Thursday, 10 April 2014

OpenSSL vulnerability allows hackers to read 64k of memory on target server

                                        

HeartBleed: A potentially critical security vulnerability in OpenSSL has been discovered that allows an attacker to read up to 64 kilobytes of memory from a server running a vulnerable OpenSSL version.

As a normal user, you may not be aware of what OpenSSL is. It is a cryptographic library used for encrypting communication between web servers and users, and it is used by plenty of websites including Google, Yahoo and Twitter. The bug (CVE-2014-0160), dubbed 'HeartBleed', was independently discovered by Neel Mehta of the Google Security team and by Codenomicon. The bug is appropriately named HeartBleed because the vulnerability is located in the HeartBeat extension and it leads to a memory leak.

The attacker can read only up to 64k of memory during one iteration of the attack. However, according to Heartbleed.com, an attacker can "keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed". An attacker can retrieve the private key used for encrypting the communication, which allows them to read all information passed between server and user as if it wasn't encrypted at all.

How to fix it? 

If your server is running OpenSSL 1.0.1 through 1.0.1f, upgrade to 1.0.1g. If you are using 1.0.0 or 0.9.8, you are not vulnerable to this bug. As a temporary fix, users can remove the HeartBeat extension by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Check whether your server is vulnerable or not:

"http://filippo.io/Heartbleed/" lets you find out whether your server is vulnerable to this bug.

Details about the bug:

The TLS Heartbeat extension is a ping from one end to the other: a message, together with its size, is sent from client to server, and the server responds with the same message. But if an attacker sends a small amount of data (let's say 1 kilobyte) and claims it is large (64k), then the server (running vulnerable OpenSSL) will respond with 1 kilobyte of the attacker's data + 63 kilobytes of data read from the server's memory.

Technical details of this bug can be found here. (Read only if you are good at 'C' programming.)

Here is a POC script written in Python: https://gist.github.com/ixs/10116537
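The length check that stops the over-read described above, as an added example (this is not OpenSSL's code and not from the original post). The names hb_build_response and demo are hypothetical, the sample record is constructed, and the 16-byte minimum padding and the silent discard follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2    /* heartbeat_response */
#define HB_HDR      3    /* 1 byte type + 2 byte payload_length */
#define HB_MIN_PAD  16   /* RFC 6520 requires at least 16 padding bytes */

/* Build the reply to the heartbeat message in rec[0..rec_len).
 * Returns the reply length, or 0 when the message must be dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the vulnerable code lacked: the claimed payload
     * length must fit inside the bytes that were actually received. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* echo received bytes only */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: 4-byte payload "ping"; len_hi/len_lo is the claimed length. */
size_t demo(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, len_hi, len_lo, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest request (claims 4 bytes):      reply of %zu bytes\n", demo(0x00, 0x04));
    printf("over-claimed request (claims 65535):  reply of %zu bytes\n", demo(0xFF, 0xFF));
    return 0;
}
```

A request whose claimed length exceeds what was received gets no reply at all, so nothing beyond the sender's own bytes is ever copied into a response.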


SOURCE=> http://www.ehackingnews.com/

BJP Junagadh website hacked by Pakistani hackers




Local news organizations report that the BJP Junagadh unit's website (bjpjunagadh.org) was hacked and defaced by unknown hackers.

The hackers who defaced the website posted comments against BJP and RSS. The defacement also contains several images of people burning and standing on the Indian tricolor. We checked some defacement-mirror websites, and the hack appears to have taken place in February. It is unclear whether the local reports refer to that incident or whether the website was defaced again today. According to the defacement-mirror record (hxxp://dark-h.org/deface/id/12604), this website was defaced by a Pakistani hacker going by the handle "Sniper haxXx", who is responsible for many hacks of Indian websites.

"As soon as I reached office, our IT cell employees told me that someone has hacked our website http://www.bjpjunagadh.org and uploaded photographs and comments to malign reputation of BJP, RSS and Narendra Modi," Indian Express quoted Raju Jivani, in-charge of the BJP Junagadh office, as saying.

A complaint has reportedly been lodged against the unknown hacker, and police are trying to find the hacker responsible for the breach. Meanwhile, Gujarat Pradesh Congress Committee's President Arjun Modhwadia told reporters that "This is purely an attempt to get votes by playing the communal card ahead of the election".


SOURCE=> http://www.ehackingnews.com/

MAKE A SIMPLE CLOCK WITH JAVASCRIPT

                                                   

CODE=>

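<html>
<head>
</head>
<body>
<div id="clock"></div>
<script type="text/javascript">
// Show the current time inside the "clock" element.
function printtime()
{
var now=new Date();          // current date and time
var hours=now.getHours();
var mins=now.getMinutes();
var seconds=now.getSeconds();
// Update the element in place; document.write() after the page has loaded would replace the whole document.
document.getElementById("clock").textContent=hours+":"+mins+":"+seconds;
}
// Pass the function itself rather than a string, which would be evaluated like eval().
setInterval(printtime,1000);
</script>
</body>
</html>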

HOW IT WORKS=>
1. We made a function printtime() having the variables now, hours, mins and seconds.
2. The variable now will get the current date.
3. The variables hours, mins and seconds will get the hour, minutes and seconds of the current date.
4. setInterval will call the function printtime repeatedly, once every second.

OUTPUT=>