Author Archives: Dan Goodin

Uber’s epic DB blunder is hardly an exception. GitHub is awash in passwords

Recent revelations that Uber stored a sensitive database key on a publicly accessible GitHub page generated its share of amazement and outrage. Some Ars readers called for the immediate termination of the employees responsible or for the enactment of new legal penalties for similar blunders in the future.

Left out of the discussion was a point Ars first tried to drive home more than two years ago. To wit, GitHub and other public code repositories are awash with personal credentials posted by tens of thousands, or possibly even millions, of people, some of whom work for extremely sensitive organizations. A case in point are GitHub entries that appear to include everything needed to log into many Secure File Transfer Protocol accounts. One GitHub search revealed almost 269,000 entries like the one pictured above, showing the domain name or IP address, username, and password needed to log in to each account. Similar searches generated almost two million entries for WordPress accounts.

A quick scan of the results shows that many of them represent no security threat at all, since the password fields are blank or the credentials belong to non-existent accounts or accounts that are accessible only to users already connected to the local network. But a mind-numbingly large percentage of the results appear to provide credentials for accounts on production servers. Whether percentage is 33, 25, or even 10, it’s way too high. It wouldn’t be surprising if many of the credentials offered shell accounts that ran with highly privileged administrator rights. To protect the careless, this post won’t reveal the specific search terms used, even though they are extremely easy for readers figure out on their own or to find on Twitter, in blog posts, or in other venues.

Read 3 remaining paragraphs | Comments

More IoT insecurity: This Blu-ray disc pwns PCs and DVD players

For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do much the same thing—without any outward signs that an attack was underway.

Stephen Tomkinson, a security consultant at NCC Group, said he has devised a proof-of-concept exploit that allows a Blu-ray disc to compromise both a PC running Microsoft Windows and most standalone Blu-ray players. He spoke about the exploit on Friday at the Securi-Tay conference at the Abertay University in Dundee, Scotland, during a keynote titled “Abusing Blu-ray players.”

“By combining different vulnerabilities in Blu-ray players, we have built a single disc which will detect the type of player it’s being played on and launch a platform-specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion,” Tomkinson wrote in an accompanying blog post. “These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.”

Read 4 remaining paragraphs | Comments

“FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection

Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple’s OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.

Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website’s underlying private key. From that point on, attackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.

Read 10 remaining paragraphs | Comments

Wireless Device in Two Million Cars Wide Open to Hacking

An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.

US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users’ driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen’s 2013 Toyota Tundra pickup truck, according to Forbes. From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.

“Anything on the bus can talk to anything [else] on the bus,” Thuen was quoted as saying in an article from Dark Reading. “You could do a cellular man-in-the-middle attack” assuming the attacker had the ability to spoof a cellular tower that transmits data to and from the device.

Read 1 remaining paragraphs | Comments

How Installing League of Legends and Path of Exile Left Some With a RAT

Official releases for the League of Legends and Path of Exile online games were found laced with a nasty trojan after attackers compromised an Internet platform provider that distributed them to users in Asia.

The compromise of consumer Internet platform Garena allowed the attackers to attach malicious software components to the official installation files for the two games, according to a blog post published Monday by antivirus provider Trend Micro. In addition to the legitimate game launcher, the compromised executable file also included a dropper that installed a remote access tool known as PlugX and a cleaner file that overwrote the infected file after it ran.

According to Trend Micro, the attackers took care to conceal their malware campaign, an effort that may have made it hard for victims to know they were infected. The cleaner file most likely was included to remove evidence that would tip users off to a compromise or the origin of the attack. The cryptographic hash that was included with the tampered game files was valid, so even people who took care to verify the authenticity of the game installer would have no reason to think it was malicious, Trend Micro researchers said. The researchers linked to this December 31 post from Garena. Translated into English, one passage stated: “computers and patch servers were infected with trojans. As a result, all the installation files distributed for the games League of Legends and Path of Exile are infected.”

