Poodle vulnerability—what to do

October 2014 brought with it a new cyber-attack method to the Internet: POODLE, the ‘Padding Oracle On Downgraded Legacy Encryption’ attack. The attack is against the SSLv3 protocol, which powers the HTTPS secure browsing system we’re all used to.

What can you do?

1. Check your browser:

https://dev.ssllabs.com/ssltest/viewMyClient.html

Then disable SSLv3 support in your browser(s):

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

Firefox was the easiest to change. Safari has no known fix yet, and Mac Chrome requires a command line tweak to modify.  Even the Chrome Canary build is still vulnerable.

 

2. Check to see if your web server is vulnerable:

https://www.tinfoilsecurity.com/poodle

Then ask your hosting company to disable SSLv3 on the server:

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

 

Test for the Shellshock bug in BASH

From ArsTechnica:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

Visual Map of Internet Attacks

A computer security firm called Norse

has released a stunning data visualization map of internet attacks. It shows a fraction of the scope of constant threats affecting countries today. You can see penetration attempts in real time over services like http (web servers) and smtp (email servers), and more.

 

Norse visual map of internet attacks
Norse visual map of internet attacks

http://map.ipviking.com

via PC World from this article.

 

 

How to View Source in Safari on iPad

This bookmarklet is useful to view source in Safari on Apple’s iPad. There is no built-in menu tool to do this in iOS, unlike with all desktop browsers. Oh why, Apple, do you drift ever further from user-centric software development?

Here is the link to the article by Ole Michelsen.

http://ole.michelsen.dk/blog/view-source-on-the-ipad-and-iphone/

A fine solution is to create a bookmarklet, which is a piece of JavaScript saved as a bookmark. When you want to see the source of a web page, just click the bookmark and the source of the page is displayed. I was inspired by this bookmarklet by Rob Flaherty, but it has a few shortcomings. To improve upon the bookmarklet concept, I created my own version with a few more bells and whistles:

Be aware of the Heartbleed bug

On April 8 I was notified by WiredTree, our hosting company, that their servers had been patched against a newly discovered (and serious) flaw in the SSL encryption technology which underpins secure browsing over https.

It is called the Heartbleed bug.

Our servers were not affected, as they ran CentOS5 and did not use Litespeed. Other sites which did use LiteSpeed were affected.

Read more at:
http://heartbleed.com/
https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

UPDATE

An article on Thursday explains how the bug crept in the Open Source software.

Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.

That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.

FOAP is a new way to get paid for your photos

Friend and colleague Bob Manley let me know about FOAP, a web service that is building a market for photographers to sell their local, real-live photos to companies looking for stock photography.

https://www.foap.com/

Foap-logo_market

 

The idea seems interesting; take a photo, achieve a minimum score of community votes, then its eligible for sale in the marketplace. You get $5 out of the $10 selling price.

Their website also has a good summary of Commercial vs Editorial license rules concerning people’s faces.

 

Target website hiding its data theft warning

Target’s had a big red target leveled at its data systems recently; the intrusion and theft of over 100 million consumer credit & debit card information is almost the largest in history.

It’s website features a notice to consumers; but strangely, 2 seconds after the home page loads, an ad overlay obscures the warning text and link.

Purposeful or by accident, it’s a big oops on top of the disaster.

See the site 1 second after load:

website shows theft message at page load
The Target website shows theft message at page load

And 2 seconds later:

Target homepage after 2 seconds; the warning is covered over
Target homepage after 2 seconds; the warning is covered over

Intentional or by accident?

Does the law require companies to disclose breaches?
As an aside, most States do not require the companies disclose successful network breaches to their customers. A law firm has published a useful chart to track State-by-State requirements.

http://www.perkinscoie.com/statebreachchart/

The write:

Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told us that the chart has been helpful when preparing for and responding to data breaches.

Maine has such a disclosure law on its book.

Do you dislike Apple Preview app’s auto-saving feature?

Apple has always decided what it thinks is the best experience for its Mac users, even against conventional wisdom or established, known user preference. This has been frustrating for power users through the years, from lack of two button mice to the latest reductionist “flat design” trend in iOS7.

The latest “we know better” feature is the automatic document auto-saving (with no warning) in its home-grown applications, like Preview, TextEdit or the iWork apps. I don’t want to recall how many original photos have been destroyed after a session of quick exposure experimentation.

Good news: you can completely disable the auto-saving via this terminal command:

defaults write com.apple.Preview ApplePersistence -bool no

This comes from a helpful topic on StackExchange.

http://apple.stackexchange.com/questions/27544/how-to-completely-disable-auto-save-and-versions-in-mac-os-x-lion