New OpenSSL vulnerability puts encrypted communications at risk of spying

June 6, 2014 – 5:30 AM

A newly discovered vulnerability that lets an attacker spy on encrypted SSL/TLS communications has been fixed in the widely used OpenSSL library.

The vulnerability, which is being tracked as CVE-2014-0224, can be exploited to decrypt and modify SSL (Secure Sockets Layer) and TLS (Transport Layer Security) traffic between clients and servers that both use OpenSSL. Clients are affected in all OpenSSL versions; servers are only known to be affected if the library on the server is 1.0.1 or newer. Both endpoints must be running a vulnerable version for the attack to work.

In order to pull off a successful attack, the attacker would first need to be able to intercept connections between a targeted client and a server. This is known as a man-in-the-middle (MitM) position and can be gained on insecure wireless networks, by hacking into routers or by using other methods.

The security flaw was discovered by Masashi Kikuchi, a researcher from Japanese IT consulting company Lepidum, and was patched in OpenSSL 0.9.8za, 1.0.0m and 1.0.1h released Thursday. These new versions also address three denial-of-service issues and a remote code execution vulnerability when the library is used for Datagram Transport Layer Security (DTLS) connections.

The man-in-the-middle attack is possible because OpenSSL accepts ChangeCipherSpec (CCS) messages at the wrong point in a TLS handshake, Kikuchi said in a blog post. These messages, which mark the switch from unencrypted to encrypted traffic, must be sent at specific times during the TLS handshake, but OpenSSL accepts CCS messages at other times as well, Kikuchi said. If a CCS arrives before the key exchange has finished, the library derives its session keys from a master secret that has not yet been established, so an attacker who injects an early CCS toward both the client and the server ends up with predictable keys for the session.
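
The ordering rule Kikuchi describes can be checked mechanically. The script below is an added example written for this digest, not code from OpenSSL, Kikuchi or Langley. It parses a simplified TLS 1.0-1.2 record stream for a full (non-resumed) handshake and flags a ChangeCipherSpec that arrives before its sender could possess a master secret: a client-side CCS before ClientKeyExchange, or a server-side CCS before the client's own CCS. The byte streams it runs on are constructed inline rather than captured, and the `c2s`/`s2c` labels and all function names are this example's own.

```python
"""Flag ChangeCipherSpec (CCS) records that arrive before the sender can
possess a master secret.  Simplified TLS 1.0-1.2 record parser; assumes a
full (non-resumed) handshake with plaintext handshake records up to the
first CCS in each direction.  Example code, not OpenSSL's."""
import struct

# TLS record content types
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
# Handshake message types used below
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14
CLIENT_KEY_EXCHANGE = 16


def record(content_type, body, version=b"\x03\x01"):
    """Build one TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body


def handshake_msg(msg_type, body=b""):
    """Build one handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split a byte string into a list of (content_type, payload) records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        content_type = data[off]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((content_type, payload))
        off += 5 + length
    return records


def handshake_types(payload):
    """Return the handshake message types packed into one plaintext record."""
    types, off = [], 0
    while off + 4 <= len(payload):
        types.append(payload[off])
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")
    return types


def find_early_ccs(flow):
    """flow: list of (direction, raw_bytes) in wire order, direction being
    'c2s' (client to server) or 's2c'.  Returns (direction, index) of the
    first premature CCS, or None when the ordering is legitimate."""
    client_kex_seen = False                     # client sent ClientKeyExchange
    client_ccs_seen = False                     # client switched to encryption
    encrypted = {"c2s": False, "s2c": False}    # direction already under CCS
    for i, (direction, data) in enumerate(flow):
        for content_type, payload in parse_records(data):
            if content_type == HANDSHAKE and not encrypted[direction]:
                if direction == "c2s" and CLIENT_KEY_EXCHANGE in handshake_types(payload):
                    client_kex_seen = True
            elif content_type == CHANGE_CIPHER_SPEC:
                if direction == "c2s" and not client_kex_seen:
                    return ("c2s", i)   # no premaster secret yet: injected CCS
                if direction == "s2c" and not client_ccs_seen:
                    return ("s2c", i)   # server cannot have keys before the client's CCS
                if direction == "c2s":
                    client_ccs_seen = True
                encrypted[direction] = True
    return None


def build_flow(injected):
    """Constructed handshake bytes (not a capture).  With injected=True a
    man-in-the-middle sends a CCS to both ends right after ServerHello."""
    flow = [
        ("c2s", record(HANDSHAKE, handshake_msg(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32))),
        ("s2c", record(HANDSHAKE, handshake_msg(SERVER_HELLO, b"\x03\x01" + b"\x00" * 32)
                                  + handshake_msg(CERTIFICATE, b"\x00\x00\x00")
                                  + handshake_msg(SERVER_HELLO_DONE))),
    ]
    if injected:
        flow += [("c2s", record(CHANGE_CIPHER_SPEC, b"\x01")),
                 ("s2c", record(CHANGE_CIPHER_SPEC, b"\x01"))]
    # What the real endpoints send next: key exchange, CCS, encrypted Finished.
    flow += [
        ("c2s", record(HANDSHAKE, handshake_msg(CLIENT_KEY_EXCHANGE, b"\x00" * 48))
                + record(CHANGE_CIPHER_SPEC, b"\x01")
                + record(HANDSHAKE, b"\xde\xad\xbe\xef" * 4)),  # stands in for encrypted Finished
        ("s2c", record(CHANGE_CIPHER_SPEC, b"\x01")
                + record(HANDSHAKE, b"\xde\xad\xbe\xef" * 4)),
    ]
    return flow


if __name__ == "__main__":
    print("normal handshake:", find_early_ccs(build_flow(False)))  # None
    print("CCS injection:  ", find_early_ccs(build_flow(True)))    # ('c2s', 2)
```

To test a live server for the same weakness, the approach taken by the public CCS-injection test scripts was to send a ClientHello, wait for the ServerHello, and then send a CCS immediately: a patched OpenSSL answers with an unexpected_message alert, while an unpatched one carries on with the handshake.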

The problematic code has existed since at least OpenSSL 0.9.1c, which was released in December 1998, so the bug is over 15 years old, Adam Langley, a senior software engineer at Google, said in an analysis of the issue posted on his personal blog.

Source:
http://www.pcadvisor.co.uk/news/security/3523618/new-openssl-vulnerability-puts-encrypted-communications-at-risk-of-spying/

Experts Discover File-Encrypting Android Ransomware

June 5, 2014 – 5:30 AM

Security vendor ESET claims to have discovered the first ever piece of file-encrypting Android ransomware, which contacts a command-and-control (C&C) server hosted on a Tor hidden service (.onion) domain to hide its location.

The malware, detected by the vendor as ‘Android/Simplocker’, is most likely a work in progress, as the implementation of the encryption “doesn’t come close” to the notorious Cryptolocker Windows ransomware that hit the headlines recently, ESET malware researcher Robert Lipovsky wrote in a blog post.
 
“Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved,” he added.
 
“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
 
Once downloaded, Simplocker scans the Android device’s SD card for various file types – including jpeg, avi and mkv – encrypts them and demands a ransom from the user to decrypt them.

Source:
http://www.infosecurity-magazine.com/view/38716/experts-discover-fileencrypting-android-ransomware/

Google Plans To Launch An Easy-To-Use Chrome Plug-In For Email Encryption Soon

June 3, 2014 – 9:31 PM

Google today announced that it will soon release a Chrome plug-in that will enable end-to-end encryption for web-based email services. The plug-in is based on the OpenPGP email encryption standard.

Google’s plan here is to make encryption easy enough to use to become widespread among mainstream users. Right now, unless you are fairly technical and can get extensions like Mailvelope to work for you, using Gmail — or any other popular email service — with encryption enabled is pretty hard. Because of this, very few people actually encrypt their messages today.

While Google announced this project today, however, it isn’t actually launching the plug-in yet. Instead, it is sharing the source code with the community to test and evaluate it. Given the recent issues around the Heartbleed bug in the OpenSSL library, that’s probably the right approach. “Prematurely making End-To-End available could have very serious real world ramifications,” Google rightly says.

The plug-in is covered by Google’s Vulnerability Reward Program, so developers and security researchers who find issues with it can earn rewards for reporting bugs.

Google says that the new plug-in will let “anyone” enable end-to-end email encryption “through their existing web-based email provider.” Chances are then, this plug-in will work with more than just Gmail and cover other popular services as well. Given that the recipients have to somehow decrypt your encrypted email, it wouldn’t make sense to just offer this for Gmail anyway.

Source:
http://techcrunch.com/2014/06/03/google-plans-to-launch-an-easy-to-use-chrome-plug-in-for-email-encryption-soon/

ISPs urged to quarantine infected computers

June 3, 2014 – 9:27 PM

The recent effort to disrupt the Gameover Zeus botnet includes plans for Internet service providers to notify victims, but some security researchers think ISPs should play an even bigger role in the future by actively quarantining infected computers identified on their networks.

Law enforcement agencies from several countries including the FBI and Europol announced Monday that they worked with security vendors to disrupt the Gameover Zeus botnet, which is estimated to have affected between 500,000 and 1 million computers.

“Individuals in the U.K. may receive notifications from their Internet Service Providers that they are a victim of this malware and are advised to back up all important information — such as files, photography and videos,” the U.K.’s National Crime Agency said in a statement on its website.

Notifying Internet users of malware infections, especially when their computers become part of known botnets, has become a relatively common practice for some ISPs in recent years.

For example, in the U.S., Comcast introduced security alerts for its Xfinity service subscribers back in 2010, while in Germany the government partnered with ISPs to notify users whose computers are infected with malware on an ongoing basis and help them clean their machines.

However, ISPs should take an even bigger role in the fight against botnets, as “desperate times call for desperate measures,” Rik Ferguson, global vice president of security research at Trend Micro, said Monday in a blog post.

Source:
http://www.computerworld.com/s/article/9248812/ISPs_urged_to_quarantine_infected_computers?taxonomyId=17

Comcast to Encrypt Email For Security

June 3, 2014 – 9:14 PM

Comcast Corp., the nation’s largest Internet provider by number of homes and businesses served, said Tuesday it would begin scrambling customers’ email to protect it from prying eyes.

The move came just hours after Google called out email providers, including Comcast, for not using encryption. Google on Tuesday publicized for the first time the share of its email traffic exchanged with other providers that is encrypted in transit. According to Google, fewer than 1% of Gmail messages sent to Comcast.net addresses were encrypted on a sample day last month.

Comcast spokesman Charlie Douglas said the company is testing encryption and would begin using it more broadly on customers’ email “within a matter of weeks.” He said Comcast is “very aggressive about this.”

The moves were an indication that some tech companies see privacy as a consumer issue after a year of leaks from Edward Snowden, the former National Security Agency contractor. Mr. Snowden’s leaks prompted Facebook Inc., Microsoft Corp. and Yahoo Inc., among others, to make it harder for government spies to read emails as they cross the Internet’s backbone.

Google began encrypting connections to Gmail by default in 2010. Encryption scrambles a message so that only a party holding the right key can read it. The challenge for mail travelling between providers: it only protects a message if both the sending and the receiving mail server support it.
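
The "both sides" point is what makes provider-to-provider email encryption fragile. As an added example for this digest (not code from Google, Comcast or any mail provider), the following script assumes the mechanism in question is SMTP STARTTLS, the opportunistic upgrade that Google's in-transit figures measure; the page itself does not name it. It parses a server's EHLO reply to see whether STARTTLS is offered, shows what an on-path attacker does to downgrade the session (drop the STARTTLS line so the sender never tries to encrypt), and includes an optional live check against a real mail exchanger. The EHLO reply and host names are constructed for the example.

```python
"""Opportunistic SMTP encryption: check whether a server offers STARTTLS and
show why a sender that merely 'tries' encryption can be downgraded.  Standard
library only; the live check needs network access and is not run here."""
import smtplib
import ssl


def ehlo_extensions(ehlo_reply: bytes) -> set:
    """Parse a raw multi-line EHLO reply (RFC 5321 '250-KEYWORD ...' lines,
    last line '250 KEYWORD') into the set of advertised extension keywords."""
    extensions = set()
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:            # first line is the server's greeting, not an extension
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            extensions.add(keyword)
    return extensions


def starttls_offered(ehlo_reply: bytes) -> bool:
    """True if the receiving server advertises STARTTLS."""
    return "STARTTLS" in ehlo_extensions(ehlo_reply)


def strip_starttls(ehlo_reply: bytes) -> bytes:
    """What a man-in-the-middle does to downgrade opportunistic TLS: remove
    the STARTTLS advertisement.  Assumes STARTTLS is not the final '250 '
    line, so the reply stays well-formed after the deletion."""
    kept = [l for l in ehlo_reply.split(b"\r\n") if l.upper() != b"250-STARTTLS"]
    return b"\r\n".join(kept)


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a real mail exchanger, attempt STARTTLS with certificate
    validation and report whether the session ended up encrypted.  Network
    access required; not exercised by the offline sample below."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False                      # plaintext is all this peer offers
        smtp.starttls(context=ctx)           # raises on certificate mismatch
        smtp.ehlo()                          # RFC 3207: re-issue EHLO after TLS
        return isinstance(smtp.sock, ssl.SSLSocket)


# Constructed EHLO reply (not captured from any real server).
EHLO_WITH_TLS = (b"250-mx.example.net Hello sender.example.org\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")


if __name__ == "__main__":
    print("server offers STARTTLS:", starttls_offered(EHLO_WITH_TLS))                   # True
    print("after on-path stripping:", starttls_offered(strip_starttls(EHLO_WITH_TLS)))  # False
```

Because the sender only encrypts when the receiver advertises STARTTLS, an attacker who can edit the EHLO reply silently forces plaintext. Closing that hole needs the sender to insist on TLS for a given peer rather than merely try it, which is why a provider that does not support encryption at all leaves every message to and from it readable in transit.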

Source:
http://online.wsj.com/articles/comcast-to-encrypt-email-for-security-1401841512