Posts tagged Security

Protect Yourself Against Heartbleed, The Web’s Security Disaster

The recently discovered Heartbleed bug exposed a gaping hole in the security software that’s supposed to keep your information private while shopping, managing your finances or sending and reading email. While there still aren’t any signs that the bug has actually led to eavesdropping or theft—financial, identity or otherwise—it’s probably only a matter of time.

The good news is that there are ways you can protect your information from thieves and snoops. The bad news is that they’re simple but not necessarily easy.

Why Heartbleed Is A Big Deal

First, some quick background. The Heartbleed bug allows potential attackers to sidestep the cryptographic security that normally protects Web communications on sites that use an open-source version called OpenSSL. In essence, the bug allowed attackers to grab random bits of information from Web servers—information that could include usernames and passwords, the cryptographic “keys” that shield traffic from prying eyes, or even the coded “certificates” that websites use to verify that they are who they say they are.

In the worst case, exposure of that information could allow attackers to read all traffic to and from a given site, or even to impersonate the site itself—which could be, let’s just say, bad if the site in question happens to be a malign copy of your bank. (For a deeper technical breakdown of Heartbleed, check out ReadWrite’s FAQ here.)

Heartbleed went undetected for the past two years, and no one knows who might have known about it during that time or what they might have been doing. Now that it’s out in the open, up to a half million widely trusted websites—including many that people use every day, such as the popular and much-maligned Yahoo Mail—have been scrambling to patch the flaw and update their security protocols to protect users. 

But that’s just a first step. Because it’s impossible to tell if anyone has exploited the bug, you won’t know if you’ve been victimized until it’s too late. Worse, if an attacker has recorded any of your encrypted Web traffic over the past few years, they might now be able to retroactively decrypt that information. Because of Heartbleed’s staggering unknowns and its possible future consequences, security expert and veteran cryptographer Bruce Schneier calls the bug “catastrophic,” adding that “on the scale of 1 to 10, this is an 11.”

It’s also not simple for companies to fix. Any affected site will have to patch the OpenSSL bug, then revoke their existing digital certificates and re-issue them. Then its managers get to start combing though their systems for other traces that could indicate whether anything was compromised.

What You Need To Do

Here’s your basic checklist as a user:

  • Check to see whether sites you use regularly were vulnerable to Heartbleed in the first place
  • Change your passwords on those sites immediately
  • Monitor those sites to determine if they’ve patched the bug and reissued their digital certificates
  • When one does, change your password again

Remember how I said protecting yourself is simple but not easy? That’s what I was getting at. Now let’s go through all that in detail.

Check Sites For Vulnerability

Not sure if your data is safe with your favorite site? Treat it to the Heartbleed test, a tool devised by an Italian programmer named Filippo Valsorda that determines whether or not a site was affected by Heartbleed. If it was, it’s probably best to go ahead and change your password even if the site hasn’t fixed things up yet. It won’t fully protect you because your new password will still be vulnerable to theft, but it might slow down a hypothetical data scammer.

Another, more hardcore SSL server test on Qualys provides an in-depth analysis of security encryption configuration and grades websites on their security strengths. It might give you a little more peace of mind than Valsorda’s quick-and-dirty test. The test takes about a minute and tests various security protocols including certificate and cipher strength, key exchange, and protocol support.

CNET has posted a list of the Heartbleed status of the Web’s top 100 sites. The password manager LastPass also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users. 

If you use the Google Chrome web browser, you can install the Chromebleed Chrome extension. Once installed, you’ll receive a warning any time you visit a site that was affected by Heartbleed.

Change Your Passwords

Pro tip: Change your passwords immediately, but then change them again when an affected site has been determined to be safe from Heartbleed. You’ll know you’re safe by doing a manual check using the tools above, or when you receive an email from the company that has been affected. I would suggest doing your own check, however. 

Late Wednesday I received an email from IFTTT—the productivity tool that simplifies sharing and automation across the Web—letting me know the bug was fixed and that I should change my password not just on the site, but anywhere else I store secure information. It’s very likely most companies that have been compromised will send similar emails. 

Keep Checking

You won’t really be done until every site you use regularly has patched OpenSSL and reissued its digital certificates. It’s going to be a pain to stay on top of all that, no question. If you want to live dangerously, you could just wait a few days and then change your passwords—but there’s no guarantee that someone won’t be sniffing out your data in the meantime.

