Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.
Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.
The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.
This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.
But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.
Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.
The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.
The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.
There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.
The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.
Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.
“In one of the new features, unfortunately, I missed validating a variable containing a length.”
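The “bounds checking error” described above, as an added example in C that is not OpenSSL’s code: a constructed heartbeat-style record carries a declared payload length, and the unchecked copy sits beside the check the fix adds. The record layout, field sizes and constant names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed record layout (not OpenSSL's): 1-byte type, 2-byte big-endian
 * declared payload length, the payload, then at least 16 bytes of padding. */
enum { HB_HDR = 3, HB_MIN_PAD = 16 };

/* Vulnerable shape of the logic: the declared length is trusted and the
 * response copies that many bytes from the receive buffer. If the peer
 * declares more than it sent, the copy runs past the record into whatever
 * else the process holds in memory. Kept for comparison only; the test
 * never calls it, and it must never see unvalidated input. */
static size_t hb_echo_unchecked(const uint8_t *rec, uint8_t *out) {
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HDR, declared);
    return declared;
}

/* Hardened: compare the declared length with the bytes that actually
 * arrived before copying. Returns bytes echoed, or 0 for a malformed
 * record (a zero-length payload is also not echoed). */
static size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_MIN_PAD) return 0;   /* cannot hold header + padding */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The missing validation: declared length plus padding must fit the record */
    if (declared == 0 || HB_HDR + (size_t)declared + HB_MIN_PAD > rec_len) return 0;
    if (declared > out_cap) return 0;               /* and the response buffer */
    memcpy(out, rec + HB_HDR, declared);
    return declared;
}

/* Constructed records: one well-formed with a 4-byte payload, one whose
 * header claims 0xFFFF bytes while only 23 bytes were actually received. */
static const uint8_t GOOD_REC[HB_HDR + 4 + HB_MIN_PAD] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t BAD_REC[HB_HDR + 4 + HB_MIN_PAD]  = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

/* The well-formed record echoes exactly its 4 payload bytes. */
static int good_record_echoes_payload(void) {
    uint8_t out[64];
    size_t n = hb_echo_checked(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

/* The over-declared record is rejected instead of over-read. */
static size_t bad_record_echo_length(void) {
    uint8_t out[64];
    return hb_echo_checked(BAD_REC, sizeof BAD_REC, out, sizeof out);
}
```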
And about that noobish speculation:
A number of conspiracy theorists have speculated the bug was inserted maliciously.
Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.
“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.
Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)
Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.
And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
The tiny padlock icon that sits next to many web addresses, suggesting protection of users’ most sensitive information — like passwords, stored files, bank details, even Social Security numbers — is broken.
A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.
On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.
Slate magazine reports on a new psychology paper from researchers at the University of Manitoba, which sought to investigate whether people who engage in trolling were characterized by personality traits that fall in the so-called Dark Tetrad:
- Machiavellianism (willingness to manipulate and deceive others),
- narcissism (egotism and self-obsession),
- psychopathy (the lack of remorse and empathy), and
- sadism (pleasure in the suffering of others).
It is hard to underplay the results: The study found correlations, sometimes quite significant, between these traits and trolling behavior. What’s more, it also found a relationship between all Dark Tetrad traits (except for narcissism) and the overall time that an individual spent, per day, commenting on the Internet.
Overall, the authors found that the relationship between sadism and trolling was the strongest, and that indeed, sadists appear to troll because they find it pleasurable. “Both trolls and sadists feel sadistic glee at the distress of others,” they wrote. “Sadists just want to have fun … and the Internet is their playground!”
(So remember: When Charles breaks out the ban hammer, he’s not doing it to stifle discussion or debate — he’s merely showing the door to people who really have no interest in being part of the community.)
From Target’s Press Release:
Target today announced updates on its continuing investigation into the recent data breach and its expected fourth quarter financial performance.
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.
This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The NSA is a topic of discussion on social media tonight because of 60 Minutes, but here’s something I bet you didn’t know about the incredibly intrusive techniques Facebook uses to monitor everything you do on their site (and beyond): Facebook Self-Censorship: What Happens to the Posts You Don’t Publish?
We spend a lot of time thinking about what to post on Facebook. Should you argue that political point your high school friend made? Do your friends really want to see yet another photo of your cat (or baby)? Most of us have, at one time or another, started writing something and then, probably wisely, changed our minds.
Unfortunately, the code that powers Facebook still knows what you typed—even if you decide not to publish it. It turns out that the things you explicitly choose not to share aren’t entirely private.
Facebook calls these unposted thoughts “self-censorship,” and insights into how it collects these nonposts can be found in a recent paper written by two Facebookers. Sauvik Das, a Ph.D. student at Carnegie Mellon and summer software engineer intern at Facebook, and Adam Kramer, a Facebook data scientist, have put online an article presenting their study of the self-censorship behavior collected from 5 million English-speaking Facebook users. It reveals a lot about how Facebook monitors our unshared thoughts and what it thinks about them.
The study examined aborted status updates, posts on other people’s timelines, and comments on others’ posts. To collect the text you type, Facebook sends code to your browser. That code automatically analyzes what you type into any text box and reports metadata back to Facebook.
Yes, Facebook is actually keeping track of the things you don’t post. The stuff you delete because you thought better of it. The stuff you thought was gone forever, bits lost in the ether. The stuff you didn’t want anyone to see.
Facebook sees it, and records it, and analyzes it.
China’s new president, Xi Jinping, is showing signs of favoring even less freedom in China than his recent predecessor. He is distrustful of Western influences on the Chinese population, from all appearances. Universities are now forbidden to discuss “universal values,” like freedom of the press and democracy.
His latest target is the Internet, specifically, China’s version of Twitter, Sina Weibo. Xi, speaking to the Communist Party’s propaganda chiefs, called on them to build “a strong army” to “seize the ground of new media”.
Sina Weibo is more free-wheeling than China’s Web-based blogs and websites, since tweets can become viral in a matter of seconds. Weibo users have used the service to criticize corrupt party officials, reveal hidden facts about disasters (like the 2011 high-speed rail crash in Wenzhou that killed 40 people), and discuss topics that are generally avoided in more traditional media.
The state calls such tweets “rumors,” and wants to squelch “rumor-mongering.”
Celebrities have Weibo followers in the millions, and have become the lightning rods for state censorship.
“The wording of his speech relayed in internal briefings is far stronger,” said a source. “The most impressive [point] is that Xi said the Communist Party should be combative, instead of being passive, and it should wage a war to win over public opinion. Xi also ordered the propaganda apparatus to form a strong internet army to seize the ground of new media,” he said.
The speech laid the ground for recent events that shook the new-media world.
On August 20, Beijing police detained several people connected with Beijing Erma Interactive Marketing and Planning, including internet celebrity Qin Huohuo, on suspicion of rumour-mongering.
On August 23, Chinese-American businessman Charles Xue Biqun, better known to his 12 million Sina Weibo followers as Xue Manzi, was detained on suspicion of soliciting prostitutes.
The New York Times website was offline for several hours today; Fox Business reported that it was due to a cyber attack, but that wasn’t true:
As you may know, our Web site was unavailable for a period of time earlier today. The outage occurred within seconds of a scheduled maintenance update, which we believe was the cause. We are working on fully restoring service and apologize for any inconvenience.
Today CBS News is confirming that reporter Sharyl Attkisson’s computer was hacked, and the entire right wing blogosphere is jumping to the conclusion that our evil President must be behind it, of course.
That investigation has reached the following conclusions, according to CBS News spokeswoman Sonya McNair:
“A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson’s computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson’s accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.
This party also used sophisticated methods to remove all possible indications of unauthorized activity, and alter system times to cause further confusion.
CBS News is taking steps to identify the responsible party and their method of access.”
The Justice Department has issued a categorical denial that they had anything to do with the breach. But whether or not you’re inclined to believe them, it’s far more likely that Attkisson’s computer was compromised by much more prosaic means, the same way millions of other computers have been hacked — by a virus or a worm that gained access via Attkisson’s own insecure practices.