18 April 2014 T.B.
In the last week or so infosec headlines were dominated by reports of the OpenSSL vulnerability (CVE-2014-0160). We blogged on what the situation looked like in regard to Polish services and address space (and TOR as well). It is worth noting, however, that the OpenSSL library is used not only in server software. It is also a very common element of client software. What does that mean? If client software that uses a vulnerable version of OpenSSL connects to a crafted malicious server, the server can ‘download’ a portion of data from the client's memory. This portion may contain data the software operates on, e.g. a database password or configuration data.
To simplify testing of client applications, CERT Polska prepared a service that allows testing of any client software that uses SSL, from web browsers to custom console applications.
Is your app vulnerable?
11 April 2014 Łukasz Siewierski
In the last few days the most popular vulnerability seems to be CVE-2014-0160. This two-year-old vulnerability is in the OpenSSL library, versions 1.0.1a-f, and allows reading a part of the memory of the affected process. The use of this library is very prevalent not only in server environments (e.g. WWW or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and the Polish network. Information on the Electronic Frontier Foundation Deeplinks blog suggests that intelligence agencies knew about the bug a year ago and actually used it.
7 April 2014 piotrk
SECURE 2014 is a conference dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.