It might be believed that big companies have security teams, but a
number of security hole discoveries are made by third parties instead of
coming from the companies.  In some cases it also took a significantly long
time for some to patch these holes.
The SQL injection bug of SQL Server 2000 and the Adobe Acrobat PDF vulnerability
come to mind.
It is nice that a lot of these big companies release patches to their
products, but the frequency of these happening is quite high, making me feel
that they don't do sufficient security QA before a product is released.
On Apr 11, 2014 7:54 AM, "fooler mail" <[email protected]> wrote:

> big companies have their own security team who assess and protect
> their proprietary products... from the start of code development..
> they integrate a code scanner to see any vulnerabilities in the code
> and other security tools until it reaches a complete product...
>
> their reputation is based not only on the quality of the product but
> on the security side as well...
>
> fooler.
>
> On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go
> <[email protected]> wrote:
> > On the other hand since this is open source someone is bound to find the
> > hole. What about proprietary systems?
> >
> > On Apr 10, 2014 6:37 PM, "fooler mail" <[email protected]> wrote:
> >>
> >> pluggers,
> >>
> >> another action needed from you... if you use the service of any of
> >> the sites listed in the link below, then you need to change your
> >> password...
> >>
> >>
> >>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
> >>
> >> it's time to realize why open source is not as secure as what others
> >> claim it to be... but of course... there are still plenty of
> >> undiscovered security holes waiting to be discovered by security
> >> engineers... when this heartbeat outbreak happened last Monday... I spoke to my
> >> colleague yesterday as this is one of the projects of big brother,
> >> who paid an open source developer working with a specific application to
> >> insert backdoor code... (I have to use other words so that big
> >> brother's scanner won't see it)... to my surprise.. he mentioned to me
> >> that he worked at noviembre sierra alfa previously and he could
> >> confirm that but he won't go into the details... I also said to
> >> him that I saw one backdoor in the Linux kernel; until now it is still in
> >> there... you can't see it by a normal CLI command but it is there sitting
> >> innocently...
> >>
> >> I made a statement in ph-cyberview a year or so ago that we are not
> >> safe anymore...  much worse if you are inside China....
> >>
> >>
> >> fooler.
> >>
> >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]>
> wrote:
> >> >  hi drexx,
> >> >
> >> > a Google security guy is the one who found the bug, and Google fixed
> >> > their sites before sending the info to the community...
> >> >
> >> > below is the site to test for the bug vulnerability..
> >> >
> >> > http://packetstormsecurity.com/files/author/11160/
> >> >
> >> > fooler.
> >> >
> >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
> >> > <[email protected]> wrote:
> >> >> 09Apr2014 (UTC +8)
> >> >>
> >> >> Here's a quick test on your localhost, & you don't even need to be
> >> >> root...
> >> >>
> >> >>
> >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect
> >> >> google.com:443 -tlsextdebug 2>&1 |  grep 'TLS server extension
> >> >> "heartbeat" (id=15), len=1'
> >> >>
> >> >> TLS server extension "heartbeat" (id=15), len=1
> >> >>
> >> >> drexx@MACHINE:~$ date;
> >> >> Wed Apr  9 21:02:58 PHT 2014
> >> >>
> >> >> drexx@MACHINE:~$ uname -a
> >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12
> >> >> 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >> >>
> >> >>
> >> >> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> >> >> http://www.laggui.com  ( Manila & California )
> >> >> Computer forensics; Penetration testing; QMS & ISMS developers;
> >> >> K-Transfer
> >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
> >> >>
> >> >>
> >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar
> >> >> <[email protected]> wrote:
> >> >>>
> >> >>> And I may add this link for the exact patch version since different
> >> >>> package revisions exist for different versions of Ubuntu -
> >> >>> http://www.ubuntu.com/usn/usn-2165-1/
> >> >>>
> >> >>> Ubuntu 13.10:
> >> >>>     libssl1.0.0 1.0.1e-3ubuntu1.2
> >> >>> Ubuntu 12.10:
> >> >>>     libssl1.0.0 1.0.1c-3ubuntu2.7
> >> >>> Ubuntu 12.04 LTS:
> >> >>>     libssl1.0.0 1.0.1-4ubuntu5.12
> >> >>>
> >> >>> As for CentOS 6, they haven't released a patched version, but the latest
> >> >>> available in the update repo has the heartbeat feature disabled, an
> >> >>> interim workaround, so upgrade when you can:
> >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
> >> >>>
> >> >>>
> >> >>> -----
> >> >>>
> >> >>> -[ OpenSource, Open Ideas ]-
> >> >>>
> >> >>>
> >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <[email protected]>
> >> >>> wrote:
> >> >>>>
> >> >>>> pluggers,
> >> >>>>
> >> >>>> action needed from you if you are not aware of this serious
> >> >>>> security hole...
> >> >>>>
> >> >>>> http://www.openssl.org/news/secadv_20140407.txt
> >> >>>>
> >> >>>> update/patch your openssl package...  create a new private key using
> >> >>>> the updated/patched openssl... create a new CSR based on that new private
> >> >>>> key and update your https site(s) with a new signed certificate (this
> >> >>>> includes self-signed certificates as well)
> >> >> _________________________________________________
> >> >> Philippine Linux Users' Group (PLUG) Mailing List
> >> >> http://lists.linux.org.ph/mailman/listinfo/plug
> >> >> Searchable Archives: http://archives.free.net.ph
> >
> >
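The fixed libssl1.0.0 versions quoted in Rudel's message from USN-2165-1 are only useful if they are compared against the installed version with the same ordering rules dpkg uses: Ubuntu backported the fix, so the package keeps the 1.0.1 upstream number and only the Debian revision moves, and a naive string or float comparison gets this wrong. The following Python script is an added example, not code from the thread or from Ubuntu; it implements dpkg's version ordering (epoch, then upstream, then revision, with `~` sorting before everything) and checks a reported libssl1.0.0 version against the three fixed versions given on the list. The `check_libssl` and `installed_version` helpers and the sample version strings in `main` are constructed for this illustration.

```python
"""Check a libssl1.0.0 version against the fixed versions from USN-2165-1
using dpkg's version-comparison rules (added example; not from the thread)."""

import subprocess

# Fixed libssl1.0.0 versions as quoted on the list from USN-2165-1.
FIXED_LIBSSL = {
    "13.10": "1.0.1e-3ubuntu1.2",
    "12.10": "1.0.1c-3ubuntu2.7",
    "12.04": "1.0.1-4ubuntu5.12",
}


def _order(c):
    """Sort weight of a non-digit character as dpkg defines it: '~' sorts
    before everything (even end of string), letters before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or Debian revision):
    alternate non-digit runs (lexical via _order) and digit runs (numeric).
    Returns negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: end of string or a digit boundary weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    A missing epoch is 0; a missing revision is '' (compares equal to '0')."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Negative / 0 / positive, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return e1 - e2
    c = _cmp_fragment(u1, u2)
    return c if c else _cmp_fragment(r1, r2)


def is_patched(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


def check_libssl(release, installed):
    """(patched, fixed_version) for an Ubuntu release in the table, else None."""
    fixed = FIXED_LIBSSL.get(release)
    if fixed is None:
        return None
    return is_patched(installed, fixed), fixed


def installed_version(package="libssl1.0.0"):
    """Ask dpkg for the installed version of a package; None if unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inputs, not real query results.
    for release, ver in [("12.04", "1.0.1-4ubuntu5.11"), ("12.04", "1.0.1-4ubuntu5.12"),
                         ("13.10", "1.0.1e-3ubuntu1")]:
        patched, fixed = check_libssl(release, ver)
        print(f"Ubuntu {release}: installed {ver}, fixed {fixed}: "
              f"{'OK' if patched else 'VULNERABLE, update'}")
```

On a real Ubuntu host, `installed_version()` feeds the actual package version into `check_libssl`; the point of carrying the full dpkg ordering is that a backported `1.0.1-4ubuntu5.12` is correct even though it sorts below any `1.0.1<letter>` upstream release, so always compare against the vendor's fixed version from the USN rather than against upstream release numbers. If only a shell check is needed, `dpkg --compare-versions` applies the same rules.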