Read about it in more detail here on Red Hat’s site. This vulnerability affects all applications using certain versions of OpenSSL, so this is a cross-platform issue.

This isn’t nearly as atrocious as Heartbleed was, as there isn’t a chance of leaking your private keys. However, if you use Qualys SSL Labs’ excellent SSL web scanner to check your site’s security, this will immediately degrade your web application to an “F”.

Scrutiny of SSL has been ramped up significantly in the wake of Heartbleed, so if your application deals with any kind of regulated data I suggest you patch your servers immediately.

For Ubuntu users, this means it is time to do an OS upgrade to 14.04 LTS if you aren’t running a previous LTS version that is still receiving security updates…

do-release-upgrade your way to a safer tomorrow…

I have tagged this post with “heartbleed” as folks researching that issue need to pay attention to this one as well. The fix is the same; patch OpenSSL!

Regards!

References:
https://access.redhat.com/site/articles/904433
https://www.ssllabs.com/ssltest/analyze.html

Free penetration testing tools abound. Free, easy-to-use penetration testing tools… not as much. Free, easy-to-use, web-hosted penetration testing tools, rarer still.

I came across an excellent, web-hosted Nmap port scanning tool and I wanted to make sure I linked it here in case I needed it again in the future. Without further ado…

https://pentest-tools.com/discovery-probing/tcp-port-scanner-online-nmap

I haven’t explored the rest of the site, but the ability to quickly hit a public site and “fingerprint” the most common open ports is very, very handy. I hope others find this as useful as I have! What is nice about it is that, because it is web-hosted, it requires zero setup on your own machine, and quickly running scans is simple as everything is GUI’d.

I have found Zenmap useful if you are looking for something locally hosted to do internal scans between machines. It isn’t quite as easy to use and I have gotten some odd results from it, but it provides more flexibility, especially on Windows, vs. just going to the cmd shell and running the common “ping” and “telnet” commands.

While we are on the topic of excellent, free, web-hosted tools, SSL Labs has an absolutely phenomenal SSL testing suite for checking your site’s SSL security. In the wake of Heartbleed, there has been a lot of attention given to SSL security. If you are a company that runs a public site or sites with SSL, I recommend you start checking them now to make sure that they are configured as well as can be.

You can access that tool here:
https://www.ssllabs.com/ssltest/analyze.html

Reference:
http://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/38#38
https://pentest-tools.com/discovery-probing/tcp-port-scanner-online-nmap
https://www.ssllabs.com/ssltest/analyze.html

I have already discussed Heartbleed in detail and have provided instructions on how to close the hole on affected servers. Now that the hole is closed, the final step is changing your server’s private key and “re-keying” your SSL certificates. Re-keying simply involves creating a new certificate signing request and sending it to your (most likely) external certification signing authority. Once received, they should send you an updated key pair. The last step will be telling your application that uses SSL (in this case, and many others, Apache) to use the new keys. Let’s dive in!
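
The re-keying flow described above, as an added example that is not from the original post: generate a fresh key and CSR, then confirm that the certificate you install really belongs to the new key. The hostname www.example.test, the directory layout, the RSA 2048 key size and the self-signing standin_ca helper (a stand-in for the external CA so the example runs offline) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: re-keying after a possible private-key exposure.
# Hostname, file names and key size are assumptions, not from the post.
set -eu

# Create a NEW private key plus a CSR for it. The old key is treated as
# compromised, so the CSR must never be generated from it.
new_key_and_csr() (            # usage: new_key_and_csr <name> <dir>
    umask 077                  # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
)

# SHA-256 of the public key carried by a key, CSR or certificate.
pubkey_fp() {                  # usage: pubkey_fp key|csr|cert <file>
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# True only when both files carry the same public key.
same_key() {                   # usage: same_key <type> <file> <type> <file>
    a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Hypothetical stand-in for the external CA: self-signs the CSR.
standin_ca() {                 # usage: standin_ca <name> <dir>
    openssl x509 -req -in "$2/$1.csr" -signkey "$2/$1.key" -days 1 \
        -out "$2/$1.crt" 2>/dev/null
}

host=www.example.test          # constructed sample hostname
demo=$(mktemp -d); mkdir "$demo/old" "$demo/new"
new_key_and_csr "$host" "$demo/old" && standin_ca "$host" "$demo/old"
new_key_and_csr "$host" "$demo/new" && standin_ca "$host" "$demo/new"

# The pair Apache is pointed at (SSLCertificateFile / SSLCertificateKeyFile)
# must match; a leftover old certificate with the new key must not.
same_key key "$demo/new/$host.key" cert "$demo/new/$host.crt" \
    && echo "new certificate matches new key"
same_key key "$demo/new/$host.key" cert "$demo/old/$host.crt" \
    || echo "old certificate rejected: key mismatch"
rm -rf "$demo"
```

Running the same_key check against the files named in the Apache configuration before restarting catches the common mistake of installing the new certificate while the key path still points at the old key.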

Recently we had to wrestle with the Heartbleed bug. Heartbleed was/is a major flaw in certain versions of OpenSSL, which is itself an “open source” project/application/codebase… This has had all of the armchair developers (myself included in that mix) either defending the concept of open development or attacking it on grounds that it is less secure. I hold strongly to the former opinion that open development is a better way of doing things, but that is rooted more in my personal philosophies (which I do believe have merit) and not exactly in some strong study on the issue itself.

A quick Google search shows me that most people don’t even think about it, they just speak their mind and move on (like so many other topics…) and as a result make a lot of idiotic statements one way or the other. Hopefully this isn’t just another idiotic statement adding to the noise :). That same search also tells me that very little hard research has been done on the matter to validate anyone’s opinions.

Well, now a critical error has been found in Internet Explorer and there has already been evidence of its exploitation in the wild.

Heartbleed was a major vulnerability in the SSL protocol used by many, many sites and services. Folks have been scrambling to patch it up quickly since it was announced a few days prior.

If you are in the process of doing just that for yourself or your organization, you might be so busy fixing websites and webservers that you forget about other services that also make use of the OpenSSL protocol.

One such service is OpenVPN, particularly “Access Server”, as it has a client-facing web front-end. Luckily, there is already a new version of Access Server released, and updating your existing servers is quite simple on most Linux distributions.