Software Development jobs in SF Bay area

Wednesday, April 9, 2014

Heartbleed Bug (vulnerable OpenSSL) CVE-2014-0160

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL provides security and privacy for applications such as web, email, instant messaging (IM) and virtual private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the user names and passwords, instant messages, emails, and business-critical documents and communications protected by vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt the traffic. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

Operating system distributions that have shipped with a vulnerable OpenSSL version:
Debian Wheezy (stable): OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS: OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5: OpenSSL 1.0.1e-15
Fedora 18: OpenSSL 1.0.1e-4
OpenBSD 5.3: OpenSSL 1.0.1c 10 May 2012
OpenBSD 5.4: OpenSSL 1.0.1c 10 May 2012
FreeBSD 10.0: OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2: OpenSSL 1.0.1e
OpenSUSE 12.2: OpenSSL 1.0.1c

Operating system distributions with versions that are not vulnerable:
Debian Squeeze (oldstable): OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4: OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2: OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports: OpenSSL 1.0.1g (at 7 Apr 21:46:40 2014 UTC)
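The lists above mix upstream banners ("OpenSSL 1.0.1e 11 Feb 2013") with distro package versions ("1.0.1e-2+deb7u4"). As an added example, not taken from the advisory or this blog, here is a small Python classifier that pulls the upstream version out of either form and flags whether it falls in the 1.0.1 through 1.0.1f range that the OpenSSL advisory (secadv_20140407) names as affected. The range is from that advisory; the handling of 1.0.2-beta1 and the backport caveat in the docstring are my own additions.

```python
import re

# Matches the upstream OpenSSL version inside a banner or a package version
# string, e.g. "1.0.1e" in "OpenSSL 1.0.1e 11 Feb 2013" or "1.0.1e-2+deb7u4".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from an 'openssl version' banner or a
    distro package version, or None if no version is present in the text."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_status(text):
    """Classify a version string as 'vulnerable', 'not vulnerable' or 'unknown'.

    Per the OpenSSL advisory, 1.0.1 through 1.0.1f are affected and 1.0.1g is
    the fix; 0.9.8 and 1.0.0 never contained the heartbeat code. 1.0.2-beta1
    was affected and the fix went into 1.0.2-beta2.

    Caveat (assumption about distro practice, not from the advisory text):
    vendors backport fixes without bumping the upstream letter, so a patched
    Debian package still reports 1.0.1e. Treat 'vulnerable' here as 'confirm
    patch level against the vendor advisory', not as a final verdict.
    """
    v = parse_openssl_version(text)
    if v is None:
        return "unknown"
    major, minor, fix, letter = v
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # letter "" is the bare 1.0.1 release; "a".."f" are affected, "g"+ fixed
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if branch == (1, 0, 2) and "beta" in text.lower():
        return "vulnerable"       # 1.0.2-beta1; fixed in 1.0.2-beta2
    return "not vulnerable"       # 0.9.8, 1.0.0, 1.0.2 release and later


def classify_inventory(lines):
    """Map each inventory line (constructed sample input) to its status."""
    return {line: heartbleed_status(line) for line in lines}


if __name__ == "__main__":
    sample = ["OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-2+deb7u4",
              "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"]
    for line, status in classify_inventory(sample).items():
        print(f"{status:15s} {line}")
```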

This was published as a follow-up to the OpenSSL advisory on 7th of April 2014. 

The OpenSSL project has made a statement at
https://www.openssl.org/news/secadv_20140407.txt.

NCSC-FI published an advisory at
https://www.cert.fi/en/reports/2014/vulnerability788210.html. 

Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

References:
CVE-2014-0160
NCSC-FI case# 788210
http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)
http://www.ubuntu.com/usn/usn-2165-1/
http://www.freshports.org/security/openssl/
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
http://www.kb.cert.org/vuls/id/720951
https://www.cert.fi/en/reports/2014/vulnerability788210.html
https://www.cert.at/warnings/all/20140408.html
http://www.circl.lu/pub/tr-21/

Test your server for the Heartbleed bug here:
https://heartbleed.hostgator.com/

Saturday, April 5, 2014

The NSA domestic spying program is wrong! - Wednesday, April 19, 2006

This is a repeat post of an article I wrote back on Wednesday, April 19, 2006.

The NSA domestic spying program is wrong!


The Bush administration seems to be shredding the Fourth Amendment as fast as it can, with little or no regard for the Bill of Rights, the Constitution, or any checks and balances imposed by law or Congress.

Looking at the news lately, I have been outraged, but not shocked, at what we have discovered in the last few weeks from the papers the EFF has filed in court to block AT&T from wholesale eavesdropping on ALL internet and phone traffic across the country and around the world.

The thing that got my attention was the equipment being used. It is a pretty high-end gizmo called the Narus STA 6400, which is a semantic traffic analyzer. The Narus STA technology is used by intelligence agencies because it is able to analyze large amounts of data. Like 10 Gigabytes of data per second, tapping into the OC-192 fiber that makes up the backbone of all IP communications worldwide! Here is a little bit about this wonderful device from Narus...

NarusInsight Intercept Suite - Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept. The capabilities include playback of streaming media (i.e. VoIP), rendering of Web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. (source: Narus.com)

The NarusInsight Discover Suite (NDS) captures and classifies traffic and data on monitored links in real time at true carrier speeds (up to 10G/OC-192). Detailed layer 3 to layer 7 data are collected and correlated across every link and element on the network.
NDS empowers users to manage IP traffic and applications including VoIP, Skype, P2P (e.g., BitTorrent, e-Donkey/e-Mule, FastTrack/Kazaa, Gnutella, etc.), messaging (AOL IM/ICQ, Yahoo IM, MSN Messenger, Jabber, IRC, MMS), streaming media (RTP, RTCP, RTSP), e-mail (SMTP,POP3,IMAP), Web browsing and push to talk (PTT). (source: Narus)

If it were only being used to spy on "terrorists", and if proper procedures were followed, nobody would bat an eye. Support would be universal, as long as the laws were followed and a court warrant was obtained within the 72-hour timeframe. FISA was put in place to limit the federal government's power to wiretap private citizens after the Nixon administration took massive amounts of wiretapped phone calls and used them for political purposes.

Knowing a little about the program, it seems my darkest fears are true. I suspected that they were doing exactly what they claim not to be doing: wholesale interception of ALL Internet traffic and phone calls, using packet analyzers to sift through an ocean of data, looking for a few key words or any suspicious activity.

This means any phone call, any email, any instant message, any P2P program, and all of your web surfing has been intercepted and analyzed by the NSA and the Bush administration.

If that makes you feel all warm and fuzzy, like he is just trying to "protect" us from the evil-doers, think about this.

This is the guy who exposed a CIA undercover agent for political purposes, to refute the claims her husband was making regarding the facts leading us into war in Iraq. If you think he would do an end-run around Congress and the FISA courts to "protect" us, and not use anything he learns for political purposes, you are badly mistaken. They would use anything they learn to the fullest advantage, to expose some political enemy's dirty secrets, or to extort favors from a business, and Congress is just now finding out about it.

We will see in the next election how much outrage is in the country over this.

WHAT FOLLOWS IS THE ACTUAL LETTER FROM MARK KLEIN.


Statement
--Mark Klein, April 6, 2006


My Background:

For 22 and 1/2 years I worked as an AT&T technician, first in New York and then in California.

What I Observed First-Hand:

In 2002, when I was working in an AT&T office in San Francisco, the site manager told me to expect a visit from a National Security Agency agent, who was to interview a management-level technician for a special job. The agent came, and by chance I met him and directed him to the appropriate people.

In January 2003, I, along with others, toured the AT&T central office on Folsom Street in San Francisco -- actually three floors of an SBC building. There I saw a new room being built adjacent to the 4ESS switch room where the public's phone calls are routed. I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room. The regular technician work force was not allowed in the room.

In October 2003, the company transferred me to the San Francisco building to oversee the Worldnet Internet room, which included large routers, racks of modems for customers' dial-in services, and other equipment. I was responsible for troubleshooting problems on the fiber optic circuits and installing new circuits.

While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled "Study Group 3, LGX/Splitter Wiring, San Francisco" dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the "splitter" cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.

One of the documents listed the equipment installed in the secret room, and this list included a Narus STA 6400, which is a "Semantic Traffic Analyzer". The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets. The company's advertising boasts that its technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) provides complete visibility for all internet applications."

My job required me to connect new circuits to the "splitter" cabinet and get them up and running. While working on a particularly difficult one with a technician back East, I learned that other such "splitter" cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

What is the Significance and Why Is It Important to Bring These Facts to Light?

Based on my understanding of the connections and equipment at issue, it appears the NSA is capable of conducting what amounts to vacuum-cleaner surveillance of all the data crossing the Internet -- whether that be peoples' e-mail, Web surfing or any other data.

Given the public debate about the constitutionality of the Bush administration's spying on U.S. citizens without obtaining a FISA warrant, I think it is critical that this information be brought out into the open, and that the American people be told the truth about the extent of the administration's warrantless surveillance practices, particularly as it relates to the Internet.

Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA's spying program is really limited to foreign communications or is otherwise consistent with the NSA's charter or with FISA. And unlike the controversy over targeted wiretaps of individuals' phone calls, this potential spying appears to be applied wholesale to all sorts of Internet communications of countless citizens.

Attorney contact information:

Miles Ehrlich
Ramsey & Ehrlich LLP

Source: Legal Pad
Link to the full story is here.



God help us.

Can you call or write your Senator and Congressmen for me? Not that it will do us any good, but it's a start.