Editor's News

A number of companies have begun to issue “all clear” messages in regard to the Heartbleed flaw.   Following an issue regarding Akamai, where it issued an update where it admitted to having a bug where it could protect only three parts of a six-part RSA key, technology vendors have now begun issuing statements where they are stating that they have checked, certified and clarified that there are no issues.   In its statement, Dell...

The Heartbleed vulnerability is affecting devices as well as websites, with reports claiming that both routers and mobile devices could be affected by the flaw.   According to the Guardian, Cisco has confirmed that a number of its products are vulnerable, including desktop phones, video conferencing hardware and VPN software, while Belkin said that its routers, as well as those of its Linksys subsidiary, while neither Netgear nor BT have spoken publicly about whether or not their...

Tools being used to detect the OpenSSL vulnerability often contain bugs too.   According to research by CNS Security, methods for detecting whether your systems are affected have bugs themselves which is leading to false negative results.   Adrian Hayter, blogger and penetration tester at CNS Security, said: “I was called upon to perform checks against numerous systems during the week, and I noticed that some of the scripts would find a vulnerability whilst others...

The Heartbleed story took a major turn last night, as it was revealed that at least two websites have suffered breaches as a result of the vulnerability.   Canada’s CBC news reported that hundreds of Canadians had their social insurance numbers stolen from the revenue website due to the OpenSSL flaw, but it waited until Monday to make it public. “The Canada Revenue Agency contacted our office last Friday afternoon to notify us about the...

Despite claims by the US Government that it was not aware of the Heartbleed vulnerability until it was made public, a news piece has claimed that the NSA knew about Heartbleed for at least two years.   The NSA tweeted a statement on Friday evening, saying that it “was not aware of the recently identified Heartbleed vulnerability until it was made public”. However Bloomberg said that the NSA knew about Heartbleed and regularly used it...

The line-ups for the European Security Blogger awards and BSides London have been announced.   Taking place on Tuesday 29th April at Kensington and Chelsea Town Hall, tickets for the fourth BSides London will be held under the banner of “Connecting People & Agents of All Kinds”.   Following the content for presentation voting process, confirmed speakers include KPMG’s Stephen Bonner, analysts Aaron Finnon and Graham Sutherland and Jericho Forum and Global Identity Foundation co-founder...

Cloud services may be the beneficiary of the Heartbleed flaw, according to DOSarrest CTO Jag Bains.   Bains said that while the magnitude of this event is larger than any previous event, it illustrates how cloud services have been able to significantly reduce exposure for those who use it.   “By concentrating their web technologies to leverage a cloud provider, enterprises were able to focus on whether their cloud service provider were vulnerable or not,...

Thanks should be given to those people who disclose vulnerabilities, not jail time.   Speaking to IT Security Guru, security researcher Joe Grand, who was in the Boston hacker space L0pht as member Kingpin, said that the people who publicly release research should be thanked and treated as beneficial to the community, instead of putting them in jail.   The L0pht was known for finding vulnerabilities in software and reporting them to the affected companies....

Canadian banks are not affected by the Heartbleed bug, according to its representative body.   According to CBC, the OpenSSL flaw is no threat to the bank websites in Canada. The Canadian Bankers Association, said: “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence."   “Banks have sophisticated security systems in place to protect customers' personal and financial information, including encryption and...

Bug bounties encourage researchers to be motivated by money rather than pushing for a safer environment.   Speaking to IT Security Guru, Cris Thomas, technical manager at Tenable and former L0pht member Spacerogue, said that the group’s efforts were in an aim to get security right and get things fixed. Asked if he felt that the introduction of bug bounties has made things better, he said he “wouldn’t call it better now”.   He said:...