"The CRA also declined to explain how it determined which SINs were
hacked, since Heartbleed intrusions are hard to detect."
My guess is he was probably quite proud of himself and went and told the
agency. "Hey you've got Heartbleed, look at all the SIN's somebody can
get." and then they promptly
I'm guessing he scripted to pull as many login/passes (or cookies) as
possible, then simply looped through them and grabbed the SIN data from the
web interface. Needing to "login" to each.
Indeed, what an idiot.
On Wed, Apr 16, 2014 at 12:27 PM, Justin Bull wrote:
> Some 19 year old kid used h
On 17.04.2014 01:06, Tim wrote:
>> and the others need a MITM attack which is not *that* easy
>> as connect to a server and send a heartbleed-packet without
>> anything in the logs of the attacked server
>
> I agree with you here. It seems that Lucky13 requires much more
> access and is much
> and the others need a MITM attack which is not *that* easy
> as connect to a server and send a heartbleed-packet without
> anything in the logs of the attacked server
I agree with you here. It seems that Lucky13 requires much more
access and is much harder to pull off in practice. Unless ther
Ruby openssl has a vulnerability: when a public key is issued prior to writing to
the private key and is reopened during a script, it spoofs a CA private key.
PoC script https://gist.github.com/10446549
___
Sent through the Full Disclosure mailing list
http:/
Also remember to actually try the exploit, even if you think your
0.9.8 installation isn't vulnerable. We found several devices which
were running a safe version in the audit paperwork, but actually
running a vulnerable version in practice.
-Paul
On Wed, Apr 16, 2014 at 6:03 PM, Ron Bowes wrote:
and the others need a MITM attack which is not *that* easy
as connect to a server and send a heartbleed-packet without
anything in the logs of the attacked server
frankly outside a public hotspot / untrusted network nobody
but the NSA and other agencies are really able to MITM
Am 16.04.2014 2
The fact that for BEAST, CRIME and LT there is not a fully implemented
and *public* PoC doesn't mean that those attacks were/are not critical.
They were very critical when they came out, and involved more trickery
than Heartbleed to work.
I guess you can find full PoC implementations if you searc
On Wed, 16 Apr 2014 18:10:15 +0800
Shawn wrote:
> I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know.
I'd really like to hear some arguments to back that claim.
Basically, Lucky13 is a protocol problem and thus the fix is a bit less
obvious than for heartblee
Hi @ll,
the $*§ware by the name of "McAfee Security Scanner Plus" that Adobe dares
to push to unsuspecting users of Microsoft Windows trying to get flash player
from their main distribution page was
developed, packaged and tested by people who obviously never heard of "long"
filenames which may
http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html
In mid February, I wrote that a substantial portion of ASUS wireless
routers would fail to update their firmware. In fact, the "check for
update" function would inform the administrator that the router was fully
u
Some 19 year old kid used heartbleed to gain access to the CRA systems and
purge 900 SINs (akin to SSN) from the agency.
What a fool.
http://www.theglobeandmail.com/news/national/rcmp-charge-teen-in-relation-to-alleged-heartbleed-bug-theft/article18041007/#dashboard/follows/
--
Best Regards,
Ju
I. VULNERABILITY
-
Reflected XSS Attacks vulnerabilities F-Secure Messaging Security Gateway
V7.5.0.892
II. BACKGROUND
-
F-Secure Messaging Security Gateway protects your company's
confidential data. Users can easily send encrypted e-mails, and
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Router Password Timing Attack
1. *Advisory Information*
Title: SAP Router Password Timing Attack
Advisory ID: CORE-2014-0003
Advisory URL:
http://www.coresecurity.com/advisories/sap-router-password-timing-attack
Date publis
Vulnerability title: Denial of Service in PCNetSoftware RAC Server
CVE: CVE-2014-2597
Vendor: PCNetSoftware
Product: RAC Server
Affected version: 4.0.4, 4.0.5
Fixed version: N/A
Reported by: Kyriakos Economou
Details:
Latest and possibly earlier versions of RAC Server software are
vulnerable to lo
Are there actually any real-world attack scenarios for BEAST, CRIME, or
Lucky-thirteen?
Heartbleed has been used in actual legitimate attacks, but those earlier
attacks all seem pretty tame in comparison. Worth fixing, of course, but
they don't seem *as* critical to me.
Ron
On Wed, Apr 16, 2014
On 16.04.2014 08:39, Davide Davini wrote:
> YiFei Yang wrote:
>> It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is
>> aware of it and won't fix it.
>
> Is there any workaround for this bug? I might be slow but I can't find any
just don't use unsupported OS versions if you car
On Wed, 16 Apr 2014 11:44:00 +0300
Georgi Guninski wrote:
> AFAICT weak DH keys can't be recognized
> since they can be well formed.
Yes, I'm aware of that, has recently been discussed on the TLS WG list
also. But clients could (and should imho) reject obviously bogus
parameters like 8 bit modul
YiFei Yang wrote:
> It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is
> aware of it and won't fix it.
Is there any workaround for this bug? I might be slow but I can't find any.
On 2014-04-15 12:33, Dotzero wrote:
On Tue, Apr 15, 2014 at 1:53 PM, Gabriel Brezi wrote:
I'm advising a client on auditing his systems for vulnerable OpenSSL
libs which may be included by 3rd-parties. Does anyone know of some
relatively simple tools that I can leverage to figure out what
appli
On Tue, Apr 15, 2014 at 09:20:11PM +0200, Hanno Böck wrote:
> On Tue, 15 Apr 2014 17:06:13 +0300
> Georgi Guninski wrote:
>
> > openssl accepts DSA (and probably DH) keys with
> > g=1 (or g= -1). Both are extremely weak, in
> > practice plaintext.
>
> openssl also accepts 15 as a prime for DH. I
After an exciting and crazy week, people are getting calm and plan to or
have already started doing audits on their systems. But there is something
you might miss. The older versions of OpenSSL (like 0.9.8) might not be
affected by the heartbleed issue, but it doesn't mean you are secure. Don't
forget the old OpenS