
Tag: OpenSSL

Penquin’s Moonlit Maze

Moonlight Maze is the stuff of cyberespionage legend.
In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale.

To say that this historic threat actor is directly related to the modern day Turla would elevate an already formidable modern day attacker to another league altogether.

Inside OpenSSL’s battle to change its license: Coders’ rights, tech giants,...

Devs who fail to respond to call for change will count as 'yes' votes for ASL 2.0

Analysis: The OpenSSL project, possibly the most widely used open-source cryptographic software, has a license to kill – specifically its own.

But its effort to obtain permission to rewrite contributors' rights runs the risk of alienating the community that sustains it.…

PetrWrap: the new Petya-based ransomware used in targeted attacks

This year we found a new family of ransomware used in targeted attacks against organizations.

After penetrating an organization's network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization.

The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data.

Android gets patches for critical OpenSSL, mediaserver, and kernel driver flaws

A five-month-old flaw in Android's SSL cryptographic libraries is among the 35 critical vulnerabilities Google fixed in its March security patches for the mobile OS.

The first set of patches, known as patch level 2017-03-01, is common to all patched smartphones and contains fixes for 36 vulnerabilities, 11 of which are rated critical and 15 high. Android vulnerabilities rated critical are those that can be exploited to execute malicious code in the context of a privileged process or the kernel, potentially leading to a full device compromise.

One of the patched vulnerabilities is located in the OpenSSL cryptographic library and also affects Google's newer BoringSSL library, which is based on OpenSSL. What's interesting is that the flaw, identified as CVE-2016-2182, was patched in OpenSSL back in September. It can be exploited by forcing the library to process an overly large certificate or certificate revocation list from an untrusted source.

HackerOne opens up bug bounties to open source

HackerOne is bringing bug hunting and software testing to open source developers to help make open source software more secure and safer to use. A lot of modern tools and technologies depend on open source software, so a security flaw can wind up h...

Why the ‘Cloudbleed’ Data Leak Flaw Posed a Major Threat to...

A new type of data leak has come to light that could impact millions of people around the globe.

Google Project Zero, the research effort to find and fix critical software security flaws, reported that a vulnerability in the Cloudflare security service could leak passwords and other data.

According to Cloudflare, the flaw could have allowed leaks of sensitive data from thousands of websites over a six-month period.

This incident has been dubbed Cloudbleed by some people in the cyber-security community because the threat was potentially as serious as the "Heartbleed" OpenSSL cryptography flaw reported in 2014, which posed a serious security threat to thousands of websites.

Cloudflare says it has patched the data leak flaw and moved quickly to purge any leaked data that may have circulated on search engines. While the full scope of the Cloudflare leak and exactly how many users were affected hasn’t been disclosed, this is the latest in a string of recent data privacy threats to affect internet users worldwide.

This slide show provides more details about the cause of the flaw and discusses why Cloudbleed is a serious problem.

OpenSSL Update Fixes High-Severity DoS Vulnerability

US-CERT issues an alert to server admins warning of a dangerous OpenSSL vulnerability and urges 1.1.0 users to update to version 1.1.0e.
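Advisories like the one above name a minimum fixed release per branch (here 1.1.0e for the 1.1.0 line), and OpenSSL 1.x patch releases are distinguished only by a trailing letter, so a naive string or float comparison gets the ordering wrong. The following is an added example, not code from the original page, from US-CERT or from the OpenSSL project: it parses the `openssl version` banner and checks it against a per-branch floor. The 1.1.0e floor comes from the item above; the 1.0.1g floor (the release that fixed Heartbleed) is added here from general knowledge and is not stated on this page; the sample banners are constructed.

```python
import re
import subprocess

# Per-branch minimum fixed release. 1.1.0e is the version named in the
# US-CERT alert above. 1.0.1g (Heartbleed fix) is NOT from this page; it is
# included as an illustrative second entry.
MINIMUM_FIXED = {
    (1, 1, 0): "1.1.0e",
    (1, 0, 1): "1.0.1g",
}

# Matches the start of a banner such as "OpenSSL 1.1.0d  26 Jan 2017".
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Turn 'OpenSSL 1.1.0d  26 Jan 2017' into (1, 1, 0, 'd')."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def letter_rank(letter):
    """Rank the 1.x patch suffix: '' < 'a' < ... < 'z' < 'za' < 'zb' < ...

    The suffix is treated as a bijective base-26 number, which is exactly
    how OpenSSL extended the sequence past 'z' (e.g. 0.9.8zh).
    """
    rank = 0
    for ch in letter:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def is_patched(banner, minimum=MINIMUM_FIXED):
    """True if the banner's release is at or above the floor for its branch.

    Returns None when the branch has no entry in `minimum`, so callers can
    distinguish "unknown branch" from "known vulnerable".
    """
    major, minor, fix, letter = parse_version(banner)
    branch = (major, minor, fix)
    if branch not in minimum:
        return None
    _, _, _, floor_letter = parse_version("OpenSSL " + minimum[branch])
    return letter_rank(letter) >= letter_rank(floor_letter)


def check_local_openssl():
    """Run `openssl version` on this host and report the verdict as a string."""
    banner = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    verdict = is_patched(banner)
    if verdict is None:
        return f"{banner.strip()}: branch not covered by the advisory table"
    return f"{banner.strip()}: {'patched' if verdict else 'NEEDS UPDATE'}"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for sample in ("OpenSSL 1.1.0d  26 Jan 2017",
                   "OpenSSL 1.1.0e  16 Feb 2017",
                   "OpenSSL 1.0.1f  6 Jan 2014"):
        print(sample, "->", is_patched(sample))
    print(check_local_openssl())
```

One caveat a practitioner needs: distribution packages (the Ubuntu item further down this page is an example) routinely backport fixes while keeping the upstream version string, so a banner such as `OpenSSL 1.0.2g` on a patched Ubuntu host will be flagged as vulnerable by this check. Use the package version from the distribution's security tracker as the source of truth on such systems; the banner check above is only reliable for OpenSSL built from upstream source.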

Inside Confide, the chat app ‘secretly used by Trump aides’: OpenPGP,...

Security experts skeptical of encrypted messenger's claims

Rumors that President Donald Trump's aides are using an encrypted messaging app called Confide have landed the software firmly in the spotlight – and under the security microscope.…

Latest Ubuntu Update Includes OpenSSL Fixes

Ubuntu users are encouraged to update their operating systems to the latest OpenSSL package versions to address a collection of vulnerabilities.

OpenSSL pushes trio of DoS-busting patches

One was fixed before anyone realised it was a security issue, so be careful when applying OpenSSL's released patches for a trio of denial-of-service bugs.…

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities.

The foundation also released one vulnerability that was already disclosed in the OpenSSL advisory for Novemb...

OpenSSL issues new patches as Heartbleed still lurks

The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw. OpenSSL updated the 1.0.2 ...