Heartbleed: CVE-2014-0160

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Exploit Mitigation Techniques

Decent article on some exploit mitigation techniques that OpenBSD has integrated into their operating system.. straight from the horse's mouth:

Link: Exploit Mitigation Techniques

Turkey Hijacking IP Addresses for popular DNS providers

It all started last weekend when the Turkish president ordered the censorship of twitter.com. This started with a block of twitter by returning false twitter IP addresses by Turk Telekom DNS servers. Soon users in Turkey discovered that changing DNS providers to Google DNS or OpenDNS was a good method of bypassing the censorship.
But as of around 9am UTC today (Saturday March 29) this changed when Turk Telekom started to hijack the IP address for popular free and open DNS providers such as Google’s 8.8.8.8, OpenDNS’ 208.67.222.222 and Level3’s 4.2.2.2.

Tags: 

BlackBerry wins injunction, sales ban against 'Typo' iPhone keyboard

A U.S. district court judge on Friday granted BlackBerry a preliminary injunction against the Typo iPhone keyboard case for infringing on certain patents, effectively banning sales of the Ryan Seacrest-backed device.

In a ruling handed down by U.S. District Judge William Orrick, BlackBerry was able to establish a "likelihood" of proving that the Typo Bluetooth keyboard infringes on its patents, reports Reuters.

That knowledge, combined with Typo's inability to challenge BlackBerry's patents, is enough to slap the company with a preliminary injunction banning sales.

After outcry, Microsoft decides it won't access user data in theft probes

IDG News Service - Microsoft will no longer go through email messages and other personal data that users of its online services have stored on its servers, a decision taken after being sharply criticized for accessing a person's inbox as part of an internal investigation.

Tags: 

HTML5 Security Cheatsheet

This could come in handy for all you web developers: https://github.com/cure53/H5SC

Tags: 

End-to-end correlation for Tor connections using an active timing attack

This is a very simple implementation of an active timing attack on Tor. Please note that the Tor developers are aware of issues like this –

Tags: