30 October 2014

Why Microsoft loves Linux

Summary: Bill Gates and Steve Ballmer may have hated Linux, but new Microsoft CEO Satya Nadella says Microsoft loves Linux. What changed Microsoft's mind?

By Steven J. Vaughan-Nichols for Linux and Open Source |  October 29, 2014 -- 19:44 GMT (12:44 PDT). Source: ZDNet.




Some things don't go together: Cats and dogs, New York Yankee and Boston Red Sox fans, Linux and Windows... or do they? In San Francisco, Microsoft CEO Satya Nadella said, and I quote, "Microsoft loves Linux."

Wow.

That's a heck of a long way from Steve Ballmer proclaiming back in 2001 that "Linux is a cancer." In the years since then Microsoft certainly attacked Linux like it was a cancer — doing everything from sponsoring SCO's copyright attack on Linux to claiming that Linux violated unnamed Microsoft patents to endless FUD assaults.

So, how did we get from Linux as Microsoft enemy number one to "love"?

Nadella actually told us the heart of the story, which I can boil down to that classic detective approach: "Follow the money."

Nadella told Wired that he's not interested in fighting old battles — especially when, like it or not, Linux has become a vital part of today's business technology. "If you don't jump on the new," he said, "you don't survive."

There's nothing new about Linux, which at 22 is old enough to drink. But two things are new: First, Microsoft's fortunes now lie not with the desktop or desktop programs, but with its Azure cloud and cloud-based programs such as Office 365. Second, Linux, even on the Azure cloud, is used by businesses large and small.

Read more...

14 July 2014

svn-find: Which version did we do that in?


The following is a bash script which works with svn (subversion) to allow you to look at one particular file, and find the revision in which a certain text first (or last) appears in it.

It is in the form of a bash function: running the code below will cause the function to become available in your current environment, so that you can call it later with the command "svn-find".

You need to provide either two or three parameters: 
  1. the relative path to and name of the file you want to search, 
  2. the text you want to search for, 
  3. and optionally the URL to the repository.
For example:

svn-find path/to/file searchtext

if you are in a subversion working directory, or

svn-find path/to/file searchtext https://url.of/repository

if you want to use it on repositories for which you don't have a working copy checked out on your machine.

The output of the command will be (if successful) the log outputs from two adjacent revisions of the file -- one of which contains the search text, and one which does not.

For example, if the file in question contained the search text right up to and including version XXXX, but from then on (starting with version YYYY) did not contain that text, then the output will be something like:

rXXXX has 'this is the text'
 
------------------------------------------------------------------------
rXXXX | developer | 2012-08-01 15:21:32 +0100 (Wed, 01 Aug 2012) | 1 line

Log entry of last revision containing text
------------------------------------------------------------------------

===============================================
rYYYY does not

------------------------------------------------------------------------
rYYYY | developer-who-removed-it | 2012-09-15 01:05:14 +0100 (Sat, 15 Sep 2012) | 1 line

Log entry which might indicate why it was removed
------------------------------------------------------------------------


Conversely, if the current up-to-date version of the file does contain the search text, then svn-find will search back to show you the revision in which the text first appeared, followed by the revision immediately preceding it, i.e. the last revision which did not contain the text.

If not successful, svn-find may report instead either that the text is found in every single revision of the file, or that it does not appear in any of them.


Note that the current implementation will only find the most recent transition between the existence/non-existence of the search text. If you have a certain string that you keep adding to a file and then in later revisions removing from it, and then later adding back in and so forth, you should feel free to adapt the script so that it doesn't stop searching as soon as it finds the first transition.

 
The script begins below this line of ======================

function svn-find()
{
    # Usage: svn-find FILE TEXT [REPOSITORY_URL]
    # Walks FILE's history newest-first and prints the log entries of the two
    # adjacent revisions between which TEXT appears or disappears.
    local file="$1"
    local text="$2"
    local url="$3"
    local y=""      # most recently seen revision that contains the text
    local n=""      # most recently seen revision that does not
    local r

    if [ -z "$file" ] || [ -z "$text" ]
    then
        echo "Usage: svn-find FILE TEXT [REPOSITORY_URL]" >&2
        return 2
    fi

    # ${url:+"$url"} passes the URL only when one was given, so that
    # "svn info" checks the current directory otherwise.
    if ! svn info ${url:+"$url"} &> /dev/null
    then
        if [ -n "$url" ]
        then
            echo "Sorry, $url is not under version control"
        else
            echo "Sorry, this directory is not under version control"
        fi
        return 1
    fi

    if [ -n "$url" ]
    then
        url="${url%/}/"     # exactly one trailing slash, so that $url$file is a valid URL
    fi

    # "svn log -q" prints one "rNNNN | author | date" line per revision, newest first.
    # grep -F treats the search text as a literal string, not as a regular expression.
    for r in $(svn log -q ${url:+"$url"} "$file" | awk '/^r[0-9]+ /{print $1}')
    do
        if svn cat -"$r" "$url$file" | grep -qF -- "$text"
        then
            y=$r
        else
            n=$r
        fi
        # Stop at the first (i.e. most recent) pair of revisions where the answer changes.
        if [ -n "$y" ] && [ -n "$n" ]
        then
            break
        fi
    done

    if [ -n "$y" ] && [ -n "$n" ]
    then
        echo "$y has '$text'"
        echo
        svn log ${url:+"$url"} -"$y"
        echo
        echo "==============================================="
        echo
        echo "$n does not"
        echo
        svn log ${url:+"$url"} -"$n"
        echo
    elif [ -n "$y" ]
    then
        echo "All revisions have '$text'"
    else
        echo "No revision has '$text'"
    fi
}
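The note above invites you to adapt the script so that it reports every transition rather than stopping at the most recent one. The following is an added example written for this page, not the svn-find script itself: a Python version in which the revision walk is separated from the backend that fetches a revision's contents, so the algorithm can be checked offline against a constructed history. Only the optional svn_has_text backend talks to a real repository, and it assumes an svn client on PATH; the sample history, its revision numbers and file contents are made up for the demonstration.

```python
"""Report every point in a file's Subversion history at which a piece of text
appears or disappears, not only the most recent one.

Added example for the note above; it is not the svn-find script from this post.
The revision walk is kept separate from the backend that fetches a revision's
contents, so the algorithm is exercised here against a constructed history and
only the optional svn_has_text backend (which assumes an svn client on PATH)
talks to a real repository."""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# "svn log -q" prints one "rNNNN | author | date" line per revision, newest first.
REV_LINE = re.compile(r"^(r\d+) \|")


def revisions_from_log(log_q_output: str) -> List[str]:
    """Revision names ('r105', 'r104', ...) in the order svn log -q lists them."""
    revs = []
    for line in log_q_output.splitlines():
        m = REV_LINE.match(line)
        if m:
            revs.append(m.group(1))
    return revs


def find_transitions(revisions: List[str],
                     has_text: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Walk the revisions newest-first and return every adjacent pair
    (revision_with_text, revision_without_text) at which presence changes.
    An empty list means the text is in every revision or in none of them."""
    transitions = []
    prev_rev, prev_has = None, None
    for rev in revisions:
        has = has_text(rev)
        if prev_has is not None and has != prev_has:
            # prev_rev is the newer of the two; order the pair as (has, has-not).
            transitions.append((rev, prev_rev) if has else (prev_rev, rev))
        prev_rev, prev_has = rev, has
    return transitions


def svn_has_text(url_prefix: str, path: str, text: str) -> Callable[[str], bool]:
    """Backend for a real repository: 'svn cat -r N url_prefix+path'.
    url_prefix is '' inside a working copy or 'https://host/repo/' otherwise.
    Assumption: an svn client is on PATH and the repository is reachable."""
    def check(rev: str) -> bool:
        proc = subprocess.run(["svn", "cat", "-r", rev[1:], url_prefix + path],
                              capture_output=True, text=True, check=True)
        return text in proc.stdout
    return check


# Constructed sample history (not taken from any real repository).
SAMPLE_LOG = """\
------------------------------------------------------------------------
r105 | dev | 2012-09-15 01:05:14 +0100 (Sat, 15 Sep 2012)
------------------------------------------------------------------------
r104 | dev | 2012-09-01 10:00:00 +0100 (Sat, 01 Sep 2012)
------------------------------------------------------------------------
r100 | dev | 2012-08-01 15:21:32 +0100 (Wed, 01 Aug 2012)
------------------------------------------------------------------------
r97 | dev | 2012-07-20 09:30:00 +0100 (Fri, 20 Jul 2012)
------------------------------------------------------------------------
r95 | dev | 2012-07-01 08:00:00 +0100 (Sun, 01 Jul 2012)
------------------------------------------------------------------------
"""
SAMPLE_CONTENTS: Dict[str, str] = {
    "r105": "config:\n  debug = false\n",
    "r104": "config:\n  debug = true\n  allow_anonymous = yes\n",
    "r100": "config:\n  allow_anonymous = yes\n",
    "r97":  "config:\n  debug = true\n",
    "r95":  "config:\n",
}


def sample_transitions(text: str) -> List[Tuple[str, str]]:
    """Run the walk over the constructed history instead of a live svn."""
    return find_transitions(revisions_from_log(SAMPLE_LOG),
                            lambda rev: text in SAMPLE_CONTENTS[rev])


if __name__ == "__main__":
    for has, has_not in sample_transitions("debug = true"):
        print(f"{has} has the text, {has_not} does not")
```

Against a real repository, replace the lambda with svn_has_text("https://url.of/repository/", "path/to/file", "searchtext") and feed revisions_from_log the output of "svn log -q". The sample deliberately contains a setting that is added, removed and added again, which is the case the bash version stops short of.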

13 June 2014

Add indent capability to your Google Drive spreadsheets

This addition to your Google Drive script repository allows you to indent and outdent text within a cell or multiple cells of a Drive spreadsheet.

Detailed Discussion

 https://productforums.google.com/forum/#!topic/docs/lUI-yFixCjw

Procedure

Open up the spreadsheet and select menu item "Tools" --> "Script Editor"
Once the script editor opens copy and paste the following code into the "Code.gs" window:


/**
 * Adds indent capability to Drive spreadsheets.
 * More at https://productforums.google.com/forum/#!topic/docs/lUI-yFixCjw
 *
 * Indenting prefixes every non-empty cell in the selection with INDENT_WIDTH
 * non-breaking spaces (CHAR(160)); outdenting removes that prefix again, or
 * trims ordinary leading/trailing spaces when the prefix is not present.
 * The new value is computed here in script rather than by writing a
 * spreadsheet formula assembled from the cell's contents, so a cell that
 * contains a double quote (or text beginning with "=") cannot break the
 * formula or inject one of its own.
 */

var INDENT_WIDTH = 5;                                  // number of characters to indent by
var INDENT = Array(INDENT_WIDTH + 1).join('\u00A0');   // INDENT_WIDTH non-breaking spaces


function moveText(direction) {
  var range = SpreadsheetApp.getActiveSpreadsheet().getActiveRange();
  var values = range.getValues();      // two-dimensional array [row][column]

  for (var x = 0; x < values.length; x++) {
    for (var y = 0; y < values[x].length; y++) {
      var value = values[x][y];
      if (value === '') {
        continue;                        // leave empty cells alone
      }
      var text = String(value);
      if (direction == ">>>") {
        values[x][y] = INDENT + text;
      } else if (text.slice(0, INDENT_WIDTH) === INDENT) {
        values[x][y] = text.slice(INDENT_WIDTH);
      } else {
        values[x][y] = text.replace(/^ +| +$/g, '');   // strip ordinary spaces only
      }
    }
  }
  range.setValues(values);              // one write for the whole selection
}


function indentText() {
  moveText(">>>");
}


function flushLeft() {
  moveText("<<<");
}


function onOpen() {
  var sheet = SpreadsheetApp.getActiveSpreadsheet();

  var entries = [{
    name : ">>>",
    functionName : "indentText"
  }, {
    name : "<<<",
    functionName : "flushLeft"
  }];
  sheet.addMenu("Indent Text", entries);
}


Go to menu "File" --> "Save"
Return to your spreadsheet and reload the browser.  You should now see a new menu item called "Indent Text" to the right of the "Help" menu.

What this code does is add a menu to the spreadsheet document called "Indent Text".
Within this menu it creates two items: ">>>" (indent) and "<<<" (outdent).
When ">>>" is selected, every non-empty cell in the current selection is indented by 5 spaces (non-breaking ones, so the spreadsheet does not strip them); "<<<" removes that indent again.

You can increase or decrease the number of spaces the text is indented by changing the line below so that the "5" is changed to a larger or smaller number (depending on your preference)

      var INDENT_WIDTH = 5;                                  // number of characters to indent by

This code will work on multiple cells so you can select an entire column and indent in bulk.

Note that I have included the modified version of code (by andyrau) that allows you to "unindent," rather than the original code by leighelliott78. Thanks to both leighelliott78 and andyrau for this helpful script!


GameOver Zeus & CryptoLocker are expected to cause problems soon

So what is GameOver Zeus & CryptoLocker?

They are two pieces of malware that work together and are propagated by some of the largest global cybercrime networks. Normally spread as an innocent and official-looking link or email attachment, GameOver Zeus silently monitors data and intercepts communications with online banking sites in order to steal login details and passwords.

Whether or not it succeeds, it then launches the second attack, CryptoLocker, which encrypts the files on the computer and extorts a heavy ransom from the user to regain access to them. Once infected, the machine also becomes part of the network spreading the attack. Over $100 million has already been stolen.




Why such a short window to act?

On 2nd June, the FBI, Europol and the UK's National Crime Agency announced that they had temporarily disrupted the network of machines spreading the infection, and warned users that they have a two-week window to ensure their computers are secure. That deadline is when they expect the cybercriminals behind the attack to regain control of the network and potentially unleash a large-scale cyber-attack.



05 June 2014

Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered

By Andy Greenberg

Source: Wired 5-June-2014




The internet is still reeling from the discovery of the Heartbleed vulnerability, a software flaw exposed in April that broke most implementations of the widely used encryption protocol SSL. Now, before Heartbleed has even fully healed, another major bug has ripped off the scab.
On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper to strip away its encryption. The non-profit foundation, whose encryption is used by the majority of the Web’s SSL servers, issued a patch and advised sites that use its software to upgrade immediately.
The new attack, found by Japanese researcher Masashi Kikuchi, takes advantage of a portion of OpenSSL’s “handshake” for establishing encrypted connections known as ChangeCipherSpec, allowing the attacker to force the PC and server performing the handshake to use weak keys that allows a “man-in-the-middle” snoop to decrypt and read the traffic.
“This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes,” reads an FAQ published by Kikuchi’s employer, the software firm Lepidum. Ashkan Soltani, a privacy researcher who has been involved in analyzing the Snowden NSA leaks for the NSA and closely tracked SSL’s woes, offers this translation: “Basically, as you and I are establishing a secure connection, an attacker injects a command that fools us to thinking we’re using a ‘private’ password whereas we’re actually using a public one.”
Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating. But that still leaves open the possibility of anyone from an eavesdropper on your local Starbucks' network to the NSA stripping away your Web connection's encryption before it's even initialized.
The new attack does have other limitations: It can only be used when both ends of a connection are running OpenSSL. Most browsers use other SSL implementations and so aren’t affected, says Ivan Ristic, director of engineering at the security firm Qualys, though he adds that Android web clients likely do use the vulnerable code. Among servers, only those using more recent versions of SSL are affected–about 24 percent of the 150,000 servers that Qualys has scanned. He also warns that many VPNs may use OpenSSL and thus be vulnerable. “VPNs are a very juicy target,” Ristic says. “People who really care about security use them, and there’s likely to be sensitive data there.”
According to a blog post by Kikuchi, the roots of the OpenSSL flaw have existed since the very first release of the software in 1998. He argues that despite the widespread dependence on the software and its recent scrutiny following the Heartbleed revelation, OpenSSL’s code still hasn’t received enough attention from security researchers. “The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation,” he writes. “They could have detected the problem.”
The revelation of the bug on the one-year anniversary of the Guardian’s first publication of Snowden’s NSA leaks adds to that grim lesson, says security researcher Soltani. He points to efforts by privacy groups like Reset The Net that have used the Snowden revelations as inspiration to push Internet users and companies to implement more pervasive encryption. Those efforts are undermined, he points out, by the fact that some of the oldest and most widely used encryption protocols may still have fundamental flaws. “There are huge efforts by companies and activists to deploy tools that ‘add proven security,’” he says, quoting Reset The Net’s website. “Yet there’s very little actual work and support of the underlying tools that are being deployed, like OpenSSL. It’s pretty shameful that the core library that practically the entire internet relies on for transport security is maintained by a handful of under-resourced engineers.”

29 May 2014

Survey Says Mexican Firms Are Vulnerable to Cyber Attacks

Posted by: Narayan Ammachchi  in Infrastructure, IT Services, MEXICO, Nearshore ICT, News Briefs, North America 8 days ago



Nearly half of Mexican companies suffer minor or large-scale cyber attacks according to a survey conducted by global business consultancy firm Ernst & Young.  The most targeted sectors are finance, telecommunications, pharmaceutical, automotive and aerospace.

Attacks of this kind have caused thousands of dollars in losses for the companies involved. The study indicates that 45% of Mexican companies do not have effective mechanisms in place to identify how vulnerable they are to cyber attacks.

Several companies in the country have also faced penalties for their failure to comply with federal regulation on privacy.

As technology is advancing Mexican companies must take actions to protect themselves from cyber attacks, suggested the advisory firm, according to the Spanish publication Brujula Financiera, which published the report.

Businesses must realize that investing in cyber security is a strategic investment that will help them to avoid losing money in the event of an attack, said Christian Andreani, executive director of the advisory firm.

Most of the vulnerabilities detected by the enterprises were related to the use of mobile computing, social networking and cloud computing. In other words, most of the attacks are blamed on employees using their personally-owned devices for work-related activities.

Ernst & Young said the issue of cyber attacks is no longer "child's play" but an increasingly important strategic decision. The advisory firm said a significant number of companies in the country do not take cyber security seriously.

About 50% of adults worldwide are victims of cyber crime every year and the cost to the global economy is up to $500 billion annually, according to Microsoft.

Source: http://www.nearshoreamericas.com/mexico-lacks-mechanisms-bolster-cyber-security-survey/


28 May 2014

How to fix an excel spreadsheet with cells that have mysteriously changed to date format

Don't panic! When you open an excel spreadsheet and all (or most) of the cells have switched to Date Format, like so....



 You can quickly fix your spreadsheet to look like it should...


By following the instructions in this screencast:

How to fix an excel spreadsheet with cells that have mysteriously changed to date format

26 May 2014

Everything is broken

"Your average piece-of-shit Windows desktop is so complex that no one person on Earth really knows what all of it is doing, or how."




Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can’t tell you who he is because he doesn’t want to go to Federal prison, which is what could have happened if he’d told anyone that could do anything about the bug he’d found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn’t extraordinary at all. Spend much time in the hacker and security scene, you’ll hear stories like this and worse.

It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.

Read more...

09 May 2014

Gmail hotkeys...for you power (and not-so-power) users out there

From the Gmail web interface, click the "?" key and a list of all available keyboard shortcuts will be displayed.



22 April 2014

https, hsts, mitm and the reasons why we are converting all our sites to secure-only sites

We have converted one of our primary customer sites to https-only, and have configured the server to comply with the HSTS standard.

To get a sense of our motivation, the first thing to read is the following recent post from the EFF: https://www.eff.org/deeplinks/2014/02/websites-hsts

This is a pretty good idea, although as seen below, by itself it is unlikely to win the war. 

More worryingly, it is a standard which depends on universal browser adoption for it to be effective. It should not be a surprise to hear that Microsoft are dragging their feet on the issue, trailing behind the makers of browsers such as Chrome, Safari and Firefox, which have already adopted the standard.

(Based on past experience, it is sensible to suspect that Microsoft will be planning to provide IE with its own idiosyncratic version which will introduce a whole new layer of security flaws, while failing to work well side by side with HSTS, and obliging web developers to employ a slew of clumsy hacks to get it to work properly on their sites.)

Will HSTS be enough? The jury is still out. There seems to be only a gradual rising of awareness of how vulnerable our "secure" systems are to a man-in-the-middle (MITM) attack. On this subject, the following is required listening: 

http://player.vimeo.com/video/50018478

This presentation is 5 years old! It hardly bears thinking about how far on hackers will be from that point by now. And the industry is only just responding to this old news.

The section beginning at 42:15 is particularly worrying. Our "client" may be securely connected to https://paypal.com/uk/webapps/mpp/merchant/.iijk.cn with a valid security certificate, and believe they are securely connected to paypal, and about to log in.

In fact, they will be connected to paypal, and paypal will believe that it is securely connected to its client.

But between them is a MITM. In fact the client is directly connected to a site on the domain iijk.cn -- a site with a valid security certificate. The characters that look like / and . in the early part of the URL are actually IDN (internationalized domain name) characters which only look like the ASCII versions, and everything appearing before the .iijk.cn is just one long, complicated subdomain made up of international characters.

What the MITM who is operating this domain does is to decrypt all the login information coming from the client, and then pass all the same information on to paypal, pretending to be the original client, via a secure connection to paypal. That is the reason why paypal believes that it is connected securely to its client.

The MITM passes all the information from paypal back to the real client, via the genuine secure connection to the iijk.cn domain. The browser is indeed securely connected to this domain, so it shows all the indications of being securely connected. There is almost nothing the client can see that will tip them off that there is anything dodgy about their connection.

And the trick only has to last long enough for the MITM to steal the login information, a matter of a few seconds. As soon as this has been recorded, the MITM bows out of the interaction, allowing the client to continue its communication with paypal, but directly, and carry out all the operations as though nothing had happened.

In the opinion of the presenter (again, the presentation was made in 2009, and provided the direct stimulus for the development of HSTS) there is really very little we can do about this vulnerability, short of making the whole internet secure.

This happens also to be the recommendation of Edward Snowden. In his TED talk, http://www.ted.com/talks/edward_snowden_here_s_how_we_take_back_the_internet, he says at 9:02:

"The biggest thing that an Internet company in America can do today, right now, without consulting with lawyers, to protect the rights of users worldwide, is to enable SSL web encryption on every page you visit."

That is why we have converted our first site to pure https, including the HSTS standard, and plan to do the same with all the other sites we operate.




Instructions for implementing HSTS are available at: http://lowendtalk.com/discussion/10021/tutorial-http-strict-transport-security-setup-on-apache-nginx-and-lighttpd
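As an added example (editor's code, not part of this post or of the linked tutorial), the following builds the Strict-Transport-Security header value a server should send and checks a given value for the mistakes that make the policy weaker than it looks. The thresholds follow RFC 6797 and the published preload-list requirements as this editor understands them; nothing here is taken from the site the post describes.

```python
"""Build a Strict-Transport-Security header value and check one for the
mistakes that make the policy weaker than it looks.

Added example, not the configuration from the post.  The thresholds follow
RFC 6797 and the preload-list requirements (max-age of at least one year,
includeSubDomains present) as this editor understands them."""
import re
from typing import Dict, List

ONE_YEAR = 365 * 24 * 60 * 60   # 31536000 seconds


def hsts_header(max_age: int = ONE_YEAR, include_subdomains: bool = True,
                preload: bool = False) -> str:
    """Header value to send on every HTTPS response.  It is pointless on plain
    HTTP responses: browsers ignore HSTS received over an unencrypted connection."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a header value into its directives.  Directive names are
    case-insensitive and values may be quoted (RFC 6797, section 6.1)."""
    directives: Dict[str, str] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value: str) -> List[str]:
    """Findings for a header value; an empty list means the policy is sound."""
    findings: List[str] = []
    d = parse_hsts(value)
    if "max-age" not in d:
        return ["max-age directive missing: browsers ignore the whole header"]
    if not re.fullmatch(r"\d+", d["max-age"]):
        return [f"max-age={d['max-age']!r} is not a number of seconds"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy, not to enforce it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is under one year ({ONE_YEAR}): a user who "
                        "stays away that long falls back to plain http on the next visit")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over "
                        "plain http, and cookies scoped to the parent domain can leak that way")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload listed, but the preload list requires includeSubDomains "
                        "and a max-age of at least one year")
    return findings


if __name__ == "__main__":
    for value in (hsts_header(), "max-age=300", "includeSubDomains", hsts_header(preload=True)):
        print(f"{value!r}: {check_hsts(value) or 'OK'}")
```

The value hsts_header() returns is what goes into the server configuration: with Apache's mod_headers that is Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains", and with nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;, in each case inside the https server block only, with the http block reduced to a redirect. Two caveats that bear on the discussion above: the very first visit is unprotected unless the site is on the browsers' preload list, and HSTS does nothing against a look-alike domain that presents its own valid certificate, since from the browser's point of view that is a different, correctly secured site.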

10 April 2014

How to recover from Heartbleed

Summary: For companies, installing patched OpenSSL software is just the first step in fixing the Heartbleed security problem. End users face a long haul, too. A lot of work needs to be done before we're safe from Heartbleed.

By Steven J. Vaughan-Nichols April 9, 2014 -- 19:15 GMT (12:15 PDT)
Source: http://www.zdnet.com/how-to-recover-from-heartbleed-7000028253/?s_cid=e589&ttag=e589&ftag=TREc64629f

Here's the good news: The patches for the OpenSSL Heartbleed security hole are now available for all major operating systems. Here's the bad news: Simply installing the patch isn't enough to protect your servers and users from attackers. Here's the worst news: All your users—yes all of them—are going to need to reset every last one of their passwords.

heartbleed

You may want to ignore this problem. You don't dare do so. So long as you're running unpatched OpenSSL 1.01 or 1.02beta it will be  trivial for hackers to crack your security systems and access both your own server and your users information. Adding insult to injury, this hole has existed on any system using the latest version of OpenSSL since early 2012. Other SSL implementations, such as Microsoft's Azure SSL, are not affected by this bug.
This means that if you've been running a "secure" Apache or NGINX Web server--about two-thirds of all Web sites--your site, potentially, has been open to attack for years. Indeed, if you've been running any network services that use OpenSSL for security, such as the Tor secure network, the Goldbug secure instant messenger, or many e-mail systems, including Yahoo Mail, it's possible that your information has been being silently harvested by attackers.
I doubt there have been massive data raids by criminals, though, simply because I think we'd all notice if billions of dollars of fake credit-card transactions started appearing on our bills. Now, what the NSA has been doing with SSL vulnerabilities is, of course, another question entirely.
But, now that everyone knows that the hole is out there, and that it's as wide-open as an interstate highway at 2 in the morning, you dare not wait a minute to update your OpenSSL software. But, after you've patched your servers, you're still not done.
Read more...


09 April 2014

LastPass Now Checks If Your Sites Are Affected by Heartbleed

From the LastPass blog at: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu, under the Tools submenu. 

In the Security Check results, we alert you to sites affected by Heartbleed:



We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We'll monitor the situation in general and keep our community posted. 

If you're not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

User comments at: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

Change all your online passwords!


This is it, folks. This is the hack, the security breach, the vulnerability that you've all been expecting...and dreading. The Big One. Armageddon is now.

Okay, so perhaps I'm exaggerating, but security experts are hollering loudly about CVE-2014-0160, also known as the Heartbleed Bug. I think we should listen. Here's a compendium of highlights I've gathered from a bit of googling early today.

Executive Summary


If you're not a techie and/or you can't be bothered with reading all the mumbo-jumbo, here's the bottom line: 

You should seriously consider changing all your online passwords. 

But you may want to wait to change some of them, in case the website/online service for the password you're changing has not upgraded their servers to patch this vulnerability. Or, better yet, change your passwords now and then change them again in the near future. It's never a bad idea to change a password.

If you are a techie or a server administrator, read on.

The "Heartbleed Bug"

An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery. Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years. [2]
Dubbed the Heart Bleed Bug, the flaw was jointly discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security. [3]
Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who's used them to change passwords too, because they could have been intercepted. That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them. [1]
Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday. [2]
"Heartbleed is massive. Check your OpenSSL!" tweeted Nginx in a warning Tuesday. [1]
But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond. [5]
“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University. [5]

Excuse me? "The Main FBI site?" 

Some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on Github. Lastpass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk. [5] (See more on LastPass below.)
It's puzzling that such a fuss is being made about Yahoo and LastPass, but the fact that the main FBI site has been breached by this vulnerability is mentioned almost as a footnote. One would have expected the headlines to read "FBI Website Breached by Hackers!" Sigh.
Chartier and other computer security experts are advising people to consider changing all their online passwords. "I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint." [2]
But maybe changing passwords won't help. See Change Your Passwords below.

A tool by Filippo Valsorda to test for Heartbleed vulnerability (see How to Detect a Heartbleed below) showed that "Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected -- but not Yahoo. Other Web sites shown as vulnerable by Valsorda's tool include Imgur, OKCupid, and Eventbrite." [1]

The Good News


Older servers/systems are safer, ironically.
The severity of the problem is lower for Web sites and others that implemented a feature called perfect forward secrecy, which changes security keys so that past and future traffic can't be decrypted even when a particular security key is obtained. Although big Net companies are embracing perfect forward secrecy, it's far from common. [1]
Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post. [2]
Adam Langley, a Google security expert who helped close the OpenSSL hole, said his testing didn't reveal information as sensitive as secret keys. "When testing the OpenSSL heartbeat (sic) fix I never got key material from servers, only old connection buffers. (That includes cookies though.)," Langley said on Twitter. [1]

LastPass


It's not clear what LastPass users should do. Should they change all their passwords or not?
One of the companies affected by the vulnerability was password manager LastPass, but the company upgraded its servers as of 5:47 a.m. PT Tuesday, spokesman Joe Siegrist said. "LastPass is quite unique in that nearly all your data is also encrypted with a key that LastPass servers never get -- so this bug could not have exposed customer's encrypted data," Siegrist added. [5]
“LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post. [5]
“Also, LastPass has employed a feature called ‘perfect forward secrecy’. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.” [5]
LastPass has used perfect forward secrecy for the last six months, but is assuming its certificates could have been compromised before that. "This bug has been out there a long time," Siegrist said. "We have to assume our private keys were compromised, and we will be reissuing a certificate today." [1]

How to Detect a Heartbleed

link to tool for testing for heartbleed vulnerability
An online tool that tests any server, given its hostname, for the CVE-2014-0160 bug is already available. [6] Developer and cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for the Heartbleed vulnerability. Valsorda's test uses Heartbleed to detect the words "yellow submarine" in a Web server's memory after an interaction using those words. [1]

What to Do If You Own Servers

How to stop the leak? As long as the vulnerable version of OpenSSL is in use it can be abused. A fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use. [4]
There is no word (yet) on how widely the flaw might have been exploited so far. However, the vulnerable OpenSSL 1.0.1 was released in March 2012. Whoever might have learned about the security flaw in question could have been eavesdropping on any TLS/SSL-encrypted communications ever since. This makes the problem a potentially global one: OpenSSL is used by very popular server software such as Apache and nginx. Their combined market share is over 66%, according to Netcraft’s April 2014 Web Server Survey, and they are commonly used by businesses of all sizes. [6]
As of today, a number of *nix-like operating systems are affected too, since they are packaged with a vulnerable OpenSSL [6]:
* Debian Wheezy (Stable), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* Fedora 18, OpenSSL 1.0.1e-4
* OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
* FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
* NetBSD 5.0.2 (OpenSSL 1.0.1e)
* OpenSUSE 12.2 (OpenSSL 1.0.1c)
Packages with older OpenSSL versions – Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14, SUSE Linux Enterprise Server – are free of this flaw. [6]
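A first triage step for anyone who owns servers is to classify the OpenSSL build actually in use against the affected range given above (1.0.1 up to and including 1.0.1f; 1.0.1g was the fix, and 1.0.2-beta1 was also affected). The following POSIX shell script is an added example, not from any of the cited sources; the banner strings fed to it at the bottom are constructed for illustration, and the one caveat it encodes is that distributions backport the fix without changing the upstream version letter (the Debian and Ubuntu package versions listed above still say 1.0.1e and 1.0.1), so a "vulnerable-upstream" result means "check the vendor's package changelog", not "confirmed exploitable".

```shell
#!/bin/sh
# Classify an "openssl version" banner against the Heartbleed (CVE-2014-0160)
# affected range. Prints exactly one word on stdout:
#   vulnerable-upstream  upstream version is in the affected range; the distro
#                        may have backported the fix, so consult its changelog
#   not-affected         outside the affected range (0.9.8x, 1.0.0x, 1.0.1g+, ...)
#   unknown              banner could not be parsed (e.g. not OpenSSL at all)
heartbleed_version_check() {
    banner="$1"
    # Keep the token after "OpenSSL", e.g. "1.0.1e", "1.0.1e-fips", "0.9.8o".
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        # 1.0.1 with no letter or with letters a..f, optionally suffixed
        # (e.g. "-fips"), plus 1.0.2-beta1, are the upstream affected builds.
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-* | 1.0.2-beta1 | 1.0.2-beta1-*)
            echo vulnerable-upstream ;;
        # Older branches never had the heartbeat code; 1.0.1g and 1.0.2-beta2
        # onward carry the fix, as does every later release line.
        0.9.* | 1.0.0 | 1.0.0[a-z]* | 1.0.1[g-z]* | 1.0.2-beta[2-9]* | \
        1.0.2 | 1.0.2[a-z]* | 1.[1-9]* | [2-9].*)
            echo not-affected ;;
        *)
            echo unknown ;;
    esac
}

# Convenience wrapper for the local host: classifies whatever "openssl" binary
# is first on PATH. Returns "unknown" when no openssl binary is installed.
heartbleed_local_check() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_version_check "$(openssl version 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample banners (not captured from any real host) showing the
# three outcomes; the CentOS-style "-fips" suffix and the Debian-style
# unchanged letter are the cases that most often confuse a quick eyeball check.
for sample in "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 0.9.8o 01 Jun 2010" \
              "LibreSSL 2.0.0"; do
    printf '%-32s %s\n' "$sample" "$(heartbleed_version_check "$sample")"
done
```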

Change Your Passwords


The information online is not clear as to whether changing passwords will help. Changing one's passwords regularly is never a bad idea in terms of security. However, some are saying that doing so now, before your service has upgraded its systems to plug this hole, will be a waste of time.
Changing the passwords won't do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords. [2]
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug." [2]

Conclusion


This is serious. Very serious. How should you respond? If you manage servers, you need to jump right on it and make sure your systems are covered: either verify that they are too old to have been affected (a rare case of procrastination being a good thing), or recognize that they are not quite new enough and need the new patches/upgrades installed.

Otherwise, if you're a "regular person" with online passwords -- and who isn't these days? -- then it's advisable to change all your passwords. But you may want to investigate the various sites/services you subscribe to, because if they have not updated their services to plug the vulnerability to Heartbleed, you may have to change your passwords again when they do.

Sources:

1. http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
2. http://abcnews.go.com/Technology/wireStory/passwords-vulnerable-security-flaw-found-23247031
3. http://beforeitsnews.com/business/2014/04/heart-bleed-bug-could-compromise-large-part-of-the-internet-2612796.html
4. http://heartbleed.com/
5. http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
6. http://business.kaspersky.com/the-heart-is-bleeding-out-a-new-critical-bug-found-in-openssl/

16 March 2014

Greenshot screen capture



Today I want to pitch a tool that I discovered a few months ago which has become an invaluable part of my arsenal. It's an open-source app called Greenshot that allows you to take screen snaps of any part of your screen, even outside of browsers, making it superior to Chrome and FF-based screenshot plug-ins.

You can capture a window with one click (without having to click and drag a capture box around it), you can capture full screen (of course), you can capture a region by just clicking the Prnt Scrn button and clicking/dragging (my most common use of it), and you capture the last region you captured, which is a surprisingly useful feature when you're taking lots of screenshots of the same page. The hot-keys are modifiable.


You can copy your capture to the clipboard to paste into an application, like Gmail or Word, you can save the capture as a jpg, png, bmp, gif, or tiff file, or you can open it in an editor, which is a very cool feature. And there are various other output options:


Greenshot's image editor is not feature-heavy, but it's very effective for making quick annotations -- using circles, boxes, arrows, lines, text, and highlights -- with tools to obfuscate text for security reasons, rotate, and crop your image.

You can open existing images in a wide number of formats and modify them using the editor. You can also save an in-progress image (if you're adding lots of annotations, for example) as a .greenshot file and open it later with the ability to edit all your previously created graphic objects.

Greenshot is much faster and easier to use than doing a full-screen capture and then editing it in Photoshop or other graphic editor. On top of that, it's free, easy to install, and it is in constant development. I like it so much that I have donated to the developers, and will continue to support them.

Check it out -- I think you'll find it a valuable tool, as well.


22 February 2014

UberConference Chrome App prevents Gmail from logging out automatically


I discovered this week that the UberConference Chrome app suppresses auto-logout of Gmail when I close my browser (Chrome Version 33.0.1750.117 m on Windows 7).

The UberConference app seems to cause a problem with Chrome's "Continue where I left off" feature, and Gmail remains logged in when I close Chrome, which is potentially a major security issue. When I turn off the UberConference Google App and close my browser, Gmail prompts for password when Chrome is restarted, as it should.

I have notified UberConference tech support of the problem.

15 February 2014

Windows Problem Steps Recorder

This looks like an extremely useful feature in Windows 7 that I can't believe I've never heard of until now! If it works as this tutorial states, it would be very effective for helping clients and friends remotely.


10 February 2014

Washington Post, Guardian links used to infect The Mask malware victims

Summary: Kaspersky's security research team today revealed "one of the most advanced" cyber-espionage malware threats "The Mask" (aka Careto). Victims including government institutions, private equity firms and high-profile activists are exploited.

By Violet Blue for Zero Day | February 10, 2014 -- 18:03 GMT (10:03 PST)

PUNTA CANA, Dominican Republic — Kaspersky Lab security research team just released details about "The Mask" (aka Careto) cyber-espionage malware, calling it "one of the most advanced threats at the moment" at the 2014 Kaspersky Security Analyst Summit.

Researchers told attendees The Mask is an extremely sophisticated nation-state spying tool and believe it to have been in operation since 2007.

Read more...


03 February 2014

Which Social Networks Should You Care About in 2014?

by Jeremy Waite

It’s hard to believe that Facebook will be ten years old this February and yet social media still seems new to many of us. Brands are struggling as much as they ever have done to understand what to do with it, and which networks actually have any real value. I noticed a number of social challenges that brands faced in 2013 but probably the two most common questions I got asked were:

  • Which social networks should I focus on?
  • How much of my time and resources should I allocate to each one?

The answers to these questions are not as complicated as people often think, but nor is there a correct answer to either of them. Read more...


29 January 2014

QWERTY top row word list

I came across this list of QWERTY home row words and thought a top row list would be useful as well. I created the following using Iterative Anagram Solver.

1-Letter Words: i, o

2-Letter Words: er, et, it, oe, oi, op, or, ow, oy, pe, pi, qi, re, ti, to, up, ut, we, wo, ye, yo

3-Letter Words: ere, err, ewe, eye, ire, oot, ope, opt, ore, ort, our, out, owe, pee, pep, per, pet, pew, pie, pip, pit, piu, poi, poo, pop, pot, pow, pro, pry, pup, pur, put, pye, ree, rei, rep, ret, rip, roe, rot, row, rue, rut, rye, tee, tet, tew, tie, tip, tit, toe, too, top, tor, tot, tow, toy, try, tui, tup, tut, two, tye, upo, urp, ute, wee, wet, wit, woe, woo, wop, wot, wow, wry, wye, yep, yet, yew, yip, you, yow, yup

4-Letter Words: eery, epee, etui, euro, ewer, eyer, eyre, eyry, otto, oyer, peep, peer, pepo, pere, peri, perp, pert, pier, pipe, pipy, pity, poet, poop, poor, pope, pore, port, pour, pout, pree, prep, prey, prop, prow, ptui, pupu, pure, puri, purr, putt, pyre, pyro, quey, quip, quit, repo, repp, rete, riot, ripe, rite, root, rope, ropy, rote, roti, roto, roue, roup, rout, ruer, ryot, tier, tipi, tire, tiro, titi, toit, toot, tope, topi, topo, tore, tori, toro, torr, tort, tory, tote, tour, tout, towy, toyo, tree, tret, trey, trio, trip, trop, trot, trow, troy, true, tutu, twee, twit, tyee, tyer, type, typo, typp, typy, tyre, tyro, weep, weer, weet, weir, wept, were, wert, wipe, wire, wiry, wite, wore, wort, writ, wyte, yeti, yett, yipe, yirr, yore, your, yowe, yurt

5-Letter Words: eerie, equip, error, erupt, etwee, eyrie, eyrir, oorie, otter, ourie, outer, outre, peery, peppy, perry, peter, petit, petti, petto, petty, pewee, pewit, piety, piper, pipet, pipit, pique, poori, poppy, potto, potty, pouty, power, poyou, preop, prier, prior, pryer, puppy, puree, purer, purty, putti, putto, putty, queer, query, queue, quiet, quipu, quire, quirt, quite, quoit, quote, repot, repro, retie, retro, retry, rewet, riper, rooty, roper, ropey, roque, rotor, rotte, roupy, route, rower, rupee, rutty, tepee, tepoy, terry, tetri, tippy, titer, titre, titty, topee, toper, topoi, toque, torii, torot, torte, toter, tower, towie, toyer, trier, tripe, trite, troop, trope, trout, truer, tuque, tutee, tutor, tutti, tutty, tuyer, tweet, twerp, twier, twirp, twyer, typey, upper, uteri, utter, weepy, wiper, wirer, witty, wooer, worry, wrier, write, wrote, wryer, yowie, yuppy

6-Letter Words: eerier, epopee, equity, euripi, irrupt, orrery, output, outrow, outwit, peeper, peerie, peewee, peewit, pepper, periti, perter, petite, petter, pewter, peyote, pipier, piquet, pitier, poetry, poorer, popery, popper, poppet, porter, potpie, potter, pourer, pouter, powter, powwow, preppy, pretor, pretty, preyer, priory, proper, protei, prower, prutot, ptooey, puppet, purity, putout, puttee, putter, puttie, pyrite, pyrope, queuer, quippu, quippy, quoter, qwerty, report, repour, repute, retire, retore, retort, retype, rewire, rewore, rioter, ripper, ritter, rooter, ropery, ropier, roquet, rotter, roupet, router, teepee, teeter, terete, terret, territ, terror, tetter, tipper, tippet, tiptoe, tiptop, titter, tittie, tittup, tooter, topper, toquet, torero, torpor, torque, totter, toupee, tourer, touter, towery, trippy, triter, troupe, trouty, tryout, turret, tuyere, typier, uppity, upprop, uproot, uptore, ureter, weeper, weepie, weewee, wetter, wirier, worrit, writer, yippee, yippie, yuppie

7-Letter Words: epitope, equerry, outpity, outport, outpour, outroot, outtrot, outweep, outwept, outwore, outwrit, peppery, peppier, perique, pettier, pierrot, pipette, piroque, pottery, pottier, poutier, preppie, preriot, pretype, prewire, proette, purport, purpure, purtier, puttier, queerer, querier, quieter, quipper, quitter, quittor, reequip, repower, require, requite, reroute, retiree, retirer, reutter, rewrite, rewrote, rootier, roupier, rupture, ruttier, terrier, tippier, torquer, torture, tottery, towrope, treetop, tripper, trippet, trooper, trotter, trouper, tutoyer, tweeter, twitter, utterer, weepier, wipeout, wittier, worrier, yperite

8-Letter Words: equipper, outpower, outquote, outtower, outwrite, outwrote, peetweet, pepperer, peripety, peripter, pewterer, portiere, potterer, preppier, preterit, prettier, priority, properer, property, puppetry, putterer, quippier, reporter, requirer, requiter, retorter, rewriter, roquette, roturier, tippytoe, titterer, tittuppy, topotype, torturer, totterer, towerier, trippier, tripwire, troutier, twittery, uprooter

9-Letter Words: etiquette, eyepopper, outpourer, pirouette, potpourri, preterite, propretor, propriety, prototype, puppeteer, puttyroot, repertory, territory, twitterer, typewrite, typewrote

10-Letter Words: peppertree, perpetuity, prerequire, proprietor, repertoire, typewriter