Security Simplified ! - A Kaapagam Technologies IT Security Blog

Heartbleed: An OpenSSL vulnerability

9. April 2014 13:33 by CA in Vulnerability

A vulnerability affecting OpenSSL has been reported and it may affect your organization. The "Heartbleed" SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web, email, database and chat-servers.

How does it work?

This vulnerability allows an attacker to read a portion of memory from the remote system without any known credentials or other form of authentication. The leaked memory may hold many kinds of content, ranging from leftover data from earlier connections and log messages up to the private key material used by the service or daemon. Because of this, many attack scenarios follow from the vulnerability. An attacker who obtains the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server or service. Leaked log messages may also contain credentials or expose the communications of other clients.
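To make the defect concrete, here is an added example (not the blog's text and not OpenSSL's code): a small C parser for the TLS heartbeat message layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) that applies the bounds check the vulnerable releases lacked. The sample record, the "hello" payload and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Parsed view of a heartbeat message: type(1) | length(2) | payload | padding */
struct heartbeat {
    uint8_t        type;
    uint16_t       payload_length;
    const uint8_t *payload;
};

/* Validates a heartbeat record before any payload byte is used.
 * Returns 0 on success, -1 if the record is malformed or the declared
 * payload length does not fit inside the bytes actually received. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, struct heartbeat *out)
{
    /* Minimum size: type + length + padding, with an empty payload */
    if (rec == NULL || out == NULL || rec_len < 1 + 2 + HB_PADDING)
        return -1;

    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;

    uint16_t plen = (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);

    /* The check the vulnerable versions lacked: the peer's length field is
     * bounded by the record length instead of being trusted as-is. */
    if ((size_t)1 + 2 + plen + HB_PADDING > rec_len)
        return -1;

    out->type           = type;
    out->payload_length = plen;
    out->payload        = rec + 3;
    return 0;
}

/* Constructed sample: payload "hello" (5 bytes) plus 16 bytes of padding,
 * 24 bytes on the wire. The length field is set to whatever the caller
 * asks for, so an honest and a lying sender can be compared. */
#define SAMPLE_PAYLOAD "hello"
#define SAMPLE_LEN (1 + 2 + 5 + HB_PADDING)

static size_t build_sample(uint8_t *buf, uint16_t claimed_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, SAMPLE_PAYLOAD, 5);
    memset(buf + 3 + 5, 0xAA, HB_PADDING);   /* stand-in for random padding */
    return SAMPLE_LEN;
}

/* Parser verdict for the sample record with a given length field. */
int check_sample(uint16_t claimed_len)
{
    uint8_t buf[SAMPLE_LEN];
    struct heartbeat hb;
    size_t n = build_sample(buf, claimed_len);
    return parse_heartbeat(buf, n, &hb);
}

/* Payload length the parser reports for the honest sample (field = 5). */
int sample_payload_length(void)
{
    uint8_t buf[SAMPLE_LEN];
    struct heartbeat hb;
    size_t n = build_sample(buf, 5);
    if (parse_heartbeat(buf, n, &hb) != 0)
        return -1;
    return hb.payload_length;
}

int main(void)
{
    printf("length field 5     -> %d\n", check_sample(5));       /* accepted */
    printf("length field 65535 -> %d\n", check_sample(0xFFFF));  /* rejected */
    printf("length field 6     -> %d\n", check_sample(6));       /* rejected */
    return 0;
}
```

A length field smaller than the real payload (here 0) is still accepted, because the remaining bytes are simply treated as padding; only a field that claims more bytes than were received is refused, which is exactly the case the leak depended on.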

Snapchat: 4.6 Million Usernames & Phone Numbers Exposed

2. January 2014 10:28 by CA in Hack, Privacy Leak, Vulnerability

In mid-December 2013, researchers at Gibson Security published Snapchat code that allowed phone numbers to be matched to usernames, after Snapchat had dismissed their earlier disclosures as theoretical. It looks like hackers took the GibSec disclosure more seriously than Snapchat did.

On January 1, 2014, an anonymous user announced the release of SnapchatDB and 4.6 million usernames and matched phone numbers in a Hacker News post.


The Snapchat accounts, even those marked 'private', were exposed in a database hack that Snapchat had known about for four months, ignored, and then told the press last week was only "theoretical."

A very obliging Siri opens up a vulnerability in iOS 7.0.2

1. October 2013 19:40 by CA in Vulnerability

An Israeli researcher has found a way to access a locked iPhone's contacts and messages database using Siri.


In a YouTube video, Dany Lisiansky showed how a locked phone running iOS 7.0.2 can be opened by using Siri's voice control to place a call to an attacker's system. This "feature" then lets an attacker reach the target handset's Phone application, giving access to the call history, voicemail, and the entire list of contacts by following seven steps:

Microsoft IE Zero Day Flaw Affects All Versions

18. September 2013 11:45 by CA in Hack, Vulnerability

Microsoft is reporting an unpatched vulnerability in all versions of Internet Explorer. All versions of IE, other than those running on Windows Server, are vulnerable. This includes Internet Explorer 11 on Windows 8.1 and RT.


The vulnerability is a memory corruption bug that could lead to remote code execution. Microsoft says it is aware of targeted attacks exploiting this vulnerability on Internet Explorer 8 and 9. Exploits such as these are often version-specific, even when the underlying vulnerability affects multiple versions.

The Fix It solution is available from this link. To apply it, click the Fix It icon above the Fix This Problem link. Applying this solution may limit some IE functionality, so if you run into problems after applying this interim patch, click the Fix It icon to the right of the "enable" button to reverse it.