Posts tagged Security

New Security Flaws Render Shellshock Patch Ineffective

Your system is still vulnerable to the Shellshock bug, even if you’ve patched it. Security researchers have found new flaws in bash, rendering previous patches ineffective.

See also: How To Detect And Patch This Big, Bad Unix Bash Shellshock Bug

The bash shell is an omnipresent command-line interpreter used by default in Unix and Linux, and by extension, Apple’s OS X software. The shell itself is decades old, and it turns out the bug has been present for the last 22 years without detection.

Linux stewardship company Red Hat released a series of fixes to patch up the eight or so versions of bash that were vulnerable. On Friday, Red Hat released a second round of patches to resolve newly discovered security flaws, and those discoveries keep coming.

See also: The Bash Bug Makes Every Mac Vulnerable; Here’s How To Patch It

Google security researcher Michal “lcamtuf” Zalewski has been tweeting as he uncovers increasingly serious vulnerabilities in the bash shell. He recommends Red Hat security researcher Florian Weimer’s still-unofficial patch.

At the moment, the only people who need to worry about patching the Shellshock bug right away are system administrators and people who have tweaked the advanced Unix settings on machines running OS X or Linux.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” Apple said.

Photo via Shutterstock

View full post on ReadWrite

Apple To Increase iCloud Security Following Celebrity Photo Theft

Apple CEO Tim Cook

Apple said it will introduce more security alerts and better educate consumers about why and how to use iCloud in the wake of an iCloud breach in which hackers obtained personal and revealing pictures of female celebrities and posted them online.

CEO Tim Cook told the Wall Street Journal that the company will start alerting people through email and mobile push notifications when anyone tries to change a password on an Apple account, restore iCloud data to a device that isn’t yet registered with the account, or when a new device logs into iCloud.

See Also: How Apple Made Its Users Vulnerable To iCloud Theft

Cook also gave more information on what the company originally said was a “highly targeted attack,” describing the way hackers correctly guessed the celebrities’ security question answers.

Apart from beefing up security measures, Cook said the company needs to do a better job of providing information to consumers—it’s not just the tech that needs a boost. 

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he told the newspaper. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Cook said Apple will begin using push notifications to alert users within the next two weeks.

Lead image by Valery Marchive 

View full post on ReadWrite

LinkedIn Locks Down Security, But Opens Up Data Export

LinkedIn is offering new security features that give you new tools for securing and controlling your information on the professional-networking site.

For instance, LinkedIn will now alert you when your password changes—and will give you a sense of where that request originated as well. When you change your password, you’ll not only get an email notification, you’ll be able to see which browser and operating system was used, as well as the IP address and approximate location of the computer or device used to request the change.

That warning to “change your password right away” may look a little tardy, but it actually takes you to a password-reset form that requests your email address and then sends you instructions.

Another privacy safeguard shows you where else you’re logged into LinkedIn and lets you log out of sessions you’re not currently using. Additionally, the service now lets users export all their LinkedIn data—that is, your entire profile, and post history and a variety of other activity. You can export your information here.

It’s probably a good idea to do a cursory check of your privacy settings while exploring the new security features, especially if you haven’t updated them in a while. But thanks to new features, users will be more aware of where and how their data is accessed, which will help make users—and their data—more secure on the site.

Lead image by Coletivo Mambembe; screenshot courtesy of LinkedIn.

View full post on ReadWrite

WordPress 3.9.2 Security Release Out, Immediate Update Recommended by @mattsouthern

WordPress 3.9.2 has just been rolled out as a security release for all previous versions. WordPress strongly recommends that you update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases. Other security changes in WordPress 3.9.2 include: Fixes a possible but unlikely code execution when processing widgets (WordPress […]

The post WordPress 3.9.2 Security Release Out, Immediate Update Recommended by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

Why Elle’s Profile Of Google’s “Security Princess” Made Me Roll My Eyes

I wish I had been able to read about women in tech in fashion magazines when I was a teenager. Maybe then I would have decided to become a woman in tech, too.

