<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>VR World &#187; Heartbleed</title>
	<atom:link href="http://www.vrworld.com/tag/heartbleed/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vrworld.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Apr 2015 07:54:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1.1</generator>
	<item>
		<title>Google Discovers Vulnerability in SSL 3.0</title>
		<link>http://www.vrworld.com/2014/10/14/google-discovers-vulnerability-in-ssl-3-0/</link>
		<comments>http://www.vrworld.com/2014/10/14/google-discovers-vulnerability-in-ssl-3-0/#comments</comments>
		<pubDate>Tue, 14 Oct 2014 23:26:35 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Bodo Möller]]></category>
		<category><![CDATA[Fallback]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google Security]]></category>
		<category><![CDATA[Heartbleed]]></category>
		<category><![CDATA[Krzysztof Kotowicz]]></category>
		<category><![CDATA[OpenSSL]]></category>
		<category><![CDATA[POODLE]]></category>
		<category><![CDATA[Researchers]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[SSL 3.0]]></category>
		<category><![CDATA[Thai Duong]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=40072</guid>
		<description><![CDATA[<p>Google's security researchers have discovered a new bug within SSL, this time in SSL 3.0, that exploits the fallback to SSL 3.0 and its inherent insecurity.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/10/14/google-discovers-vulnerability-in-ssl-3-0/">Google Discovers Vulnerability in SSL 3.0</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1000" height="389" src="http://cdn.vrworld.com/wp-content/uploads/2014/06/Google-Logo1.png" class="attachment-post-thumbnail wp-post-image" alt="Google Logo" /></p><p>Remember when security researchers <a title="The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years" href="http://www.brightsideofnews.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/">found a vulnerability in OpenSSL</a> that potentially put the entire world at risk of having their data compromised? Heartbleed appears not to be the end of these vulnerabilities: Google has found another <a href="http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html" target="_blank">vulnerability in an older version of SSL</a>, SSL 3.0. Thankfully, SSL 3.0 has mostly been replaced by TLS 1.0, TLS 1.1 and TLS 1.2, but many of those systems still keep SSL 3.0 as a backup in case they need to support this legacy protocol.</p>
<p>Three Google security researchers <a href="https://www.openssl.org/~bodo/ssl-poodle.pdf" target="_blank">published a paper</a> back in September called <em>This POODLE bites: Exploiting the SSL 3.0 Fallback</em>. In that document, Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google state upfront that SSL 3.0 is obsolete and insecure, and that&#8217;s why most companies, websites and the world overall no longer use it. However, because some implementations keep SSL 3.0 as a legacy support feature, there are some security vulnerabilities that can be exploited as a result. They also say that by simply disabling SSL 3.0 you can avoid this vulnerability completely. They call the attack that happens as a result of the downgrade to SSL 3.0 POODLE (Padding Oracle On Downgraded Legacy Encryption), which allows them to steal &#8220;secure&#8221; HTTP cookies or any bearer tokens.</p>
<p>If you can&#8217;t disable SSL 3.0 for one reason or another in your setup, then they&#8217;ve provided a detailed solution which helps work around this fallback vulnerability. Realistically, this is nowhere near as scary as Heartbleed or Shellshock, which affect more systems and have a much greater effect on the victim&#8217;s data. Nonetheless, this is something that system administrators need to address in their own secure implementations in order to ensure that they do not become exposed to this SSL 3.0 POODLE attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/10/14/google-discovers-vulnerability-in-ssl-3-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Rolls Out Android 4.4.4 Update Right before Google IO</title>
		<link>http://www.vrworld.com/2014/06/23/google-rolls-android-4-4-4-update-right-google-io/</link>
		<comments>http://www.vrworld.com/2014/06/23/google-rolls-android-4-4-4-update-right-google-io/#comments</comments>
		<pubDate>Mon, 23 Jun 2014 23:12:59 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Android 4.4.4]]></category>
		<category><![CDATA[Android 5]]></category>
		<category><![CDATA[Android Update]]></category>
		<category><![CDATA[Android Wear]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google IO]]></category>
		<category><![CDATA[Heartbleed]]></category>
		<category><![CDATA[Update]]></category>
		<category><![CDATA[wearables]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=36127</guid>
