Category Archives: Internet

Extremely critical security bug affects most of the Internet

A bug in the OpenSSL cryptography library, which runs on a large fraction of the world’s servers, lets anyone who can connect to a vulnerable server read chunks of that server’s memory that were never meant to be exposed. The flaw is a missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension: a peer can claim to have sent more data than it actually did and get back up to 64 KB of whatever happens to be in the process’s memory, and it can repeat the request as often as it likes. That memory can contain private keys, session cookies and user passwords.

This newly discovered vulnerability – now known as ‘Heartbleed’ – has existed since OpenSSL 1.0.1 was released in March 2012, roughly two years. Exploiting it leaves no trace in normal server logs, so it’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was disclosed by researchers; upstream, the fix is OpenSSL 1.0.1g. Anyone running OpenSSL 1.0.1 through 1.0.1f (on any platform, not just Linux) is strongly advised to update the library ASAP, restart every service that loaded the old copy (or simply reboot), and then, because private keys may already have leaked, generate new keys, reissue certificates and revoke the old ones. Only after that is it worth changing passwords: a password changed on a still-vulnerable server can be stolen again.

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.

Microsoft steps in a huge steaming pile of privacy issues

In yet another of the endless examples of why companies shouldn’t let lawyers make decisions, Microsoft has undone whatever goodwill they might have had from customers who value the privacy of their email.

A Microsoft employee apparently leaked Windows 8 information to a reporter. In typical big-corporation fashion, this leak caused the software giant to go into full-on freakout mode. Ignoring common sense entirely, they dug into the reporter’s Hotmail account, looking for clues to the identity of the leaker. Apparently the lawyers were consulted, and the lawyers said, “Go right ahead and look! The Terms of Service for Hotmail mean the law is on our side.” And they’re right. But that doesn’t mean it was a good idea. Now that this incident has come to light, the public backlash is just beginning for Microsoft.

Of course, this problem is not limited to Microsoft. Almost all email services operate this way. Whoever provides the service can read any message on it at any time, even when the service encrypts mail in transit or on disk, because the provider holds the keys. The only way to get around this exposure while using a typical email service is to add your own encryption, with keys held only by the correspondents at both ends of every exchange, commonly referred to as end-to-end encryption. Lavabit came closest among hosted services, storing mail encrypted so that the provider could not read it without the user’s password, and it shut down in August 2013 rather than hand its TLS private key to the U.S. government under a court order.

Update 2014Mar29: Microsoft, in damage control mode, has made changes to its privacy policies. A statement by Microsoft General Counsel Brad Smith on the ‘Microsoft on the Issues’ blog makes it clear that they will no longer look at customer data in situations like this. Smith also states that Microsoft will work with the EFF and other digital rights organizations to help avoid problems like this in the future.

Yahoo email accounts compromised

Yahoo announced yesterday that some Yahoo Mail account addresses and passwords were being used in a coordinated attempt to gain access to those accounts. The source of the account information remains unclear, but Yahoo claims that it was not obtained from Yahoo’s services directly.

Yahoo is resetting the passwords of affected accounts and informing the associated account holders.

Since it’s difficult to know, at this point, the full extent of this problem, anyone with a Yahoo Mail account is advised to immediately change its password. And since the credentials apparently came from some other compromised database, anyone who reused their Yahoo password on another site should change it there too; credential lists like this are tried against every popular service.

How well do popular sites protect your passwords?

According to a recent study by Dashlane, makers of a web-oriented password manager, Apple.com does the best job of protecting your passwords online.

The study ranked one hundred of the most popular web sites on their ability to encourage or require the use of strong passwords, to assist users in selecting strong passwords, and on their policies in relation to storing and displaying or emailing passwords. Microsoft and NewEgg scored highly, and Major League Baseball scored worst.

If you needed another reason not to visit yahoo.com…

Advertisements containing malware started appearing on yahoo.com on December 30, 2013 – or possibly even earlier. The ads were served through Yahoo’s own ad network, so a visitor didn’t need to click anything: a browser with an unpatched Java plug-in was redirected to an exploit kit and silently infected. If that includes you, a full malware scan of the computer you used should be your next task. Disabling the Java plug-in in the browser (or removing Java entirely if nothing you use needs it) closes the door to this whole class of attack. One of the following (or both) should do the trick:

ISP horror stories

There’s an interesting, hilarious, horrifying post over at Ars Technica with some examples of the kind of service we’ve all come to expect in the competition-free world of Internet Service Providers.

Those stories make our ISP (Shaw) look pretty good by comparison with Comcast, Verizon, and Time Warner. Still, our WAN connection has been up and down during the last few days, and I’m still waiting for a service call. It’s up now, but it’s been down for a total of 34 hours in the last week.

Ouch! newsletter: How to shop online securely

The latest installment of the Ouch! newsletter (PDF) from SANS provides tips for safely and securely shopping on the web. Learn how to identify shady web stores and avoid them, how to keep your credit card information secure, and what to do if you suspect fraud.

The Ouch! newsletter is aimed at regular users and the security challenges they face daily. Highly recommended, but if you’re a computing professional, you may not find much there you didn’t already know.

NSA-Themed Ransomware

Any time something catches the attention of huge numbers of Internet users, there’s a possibility that nefarious persons will try to make money from it. A famous actor has their phone hacked, a celebrity dies, or a whistleblower exposes the extent of NSA snooping, and the spam in your inbox suddenly has a new flavour… or worse.

Zscaler and other security researchers are reporting an increase in ransomware threats that are built on recent revelations of the NSA’s activities.

This kind of ransomware works like this: you visit a web site that has been compromised and is serving malicious code. The code exploits an unpatched browser plug-in (Java, Flash, a PDF reader) to install the malware, after which it becomes impossible to use your computer. Unlike file-encrypting ransomware, this lock-screen variety doesn’t touch your files; it hijacks the desktop and shows a full-page threat from what appears to be the NSA, claiming that you have participated in unlawful activities (usually downloading copyrighted materials). You are told that you can pay up or face legal action.

If this happens to you, do not pay and do not follow any of the instructions shown by the ransomware; paying neither guarantees the lock is removed nor removes the malware. Hire a professional to remove the malware, or boot from clean media, copy off your data, and reinstall your operating system.

How to determine whether a warning is fake and ransomware:

  • No legitimate agency would use this tactic (at least not yet): real law enforcement does not lock your computer remotely and offer to settle a criminal matter for a fee.
  • Awkward language and spelling mistakes in the warning, and agency names or logos that don’t match the country you’re in.
  • Payment is demanded through third-party prepaid voucher services (MoneyPak, Ukash, Paysafecard and the like), which no government accepts for fines.

Techdirt has additional details.