That was my first thought on reading Elle Magazine’s profile of Parisa Tabriz, “Meet Google’s Security Princess.” Tabriz, a white hat hacker who predicts how criminals will try to break into Google’s data centers, is no stranger to technology and business publications. But for her to appear in a women’s magazine is a novelty.

To its credit, Elle’s profile of Tabriz is lengthy, nuanced and portrays her as an intelligent and capable security engineer. But parts of it also made me cringe. To see what I mean, join me for a close reading.

The Woman For The Job

Congratulations, Elle writer Clare Malone! You’ve scored an interview with a top Google security official. So why not make sure your readers know all about her hair, clothes and (lack of) makeup?

Sure, I get that clothes are a quick way to describe a profile subject to an audience. And there’s certainly nothing wrong with a woman who rocks her own personal style. But Tabriz’s all-black wardrobe and the fact that she eschews makeup suggest that appearance is not a very important part of her personality. There’s more than one way to practice femininity, after all. 

I also get that Elle has an audience to cater to, one that cares a great deal about fashion. But when the same magazine did an interview with actor, tech investor and Steve Jobs portrayer Ashton Kutcher last year, it only briefly mentioned what he was wearing (“faded jeans and a gray T-shirt”) and that he used to model professionally.

Moving on.

“I didn’t touch computers up until college,” Tabriz tells her interviewer, demolishing the notion that women aren’t qualified for technical positions since they didn’t start early enough.

Of course, the last guy to say “women haven’t been hacking for the last ten years” by way of explaining why he didn’t fund their startups, Paul Graham of Y Combinator, had to say he’d been misquoted and make a very big show of it.

Tabriz doesn’t perceive gender as a negative for her, though she thinks she “may be a little more pushy than the [female] stereotype.”

So much of this profile focuses on Tabriz’s unique characteristics: her skill at math and science, her competitive nature, her driven curiosity about her compromised college website that led her to determine the hacker’s modus operandi. And that’s what’s important.

Of course Tabriz isn’t the “female stereotype.” No woman on Earth is. But to separate her in such a way to imply that she’s “not like the other girls” makes it seem like Tabriz didn’t succeed because of her motivation or skill, but because she’s somehow better at being a woman.

Getting Technical

Easily the best snippets of this profile are the sections in which Malone describes the nitty gritty of Tabriz’s work as a white hat hacker for a lay audience.

Of course, some women in technology might find it a little condescending to read Malone likening black-hat hackers to thugs who swipe expensive handbags: “not only do they swipe the Birkin, but they rifle through the crocodile-skin datebook to find new victims.” But let’s give the magazine the benefit of the doubt here, given its very specific audience.

Tabriz herself supplies quotes that make the highly technical nature of her work extremely approachable to a non-techie audience. For instance, she describes steganography, the craft of writing coded messages that are hidden in plain sight, by its very low-tech history:

A Greek emperor would shave a slave’s head, tattoo a message on it, let his hair grow back, and then say, “Go over to that other emperor.”

Further allusions to Tabriz’s skill at “think[ing] like a criminal” make it clear what Tabriz does every day—even if you only know about hackers from the movies.

Let’s Talk About Gender

Still, you can easily write a profile of a man in tech without discussing how his gender affected his career, either as a stand-in for a personality trait or as a hurdle to overcome. A high-profile woman in tech? Not so much.

Malone aptly notes that when it comes to a woman in a male-dominated field, to not discuss gender in the workplace would be to miss out on half the story. In Tabriz’s role at Google, gender is a daily consideration.

“If you have ambitions to create technology for the whole world, you need to represent the whole world, and the whole world is not just white men,” she told Malone.

Gender issues at Google, of course, have been grist for discussion for a while. Former Google vice president Sheryl Sandberg noted in her book, Lean In, that male Google engineers nominated themselves for promotions far more frequently than women.

Likewise, in the Elle article Tabriz mentions that the young women she mentors at Google sometimes have trouble asserting themselves. The onus is on women to make their own opportunities, and if they fail, they’re not leaning in far enough.

