by Feynman Group
Posted on 2014-04-29 20:50:04
On the heels of ending service updates to Windows XP users on April 8th, warning of a security flaw within Internet Explorer could allow hackers to gain full user permissions over your computer. Although Microsoft states they are doing all they can to solve the issue, according to Symantec Corp., an internet security firm, researcher Christian Tripputi claims, “XP users are not safe anymore, and this is the first vulnerability that will be not patched for their system.” In other words, any user still with XP will be out of luck when it comes to security corrections from the big tech company, and are advised to stay away from Internet Explorer.
On the Brightside, there is still hope. Although post-XP users can expect a direct update from Microsoft within the next few weeks, in order to help mitigate corruption, there are still roundabout methods to avoid harm that can apply to everyone. The most prevalent method involves switching browsers. Both Firefox and Chrome are wonderful alternatives that still support Windows XP users. However, if using Internet Explorer is still a necessity, Microsoft is providing some more advanced methods to help mitigate damage, which can be found here. For additional resources and advice, it is highly advised to jump on over to Symantec.
by Feynman Group
Posted on 2014-04-11 18:07:49
Heartbleed is a bug in OpenSSL, a technology used by Internet services to encrypt and keep user data secure. OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Modern Web security relies heavily on these two protocols. The “Heartbleed” bug was first reported on Monday April 7th. It allows anyone with Internet access to read small pieces of memory from the systems using OpenSSL. Using this vulnerability, the attacker can get 64KB of memory from the server. This can be repeated many times, and with each try, the attacker can get a random 64KB piece of memory from the server. What this means is that the attacker can obtain virtually anything that’s in the server’s memory, including usernames, passwords, and SSL private keys. This is a major security risk.
Leaked private keys allow the attacker to decrypt any past and future traffic to the protected services, and impersonate the service at will. Any protection given by the encryption and the signatures in the certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even after going through these processes, the bug will leave any traffic intercepted by the attacker in the past still vulnerable to decryption.
This vulnerable code was introduced in OpenSSL in version 1.0.1 which was released in March 2012, which means that potentially some attackers have been eavesdropping SSL encrypted communications ever since. OpenSSL is used by some of the most popular server software such as Apache and nginx whose combined market share is over 66 percent, which makes this potentially a global problem.
It is impossible to know if you were ever a victim of this attack because it does not leave traces. The logs on the server will not show any malicious activity. You can however test and see if a site is vulnerable to this bug using one of these tools:
The bug mainly creates problems on Web and email servers, where system administrators should update to a version OpenSSL 1.0.1g or newer. PCs, Macs and mobile devices are not directly affected and antivirus software cannot help with Heartbleed.
There are a few things that every Internet user should do. Consider changing your passwords on your Yahoo, Flickr, and Tumblr accounts as security researchers were able to get usernames and passwords out of Yahoo’s servers using this bug right after it become public. Also, consider changing your Google, Facebook and Dropbox accounts as they also confirmed that those were vulnerable to this bug. There isn’t any news about people getting their accounts within these services hacked, but since this attack leaves no traces, there is a chance some of them were compromised.
On the bright side, most servers that run Microsoft software weren’t affected by Heartbleed, as well as plenty of other sites, including Apple, Amazon, eBay, PayPal and most major banks.
By: Mite Tashev