OpenSSL has released a software update to fix a flaw that could make it easier for hackers to attack secure web servers. The security issue could allow attackers to force an SSL-enabled site to use the outdated and potentially insecure SSL version 2.0 protocol.
Some secure web sites allow visitors to connect using earlier versions of SSL, an option which can be enabled by OpenSSL's SSL_OP_ALL setting. Normally, web servers will default to the most current encryption protocol supported by the user's browser, usually TLS or SSL version 3. But a flaw in the SSL_OP_ALL implementation could allow an attacker to trick the server into using SSL 2.0.
"An attacker acting as a 'man in the middle' can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0," notes the advisory from OpenSSL. "The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only." The OpenSSL Project is advising users to either upgrade their server software with the latest version or disable SSL 2.0 entirely.
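The advisory above is about version negotiation: a server that keeps SSL 2.0 enabled as a fallback can be talked down to it, while a server with SSL 2.0 disabled simply refuses the handshake. The following is an added example (not OpenSSL's code) that parses the two ClientHello formats involved, the SSL 2.0-style record that TLS-capable clients still sent for compatibility and the SSL 3.0/TLS record, and models the server's version choice under both configurations. The hello bytes and cipher values are constructed here for the demonstration; the record layouts follow the SSL 2.0 and SSL 3.0/TLS 1.0 specifications.

```python
"""Classify SSL/TLS ClientHello records and apply a server version policy.

Added example, not OpenSSL project code. Record layouts follow SSL 2.0 and
SSL 3.0/TLS 1.0; the sample hellos are constructed here for the demo.
"""
import struct

SSLV2, SSLV3, TLS10 = (0, 2), (3, 0), (3, 1)
NAMES = {SSLV2: "SSLv2", SSLV3: "SSLv3", TLS10: "TLSv1.0"}


def build_sslv2_hello(version, cipher_specs=b"\x01\x00\x80\x07\x00\xc0",
                      challenge=b"\x11" * 16):
    """Constructed SSL 2.0-format CLIENT-HELLO advertising `version`."""
    body = (bytes([0x01, *version])                         # msg type, version
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)                     # 3-byte cipher specs
    # 2-byte v2 record header: high bit set, 15-bit body length
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_tls_hello(version, cipher_suites=b"\x00\x2f\x00\x0a"):
    """Constructed SSL 3.0/TLS 1.0-format ClientHello advertising `version`."""
    hello = (bytes(version) + b"\x00" * 32 + b"\x00"       # version, random, sid len
             + struct.pack(">H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00")                                # one compression method
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return hello format, offered version and cipher count, or raise ValueError."""
    if len(data) < 5:
        raise ValueError("record too short")
    if data[0] & 0x80:
        # SSL 2.0 record: 2-byte header with the high bit set, 15-bit length
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        cipher_len = struct.unpack(">HHH", body[3:9])[0]
        return {"format": "sslv2-hello", "version": (body[1], body[2]),
                "cipher_count": cipher_len // 3}
    if data[0] == 0x16 and data[1] == 0x03:
        # SSL 3.0/TLS record: type, version(2), length(2), then a handshake message
        length = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + length]
        if len(hs) < 41 or hs[0] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        sid_len = hs[38]                                    # after 4-byte header, version, 32-byte random
        suites_len = struct.unpack(">H", hs[39 + sid_len:41 + sid_len])[0]
        return {"format": "tls-hello", "version": (hs[4], hs[5]),
                "cipher_count": suites_len // 2}
    raise ValueError("unrecognised record")


def negotiate(hello, enabled):
    """Server policy: highest enabled version not above the client's offer.

    Returns None when nothing is acceptable, i.e. the handshake fails
    instead of silently dropping to a version the server has disabled.
    """
    client_max = parse_client_hello(hello)["version"]
    acceptable = [v for v in enabled if v <= client_max]
    return max(acceptable) if acceptable else None


if __name__ == "__main__":
    legacy_server = {SSLV2, SSLV3, TLS10}   # SSL 2.0 left enabled as a fallback
    hardened_server = {SSLV3, TLS10}        # SSL 2.0 disabled entirely
    honest = build_sslv2_hello(TLS10)       # v2-compatible hello from a TLS client
    tampered = build_sslv2_hello(SSLV2)     # same hello with the version field rewritten in transit
    for label, hello in (("honest", honest), ("tampered", tampered)):
        for name, enabled in (("legacy", legacy_server), ("hardened", hardened_server)):
            chosen = negotiate(hello, enabled)
            print(f"{label:8} hello -> {name:8} server: {NAMES.get(chosen, 'handshake refused')}")
```

The run shows the same tampered hello producing an SSL 2.0 session against the legacy configuration and a refused handshake against the hardened one. The caveat worth keeping in mind: an SSL 3.0/TLS handshake authenticates its own hello messages through the Finished exchange, so tampering is detected at the end, but the SSL 2.0 handshake has no such check, which is why the advisory's second option, disabling SSL 2.0 outright, is the robust fix rather than relying on any fallback logic.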
PayPal will implement strengthened anti-phishing measures for up to 1 million users next year through a deal announced yesterday between VeriSign and eBay, which operates PayPal. While most of the headlines focused on eBay's purchase of VeriSign's payment processing unit for $370 million, the most widely felt benefit of the deal will likely be the enhanced security for PayPal, which has been relentlessly targeted by phishing scams.
The agreement calls for eBay to buy up to 1 million two-factor authentication tokens from VeriSign. eBay and PayPal plan to begin the rollout of two-factor authentication to customers in 2006, including marketing and security programs designed to "promote customer adoption."
VeriSign has acquired Weblogs.com, the primary weblog "ping" service tracking how often weblogs are updated. The deal capped a wild Thursday in the blogosphere, which started with the announcement that America Online has bought Weblogs Inc., one of the most prominent blogging networks.
While the AOL-Weblogs Inc. deal is focused on content, VeriSign's purchase of Weblogs.com from founder Dave Winer is all about infrastructure. "For a long time, ping servers could be stood up as a single box running on a fast business DSL connection," noted VeriSign's Mike Graves on the company's Infrablog. "Those days have passed at least for the popular ping servers; pings are well on their way to requiring serious infrastructure. That’s where VeriSign comes in."
Are phishing crews paying more attention to virtual worlds? Phishing attacks on massively multiplayer online role-playing games (MMORPGs) have been around since at least 2002, and perhaps earlier. But some observers of online games say the growing market for virtual currency and player accounts may be attracting fresh attention from phishing scams, which are mass-mailing "bait" e-mails seeking to capture gamers' account logins.
Phishing attacks most commonly target banks, credit card companies and payment sites such as PayPal. This year phishers have expanded their target list to include smaller regional banks and credit unions. While phishing attacks on online games aren't new, they may represent a logical area of expansion for these scams, given the growing value of player accounts, the youthful demographics of online gaming, and a recent influx of new players due to the popularity of World of Warcraft.
A recent phishing attack targeting users of EVE Online was reported by Terra Nova, a blog that follows trends in virtual worlds. The bait email purports to be from the game's security team, investigating unusual account activity and sending victims to a spoof site at a server in Spain.
Security researchers say they have found weaknesses in Cisco's Internet Operating System (IOS) which may enable an Internet worm to spread between Cisco routers. But Arhont Ltd. denied reports that such a worm had actually been developed.
In a post to the Bugtraq mailing list, Arhont's Andrei Mikhailovsky said his firm had discovered weaknesses in the way IOS uses the Enhanced Interior Gateway Routing Protocol (EIGRP), which handles information exchange between routers. "Among the discovered issues are multiple vulnerabilities in EIGRP implementation," Mikhailovsky wrote. "Also, authors have addressed the _theoretical_ aspects of an algorithm for a cross-platform worm that could spread in IOS based devices." EIGRP supports the AppleTalk and IPX (Novell NetWare) networking protocols in addition to IP, allowing cross-platform routing. Arhont offered no additional details, but said it is preparing an advisory for Cisco's Product Security Incident Response Team (PSIRT).
A vulnerability has been reported in Firefox which could allow malicious sites to compromise computers running the browser. The security hole, which is rated highly critical by Secunia, affects all versions, including Firefox 1.0.6 and earlier and the just-released beta version of Firefox 1.5. An attack can be created using a specially-crafted URL, which will cause a buffer overflow in Firefox that results in a denial of service and, in some cases, remote code execution.
The flaw was discovered by researcher Tom Ferris of Security Protocols, who found an error in the way Firefox handles URLs (see description here). The vulnerability has been reported to the Mozilla Foundation, which is preparing a fix. There have been 86 million downloads of the Firefox browser, with recent estimates placing its market share at about 9 percent of Internet users.