If you don’t follow the tech Twitter-verse as obsessively as we do, you may not be aware that a major data breach at Cloudflare has put user passwords, messages and other information at risk all over the internet.
Cloudflare provides web security and performance services for companies like Uber and OkCupid, among many, many others. A significant chunk of web traffic flows through Cloudflare, and the data breach now known as Cloudbleed dates back to last September, according to New York magazine’s Select All blog—though Cloudflare didn’t disclose it publicly until Thursday.
While all the typical security advice applies in this situation—it’s probably a good idea to update your passwords, and enable two-factor authentication on your accounts when possible—what strikes us about the Cloudbleed debacle is how so much havoc was wreaked based on what Gizmodo describes as a simple, one-character coding error.
Apparently, the company’s switch to a new HTML parser led to what’s known as a buffer overrun vulnerability. Instead of staying confined to its temporary buffer, user data from some sites ended up in memory where it did not belong, from which it could be returned, under certain circumstances, in the response to an HTTP request, including requests made by search engine crawlers.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” wrote Tavis Ormandy, the Google security expert who discovered the breach, in a bug report. …
With Java SE reportedly installed on 850 million PCs, the “Java Update Available” popup has become a well-known nuisance. But keeping software up to date is supposed to help protect us. According to the FTC, Java updates might be an exception to that rule.
The key issue is that Java updates have not always removed older versions of Java when installing the newer patch, which leaves the vulnerable versions still accessible on your PC. Oracle has just settled charges brought by the FTC that it knowingly left users’ PCs vulnerable; under the settlement, Oracle will warn users that keeping older versions is insecure and will provide tools to help remove old versions from affected PCs.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.” — FTC Press Release
To make matters worse, the FTC claims that Oracle has known about this issue for some time and has been intentionally deceiving customers.
…
In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process.
Microsoft has released a public preview for their new Azure Active Directory Domain Services feature in Azure Active Directory. This feature allows you to establish virtual network domains in Azure.
Azure AD Domain Services is an entirely new concept. It’s a cloud-based service which gives you a fully Windows Server Active Directory compatible set of APIs and protocols, delivered as a managed Azure service. This means as part of Azure AD you can now turn on support for all the critical directory capabilities your application and server VMs need, including Kerberos, NTLM, Group Policy and LDAP. — Active Directory Blog
This service is targeted at providing standard domain services for Azure-hosted VMs and applications, not desktops. The service includes domain join and Group Policy features and works with on-premises AD via Azure AD Connect. Using Azure AD Domain Services will let users of legacy applications sign in with the same credentials they use for other cloud-based services such as Office 365.
The upcoming SQL Server 2016 release promises many new features including a “Stretch” feature which allows you to automatically archive older data to the cloud, enhanced in-memory OLTP functionality, and several new enhancements in security. One of the most interesting new security features is Always On Encryption. Here are 6 things you should know about this feature.
With recent revelations from the RSA Security Conference highlighting gaping security holes in iOS 8, as well as pointing out that many Android apps don’t perform proper SSL validation, one has to wonder whether mobile data is safe anywhere.
Amit Yoran, President of RSA, kicked off the company’s annual conference with a scathing commentary on the current state of security in the software industry, calling our current mindset “Living in the Dark Ages”.
We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence. We must cast off the past and enter an Age of Enlightenment by pursuing greater visibility into and understanding of our digital world. — RSA Conference Keynote
According to the Computer Emergency Response Team, 22,000 apps on Google’s Play Store, including Kaspersky and Webroot, don’t validate the authenticity of the certificates they use to secure communications with their back-end servers. This means that millions of users are vulnerable to certificate spoofing, or to attackers presenting certificates that have already been revoked by trusted certificate issuers. To make matters worse, SSL certificate validation is turned ON by default by Google and has to be deliberately turned off by developers. …
No, this isn’t a cleverly disguised double entendre, we really mean it. Keep your software off our hardware! The recent reports of Lenovo preloading the Superfish adware onto its laptops are only one of several recent indications that hardware suppliers may not have our best interests at heart.
Earlier this week it was announced that Lenovo had infected its own computers with an adware product called Superfish. This software injects itself into search results provided by other providers like Google and Bing to provide additional revenue opportunities to Superfish advertisers. Lenovo claims “The intent was to supplement the shopping experience,” but it was really to supplement income through ad sales. This gross invasion of our privacy was made worse by the fact that the adware interfered with SSL encryption, making everything else the user did in the browser, ANY browser, insecure. Hackers could pick off bank account numbers, SSNs, or anything else sent from infected PCs directly off the wire.
But Lenovo’s sleazy back-door attempt to sell us products we don’t want was only the most recent invasion of our hardware. Security experts at Kaspersky also recently announced that the NSA has the ability to infect hard drive firmware to implant spyware directly onto our systems for surveillance purposes. …
Get ready to put your best foot forward with these geek tips for starting the new year right.
As 2014 draws to a close, we begin to look ahead to what lies in store for the next year. While most New Year’s resolutions seldom see February 1st, these tech tips can be implemented so fast you won’t have time to lose your initiative.
The past several months have certainly shown the havoc that can be wrought by unscrupulous jerks with access to other people’s data. Taking the time to reset your passwords is a great start, but you should also be thinking about how you’re going to manage your security credentials for the new year. Here are some things to consider. …
Security firm TrendMicro has released a new report that states that 75% of users are vulnerable to multiple attacks.
In their latest Quarterly Security Roundup, TrendLabs calls out several key vulnerabilities in recent Android OS releases, including the FakeID issue and Android Browser flaws. The FakeID vulnerability was originally discovered earlier this year by BlueBox Labs and allows malicious apps to impersonate legitimate applications that are trusted by the OS.
…
This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps; this lets it take control of the entire app and all of the app’s data, and do anything the app is allowed to do. Android 4.4 is vulnerable to Fake ID, but not specifically to the Adobe System webview plugin, due to a change in the webview component (the switch from WebKit to Chromium moved away from the vulnerable Adobe-centric plugin code).