Helpful tips for January 2015

that has plagued OpenSSL, the open-source encryption protocol, has system administrators scrambling to patch the back-end systems supporting many popular online services. Administrators also are revoking keys associated with the digital certificates that validate the authenticity of a website or service, according to Finnish security testing firm Codenomicon, which has set up a thorough website addressing the issue. This can be found here: http://heartbleed.com/

Users of online services need to take action as well, say security experts, as hundreds of thousands of servers, including those that support Google, Yahoo and Dropbox, may have been impacted. Many of those services are urging users to change their passwords. Here are 10 of those services.

*2. Google Services, Gmail

Google issued a statement on its official Security Blog outlining its progress in patching the vulnerability. The firm has said it isn’t requiring users to change their passwords, but it is gently prodding users to make a change as a matter of good practice. Impacted services include Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS are not affected, the company said. Businesses that use the Google Search Appliance, Cloud SQL or the Google Compute Engine also are impacted and must update their back-end systems to the latest OpenSSL iteration.

*3. Android Smartphones

Google said the latest Android hardware that supports Android version 4.4 KitKat is immune to the vulnerability. However, users of Android 4.1.1 Jellybean are impacted, Google said. The company has distributed patching instructions to Android partners, so users should keep an eye out for a firmware update from their carrier.

*4. Tumblr Bloggers

Tumblr content management system users were impacted by Heartbleed. Tumblr issued a warning to users, urging them to change their user account credentials.
The company said users should change the password “everywhere” it is used, especially for “high-security services like email, file storage, and banking, which may have been compromised by this bug.”

*5. Facebook

A Facebook spokesperson told ABC News that the company addressed the issue before the OpenSSL Project publicly disclosed the flaw. The popular social network, which closely monitors its user accounts for anomalous activity that could signal a problem, said it hasn’t detected any spikes in attacks or hijacked accounts. The firm is still advising users to use a unique password and follow good practices by updating to a new password.

*6. Yahoo Mail

Search engine giant Yahoo said it updated its services, which include Tumblr. Yahoo is not urging users to change their passwords, but security experts told CRN that a password change is necessary to greatly reduce the risk of an account hijacking. Yahoo Mail has had previous account security issues, being targeted in a coordinated attack campaign by cybercriminals who gained access to user names and passwords from a third-party database, the company said in January. It didn’t acknowledge how many users were impacted.

*7. Amazon Web Services

Amazon Web Services issued a services update indicating that Heartbleed affected all of its load-balancers and urged users to terminate their secure services and rotate their SSL certificates. Amazon EC2 users need to take action to patch the flaw themselves if they are using Linux images, the company said. EC2 users also need to rotate any secrets or keys. Amazon CloudFront content delivery service users also were impacted by the bug and should rotate their SSL certificates.

*8. Intuit TurboTax Users

People who filed their taxes using the TurboTax preparation service are being urged by security experts to change their passwords. The company issued a press release indicating that it patched its back-end systems, which were affected by the Heartbleed bug.
“Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. They can file their return today with confidence,” said “Nat” Rajesh Natarajan, the company’s chief technology officer and vice president of product development product management, in a statement.

*9. Dropbox

Dropbox did not issue a statement, but told users through its Twitter account that it patched its user-facing services to repair the OpenSSL bug. A simple password change as a result of the affected service will bolster security and is a standard, good practice, say security experts.

*10. LastPass

The back-end servers supporting the LastPass password management service were impacted by the vulnerability, but the company said the encryption key that enables users to gain access to their password database is stored locally, meaning that the master password is not on its servers. Sensitive data is never transmitted over SSL unencrypted because it is already encrypted locally, the firm said. “Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks),” the company said in an extensive blog post on the Heartbleed threat. Found at the link below.

http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

+++++++++++++++

A Dan Thompson contribution

Protect yourself from Flash attacks in Internet Explorer | ZDNet

Source Link to article: http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921/

Recently a friend asked why they were getting warnings about flash attacks. A suggestion was given to stop the reminders and flash attacks altogether by getting rid of IE. I am running IE 11. After searching Google for a while, I found the document below and carried out the steps provided for mouse users to a certain extent while using my screenreader.
I used JAWS, WE, NVDA and System Access while completing these steps. However, after reaching a point of disabling the shock wave, I could not get any of my screenreaders to reach the list of several add-ons. The list did show shock wave if the option of “all add-ons” was chosen under the “filter” list as I explain below. So after this point I had to have a visual friend disable the shock wave add-on. However, I must add that I haven’t had any problems with flash player. But I was carrying out these steps to check out a solution for my friend. So first are the mouse directions that work and secondly the screenreader directions up to the point I mentioned.

My theory is if it is not broken, don’t mess with it. However, in this situation I am experimenting for the benefit of all. If anyone has a screenreader work around, please share. I am going to suggest to make sure this individual has IE 11 or higher. If all that doesn’t work to try the directions below. Sorry for sending out this sort of half finished set of keyboard directions. But maybe someone else has had this issue. The first set of directions is for mouse users. Secondly directions are marked with an asterisk and a roman numeral.

*I. Mouse Users:

Microsoft has chosen to delay shipping a critical update for the Flash Player code in Internet Explorer 10 until the General Availability of Windows 8. Those security fixes, which were delivered to users of all other modern browsers on August 21, 2012 are not available to Windows 8 users who use Internet Explorer 10. That means, if you are using Windows 8 in either a production environment or for evaluation purposes, you face an unacceptably high risk of being targeted by in-the-wild exploits aimed at those Flash vulnerabilities.

