Category Archives: Internet

Atos still using email, despite CEO’s bluster

Back in 2011, the CEO of Atos expressed his frustration with the amount of time his employees were spending on email, and promised to eliminate email from the company within three years.

Fast-forward three years, and the Contact page on the Atos web site still sports email addresses. Not as easy as you thought, right? Maybe that’s because email has distinct advantages over other forms of online communication. In particular, email is far less likely to be overlooked by the recipient than, say, a Facebook post.

Update 2022Oct14: Atos is still using email.

DropBox issue exposes private documents

Security researchers recently discovered a flaw in DropBox that could allow access to users’ private documents in certain circumstances. DropBox responded quickly to fix the vulnerability. It’s not clear whether the vulnerability was known to – or exploited by – any nefarious persons.

If you use DropBox, you should review your Shared Links settings and restrict shared links to collaborators only.

More Heartbleed fallout

The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.

Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.

Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.

Canada Revenue Agency hit by Heartbleed, recommends changing passwords

Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.

According to the RCMP, about 900 Social Insurance numbers were obtained from CRA systems by unknown persons over a six-hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.

The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.

Heartbleed followup

Fallout from the Heartbleed vulnerability continues.

The list of major web sites affected by this issue (and in most cases advising their users to change their passwords) is expanding rapidly. It includes Instagram, Tumblr, DropBox, and many others.

The list of affected software is also growing.

Ars Technica’s ongoing coverage includes the disturbing news that the “Heartbleed vulnerability may have been exploited months before patch”, as well as “Researchers find thousands of potential targets for Heartbleed OpenSSL bug”.

Security researchers at the University of Michigan scanned the Internet looking for vulnerable web sites, and found plenty, which they list in their Heartbleed Bug Health Report.

Numerous tools for detecting Heartbleed vulnerability have appeared on the web, including this one at filippo.io. Use these tools with caution, since some will almost certainly turn out to be scams of some kind.

The XKCD web comic has joined in the fun:

XKCD’s take on the Heartbleed problem.