Read 2 remaining paragraphs | Comments

Real or Not, Purported Hack on US Military is a Coup for Islamic Extremists

The Twitter and YouTube accounts belonging to the US Central Command were compromised on Monday by people who claimed they hacked sensitive US military PCs and leaked confidential material in support of the Islamic State.

The compromised CENTCOM Twitter account contained graphics and text supporting the Islamic State in Iraq and Syria (ISIS), and it warned the US to expect more hacks. It was carried out by a person or group dubbed the CyberCaliphate. Central Command is one of nine unified commands in the US military. With its area of responsibility covering Afghanistan, Iraq, Syria, and Iran, it leads the US campaign against Islamic State extremists. Monday’s attacks appeared to be carried out by the same group that earlier this month commandeered the Twitter accounts of CBS affiliate WBOC-TV and the Albuquerque Journal.

At the time this post was being prepared, there was conflicting evidence supporting the claim that anything more than CENTCOM’s Twitter and YouTube accounts were compromised. Files linked in a post on Pastebin contained what appeared to be rosters of US military personnel, including contact information for Army commands and retired Army generals. A separate series of documents, contained in a folder titled war-scenarios, showed PowerPoint slides that appeared to be related to war games exercises involving China, North Korea, and regions in Africa, Indonesia, and the Caspian. One slide in a file titled SOCOM_Africa_Scenario.ppt was dated January 12, 2015. It proposed a CIA operation in Congo and Southern Africa dubbed “Operation Cakewalk” to seize yellowcake uranium. CENTCOM officials confirmed the compromise of the social networking accounts but told CNN none of the leaked documents appeared to be classified.

Read 2 remaining paragraphs | Comments

DDoS Service Targeting PSN and Xbox Powered by Home Internet Routers

The miscreants taking credit for knocking image board site 8chan offline, and earlier for taking down Sony’s and Microsoft’s gaming networks, operates an attack platform powered mostly by thousands of hacked home Internet routers, according to a published report.

The revelation, in an article posted Friday by KrebsOnSecurity, is the latest evidence documenting a big uptick in the hacking of Internet routers. Over the past 18 months, researchers have uncovered several other large-scale attacks on routing devices, including those made by Asus, Linksys, and many other manufacturers. Routers are often ripe targets because users fail to change default passwords, and the devices often contain security vulnerabilities that can easily be exploited by attackers halfway around the globe.

Those compromising routers for financial gain appear to be members of the Lizard Squad, a group that operates an online attack service that promises to take down any site a paying customer has requested. KrebsOnSecurity namesake Brian Krebs cited security researchers assisting law enforcement officials investigating the group. The researchers asked to remain anonymous. According to Krebs, the for-hire denial-of-service service is powered by a network of compromised devices that mostly include home routers from around the world that are protected by little more than default usernames and passwords. Krebs wrote:

Read 1 remaining paragraphs | Comments

World’s First (Known) Bootkit for OS X Can Permanently Backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it’s independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac’s Thunderbolt interface. When plugged into a Mac that’s in the process of booting up, the device injects what’s known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac’s system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can’t easily be removed by anyone who doesn’t have the new key.

Read 9 remaining paragraphs | Comments

Browsing in Privacy Mode? Super Cookies Can Track You Anyway

For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn’t save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.

Ironically, the chink that allows websites to uniquely track people’s incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP.

Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.

Read 6 remaining paragraphs | Comments

Critical networks in US, 15 other nations, completely owned, possibly by Iran

For more than two years, pro-Iranian hackers have penetrated some of the world’s most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.

In many cases, “Operation Cleaver,” as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world’s critical infrastructure. Cylance researchers wrote:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allow[ing] unfettered access to the victim’s domains. We were witnessed [sic] a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Tuesday’s 86-page report relies on circumstantial evidence to arrive at the conclusion that the 20 or more hackers participating in Operation Cleaver are backed by Iran’s government. Members take Persian handles such as Salman Ghazikhani and Bahman Mohebbi; they work from numerous Internet domains, IP addresses, and autonomous system numbers registered in Iran; and many of the custom-configured hacking tools they use issue warnings when their external IP addresses trace back to the Middle Eastern country. The infrastructure supporting the vast campaign is too sprawling to be the work of a lone individual or small group; it could only have been sponsored by a nation state.