Do Your Own Security Check Up

Now is a great time to do a little security spring cleaning. Unfortunately it took a critical bug to remind us all our data is never as secure as we think it is. If nothing else, Heartbleed should prompt us to rethink our security measures.

So take a minute to make sure your username and password are strong, and that you don’t notice any malicious activity in your accounts.

Password managers like LastPass can help users maintain tough security measures. The password manager lets you generate and save passwords for all your favorite sites, and requires only one login to access them all. (The LastPass site itself was affected by Heartbleed, but the service says no user data was at risk because it doesn’t hold the keys to the encrypted information it stores.)

Once all websites impacted by Heartbleed are patched, regularly access those affected accounts and make sure all the only updates, conversations or purchases registered on the site were indeed made by you. This is a good habit to get into, even on sites that are, in theory, secure. 

Updated: This story was updated to include a reference to the Chromebleed extension. 

Lead image courtesy of Sarah on Flickr. Heartbleed logo courtesy of Heartbleed.com

View full post on ReadWrite

Google Beefs Up Android Security In Wake Of Fake App Scam

Google’s Android security bouncer is packing on some extra pounds for the spring.

Earlier this week, Android users were rocked when they discovered a hot new app that had rocketed to the top of the Google Play charts was a total fake. The app—Virus Shield—promised security protection for apps that users had downloaded on their Android devices. The problem? Virus Shield didn’t actually do anything. It was a paid app ($3.99) that didn’t do what it claimed to do. Google has since pulled it from the Google Play store.

Android users have a natural—if not totally justified—fear for the security of the apps they download on their devices. In the wake of the NSA’s spying scandal, reports of poor security on Android and more recently Heartbleed, Internet users have developed a semi-rational paranoia about whether or not apps and websites do exactly what they say they do.

To reassure Android users that security is still a primary focus at Google, the company today announced a new update to its “Verify Apps” program that continuously scans apps both on Google Play and on users devices to ensure they’re behaving in the way they are supposed to, even after the app has already been downloaded.

The benefits of continual security monitoring are obvious. Apps sometimes change permissions (like the ability to read your messages, access your calendar, etc.) with new updates or request permissions they don’t necessarily need. Continuous app scanning from Google’s Android Verify Apps program should keep users safe by providing a check on apps that are behaving badly.

That being said, Verify Apps will not protect users from apps that still do what they promise to do, but use the information for nefarious purposes or fail to secure users’ information properly.

Verify Apps is the extension and maturation of Google’s Android “bouncer” program that was released in February 2012. Bouncer scans every app in Google Play against a list of known malware bugs and vulnerabilities, so if an app is flagged as malicious, a user will be warned not to install the app, or else Google will block the installation itself.

The Verify Apps feature is automatically enabled for any Android users running version 4.2 Jelly Bean or higher, and can be accessed in the security settings of Android devices. 

Google claims that Verify Apps, in the last year, has been used 4 billion times to scan apps at the time of install. According to the company, only 0.18% of installations result in warnings for users; despite how Google presents those figures, however, that’s still 7.2 million warnings. The Android maker would probably like those numbers to drop, but considering Android’s continued global expansion, the company will likely need to reassess its security measures to ensure the ecosystem stays open but also safe.

View full post on ReadWrite

3 Security Tips For Every User From NSA Whistleblower Edward Snowden

Editor’s note: This post was originally published by our partners at PopSugar Tech.

Edward Snowden is one of the most wanted men in America. The NSA-tapping whistle-blower fled to Russia for fear of arrest but risked exposing his location to speak to the crowd at South by Southwest.

Snowden appeared live via Google Hangouts to discuss the future of cybersecurity alongside privacy advocates and security gurus Ben Wizner and Christopher Soghoian of the ACLU. His revelations about the American government agency’s mass surveillance tactics shocked the world in June 2013 and exposed the security weaknesses of Google, Apple, Facebook, and many of the other services cybercitizens use every day.

During the conversation at SXSW, Edward shared his advice on protecting your information from surveillance, which we lay out in nonhacker lingo below.

