The ePickpocketer

The great EMV migration has been with us for a while, and everybody is excited about the new innovations in cashless payment (especially in the matatu industry), which have generated a lot of excitement even though the industry is still finding its way towards industry-wide adoption. This is because there is no other industry Kenyans detest like the matatu industry. Most Kenyans detest matatu drivers (because of careless driving) and conductors because of their crooked and dishonest behaviour. No wonder we use disparaging names like “Makanga” and “Concordi / Konkodi” (local Swahili slang for pickpocket) to refer to conductors, since their aim is to con us out of our meagre shillings by increasing the fares or refusing to hand over change.

As the saying goes, “The more things change, the more they remain the same” ~Jean-Baptiste Alphonse Karr. Contactless radio-frequency identification (RFID) and Near Field Communication (NFC) chips bring in a new paradigm of IT risk profile, turning the ‘Concordi (Konkodi)’ into the ePickpocketer.

The OpenSSL Vulnerability – CVE-2015-1793

Severity: High

What is OpenSSL?
OpenSSL is a general purpose cryptography library that implements a cryptographic security protocol called TLS/SSL, and puts the “S” in HTTPS for many websites.

The Vulnerability
Hackers can lure or misdirect a user to a bogus website, email server, or any other internet service that uses TLS/SSL for its secure communication, so as to trick the user into thinking that they are somewhere legitimate and secure.

Effects of the bug
A hacker may be able to create a certificate in someone else’s name and then sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.

How big is the risk?
Four OpenSSL versions are affected:
• Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (The -a sub-version is immune.)
• Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Sub-versions up to and including -n are immune.)
• All 0.9.8 versions are immune.
• All 1.0.0 versions are immune.

What to do?
If you are using any of the affected OpenSSL versions listed above, you need to update to 1.0.2d or 1.0.1p as appropriate.
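As an added example (not part of the original post or of OpenSSL itself), the following POSIX shell check maps the output of `openssl version` onto the affected/immune list above; the function names are my own.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version against the CVE-2015-1793 list
# given in the post. Function names are my own, not from OpenSSL.

# Print the version token from an "openssl version" banner,
# e.g. "OpenSSL 1.0.2c 12 Jun 2015" -> "1.0.2c".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Print "affected", "not affected" or "unknown" for a version token.
# Always returns 0 so it is safe to call under "set -e".
cve_2015_1793_status() {
    case "$1" in
        # The four releases the advisory names as vulnerable.
        1.0.2b|1.0.2c|1.0.1n|1.0.1o)
            echo "affected" ;;
        # Everything else in the 1.0.2, 1.0.1, 1.0.0 and 0.9.8 lines:
        # 1.0.2d / 1.0.1p and later are fixed, earlier sub-versions and the
        # 1.0.0 and 0.9.8 branches are not affected.
        1.0.2*|1.0.1*|1.0.0*|0.9.8*)
            echo "not affected" ;;
        # Branches the advisory does not cover.
        *)
            echo "unknown" ;;
    esac
}

# Stand-alone use: check the OpenSSL binary on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    token=$(openssl_version_token "$(openssl version)")
    echo "openssl $token: $(cve_2015_1793_status "$token") by CVE-2015-1793"
fi
```

The version letter only reflects upstream releases: distribution packages frequently backport the fix while keeping the old version string, so confirm an "affected" result against the vendor's package changelog before acting on it.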

References
https://www.openssl.org/news/secadv_20150709.txt