Entries with tag software vulnerabilities.

Yet Another OpenSSL Vulnerability Is Found

A security researcher has discovered a new, remotely exploitable vulnerability in OpenSSL that could let an attacker intercept and decrypt traffic between vulnerable clients and servers. The Heartbleed flaw in the popular OpenSSL Internet security protocol, found earlier this year, forced many website operators to update their software and advise millions of users to change their passwords. The new vulnerability—which Masashi Kikuchi, a researcher with IT consultancy Lepidum Co., found—affects all OpenSSL versions. To exploit the bug, an attacker must first have a man-in-the-middle position on a network. (SlashDot)(Threat Post)(Computerworld)(OpenSSL Security Advisory)(Lepidium Co.)

Research: Attackers Could Use Radios to Hack Energy-Industry Sensors

New research finds that industrial sensors commonly used for energy-infrastructure monitoring could be hacked from distances of up to 64 kilometers (about 40 miles) via radio transmitter. Lucas Apa and Carlos Mario Penagos, researchers with security firm IOActive, say they found numerous software vulnerabilities in the wireless automation systems used in the oil and gas industry that hackers could use to launch attacks. They didn’t release details about the precise vulnerabilities, citing safety concerns. Apa and Penagos used a radio antenna for several types of attacks that disrupted the communications between a sensor and a base station or disabled the industrial control sensors. The researchers say they exploited several types of weaknesses in the devices, including unspecified configuration errors and weak cryptographic keys used to authenticate communications. A hacker could use the attacks to, for example, alter readings such as pressure and volume in a pipeline, which could alter the sensor readings and ultimately disable a pipeline or shut-down a facility’s operations or even cause an explosion that could result in injuries or deaths. The researchers say the problems they found cannot be easily fixed. The researchers gave their findings to the US Computer Emergency Readiness Team. Apa and Penagos plan to present their findings this week at the Black Hat USA security conference in Las Vegas. (PC World)(Reuters)(IOActive)

Showing 2 results.