Entries with tag openssl.

Google Responds to Heartbleed Flaw with BoringSSL

Problems associated with the Heartbleed Internet-security vulnerability discovered earlier this year continue, with hundreds of thousands of servers still running unpatched versions of the open-source OpenSSL cryptographic library. To address these concerns, Google announced it is developing BoringSSL, a fork of OpenSSL, which is an open-source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Researchers discovered a flaw in OpenSSL that attackers could exploit to read an application's memory, including sensitive data and private encryption keys. Google is developing BoringSSL, rather than simply patching OpenSSL, because it can no longer keep up with all the patches it maintains. "As Android, Chrome, and other products have started to need some subset of these patches, things have grown very complex," said Google software engineer Adam Langley. "The effort involved in keeping all these patches straight across multiple code bases is getting to be too much." The company is now importing changes from OpenSSL into BoringSSL. Google plans to contribute its BoringSSL code to the OpenSSL open-source project. The new SSL fork should appear in Google's Chromium repository soon and in the Android OS after that. (eWeek)(PC World)(Naked Security)(BoringSSL)

Yet Another OpenSSL Vulnerability Is Found

A security researcher has discovered a new, remotely exploitable vulnerability in OpenSSL that could let an attacker intercept and decrypt traffic between vulnerable clients and servers. The Heartbleed flaw in the popular OpenSSL Internet-security library, found earlier this year, forced many website operators to update their software and advise millions of users to change their passwords. The new vulnerability, found by Masashi Kikuchi, a researcher with IT consultancy Lepidum Co., affects all OpenSSL versions. To exploit the bug, an attacker must first hold a man-in-the-middle position on the network between the client and server. (SlashDot)(Threat Post)(Computerworld)(OpenSSL Security Advisory)(Lepidum Co.)

Bug Leaves Linux, Open Source Users at Risk

Security researchers have discovered a new vulnerability in open-source software that attackers could exploit to launch malware attacks. Developers have since released a patch for the bug in the GnuTLS cryptographic code library, which could expose Linux and other open-source software users to problems such as buffer-overflow attacks. GnuTLS is an open-source implementation of Internet encryption protocols, including Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security, used in various Linux distributions. A malicious server could exploit the vulnerability during the Secure Sockets Layer/Transport Layer Security handshake, crashing vulnerable clients. It could also allow attackers to execute code on the client system. The vulnerability was reported by Joonas Kuorilehto, a principal systems engineer at Codenomicon, the same vendor of vulnerability-testing tools responsible for finding the Heartbleed flaw in the OpenSSL Internet-security library earlier this year. (Ars Technica)(PC World)(Red Hat Bug Tracker)

Canadian Man First Arrested for Using Heartbleed Exploit

A Canadian man arrested 15 April 2014 is the first person known to have been arrested for using Heartbleed, a vulnerability in the OpenSSL encryption library, in a data breach. Stephen Arthuro Solis-Reyes, 19, of London, Ontario, is being charged with one count of Unauthorized Use of a Computer and one count of Mischief in Relation to Data after he allegedly stole 900 social insurance numbers and other data from the Canada Revenue Agency, according to the Royal Canadian Mounted Police. Computer equipment in the suspect's home was seized. No other information was released. Those affected by the theft will be contacted by registered mail, according to the agency, which will also offer free credit-protection services and additional security on their accounts. Solis-Reyes, a computer science student attending Western University, is scheduled to appear in an Ottawa court 17 July 2014. (Reuters)(The Associated Press)(PC Mag)

Serious Web Encryption Vulnerability Affects Internet Users Worldwide

A newly discovered problem in a ubiquitous Web encryption technology leaves Internet users worldwide vulnerable to hacking and is being called one of the most serious security flaws uncovered in recent years. Researchers from Google and Codenomicon, a vendor of robustness-testing tools, found Heartbleed, a vulnerability in OpenSSL, an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. The flaw has existed for at least two years. An attacker could exploit the vulnerability to bypass SSL and TLS encryption and access sensitive data, including passwords, that Internet users transmit. Security experts say network administrators should change their online passwords and must patch their Web and email servers to prevent these problems. Codenomicon CEO David Chartier said, "I don't think anyone that had been using [OpenSSL] is in a position to definitively say they weren't compromised." (Reuters)(The Associated Press)