December 18, 2018

Search Results for: Verisign

Is SSL Falling Apart? New Research Papers Find More Holes

(LiveHacking.Com) – Two new research papers (here and here) have been published which examine the low-level details of SSL, specifically its use of randomness, and the results are surprising. According to the “Ron was wrong, Whit is right” paper, two out of every one thousand RSA moduli on the Internet today offer no security, while Princeton’s Center for Information Technology Policy blog reports that 0.4% of all the public keys used for SSL web site security can be remotely compromised.

Two in one thousand is 0.2%; Princeton is talking about 0.4%. These aren’t huge numbers… but a search on Google for how many sites have “https://” in the URL shows 19,640,000,000 results. Some of these are sites about HTTPS and aren’t secure sites. If just one quarter of those are really using https, that is 4,910,000,000 sites. 0.4% of 1,964,000,000. That is a lot of SSL certificates. And a huge potential number of sites which can be hacked.

“Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for “multiple-secrets” cryptosystems such as RSA is significantly riskier than for “single-secret” ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman,” wrote Arjen K. Lenstra et al.

SSL has been having a hard time recently and it is starting to look as if this system isn’t as robust as previously thought. Recent SSL stories include the BEAST, Diginotar and Verisign.

“Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggests that the entire class of devices may be vulnerable upon further analysis,” wrote Nadia Heninger.
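As an added illustration (not code from the article or from either paper): the failure both papers report is RSA moduli that share a prime factor because the key generator ran with too little entropy, and a defender can audit a key inventory for it with nothing more than gcd. The primes and device names below are constructed toy values.

```python
# Added example: audit a set of RSA moduli for shared prime factors, the
# symptom of poorly seeded key generation that both papers measured.
from math import gcd
from itertools import combinations

# Constructed small primes standing in for the large primes a generator draws.
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed key inventory: device-a and device-b were seeded from the same
# poor entropy source and both drew P1, so their moduli share a factor.
# device-c was generated independently and shares nothing.
MODULI = {
    "device-a": P1 * P2,
    "device-b": P1 * P3,
    "device-c": P4 * P5,
}

def find_shared_factors(moduli):
    """Return {name: (p, q)} for every modulus that shares a prime with another.

    Pairwise gcd is enough for a small inventory; the papers apply the same
    idea with a batch-gcd tree to scale it to millions of keys.
    """
    broken = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        # g == n_a means an identical key (a separate problem); 1 < g < n_a
        # means a common prime, which factors both moduli immediately.
        if 1 < g < n_a:
            broken[name_a] = (g, n_a // g)
            broken[name_b] = (g, n_b // g)
    return broken

def audit(moduli):
    """Label each key as FACTORED (must be replaced) or ok."""
    broken = find_shared_factors(moduli)
    return {name: ("FACTORED" if name in broken else "ok") for name in moduli}

if __name__ == "__main__":
    for name, verdict in audit(MODULI).items():
        print(f"{name}: {verdict}")
```

A key flagged FACTORED gives no security regardless of its length, so the remediation is to regenerate it on a properly seeded device and revoke the old certificate.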

Google Releases Chrome 15.0.874.120 With a new Version of Flash Plus Various Security Fixes

Google has released Chrome 15.0.874.120 for Windows, Mac and Linux with a new version of Flash. This new version of Adobe Flash Player fixes several memory corruption vulnerabilities that could lead to arbitrary code execution.

Google paid out $2,000 in rewards for this version, with all of the money going to Aki Helin of OUSPG:

  • [$500] [100465] High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG.
  • [$500] [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and Vorbis media handlers. Credit to Aki Helin of OUSPG.
  • [101172] High CVE-2011-3894: Memory corruption regression in VP8 decoding. Credit to Andrew Scherkus of the Chromium development community.
  • [$1000] [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder. Credit to Aki Helin of OUSPG.
  • [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping. Credit to Ken “strcpy” Russell of the Chromium development community.
  • [102242] High CVE-2011-3897: Use-after-free in editing. Credit to pa_kt reported through ZDI (ZDI-CAN-1416).
  • [102461] Low CVE-2011-3898: Failure to ask for permission to run applets in JRE7. Credit to Google Chrome Security Team (Chris Evans).

Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.

Google also fixed the following bugs:

  • Updated V8 – 3.5.10.23
  • Fix small print sizing issues (issues: 10218682472102154)
  • Fixed the “certificate is not yet valid” error for server certificate issued by a VeriSign intermediate CA. (issue 101555) [OS X only]

DigiNotar Issued Fake SSL Certificates for CIA, MI6 and Mossad

(LiveHacking.Com) – The aftermath of the security breach at DigiNotar continues to grow. New revelations about the extent of the breach have now come to light. Because DigiNotar is a “root” certificate authority, it can delegate authority to intermediaries to sign and validate certificates on its behalf. It now appears that the hackers signed 186 intermediate certificates that masquerade as well-known certificate authorities such as Thawte, Verisign and Equifax.

The expanded list of domains for which fraudulent certificates were issued now includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list can be downloaded from the Tor website.

As a result of the wide scale of this incident Google and Mozilla have now blocked all certificates issued by DigiNotar. According to Mozilla “DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden).” The Dutch government has since audited DigiNotar’s performance and removed it from its PKIoverheid role. Therefore all DigiNotar certificates will now be untrusted by Mozilla products.

Hacker Halted 2011 Lands in Miami for October Conference – LiveHacking.com Official Media Partner

(LiveHacking.Com) – The EC-Council has lined up the world’s top information security experts for Hacker Halted 2011. This year’s conference will take place from October 21-27 at the InterContinental Miami. LiveHacking.com is proud to be an official media partner of the 2011 conference.

The conference is split into two distinctive parts. From October 21 to October 24 is ‘Hacker Halted | Academy’, a series of technical training and certification classes led by world-class instructors. Among the courses will be the renowned Certified Ethical Hacker (CEH) program (a recently accepted certification of DoD Directive 8570.01M Change 2). Then from October 25 to October 27 is ‘Hacker Halted | Conference’. With a comprehensive agenda and an international line-up of speakers, the Hacker Halted Conference promises to be one of the best information security conferences this year.

Keynote speaker highlights at Hacker Halted 2011 include:

  • Bruce Schneier, Chief Security Technology Officer at BT, best-selling author of Applied Cryptography, developer of cryptographic algorithms such as the AES finalist Twofish, and de facto spokesperson for the information security field.
  • George Kurtz, Worldwide Chief Technology Officer and Executive Vice President of McAfee, former CEO of Foundstone before it was acquired by McAfee, and co-author of Hacking Exposed: Network Security Secrets & Solutions.
  • Philippe Courtot, chairman and CEO of Qualys, former chairman and CEO of Signio (acquired by VeriSign), and former member of the Board of Trustees of The Internet Society.

Other speakers include Barnaby Jack, of Black Hat 2010 ATM hacking demonstration fame, and Moxie Marlinspike, Fellow at the Institute of Disruptive Studies, who has discovered numerous high-profile security vulnerabilities, including flaws in SSL/TLS.

Hacking: The Next Generation (Animal Guide)

  • Paperback: 304 pages
  • Publisher: O’Reilly Media; 1 edition (September 10, 2009)
  • Language: English
  • ISBN-10: 0596154577
  • ISBN-13: 978-0596154578

With the advent of rich Internet applications, the explosion of social media, and the increased use of powerful cloud computing infrastructures, a new generation of attackers has added cunning new techniques to its arsenal. For anyone involved in defending an application or a network of systems, Hacking: The Next Generation is one of the few books to identify a variety of emerging attack vectors.

You’ll not only find valuable information on new hacks that attempt to exploit technical flaws, you’ll also learn how attackers take advantage of individuals via social networking sites, and abuse vulnerabilities in wireless technologies and cloud infrastructures. Written by seasoned Internet security professionals, this book helps you understand the motives and psychology of hackers behind these attacks, enabling you to better prepare and defend against them.

  • Learn how “inside out” techniques can poke holes into protected networks
  • Understand the new wave of “blended threats” that take advantage of multiple application vulnerabilities to steal corporate data
  • Recognize weaknesses in today’s powerful cloud infrastructures and how they can be exploited
  • Prevent attacks against the mobile workforce and their devices containing valuable data
  • Be aware of attacks via social networking sites to obtain confidential information from executives and their assistants
  • Get case studies that show how several layers of vulnerabilities can be used to compromise multinational corporations

Author

Nitesh Dhanjani is a well-known security researcher, author, and speaker. Dhanjani is currently Senior Manager at a large consulting firm, where he advises some of the largest corporations around the world on how to establish enterprise-wide information security programs and solutions. Dhanjani is also responsible for evangelizing brand new technology service lines around emerging technologies and trends such as cloud computing and virtualization.

Prior to his current job, Dhanjani was Senior Director of Application Security and Assessments at a major credit bureau, where he spearheaded brand new security efforts to enhance the enterprise SDLC, created a process for performing source code security reviews and threat modeling, and managed the Attack & Penetration team.

Dhanjani is the author of “Network Security Tools: Writing, Hacking, and Modifying Security Tools” (O’Reilly) and “HackNotes: Linux and Unix Security” (Osborne McGraw-Hill). He is also a contributing author to “Hacking Exposed 4” (Osborne McGraw-Hill) and “HackNotes: Network Security”. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.

Dhanjani graduated from Purdue University with both a Bachelor’s and a Master’s degree in Computer Science.

Dhanjani’s personal blog is located at dhanjani.com.

Billy Rios is currently a Security Engineer for Microsoft, where he studies emerging risks and cutting-edge security attacks and defenses. Before his current role as a Security Engineer, Billy was a Senior Security Consultant for various consulting firms, including VeriSign and Ernst & Young. As a consultant, Billy performed network, application, and wireless vulnerability assessments as well as tiger team/full impact risk assessments against numerous clients in the Fortune 500.

Before his life as a consultant, Billy helped defend US Department of Defense networks as an Intrusion Detection Analyst for the Defense Information Systems Agency (DISA) and was an active duty Officer in the US Marine Corps (deployed in support of OIF in 2003). Billy’s thought leadership includes speaking engagements at numerous security conferences, including the Black Hat Briefings, RSA, Microsoft BlueHat, DEFCON, PacSec, HITB, the Annual Symposium on Information Assurance (ASIA), as well as several other security-related conferences. Billy holds a Master of Science degree in Information Systems, a Master of Business Administration degree, and an undergraduate degree in Business Administration.

Brett Hardin is a Security Research Lead with McAfee. At McAfee, Brett bridges security and business perspectives to help upper management understand security issues. Before joining McAfee, Brett was a penetration tester for Ernst & Young’s Advanced Security Center, assessing web application and intranet security for Fortune 500 companies.

In addition, Brett is the author of misc-security.com, a blog dedicated to security topics from a high-level or business-level perspective.

Brett holds a Bachelor of Science in Computer Science from California State University, Chico.

Source:[Amazon.com]