SECURE 2014 Registration

Testing Heartbleed from the client-side perspective

18 April 2014 T.B.


In the last week or so, infosec headlines were dominated by reports on the OpenSSL vulnerability (CVE-2014-0160). We blogged on what the situation looked like with regard to Polish services and address space (and TOR as well). It is worth noting, however, that the OpenSSL library is used not only in server software. It is also a very common element of client software. What does that mean? If client software using a vulnerable version of OpenSSL connects to a crafted malicious server, the server can ‘download’ a portion of data from the client's memory. This portion may contain data on which the software operates, such as a database password or configuration.

To simplify testing of client applications, CERT Polska prepared a service that makes it possible to test any client software using SSL – from web browsers to custom console applications.

Is your app vulnerable?


http://www.cert.pl/heartbleed/ – Heartbleed client test
 

Heartbleed in TOR (and in Poland)

11 April 2014 Łukasz Siewierski


In the last few days the most popular vulnerability seems to be CVE-2014-0160. This two-year-old vulnerability was in the OpenSSL library, versions 1.0.1a-f, and allows an attacker to read a part of the memory of the process. The use of this library is very prevalent not only in server environments (e.g. WWW or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and the Polish network. Information on the Electronic Frontier Foundation Deeplinks blog allows one to speculate that the intelligence agencies knew about the bug a year ago and actually used it.


SECURE 2014 Call for Speakers is Now Open

7 April 2014 piotrk

SECURE 2014 is a conference dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.


Honeynet Project Workshop CrackMe Solution

Łukasz Siewierski

Win a Honeynet Workshop pass! (UPDATE)

2 April 2014 Łukasz Siewierski

Honeynet Workshop Conference in Warsaw

11 March 2014 pawelj

CERT Polska takes part in a new international project

25 February 2014 alex