		<description><![CDATA[<p>Many people have been awaiting Google&#8217;s Android 4.4.4 update which many expected would get rolled out at Google IO. They weren&#8217;t necessarily wrong since Google ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/06/23/google-rolls-android-4-4-4-update-right-google-io/">Google Rolls Out Android 4.4.4 Update Right before Google IO</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1000" height="389" src="http://cdn.vrworld.com/wp-content/uploads/2014/06/Google-Logo1.png" class="attachment-post-thumbnail wp-post-image" alt="Google Logo" /></p><p>Many people have been awaiting Google&#8217;s Android 4.4.4 update which many expected would get rolled out at Google IO. They weren&#8217;t necessarily wrong since Google IO starts on Wednesday and there will probably be a lot of Android news in terms of new versions of the OS and improvements coming to it. However, many expected the Android Kit Kat 4.4.3 to 4.4.4 update to be fairly minor compared to other Android updates, and they were also correct to think so as the entire update was only 2.5 MB to download, as opposed to an entirely new OS image.</p>
<p>Over the course of the past few days, this update has been rolling out and most of the reports indicate that this is mostly a security fix for the <a title="The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years" href="http://www.brightsideofnews.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/">OpenSSL vulnerability</a> that patches the Heartbleed exploit. There isn&#8217;t much else by way of this update other than the fact that it may mean that any and all other Android devices that don&#8217;t have 4.4.4 are probably or possibly vulnerable. So, from that standpoint, that&#8217;s a bit concerning if you&#8217;re an Android user without a Nexus phone running Kit Kat 4.4.4. You can get the 4.4.4 update over the air via your carrier or you can download it directly from Google&#8217;s repository through the SDK and install it that way. However, that method should only be used by people who know how to flash a phone.</p>
<p>As Google IO starts up this week, we&#8217;ll probably see Android 4.5 news or possibly Android 5.0 which will likely incorporate a lot of major UI changes and all of the bugfixes from previous Android versions as well. Hopefully it won&#8217;t come with new hardware requirements (like memory) forcing new flagship phones to be 3 and 4 GB. However, I do believe we&#8217;ll hear a lot about 64-bit on Android in ways that we haven&#8217;t heard before. I think that Google is going to put a lot of focus on improving the core OS&#8217; functionality and adapting towards higher performance while also talking a lot about wearables and Android Wear.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/06/23/google-rolls-android-4-4-4-update-right-google-io/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Whitehouse Says They Have Right to Withhold a Security Vulnerability</title>
		<link>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/</link>
		<comments>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/#comments</comments>
		<pubDate>Thu, 01 May 2014 18:49:57 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[CIA]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Heartbleed]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[OpenSSL]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Whitehouse]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=34849</guid>
		<description><![CDATA[<p>On Monday, as a follow up to the awareness around the Heartbleed bug and all of the rumors that circulated around it, The Whitehouse posted ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/">The Whitehouse Says They Have Right to Withhold a Security Vulnerability</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="2000" height="1361" src="http://cdn.vrworld.com/wp-content/uploads/2014/05/WhiteHouse_Logo1.png" class="attachment-post-thumbnail wp-post-image" alt="Whitehouse Logo" /></p><p>On Monday, as a follow up to the awareness around <a title="The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years" href="http://www.brightsideofnews.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/">the Heartbleed bug</a> and all of the rumors that circulated around it, <a href="http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities" target="_blank">The Whitehouse posted a blog</a> clarifying their stance on how they approach vulnerabilities such as Heartbleed. In fact, the NSA categorically denied any knowledge of the <a href="https://twitter.com/NSA_PAO/status/454720059156754434" target="_blank">Heartbleed bug officially on Twitter</a>, even though they have been known to lie to Congress and the American people without hesitation, so their honesty is more than a little in question.</p>
<p>So, what exactly are they going to disclose and when? Well, there&#8217;s a nifty little checklist that the Whitehouse has provided us with so that we know when an agency should withhold information from the public and when it should make it public.</p>
<blockquote>
<p class="p1">We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:</p>
</blockquote>
<ul>
<li class="p2">
<blockquote><p>How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Does the vulnerability, if left unpatched, impose significant risk?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How likely is it that we would know if someone else was exploiting it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How badly do we need the intelligence we think we can get from exploiting the vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Are there other ways we can get it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Could we utilize the vulnerability for a short period of time before we disclose it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How likely is it that someone else will discover the vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Can the vulnerability be patched or otherwise mitigated?</p></blockquote>
