Feed aggregator

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Slashdot - Sat, 19/04/2014 - 5:03pm
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Read more of this story at Slashdot.








OpenMandriva Lx 2014.0 RC1 Released

Phoronix - Sat, 19/04/2014 - 4:48pm
The first release candidate to the upcoming OpenMandriva Lx 2014.0 release has now taken place...

Russia Writes Off 90 Percent of North Korea Debt

Slashdot - Sat, 19/04/2014 - 3:47pm
jones_supa (887896) writes "In Russia, the State Duma (lower house) on Friday ratified a 2012 agreement to write off the bulk of North Korea's debt. It said the total debt stood at $10.96 billion as of Sept. 17, 2012. Russia sees this lucrative in advancing the plans to build a gas pipe and railroad through North to South Korea. The rest of the debt, $1.09 billion, would be redeemed during the next 20 years, to be paid in equal installments every six months. The outstanding debt owed by North Korea will be managed by Russia's state development bank, Vnesheconombank. Moscow has been trying to diversify its energy sales to Asia away from Europe, which, in its turn, wants to cut its dependence on oil and gas from the erstwhile Cold War foe. Russia's state-owned top natural producer Gazprom is dreaming shipping 10 billion cubic meters of gas annually through the Koreas. Russia has written off debts to a number of impoverished Soviet-era allies, including Cuba. North Korea's struggling communist economy is just 2 percent of the size of neighboring South's."

Read more of this story at Slashdot.








ReactOS Working On A Community Windows OS

Phoronix - Sat, 19/04/2014 - 3:44pm
A few months after ReactOS announced plans for a Cloud OS, the open-source project aiming for binary compatibility with Microsoft Windows platforms, is now trying to spin a community edition of its operating system...

How Much Video RAM Is Needed For Catalyst R3 Graphics?

Phoronix - Sat, 19/04/2014 - 3:16pm
For those wondering how much video memory you should allocate from your system RAM for the Radeon R3 Graphics with the new AM1 APUs, we have up some new Linux OpenGL benchmarks of the AMD Athlon 5350 performance with varying amounts of video memory available.

The Design Flaw That Almost Wiped Out an NYC Skyscraper

Slashdot - Sat, 19/04/2014 - 2:45pm
Hugh Pickens DOT Com (2995471) writes "Joel Werner writes in Slate that when Citicorp Center was built in 1977 it was, at 59 stories, the seventh-tallest building in the world but no one figured out until after it was built that although the chief structural engineer, William LeMessurier, had properly accounted for perpendicular winds, the building was particularly vulnerable to quartering winds — in part due to cost-saving changes made to the original plan by the contractor. "According to LeMessurier, in 1978 an undergraduate architecture student contacted him with a bold claim about LeMessurier's building: that Citicorp Center could blow over in the wind," writes Werner. "LeMessurier realized that a major storm could cause a blackout and render the tuned mass damper inoperable. Without the tuned mass damper, LeMessurier calculated that a storm powerful enough to take out the building hit New York every 16 years." In other words, for every year Citicorp Center was standing, there was about a 1-in-16 chance that it would collapse." (Read on for more.)

Read more of this story at Slashdot.








Declassified Papers Hint US Uranium May Have Ended Up In Israeli Arms

Slashdot - Sat, 19/04/2014 - 1:35pm
Lasrick (2629253) writes "Victor Gilinsky and Roger J. Mattson update their story on the NUMEC affair to take into account the recent release of hundreds of classified documents that shed additional light on the story. In the 1960s, the Nuclear Materials and Equipment Corporation (NUMEC) was found to be missing about a 100 pounds of bomb-grade uranium. Based on available evidence, Gilinsky and Mattson are convinced that the material ended up in Israel nuclear bombs. The newly release documents add more to the story, and Gilinsky and Mattson are calling on President Obama to declassify the remainder of the file."

Read more of this story at Slashdot.








Declassified Papers Hint US Uranium May Have Ended Up In Israeli Arms

Slashdot - Sat, 19/04/2014 - 1:35pm
Lasrick (2629253) writes "Victor Gilinsky and Roger J. Mattson update their story on the NUMEC affair to take into account the recent release of hundreds of classified documents that shed additional light on the story. In the 1960s, the Nuclear Materials and Equipment Corporation (NUMEC) was found to be missing about a 100 pounds of bomb-grade uranium. Based on available evidence, Gilinsky and Mattson are convinced that the material ended up in Israel nuclear bombs. The newly release documents add more to the story, and Gilinsky and Mattson are calling on President Obama to declassify the remainder of the file."

Read more of this story at Slashdot.








Syndicate content