OpenSSL site hack wasn't the result of vulnerability exploitation
Posted on 03 January 2014.
After a few days of speculation fuelled by an insufficiently clear explanation, the OpenSSL Foundation has confirmed that the late December defacement of its openssl.org website happened because of insecure passwords, and not a vulnerability in VMware software.

The website was defaced on December 29 by a group of Turkish hackers who, it seems, changed the site's main page to prove that they could and to gain a reputation.

"Other than the modification to the index.html page no changes to the website were made," the latest notice by OpenSSL says. "No vulnerability in the OS or OpenSSL applications was used to perform this defacement. The source repositories were audited and they were not affected."

After the OpenSSL Foundation initially stated that the attack was executed via a hypervisor, security experts feared that a zero-day vulnerability in VMware software had been exploited.

But VMware was quick to react and reassure them by saying that "the VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider," and that they "have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error."

"The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP," the OpenSSL Foundation finally confirmed on Friday. "Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server."

"Steps have been taken to protect against this means of attack in future," they added.









Copyright 1998-2014 by Help Net Security.