A security researcher has discovered a new, remotely exploitable vulnerability in OpenSSL that could let an attacker intercept and decrypt traffic between vulnerable clients and servers. The Heartbleed flaw in the popular OpenSSL Internet security protocol, found earlier this year, forced many website operators to update their software and advise millions of users to change their passwords. The new vulnerability—which Masashi Kikuchi, a researcher with IT consultancy Lepidum Co., found—affects all OpenSSL versions. To exploit the bug, an attacker must first have a man-in-the-middle position on a network. (SlashDot)(Threat Post)(Computerworld)(OpenSSL Security Advisory)(Lepidium Co.)
Showing posts with label vulnerability. Show all posts
Showing posts with label vulnerability. Show all posts
Wednesday, June 18, 2014
Thursday, March 13, 2014
Belkin Home Automation Vulnerability Uncovered
Security researchers asked consumers to stop using Belkin’s WeMo home automation products after finding various vulnerabilities in the items that attackers could use to gain access to home networks, thermostats, or other connected devices. The line of products enable individuals to use their IOS and Android smartphones and computers to remotely control items including light switches, Web cams, motion sensors, and other home appliances. They were found to be exposing the password and cryptographic signing key used to ensure that firmware updates are valid, stated IOActive, a security firm. The US Computer Emergency Response Team issued a vulnerability note with five identified issues in the products. Belkin, in an 18 February 2014 statement, says it has fixed the vulnerabilities, which include updates to the API server, firmware, and application that could have possibly allowed the devices to be attacked. (Ars Technica)(eWeek)(IO Active)(Belkin)
Friday, November 15, 2013
Verizon Vulnerability Left Subscribers’ Texting Histories Accessible
A vulnerability in Verizon Wireless’ Web-based customer portal let anyone with subscribers’ phone numbers download their complete short-message-service history, including the phone numbers of people with whom they communicated. The Verizon website failed to verify that the number entered into the application actually belonged to the person entering it. Once a number was entered, the person could download its SMS message history. A Verizon customer reportedly discovered the vulnerability and reported it to the company. Verizon then took more than a month to resolve the issue and another month to publicly disclose it. Verizon issued a statement to Engadget stating “we addressed this issue as soon as our security teams were made aware of it. Customer information was not impacted.” (SlashDot)(ThreatPost)(Engadget)
Friday, June 15, 2012
Android vulnerability debugged
ScienceDaily (Apr. 12, 2012) — A group of Italian researchers have discovered and neutralized a serious vulnerability present in all versions of Android, the popular operating system developed by Google specifically for smartphones and tablet computers. The vulnerability could have been easily exploited by malicious software applications, with the effect of making devices based on Google's operating system currently on the market completely unusable. The solution proved to be effective and will be included in a future update.
The work was conducted by researchers working in various Italian universities and research centers: Prof. Alessandro Armando, Head of the "Security & Trust" Research Unit at the Bruno Kessler Foundation in Trento and coordinator of the DIST's Artificial Intelligence Laboratory at the University of Genoa, prof. Alessio Merlo (Telematic University E-Campus), Prof. Mauro Migliardi (coordinator of the Green Energy Aware Security at the University of Padua) and Luca Verderame (recent graduate in Computer Engineering at the University of Genoa).
The team of researchers promptly reported the vulnerability to Google and to the Android "security team," providing a detailed analysis of related risks. It also designed a solution that was verified by the security team of Android, and that -- given its effectiveness -- will be adopted in a future operating system update.
If it had not been neutralized, the vulnerability discovered by the Italian team would have allowed a malicious application software (malware) to saturate the physical resources of the device, leading to complete blockage of both Android-based smartphones and Tablet computers. An especially insidious problem because this particular application does not require any authorization during installation and would tend to appear harmless to the user.
This research will be published on the proceedings of the "27th IFIP International Information Security and Privacy Conference -- SEC 2012" (Heraklion, Crete, Greece, June 4-6, 2012).
Technical Information
The identified vulnerability is based on a defect in the control of communication between applications and vital components of Android that allows to systematically exhaust the memory resources of the device by the generation of an arbitrarily large number of processes. The fundamental principle of the security of Android is the total separation between the applications (sandboxing) to ensure that each of these cannot affect in any way the operation of the others. The team of Italian researchers showed that this separation is violated in current systems and indicated the solution to be able to restore it.
Share this story on Facebook, Twitter, and Google:Other social bookmarking and sharing tools:
Story Source:
The above story is reprinted from materials provided by Fondazione Bruno Kessler, via AlphaGalileo.
Note: Materials may be edited for content and length. For further information, please contact the source cited above.
Note: If no author is given, the source is cited instead.
Disclaimer: Views expressed in this article do not necessarily reflect those of ScienceDaily or its staff.
Subscribe to:
Posts (Atom)