An emergency security advisory from the OpenSSL project recently warned about a bug known as “Heartbleed”, an encryption flaw that was quickly labeled one of the biggest security threats the Internet has ever seen, despite the fact that the National Security Agency (NSA) has known about and allegedly exploited it since it was discovered (link: http://rt.com/usa/nsa-knew-heartbleed-hacking-years-004/). It has affected an unknown number of popular websites and services, many of which you might use every day, like Gmail and Facebook. Visiting the affected sites may have quietly exposed your passwords and credit card numbers to those exploiting the vulnerability over the past two years.
The “Heartbleed” label sounds a little melodramatic, but the bug was originally reported as having the potential to live up to the hype. The bug was reportedly named by an engineer at Codenomicon, a cyber-security company with offices in Finland and Silicon Valley. Heartbleed was discovered separately and simultaneously by Google security researchers and engineers at Codenomicon. Both teams found that OpenSSL, an open-source encryption library used by an estimated 66% of Internet servers, contained a flaw that allows any hacker with a simple script to pull treasure troves of personal information from the affected servers.
OpenSSL contains an extension called Heartbeat which, because of the bug, leaks sensitive data straight out of server memory. By running the exploit, a hacker could download countless emails, passwords, user IDs and loads of other personal information in a matter of seconds. An updated version of OpenSSL has been released so sites can fix the bug, but in addition to updating OpenSSL, affected sites will also need to replace other pieces of their security setup, the keys and certificates used to help them confirm the identity of their users. Companies relying on OpenSSL to safeguard consumer data are scrambling to close the gaping hole that was reported last week.
What hasn’t been clear since it was reported is which sites have been affected. Mashable and GitHub have compiled lists of sites which appear to have been compromised. The Heartbleed bug has been known about for more than two years, but it’s still not clear how long it has existed or how many sites are actually affected, regardless of the doomsday scenarios that keep making headlines. In fact, it appears that the Heartbleed security flaw may not be as dangerous as first thought.
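To show what “bleeding” memory through the Heartbeat extension actually means, here is an added example (not the page’s or OpenSSL’s code): a simplified heartbeat echo handler with the length check missing, beside the hardened version that drops the record, run against a constructed receive buffer. The record layout, the names and the demo data are assumptions for illustration, not the real OpenSSL implementation.

```c
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record: 1-byte type, 2-byte big-endian payload
 * length, then the payload. Illustration of the bug class, not OpenSSL's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3 };

/* Vulnerable shape: the reply copies as many bytes as the peer CLAIMED and
 * never checks that the record really carried that many, so whatever sits in
 * memory after the real payload is copied into the reply. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                          /* received length is ignored */
    if (HB_HDR + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);  /* over-reads when n > real payload */
    return HB_HDR + n;
}

/* Hardened: drop any record whose claimed length exceeds what was received. */
size_t heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + n > rec_len || HB_HDR + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return HB_HDR + n;
}

/* Constructed receive buffer: a 7-byte request ("ping") that claims a 20-byte
 * payload (0x0014), followed by unrelated data that must never leave memory. */
static const unsigned char demo_bad[] = "\x01\x00\x14" "ping" "SECRET-KEY-MATERIAL";
static const unsigned char demo_good[] = "\x01\x00\x04" "ping";

/* Runs one handler on one demo record; returns the reply length, -1 if the
 * record was refused, or -2 if the reply exposed the neighbouring secret. */
int demo_reply(int checked, int good) {
    unsigned char out[64];
    const unsigned char *rec = good ? demo_good : demo_bad;
    size_t n = checked ? heartbeat_reply_checked(rec, 7, out, sizeof out)
                       : heartbeat_reply_unchecked(rec, 7, out, sizeof out);
    if (n == 0) return -1;
    if (n > HB_HDR + 4 && memcmp(out + HB_HDR + 4, "SECRET", 6) == 0) return -2;
    return (int)n;
}
```

The unchecked handler answers the malformed request with 16 bytes it was never sent, while the hardened one refuses it and still echoes the well-formed request normally.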
As Facebook’s popularity and user base grow, it puts its users at greater risk of identity theft and other crimes, and poses serious threats to its users’ privacy.
Joan Goodchild, senior editor of CSO (Chief Security Officer) Online, says that Facebook’s 400 million users are not protected from prying eyes, scammers and unwanted marketers. She says your privacy may be at far greater risk of being violated than you realize when you log into Facebook, due to security gaffes or marketing efforts by the company.
Facebook has been coming under fire lately. Fifteen privacy and consumer protection organizations filed complaints with the Federal Trade Commission, charging, among other things, that the company manipulated privacy settings to make users’ personal information available for commercial use.
In a major security breach, some Facebook users found their private chats were accessible to everyone on their contact list, causing many to wonder just how secure Facebook really is.
Danish security company Secunia reported that more than 9 out of 10 Windows users are susceptible to the Flash zero-day vulnerability — which Adobe has reportedly known about since the end of 2008 — and that Adobe won’t patch it until later this week.
Secunia says that over 90% of Windows PCs run the vulnerable version of Flash and 48% of Windows PCs have buggy Adobe PDF Readers.
92% of the 900,000 users who recently ran Secunia’s Personal Software Inspector (PSI) utility have Flash Player 10 running on their PCs and 31% have Flash Player 9 — some users have both versions so the total exceeds 100% — according to Secunia.
Secunia’s PSI tool scans your computer to see what applications are installed and then checks to see if you have the most current version. If it finds a newer version of a program, it offers you a link to get it.
The Better Business Bureau (BBB) has issued an alert on its website warning businesses and consumers across the United States and Canada of a phishing scam that uses the BBB name and a false BBB email address in an attempt to make the email recipients click on potentially damaging hyperlinks.
A Kennesaw, GA business was hacked and is now sending thousands of counterfeit messages to businesses and consumers, purporting to be complaints filed with the BBB. The incident was reported to the BBB that serves Columbus, GA and the surrounding area.
The phony email appears to come from email@example.com and contains a link citing a BBB complaint case number (such as documents for case #263621205…see the letter below).
Clicking the link leads to a subdirectory of the hacked website and asks users to download documents related to the complaint. The download is actually an executable file, suspected to be some form of computer virus.
Recipients of the phony email are advised that any email from the firstname.lastname@example.org address does not come from the BBB and should be considered counterfeit. The BBB is strongly encouraging recipients of this message to delete it immediately. DO NOT click on the “documents for case” links.
One day after the release of Microsoft’s $6 billion operating system, there are already reports from the UK’s PC Advisor of the Windows Vista DRM being cracked by a Canadian kernel developer.
On the eve of the Windows Vista launch, numerous retailers opened their doors at midnight to sell it. Very few consumers decided to show up for the event. The excitement and hoopla surrounding the launch seem to have disappeared.
The Dallas Morning News and numerous other sources are reporting the lukewarm response to the official Vista launch.
Upgrading to Windows Vista
Unless you’re running Windows 2000 or Windows XP, you won’t be able to install the upgrade versions of Windows Vista: the upgrade editions of Home Basic, Home Premium and Starter will not install on any PC unless Windows XP or Windows 2000 is already on the machine. Microsoft Knowledge Base article #930985 (kb930985) details upgrade installation key issues.
Vista’s EULA: Possible deletion of programs without user consent
Check the fine print in the EULA (end user license agreement) when you go to install or use Windows Vista. An article in the Toronto Star covers a few of the highlights from the EULA, such as extensive provisions that grant Microsoft the right to regularly check the legitimacy of the software, possibly deleting certain programs without a user’s knowledge, and the right to revalidate the software or require the user to reactivate it if they change computer components.
A lot of the hoopla surrounding the new Windows Vista operating system (OS) is based on its new multimedia capabilities. However, people purchasing it to use these enhanced multimedia capabilities to watch high-definition or Blu-ray DVDs, or to listen to some audio CDs, may be in for a very upsetting surprise.
In a disturbing albeit eye-opening white paper detailing a cost analysis of Windows Vista Content Protection, Peter Gutmann (a security engineering researcher in the Department of Computer Science at the University of Auckland, New Zealand) details the consequences of Microsoft’s new Digital Rights Management (DRM): its cost in terms of system performance, system stability, technical support overhead, and hardware and software costs, and the effect of those costs on Windows Vista users and the computer industry.
Basically, the paper explains how a new kind of technology built into Windows Vista will take the high-definition or Blu-ray DVDs you purchase, as well as audio discs, and degrade the playback quality drastically because of the built-in content protection mechanism and Microsoft’s requirements for drivers. At one point Gutmann refers to the new content protection scheme as suicidal.
Per the white paper, the new operating system will prevent certain pieces of hardware, such as video cards and monitors, from displaying High Definition (HD) content, requires customized device drivers, and requires that hardware vendors get approval from major movie studios such as MGM, 20th Century Fox and Disney.
On top of that, additional costs will be incurred by vendors of the above-mentioned devices because Microsoft disallows a one-size-fits-all design for devices in the new system and bans the use of add-ons such as TV-out encoders, DVI circuitry and the like, since the new system disallows feeding unprotected video and audio to external components.
An APC Magazine article based on a leaked email memo has revealed that Microsoft is already rushing to roll out Windows Vista Service Pack 1 (SP1).
Microsoft has sent out emails to customers and partners asking them to test and provide feedback on SP1 to help prepare for its release in the second half of 2007. It took 11 months after the release of Windows XP for Microsoft to roll out the first service pack.
Specific details of the changes codenamed “Fiji” have not been released by Microsoft yet. Microsoft claims that regressions from Windows Vista and Windows XP, security, deployment blockers and other high impact issues are the primary focus for the service pack. The operating system hasn’t been released yet, but it has “high impact issues.”
Testers are enrolled in the Vista SP1 Technology Adoption Program (TAP) and must be willing to provide feedback and deploy pre-release builds into production environments.
Microsoft will be releasing Windows Vista, its newest (long-awaited) operating system (OS), to consumers on January 30, 2007. For those of you adventurous enough to purchase the new Windows OS, Microsoft has announced 3 methods to buy, upgrade or license multiple copies of Windows Vista once it’s released, to give customers more flexibility in obtaining the version that meets their needs: Windows Anytime Upgrade, the Windows Vista Family Discount and Windows Marketplace. Windows Vista is expected to retail for $100.00 to $400.00 depending on which version you get.
Windows Vista will be available in 6 versions:
- Windows Vista Home Basic – for basic home needs such as email and internet access
- Windows Vista Home Premium – for the best home computing and entertainment
- Windows Vista Business – for small and mid-sized organizations
- Windows Vista Ultimate – for work and entertainment, the most complete edition
- Windows Vista Enterprise Edition – designed to help global organizations and enterprises with complex IT infrastructures lower IT costs, reduce risk, and stay connected. It also provides higher levels of data protection using hardware-based encryption technology (only available to volume license customers with PCs covered by Microsoft Software Assurance)
- Windows Vista Starter – not currently scheduled to be available in the United States, Canada, the European Union, Australia, New Zealand, or other high income markets as defined by the World Bank.
Note: Windows Vista Enterprise and Starter editions are not part of Windows Anytime upgrade.
Sony has been fined $1.5 million in penalties and costs to reimburse Californians and Texans whose computers were affected by the digital rights management (antipiracy) software illegally installed by some of its music CDs. Consumers will be reimbursed up to $175.00 to offset the cost of repairs incurred when removing the software. Consumers without proof of the cost of repairs are still eligible for $25.00.
To date, 40 states have settled the lawsuit with Sony. The total settlement amount is up to $5.75 million. For a list of the 40 states covered by the settlement, see the Massachusetts Attorney General’s Office.
The CDs may carry an XCP or MediaMax 5.0 designation on the label, and some are labeled “Content Protected” in the front upper-left corner. 52 CD titles were manufactured with the antipiracy software. A full list of the titles affected can be found here.
California Attorney General Bill Lockyer estimates that 450,000 Californians purchased Sony BMG CDs that used rootkit technologies. Texas estimates 130,000 people purchased the CDs. An estimated 12.6 million CDs were sold between January 2005 and November 2005.
Now that the holiday season is rapidly approaching, it’s a good time for some quick reminders about safely purchasing items online. Armed with the proper knowledge and a little common sense, purchasing things online can be as safe as going to the store and purchasing it in person.
It’s getting easier to purchase items online from reputable companies. However, there are also several “companies” that want to steal your personal and financial information. Listed below are some suggestions for making your online shopping experience more enjoyable.
Is the seller’s address and phone number listed in an easy-to-find location on their website? Reputable sellers will have their contact information on their website. Look for an address and a phone number to call in case you have any questions or problems. If you question their authenticity, call the phone number to see if it works, or speak to them to get a sense of how they handle things. If you spot a lot of typos or grammatical errors, be very suspicious. Reliable online retailers should have very few, if any, typos and errors.