So what can you do? The obvious alternatives are to stop using Internet Explorer 10 until that update is released, or to stop using Windows 8 altogether.
If you choose to use an alternative browser, it is recommended that you disable the Shockwave Flash add-on in IE completely. (Other Windows-based browsers use the Flash plug-in, which is up to date. And the ActiveX-based Flash code in earlier versions of Windows, including IE9 in Windows 7, was updated in timely fashion.)

To disable Flash completely, click the gear icon in the upper right corner of the IE 10 window and then click Manage add-ons from the menu. That opens the Manage Add-ons dialog box. If you need a visual representation, visit the link above to see these operations on screen.

Next, select the Shockwave Flash Object add-on and note that it is identified as a Microsoft Windows 3rd party Component. Also note the file date, which is a month before the relevant security fixes were available. Click Disable, and then click Close.

You are now safe from any exploits that rely on vulnerabilities in Flash. Any Flash-based code, legitimate or otherwise, will not run in Internet Explorer 10 when this add-on is disabled.

But what if you prefer to use Internet Explorer, or if your evaluation requires you to test IE using real-world web sites? In that case, you can take advantage of an extremely effective security tool that’s built into Internet Explorer versions 9 and 10. The feature, called ActiveX Filtering, blocks all ActiveX controls on all domains in Internet Explorer. Because the built-in Flash Player in IE 10 is implemented as an ActiveX control, this feature disables it completely while still allowing you to decide, on a case-by-case basis, when you want to allow a trusted site to display Flash-based content.

To turn on ActiveX Filtering, click the gear icon, click Safety, and then click ActiveX Filtering. The check mark to the left of this setting means it is enabled.
When ActiveX Filtering is enabled, you’ll see a blue icon in the Internet Explorer address bar when you visit any site that uses the ActiveX-based Flash control. For sites that use Flash to deliver ads or other non-essential content, you can go about your business securely. If you encounter a site that uses Flash to do something meaningful and you trust that site, click the blue icon to display this box. Click Turn off ActiveX Filtering to allow Flash to work on the current domain.

Note that this setting applies to the entire domain and is persistent. If you turn off ActiveX Filtering for example.com, you’ll be able to use Flash-based content on all pages on that domain, in the current session and in future sessions. For sites you don’t anticipate visiting again, you can click the blue icon in the address bar again to re-enable ActiveX Filtering for that domain.

(Of course, ActiveX Filtering blocks all ActiveX controls, not just Flash. That’s a benefit, for the most part, but it might be an issue if you use a corporate server that has proprietary ActiveX controls, or if you use Office 365 or other web services that use Office ActiveX controls.)

If you’re comfortable exploring the registry, you can inspect (and edit) the list of sites that are subject to ActiveX Filtering. Open Registry Editor (Regedit.exe) and look in HKCU\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions.

This doesn’t have to be a short-term workaround. Given the steady stream of security issues associated with Flash, it might be a prudent strategy for everyday browsing, even after Microsoft finally gets its Flash-patching issues sorted out.

*II. Screenreader Users:

I am using Windows Seven for this example. It should also work in Windows-XP.

1. Open Internet Explorer.
2. Press alt plus the letter t to reach “tools.”
3. Press the letter o for “options.”
4. Press control plus tab until reaching “programs.”
5. Press alt plus the letter m to open “manage add-ons.” If you prefer to tab to the same button, tab once to “manage add-ons” and press the space bar.
6. You are placed into a list of five radio buttons:
a. tool bars and connections
b. search providers
c. accelerators
d. tracking protection
e. spelling correct
7. Leave the first one “tool bars and extensions” selected.
8. Tab once to the filter list.
9. The cursor is placed on “currently add-ons.” In order to make all add-ons show up visually, press the letter a to select “all add-ons.”
10. Now is where I cannot access the next panel to the right that contains the shock wave add-on mentioned. I thought if one left the “current add-ons” selected, the shock wave would be disabled. However, my visual helper said it does not disable it. One must click on disable with the mouse. This is frustrating when one can almost get there but can’t make the final leap so to speak. Anyway that is where I am stopped. But if you have visual help and are having this issue, rely on the mouse directions above and maybe we may get keyboard access guidance from someone. The source link with visual representation of everything is also above.

_________________________

From the pages of Donna’s travel diary

Traveling to New Westminster

In 2009 I traveled to New Westminster, a pretty little city in British Columbia, Canada to attend the annual general meeting of the Alliance for Equality of Blind Canadians. This was the first time that I had been to this city so I was quite curious to see how things would be. Granted, that since then things would have probably changed but suffice it to say that it was a very enjoyable visit.

I was there to give the keynote speech at the AEBC’s AGM and ended up being elected as second vice president to the National Board of the AEBC. I stayed at a beautiful little hotel on the lake called the New West Quay. The room was very comfortable, lots of amenities in my room, and the meeting rooms were just terrific.
The staff was friendly and helpful and the restaurant at the hotel was more than just nice. In addition, staff at the restaurant were extremely accommodating to guide dogs.

This AGM was held from May 01 to 03 and the weather out in New Westminster was extremely pleasant. New Westminster is about 30 minutes drive from the Vancouver International airport and its size is not too small and not too large. I would definitely recommend the New West Quay hotel to anyone thinking of visiting New Westminster. Folks of New Westminster are very friendly. Lots of nice restaurants and lots of good food to sample. I really enjoyed my visit to this lovely little city.

I’m Donna J. Jodhan enjoying my travels.

On your next trip you could enrich your down time with some of my audio mysteries. Take them with you wherever you go! In the car, on the plane, on the bus or train, at the beach, anywhere! Affordable, portable, (computer or i device) and you could either purchase or Subscribe for unlimited access to my library at www.donnajodhan.com/store.html and you can now take advantage of our free downloads here.
