Security Brief: Heartbleed Bug, Google Vulnerabilities, Arrested Hackers

The main stories for the week between April 7 and April 13, 2014

By on April 13th, 2014 00:59 GMT

In case you haven’t been online too much over the past week or if you fear you might have missed some important stories, here’s your chance to catch up.


Heartbleed Bug


The Heartbleed bug, the OpenSSL vulnerability that can be exploited to obtain sensitive information from affected servers, has made a lot of headlines this week. The bug is highly critical because it can be used to steal passwords, financial data, and the contents of communications.

A couple of days ago, experts confirmed that it can even be leveraged to obtain private keys. Some companies replaced SSL certificates before getting the confirmation, but Netcraft says there are still hundreds of thousands of certificates that need to be revoked.

Companies are struggling to patch their OpenSSL installations. While some have acted quickly, others haven’t, and experts say months could pass until every company has secured its systems.

In the meantime, cybercriminals have already started leveraging news about Heartbleed in their operations.

There’s one important question regarding the vulnerability. Has anyone exploited it? After all, Heartbleed has existed for two years before being patched by OpenSSL.

If we were to trust reports, the NSA has known about it for two years. However, the agency categorically denied knowing about it before its existence was made public.

Vulnerabilities

In addition to Heartbleed, this week we’ve learned of a lot of interesting vulnerabilities in popular software. Some bugs have been fixed, while others remain unpatched.

Many vulnerabilities have been reported in Google software. For instance, experts from Detectify have identified an XXE flaw in the Google Toolbar Button Gallery for which they’ve been rewarded with $10,000 (€7,200).

A total of 31 security holes have been patched by Google with the latest Chrome 34 update. Researchers who contributed to making Chrome more secure have been rewarded with a total of close to $30,000 (€21,600)

On the other hand, Google hasn’t been so generous with everyone. Israeli expert Guy Aharonovsky has identified a vulnerability in Chrome’s old speech recognition API that could be exploited to steal the transcript generated by application. However, Google says it’s a “low-severity” issue.

WordPress 3.8.2 was released this week. Only two vulnerabilities have been fixed, but the latest version also includes three security hardening changes.

In the “vulnerabilities” section of this week’s security brief we also have an SQL Injection fixed in Orbit Open Ad Server, a BlackBerry 10 remote code execution bug, 8 SQL Injection flaws addressed by Yahoo, and security improvements made in MongoDB 2.6.

Finally, TxTag has told Softpedia it’s working on fixing a serious vulnerability uncovered by security researcher David Longenecker.

Cybercrime

As far as cybercrime is concerned, we’ve seen a lot of arrests and indictments over the past week. US authorities unsealed an indictment charging nine people with being involved in a cybercriminal operation that leveraged the ZeuS Trojan to steal millions of dollars from bank accounts.

A 27-year-old from Texas, who’s believed to be part of the Anonymous movement, faces new charges. Initially, he was charged with hacking only one website, but this week he was informed of 14 additional counts related to computer hacking.

Two Americans and one Canadian have been charged with hacking into the systems of several major video game companies in an effort to steal unreleased games. They’re also said to have stolen information on Xbox One from Microsoft, before the Redmond company officially released the console.

Trying to be a white hat hacker can be difficult sometimes. One man had his house raided by the FBI after he exploited a vulnerability in the systems of the University of Maryland. He decided to prove his point after his responsible disclosure efforts were ignored.

Cameron Harrison, one of the tens of individuals accused of being involved with the identity theft service known as Carder.su, has pleaded guilty.

Here are some other stories worth reading:

Andrew “Weev” Auernheimer is free

Beware of “World of Warcraft: Warlords of Draenor” phishing scams!

Fake Android app “Virus Shield” shows why it’s important to stick to trusted solutions

Australian athlete injured after someone apparently hacked a videography drone

UK Department of Culture, Media and Sport Twitter account hacked

Comments

Security brief for April 7 - April 13, 2014
   Security brief for April 7 - April 13, 2014