Feed aggregator

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

SlashDot - Sat, 04/19/2014 - 11:03
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated." After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

Play: The frantic, fun and infuriating Trials Fusion

EnGadget - Sat, 04/19/2014 - 11:00
Some games are so challenging, frustrating and physically draining that your controller could easily explode against the nearest wall at any second. Trials Fusion is one of those games: A repetitive, soul-destroying platformer that'll have you...

Survey: Americans aren't keen on drones, Google Glass-like devices

PC News - Sat, 04/19/2014 - 10:56

Let’s face it: A lot has changed in the past few years. Smartphones! 3D printers! Drones! Face computers! Self-driving cars! It almost feels as though we’re living in the future. According to a recent survey from the Pew Research Center, Americans expect this rapid pace of change to continue over the next 50 years.

And while most of those surveyed think all this new tech will be a good thing, there are a few things the populace is wary about.

The Pew survey found that 56 percent of respondents “are optimistic that coming technological and scientific changes will make life in the future better,” while 30 percent have a more dystopian view of the not-too-distant future.

7 things the Mazda Skyactiv Chassis tells us about the next Miata

CNET News - Sat, 04/19/2014 - 10:46
We take a close look at the clues and attempt to unravel the mystery of the 2016 Mazda MX-5 Miata.

OnePlus One phone and its swappable covers leak out in new pictures

EnGadget - Sat, 04/19/2014 - 10:33
Former Oppo exec Pete Lau announced his plans to make "the perfect smartphone" a few months ago, and now the OnePlus One is almost here. Its launch is scheduled for April 23rd, but Android Authority points out these pictures posted on a forum that...

Ouya, we hardly knew ya

CNET News - Sat, 04/19/2014 - 10:19
Ouya's shift from game-console hardware freed it up to target a wider range of TV-connected devices. But it may have jumped from the frying pan into the Fire TV.






The Biggest Thing At The New York Auto Show Was Not A Car

Gizmodo - Sat, 04/19/2014 - 10:00

The easiest way to determine "hype," whatever that is, for a product is to measure the size of its media scrum. New Mustang? Meh. How about a Mercedes? Borrrrring. But Honda just enthralled everybody with a 14-year old robot.

How To Pass a Urine Test (Or At Least Stand a Fighting Chance)

Gizmodo - Sat, 04/19/2014 - 10:00

You've got enough to worry about for that upcoming job interview without stressing over whether or not you'll be judged by what you pee into a cup. And sometimes it's just too late to go all the way straight-and-narrow. Fortunately there are ways of maximizing the chance that your future employment won't be sidetracked by Friday night's doobie. Here's what you need to know to have your best chance at passing a urinalysis test.

Russia Writes Off 90 Percent of North Korea Debt

SlashDot - Sat, 04/19/2014 - 09:47
jones_supa (887896) writes "In Russia, the State Duma (lower house) on Friday ratified a 2012 agreement to write off the bulk of North Korea's debt. It said the total debt stood at $10.96 billion as of Sept. 17, 2012. Russia sees this as lucrative in advancing the plans to build a gas pipe and railroad through North to South Korea. The rest of the debt, $1.09 billion, would be redeemed during the next 20 years, to be paid in equal installments every six months. The outstanding debt owed by North Korea will be managed by Russia's state development bank, Vnesheconombank. Moscow has been trying to diversify its energy sales to Asia away from Europe, which, in its turn, wants to cut its dependence on oil and gas from the erstwhile Cold War foe. Russia's state-owned top natural producer Gazprom is dreaming of shipping 10 billion cubic meters of gas annually through the Koreas. Russia has written off debts to a number of impoverished Soviet-era allies, including Cuba. North Korea's struggling communist economy is just 2 percent of the size of neighboring South's."

Pot speakers, hemp cars: Mark 4/20 with ganja-inspired tech

CNET News - Sat, 04/19/2014 - 09:39
April 20 has turned into an unofficial celebration of all things marijuana. The tech world isn't immune to the reefer madness, finding inspiration in hemp materials and high-tech vaporizers.






Tech takes a toke with pot-inspired gadgets (pictures)

CNET News - Sat, 04/19/2014 - 09:22
Observe the unofficial 4/20 holiday with a series of tech items inspired by, made with, or dedicated to marijuana and hemp.

SpaceX launches Falcon 9 rocket carrying crucial cargo to ISS

CNET News - Sat, 04/19/2014 - 09:16
After numerous delays, the space transport company sends its Falcon 9 rocket and Dragon spacecraft into orbit to carry cargo to the International Space Station. Next up: get that rocket back.






Exclusive: Nike fires majority of FuelBand team, will stop making wearable hardware

CNET News - Sat, 04/19/2014 - 09:14
The sportswear company has decided that only software has a future in Nike’s technology vision. That means cutting the FuelBand, including a slimmer version planned for the fall.






Why Vinyl Is the Only Worthwhile Way to Own Music

Gizmodo - Sat, 04/19/2014 - 09:00

On any given Tuesday in the 90s, I would hustle to the record store after school to gawk at the new releases. Occasionally, I would take a CD home, greedily tear it open, pop it into my boombox, and listen while I pretended to do my homework. This wonderful experience has no value any more. It's obsolete.

AllCast's screen-mirroring magic arrives on Amazon's Fire TV App Store

EnGadget - Sat, 04/19/2014 - 08:46
Been putting off sideloading AllCast's SDK to your brand new Amazon Fire TV? Well, friend, your procrastination has paid off. Now, all you have to do to install the casting and screen-mirroring app is download it straight from the Amazon App Store....