandpa, leave the door open”
  • G: “OK”

But then, your child comes behind you, and just repeats the last part of your sentence, imitating your voice.

  • child: “leave the door open”
  • G: “OK”

Now the door is permanently open. Just because a statement was accidentally repeated, out of its original context.

Consequences

This is as simple as that: since a conditional piece of code was executed in all cases because of a mistake, one of the security doors of Apple’s operating system was always open: if you knew which door to go to, you could bypass the whole security and enter without any problem.

Shellshock

Your grandpa speaks an old forgotten dialect.
You only know one sentence in this language.
Because you learned it so long ago that you can’t clearly remember, you just think it’s a common greeting.
But it actually means “do this now”.
And your grandpa – a fragile person due to his age – would actually blindly do anything you ask him.
So far, no one noticed because no one gave an order to your grandpa in his dialect.

Yet he was vulnerable all the time (or at least, for the past 25 years). He’d just do anything if asked the right way.
Sadly, it turned out that a lot of people would actually also do the same.
It wasn’t a mistake, just some old dialect that very few people consciously understood.

Conclusion

Of course, there were many more than 3 major events this year, but that might be enough to convince your audience, and save your holidays :)

I hope this will help to face your relatives & friends’ questions without boring them.

May you enjoy nice holidays – Merry Christmas / happy solstice!

The post 3 Tips for Geeks to Save Their Holidays appeared first on Avira Blog.

NSA Director Says Agency Shares Vast Majority of Bugs it Finds

When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs […]

Google Releases Nogotofail Tool to Test Network Security

The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a […]

How do open source tools stay secure?

Security of open source code is a hot topic, what with Heartbleed, Shellshock, and Poodle making the news. Open source code is now widely used everywhere, from big enterprises to small businesses. This recorded webinar discusses how to keep open source tools secure,

The post How do open source tools stay secure? appeared first on We Live Security.

Protect your mobile against tracking and hacking

AVG is proud to announce a great step forward in its Wi-Fi security offerings. Today we are introducing the brand new version of AVG Wi-Fi Assistant, an Android app that protects you from Wi-Fi tracking and Wi-Fi hacking.

The app, from the AVG Innovation team in Amsterdam, is currently in BETA, and we’d love your feedback. Get AVG Wi-Fi Assistant for FREE today from the Google Play store (some features require in-app purchasing).

Fueled by news of NSA leaks, security flaws like Heartbleed and browser extensions that make it simple to hack someone on public Wi-Fi, security and tracking are becoming key concerns for smartphone users worldwide.

Read on to learn more about Wi-Fi threats and how the new AVG Wi-Fi Assistant can help protect you.


Wi-Fi Security Threats

Wi-Fi hacking is the most common threat when it comes to public Wi-Fi. When you connect to a public Wi-Fi network (i.e. coffee shop, airport, or hotel), others may be able to intercept your Internet traffic, collecting your passwords, private photos, emails, browser cookies and a lot more personal info. CNN has a hands-on example of this. AVG Wi-Fi Assistant encrypts your communications to conceal them from hackers.

Wi-Fi tracking is the second big issue. Currently, specialized software solutions allow virtually anybody to use your phone’s Wi-Fi signal to track your location and, in some instances, identify you. MIT Technology Review took a look at this Wi-Fi tracking technology and the inherent threats in this article. Wi-Fi tracking is even more worrying as most smartphone users have their Wi-Fi on all the time. This is increasingly an issue as retailers can use your Wi-Fi signal to track how you move around stores or around the city and even identify who you are. And that’s not all: if you keep your Wi-Fi on all the time, hackers can trick your phone into connecting to a fake Wi-Fi hotspot, and then snoop on your private information.

AVG Wi-Fi Assistant can prevent tracking by turning off your Wi-Fi connection when you are not connected to a hotspot that you trust, and automatically turning it back on when you approach the trusted hotspot again.


Wi-Fi Security Solutions

AVG Wi-Fi Assistant protects you against Wi-Fi Tracking and Wi-Fi Hacking by combining smart Wi-Fi Automation with VPN encryption in one simple to use app, for free. Here’s how it works:

Wi-Fi Security

Turn on VPN (Virtual Private Network) when you connect to a Wi-Fi Hotspot to conceal your data from unfriendly eyes. VPN secures your Internet connection and encrypts all the data you’re sending and receiving. This allows you to use mobile data with less risk of your data or passwords being stolen.

Every month you get 500Mb of free VPN encryption; if you need more, you can upgrade to our premium VPN plan. We think this is a must have feature for online banking, emailing, or logging into your social networking accounts.

Wi-Fi Automation

AVG Wi-Fi Assistant runs in the background and learns the locations of Wi-Fi hotspots you connect to – without using GPS. It then uses your location to automatically turn your phone’s Wi-Fi adaptor on and off, exactly when you need it, hiding you from trackers. As a bonus, turning the Wi-Fi connection on and off can even extend your battery life.

Just to recap, here are the key benefits of AVG Wi-Fi Assistant:

  • Prevent password hacking
  • Prevent Wi-Fi tracking
  • Save battery power

Download the AVG Wi-Fi Assistant today and do let us know what you think.

“Poodle” security hole has a nasty bite


“Poodle” bites on open WiFi networks with multiple users.

A security hole called Poodle could allow hackers to take over your banking and social media accounts.

Yesterday, Google researchers announced the discovery of a security bug in version 3 of the Secure Sockets Layer protocol (SSLv3). This web technology is used to encrypt traffic between a browser and a web site, and can give hackers access to email, banking, social accounts and other services.

Poodle bites multiple users in unsecure open WiFi networks, like the ones you use at coffee shops, cafes, hotels, and airports.

“To exploit the vulnerability, you must be running javascript, and the attacker has to be on the same network as you—for example, on the same Starbucks Wi-Fi network you’re using,” explained Kim Zetter in a WIRED article.

Avast experts strongly recommend that our users protect themselves when using free WiFi with avast! SecureLine VPN.

Poodle is not considered as serious a threat as this past spring’s Heartbleed bug, which took advantage of a vulnerability in OpenSSL, or last month’s Shellshock bug in Unix Bash software.

SSLv3 is an outdated standard (it’s a decade and a half old), but some browsers, like Internet Explorer 6, and older operating systems, like Windows XP, only use the SSLv3 encryption method. Google’s security team recommends that systems administrators turn off support for SSLv3 to avoid the problem, but warns that this change will break some sites.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

What is the Bash bug, and how do I prevent my systems from being Shellshocked?

Shellshock is a newly discovered security flaw that has been around for 22 years, and works by exploiting the very nature of web GUI.

Shellshock

Working in the same way as SQL injection, Shellshock allows users to insert Bash (a Unix-based command processor, or shell) commands into a server via a web form or similar method, and exploits the very nature of environment variable handling, which is that after a function has been assigned to a variable, any code trailing the function definition is then executed.

Where the SQL injection vulnerability allows a hacker access to the database, Shellshock gives the hacker an authentication-free access to the server, which makes it much more powerful. With this type of access, one with malicious intent could create a worm that could multiply and reproduce the exploit across entire networks to collect or modify data, or open other security holes that would otherwise be closed. Though Bash does not natively run on Microsoft Windows machines, it can be ported, but it is not yet known if the vulnerability will remain present.

Ok, so I get it, it’s dangerous. Am I vulnerable?

Absolutely.

Why?

Because Unix has a much wider grip on our networks than most people can really appreciate. Due to its ubiquity, everything from routers and smartphones to TVs, cars and more could be exploited. Worse, many of those devices are very difficult to update. Your home router, for example, has control of all your incoming and outgoing network traffic, and if someone has that, not only do they have the potential to collect your data, but to enable ports, disable the firewall, and further their access into your network infrastructure. With that being said, if you are running any version of Unix or Mac, and haven’t familiarized yourself with this vulnerability, you’re well overdue.

Luckily, many vendors have now patched for Shellshock by updating Bash, but at this time, Apple users should wait for an update.

I’m running Unix. What do I do now?

First, it’s best to find out if you’re affected. Specifically, are you running Redhat, Ubuntu, Fedora, CentOS (v5-7), CloudLinux, or Debian? If so, then run this command to find out if you’re vulnerable.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see nothing but "this is a test", you’ve successfully run the exploit, and you’ve got some work to do.

Luckily, most Linux distributions have issued fixes, so you can simply run your update manager. For those who haven’t, you can do so manually by running the following commands:

yum update bash

OR

sudo apt-get update && sudo apt-get install bash

Help, I have a Mac!

Are you infected? Run this command from your shell and find out.

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you’ve got Mac machines in your environment that can be exploited, you can disable the exploit by temporarily changing the default user shell. For IT administrators that have the know-how, get started right away – but for those that have to ask “how?,” it’s best to keep your eyes peeled and wait for an official update from Apple.
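The two one-liners above (the Linux check and the Mac check) are the same test; the following POSIX shell script wraps it in a function that returns a machine-readable verdict, so it can be run on a fleet of hosts from a cron job or a configuration-management tool. This is an added example, not code from the Avast post: on an unpatched bash the payload in the environment variable runs and the word "vulnerable" appears in the output before the test string; a patched bash ignores the trailing code (older patched releases also print a warning on stderr) and only the test string appears. The function name `shellshock_check` and the optional path argument are this example's own conventions.

```shell
#!/bin/sh
# Shellshock self-check (CVE-2014-6271 pattern, the same one used on the page):
# export a variable that looks like a function definition followed by extra
# code, start bash, and see whether the extra code was executed.
#
# Usage: shellshock_check [path-to-bash]
# Prints exactly one of:  vulnerable | patched | no-bash
# Exit status:            1          | 0       | 2

shellshock_check() {
    bash_bin="${1:-bash}"

    # Nothing to test if the interpreter is absent (e.g. a minimal container).
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # The marker string is only printed if bash executes the code that follows
    # the function body in the exported variable. stderr is discarded so the
    # "ignoring function definition attempt" warning of a patched bash does not
    # pollute the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo shellshock-test' 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Run stand-alone: report the verdict for the default bash on PATH and keep the
# exit status so a monitoring job can alert on a non-zero result.
if [ "${SHELLSHOCK_CHECK_NO_MAIN:-0}" = "0" ]; then
    shellshock_check "$@"
fi
```

On a vulnerable host the fix is the package update the post lists (`yum update bash` or `apt-get install bash`); re-running the function afterwards should flip the verdict to `patched`. Checking the exit status rather than grepping the original one-liner's output avoids the ambiguity of "seeing nothing but the test string", which is the patched case, not the vulnerable one.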


What to do about Shellshock bash bug on Mac OS X, web servers, routers, and more

The “Bash Bug” or “Shellshock” vulnerability means a wide range of devices, servers and computers, including Mac OS X, will need to be patched to prevent abuse by malicious persons. Here’s advice about what to do and links to more in-depth resources.

The post What to do about Shellshock bash bug on Mac OS X, web servers, routers, and more appeared first on We Live Security.