SSL | Breaking Cybersecurity News | The Hacker News

When assessing an organization's external attack surface, encryption-related issues (especially SSL misconfigurations) receive special attention . Why? Their widespread use, configuration complexity, and visibility to attackers as well as users make them more likely to be exploited.  This highlights how important your SSL configurations are in maintaining your web application security and minimizing your attack surface. However, research shows that most (53.5%) websites have  inadequate security and that  weak SSL/TLS configuration is amongst the most common application vulnerabilities. Get your SSL configuration right, and you'll enhance your cyber resilience and keep your apps and data safe. Get it wrong, however, and you can increase your organization's attack surface, exposing your business to more cyberattacks. We'll explore the impacts of SSL misconfigurations and explain why they present such a significant attack surface risk. Then, we'll show you how a s...

It is finally time to say GoodBye to the old and insecure Web security protocols. Citing the long history of weaknesses in the Secure Sockets Layer (SSL) 3.0 cryptographic protocol and the RC4 Cipher Suite, Google plans to disable support for both SSLv3 as well as RC4 stream cipher in its front-end servers. While announcing on its official blog , the Search Engine giant said the company is looking to put away SSLv3 and RC4 in all of its front-end servers, and eventually, in all its software including Chrome, Android, Web crawlers, and email servers. The move by Google came as no surprise, considering the fact that both RC4 and SSLv3 have been deemed unsecure by the Internet Engineering Task Force (IETF). What are the Problems? SSLv3, which was made outdated 16 years ago, has a long history of security problems like BEAST , out of them the most recent one was POODLE ( Padding Oracle On Downgraded Legacy Encryption ) attacks, which lead to the recovery of plaintext communication...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

Heartbleed has left a worst impression worldwide affecting millions of websites and is also supposed to put millions of Smartphones and tablets users at a great risk. Heartbleed is a critical bug ( CVE-2014-0160 ) in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS/DTLS heartbeat extension, which allows attackers to read portions of the affected server's memory, potentially revealing users data such as usernames, passwords, and credit card numbers, that the server did not intend to reveal. OpenSSL is a widely-used cryptographic library which implements the SSL and TLS protocol and protects communications on the Internet, and mostly every websites use either SSL or TLS, even the Apache web server that powers almost half of the websites over internet utilizes OpenSSL. But to assume that the users using desktop browsers to visit websites are vulnerable to the Heartbleed bug, will be wrong. Despite 40...

The Bloomberg claimed that the U.S. National Security Agency (NSA) knew about the most critical Heartbleed flaw and has been using it on a regular basis to gather " critical intelligence " and sensitive information for at least past two years and decided to keep the bug secret, citing two sources ' familiar with the matter '. In response to the above report, NSA has issued a ' 94 character' statement today denying the claims that it has known about the Heartbleed bug since two years and that it has been using it silently for the purpose of surveillance. " NSA was not aware of the recently identified Heartbleed vulnerability until it was made public ," the U.S. intelligence agency said on its Twitter feed . Heartbleed is one of the biggest Internet vulnerabilities in recent history that left large number of cryptographic keys and private data such as usernames, passwords, and credit card numbers, from the most important sites and services on the Int...

Millions of websites, users' passwords, credit card numbers and other personal information may be at risk as a result of the Heartbleed security flaw , a vulnerability in widely used cryptographic library ' OpenSSL '. [ READ DETAILS HERE ] Netcraft survey says that about half a million widely trusted active websites on the internet are vulnerable to the heartbleed bug, which means the information transmitting through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption techniques. According to Netcraft, " the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings. " Among the trusted names running OpenSSL is Yahoo!, which has been ...

Are you safe from the critical bug Heartbleed?? OpenSSL- the encryption technology used by millions of websites to encrypt the communication and is also used to protect our sensitive data such as e-mails, passwords or banking information.  But a tiny, but most critical flaw called " Heartbleed " in the widely used OpenSSL opened doors for the cyber criminals to extract sensitive data from the system memory. WHAT IS HEARTBLEED? SSL and TLS are known to provide communication security and privacy over the Internet for applications such as websites, email, instant messaging (IM), including some virtual private networks (VPNs). Heartbleed is a critical bug ( CVE-2014-0160 ) is in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS (transport layer security protocols) and DTLS ( Datagram TLS ) heartbeat extension (RFC6520). This bug was independently discovered by a team of security enginee...