Snowden’s Security Tips  

  • Full disk encryption—This protects your hardware, meaning your physical computer. TrueCrypt is a good free option. It is open-source encryption for Macs, Windows 7/Vista/XP, and Linux. 
  • Network encryption—Browser plug-ins and SSL (Secure Sockets Layer) will suffice. Block Prism for Chrome secures Facebook messaging. NoScript for Firefox, ScriptSafe for Chrome, and Disconnect for Safari are viable plug-ins.
  • TorTor is a more dramatic step you can take to stay secure. It’s a network of virtual tunnels (a mix routing network) that sends your ISP to a cloud through a network of routers, making it impossible for your telecommunications provider to spy on you by default. Learn more at TorProject.org.

Snowden at SXSW: The Best Quotes

During the virtual conversation, all speakers had great insights on what security should look like in our future. The main takeaway was that developers need to think about turning on security right at the get-go and turn on security features by default for all web services.

Snowden said that companies could still collect the data necessary to perform an operation — but that these services need to relinquish and destroy this information once it’s no longer needed. All speakers also called for simpler, easier-to-use security tools, which are typically made “by geeks, for geeks,” according to researcher Soghoian, and are oftentimes overly complicated. 

More stories from PopSugar Tech:

3D-Printed Oreos: The Future Tastes Like Customized Cream Filling
Who Knew? 7 Reasons Shaq Is Literally the World’s Biggest Geek
The Fan-Funded Projects of Celebrity Kickstarter Campaigns
Game of Thrones + Oculus Rift = A Winning Combo
So Sweet: A Company Turns Your Relationship Texts Into the Best Gift Ever

View full post on ReadWrite

GnuTLS Bug: Linux Security Flaw Leaves Users Vulnerable To Hacks

A variety of Linux distributions are vulnerable to hacks because of a bug that allows people to bypass security protocols to intercept and disseminate encrypted information. A member of the Red Hat security team discovered a bug in the GnuTLS library that allows hackers to easily circumvent the Transport Layer Security (TLS) and secure sockets layer (SSL).

The vulnerability affects the certificate verification, meaning secure connections that are supposedly going through as secure, are not. Someone could compromise a secure connection by using a “man-in-the-middle” attack, acting as the server to intercept traffic, financial transactions or secure information.

Apple suffered its own flaw last week when researchers discovered a critical security vulnerability that allowed hackers to spoof servers and intercept supposedly secure data from Apple’s servers. In terms of numbers of users affected, the GnuTLS flaw is considerably smaller than Apple’s bug, which affected iOS and Mac devices alike, but patching the GnuTLS vulnerability for all Linux users will be harder.

A Red Hat representative offered a statement to ReadWrite:

Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team and GnuTLS project discovered a certificate verification security issue affecting GnuTLS on February 19th, 2014 whilst auditing the code. We then used our standard processes to notify and work with other affected distributions in advance. Updates to correct this flaw were released on 3rd March 2014 from Red Hat, GnuTLS, and others.

Red Hat offers an advisory that explains how GnuTLS users can upgrade to packages that correct the issue.

According to Ars Technica, over 200 different operating systems or applications are vulnerable. The bug impacts a number of open source packages including Ubuntu, Debian and Red Hat distributions of Linux. It is still unconfirmed exactly how many systems or applications are vulnerable to the flaw.

Complaints as far back as 2008 point to insecurities in the GnuTLS code. One thread on an OpenLDAP forum, posted by the chief architect at software company Symas, suggested the GnuTLS code is broken, and “completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.”

An advisory from GnuTLS tells users to update to the most recent version, or apply the patch listed on its site, to fix the problem. Debian also released an advisory about the bug, offering similar instructions. 

How It’s Worse Than Apple’s Security Flaw

After Apple discovered its SSL bug last week, the company quickly responded with emergency bug fixes for iOS and OS X shortly thereafter. Apple was, more or less, able to release fixes across its desktop and mobile ecosystems in one fell swoop—roughly about four days apart—but not before a man-in-the-middle proof of concept was published to take advantage of Apple’s iOS and OS X exploit.

Unlike Apple customers, Linux users don’t all run the same operating system that can easily be updated, and companies have to do more than test the patch on a handful of packages.

“It’s not just a matter of patching these bugs, but you have to go back and see how the software reacts to the patch—so many software packages in the scope of getting fixed,” said Casey Ellis, security researcher and CEO of the firm Bugcrowd. “Not only are there multiple software packages, but you have multiple clients and software packages on top of that.”