</li>
</ul>
<p>So, The Whitehouse and the Obama administration are basically saying that if a vulnerability doesn&#8217;t really affect us too much, but can gain us lots of valuable intelligence, we should keep our mouths shut. What is interesting about this supposed &#8220;rigorous&#8221; process for vulnerability disclosure is that there is no time limit set for how long they are allowed to wait until they disclose a vulnerability. There is no limitation on how long they can leave a vulnerability open if it passes all of these checks that they&#8217;ve established. They mention utilizing the vulnerability for a short period of time, but that doesn&#8217;t actually mean anything because a short period of time could be a day, a week, a month, or a year.</p>
<p>With the Heartbleed bug and the public disclosure around it, there were a lot of companies scrambling to patch the bug and some attacks that utilized it immediately after its disclosure. However, if left unpatched, Heartbleed could have disastrous implications and would give any government with knowledge of it almost unlimited access across the web. As a result, many people simply don&#8217;t believe that The Whitehouse and the NSA were unaware of such a bug, especially since the NSA had quietly exploited countless other bugs continually without any concern.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years</title>
		<link>http://www.vrworld.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/</link>
		<comments>http://www.vrworld.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/#comments</comments>
		<pubDate>Fri, 11 Apr 2014 20:59:19 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Bloomberg]]></category>
		<category><![CDATA[Certificate]]></category>
		<category><![CDATA[Heartbeat]]></category>
		<category><![CDATA[Heartbleed]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[OpenSSL]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[TLS]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=34422</guid>
		<description><![CDATA[<p>According to a report coming out of Bloomberg, the NSA supposedly knew of the OpenSSL Heartbleed bug for nearly 2 years and used it to ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/">The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="341" height="341" src="http://cdn.vrworld.com/wp-content/uploads/2014/04/NSAHeartbleed1.jpg" class="attachment-post-thumbnail wp-post-image" alt="NSAHeartbleed" /></p><p>According to <a href="http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html">a report coming out of Bloomberg,</a> the NSA supposedly knew of the <a href="https://www.openssl.org/news/secadv_20140407.txt">OpenSSL Heartbleed bug</a> for nearly 2 years and used it to their advantage when they needed to. This makes the entire belief that the bug was an accidental mistake in the code that hadn&#8217;t been noticed much less probable. Not to mention the fact that the Heartbleed bug is affecting almost the entire internet and puts the security of most passwords into question. The problem, however, is that not enough websites have fixed their certificates to patch this issue. There are hundreds of thousands if not millions of affected sites that handle critical user email accounts, bank accounts and various other sensitive data. The day that the bug was found and announced, a fix was also issued to resolve the issue; however, system administrators are slow to <a href="https://www.openssl.org/source/">implement the fix</a> as attacks are already supposedly under way.</p>
<p>In any case, it is advisable to change all of your passwords to sensitive accounts and to enable 2-step authentication as well, considering the fact that such issues could be discovered in the future and that you could be vulnerable until then, like now. The real truth of the matter is that this issue is an unfortunate situation and in today&#8217;s online world there is no doubt that one has to remain vigilant and stay on top of all potential security risks. It also doesn&#8217;t help that the NSA and CIA are building backdoors into hardware across the entire IT industry and that they are effectively building in backdoors for hackers to exploit if they figure out how and where to look. The fact that these governmental agencies are doing this in light of trying to claim that foreign companies cannot be trusted (see Huawei) is hypocritical at the very least and damaging to the US economy at the very most. There is no doubt in my mind that the government&#8217;s involvement in both covert espionage and industrial espionage is causing other countries to not want to do business with US companies, even if those companies have absolutely no knowledge of their insecurities.</p>
<p>As far as this Heartbleed bug goes, you should be mindful of your passwords and accounts and likely change them over the course of the next few days as companies update their OpenSSL and issue new certificates. Unfortunately, until then, you&#8217;re pretty much cannon fodder for any hackers that want to exploit this. So, be careful and enable 2-step authentication wherever possible, because even if they have your password, the likelihood that they ALSO have access to your phone is very low. However, some 2-step authentication does use email, so be careful of that and change your email passwords ASAP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
