cross pond high tech
118.6K views | +0 today
Follow
cross pond high tech
light views on high tech in both Europe and US
Your new post is loading...
Your new post is loading...
Scooped by Philippe J DEWOST
Scoop.it!

U.S. urges removing Superfish program from Lenovo laptops

U.S. urges removing Superfish program from Lenovo laptops | cross pond high tech | Scoop.it
The U.S. government on Friday advised Lenovo Group Ltd customers to remove a "Superfish," a program pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks.

The Department of Homeland Security said in an alert that the program makes users vulnerable to a type of cyberattack known as SSL spoofing, in which remote attackers can read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks.

"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the agency said.

Adi Pinhas, chief executive of Palo Alto, California-based Superfish, said in a statement that his company's software helps users achieve more relevant search results based on images of products viewed. He said the vulnerability was "inadvertently" introduced by Israel-based Komodia, which built the application described in the government notice.

Philippe J DEWOST's insight:

of US government, Chinese laptops, and Israeli software "inadvertently" introduced vulnerabilities...

more...
No comment yet.
Scooped by Philippe J DEWOST
Scoop.it!

Does your Heartbleed ?

Does your Heartbleed ? | cross pond high tech | Scoop.it

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

 

Basically, an attacker can grab 64K of memory from a server.  The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory.  This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable.  And you have to assume that it is all compromised.  All of it.

"Catastrophic" is the right word.  On the scale of 1 to 10, this is an 11.

Philippe J DEWOST's insight:

I have been used to see BT's Security Chief more softtoned. This OpenSSL bug must be very serious.

more...
No comment yet.
Scooped by Philippe J DEWOST
Scoop.it!

Google Reveals SSL 3.0 Encryption Vulnerability

Google Reveals SSL 3.0 Encryption Vulnerability | cross pond high tech | Scoop.it

Google researchers announced(PDF link) that they have found a bug in the SSL 3.0 protocol. The exploit could be used to intercept critical data that’s supposed to be encrypted between clients and servers.

The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

 

In other words, your data is no longer encrypted. Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz recommend disabling SSL 3.0 on servers and in clients. The server and client will default to the more secure TSL and the exploit won’t be possible.

Philippe J DEWOST's insight:

openSSL was not the only one. Now that #SSL 3.0 is broken, what's left ?

more...
No comment yet.