Monthly Archives: April 2014

security

Quis hackiet ipsos hackes?

acunetix Yesterday, Israeli security researched Danor Cohen reported that Acunetix’s web application security scanner has an exploitable vulnerability. Although the blog post is titled “Pwn the n00bs”, I’ve seen several origanizations use Acunetix to perform scans on (their own?) web applications.

Security bugs appear in all pieces of software; including security scanners and hacking tools. These tools often require to run as root (to perform privileged actions, such as putting a network interface into promiscious mode, etc). LiveUSB security distributions often run all commands as root and could pose a problem. Even though you are running a liveUSB environment, users often mount their HDD or external media to save files. Open source tools can often be fixed easily, but commercial software a la Acunetix usually relies on vendor update channels.

Be careful when running all software, even your security software/hacking tools can be vulnerable.

misc

HeartBleed: we’re sslcrewed

heartbleedThe year 2014 is only a hundred days old, and this is probably the security bug of the year. In case you haven’t heard it, and shame on you if you didnt. HeartBleed is an exploit on a OpenSSL’s TLS Heartbeat extensions. It goes well undetected, and nearly half a billion (yes, B) of websites are vulnerable. We’re not even talking about most other SSL services, embedded systems and so on. It allows an attacker to read chunks of memory (per 64 Kilobytes) which may contain SSL secret keys, passwords, messages, etc.

More technical information can be seen on heartbleed.com, and you can check your site using this site.

You can be sure that most blackhat parties, including several intelligence services have tried already to extract information from your SSL enabled websites. If not, you’ll see an increase in HTTPS connections this weekend. Patch your servers, chnge your certificates, change your passwords; all of them. If somebody was storing all your SSL data in the past, they will have a way to find the key to decrypt all of it now, it’s that bad.