A major, critical security flaw in a key cryptographic program used by most flavors of GNU/Linux as well as other free/open operating systems has been reported. The bug, which appears in the Gnutls code, allows for undetectable man-in-the-middle attacks against affected systems. My operating system, Ubuntu, had an update waiting for it this morning that patched this. If you're running any flavor of Linux or BSD, you should immediately check for, and apply, any TLS patches offered through your distribution.
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical "goto fail" flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.
"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," an advisory issued by Red Hat warned. "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as "an important (and at the same time embarrassing) bug discovered during an audit for Red Hat." Debian's advisory is here.
[Dan Goodin/Ars Technica]
Mostly it’s your record locator and frequent flier number, but with that, an attacker can access the ticket record, see your future flights, your email address, and the details of the emergency contacts you’d added to the reservation.
Adam Conover latest “Adam Ruins Everything” is five depressingly hilarious minutes on aviation security, security theater, privacy, and ritual humiliation, with a guest-appearance by Bruce Schneier. If you didn’t laugh, you’d have to cry, although you can always do both, right?
In a new episode of the BBC’s Panorama, Edward Snowden describes the secret mobile phone malware developed by GCHQ and the NSA, which has the power to listen in through your phone’s mic and follow you around, even when your phone is switched off.
It’s time for a power upgrade — throw out that tired-out power strip and swap in this family-size USB charger, packed with 6 high-speed ports. With a built-in control chip, Kinkoo optimizes each port to ensure the fastest charging possible for all your devices. The Kinkoo is made from high-grade and durable materials so you […]
Watching Netflix, Hulu or other streaming services can unfortunately be difficult while traveling outside the US. Rather than bypass these restrictions with the help of a complex and slow VPN, choose a faster and simpler solution with Getflix. Instead of rerouting all your Internet traffic through a different server, this handy service only routes the […]
Shake, stir, and muddle your way to delicious homemade cocktails with this must-have bar set. Expect only the finest quality tools from MakersKit — enabling you to unleash your inner mixologist.Top 12 Favorite Things of 2014, Sunset MagazineQuart-size vintage-style Mason jar shakerRetro double jigger for accurate measurementsStrainer & spouts for a mixologist-style smooth pourHardwood muddler […]