In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys,  TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide. Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users. Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack. ' After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all. ' CERT Polska researchers said. That DNS Hijacking trick is not new, neither most of the router vulnerabilities are, but still millions of...

Are you fond of playing games on your Smartphone like Angry Birds or Subway Surfer ?? You should now stop wasting your time, because NSA is utilizing your gaming energy in the best possible way. According to the latest documents leaked by former U.S. Government contractor Edward Snowden , Some of the world's most popular Smartphone applications are telling British (GCHQ) and American intelligence agencies ( NSA ) everything about you. NSA is tapping communication across the Internet of all " leaky " apps ( Unencrypted app, without SSL connection ) to peek into the tremendous amounts of very personal data, including your age, location, sex and even sexual preferences. This is really unacceptable! The Guardian claims that the NSA and its UK counterpart GCHQ have been developing capabilities to take advantage of these 'leaky' apps, collecting most sensitive information such as sexual orientation and " even sends specific sexual preferences such a...

Tor is one of the best and freely available privacy software that lets people communicate anonymously online through a series of nodes that is designed to provide anonymity for users and bypass Internet censorship. When you use the Tor software, your IP address remains hidden and it appears that your connection is coming from the IP address of a Tor exit relay or nodes , which can be anywhere in the world. An exit relay is the final relay that Tor traffic passes through before it reaches its destination. According to a recent report ' Spoiled Onions: Exposing Malicious Tor Exit Relays ', published by security researchers Phillip Winter and Stefan Lindskog revealed that almost 20 exit relays in the Tor anonymity network that attempted to spy on users' encrypted traffic using man-in-the-middle techniques. Both Researchers spent more than four months studying on the Tor exit nodes using their own scanning software called " exitmap " and detected su...

Google has found that the French government agency using unauthorized digital certificates  for some of its own domains to perform man-in-the-middle attacks on a private network. Google security engineer Adam Langley described the incident as a "S erious Security breach ", which was discovered in early December. Rogue digital certificates that had been issued by French certificate authority ANSSI, who closely work with the French Defense agency. "In response, we updated Chrome's certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users" Google has immediately blocked the misused intermediate certificate and updated Chrome's certificate revocation list to block all dodgy certificates issued by the French authority. In a statement, ANSSI said that the intermediate CA certificate was used to inspect encrypted traffic with the user's knowle...

A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic in just 30 seconds. The technique was demonstrated at the Black Hat security conference in Las Vegas ( Presentation PDF  & Paper ) by Gluck along with researchers Neal Harris and Angelo Prado, which allows hackers to decodes encrypted data that online banks and e-commerce sites from an HTTPS channel. Neal, Yoel and Angelo ( From left to right) at BlackHat BREACH ( Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext ) is very targeted and don't decrypt the entire channel. BREACH manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings. Angelo Prado told The Hacker News , " We are using a compression oracle is leveraging the building blocks from CRIME , on a diff...

The most common approach to protect data during communication on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. Thousands of applications in the Google Play market that are using these implementations. A group of researchers including Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith from Distributed Computing & Security Group - Leibniz University of Hannover, Hannover, Germany and Lars Baumgärtner, Bernd Freisleben from Department of Math. & Computer Science - Philipps University of Marburg, Marburg, Germany, have presented a paper that  most of these applications contain serious mistakes in the way that SSL/TLS is implemented, that leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Tests performed on 100 selected apps confirmed that 41 of them were vulnerable to known atta...

The Internet has created many new global business opportunities for enterprises conducting online commerce. However, the many security risks associated with conducting e-commerce have resulted in security becoming a major factor for online success or failure. Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer but it also protects people who visit your home, place of business, or website. It is important to understand the potential risks and then make sure you are fully protected against them. In the fast-paced world of technology, it is not always easy to stay abreast of the latest advancements. For this reason it is wise to partner with a reputable Internet security company. Here we have a very cool guide from  Symantec , This guide will de-mystify the technology involved and give you the information you need to ...