Blender Fox


Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug

The Heartbleed bug is among the major security vulnerabilities we have seen in recent times. It's one of those cases where precaution is the order of the day. You could manually check sites or use Chromebleed, an extension that tells you if the site you're on was affected by the bug.

Chromebleed uses Filippo Valsorda’s little tool to test if the page was hit by Heartbleed and hasn’t issued a patch yet. You’re going to be safe on the bigger websites like Yahoo, but there’s a chance that some of the smaller sites haven’t yet patched their servers, so this little protection will help. If you do visit some such site, Chromebleed will throw a notification warning you, in which case it’s best to exit and notify the site’s developers to fix their issue.

Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug.

LastPass Now Tells You Which Heartbleed-Affected Passwords to Change

This week, a giant security hole came to light that affects a large portion of the internet. As different sites recover, you'll need to change your passwords, and now LastPass tells you when to do so.

Due to the nature of the Heartbleed bug (read more here), you'll need to wait until affected sites update their infrastructure before you change your passwords. LastPass' ever-useful Security Check tool now includes recommendations for Heartbleed, letting you know which sites have closed the hole, when, and if you should update yet.

To run the tool, just click on the LastPass extension and head to Tools > Security Check. After running the tool, you'll get the results (shown above) so you know what passwords to change. Hit the link to read more.

LastPass Now Tells You Which Heartbleed-Affected Passwords to Change.

What Is Heartbleed? The Video

Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords

Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.

The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon.

A number of other websites may, according to a list being distributed on GitHub, be vulnerable to the bug as well.

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.

And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.

A security patch for the bug was announced on Monday, but many websites are still playing catch up. That's why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.

Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords.

Sintel Restored on YouTube Editorial | BlenderNation

It looks like the message came through – as of 9am this morning (CET), Sintel is available on YouTube again. In case you missed it, there was an outcry on the internet this weekend as it was pulled by Sony after alleged copyright infringement.

To put things into perspective, these YouTube takedowns are massively automated. Software scans all the uploaded media and flags any material where they detect copyrighted material. Large corporations such as Sony have enough traction with YouTube that they can then also automatically take down these media (smaller companies have to manually submit a DMCA takedown notice).

So is there still a problem? You bet there is – we’re lucky to have a huge and vocal community behind us, that spread this story over the web in a couple of hours. The story was featured on Cartoon Brew, Boing Boing, Slashdot and Reddit (which nuked the BlenderNation server for a few hours). This helped revert the takedown. If you’re a small publisher however, you will find it nearly impossible to talk to anyone and get your video back up. These automated takedowns can destroy your project and leave you powerless.

Boing Boing hits the nail on the head with their comment:

While it’s probably a mistake, because this is so brain-meltingly obviously wrong, it’s also a very stark example of how sloppy, over-broad, and consequence-free enforcement of copyright can damage culture.

I don’t think there was any intent behind this particular takedown – just an unfair, unaccountable system. I’m glad we got Sintel back.

Sintel Restored on YouTube Editorial | BlenderNation.

Blogger Pulls Off $30,000 Sting to Get Her Stolen Site Back

If you have a domain of your own, especially one for a business, this is a must-read. If you have an easily guessable password, you DEFINITELY must read this.

For several days last week, RamshackleGlam.com – the domain name that I have owned and operated since March of 2010 – did not belong to me, but rather to a man who goes by the name “bahbouh” on an auction website called Flippa.com, and who was attempting to sell off the site to the highest bidder (with a “Buy It Now” price of $30,000.00). He promised the winner my traffic, my files, and my data, and suggested that I was available “for hire” to continue writing posts (alternatively, he was willing to provide the winner with “high-quality articles” and “SEO advice” to maintain the site’s traffic post-sale).

I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.

Blogger Pulls Off $30,000 Sting to Get Her Stolen Site Back.

Kent Police fined £100,000 after interview tapes abandoned at former station | ICO news release

The ICO’s investigation found that Kent Police had no guidance or procedures in place to make sure personal information was securely removed from former premises. The problem was made worse due to an apparent breakdown in communications between the various departments involved in the move.
ICO Head of Enforcement, Stephen Eckersley, said: “If this information had fallen into the wrong hands the impact on people’s lives would have been enormous and damaging. These tapes and files included extremely sensitive and confidential information relating to individuals, many of whom had been involved in serious and violent crimes. How a police force could leave such information unattended in a basement for several years is difficult to understand.

“Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned. It is only good fortune that the mistake was uncovered when it was and the information hasn’t fallen into the wrong hands.”

Kent Police fined £100,000 after interview tapes abandoned at former station | ICO news release.

Blocking IP ranges using IBLOCK lists and iptables

I’ve started looking at the iptables function within the Linux kernel, and found out that, with a bit of tinkering, you can use the IBLOCK lists to do a machine-wide block based on IP. You use pipes (gotta love ‘em) to route them into ipset, which lets you create a set of IP addresses/ranges that you then reference from iptables. You can use wget or curl. If you use wget, you might need to use the quiet switch. You can use xargs to download several lists and concatenate them. I’m tinkering with my download script at the moment.

First, create the set. Here, I have used a high maxelem number because I use a lot of IBLOCK’s lists. The “maxelem 1048576” can be omitted or the number reduced if you are only using one or a small number of IBLOCK lists.

ipset create IBLOCK hash:net maxelem 1048576

Second, download and add to the set if it doesn’t already exist. You can chain multiple lists into the wget or use xargs. For this example, I’m only using one.

wget -q "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" -O- |
    gunzip |
    sed 's/^.*://' |                  # keep the range after the LAST colon (list names may contain ':')
    grep -E "^[-0-9.]+$" |            # only lines that look like START-END ranges
    gawk '{print "add IBLOCK "$1}' |  # turn each range into an ipset restore command
    ipset restore -exist              # -exist: don't fail on ranges already in the set

Finally, add rules to iptables to drop packets to and from IP addresses that exist in the set. This means that packets coming in from external IPs that match addresses in the set will not be answered.

iptables -I INPUT -m set --match-set IBLOCK src -j DROP
iptables -I OUTPUT -m set --match-set IBLOCK dst -j DROP

When I tried this with my IBLOCK download script, it seemed to kill TOR functionality as well, which I suspect means that IBLOCK have included the TOR IP range in one or more of their lists, so I’ll need to determine which one(s) they are and exclude them, as I do use TOR actively.
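Putting the three steps together, as an added example that is not part of the original post: a converter that keeps list entries whose label contains a colon, skips entries whose label matches an exclusion pattern (the Tor ranges above, for instance), and a refresh routine that rebuilds the set in a temporary set and swaps it in atomically so the DROP rules never match against a half-filled set. The helper names and the sample list are assumptions; ipset/iptables are used as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the IBLOCK ipset from one or
# more gzipped p2p-format lists, skip entries whose label matches a pattern (e.g.
# the Tor ranges mentioned above), and swap the rebuilt set in atomically so the
# DROP rules never match against a half-filled set during a refresh.
# Assumptions: ipset/iptables as in the post; helper names are hypothetical.

# p2p_to_ipset SETNAME [EXCLUDE_REGEX]
#   stdin : p2p lines "label:START-END" (labels may themselves contain ':')
#   stdout: "add SETNAME START-END" lines ready for `ipset restore`
p2p_to_ipset() {
    awk -F: -v setname="$1" -v ex="${2:-}" '
        /^#/ || NF < 2 { next }                 # comment or junk line
        {
            range = $NF                         # text after the LAST colon
            label = substr($0, 1, length($0) - length(range) - 1)
        }
        ex != "" && label ~ ex { next }         # excluded list entry
        range ~ /^[0-9.]+-[0-9.]+$/ { print "add " setname " " range }
    '
}

# Constructed sample in the p2p layout (not a real IBLOCK list).
SAMPLE_P2P="# header comment
Some ISP range:1.2.3.0-1.2.3.255
Label:with colon:10.0.0.0-10.0.0.7
Tor exit nodes:5.6.7.8-5.6.7.8
not a list line"

# demo_filter [EXCLUDE_REGEX]: run the constructed sample through the converter.
demo_filter() { printf '%s\n' "$SAMPLE_P2P" | p2p_to_ipset IBLOCK "${1:-}"; }

# refresh_set SETNAME URL...: rebuild SETNAME from the given lists and swap it in.
# Needs root and network access; not exercised by the offline check.
refresh_set() {
    name=$1; shift
    tmp="${name}_tmp"
    ipset create -exist "$name" hash:net maxelem 1048576
    ipset create -exist "$tmp"  hash:net maxelem 1048576
    ipset flush "$tmp"
    for url in "$@"; do wget -q -O- "$url" | gunzip; done |
        p2p_to_ipset "$tmp" "${EXCLUDE:-}" | ipset restore -exist
    ipset swap "$tmp" "$name"       # atomic: the live set is replaced in one step
    ipset destroy "$tmp"
}

# install_rules SETNAME: add the two DROP rules only if they are not already present.
install_rules() {
    name=$1
    for spec in "INPUT src" "OUTPUT dst"; do
        set -- $spec                # $1 = chain, $2 = match direction
        iptables -C "$1" -m set --match-set "$name" "$2" -j DROP 2>/dev/null ||
            iptables -I "$1" -m set --match-set "$name" "$2" -j DROP
    done
}

# Example run (as root):
#   EXCLUDE='Tor' refresh_set IBLOCK \
#     'http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz'
#   install_rules IBLOCK
```

Run the refresh from cron with the same EXCLUDE pattern and the rules keep working across list updates because the set name never changes.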

As with most things, there’s more than one way to do this, and this is one of many ways you could implement blocking behaviour.

Source: Dustin C. Hatch, Using PeerBlock lists on Linux

Port Knocking

Remember when you used to only open the door when a certain pattern of knocks was heard? You can do the same with ports - the so-called “Port Knocking”. It provides another layer of security to your system as ports are not opened until the correct knocking pattern is received.

Haven’t installed or tried this myself, but may do over the weekend.

www.boynux.com/how-to-en…

en.wikipedia.org/wiki/Port…

http://www.microhowto.info/howto/implement_port_knocking_using_iptables.html

https://wiki.archlinux.org/index.php/Port_Knocking

http://www.debian-administration.org/articles/268

http://www.zeroflux.org/projects/knock/

Fix the iPhone's Security Bug On Jailbroken Phones without Upgrading

Fix the iPhone's Security Bug On Jailbroken Phones without Upgrading.

Behind iPhone's Critical Security Bug, a Single Bad 'Goto'

Some software bugs are infinitely subtle and complicated. Others are comprehensible almost at a glance to anyone who dabbled in BASIC as a kid. The iOS 7 bug is in the latter group.

Did you see it? This function is called when an iPhone connects to an encrypted site over SSL: it’s meant to verify that the encryption key is being vouched for — digitally signed — by the operator of the website.

But notice the two “goto fail” lines, one after the other. The first one belongs there. The second is a typo. That extra, duplicative line diverts the program’s execution, like a bypass stent, right past a critical authentication check. The part where the digital signature is actually checked is dead code, never reached.

Behind iPhone’s Critical Security Bug, a Single Bad ‘Goto’ | Threat Level | Wired.com.

Something just blew up. In Apple's face. Big time.

Why Apple’s Recent Security Flaw Is So Scary.

On Friday, Apple quietly released iOS 7.0.6, explaining in a brief release note that it fixed a bug in which "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." That's the understated version. Another way to put it? Update your iPhone right now.

Oh, and by the way, OS X has the same issues—except there's no fix out yet.

In simple terms, someone can intercept traffic between you and the site you're accessing, and pull off a "Man in the Middle" attack.

I could make all manner of snarky comments on this, but I won’t.

Microsoft and Google lead coalition demanding limits on government surveillance

In October, the tech industry's biggest companies petitioned congress to reform the US Government's surveillance policies. Now, the firms are taking their pleas global. Microsoft, Apple, Facebook, Google, LinkedIn, Yahoo and AOL (Engadget's parent company) have banded together to ask the world's governments to reassess their intelligence practices. This time, however, the firms are presenting more than a strongly worded letter - they've laid out five core reform principles, detailed both on an official website and in full-page ads in national publications.

The breakdown is fairly straightforward; the group asks that government’s authority be imposed with “sensible limitations on their ability to compel service providers to disclose user data,” and that they give more consideration to the link between privacy and trust required by technology providers and their users. The group is also demanding increased oversight, accountability and transparency, outlining a system that allows companies to publish the nature and frequency of user information requests and attached to a “clear legal framework” with “strong checks and balances.” Governments outside of the US are encouraged to work together too, to create a “robust, principled and transparent framework” to guide requests for data across jurisdictions. The group of tech giants also wants these changes to respect the flow of information, and ensure that service providers are able to build infrastructure on a global scale, without needing to store data inside the country for the sake of national government inquiries.

“Unchecked, undisclosed government surveillance inhibits the free flow of information.” Twitter CEO Dick Costolo writes on the movement’s website. “The principles we advance today would reform the current system to appropriately balance the needs of security and privacy while safeguarding the essential human right of free expression.”

An open letter to Washington underlines the campaign, noting that “the balance in many countries has tipped too far in favor of the state and away from the rights of the individual.” The companies pledge to keep user data secure with encryption technology and by fighting unreasonable government requests, but change needs to start from within. “Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information.” Mark Zuckerberg stated. “The US government should take this opportunity to lead this reform effort and make things right.” Indeed, the letter asks that Congress do just that: “take lead and make reforms” that would bring the proposed changes to fruition.

While the firms openly acknowledge the government’s need to take certain actions for the public good, they clearly state that the current laws governing surveillance are no good, and may even be hurting future adoption of new technologies. Microsoft’s Brad Smith puts it best, “People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it."

Microsoft and Google lead coalition demanding limits on government surveillance.

Tech Companies Outline More NSA Reform Demands

CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive

CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive.

iOS 7 bug lets you call any number from a locked homescreen (video)

iOS 7 bug lets you call any number from a locked homescreen (video).

Hackers Mistake NASA For NSA, Take Down Wrong Home Page

Hackers Mistake NASA For NSA, Take Down Wrong Home Page.

How to enable port knocking in Linux | BOYNUX

How to enable port knocking in Linux | BOYNUX.

Facebook: We Failed Timeline Hacker

Facebook has long been associated with all manner of negative connotations, from murder, rape, party-crashing, yet, when one person tries to point out a security hole, they get the virtual equivalent of a f**k off, denial that it is a bug, and a metaphorical middle finger? So the hacker then takes it higher and gets suspended for violating T+Cs? Why am I not surprised by Facebook's behaviour? Because that is what I have come to expect of Facebook.

I am thankful I have no Facebook account. I used to many moons ago, and terminating it was probably the best decision of my life.

Facebook: We Failed Timeline Hacker.

LastPass Passwords Exposed for Some Internet Explorer Users

Internet Explorer, a malicious hacker’s dream. Am I the only one to think that as long as you have it installed, you’ve got a hole in your system?

LastPass Passwords Exposed for Some Internet Explorer Users.

Hacker posts Facebook bug report on Zuckerberg’s wall — RT News

Evidently, unfriending people on Facebook won’t stop them posting on your timeline, as this article proves. And the surprising thing (or unsurprising, depending on your perspective), is that Facebook refused to acknowledge it was a bug, so the whitehat went all the way to the top and posted on Zuckerberg’s wall.

Hacker posts Facebook bug report on Zuckerberg’s wall — RT News.

Do you have the dumbest PIN in ATM history?- MSN Money

Is your Credit/Debit/ATM card PIN in this list? Change it – NOW.

  1. 1234
  2. 1111
  3. 0000
  4. 1212
  5. 7777
  6. 1004
  7. 2000
  8. 4444
  9. 2222
  10. 6969

Do you have the dumbest PIN in ATM history?- MSN Money.

Security

As a result of the Ubuntu Forums hack recently, I’ve now had to spend several hours going through all my internet login accounts to see whether or not I have used the same password anywhere else. Not surprisingly, I have, so I have to go through and change them all. Fortunately, LastPass allows me to generate secure passwords which I can use to replace other passwords. The only real place where I would be concerned if they had access would be email, but I have 2-factor authentication turned on there, and have had it turned on for many months, and they need my email address, password AND phone to get into my account. Even my backup codes are stored on a TrueCrypt volume stored on a LUKS partition on my laptop, so they would need two passwords to get at those.

Mind you, it IS good that these forums were hacked, it’s given me a reason to go through my accounts and see which ones I still use and which ones I can delete.

Ubuntu Forums

Hello,

You are receiving this message because you have an account registered with this address on ubuntuforums.org.

The Ubuntu forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

The ubuntuforums.org website is currently offline and we are working to restore this service. Please take the time to change your ubuntuforums.org account password when service is restored.

We apologize for any inconvenience to the Ubuntu community, thank you for your understanding.

The Canonical Sysadmins.

Google WTF

Just got this in the email from Google Wallet:

Hello,

As you may know from your existing banking relationships, European law requires that payments providers take steps to verify the identities of their customers. Google has designed procedures to comply with those requirements while protecting and respecting the confidentiality of your personal information.

Please be aware that your account has been temporarily suspended and will remain so until you have completed our verification process. To learn how to resolve this issue, please visit the following link within three business days:

http://support.google.com/wallet/bin/request.py?hl=en&contact_type=bvid

Please note that failure to provide the requested verification documents may result in account closure.

Sincerely, The Google Wallet Team

Google Payment Ltd is authorised and regulated by the Financial Services Authority.

Google Payment Ltd is a company registered in England and Wales with company number 5903713. Its registered address is Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ.

Sincerely,
The Google Wallet Account

Checking the link (which isn't phished by the looks of it) says they want a scan of two forms of ID. One of: and one of: There is NO WAY I'm going to upload scans of my ID to any company unless it's required for things such as security clearance or country visas, or required for work-related purposes.

Clicked on “Report Phishing” :)