6
Nov

Thomas Cook’s arm to acquire 49% stake in MFXchange Holdings

This marks Ikya Group’s entry into IT services and solutions segment in North America.

6
Nov

Google Releases Nogotofail Tool to Test Network Security

The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a tool that checks for these problems.

The tool, called nogotofail, allows developers to set up an infrastructure through which they can run known attacks against the target application. It can execute various attacks that require a man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others.

“The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS,” the tool’s documentation says.

Google’s security team designed nogotofail to work on essentially any client that connects to the Internet.

“The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy,” Chad Brubaker of the Android security team wrote in a blog post. 

Transport layer security protocols such as SSL and TLS are designed to protect the confidentiality of information in transit. The SSL protocol is old and has been the target of a number of attacks in recent years. TLS is the successor to SSL and is considered more robust and resistant to attack, but the newer versions of TLS are not as widely supported as much older versions of SSL are.

One of the things that makes attacks on SSL/TLS so problematic is that users typically don’t know that the attacks are taking place. An online banking or shopping connection that a user thinks is secure can be compromised quietly by an attacker, who can steal confidential data, such as credentials or payment card information. The Google nogotofail tool will help developers identify the weak spots in their applications’ implementations before an attacker can take advantage.

“We’ve been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible,” Brubaker wrote.

The nogotofail tool is on GitHub as an open source project.

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

See more at: http://threatpost.com/google-releases-nogotofail-tool-to-test-network-security/109143

3
Nov

Infosys pulls out of software development centre near Bengaluru International airport

Software giant Infosys has pulled out of its proposed software development centre at an information technology park near the Bengaluru international airport.

27
Oct

Amazon full-time staffing tops 1,000 with more seasonal hiring in the works

The Amazon warehouse under construction in Robbinsville on Friday, May 23, 2014. Mercer County officials expect the Amazon warehouse to have a soft opening in June and slowly ramp up employment through the rest of the year. The county is trying to get a federal Job Access Reverse commute grant which, combined with $10,000 from both the county and Amazon, would go towards setting up a shuttle.

12
Dec

Network Solutions for Hospitality – Menger Hotel

Dlink – building networks for people at Menger Hotel

1
Nov

How 4 Management Consultants Broke Into Fashion

BoF talks to four former management consultants, now working in top positions in fashion, about their unconventional career paths.