OpenSSL Patches Denial of Service Flaws

The OpenSSL Project has issued patches to fix flaws that could leave secure servers open to denial of service attacks. These vulnerabilities have been fixed in OpenSSL 0.9.6m and 0.9.7d, available from the project's web site.

OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in security products from numerous vendors. Cisco has already released an advisory for customers, while Oracle and Symantec say none of their OpenSSL-based products are affected. OpenSSL is also used in products from IBM, FreeBSD, Red Hat, SUSE and others. The advisory from the UK's National Infrastructure Security Co-ordination Centre (NISCC) includes an updated list of vendor responses.

Last summer the NISCC identified several similar vulnerabilities in OpenSSL. In December, Oracle issued a critical update to address security holes in its implementation of OpenSSL.

Phishing Scam Spoofs U.S. Government Site

Phishing scams are now spoofing a web site operated by the U.S. government, using the Bush administration's information-gathering initiatives as cover for a scam to capture credit card and banking data. The fraud mimics the web site, and has triggered a consumer alert from the Federal Trade Commission.

The scam employs e-mails with subject lines reading "Official information" or "Urgent information to all credit card holders," and asserts that a new law requires Internet users to identify themselves to the government to "create a secure and safer Internet community." The e-mail links to a web site masquerading as and asks readers to provide personal financial information.


DDoS Counterstrikes Prompt Debate

How far can companies go to defend their web sites against distributed denial of service (DDoS) attacks? The question was hotly debated in security circles this week after Symbiot Inc. announced an upcoming product that can launch "counterstrikes" against DDoS perpetrators.

The notion of retaliatory attacks was panned by security analysts and network operators, who say such actions would congest networks, damage innocent parties and violate acceptable use policies - if not the law. Such tactics are unlikely avenues for corporate DDoS victims such as Microsoft or The SCO Group.

But they may be of interest to subjects of "DDoS blackmail" schemes, which in recent months have targeted online gambling sites. Several online casinos have admitted making payments to cyber-extortionists. Some who have refused to pay, including the Irish bookmaker Paddy Power, say their operations were subsequently disrupted by DDoS attacks.

Cites Security Breach Information Act in Disclosing Successful Attack

When Allegiance Telecom's unit informed 4,000 web hosting customers last week that their passwords had been compromised by crackers, the company said it was "the correct thing to do." But Allegiance also said a new California law obligated it to disclose the security breach.

The California Security Breach Information Act, which took effect on July 1, requires companies with customers in California to notify them whenever their personal information may have been compromised. "You want to make sure there's full and complete disclosure as required by law," Allegiance spokesman Jerry Ostergaard told Security Focus, which first reported the incident.


cPanel Vulnerability Disclosed

A vulnerability has been discovered in cPanel's WebHost Manager reseller control panel, which could be exploited to allow malicious users to run some commands as root (superuser).

The flaw affects a feature in WebHost Manager through which resellers can let their users retrieve lost or forgotten passwords via email. The setting, found in WebHost Manager in the "Tweak Settings" section, "is built into all compiled cPanel binaries and as such can not be patched," according to an advisory on the BugTraq mailing list, which includes instructions on addressing the vulnerability.

cPanel is found on about 1.4 million hostnames worldwide. The software is widely used by many large hosting companies, especially those offering dedicated servers. Its user-friendly interface automates many elements of web site management for resellers and customers. The issue affects versions up to 9.1.0 build 34. All builds released after that have been fixed.
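Both the OpenSSL item above and this cPanel item come down to the same operational question for an administrator: which of my installed builds predate the fixed release? The following Python script is an added example, not code from the original article or from the OpenSSL or cPanel projects. It classifies inventoried versions against the fixed versions named above (OpenSSL 0.9.6m and 0.9.7d; cPanel builds after 9.1.0 build 34). It assumes OpenSSL's 0.9.x letter-suffix patch scheme (0.9.7 sorts before 0.9.7a, which sorts before 0.9.7b, and so on) and a cPanel version string of the form "9.1.0 build 34"; the host inventory and its dates are constructed for the demonstration.

```python
"""Flag OpenSSL and cPanel builds that predate the fixes reported above.

Assumptions (not from the article): OpenSSL 0.9.x patch levels sort by their
trailing letter (0.9.7 < 0.9.7a < ... < 0.9.7d), and cPanel versions are
written as "<major>.<minor>.<patch> build <n>".
"""
import re

# Earliest fixed patch letter per OpenSSL branch, as stated in the advisory summary.
# Branches not listed here are reported as "unknown" rather than guessed at.
OPENSSL_FIXED = {"0.9.6": "m", "0.9.7": "d"}

# Last affected cPanel release: every build up to and including 9.1.0 build 34.
CPANEL_LAST_AFFECTED = ((9, 1, 0), 34)


def parse_openssl_version(text):
    """Return (branch, patch_letter) from strings such as '0.9.7c' or the
    output of `openssl version` ('OpenSSL 0.9.7c <date>').
    The letter is '' for a bare release such as '0.9.7'."""
    m = re.search(r"\b(\d+\.\d+\.\d+)([a-z]?)\b", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return m.group(1), m.group(2)


def openssl_status(text):
    """'vulnerable', 'fixed', or 'unknown' (branch not covered by the advisory)."""
    branch, letter = parse_openssl_version(text)
    fixed = OPENSSL_FIXED.get(branch)
    if fixed is None:
        return "unknown"
    # Single-letter suffixes compare correctly as strings; '' sorts before 'a'.
    return "fixed" if letter >= fixed else "vulnerable"


def parse_cpanel_version(text):
    """Return ((major, minor, patch), build) from e.g. '9.1.0 build 34'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\D+(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4))


def cpanel_status(text):
    """'vulnerable' for any build up to 9.1.0 build 34, otherwise 'fixed'."""
    return "vulnerable" if parse_cpanel_version(text) <= CPANEL_LAST_AFFECTED else "fixed"


CHECKERS = {"openssl": openssl_status, "cpanel": cpanel_status}


def audit(inventory):
    """Map each (host, product, version) record to its status.
    Unparseable version strings are reported as 'unparseable' so they are
    not silently treated as safe."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = CHECKERS[product](version)
        except (ValueError, KeyError):
            report[host] = "unparseable"
    return report


# Constructed inventory for the demonstration; hosts and dates are made up.
SAMPLE_INVENTORY = [
    ("web1.example.test", "openssl", "OpenSSL 0.9.7c 01 Jan 2004"),
    ("web2.example.test", "openssl", "OpenSSL 0.9.7d 01 Apr 2004"),
    ("mail.example.test", "openssl", "0.9.6l"),
    ("legacy.example.test", "openssl", "0.9.5a"),
    ("host1.example.test", "cpanel", "9.1.0 build 34"),
    ("host2.example.test", "cpanel", "9.1.0 build 35"),
    ("host3.example.test", "cpanel", "unknown"),
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

The design point is the "unknown" and "unparseable" outcomes: a version checker that answers only "fixed" or "vulnerable" will quietly mark an unrecognised branch or a malformed string as safe, which is exactly the host that then never gets patched.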

Go Daddy Now An SSL Certificate Authority

Domain registrar Go Daddy Inc. is bringing its price-cutting ways to the market for Secure Sockets Layer (SSL) certificates for e-commerce sites. On Monday, the company began selling 128-bit SSL certificates through its Starfield Technologies subsidiary.

With its huge customer base and reseller network, Go Daddy is positioned to make a sudden impact in the SSL market, where the vast majority of certificates are issued by three companies - VeriSign (which also owns Thawte), GeoTrust and The Comodo Group. "We're looking to become a major player in this particular industry," Go Daddy President and CEO Bob Parsons said in an interview yesterday. "We've spent about a year preparing for this."

The Go Daddy certificates are priced at $89.95, well below comparable products from GeoTrust ($149 a year) and VeriSign ($199 to $349 a year and up). Comodo's Pro SSL certificate sells for $69, but differs slightly from the others in that it relies upon a "chained" root owned by a third party, BeTrusted.
