that has plagued OpenSSL, the open-source
encryption protocol, has system administrators scrambling to patch the
back-end systems supporting many popular online services. Administrators
also are revoking keys associated with the digital certificates that
validate the authenticity of a website or service, according to Finnish
security testing firm Codenomicon, which has set up a thorough website
addressing the issue. This can be found here:
http://heartbleed.com/
Users of online services need to take action as well, say security experts,
as hundreds of thousands of servers, including those that support Google,
Yahoo and Dropbox, may have been impacted. Many of those services are urging
users to change their passwords. Here are 10 of those services.
*2. Google Services, Gmail
Google issued a statement on its official Security Blog
outlining its progress in patching the vulnerability. The
firm has said it isn’t requiring users to change their passwords, but it is
gently prodding users to make a change as a matter of good practice.
Impacted services include Search, Gmail, YouTube, Wallet, Play, Apps and App
Engine. Google Chrome and Chrome OS are not affected, the company said.
Businesses that use the Google Search Appliance, Cloud SQL or the Google
Compute Engine also are impacted and must update their back-end systems to
the latest OpenSSL iteration.
*3. Android Smartphones
Google said the latest Android hardware that supports Android version 4.4
KitKat is immune to the vulnerability. However, users of Android 4.1.1
Jellybean are impacted, Google said. The company has distributed patching
instructions to Android partners, so users should keep an eye out for a
firmware update from their carrier.
*4. Tumblr Bloggers
Tumblr content management system users were impacted by Heartbleed. Tumblr
issued a warning to users, urging
them to change their user account credentials. The company said users should
change the password “everywhere” it is used, especially for “high-security
services like email, file storage, and banking, which may have been
compromised by this bug.”
*5. Facebook
A Facebook spokesperson told ABC News that the company addressed the issue
before The OpenSSL Project publicly disclosed the flaw. The popular social
network, which closely monitors its user accounts for anomalous activity
that could signal a problem, said it hasn’t detected any spikes in attacks
or hijacked accounts. The firm is still advising users to use a unique
password and follow good practices by updating to a new password.
*6. Yahoo Mail
Search engine giant Yahoo said it updated its services, which include
Tumblr. Yahoo is not urging users to change their passwords, but security
experts told CRN that a password change is necessary to greatly reduce the
risk of an account hijacking. Yahoo Mail has had previous account security
issues, being targeted in a coordinated attack campaign
by cybercriminals who gained access to user names and
passwords from a third-party database, the company said in January. It
didn’t acknowledge how many users were impacted.
*7. Amazon Web Services
Amazon Web Services issued a services update indicating that Heartbleed
affected all of its load-balancers and urged users to terminate their secure
services and rotate their SSL certificates. Amazon EC2 users need to take
action to patch the flaw themselves if they are using Linux images, the
company said. EC2 users also need to rotate any secrets or keys. Amazon
CloudFront content delivery service users also were impacted by the bug and
should rotate their SSL certificates.
*8. Intuit TurboTax Users
People who filed their taxes using the TurboTax preparation service are
being urged by security experts to change their passwords. The company
issued a press release indicating that it patched its back-end systems,
which were affected by the Heartbleed bug. “Taxpayers can be confident that
TurboTax websites are secure and their personal and financial information
are safe. They can file their return today with confidence,” said “Nat”
Rajesh Natarajan, the company’s chief technology officer and vice president
of product development and product management, in a statement.
*9. Dropbox
Dropbox did not issue a statement, but told users through its Twitter
account that it patched its user-facing services to repair the OpenSSL bug.
A simple password change after a service has been affected bolsters
security and is standard good practice, say security experts.
*10. LastPass
The back-end servers supporting the LastPass password management service
were impacted by the vulnerability, but the company said the encryption key
that enables users to gain access to their password database is stored
locally, meaning that the master password is not on its servers. Sensitive
data is never transmitted over SSL unencrypted because it is already
encrypted locally, the firm said.
“Because other websites may not be encrypting data the way LastPass does, we
recommend that LastPass users generate new passwords for their most critical
sites (such as email, banking, and social networks),” the company said in an
extensive blog post on the Heartbleed threat, found at the link below:
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
+++++++++++++++
A Dan Thompson contribution
Protect yourself from Flash attacks in Internet Explorer | ZDNet
Source Link to article:
http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921/
Recently a friend asked why they were getting warnings about flash attacks.
A suggestion was given to stop the reminders and flash attacks altogether by
getting rid of IE.
I am running IE 11.
After searching Google for awhile, I found the document below and carried
out the steps provided for mouse users to a certain extent while using my
screenreader. I used JAWS, WE, NVDA and System Access while completing
these steps.
However, after reaching the point of disabling the shock wave, I could not get
any of my screenreaders to reach the list of several add-ons. The list did
show shock wave if the option of “all add-ons” was chosen under the “filter”
list as I explain below. So after this point I had to have a visual friend
disable the shock wave add-on.
However, I must add that I haven’t had any problems with flash player. But
I was carrying out these steps to check out a solution for my friend.
So first are the mouse directions that work and secondly the screenreader
directions up to the point I mentioned.
My theory is if it is not broken, don’t mess with it. However, in this
situation I am experimenting for the benefit of all.
If anyone has a screenreader workaround, please share. I am going to
suggest making sure this individual has IE 11 or higher. If all that
doesn’t work, try the directions below.
Sorry for sending out this sort of half-finished set of keyboard directions.
But maybe someone else has had this issue.
The first set of directions is for mouse users. The second set of directions
is marked with an asterisk and a roman numeral.
*I. Mouse Users:
Microsoft has chosen to delay shipping a critical update for the Flash
Player code in Internet Explorer 10 until the General Availability of
Windows 8. Those security fixes, which were delivered to users of all other
modern browsers on August 21, 2012, are not available to Windows 8 users who
use Internet Explorer 10.
That means, if you are using Windows 8 in either a production environment or
for evaluation purposes, you face an unacceptably high risk of being
targeted by in-the-wild exploits aimed at those Flash vulnerabilities.
So what can you do? The obvious alternatives are to stop using Internet
Explorer 10 until that update is released, or to stop using Windows 8
altogether. If you choose to use an alternative browser, it is recommended
that you disable the Shockwave Flash add-on in IE completely. (Other
Windows-based browsers use the Flash plug-in, which is up to date. And the
ActiveX-based Flash code in earlier versions of Windows, including IE9 in
Windows 7, was updated in timely fashion.)
To disable Flash completely, click the gear icon in the upper right corner
of the IE 10 window and then click Manage add-ons from the menu:
That opens the Manage Add-ons dialog box. If you need a visual
representation, visit the link above to see these operations on screen.
Next, select the Shockwave Flash Object add-on and note that it is identified
as a Microsoft Windows 3rd party Component. Also note the file date, which
is a month before the relevant security fixes were available:
Click Disable, and then click Close. You are now safe from any exploits that
rely on vulnerabilities in Flash. Any Flash-based code, legitimate or
otherwise, will not run in Internet Explorer 10 when this add-on is
disabled.
But what if you prefer to use Internet Explorer, or if your evaluation
requires you to test IE using real-world web sites? In that case, you can
take advantage of an extremely effective security tool that’s built into
Internet Explorer versions 9 and 10.
The feature, called ActiveX Filtering, blocks all ActiveX controls on all
domains in Internet Explorer. Because the built-in Flash Player in IE 10 is
implemented as an ActiveX control, this feature disables it completely while
still allowing you to decide, on a case-by-case basis, when you want to
allow a trusted site to display Flash-based content.
To turn on ActiveX Filtering, click the gear icon, click Safety, and then
click ActiveX Filtering. The check mark to the left of this setting means it
is enabled.
When ActiveX Filtering is enabled, you’ll see a blue icon in the Internet
Explorer address bar when you visit any site that uses the ActiveX-based
Flash control:
For sites that use Flash to deliver ads or other non-essential content, you
can go about your business securely. If you encounter a site that uses Flash
to do something meaningful and you trust that site, click the blue icon to
display this box.
Click Turn off ActiveX Filtering to allow Flash to work on the current
domain. Note that this setting applies to the entire domain and is
persistent. If you turn off ActiveX Filtering for example.com, you’ll be
able to use Flash-based content on all pages on that domain, in the current
session and in future sessions. For sites you don’t anticipate visiting
again, you can click the blue icon in the address bar again to re-enable
ActiveX Filtering for that domain.
(Of course, ActiveX Filtering blocks all ActiveX controls, not just Flash.
That’s a benefit, for the most part, but it might be an issue if you use a
corporate server that has proprietary ActiveX controls, or if you use Office
365 or other web services that use Office ActiveX controls.)
If you’re comfortable exploring the registry, you can inspect (and edit) the
list of sites that are subject to ActiveX Filtering. Open Registry Editor
(Regedit.exe) and look in
HKCU\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions.
This doesn’t have to be a short-term workaround. Given the steady stream of
security issues associated with Flash, it might be a prudent strategy for
everyday browsing, even after Microsoft finally gets its Flash-patching
issues sorted out.
*II. Screenreader Users:
I am using Windows 7 for this example. It should also work in Windows XP.
1. Open Internet Explorer.
2. Press alt plus the letter t to reach “tools.”
3. Press the letter o for “options.”
4. Press control plus tab until reaching “programs.”
5. Press alt plus the letter m to open “manage add-ons.”
If you prefer to tab to the same button, tab once to “manage add-ons” and
press the space bar.
6. You are placed into a list of five radio buttons:
a. tool bars and connections
b. search providers
c. accelerators
d. tracking protection
e. spelling correct
7. Leave the first one “tool bars and extensions” selected.
8. Tab once to the filter list.
9. The cursor is placed on “currently add-ons.” In order to make all
add-ons show up visually, press the letter a to select “all add-ons.”
10. Now is where I cannot access the next panel to the right that
contains the shock wave add-on mentioned.
I thought if one left the “current add-ons” selected, the shock wave would
be disabled. However, my visual helper said it does not disable it. One
must click on disable with the mouse. This is frustrating when one can
almost get there but can’t make the final leap, so to speak.
Anyway, that is where I am stopped. But if you have visual help and are
having this issue, rely on the mouse directions above and maybe we may get
keyboard access guidance from someone.
The source link with a visual representation of everything is also above.
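As an added example (not from the ZDNet article or this newsletter), here is a PowerShell audit of the per-domain ActiveX Filtering exemptions stored under the ActiveXFilterExceptions registry key named in the mouse directions above. It assumes each exempted domain is stored as a value name or a subkey name directly beneath that key; the function names are my own.

```powershell
# Added example, not from the ZDNet article or this newsletter: audit the per-domain
# ActiveX Filtering exemptions that IE keeps under the registry key named above.
# Assumed layout: each exempted domain appears as a value name or a subkey name
# directly under that key; confirm against your own machine before relying on it.
$ExceptionsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions'

function Get-ActiveXFilterException {
    # Returns one object per exempted domain; returns nothing when the key is
    # absent, which simply means no site has been exempted yet.
    [CmdletBinding()]
    param([string]$Path = $ExceptionsKey)
    if (-not (Test-Path -Path $Path)) {
        Write-Verbose "No key at $Path; ActiveX Filtering has no per-domain exemptions."
        return
    }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {           # value-per-domain layout
        if ($name) {
            [pscustomobject]@{ Domain = $name; StoredAs = 'Value'; Data = $key.GetValue($name) }
        }
    }
    foreach ($sub in Get-ChildItem -Path $Path) {         # subkey-per-domain layout
        [pscustomobject]@{ Domain = $sub.PSChildName; StoredAs = 'Subkey'; Data = $null }
    }
}

function Remove-ActiveXFilterException {
    # Re-enables ActiveX Filtering for a domain you no longer trust by deleting
    # its exemption. -WhatIf previews the change without touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Path = $ExceptionsKey
    )
    $key = Get-Item -Path $Path -ErrorAction Stop
    if ($key.GetValueNames() -contains $Domain) {
        if ($PSCmdlet.ShouldProcess($Domain, 'Remove ActiveX Filtering exemption (value)')) {
            Remove-ItemProperty -Path $Path -Name $Domain
        }
    } elseif (Test-Path -Path (Join-Path $Path $Domain)) {
        if ($PSCmdlet.ShouldProcess($Domain, 'Remove ActiveX Filtering exemption (subkey)')) {
            Remove-Item -Path (Join-Path $Path $Domain) -Recurse
        }
    } else {
        Write-Warning "No exemption found for $Domain."
    }
}
# Usage: list every domain where ActiveX (and so Flash) is currently allowed.
Get-ActiveXFilterException | Format-Table -AutoSize
```

Run the audit periodically: a domain you exempted once for a single Flash video stays exempt in every future session until you remove it.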
_________________________
From the pages of Donna’s travel diary
Traveling to New Westminster
In 2009 I traveled to New Westminster, a pretty little city in British
Columbia Canada to attend the annual general meeting of the Alliance for
Equality of Blind Canadians. This was the first time that I had been to
this city so I was quite curious to see how things would be. Granted, that
since then things would have probably changed but suffice it to say that it
was a very enjoyable visit.
I was there to give the keynote speech at the AEBC’s AGM and ended up being
elected as second vice president to the National Board of the AEBC.
I stayed at a beautiful little hotel on the lake called the New West Quay.
The room was very comfortable, lots of amenities in my room, and the meeting
rooms were just terrific. The staff was friendly and helpful and the
restaurant at the hotel was more than just nice. In addition, staff at the
restaurant were extremely accommodating to guide dogs.
This AGM was held from May 01 to 03 and the weather out in New Westminster
was extremely pleasant. New Westminster is about 30 minutes drive from the
Vancouver International airport and its size is not too small and not too
large.
I would definitely recommend the New West Quay hotel to anyone thinking of
visiting New Westminster. Folks of New Westminster are very friendly. Lots
of nice restaurants and lots of good food to sample. I really enjoyed my
visit to this lovely little city.
I’m Donna J. Jodhan enjoying my travels.
On your next trip you could enrich your down time with some of my audio
mysteries. Take them with you wherever you go!
In the car, on the plane, on the bus or train, at the beach, anywhere!
Affordable, portable (computer or i device), and you could either purchase
or subscribe for unlimited access to my library at
www.donnajodhan.com/store.html
and you can now take advantage of our free downloads here.