Authentic8 Blog Author: Les Dunston

Is Shellshock the biggest vulnerability ever? Maybe so, but not for long. Be prepared for more.


The techno-sphere is on fire again, this time with news of a newly discovered vulnerability in a ubiquitous component of the internet infrastructure. Just a few months ago, Heartbleed gave us all a lesson on how OpenSSL works and how to secure network communications. It also demonstrated that the infrastructure we rely on has gaping security holes. At the time, experts called Heartbleed the “worst security flaw ever.” But the industry responded and the furor died down. Now, a vulnerability in Bash dubbed Shellshock has taken Heartbleed’s place as the worst ever. We’ll leave it to others to hash out which flaw deserves the title of ‘worst.’ What matters is that our infrastructure is vulnerable and there are almost certainly other exploitable flaws that haven’t been found yet. Or they have been found and just haven’t been publicised.

This latest vulnerability is within Bash, the de facto command-line shell that exists on all Unix/Linux systems.

Lessons learned from Code Spaces


Last Tuesday, Code Spaces came under a DDoS attack. The attacker then obtained access to Code Spaces’ Amazon console and demanded a ransom for the safe return of the account. For some unknown or yet-to-be-explained reason, Code Spaces decided to start changing Amazon credentials in an effort to regain control of the account. This is where the story goes from bad to worse. The attacker noticed Code Spaces’ activity and retaliated by deleting EC2 instances, S3 buckets, and EBS snapshots. This effectively laid waste to all of Code Spaces’ infrastructure and backups. The devastation was so bad that it not only knocked Code Spaces offline, but offline indefinitely. Game over.

We feel for Code Spaces. Building, deploying, and maintaining an online service is a difficult endeavour. Ne’er-do-wells lurk at every corner trying to knock your service offline or steal data. The sophistication varies from script kiddies to state-sponsored attacks. The most potent attacks, though, come from the inside. Regardless of the

In the wake of Heartbleed, make sure your browser checks for revoked certs


The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library.

Last Monday, Heartbleed, one of the worst security vulnerabilities in the history of the Internet, was announced to the public. This isn't hyperbole: ⅔ of the Internet’s websites rely on the underlying OpenSSL libraries that are at the center of the exploit. For a while, it looked like an exploit in theory only, but Cloudflare announced a challenge to see if the security community was overreacting to the tin foil hat crowd. It turns out that the vulnerability can be and has been exploited.

Any site using the underlying OpenSSL cryptographic software library that contained the vulnerability has been scrambling over the past week to update systems. It has been great to see the rapid and broad-based response, but updating and patching systems is only the initial step to dealing with the issue. The patch stops attackers from continuing to steal sensitive information like private keys and passwords, but