Heartbleed plugin, ready for FaasT
ElevenPaths, 10 April 2014

There is a lot of good information about Heartbleed out there, so there is little more to add. It is an extremely serious vulnerability that has shaken the Internet from the bottom up. Known as Heartbleed, CVE-2014-0160 affects several versions of OpenSSL, from 1.0.1 to 1.0.1f, and 1.0.2-beta1. It is fixed in version 1.0.1g. Although the media talked about 66% of sites being affected, that figure actually corresponds to the Apache and nginx market share: not all of them use OpenSSL, and not all of those using it would be vulnerable.

The problem has already been fixed on our Latch servers. By the way, we have renewed our certificates for the API connection. If you as a customer were doing a certificate check on your side, you must update it with the new ones released yesterday.

What can happen to me?

If a vulnerable version of OpenSSL is used, potentially any user could access a chunk of OpenSSL memory. This means that whatever is in memory at that moment may be extracted by an attacker in a «clean», easy and remote way. In other words, if the extracted memory chunk contains users, passwords, session cookies or even the private key of that server (something that depends on probability and on «brute force»)… this information would be exposed. Since an attacker may connect as many times as necessary, it is serious indeed. So the one attacked is not only the server but also its users, accounts, etc. Depending on how SSL is configured, conversations between server and client could even be retrospectively decrypted. There are lots of proof-of-concept scripts that allow, with just a click, attacking vulnerable servers and, as a collateral effect, their users.

FaasT and Heartbleed

The FaasT team has been hard at work during the last two days adapting and creating the code that checks whether websites are indeed vulnerable. We already have this feature in our tool, as a plugin.
FaasT tests the vulnerability against any OpenSSL in use, even if its version claims to be safe.

Figure: Heartbleed real-time detection, shown in the FaasT vulnerabilities list

FaasT features include a way to show, as a picture, the evidence of a vulnerability exploited on a target. The evidence is shown both in the scanning report (PDF) and in the web interface.

Figure: Example of evidence with FaasT
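As an added illustration (not the FaasT plugin or any ElevenPaths code), the Python below triages "openssl version" banners from an inventory against the affected ranges the post lists (1.0.1 through 1.0.1f, 1.0.2-beta1; fixed in 1.0.1g). The host names and banners are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges as stated in the post: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g carries the fix. Branches other than 1.0.1/1.0.2 are outside the range.
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?", re.IGNORECASE
)

def parse_openssl_banner(banner: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Return (major, minor, fix, letter, prerelease) from an 'openssl version'
    banner such as 'OpenSSL 1.0.1f 6 Jan 2014', or None if it is not OpenSSL."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (pre or "").lower()

def version_in_affected_range(banner: str) -> Optional[bool]:
    """True if the version string falls inside the ranges the post names,
    False if outside them, None if the banner could not be parsed.
    This is a triage hint only: distributions backport the fix without
    bumping the letter, so a '1.0.1e' may already be patched (or not)."""
    parsed = parse_openssl_banner(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Bare 1.0.1 and letters a-f are affected; g and later carry the fix.
        return letter == "" or letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release is in the affected range.
        return pre == "beta1"
    return False

# Constructed sample inventory (hypothetical hosts and banners, not from the post).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "api-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "old-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lb-01": "no OpenSSL banner available",
}

def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to its classification so hosts flagged True (and None,
    which need a manual look) can be queued for a live test of the server."""
    return {host: version_in_affected_range(b) for host, b in inventory.items()}
```

Treat True and None as "still to be verified": as the post says, a version string is only a claim, and a behavioural check such as the FaasT plugin's is what settles it.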