SECURITY BITS: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Some of the world’s leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veterans Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers. The attacks are a variation on the so-called POODLE exploits disclosed two months ago.

Read more: Meaner Poodle Exploits

SECURITY BITS: Complex piece of malware with James Bond Level espionage capabilities: Meet Regin.

A highly complex piece of malware with James Bond-level espionage capabilities has been spying on governments, infrastructure operators, businesses and individuals since 2008, according to security company Symantec.

Detailed in a company blog post, the back-door type Trojan, called “Regin”, can be highly customised through the use of modules depending on its intended target and has allegedly been used as a tool for mass surveillance.

Regin has been found to infect its victims in multiple ways, from luring them to spoofed versions of well-known websites, where it installs itself, to exploiting applications.

The malware has claimed a number of victims as part of two waves, with a first version targeting organisations between 2008 and 2011 before being withdrawn. It re-emerged in 2013 to target companies, government entities and research institutions, with almost half of all infections targeting private individuals, small businesses and telecoms companies.

Read more: Complex piece of malware…

SECURITY BITS: Security bug in WordPress renders site visitors the potential victims.

It never ends. This time it’s WordPress’ turn. A four-year-old security bug in WordPress comments could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Very bad indeed. This does not affect the latest version of WordPress (v4), but most sites still run on v3, which leaves more than 80% of WordPress sites vulnerable. Strictly speaking, it is their visitors who are at risk. Read more here:

http://arstechnica.com/security/2014/11/four-year-old-comment-security-bug-affects-86-percent-of-wordpress-sites/#p3

SECURITY BITS: The “Poodle” attack and the end of SSLv3

Finally a good piece on the Poodle attack and the end of SSLv3 from the Mozilla Blog. The short version:

In late September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as “POODLE”, is similar to the BEAST attack. By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.


Today, Firefox uses SSLv3 for only about 0.3% of HTTPS connections. That’s a small percentage, but due to the size of the Web, it still amounts to millions of transactions per day.

You can find all the information you need from a Mozilla perspective here:

The Mozilla Blog
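The downgrade mechanism the Mozilla post describes above is easy to lose in prose, so here is a small model of it with the two server-side defences: refusing SSLv3 outright, and honouring the TLS_FALLBACK_SCSV signalling cipher suite from RFC 7507, which lets a server recognise a retried, downgraded handshake and reject it. This is example code added here, not code from Mozilla or from the original post. The version tuples, the single placeholder cipher suite 0x002F, the `negotiate` and `browser_fallback` functions and the `blocked_versions` set are simplifications made for the example; the SCSV value 0x5600 and the Python `ssl` API calls are real.

```python
"""Model of the SSLv3 downgrade and its server-side mitigations.

Added example, not from Mozilla or the original post. The negotiation
logic is a deliberately simplified model of TLS version selection.
"""
import ssl

# Protocol version numbers as they appear on the wire (major, minor).
SSL3 = (3, 0)
TLS1_0 = (3, 1)
TLS1_1 = (3, 2)
TLS1_2 = (3, 3)

# Signalling cipher suite from RFC 7507. A client adds it to its cipher
# suite list whenever it is retrying a handshake at a version lower than
# the highest one it supports.
TLS_FALLBACK_SCSV = 0x5600

# Placeholder for "some ordinary cipher suite" (constructed for the example).
PLAIN_SUITE = 0x002F


def negotiate(server_max, client_version, client_suites, allow_ssl3):
    """Return the version the server agrees to, or an alert name.

    server_max:     highest version the server supports
    client_version: version the client offered in its ClientHello
    client_suites:  set of cipher suite identifiers the client offered
    allow_ssl3:     whether SSLv3 is still enabled on the server at all
    """
    # Defence 1: simply do not speak SSLv3 any more.
    if client_version == SSL3 and not allow_ssl3:
        return "alert:protocol_version"
    # Defence 2 (RFC 7507 section 3): the client says it is retrying at a
    # lower version, yet we could have done better - something between us
    # broke the earlier attempt, so refuse rather than accept the downgrade.
    if TLS_FALLBACK_SCSV in client_suites and client_version < server_max:
        return "alert:inappropriate_fallback"
    return min(server_max, client_version)


def browser_fallback(server_max, allow_ssl3, blocked_versions, send_scsv):
    """Model the browser's 'insecure fallback': retry one version lower
    whenever a handshake does not complete.

    blocked_versions is a constructed set of versions whose handshakes never
    finish (a flaky network, or anything on the path dropping them).
    send_scsv says whether the browser implements RFC 7507.
    """
    for version in (TLS1_2, TLS1_1, TLS1_0, SSL3):
        if version in blocked_versions:
            continue  # handshake failed; browser tries the next version down
        suites = {PLAIN_SUITE}
        if send_scsv and version < TLS1_2:
            suites.add(TLS_FALLBACK_SCSV)  # flag this as a downgraded retry
        return negotiate(server_max, version, suites, allow_ssl3)
    return "connection_failed"


def hardened_server_context():
    """A real ssl.SSLContext that cannot negotiate anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def refuses_ssl3(ctx):
    """True when the context's floor is at or above TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    blocked = {TLS1_2, TLS1_1, TLS1_0}
    print("old browser, SSLv3 enabled :", browser_fallback(TLS1_2, True, blocked, False))
    print("SCSV browser, SSLv3 enabled:", browser_fallback(TLS1_2, True, blocked, True))
    print("old browser, SSLv3 disabled:", browser_fallback(TLS1_2, False, blocked, False))
    print("hardened context refuses SSLv3:", refuses_ssl3(hardened_server_context()))
```

The first printed line is the situation the post warns about: with the higher versions failing and SSLv3 still enabled, an old browser ends up on SSLv3 and the server accepts it. Either defence alone closes that path; disabling SSLv3 is the simpler one and is what the post recommends, while the SCSV also protects servers that must keep older versions enabled for a while.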

SECURITY BITS: And then Dropbox has been leaking passwords. What’s next?

Hi,

We’ve had to deal with one security breach after another lately: Bash, Target, Home Depot, Heartbleed and others. We also know that Dropbox is not the service you would choose for your most sensitive data because of the “one key for all” issue. And today we got to know it got worse: login information has leaked through a third-party application connected to Dropbox, you know, one of those services you have to approve when it asks to access and work with your Dropbox. This one has been stealing passwords. More here:


Hundreds of Dropbox accounts compromised via third party service


Change your password! How many times have we heard that lately? Far too many!