POODLE vulnerability: what to do

October 2014 brought a new attack on encrypted web traffic: POODLE, the ‘Padding Oracle On Downgraded Legacy Encryption’ attack. It targets SSLv3, the 1996-era predecessor of TLS that most browsers and web servers still accepted as a fallback whenever a newer handshake failed. An attacker positioned on the network can force that fallback and then use SSLv3’s weak CBC padding check to recover secrets such as session cookies, one byte at a time. Because the flaw is in the protocol itself rather than in any one implementation, the fix is to stop speaking SSLv3 on both the browser and the server.

What can you do?

1. Check your browser:

https://dev.ssllabs.com/ssltest/viewMyClient.html

Then disable SSLv3 support in your browser(s):

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

Firefox was the easiest to change (set security.tls.version.min to 1 in about:config). Safari has no fix yet, and Chrome on the Mac has to be launched with a command-line flag (--ssl-version-min=tls1) to refuse SSLv3. Even the Chrome Canary build still accepts it.

 

2. Check to see if your web server is vulnerable:

https://www.tinfoilsecurity.com/poodle

Then ask your hosting company to disable SSLv3 on the server (and, if their software supports it, to enable TLS_FALLBACK_SCSV, which stops a browser from being tricked into downgrading):

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
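For a check you can run yourself rather than trusting a third-party site, here is an added Python example (not code from the tinfoilsecurity or Scott Helme pages). It hand-builds an SSLv3 ClientHello, sends it to a server, and reads back the first record: a ServerHello at version 3.0 means the server still speaks SSLv3 and is exposed, while an alert means it refused. It talks to the raw socket because modern OpenSSL and Python builds no longer offer SSLv3 at all. The cipher suite list and the sample server responses are constructed for the demonstration.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"   # version bytes for SSL 3.0
TLS10 = b"\x03\x01"   # version bytes for TLS 1.0 (used only for a sample response)

# Cipher suites an SSLv3-era server is likely to accept (constructed list):
# RSA with AES-128-CBC, AES-256-CBC, 3DES-CBC and RC4-128.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(cipher_suites=CIPHER_SUITES, random_bytes=None):
    """Return one raw SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (
        SSLV3                                    # client_version = 3.0
        + rnd                                    # 32-byte client random
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returned for our SSLv3 ClientHello.

    'sslv3_accepted' - ServerHello with server_version 3.0: SSLv3 is enabled
    'refused_alert'  - Alert record (handshake_failure, protocol_version, ...)
    'closed'         - nothing usable came back (server dropped the connection)
    'other'          - anything else, e.g. a ServerHello at a different version
    """
    if len(data) < 5:
        return "closed"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # Handshake type 2 = ServerHello; server_version follows the 3-byte length
        return "sslv3_accepted" if payload[4:6] == SSLV3 else "other"
    if content_type == 0x15 and len(payload) >= 2:
        return "refused_alert"
    return "other"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def make_server_hello(version, cipher=0x002F):
    """Build a minimal ServerHello record (constructed sample, not a real capture)."""
    body = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


SAMPLE_SSLV3_SERVER_HELLO = make_server_hello(SSLV3)   # what a vulnerable server answers
SAMPLE_TLS10_SERVER_HELLO = make_server_hello(TLS10)   # a ServerHello that is not an SSLv3 acceptance
SAMPLE_HANDSHAKE_FAILURE = b"\x15" + SSLV3 + b"\x00\x02\x02\x28"  # fatal handshake_failure(40)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_sslv3(sys.argv[1]))
    else:
        for name, sample in [("sslv3 ServerHello", SAMPLE_SSLV3_SERVER_HELLO),
                             ("tls1.0 ServerHello", SAMPLE_TLS10_SERVER_HELLO),
                             ("alert", SAMPLE_HANDSHAKE_FAILURE)]:
            print(name, "->", classify_response(sample))
```

Run it with a hostname argument to probe a live server, or with no argument to exercise the classifier against the constructed samples. The probe only tells you whether SSLv3 is switched on; a server that keeps SSLv3 but supports TLS_FALLBACK_SCSV blunts the downgrade without turning the protocol off, and this check will still report it as accepting SSLv3.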

 

Surviving the Latest WordPress Brute Force Attack

If you have a WordPress blog, you need to install this plug-in immediately:

http://wordpress.org/extend/plugins/limit-login-attempts/

There is currently a major attack being waged by botnets against web servers running WordPress. The bots brute-force their way past your password screen by making thousands of guesses until one works. WordPress itself does not limit the number of incorrect password attempts, so until it does you need a plug-in that provides the limiting. Since the attack guesses passwords for the default username “admin”, also rename or remove any account with that name and make sure the real administrator account has a long, unique password.

There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.

One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.

Source: http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
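As an added example (not the plug-in’s code and not CloudFlare’s), here is a small Python check of the kind a site owner can run over the web server’s access log to see whether this attack is hitting their install. It assumes the common combined log format; the log lines are constructed for the demonstration. A failed WordPress login re-renders wp-login.php with a 200, while a successful one redirects with a 302, which is what the success check relies on. It also separates the per-IP bursts that a plug-in like Limit Login Attempts will block from the low-and-slow pattern where each botnet member makes only a couple of guesses, which a per-IP limit alone never triggers on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path.split("?", 1)[0],
        "status": int(status),
    }


def analyze_wp_login(lines, per_ip_threshold=5, window_seconds=300):
    """Summarise POST traffic to wp-login.php.

    WordPress answers a failed login by re-rendering wp-login.php (HTTP 200) and a
    successful one with a redirect (HTTP 302), so non-302 POSTs count as failures.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    successes = set()              # ips that got a 302 from wp-login.php
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] == 302:
            successes.add(rec["ip"])
        else:
            failures[rec["ip"]].append(rec["time"])

    # Per-IP burst: `per_ip_threshold` failures inside `window_seconds`; this is the
    # pattern a per-IP limiter such as Limit Login Attempts locks out.
    flagged = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - per_ip_threshold + 1):
            if (times[i + per_ip_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break

    # Low-and-slow: IPs with failures but never enough to trip the per-IP limit.
    # Many of these at once is the botnet signature; only the aggregate shows it.
    low_and_slow = sorted(ip for ip in failures if ip not in flagged)

    return {
        "flagged_ips": sorted(flagged),
        "low_and_slow_ips": low_and_slow,
        "distinct_attacking_ips": len(failures),
        "total_failures": sum(len(t) for t in failures.values()),
        # a success from an IP that had already failed repeatedly is worth a look
        "success_after_failures": sorted(ip for ip in successes if len(failures.get(ip, [])) >= 3),
    }


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:29 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:02:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, value in analyze_wp_login(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

In the sample, one address hammers the login and then gets a 302, which the plug-in would have stopped after a handful of tries; the four addresses with two failures each never cross the threshold, and only the count of distinct attacking IPs reveals them. When you see that second pattern, the per-IP plug-in is necessary but not sufficient, and you want a strong password on every account regardless.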

Is your smartphone vulnerable to the Tel URL attack?

A tech named Dylan Reeve has put up a test site that checks whether your phone is vulnerable:

http://dylanreeve.com/phone.php

If your phone is vulnerable to the recently disclosed tel: URL attack then this website will cause your phone to open the dialler and display the IMEI code. With other USSD codes it could do any number of other things, including wipe all phone data.

You can find some more information and a simple workaround here: http://dylanreeve.posterous.com/remote-ussd-attack

What does it all mean?!
If visiting this page automatically causes your phone’s dialler application to pop up with *#06# displayed then you are not vulnerable. If, however, the dialler pops up and then you immediately see your phone IMEI number (a 14- or 16-digit number) then you are potentially vulnerable to attack.

A commenter on the site wrote an app that solves the problem without changing dialers. His free, open-source app intercepts these tel: URLs before the dialer ever sees them:

https://play.google.com/store/apps/details?id=net.thauvin.erik.android.noussd
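As an added example (not Dylan Reeve’s test page and not the NoUSSD app’s own code), here is how such an interceptor decides, in Python, whether a tel: URI is a harmless phone number or a dialer code that should be held back. The detail that matters is encoding: in a URI the ‘#’ of a code like *#06# has to be sent as %23, and a page trying to slip past a naive filter can encode it twice, so the check decodes repeatedly (with a bound) before matching. The MMI-code pattern and the sample URIs are simplifications constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# USSD/MMI codes start with * or # and end with #, e.g. *#06# (show IMEI).
# Simplified pattern: real dialer grammars are more permissive.
USSD_RE = re.compile(r"^[*#][*#0-9]*#$")
# Visual separators a tel: URI may carry (RFC 3966) that do not change the number.
SEPARATORS = re.compile(r"[-.() ]")


def decode_tel_target(uri, max_rounds=3):
    """Return the dial string from a tel: URI, or None if it is not a tel: URI.

    Percent-decoding is repeated (bounded) because '#' is normally sent as %23,
    and a hostile page may double-encode it (%2523) to slip past a one-pass filter.
    """
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    target = rest.split(";", 1)[0]      # drop tel: parameters such as ;phone-context=
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return SEPARATORS.sub("", target)


def classify_tel_uri(uri):
    """'ussd' for a dialer/MMI code, 'number' for an ordinary phone number, 'not_tel' otherwise."""
    target = decode_tel_target(uri)
    if target is None:
        return "not_tel"
    return "ussd" if USSD_RE.match(target) else "number"


def filter_tel_uris(uris):
    """Split a batch of URIs the way an interceptor would: pass numbers on, hold back codes."""
    allowed, blocked = [], []
    for u in uris:
        (blocked if classify_tel_uri(u) == "ussd" else allowed).append(u)
    return allowed, blocked


# Constructed sample URIs (not taken from any real attack page).
SAMPLE_URIS = [
    "tel:+1-555-0100",                              # ordinary number: let through
    "tel:*%2306%23",                                # *#06# encoded once: shows the IMEI
    "tel:*#06#",                                    # same code written literally
    "tel:*%252306%2523",                            # *#06# double-encoded
    "TEL:%2A%2306%23;phone-context=example.com",    # upper-case scheme plus a parameter
    "http://example.com/phone.php",                 # not a tel: URI at all
]

if __name__ == "__main__":
    allowed, blocked = filter_tel_uris(SAMPLE_URIS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

On a phone the equivalent is to register the app for the tel: scheme so the browser hands it the URI first, pass plain numbers on to the stock dialer, and show a confirmation for anything matching the code pattern instead of dialing it silently.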


Yahoo – asking the wrong questions about its future

From an article on the new CEO of Yahoo, Marissa Mayer:

Ms. Mayer may have the hardest time taking Yahoo into the mobile advertising arena, a market dominated by her former employer. Unlike Yahoo, Google and Apple dominate the mobile advertising space with hardware and software options.

And that’s where it runs headlong into its identity problem. “Yahoo is still mainly a media company. It doesn’t have an operating system. It doesn’t have the devices,” Mr. Hallerman, of eMarketer, said. “I don’t know if there’s room in the market for a fourth mobile platform.”

Asked whether she plans to run Yahoo as a media company or a technology company, Ms. Mayer said, “It’s not the right question. The most important thing is to give end users something valuable, inspiring and delightful that makes them want to come to Yahoo every day.”

Marissa Mayer is just 37 years old and shows uncommon wisdom next to the tech analysts and elite. Best of success to her!

Instead of closing the achievement gap, computers are widening the time-wasting gap

Modern digital time wasting has been studied extensively this past year, and the results are in: the “digital divide” between haves and have-nots has largely closed, but people are using their new tools to waste more time.

“Despite the educational potential of computers, the reality is that their use for education or meaningful content creation is minuscule compared to their use for pure entertainment,” said Vicky Rideout, author of the decade-long Kaiser study. “Instead of closing the achievement gap, they’re widening the time-wasting gap.”

From the same article, on Danah Boyd, a researcher of digital culture:

“Access is not a panacea.” said Danah Boyd, a senior researcher at Microsoft. “Not only does it not solve problems, it mirrors and magnifies existing problems we’ve been ignoring.”

Like other researchers and policy makers, Ms. Boyd said the initial push to close the digital divide did not anticipate how computers would be used for entertainment.

“We failed to account for this ahead of the curve,” she said.

A study published in 2010 by the Kaiser Family Foundation found that children and teenagers whose parents do not have a college degree spent 90 minutes more per day exposed to media than children from higher socioeconomic families. In 1999, the difference was just 16 minutes.

Article source:  http://nyti.ms/KX7Jn2

 

Good News! AT&T withdraws its $39 billion bid to acquire T-Mobile

Analyst Tero Kuittinen said that T-Mobile “must now explore more creative opportunities — for instance, seeking partnerships with media giants like Amazon, Facebook or Google. T-Mobile’s spectrum, not its customer base, is its most valuable asset.”

A commenter on a forum noted:

As a long-time T-Mobile customer, I can only say I am relieved to read that this is over, at least for now. The mere thought that one of the highest-priced carriers, with the lowest customer service rating, would be taking over the one carrier with the lowest rates and best customer service made me shudder.

Too true!

T-Mobile is not “damaged”, as AT&T claims. Besides the company being four billion dollars richer from the breakup fee, many T-Mobile customers were opposed to this deal and are relieved that the company can once again focus on its customers.

Steve Jobs Life and Death

“Your time is limited, so don’t waste it living someone else’s life,” Jobs said. “Don’t be trapped by dogma — which is living with the results of other people’s thinking. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary.”

Steve Jobs passed away today at 56 years old.

Firefox 7 brings speed and UI annoyances

1.

For power users who need the address bar to show the “http://” in a web address, here is how to revert to the original behavior:

  1. Open a new window and type about:config into the address/URL bar
  2. Paste in this quick filter-field search: browser.urlbar.trimURLs
  3. Double click on the browser.urlbar.trimURLs field to change its value from true to false
  4. Close the window (or tab) and your URL protocols will be unhidden

Why would you want to do this? If you copy/paste web addresses routinely, say to clients via email, you don’t want to be manually adding the protocol back to every email you send or document you create just so the URL is clickable. There is a small security benefit as well: Firefox only trims “http://” and never “https://”, so with trimming off, an unencrypted page and an encrypted one look visibly different in the address bar.

2.

Firefox 6 introduced a new “domain highlighting” feature, where the address bar grays out the protocol (http:// or https://) and the path in the URL, leaving just the domain in black. The thinking was that it would help inexperienced users catch phishing websites, whose real domain is often buried inside a long, plausible-looking address.

It is annoying to me, though. It makes the true path harder to see, and since I work with URLs on a regular basis, copy/pasting them to clients in emails and documents, I wanted to turn it off. Bear in mind that you are giving up the one visual cue that draws the eye to the real domain, so only do this if you already read the whole address before trusting a page. Here’s how:

  1. Open a new window or tab, and type about:config into the location bar
  2. Search for browser.urlbar.formatting.enabled in the filter field; you can copy/paste it from here
  3. Double click on the browser.urlbar.formatting.enabled field to toggle the value to false
  4. Close the window (or tab) and the full URL, protocol and path included, will be shown in one color again

That’s all there is to it! Now you can revert to a better way. :-)
