OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in security products from numerous vendors. Cisco has already released an advisory for customers, while Oracle and Symantec say none of their OpenSSL-based products are affected. OpenSSL is also used in products from IBM, FreeBSD, Red Hat, SUSE and others. The advisory from the UK's National Infrastructure Security Co-ordination Centre (NISCC) includes an updated list of vendor responses.
The scam employs e-mails with subject lines reading "Official information" or "Urgent information to all credit card holders," and asserts that a new law requires Internet users to identify themselves to the government to "create a secure and safer Internet community." The e-mail links to a Web site masquerading as regulations.gov and asks readers to provide personal financial information.
The notion of retaliatory attacks was panned by security analysts and network operators, who say such actions would congest networks, damage innocent parties and violate acceptable use policies - if not the law. Such tactics are unlikely avenues for corporate DDoS victims such as Microsoft or The SCO Group.
But they may be of interest to subjects of "DDoS blackmail" schemes, which in recent months have targeted online gambling sites. Several online casinos have admitted making payments to cyber-extortionists. Some who have refused to pay, including the Irish bookmaker Paddy Power, say their operations were subsequently disrupted by DDoS attacks.
The California Security Breach Information Act (full text here), which took effect on July 1, requires companies with customers in California to notify them whenever their personal information may have been compromised. "You want to make sure there's full and complete disclosure as required by law," Allegiance spokesman Jerry Ostergaard told Security Focus, which first reported the incident.
The exploit affects a feature in WebHost Manager through which resellers can let their users retrieve lost or forgotten passwords via email. The setting, found in WebHost Manager in the "Tweak Settings" section, "is built into all compiled cPanel binaries and as such can not be patched," according to an advisory on the BugTraq mailing list, which includes instructions on addressing the vulnerability.
cPanel is found on about 1.4 million hostnames worldwide. The software is widely used by many large hosting companies, especially those offering dedicated servers. Its user-friendly interface automates many elements of web site management for resellers and customers. The issue affects versions up to 9.1.0 build 34. All builds released after that have been fixed.
With its huge customer base and reseller network, Go Daddy is positioned to make a sudden impact in the SSL market, where the vast majority of certificates are issued by three companies - VeriSign (which also owns Thawte), GeoTrust and The Comodo Group. "We're looking to become a major player in this particular industry," Go Daddy President and CEO Bob Parsons said in an interview yesterday. "We've spent about a year preparing for this."
The GoDaddy certificates are priced at $89.95, well below comparable products from GeoTrust ($149 a year) and VeriSign ($199 to $349 a year and up). Comodo's Pro SSL certificate sells for $69, but differs slightly from the others in that it relies upon a "chained" root owned by a third party, BeTrusted.