Read 7 remaining paragraphs | Comments

Phishing Scam That Penetrated Wall Street Just Might Work Against You, Too

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.

FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will inject a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success.

E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns. Witness the following:

Read 6 remaining paragraphs | Comments

Highly Advanced Backdoor Trojan Cased High-profile Targets for Years

Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research.

Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran’s nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

To remain stealthy, the malware is organized into five stages, each of which is encrypted except for the first one. Executing the first stage triggers a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on. Analyzing and understanding the malware requires researchers to acquire all five stages. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer’s mouse, stealing passwords, monitoring network traffic, and recovering deleted files. Other modules appear to be tailored to specific targets. One such payload included code for monitoring the traffic of a Microsoft IIS server. Another sniffed the traffic of mobile telephone base station controllers.

Read 4 remaining paragraphs | Comments

Using a Password Manager on Android? It May be Wide Open to Sniffing Attacks

In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled “Hey, You, Get Off of My Clipboard,” they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.

Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it’s likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.

“Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app,” Clark wrote in an e-mail. “Instead, I got the strong impression from LastPass that everything was very secure, and I needn’t worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous.”

Read 12 remaining paragraphs | Comments

Many Tor-Anonymized Domains Seized by Police Belonged to Imposter Sites

A large number of the Tor-anonymized domains recently seized in a crackdown on illegal darknet services were clones or imposter sites, according to an analysis published Monday.

That conclusion is based on an indexing of .onion sites available through the Tor privacy service that cloaks the location where online services are hosted. Australia-based blogger Nik Cubrilovic said a Web crawl he performed on the darknet revealed just 276 seized addresses, many fewer than the 414 domains police claimed they confiscated last week. Of the 276 domains Cubrilovic identified, 153 pointed to clones, phishing, or scam sites impersonating one of the hidden services targeted by law enforcement, he said.

If corroborated by others, the findings may be viewed as good news for privacy advocates who look to Tor to help preserve their anonymity. Last week’s reports that law enforcement agencies tracked down more than 400 hidden services touched off speculation that police identified and were exploiting a vulnerability in Tor itself that allowed them to surreptitiously decloak hidden services. The revelation that many of the seized sites were imposters may help to tamp down such suspicions. In a blog post published Monday, Cubrilovic wrote:

Read 1 remaining paragraphs | Comments

FBI’s Most Wanted Cybercriminal Used His Cat’s Name as a Password

When he was arrested at his Chicago home in 2012 for hacking the website of security think tank Stratfor, the dreadlocked Jeremy Hammond was the FBI’s most wanted cybercriminal. Authorities tracked him down with the help of top LulzSec member Hector Xavier Monsegur. But it has never been known how they managed to shut the lid of him computer, effectively encrypting the contents of Hammond’s hard drive, which the hacker was able to encrypt as agents armed with assault rifles were raiding his home.

An Associated Press profile of the 29-year-old’s life behind bars provides a possible answer. Hammond’s password was “Chewy 123.”

Hashing algorithms protecting encryption keys are by design extremely slow, making cracking attacks harder to carry out. The more guesses the attacker tries the exponentially longer it will take. As demonstrated in previous Ars articles such as Why passwords have never been weaker—and crackers have never been stronger and Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”, “Chewy 123” would be among the earlier candidates any experienced cracker would try. And assuming agents performed any research on their then suspect, “Chewy 123” would almost certainly have been near the top of the list. “Chewy,” it turns out, was the name of Hammond’s cat.

Read 1 remaining paragraphs | Comments

iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own

An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all hijacked by whitehats on the first day of an annual hacking contest that pays hefty cash prizes for exploits bypassing security sandbox perimeters.

Day one of the Mobile Pwn2Own competition at the PacSec conference in Tokyo repeated a theme struck over and over at previous Pwn2Own events. If a device runs software, it can be hacked—regardless of claims made by marketers or fans. Organized by the Hewlett-Packard-owned Zero Day Initiative and sponsored this year by Google and Blackberry, Mobile Pwn2Own awards as much as $150,000 for the most advanced hacks, with a total prize pool of $425,000. In exchange, contestants agree to turn over technical details to the organizer and keep them confidential until the underlying vulnerabilities have been patched.

