HITB GSEC Singapore (August 21st - 25th)
Register Online Now!
The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.
Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.
Seven hours is all it takes to crack the encryption that is in place on some supposedly secure websites. Security experts blame the US government's ban on the use of strong encryption back in the 1990s for a vulnerability that has just come to light. Named FREAK (Factoring attack on RSA-EXPORT Keys), the flaw exists on high-profile websites including, ironically, NSA.gov.
Some of the world's leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veteran's Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers.
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Microsoft has released a Fix It to disable the feature which was the subject of the POODLE attack. The Fix It, a program which implements changes in the registry, makes the process simpler than the alternatives.
POODLE is the name given to a vulnerability in SSL version 3.0 found earlier this month by a Google researcher. SSL was supplanted by TLS and the current version is 1.2, but systems may fall back to older versions if the server does not support the newer ones.