Posts tagged Security

Why Elle’s Profile Of Google’s “Security Princess” Made Me Roll My Eyes

I wish I had been able to read about women in tech in fashion magazines when I was a teenager. Maybe then I would have decided to become a woman in tech, too.

That was my first thought on reading Elle Magazine’s profile of Parisa Tabriz, “Meet Google’s Security Princess.” Tabriz, a white hat hacker who predicts how criminals will try to break into Google’s data centers, is no stranger to technology and business publications. But for her to appear in a woman’s magazine is a novelty.

To its credit, Elle’s profile of Tabriz is lengthy, nuanced and portrays her as an intelligent and capable security engineer. But parts of it also made me cringe. To see what I mean, join me for a close reading.

The Woman For The Job

Congratulations, Elle writer Clare Malone! You’ve scored an interview with a top Google security official. So why not make sure your readers know all about her hair, clothes and (lack of) makeup?

Sure, I get that clothes are a quick way to describe a profile subject to an audience. And there’s certainly nothing wrong with a woman who rocks her own personal style. But Tabriz’s all-black wardrobe and the fact that she eschews makeup suggest that appearance is not a very important part of her personality. There’s more than one way to practice femininity, after all. 

I also get that Elle has an audience to cater to, one that cares a great deal about fashion. But when the same magazine did an interview with actor, tech investor and Steve Jobs portrayer Ashton Kutcher last year, it only briefly mentioned what he was wearing (“faded jeans and a gray T-shirt”) and that he used to model professionally.

Moving on.

“I didn’t touch computers up until college,” Tabriz tells her interviewer, demolishing the notion that women aren’t qualified for technical positions since they didn’t start early enough.

Of course, the last guy to say “women haven’t been hacking for the last ten years” by way of explaining why he didn’t fund their startups, Paul Graham of Y Combinator, had to say he’d been misquoted and make a very big show of it.

Tabriz doesn’t perceive gender as a negative for her, though she thinks she “may be a little more pushy than the [female] stereotype.”

So much of this profile focuses on Tabriz’s unique characteristics: her skill at math and science, her competitive nature, her driven curiosity about her compromised college website that led her to determine the hacker’s modus operandi. And that’s what’s important.

Of course Tabriz isn’t the “female stereotype.” No woman on Earth is. But to separate her in such a way as to imply that she’s “not like the other girls” makes it seem like Tabriz didn’t succeed because of her motivation or skill, but because she’s somehow better at being a woman.

Also, FYI:

Getting Technical

Easily the best snippets of this profile are the sections in which Malone describes the nitty gritty of Tabriz’s work as a white hat hacker for a lay audience.

Of course, some women in technology might find it a little condescending to read Malone likening black-hat hackers to thugs who swipe expensive handbags: “not only do they swipe the Birkin, but they rifle through the crocodile-skin datebook to find new victims.” But let’s give the magazine the benefit of the doubt here, given its very specific audience.

Tabriz herself supplies quotes that make the highly technical nature of her work extremely approachable to a non-techie audience. For instance, she describes steganography, the craft of writing coded messages that are hidden in plain sight, by its very low-tech history:

A Greek emperor would shave a slave’s head, tattoo a message on it, let his hair grow back, and then say, “Go over to that other emperor.”

Further allusions to Tabriz’s skill at “think[ing] like a criminal,” make it clear what Tabriz does every day—even if you only know about hackers from the movies.

Let’s Talk About Gender

Still, you can easily write a profile of a man in tech without discussing how his gender affected his career, either as a stand-in for a personality trait or as a hurdle to overcome. A high-profile woman in tech? Not so much.

Malone aptly notes that when it comes to a woman in a male-dominated field, to not discuss gender in the workplace would be to miss out on half the story. In Tabriz’s role at Google, gender is a daily consideration.

“If you have ambitions to create technology for the whole world, you need to represent the whole world, and the whole world is not just white men,” she told Malone.

Gender issues at Google, of course, have been grist for discussion for a while. Former Google vice president Sheryl Sandberg noted in her book, Lean In, that male Google engineers nominated themselves for promotions far more frequently than women.

Likewise, in the Elle article Tabriz mentions that the young women she mentors at Google sometimes have trouble asserting themselves. The onus is on women to make their own opportunities, and if they fail, they’re not leaning in far enough.

One way to help women in tech? Make them more visible, just like this profile does. (Though they might stand out even more without all the overt nods to gender.) Then maybe a young woman flipping through her fashion magazine, like I used to do, will discover a tough, capable role model taking a career path she’d never considered.

Lead image used with permission from Parisa Tabriz 

View full post on ReadWrite

TweetDeck Hacked And Temporarily Taken Offline Today Following Security Breach by @mattsouthern

Twitter took its desktop Twitter client, TweetDeck, offline today following what is reported to be a massive security breach.

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up. — TweetDeck (@TweetDeck) June 11, 2014

When news first broke, TweetDeck recommended that all users remove access to their accounts immediately. Then TweetDeck went a step further to protect its users when major accounts started spreading malicious code by completely shutting the service down. There have been multiple reports so far of malicious code emanating from a few major accounts, including politicians […]

The post TweetDeck Hacked And Temporarily Taken Offline Today Following Security Breach by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

WordPress Plugin All In One SEO Pack has Security Vulnerability – Tech Void

WordPress Plugin All In One SEO Pack has Security Vulnerability
Tech Void
If you own a WordPress site and use All In One SEO Pack plugin for your search optimization, listen up. Yesterday, an update was released by the plugin developers to patch several security vulnerabilities. The update was influenced by the cyber

View full post on SEO – Google News

Serious security hole found in SEO plugin used by millions of WordPress users … – Graham Cluley Security News

Serious security hole found in SEO plugin used by millions of WordPress users
Graham Cluley Security News
If so, you need to update the plugin as soon as possible to the latest version. The All in One SEO Pack plugin is a very popular choice for webmasters who wish to boost their WordPress-powered site's position in search engine rankings. Indeed, over 18 …

View full post on SEO – Google News

Post-Heartbleed, Open Source Gets A New Security Attitude

The Internet may not agree on much. But if there’s one idea its citizens can get behind, it’s that nothing like the Heartbleed bug should ever happen again.

And so the Linux Foundation—backed by Google, Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, IBM, Intel, Microsoft, NetApp, Rackspace and VMware—is launching a new Core Infrastructure Initiative that aims to bolster open-source projects critical to the Internet and other crucial information systems. Many such projects are starved for funding and development resources, despite their importance to Internet communications and commerce. 

The initiative is brand new—the steering committee hasn’t even had a meeting yet—so there aren’t many details as to how this will all work at the moment. 

It’s hard not to applaud such an important development, even if the promise seems somewhat vague. Of course, the details do matter; no one wants to lull a post-Heartbleed world into a false sense of security. The Heartbleed bug tarnished the image of open source. Another serious failure could erode support for it.

That would be a shame—mostly because, despite the hard knock it’s taken from Heartbleed, open-source software really is more solid than proprietary code.

Heartbleed: The Truth Is Stranger Than Fiction

One of the biggest arguments in favor of open source—which typically depends on volunteers to add and refine programs and tools—is that projects with many eyes on them are less prone to serious bugs.

Often enough, that’s exactly how it works out. A recent report from software-testing outfit Coverity found that the quality of open-source code surpassed that of proprietary software. Shocked? You shouldn’t be. Popular open-source projects can have hundreds or thousands of developers contributing and reviewing code, while in-house corporate teams are usually far smaller and frequently hobbled by strict confidentiality to boot.

Unfortunately, not all open-source projects work like that. OpenSSL—yes, the communications-security software library that fell prey to Heartbleed—was one such project.

This potentially huge security hole started out as a mistake made by a single developer, a German researcher named Robin Seggelmann. Normally, revised code gets checked before going out, and his work on OpenSSL’s “heartbeat” extension did go through a review—by a security expert named Stephen Henson. Who also missed the error.

So Heartbleed started with two people—but even involving the entire OpenSSL team might not have helped much. There are only two other people listed on that core team, and just a handful more to flesh out the development team. What’s more, this crucial but non-commercial project makes do on just $2,000 in annual donations.

If this were a fictional premise, no one would believe it. A critical security project, limping along on a couple of thousand dollars a year, winds up in the hands of two people, whose apparently innocent mistake goes on to propagate all over the Internet.

The Core Infrastructure Initiative aims to ensure that OpenSSL and other major open-source projects don’t let serious bugs lie around unfixed. Its plan: Fill in the gaps with funding and staff.

Making Open Source Whole

Security for the Internet at large was practically built on OpenSSL. And yet, the open-source software never went through a meticulous security audit. There wasn’t money or manpower for one.

From the Linux Foundation’s perspective, that’s unacceptable. 

The Linux operating system may be the world’s leading open-source success story. Volunteers across the globe flock to Linus Torvalds’ software, contributing changes at a rate of nine per hour. That amounts to millions of lines of code that improve or fix various aspects of the operating system each year. And it draws roughly half a million dollars in annual donations. Some of those funds go to Torvalds, Linux’s creator, so he can dedicate himself to development full-time. 

The Linux Foundation likewise sees its Core Infrastructure Initiative becoming a benefactor of sorts to key software projects, one that can direct funds to hire full-time developers, arrange for code review and testing, and handle other issues so that major vulnerabilities like Heartbleed don’t slip through the cracks again. 

The first candidate is—you guessed it—OpenSSL. According to the press announcement, the project “could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.”

But OpenSSL is just the beginning. “I think in this crisis, the idea was to create something good out of it,” Jim Zemlin, executive director of the Linux Foundation, told me. “To be proactive about pooling resources, looking at projects that are underfunded, that are important, and providing some resources to them.”

Sounds like a great idea. Not only does the move address specific concerns about open-source development—like minimal staffing and non-existent funding—it would also reinforce the integrity of critical systems that hinge on it. 

It’s an ambitious plan, one that came together at lightning speed. Chris DiBona, Google’s director of engineering of open source, told me Zemlin called him just last week with the idea.

“We [at Google] were doing that whole, ‘Okay, we’ve been helping out open source. Are we helping them enough?’” said DiBona, who reminded me that it was a security engineer at his company who first found the Heartbleed bug. “And then Jim calls up and says, ‘You know, we should just figure out how to head this off at the pass before the next time this happens.’ And it’s like, ‘Yeah, you’re right. Let’s just do it. We’ll try to find a way’.” 

Over the next few days, other companies immediately jumped at the chance to help. “I think it’s a historical moment, when you have a collective response to what was a collective problem,” said Zemlin.

The Core Infrastructure Initiative is still gaining new supporters. Just a few hours before I spoke with Zemlin and DiBona Wednesday evening, another backer signed on. As of this writing, 12 companies had officially joined the fold. Each is donating $100,000 per year for a minimum of three years, for a total of $3.6 million.

Those Pesky Details

Eventually, the details will have to be ironed out. There will be a steering committee made up of backers, experts, academics and members of the open-source community. And when they meet, they will need to make some big decisions—like determining criteria for deciding which projects get funded (or not). The committee will also need to figure out “what we consider to be a minimum level of security,” said DiBona. 

Zemlin is careful to note that he doesn’t want to fall into the trap of over-regulating or dictating so much that it would alter the spirit of open-source development. “Everyone who’s participating will respect the community norms for the various projects,” he said. “We don’t want to mess up the good things that happen by being prescriptive.”

He and his initiative will draw from the Linux Foundation’s experience powering Linux development. “We have 10 years of history showing that you can support these projects and certainly not slow down their development,” Zemlin said. And indeed, if anyone can figure it out, it could be him and his foundation. 

But it may not be easy, keeping the creative, free-spirited nature of open source alive in the face of serious core infrastructure concerns. Critical systems usually demand organization and regimented practices. And sometimes, to keep the heart from bleeding, a prescription might just be in order. 

Images courtesy of Flickr users John (feature image), Bennett (lonely developer), Chris Potter (money life preserver), Alex Gorzen (Linux Easter Egg).

View full post on ReadWrite


Protect Yourself Against Heartbleed, The Web’s Security Disaster

The recently discovered Heartbleed bug exposed a gaping hole in the security software that’s supposed to keep your information private while shopping, managing your finances or sending and reading email. While there still aren’t any signs that the bug has actually led to eavesdropping or theft—financial, identity or otherwise—it’s probably only a matter of time.

The good news is that there are ways you can protect your information from thieves and snoops. The bad news is that they’re simple but not necessarily easy.

Why Heartbleed Is A Big Deal

First, some quick background. The Heartbleed bug allows potential attackers to sidestep the cryptographic security that normally protects Web communications on sites that use a widely deployed open-source implementation called OpenSSL. In essence, the bug allowed attackers to grab random bits of information from Web servers’ memory—information that could include usernames and passwords, the cryptographic “keys” that shield traffic from prying eyes, or even the coded “certificates” that websites use to verify that they are who they say they are.

In the worst case, exposure of that information could allow attackers to read all traffic to and from a given site, or even to impersonate the site itself—which could be, let’s just say, bad if the site in question happens to be a malign copy of your bank. (For a deeper technical breakdown of Heartbleed, check out ReadWrite’s FAQ here.)

Heartbleed went undetected for the past two years, and no one knows who might have known about it during that time or what they might have been doing. Now that it’s out in the open, up to a half million widely trusted websites—including many that people use every day, such as the popular and much-maligned Yahoo Mail—have been scrambling to patch the flaw and update their security protocols to protect users. 

But that’s just a first step. Because it’s impossible to tell if anyone has exploited the bug, you won’t know if you’ve been victimized until it’s too late. Worse, if an attacker has recorded any of your encrypted Web traffic over the past few years, they might now be able to retroactively decrypt that information. Because of Heartbleed’s staggering unknowns and its possible future consequences, security expert and veteran cryptographer Bruce Schneier calls the bug “catastrophic,” adding that “on the scale of 1 to 10, this is an 11.”

It’s also not simple for companies to fix. Any affected site will have to patch the OpenSSL bug, then revoke its existing digital certificates and re-issue them. Then its managers get to start combing through their systems for other traces that could indicate whether anything was compromised.

What You Need To Do

Here’s your basic checklist as a user:

  • Check to see whether sites you use regularly were vulnerable to Heartbleed in the first place
  • Change your passwords on those sites immediately
  • Monitor those sites to determine if they’ve patched the bug and reissued their digital certificates
  • When one does, change your password again

Remember how I said protecting yourself is simple but not easy? That’s what I was getting at. Now let’s go through all that in detail.

Check Sites For Vulnerability

Not sure if your data is safe with your favorite site? Treat it to the Heartbleed test, a tool devised by an Italian programmer named Filippo Valsorda that determines whether or not a site was affected by Heartbleed. If it was, it’s probably best to go ahead and change your password even if the site hasn’t fixed things up yet. It won’t fully protect you because your new password will still be vulnerable to theft, but it might slow down a hypothetical data scammer.

Another, more hardcore SSL server test from Qualys provides an in-depth analysis of a site’s encryption configuration and grades it on its security strengths. It might give you a little more peace of mind than Valsorda’s quick-and-dirty test. The test takes about a minute and examines several aspects of the configuration, including certificate and cipher strength, key exchange, and protocol support.

CNET has posted a list of the Heartbleed status of the Web’s top 100 sites. The password manager LastPass also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but also when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users.

If you use the Google Chrome web browser, you can install the Chromebleed Chrome extension. Once installed, you’ll receive a warning any time you visit a site that was affected by Heartbleed.

Change Your Passwords

Pro tip: Change your passwords immediately, but then change them again when an affected site has been determined to be safe from Heartbleed. You’ll know you’re safe by doing a manual check using the tools above, or when you receive an email from the company that has been affected. I would suggest doing your own check, however. 

Late Wednesday I received an email from IFTTT—the productivity tool that simplifies sharing and automation across the Web—letting me know the bug was fixed and that I should change my password not just on the site, but anywhere else I store secure information. It’s very likely most companies that have been compromised will send similar emails. 

Keep Checking

You won’t really be done until every site you use regularly has patched OpenSSL and reissued its digital certificates. It’s going to be a pain to stay on top of all that, no question. If you want to live dangerously, you could just wait a few days and then change your passwords—but there’s no guarantee that someone won’t be sniffing out your data in the meantime.
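For the certificate step of the checklist, here is an added Python example (not from the article, and not the code behind any of the checkers it mentions) that reads the notBefore date of the certificate a server presents and reports whether it was issued after the Heartbleed disclosure date of 7 April 2014, which is assumed as the cutoff. It uses only the standard library; the two sample certificates and their hostnames are constructed for illustration.

```python
"""Report whether a site's TLS certificate was issued after the Heartbleed disclosure.

Added example, not from the original article. Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed cutoff: Heartbleed was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the certificate's notBefore field as an aware UTC datetime.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert(),
    whose time fields look like 'Apr  9 00:00:00 2014 GMT'.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after(cert, cutoff=HEARTBLEED_DISCLOSED):
    """True if the certificate was issued on or after `cutoff`.

    A certificate that predates the disclosure may still be bound to a private
    key that the bug could have exposed, so it is a sign the site has not yet
    finished the patch / revoke / reissue sequence the article describes.
    """
    return cert_not_before(cert) >= cutoff


def classify(cert, cutoff=HEARTBLEED_DISCLOSED):
    """Return a one-line status string for the user checklist."""
    issued = cert_not_before(cert)
    if issued >= cutoff:
        return f"reissued {issued:%Y-%m-%d} (after disclosure): change your password now"
    return f"issued {issued:%Y-%m-%d} (before disclosure): wait for a reissue, then change again"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate presented by host:port (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dict shape (not real sites).
OLD_CERT = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "new.example"),),),
    "notBefore": "Apr  9 12:30:00 2014 GMT",
    "notAfter": "Apr  9 12:30:00 2016 GMT",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a live site use
    # classify(fetch_cert("example.com")) instead.
    for cert in (OLD_CERT, NEW_CERT):
        print(cert["subject"][0][0][1], "->", classify(cert))
```

A reissued certificate only tells you the site has completed its cleanup; it does not prove nobody read the old key while the bug was live, which is why the article has you change the password a second time.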

Do Your Own Security Check Up

Now is a great time to do a little security spring cleaning. Unfortunately it took a critical bug to remind us all our data is never as secure as we think it is. If nothing else, Heartbleed should prompt us to rethink our security measures.

So take a minute to make sure your username and password are strong, and that you don’t notice any malicious activity in your accounts.

Password managers like LastPass can help users maintain tough security measures. The password manager lets you generate and save passwords for all your favorite sites, and requires only one login to access them all. (The LastPass site itself was affected by Heartbleed, but the service says no user data was at risk because it doesn’t hold the keys to the encrypted information it stores.)

Once all websites impacted by Heartbleed are patched, regularly access those affected accounts and make sure that the only updates, conversations or purchases registered on the site were indeed made by you. This is a good habit to get into, even on sites that are, in theory, secure.

Updated: This story was updated to include a reference to the Chromebleed extension. 

Lead image courtesy of Sarah on Flickr. Heartbleed logo courtesy of Heartbleed.com

View full post on ReadWrite

Google Beefs Up Android Security In Wake Of Fake App Scam

Google’s Android security bouncer is packing on some extra pounds for the spring.

Earlier this week, Android users were rocked when they discovered a hot new app that had rocketed to the top of the Google Play charts was a total fake. The app—Virus Shield—promised security protection for apps that users had downloaded on their Android devices. The problem? Virus Shield didn’t actually do anything. It was a paid app ($3.99) that didn’t do what it claimed to do. Google has since pulled it from the Google Play store.

Android users have a natural—if not totally justified—fear for the security of the apps they download on their devices. In the wake of the NSA’s spying scandal, reports of poor security on Android and more recently Heartbleed, Internet users have developed a semi-rational paranoia about whether or not apps and websites do exactly what they say they do.

To reassure Android users that security is still a primary focus at Google, the company today announced a new update to its “Verify Apps” program that continuously scans apps both on Google Play and on users’ devices to ensure they’re behaving in the way they are supposed to, even after the app has already been downloaded.

The benefits of continual security monitoring are obvious. Apps sometimes change permissions (like the ability to read your messages, access your calendar, etc.) with new updates or request permissions they don’t necessarily need. Continuous app scanning from Google’s Android Verify Apps program should keep users safe by providing a check on apps that are behaving badly.

That being said, Verify Apps will not protect users from apps that still do what they promise to do, but use the information for nefarious purposes or fail to secure users’ information properly.

Verify Apps is the extension and maturation of Google's Android “Bouncer” program, launched in February 2012. Bouncer scans every app submitted to Google Play for known malware, so if an app is flagged as malicious, users are warned not to install it, or Google blocks the installation itself.

The Verify Apps feature is automatically enabled for any Android users running version 4.2 Jelly Bean or higher, and can be accessed in the security settings of Android devices. 

Google says Verify Apps has been used 4 billion times in the past year to scan apps at install time. According to the company, only 0.18% of installations result in a warning; however Google frames that figure, 0.18% of 4 billion is still about 7.2 million warnings. Google would probably like those numbers to drop, but given Android's continued global expansion, the company will likely need to keep reassessing its security measures to keep the ecosystem open but safe.

View full post on ReadWrite

3 Security Tips For Every User From NSA Whistleblower Edward Snowden

Editor’s note: This post was originally published by our partners at PopSugar Tech.

Edward Snowden is one of the most wanted men in America. The NSA whistleblower fled to Russia for fear of arrest but risked exposing his location to speak to the crowd at South by Southwest.

Snowden appeared live via Google Hangouts to discuss the future of cybersecurity alongside privacy advocates and security gurus Ben Wizner and Christopher Soghoian of the ACLU. His revelations about the American government agency’s mass surveillance tactics shocked the world in June 2013 and exposed the security weaknesses of Google, Apple, Facebook, and many of the other services cybercitizens use every day.

During the conversation at SXSW, Snowden shared his advice on protecting your information from surveillance, which we lay out in non-hacker terms below.

Snowden’s Security Tips  

  • Full disk encryption—This protects the data stored on your physical computer, so it can't be read if the machine is lost, stolen or seized. TrueCrypt is a good free option: open-source encryption for Macs, Windows 7/Vista/XP, and Linux.
  • Network encryption—SSL (Secure Sockets Layer, the encryption behind https:// addresses) plus browser plug-ins will suffice. Block Prism for Chrome secures Facebook messaging. NoScript for Firefox, ScriptSafe for Chrome, and Disconnect for Safari are viable plug-ins.
  • Tor—Tor is a more dramatic step you can take to stay secure. It's a network of virtual tunnels (onion routing) that bounces your traffic through a chain of volunteer-run relays, so your Internet provider can no longer see which sites you visit. Learn more at TorProject.org.

Snowden at SXSW: The Best Quotes

During the virtual conversation, all speakers had great insights on what security should look like in our future. The main takeaway was that developers need to think about security from the start and turn security features on by default for all web services.

Snowden said that companies could still collect the data necessary to perform an operation — but that these services need to relinquish and destroy this information once it’s no longer needed. All speakers also called for simpler, easier-to-use security tools, which are typically made “by geeks, for geeks,” according to researcher Soghoian, and are oftentimes overly complicated. 

View full post on ReadWrite

GnuTLS Bug: Linux Security Flaw Leaves Users Vulnerable To Hacks

A variety of Linux distributions are open to attack because of a bug that lets an attacker bypass certificate checks and intercept information that was supposed to travel encrypted. A member of the Red Hat security team discovered the bug in the GnuTLS library, which implements Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL); the flaw lets attackers circumvent the protection those protocols are meant to provide.

The vulnerability is in certificate verification: GnuTLS can accept a certificate it should reject, so a connection that reports itself as secure may not be. An attacker positioned between a client and a server (a “man-in-the-middle” attack) could present a forged certificate, pose as the server, and intercept traffic, financial transactions or other sensitive information.

Apple suffered its own flaw last week when researchers discovered a critical vulnerability that allowed attackers to spoof servers and intercept supposedly secure traffic from iOS and Mac devices. In terms of the number of users affected, the GnuTLS flaw is considerably smaller than Apple's bug, which hit iOS and Mac devices alike, but patching the GnuTLS vulnerability for all Linux users will be harder.

A Red Hat representative offered a statement to ReadWrite:

Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team and GnuTLS project discovered a certificate verification security issue affecting GnuTLS on February 19th, 2014 whilst auditing the code. We then used our standard processes to notify and work with other affected distributions in advance. Updates to correct this flaw were released on 3rd March 2014 from Red Hat, GnuTLS, and others.

Red Hat offers an advisory that explains how GnuTLS users can upgrade to packages that correct the issue.

According to Ars Technica, over 200 different operating systems or applications are vulnerable, among them a number of open source packages and the Ubuntu, Debian and Red Hat distributions of Linux. Exactly how many systems or applications are exposed in total is still unconfirmed.

Complaints as far back as 2008 point to insecurities in the GnuTLS code. One thread on an OpenLDAP forum, posted by the chief architect at software company Symas, suggested the GnuTLS code is broken, and “completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.”

An advisory from GnuTLS tells users to update to the most recent version, or apply the patch listed on its site, to fix the problem. Debian also released an advisory about the bug, offering similar instructions. 

How It’s Worse Than Apple’s Security Flaw

After Apple discovered its SSL bug last week, the company quickly shipped emergency fixes for iOS and OS X, covering its mobile and desktop ecosystems in one sweep, with the two updates landing roughly four days apart, but not before a man-in-the-middle proof of concept exploiting the flaw on iOS and OS X was published.

Unlike Apple customers, Linux users don't all run one operating system with a single update channel, and distributors have to do more than test the patch against a handful of packages.

“It’s not just a matter of patching these bugs, but you have to go back and see how the software reacts to the patch—so many software packages in the scope of getting fixed,” said Casey Ellis, security researcher and CEO of the firm Bugcrowd. “Not only are there multiple software packages, but you have multiple clients and software packages on top of that.”

The goto fail; test website (named after the Apple bug) checks whether the browser that loads it is vulnerable to the Apple bug, and it now tests for the GnuTLS bug too. Ellis confirmed the site works for figuring out whether client software is vulnerable, but it is less reliable than it was for the Apple bug: a single “pass” covers only the client you loaded the page with, and other software on the same system may link a separate copy of the library that is still unpatched.

However, as CloudWeaver founder and CTO Carlo Daffara points out, the GnuTLS bug isn’t nearly as big a deal as Apple’s SSL bug.

The exact number of users affected by the GnuTLS bug is unclear, and unlike Apple, which can push a fix to every device it sells, nobody can push the open source fix to every system that bundles the library; each administrator has to apply it. So one unpatched server can leave the thousands of users who connect to it exposed. But at least the GnuTLS fix is already out there; now it's just up to people to upgrade.

“The Apple bug was a big deal because it affected [millions] of mobile consumers, but the scope of people affected by [the GnuTLS vulnerability] is probably smaller,” Ellis said. “It’s worse because it will take a lot longer to clean up. In terms of being messy and difficult to recover from, it’s worse.”
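The article describes both flaws only by their effect: a spoofed server passing as genuine. As an added illustration (toy code written for this page, not GnuTLS or Apple source), the functions below reproduce the shape of the two error-handling mistakes. In the GnuTLS case, a routine that callers treated as a yes/no answer to "is this issuer a CA?" also returned negative error codes through its shared cleanup path, and a caller that only tested for 0 took an error code as "yes". In the Apple case, a duplicated "goto fail;" skipped the remaining signature checks while the error variable still held 0, the success value. The cert_t structure, the error code values, the verify_* wrappers and the sample certificates are all constructed for the example.

```c
#include <stdio.h>

/* Toy certificate with only the fields the checks below consult
 * (an assumed shape for this example, not a real X.509 structure). */
typedef struct {
    const char *subject;
    int claims_ca;     /* basicConstraints CA flag as the cert asserts it */
    int parses;        /* 0 if the encoded certificate cannot be decoded */
    int signature_ok;  /* 1 if the signature over the certificate body verifies */
} cert_t;

/* Negative error codes in the style of C TLS libraries (values assumed). */
#define ERR_BAD_ENCODING  (-10)
#define ERR_BAD_SIGNATURE (-20)

/* Constructed sample certificates used by main() below. */
const cert_t SAMPLE_GARBLED = { "CN=Garbled",       0, 0, 0 }; /* will not decode   */
const cert_t SAMPLE_FORGED  = { "CN=Forged Server", 1, 1, 0 }; /* bad signature     */
const cert_t SAMPLE_REAL_CA = { "CN=Real CA",       1, 1, 1 }; /* genuine CA        */
const cert_t SAMPLE_LEAF    = { "CN=Leaf",          0, 1, 1 }; /* valid, not a CA   */

/* --- GnuTLS-style mistake --------------------------------------------------
 * Contract: return 1 if the issuer is a CA, 0 if it is not. A decoding error
 * takes the shared cleanup path and escapes as a negative number. */
static int check_if_ca_vuln(const cert_t *issuer)
{
    int result;
    if (!issuer->parses) {
        result = ERR_BAD_ENCODING;
        goto cleanup;            /* the error code leaks out as a non-zero result */
    }
    result = issuer->claims_ca ? 1 : 0;
cleanup:
    return result;
}

/* Caller tests only for 0, so -10 reads as "yes, this is a CA".
 * Returns 1 = issuer accepted, 0 = rejected. */
int verify_issuer_vuln(const cert_t *issuer)
{
    if (check_if_ca_vuln(issuer) == 0)
        return 0;
    return 1;
}

/* Fixed: every failure path yields 0, the error travels out of band, and
 * the caller insists on an explicit 1. */
static int check_if_ca_fixed(const cert_t *issuer, int *err)
{
    *err = 0;
    if (!issuer->parses) {
        *err = ERR_BAD_ENCODING;
        return 0;
    }
    return issuer->claims_ca ? 1 : 0;
}

int verify_issuer_fixed(const cert_t *issuer)
{
    int err;
    if (check_if_ca_fixed(issuer, &err) != 1 || err != 0)
        return 0;
    return 1;
}

/* --- Apple-style mistake ---------------------------------------------------
 * Contract: return 0 when the signature verifies, an error code otherwise.
 * A duplicated "goto fail;" jumps unconditionally while err still holds 0,
 * so the signature is never compared and the function reports success. */
static int hash_update(const cert_t *c)
{
    return c->parses ? 0 : ERR_BAD_ENCODING;
}

static int signature_compare(const cert_t *c)
{
    return c->signature_ok ? 0 : ERR_BAD_SIGNATURE;
}

int verify_signature_vuln(const cert_t *c)
{
    int err = 0;
    if ((err = hash_update(c)) != 0)
        goto fail;
    goto fail;   /* stray duplicate; in the real bug it was indented under the
                    if, so it read as part of the guarded branch */
    if ((err = signature_compare(c)) != 0)
        goto fail;
fail:
    return err;
}

int verify_signature_fixed(const cert_t *c)
{
    int err = 0;
    if ((err = hash_update(c)) != 0)
        goto fail;
    if ((err = signature_compare(c)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("GnuTLS-style check, undecodable issuer: vulnerable=%d fixed=%d\n",
           verify_issuer_vuln(&SAMPLE_GARBLED), verify_issuer_fixed(&SAMPLE_GARBLED));
    printf("Apple-style check, forged signature:    vulnerable=%d fixed=%d\n",
           verify_signature_vuln(&SAMPLE_FORGED), verify_signature_fixed(&SAMPLE_FORGED));
    return 0;
}
```

Compile and run with any C compiler: the vulnerable GnuTLS-style check accepts the undecodable issuer (returns 1) and the vulnerable Apple-style check reports the forged signature as verified (returns 0), while both fixed versions reject them. The lesson the two bugs share is that a function whose callers read it as a boolean must never let an error value escape as a third kind of answer, and every exit path needs a test case that fails it.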

Image courtesy of Home of Chaos on Flickr

View full post on ReadWrite

Copyright © 1992-2014, DC2NET All rights reserved