During the first day, according to this HP blog post, the following hacks took place:

Read 2 remaining paragraphs | Comments

Stuxnet Worm Infected High-Profile Targets before Hitting Iran Nukes

The Stuxnet computer worm that attacked Iran’s nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a book published Tuesday.

The new account, included in Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Wired reporter Kim Zetter, is at odds with the now-popular narrative that the malware first penetrated Iran’s Natanz enrichment facility and later unexpectedly broke loose to infect hundreds of thousands of other sites across the globe. That earlier account, provided by New York Times journalist David Sanger, characterized the escape outside of Natanz as a programming error that was never intended by engineers in the US and Israel, the two countries Sanger and Zetter said devised and unleashed Stuxnet. According to Zetter, the world’s first known cyber weapon first infected Iranian companies with close ties to Iranian nuclear facilities and only later found its way to Natanz.

“To get their weapon into the plant, the attackers launched an offensive against four companies,” Zetter wrote. “All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.”

Read 6 remaining paragraphs | Comments

Unpatched bug in Mac OS X gives root access to untrusted people

An unpatched vulnerability in Yosemite and some earlier versions of Apple’s Mac OS X allows untrusted people to take full control of users’ machines, a security researcher has warned.

Dubbed Rootpipe, the privilege escalation bug allows people to gain root access, a nearly unrestricted level of system privileges, without first entering the “sudo” password, according to a recent report published by MacWorld. Sudo is a mechanism that’s designed to prevent code execution, file deletions, and other sensitive operations from being carried out by unauthorized people who have physical access to a computer.

“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password,” Emil Kvarnhammar, a researcher at Swedish security firm Truesec, told Macworld. “It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it.”

Read 2 remaining paragraphs | Comments

Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud

Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft’s Windows Update mechanism.

Nathaniel McHugh ran open source software known as HashClash to modify two separate images—one of them depicting funk legend James Brown and the other R&B singer/songwriter Barry White—that generate precisely the same MD5 hash, e06723d4961a0a3f950e7786f3766338. The exercise—known in cryptographic circles as a hash collision—took just 10 hours and cost only 65 cents plus tax to complete using a GPU instance on Amazon Web Service. In 2007, cryptography expert and HashClash creator Marc Stevens estimated it would require about one day to complete an MD5 collision using a cluster of PlayStation 3 consoles.

The MD5 hash for this picture—e06723d4961a0a3f950e7786f3766338—is precisely the same for the one below. Such “collisions” are a fatal flaw for hashing algorithms and can lead to disastrous attacks.

The practical ability to create two separate inputs that generate the same hash is a fundamental flaw that makes MD5 unsuitable for most purposes. (The exception is password hashing. Single iteration MD5 hashing is horrible for passwords but for an entirely different reason that is outside the scope of this post.) The susceptibility to collisions can have disastrous consequences, potentially for huge swaths of the Internet.

Read 4 remaining paragraphs | Comments

Google Releases “nogotofail” to Detect HTTPS Bugs Before They Bite Users

Following a string of catastrophic vulnerabilities recently discovered in HTTPS encryption protections, Google engineers have released an app that allows developers to detect bugs and glitches that may leave passwords and other sensitive information open to snooping.

The open source tool is dubbed nogotofail, a reference to the so-called goto fail flaw that gave attackers an easy way to surreptitiously circumvent HTTPS-protected connections of Apple iOS and OS X devices. Since its discovery in February, various implementations of the underlying secure sockets layer (SSL) and transport layer security (TLS) protocols have suffered several other devastating vulnerabilities, including a flaw in the GnuTLS library, the catastrophic Heartbleed bug in OpenSSL, and the more recently disclosed in version 3 of SSL.

“The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations,” Google engineers wrote in a blog post published Tuesday morning. “Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy.”

Read 1 remaining paragraphs | Comments