This goto fail; website determines whether your software is vulnerable to the Apple bug, and it now works for the GnuTLS bug, too. Ellis confirmed the website works for figuring out if client software is vulnerable, but it is not as reliable as it was for the Apple bug. A single “pass” might not be accurate since multiple software packages could be installed on a system.

However, as CloudWeaver founder and CTO Carlo Daffara points out, the GnuTLS bug isn’t nearly as big a deal as Apple’s SSL bug.

The exact number of users affected by the GnuTLS bug is unclear, and unlike Apple’s proprietary software, open source updates are optional. So, if there is a vulnerability on one server, each server represents thousands of users that could potentially be affected. But at least the GnuTLS bug fix out there already—now it’s just up to people to upgrade.

“The Apple bug was a big deal because it affected [millions] of mobile consumers, but the scope of people affected by [the GnuTLS vulnerability] is probably smaller,” Ellis said. “It’s worse because it will take a lot longer to clean up. In terms of being messy and difficult to recover from, it’s worse.”

Image courtesy of Home of Chaos on Flickr

View full post on ReadWrite

Belkin WeMo Home Automation Products Are Not Safe, Security Researchers Claim

Security firm IOActive issued a surprise advisory Tuesday urging Belkin WeMo customers to halt use of their smart home products, thanks to its discovery of several vulnerabilities hackers could use to infiltrate home networks and connected home appliances, including thermostats, lights and other devices. 

According to a report by Ars Technica, multiple notifications were sent to Belkin from IOActive as well as the U.S. Computer Emergency Readiness Team (US-CERT), but its failure to respond or address the holes—which include insufficient data encryption, insecure delivery of software updates and other issues—compelled the security researchers to issue the stern warning. 

Update Feb 19, 2014 10:00AM PST: According to a ZDNet report, Belkin issued a statement late Tuesday indicating that the company had been in touch with IOActive before the advisory went out and patched five security holes. 

ReadWrite reached out to Belkin via email, and the company said it has already addressed security flaws in its WeMo API server, WeMo firmware and WeMo apps, and that products with the recent firmware release (version 3949) are not vulnerable to malicious firmware attacks, including remote control or unauthorized monitoring of WeMo devices.

The company provided the following information: 

Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices as described in the report. Belkin urges such users to download the latest app from the App Store (version 1.4.2) or Google Play Store (version 1.1.2) and then upgrade the firmware version through the app.

Specific fixes Belkin has issued include:

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.

2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack

3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update

The post will be updated if more information becomes available. 

View full post on ReadWrite

Home Automation Products From Belkin WeMo Are Not Safe, Security Researchers Claim

Security firm IOActive issued a surprise advisory Tuesday urging Belkin WeMo customers to halt use of their smart home products, thanks to its discovery of several vulnerabilities hackers could use to infiltrate home networks and connected home appliances, including thermostats, lights and other devices. 

According to a report by Ars Technica, multiple notifications were sent to Belkin, but its failure to respond or address the holes—which include insufficient data encryption, insecure delivery of software updates and other issues—compelled the security researchers to issue the stern warning. 

View full post on ReadWrite

Yahoo Suffers Mail Security Breach

Yahoo said it has been the target of a security attack aimed at Yahoo Mail users. Yahoo identified a coordinated effort to gain control of email accounts. Yahoo did not specify how many users or accounts were affected.

The Yahoo Mail usernames and passwords used in the hack were likely collected from a compromised third-party database, the company said in a blog post. Yahoo is resetting passwords of affected accounts and using two step authentication, including SMS notifications to to further secure accounts. 

The company said it is working with federal law enforcement to determine who was responsible for the hack.

View full post on ReadWrite

Security Is The Least Of Hadoop’s Concerns

Hadoop is a big deal, but its adoption is still stuck in first gear, despite what the media or vendors are telling you.

The reason? As much as enterprises would like to make better use of their data to improve their businesses, they’re still trying to decipher the complexity of Hadoop and other Big Data tools. More fundamentally, according to a recent Gartner webinar, Hadoop’s biggest roadblock may well be that people can’t figure out what they’re supposed to do with it.

Hadoop proponents that make the platform out to be a magical, dancing unicorn, aren’t helping.

