SSL 3.0 POODLE


Google security researchers have disclosed a vulnerability in SSL 3.0 that allows attackers to determine the plaintext of secure connections. By triggering network faults, attackers can push browsers back to the 15-year-old protocol and then exploit the flaw.

POODLE is short for Padding Oracle On Downgraded Legacy Encryption.

Google’s response to the flaw is a plan to scrub SSL 3.0 support from the Chrome browser. The company recommended users switch to tools that instead use TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value. Doing so will be more effective than simply disabling SSL 3.0, which will create compatibility issues.

If either side supports only SSL 3.0, then too bad, so sad: a serious update is required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability. The flaw allows attackers to steal ‘secure’ HTTP cookies and HTTP Authorization header contents, among other bearer tokens.
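To make the downgrade dance and the TLS_FALLBACK_SCSV defence concrete, here is an added toy model (not code from the post or from any TLS library) of a browser retrying lower protocol versions after faked network faults, with and without the fallback signal; the version tuples, the hostile_network/clean_network helpers and the Server class are constructed for this illustration, while the cipher-suite value 0x5600 and alert number 86 are the real ones from RFC 7507.

```python
# Added example, not from the post: a toy model of the browser "downgrade
# dance" and of the TLS_FALLBACK_SCSV defence from RFC 7507. Version tuples:
# SSL 3.0 = (3, 0), TLS 1.0 = (3, 1), TLS 1.1 = (3, 2), TLS 1.2 = (3, 3).
TLS_FALLBACK_SCSV = 0x5600        # cipher-suite value defined by RFC 7507
INAPPROPRIATE_FALLBACK = 86       # alert number defined by RFC 7507
TOY_CIPHER = 0x002F               # stand-in for the client's normal cipher list

class Server:
    def __init__(self, max_version=(3, 3)):
        self.max_version = max_version

    def handle(self, hello):
        """RFC 7507 rule: SCSV present + client_version below our best = refuse."""
        if TLS_FALLBACK_SCSV in hello["ciphers"] and hello["version"] < self.max_version:
            return {"alert": INAPPROPRIATE_FALLBACK}
        return {"server_hello": min(hello["version"], self.max_version)}

def clean_network(server, hello):
    """Honest path: the ClientHello reaches the server unchanged."""
    return server.handle(hello)

def hostile_network(server, hello):
    """Simulated fault injection on the path: every handshake above SSL 3.0 'fails'."""
    return None if hello["version"] > (3, 0) else server.handle(hello)

def downgrade_dance(server, network, send_scsv, client_max=(3, 3)):
    """Browser fallback loop: retry one version lower after each failure.
    Returns the negotiated version, or None if the connection was refused."""
    for version in [(3, 3), (3, 2), (3, 1), (3, 0)]:
        hello = {"version": version, "ciphers": [TOY_CIPHER]}
        if send_scsv and version < client_max:   # signal "this is a fallback"
            hello["ciphers"].append(TLS_FALLBACK_SCSV)
        reply = network(server, hello)
        if reply is None:                        # fault: dance down a version
            continue
        if "alert" in reply:                     # server spotted the fallback
            return None
        return reply["server_hello"]
    return None

if __name__ == "__main__":
    # Without SCSV the faults silently land the browser on SSL 3.0 -> (3, 0)
    print(downgrade_dance(Server(), hostile_network, send_scsv=False))
    # With SCSV the server refuses the forced fallback instead -> None
    print(downgrade_dance(Server(), hostile_network, send_scsv=True))
    # A genuinely SSL3-only peer still interoperates -> (3, 0)
    print(downgrade_dance(Server((3, 0)), hostile_network, send_scsv=True))
```

The third call is the interoperability point from the paragraph above: the signal only bites when the server could have done better than the version the client fell back to.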

Read more about POODLE here: https://www.openssl.org/~bodo/ssl-poodle.pdf and here: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

FYI, this attack is widely applicable!!!

Posted in Security Blog | Tagged , , , , , , , , , , , | Comments Off on SSL 3.0 POODLE

The Perfect Dropbox Meme

If you are wondering what I’m talking about, read the article over here: https://www.carmelowalsh.com/2014/10/seven-million-dropbox-passwords/

Found on Cheezburger


SandWorm


On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Microsoft has patched this vulnerability in the October 14, 2014 patch release – CVE-2014-4114. Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia. Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.

  • NATO
  • Ukrainian government organizations
  • Polish government and private sectors
  • Western European government organizations
  • European telecommunications firms
  • Energy sector firms
  • United States academic organizations

The malware steals sensitive documents, SSL keys and code-signing certificates, among other things. The Windows zero-day affects all currently supported versions of Windows, and researchers said that exploiting the bug is extremely simple. The exploit code can be loaded into any Office document and, when it executes, the machine doesn’t crash, so the user is likely unaware of the attack. Some have called this malware “trousersnake”, as it requires the user to unzip an attachment. lol.

Spearphishing emails sent to victims are highly customized to appeal to the recipients’ interests, such as a white paper targeted at attendees of the GlobSec conference. Other documents are specifically targeted at users in countries such as Poland and Ukraine.

p.s. Sandworm is not an actual worm (write once read many)


The Human Side of IT Security


Found on Dell’s website, this graphic will help you keep an eye out for common security pitfalls and learn what organizations and end users can do to minimize risks.


Seven Million Dropbox Passwords

6,937,081 usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.

I recommend that users turn on two-factor authentication and install a time-based, one-time password app on a mobile device.

To enable two-step verification:

  • Sign in to the Dropbox website.
  • Click on your name from the upper-right of any page to open your account menu.
  • Click Settings from the account menu and select the Security tab, or click here for a shortcut.
  • Under Two-step verification section, click Enable.
  • Click Get started.
  • For security reasons, you’ll be asked to re-enter your password to enable two-step verification. Once you do, you’ll be given the choice to receive your security code by text message or to use a mobile app.
  • After enabling the feature, consider adding a second phone number that can receive text messages as well. If you ever lose your primary phone, you’ll be able to receive a backup security code to that number instead.

Or, move away from Dropbox; I recommend using Google Drive, OneDrive, and Box.net.


AZ State Fair 2014

For a fun treat, we went to the Arizona State Fair, ate some funnel cake and other fried crap, and then watched a Sublime and Rome concert. It was fun and it was also Damien’s first concert!

I saw this Superman at comicon.

Tiny Robot Bees


Snapchat, the Snappening

Snapchat pictures stolen through third party apps. More nudes online. Users of the app, many of them teenagers, have apparently had their photos gathered over a number of years before being posted on a website. The leak – dubbed the ‘Snappening’ – comes after the iCloud security breach, the ‘Fappening’ in which nude photos of celebrities were posted.


NOVA Labs – Cybersecurity Lab


I stumbled upon a little jewel yesterday when I found PBS Presents: The Secret Lives of Hackers. The video is nicely done, but what’s more is the website that the video was originally posted on. PBS, the Public Broadcasting Service, has a cybersecurity lab on their NOVA site.

The game allows you to defend a company that is the target of increasingly sophisticated cyber attacks. Your task is to strengthen your cyber defenses and thwart the attackers by completing a series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers. How cool is that? Aside from that, they have Cybersecurity Video Quizzes, and a video library.

The game is actually quite fun and I recommend it for not just National Cyber Security Awareness Month, but for general information security employee awareness.

Visit http://www.pbs.org/cgi-registry/sitemembershiplink.cgir to donate and support NOVA PBS.


Instructables.com Defaced

Screenshot from 2014-10-10 22:29:54

I just happened to stumble upon this today. It happened 20 minutes ago from the time stamps.