One way to help women in tech? Make them more visible, just like this profile does. (Though they might stand out even more without all the overt nods to gender.) Then maybe a young woman flipping through her fashion magazine, like I used to do, will discover a tough, capable role model taking a career path she’d never considered.

Lead image used with permission from Parisa Tabriz 

View full post on ReadWrite

TweetDeck Hacked And Temporarily Taken Offline Today Following Security Breach by @mattsouthern

Twitter took its desktop Twitter client, TweetDeck, offline today following what is reported to be a massive security breach.

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up. — TweetDeck (@TweetDeck) June 11, 2014

When news first broke, TweetDeck recommended that all users remove access to their accounts immediately. Then TweetDeck went a step further to protect its users when major accounts started spreading malicious code by completely shutting the service down. There have been multiple reports so far of malicious code emanating from a few major accounts, including politicians […]

The post TweetDeck Hacked And Temporarily Taken Offline Today Following Security Breach by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

WordPress Plugin All In One SEO Pack has Security Vulnerability – Tech Void

WordPress Plugin All In One SEO Pack has Security Vulnerability
Tech Void
If you own a WordPress site and use All In One SEO Pack plugin for your search optimization, listen up. Yesterday, an update was released by the plugin developers to patch several security vulnerabilities. The update was influenced by the cyber

View full post on SEO – Google News

Serious security hole found in SEO plugin used by millions of WordPress users … – Graham Cluley Security News

Serious security hole found in SEO plugin used by millions of WordPress users
Graham Cluley Security News
If so, you need to update the plugin as soon as possible to the latest version. The All in One SEO Pack plugin is a very popular choice for webmasters who wish to boost their WordPress-powered site's position in search engine rankings. Indeed, over 18 …

View full post on SEO – Google News

Post-Heartbleed, Open Source Gets A New Security Attitude

The Internet may not agree on much. But if there’s one idea its citizens can get behind, it’s that nothing like the Heartbleed bug should ever happen again.

And so the Linux Foundation—backed by Google, Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, IBM, Intel, Microsoft, NetApp, Rackspace and VMware—is launching a new Core Infrastructure Initiative that aims to bolster open-source projects critical to the Internet and other crucial information systems. Many such projects are starved for funding and development resources, despite their importance to Internet communications and commerce. 

The initiative is brand new—the steering committee hasn’t even had a meeting yet—so there aren’t many details as to how this will all work at the moment. 

It’s hard not to applaud such an important development, even if the promise seems somewhat vague. Of course, the details do matter; no one wants to lull a post-Heartbleed world into a false sense of security. The Heartbleed bug tarnished the image of open source. Another serious failure could erode support for it.

That would be a shame—mostly because, despite the hard knock it’s taken from Heartbleed, open-source software really is more solid than proprietary code.

Heartbleed: The Truth Is Stranger Than Fiction

One of the biggest arguments in favor of open source—which typically depends on volunteers to add and refine programs and tools—is that projects with many eyes on them are less prone to serious bugs.

Often enough, that’s exactly how it works out. A recent report from software-testing outfit Coverity found that the quality of open-source code surpassed that of proprietary software. Shocked? You shouldn’t be. Popular open-source projects can have hundreds or thousands of developers contributing and reviewing code, while in-house corporate teams are usually far smaller and frequently hobbled by strict confidentiality to boot.

Unfortunately, not all open-source projects work like that. OpenSSL—yes, the communications-security protocol that fell prey to Heartbleed—was one such project. 

This potentially huge security hole started out as a mistake made by a single developer, a German researcher named Robin Seggelmann. Normally, revised code gets checked before going out, and his work on OpenSSL’s “heartbeat” extension did go through a review—by a security expert named Stephen Henson. Who also missed the error.

So Heartbleed started with two people—but even involving the entire OpenSSL team might not have helped much. There are only two other people listed on that core team, and just a handful more to flesh out the development team. What’s more, this crucial but non-commercial project makes do on just $2,000 in annual donations.

If this were a fictional premise, no one would believe it. A critical security project, limping along on a couple of thousand dollars a year, winds up in the hands of two people, whose apparently innocent mistake goes on to propagate all over the Internet.

