Heartbleed Bug: Public urged to reset all passwords
Posted by Steve Moffat (Optimum IT Support) on 09 April 2014 12:51 PM
Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.
The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.
Those affected include Canada's tax collecting agency, which halted online services "to safeguard the integrity of the information we hold".
Copied keys
Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
The University of Surrey's Prof Alan Woodward is among security experts to have suggested internet users should now update their login details.
He suggests the following rules should be observed when picking a new password.
Don't choose one obviously associated with you
Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble.
Choose words that don't appear in a dictionary
Attackers can precompute the hashed forms of whole dictionaries and simply look up a stolen hash to recover your password.
Use a mixture of unusual characters
You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!
Have different passwords for different sites and systems
If hackers compromise one system you do not want them having the key to unlock all your other accounts.
Keep them safely
With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
They nicknamed it the Heartbleed Bug because the flaw, in OpenSSL's handling of the TLS "heartbeat" keep-alive messages, caused the "leak of memory contents" between servers and their clients.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail - unless the hackers published their haul online.
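The following is an added, deliberately simplified model of the defect described above; it is not OpenSSL's code and not part of the original article. A heartbeat request carries a one-byte type, a two-byte payload length and then the payload plus at least 16 bytes of padding. The vulnerable handler trusts the attacker-supplied length field and copies that many bytes into the reply, so a request that claims 40 bytes but sends 4 is answered with 36 bytes of whatever sat next to the record in memory. The fixed handler first checks the claimed length against the number of bytes actually received and drops the record if they disagree, which is the shape of the check the patched release added. The "heap" array, the planted marker string and the 4-byte "ping" payload are all constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3    /* 1-byte type + 2-byte payload length */
#define HB_PAD_LEN   16   /* minimum random padding after the payload */

/*
 * Constructed stand-in for a slice of the server's heap.  The heartbeat
 * record is placed at the front; the bytes after it play the role of
 * whatever else happened to be adjacent in memory (here, a planted marker).
 */
static unsigned char heap[256];
static const char SECRET[] = "SECRET-KEY-MATERIAL!";   /* 20 bytes, constructed */

/* Lays out a request whose real payload is the 4 bytes "ping" but whose
 * length field says `claimed_len`.  Returns how many bytes really arrived. */
static size_t build_record(uint16_t claimed_len) {
    const size_t real_payload = 4;
    size_t rec_len = HB_HDR_LEN + real_payload + HB_PAD_LEN;      /* 23 */
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + HB_HDR_LEN, "ping", real_payload);
    memset(heap + HB_HDR_LEN + real_payload, 0xAA, HB_PAD_LEN);     /* padding */
    memcpy(heap + rec_len, SECRET, sizeof SECRET - 1);              /* adjacent data */
    return rec_len;
}

/* Pre-fix behaviour: the payload length comes from the attacker-controlled
 * field and is never compared with the number of bytes that actually arrived. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR_LEN + payload_len + HB_PAD_LEN;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* reads past the record */
    memset(out + HB_HDR_LEN + payload_len, 0xAA, HB_PAD_LEN);
    return (int)resp_len;
}

/* Fixed behaviour: bound the claimed length by the bytes actually received
 * and silently drop any record that does not fit. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return -1;          /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + payload_len + HB_PAD_LEN > rec_len) return -1; /* length lie */
    size_t resp_len = HB_HDR_LEN + payload_len + HB_PAD_LEN;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0xAA, HB_PAD_LEN);
    return (int)resp_len;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Does the reply that `h` produces for a lying request (claims 40, sends 4)
 * contain the planted marker that sat beyond the end of the record? */
static int response_leaks_secret(hb_handler h) {
    unsigned char out[256];
    size_t rec_len = build_record(40);
    int n = h(heap, rec_len, out, sizeof out);
    if (n < 0) return 0;
    for (size_t i = 0; i + sizeof SECRET - 1 <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* Sanity check that the fix still answers an honest request: returns the
 * reply length (23) when the 4-byte payload is echoed back, else -1. */
static int fixed_echoes_honest_request(void) {
    unsigned char out[256];
    size_t rec_len = build_record(4);
    int n = heartbeat_fixed(heap, rec_len, out, sizeof out);
    if (n < 0 || memcmp(out + HB_HDR_LEN, "ping", 4) != 0) return -1;
    return n;
}

int main(void) {
    printf("vulnerable handler leaks adjacent memory: %s\n",
           response_leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks adjacent memory:      %s\n",
           response_leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler reply length for honest request: %d\n",
           fixed_echoes_honest_request());
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_demo.c && ./a.out`. Two points the model makes concrete: the over-read is a plain memcpy driven by a length the client chose, so the server's reply is a well-formed heartbeat response and an ordinary web server log records nothing unusual, which is why the article can say exploitation "would not leave a trail"; and the fix is a single comparison between the claimed length and the record length, not a change to the protocol.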
"If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer.
"In that sense it's a good idea to change the passwords on all the updated web portals."
Other security experts have been shocked by the revelation.
"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
"Our team has successfully made the appropriate corrections across the main Yahoo properties - Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr - and we are working to implement the fix across the rest of our sites right now," said a spokeswoman for the company.
NCC Group - a cybersecurity company that advises many members of the FTSE 250 - described the situation as "grave".
"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," the company's associate director Ollie Whitehouse told the BBC.
"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information.
"As long as service providers have patched their software it would now be a prudent step for the public to update their passwords."
However, there is no simple way to find out if they were vulnerable before.
Organisations that used Microsoft's Internet Information Services (IIS) web server software would not have been affected.
But Codenomicon has noted that more than 66% of the net's active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.
Even so, some of these sites would also have employed a feature called "perfect forward secrecy", which uses a fresh session key for each connection; a stolen long-term server key then cannot be used to decrypt previously recorded traffic, limiting how many of their past communications could have been exposed.
'No rush'
A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.
"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.
"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.
"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."
Apple '10 years' behind Microsoft on security: Kaspersky
Posted by Steve Moffat (Optimum IT Support) on 25 April 2012 02:30 PM
Welcome to Microsoft's world, Eugene Kaspersky tells Apple
The recent Flashback/Flashfake malware outbreak targeting Apple's Mac computers is likely to be just the start of a new wave of attacks aimed at the system, according to Kaspersky founder and CEO Eugene Kaspersky.
Speaking to CBR at Info Security 2012, Kaspersky told us that Apple is a long way behind Microsoft when it comes to security and will have to change the ways it approaches updates following the recent malware attacks.
"I think they are ten years behind Microsoft in terms of security," Kaspersky told us. "For many years I've been saying that from a security point of view there is no big difference between Mac and Windows. It's always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms."
Kaspersky added that his company is seeing more and more malware aimed at Macs, which is unsurprising given the huge number of devices being sold. Its most recent quarter revealed Mac sales of 4 million, a 7% rise on the year ago quarter. These figures are still dwarfed by PC sales of course, and Kaspersky said Windows will remain the primary target for cyber criminals.
However he added an increase in Mac malware was, "just a question of time and market share. Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it's not just Flashback or Flashfake. Welcome to Microsoft's world, Mac. It's full of malware."
"Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on," he added. "We now expect to see more and more because cyber criminals learn from success and this was the first successful one."
This will mean that Apple will have to change the way it approaches its update cycle for patches, Kaspersky added. The company had previously criticised the speed of Apple's response to the outbreak and accused it of leaving its users vulnerable for three months.
That approach will have to change if Apple wants to keep its users protected.
"They will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software," Kaspersky told CBR.
"That's what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it's time for Apple [to do that]," he added.
Private cloud is the only secure future for big companies
Posted by Steve Moffat (Optimum IT Support) on 08 January 2012 11:26 AM
Security threats for virtualisation and cloud are the same, says IDC
21 Nov 2011: Businesses looking for a secure virtual environment will only consider the private cloud in the near future, according to analyst IDC.
This is because the private cloud, rather than a public or hybrid cloud, bears the closest resemblance to the virtualised infrastructure that IT departments have implemented and where they are able to maintain control.
"The decision in the next year or two will only be about the private cloud," Eric Domage, programme manager for EMEA software and service group at IDC, told the analyst's Virtualisation and Cloud Security Conference in London.
"The bigger the company, the more they will consider the private cloud. The enterprise cloud is locked down and totally managed. It is the closest replication of virtualisation."
The lack of privacy in the public cloud is a significant issue, Domage said, pointing out that most hacking incidents happen in the consumer cloud.
Domage could not say definitively if businesses should leverage virtualisation security for cloud computing, but he said: "We should give it a try."
He described virtualisation as "safe" and "compliant" and said that virtualisation security "should" ensure the adoption of cloud computing. However, IDC believes that there is still a gap between the security many end-user organisations need and the vendors' ability to provide cloud security. "Today, there is no end-to-end encryption possible in the cloud," Domage said.
He urged delegates to the conference to "please consider more private cloud than public cloud."
According to Domage, businesses should try to apply the security principles they have used in virtualisation for their cloud operations. With cloud adoption often being driven by the business, rather than IT decision makers, and with cloud being used for small business processes or short term projects or workloads, it is important for IT to assert basic management and security principles, he added.
Apple Lion OS Suffers From A Major Security Issue
Posted by Steve Moffat (Optimum IT Support) on 21 September 2011 11:21 AM
Apple’s Lion OS X stores passwords insecurely, with the updated OS appearing to be more vulnerable than its previous Snow Leopard and Leopard versions, according to a BetaNews report.
Changing an OS X account password is supposed to require a computer administrator's rights. The OS hashes each password and stores the result in a "shadow file" on the disk drive, in a location that should be readable only by privileged users.
However, it is even easier to steal password hashes in Lion.
In previous versions of OS X, administrator privileges were needed to make the attack work. In Lion, any local user can pull the password hash data out of directory services, and that hash data is all an attacker needs to run an offline password-cracking attack against the account.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Defence in Depth's Patrick Dunstan wrote.
Dunstan recognised that users without admin clearance won't be able to access the hash file directory, but it isn't needed when the hash data is accessible from directory services.
The issue would be much worse if the data could be accessed remotely, since attackers could then harvest whole catalogues of password hashes. Still, the fact that the hashes are readable by any local user is a big issue for Apple, given that Lion is billed by Apple as "the world's most advanced desktop operating system".
In the meantime, Mac users should disable all guest accounts and automatic login, so that the computer requires a password at each start-up and no unauthenticated local session is available.
Mac Malware Gets Even More Dangerous
Posted by Steve Moffat (Optimum IT Support) on 31 May 2011 04:57 PM
Makers Of Mac Defender Release New Malware
Apple has promised to take care of the Mac Defender malware that has spread across users' computers. But the makers of the original have created a new version that's even more of a threat as it doesn't require a password to install itself.
Intego, the security firm that found the first Mac Defender, identified the new malware, which, like the previous version, tries to trick users into giving up their credit card information by presenting fake antivirus software.
After a user visits a malicious web page, the computer automatically downloads a file that runs an installer for a program called MacGuard. The installation does not require a username and password. Apple's instructions for avoiding the Mac Defender attack ask users not to enter administrative passwords, but those passwords are no longer necessary for the malware to install.
At this point the fake antivirus software installs, claims to find malware threats on the Mac and asks users to register; the program then instructs them to enter a credit card number to buy it.
Intego gave the following information regarding protection against this malware:
The first thing to do is make sure that when seeing a web page that looks like a Finder window, and purports to be scanning your Mac, you know that this is bogus. Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it. Next, users should uncheck the "Open 'safe' files after downloading" option in Safari's General preferences.
Apple has not yet responded to this new malware, though its next OS X update will resolve problems from the previous Mac Defender attack.
Homemade cyberweapon worries federal officials
Posted by Steve Moffat (Optimum IT Support) on 26 May 2011 12:05 PM
Capable of crippling key industrial controls.
Two security researchers, working at home in their spare time, have created a cyberweapon similar to the sophisticated Stuxnet computer worm that was discovered last year to have disrupted computer systems running Iran’s nuclear program.
The private efforts by Dillon Beresford and Brian Meixell are raising concerns among U.S. government officials that hackers will launch copycat cyber-attacks that could cripple computer controls at industrial sites such as refineries, dams and power plants.
Officials at the Department of Homeland Security were so distressed by the researchers’ findings that they asked the two men to cancel a planned presentation at a computer security conference in Dallas last week called TakeDownCon.
“They requested that I not share the data, but it was absolutely my decision to cancel,” Mr. Beresford told The Washington Times. Homeland Security “in no way tried to censor the presentation, and the conference organizers were very supportive. … We did the right thing.”
Initial analysis of the 2009 Stuxnet attack on Iran suggested that replicating it would require the resources of a nation-state or large organization and detailed information on how the target computer system was set up. The origin of Stuxnet has not been discovered.
But Mr. Beresford said he developed the cyberweapon “in my bedroom, on my laptop” in 2 1/2 months. The malicious software, or malware, was tested on equipment made by Siemens, the German-based industrial giant that makes the system that was attacked by the Stuxnet worm.
Siemens products - known as industrial control systems - are used in thousands of power stations, chemical plants and other industrial settings worldwide. Stuxnet was designed to make the machinery controlled by an industrial control system destroy itself.
Once Siemens saw Mr. Beresford's presentation, the company renewed laboratory work on software patches for controllers that were developed after Stuxnet, Mr. Beresford said. He said he worked last week with officials from a special Homeland Security unit in charge of protecting industrial computer programs but was becoming impatient with Siemens' response.
“This is another egregious example of a vendor trying to minimize the impact of multiple security vulnerabilities in their products and being somewhat evasive about the truth,” he said, noting that the company tried to downplay concern in its public statements and had yet to publish a fix for the flaws he had found.
“The clock is ticking, and time is of the essence. I expect more from a company worth $80 billion, and so do [their] customers,” Mr. Beresford said.
Siemens spokesman Robert Bartels told The Times that the company is testing fixes and expects to release them “within the next few weeks.”
Homeland Security Department officials asked the researchers to delay their presentation until special repair measures aimed at patching security holes they identified are fully developed. They praised the researchers for postponing public release of data that hackers could use to attack computers that control critical infrastructure around the world.
“Responsible disclosure … does not encourage the release of sensitive vulnerability information without also validating and releasing a solution,” a Homeland Security official said in an email.
The disclosure that independent researchers could replicate Stuxnet - which security specialists said at the time likely required a large design team to produce and an industrial plant for testing - will increase concerns about the proliferation of advanced cyberweapons that could cause large-scale death and destruction if unleashed by terrorist groups, criminal gangs or foreign governments.