Pass The Instruction Manual, Please

It’s not like enterprises are sitting on their hands when it comes to Big Data. According to Gartner, while 31% of enterprises still have no plans to roll out a Big Data project (the same percentage as in 2012), 30% have invested in Big Data technology, including Hadoop and NoSQL databases, up from 27% in 2012. Fewer people are on the fence, too, with the percentage of those who “don’t know” if they’re going to invest in Big Data dropping from 11% in 2012 to 5% in 2013. 

That’s progress. But the news is being hobbled by confusion as to just what Big Data, and particularly Hadoop, is good for.

In the webinar, Gartner analysts Merv Adrian and Nick Heudecker walked through a few things needed in this next wave of Hadoop adoption, suggesting we’re entering an era when “adult supervision” is needed for proper governance and security in Hadoop and NoSQL. The analysts pointed to security, governance and enterprise data warehouse integration as priorities for enterprise integration, making new Big Data technologies fit within existing IT infrastructure.

But when the analysts asked webinar attendees the biggest barriers to Hadoop adoption, the results were surprising.  

Nearly 50% of attendees cited Hadoop’s lack of a clear value proposition as its biggest barrier to adoption. After this came its lack of integration with existing infrastructure, then the difficult acquisition of necessary Hadoop skills. Security, which normally tops the enterprise wish list, was cited by a mere 1% of attendees, which “amazed” Gartner.

Security As A Secondary Concern

Security matters when a technology has moved beyond the evaluation phase and is being embraced in earnest. Clearly Hadoop isn’t there yet. This isn’t to say that it won’t be, but rather Hadoop still has a range of questions to answer before it can go mainstream.

Like, where’s the “on” button?

As I’ve written before, we’re still in a vortex of Big Data hype and hope, and Hadoop plays a leading role in this. Enterprises are still trying to figure out what to do with their data:

Hadoop vendors, in particular, may not be helping with this. Hadoop vendors often fall into the trap of speaking optimistically of what Hadoop will be able to do as if it already can. For example, Cloudera executive and Hadoop founder Doug Cutting insists batch-oriented Hadoop will be able to do transactions and anything else an enterprise could want.

“My belief is the sky is the limit,” Cutting said. “It’s hard to imagine a kind of a workload that you can’t move to this platform.”

Actually, it’s easy to imagine all sorts of workloads that don’t fit Hadoop. In a call with IDC this week, the intelligence firm expressed serious doubts as to the ability to turn Hadoop into an online transaction processing (OLTP) system to facilitate data entry and commercial transactions. It’s not a thneed, in the Suessian sense:

A Thneed’s a Fine-Something-That-All-People-Need!

It’s a shirt.  It’s a sock.  It’s a glove.  It’s a hat.

But it has OTHER uses.  Yes, far beyond that.

You can use it for carpets.  For pillows!  For sheets!

Or curtains!  Or covers for bicycle seats!

Frankly, the Hadoop advocates may not be doing themselves—or their customers—any favors by spinning the Hadoop story in this way. As revealed by Gartner’s poll, enterprises are confused by the mysticism surrounding Hadoop. They’re concerned with its basic value proposition, not its ability to be everything to everyone. Indeed, that sort of marketing is almost certainly complicit in the confusion.

No Need To Hype Hadoop

Hadoop is extremely elaborate, but that doesn’t mean it’s not incredibly important technology. It is. For enterprises rolling out Big Data projects, Hadoop should definitely be one of the technologies they consider.

But Hadoop today is hard, and its proponents need to spend more time focusing on making it easy, not necessarily blowing it up into some mythical technology. As Jonathan Gray, founder and CEO of Continuuity, highlights, “Hadoop is a distributed system, and exposes itself as such, but most developers/operators are not distributed systems experts.” All the more reason, then, for companies like Cloudera and Hortonworks to help guide newbies, as called out by Justin Kestelyn, developer community advocate at Cloudera: “Hadoop is complex and the knowledge gaps are huge. Hence Cloudera!” (Or another, preferred vendor.)

This is the real, short-term opportunity for Hadoop vendors: To make it easier to understand. That’s far more important than making it magical. It also happens to be a huge opportunity.

View full post on ReadWrite

Go to Top
Copyright © 1992-2014, DC2NET All rights reserved