The Core Infrastructure Initiative aims to ensure that OpenSSL and other major open-source projects don’t let serious bugs lie around unfixed. Its plan: Fill in the gaps with funding and staff.

Making Open Source Whole


Security for the Internet at large was practically built on OpenSSL. And yet, the open-source software never went through a meticulous security audit. There wasn’t money or manpower for one.

From the Linux Foundation’s perspective, that’s unacceptable. 

The Linux operating system may be the world’s leading open-source success story. Volunteers across the globe flock to Linus Torvalds’ software, contributing changes at a rate of nine per hour. That amounts to millions of lines of code that improve or fix various aspects of the operating system each year. And it draws roughly half a million dollars in annual donations. Some of those funds go to Torvalds, Linux’s creator, so he can dedicate himself to development full-time. 

The Linux Foundation likewise sees its Core Infrastructure Initiative becoming a benefactor of sorts to key software projects, one that can direct funds to hire full-time developers, arrange for code review and testing, and handle other issues so that major vulnerabilities like Heartbleed don’t slip through the cracks again. 

The first candidate is—you guessed it—OpenSSL. According to the press announcement, the project “could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.”

But OpenSSL is just the beginning. “I think in this crisis, the idea was to create something good out of it,” Jim Zemlin, executive director of the Linux Foundation, told me. “To be proactive about pooling resources, looking at projects that are underfunded, that are important, and providing some resources to them.”

Sounds like a great idea. Not only does the move address specific concerns about open-source development—like minimal staffing and non-existent funding—it would also reinforce the integrity of critical systems that hinge on it. 

It’s an ambitious plan, one that came together at lightning speed. Chris DiBona, Google’s director of engineering of open source, told me Zemlin called him just last week with the idea.

“We [at Google] were doing that whole, ‘Okay, we’ve been helping out open source. Are we helping them enough?’” said DiBona, who reminded me that it was a security engineer at his company who first found the Heartbleed bug. “And then Jim calls up and says, ‘You know, we should just figure out how to head this off at the pass before the next time this happens.’ And it’s like, ‘Yeah, you’re right. Let’s just do it. We’ll try to find a way’.” 

Over the next few days, other companies immediately jumped at the chance to help. “I think it’s a historical moment, when you have a collective response to what was a collective problem,” said Zemlin.

The Core Infrastructure Initiative is still gaining new supporters. Just a few hours before I spoke with Zemlin and DiBona Wednesday evening, another backer signed on. As of this writing, 12 companies had officially joined the fold. Each is donating $100,000 per year for a minimum of three years, for a total of $3.6 million.

Those Pesky Details

Eventually, the details will have to be ironed out. There will be a steering committee made up of backers, experts, academics and members of the open-source community. And when they meet, they will need to make some big decisions—like determining criteria for deciding which projects get funded (or not). The committee will also need to figure out “what we consider to be a minimum level of security,” said DiBona. 

Zemlin is careful to note that he doesn’t want to fall into the trap of over-regulating or dictating so much that it would alter the spirit of open-source development. “Everyone who’s participating will respect the community norms for the various projects,” he said. “We don’t want to mess up the good things that happen by being prescriptive.”

He and his initiative will draw from the Linux Foundation’s experience powering Linux development. “We have 10 years of history showing that you can support these projects and certainly not slow down their development,” Zemlin said. And indeed, if anyone can figure it out, it could be him and his foundation. 

But it may not be easy, keeping the creative, free-spirited nature of open source alive in the face of serious core infrastructure concerns. Critical systems usually demand organization and regimented practices. And sometimes, to keep the heart from bleeding, a prescription might just be in order. 

Images courtesy of Flickr users John (feature image), Bennett (lonely developer), Chris Potter (money life preserver), Alex Gorzen (Linux Easter Egg).

View full post on ReadWrite

Open Source Gets A Security Patch, With A Little Help From Its Friends

View full post on ReadWrite

Copyright © 1992-2014, DC2NET All rights reserved