Vulnerabilities | SWITCH Security-Blog

05/06/2014
by Serge Droz 4 Comments

Breaking News: New OpenSSL Vulnerabilities

Today the OpenSSL team announced new versions of the popular openssl libraries, which fixes several critical vulnerabilities. At the time of writing no exploits are seen in the wild. Never the less we suggest to patch in timely manner.

The following versions are affected:

OpenSSL 0.9.8
OpenSSL 1.0.0
OpenSSL 1.0.1

Most of the popular OS vendors should have patches out by now, or in a short while.

08/05/2014
by Frank Herberg

Unser SWITCH Security-Report für Mai 2014 ist verfügbar

Die aktuelle Ausgabe unseres monatlich erscheinenden ‘SWITCHcert Reports zu aktuellen Trends im Bereich IT-Security und Privacy‘ ist soeben erschienen.

Themen diesen Monat:

Android prüft zukünftig kontinuierlich installierte Apps – Fake-Virenscanner ist Shooting Star in Googles App-Store
US-Behörde schafft vollendete Tatsachen in Sachen Netzneutralität
«Heartbleed» setzt Frust und Hoffnung der Open-Source-Entwickler frei
Dropbox will mit Hilfe von Condoleezza Rice weltweit expandieren
Und wie immer Links zu spannenden Präsentationen, Artikeln und Videos rund um die Themen IT-Security und -Privacy.

Zum Download (PDF):

Haben Sie unseren vorigen Security-Report verpasst? Hier kommen Sie zum Archiv.

17/04/2014
by Frank Herberg

IT-Security-Links #54

First of all: The coolest Heartbleed-Memory-Dump so far.
How to avoid a heart attack: After the first rush of Heartbleed patching, people should investigate which of their other services or devices are vulnerable as well.
The German Aerospace Centre (DLR) in Cologne has been the victim of a targeted attack carried out by state-sponsored hackers.
The fingerprint sensor in the Samsung Galaxy S5 is as insecure and poorly implemented as the one in the iPhone 5S.
Crimeware or APT? Malware’s “Fifty Shades of Grey”: Security experts from FireEye have been monitoring the activities of a cybercrime group that uses various types of malware in its operations.
Results of the TrueCrypt source code audit: No critical flaws or intentional backdoors.
The Economics of Security: How can you quantify the true value of a security investment?
After the Heartbleed experience it’s time to admit it: We have a library security problem.

11/04/2014
by Frank Herberg

IT-Security-Links #53

This week the IT-Security world was busy with 3 important things: Heartbleed, Heartbleed and Heartbleed. It’s a serious vulnerability in the very widespread OpenSSL cryptographic software library. The bug has been introduced while implementing the Heartbeat extension in December 2011. When exploited it leads to the leak of memory contents, which might be secret keys or credentials.
Next week the IT-Security world will probably be busy with “the other side of Heartbleed”: Client Vulnerabilities or Reverse Heartbleed. And the question, which services and products are also affected.
2nd major data theft in Germany this year: 18 Million email addresses and passwords have been stolen. Among them also 38.000 which are registered in Switzerland.
WinXP in SCADA systems: Never change a running system? This computer wisdom of the 80th is still reality in critical infrastructure environments.
Android Security: Collin Mulliner compiled a list of Android Hardening Tools.
Security Researcher have to think out-of-the-box: A five-year-old boy worked out a security vulnerability on Microsoft’s Xbox Live service. And has been officially thanked by the company.

28/03/2014
by Frank Herberg

IT-Security-Links #52

Microsoft released a Security Advisory this week to notify customers that opening an e-mail containing a crafted RTF file in Outlook may hand the computer to hackers. Microsoft provides a fix-it tool. Another option: Read your e-mail in plain text.
The Full Disclosure security mailing list has been shut down after 12 years and more than 91.500 posts …
…and reborn under new management after a few days! You need to manually subscribe if you wish to be a member.
Amazon Web Services (AWS) is urging developers using GitHub to ensure they haven’t inadvertently exposed their log-in credentials. A search on GitHub reveals thousands of results where code containing AWS secret keys. (How to remove sensitive data on GitHub.)
NTP DDoS Attacks: Since December 2013 there has been a dramatic rise in NTP traffic, much of it due to NTP amplification attacks. According to the Open NTP Version (Mode 6) Scanning Project, currently 4.6 million distinct IPs (IPv4) respond to a NTP Mode 6 query.
Operation Windigo: Hackers compromised more than 25.000 servers and used them for stealing SSH credentials, sending an average of 35 million spam messages on a daily basis and infecting visitors with malware. ESET published a 69-page paper (PDF) with details of the large and sophisticated operation.
Data Privacy: Is it an out of date concept or more important than ever?

German:

Die Digitale Gesellschaft Schweiz hat ihren Swiss Lawful Intercept Report 2014 veröffentlicht. Dieser dokumentiert die Überwachungsaktivitäten der Kantone und des Dienstes Überwachung Post- und Fernmeldeverkehr (ÜPF).

28/02/2014
by Frank Herberg

IT-Security-Links #50

The ICC Belgium published a 72-page Cyber Security Guide including a Security Self Assessment Questionnaire.
Have you heard about the Security Bloggers Network? It’s the largest collection of information security focused blogs and podcasts in the world with almost 300 different blogs and podcasts included. They offer one feed of all the sites. (Sub-feeds for specified categories are in the works.)
Mobile Malware: Ten Years of Mobile Malware – From Symbian Worm to Tor-Based Android Backdoor, an overview by Softpedia with a nice graph from Symantec. Also Kaspersky published an article on Mobile Malware Evolution.
On 20th February 2014 the Niklaus Wirth Birthday Symposium took place in Zurich. Slides and video recordings of the talks are freely available. We recommend Software Defenses Using Compiler Techniques, a talk about compiler-generated software diversity as a defense mechanism against cyber attacks.
Anatomy of a “goto fail” – Apple’s SSL bug explained, by Sophos.

21/02/2014
by Frank Herberg

IT-Security-Links #49

Economic Crime Data: PwC published the findings of their Global and Swiss Economic Crime Survey 2014 as well as a 30-page PDF “Global Economic Crime Survey 2014 – A Swiss Perspective“.
More than 300.000 credentials were posted on Pastebin in 2013 according to a recent analysis by a Swiss security firm – which is just a small percentage of the stolen information posted publicly by hackers.
Sophos says 2013 was an epic year for data breaches – with over 800 million records lost.
DDoS: Who run the DDoS-for-hire services and why they themselves have to hide behind DDoS protection?
DDoS: What comes after NTP reflection attacks? And a friendly BCP38-reminder…
Meet Brian Krebs: How the author of the widely read cyber security blog ‘Krebs on Security’ lives and survives.
The ‘Moon’ worm never reaches a device which has anti-virus protection running on it. Why? It infects your Linksys router.

SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Category Archives: Vulnerabilities