hardov - Slashdot User

Preventative Treatment For Heartbleed On Healthcare.gov 81

Posted by timothy on Saturday April 19, 2014 @09:59PM from the welcome-to-centralized-medicine-dot-gov dept.

As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty 56

Posted by samzenpus on Monday April 14, 2014 @08:48AM from the try-it-again dept.

SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site 151

Posted by samzenpus on Sunday April 13, 2014 @01:56PM from the that-didn't-take-long dept.

Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."

Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed 134

Posted by Soulskill on Sunday April 13, 2014 @08:25AM from the thanks-for-providing-zero-clarity dept.

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

NSA Allegedly Exploited Heartbleed 149

Posted by Soulskill on Friday April 11, 2014 @05:17PM from the according-to-somebody-who-may-or-may-not-be-a-person dept.

A user writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake 447

Posted by samzenpus on Thursday April 10, 2014 @08:28PM from the only-human dept.

nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."

Canada Halts Online Tax Returns In Wake of Heartbleed 50

Posted by timothy on Thursday April 10, 2014 @09:28AM from the worse-than-a-syrup-heist dept.

alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."

House Approves Extending the Warrantless Wiretapping Act 326

Posted by samzenpus on Wednesday September 12, 2012 @07:02PM from the listen-up dept.

wiedzmin writes "The U.S. House of Representatives voted 301-118 today, in favor of extending the FISA Amendments Act until December 31st, 2017, effectively reauthorizing the broad electronic eavesdropping powers that largely legalized the George W. Bush administration's warrantless wiretapping program."

FTC Worries About Consumers, Cloud Data, and Privacy 175

Posted by samzenpus on Wednesday January 06, 2010 @09:24PM from the what-worries-the-worriers dept.

pcause writes "Ars Techina has a nice article about the FTC's concern that consumers don't understand the implications of storing their data in the cloud. From the article: 'Data is now sitting on servers outside of your control, where it can be accessed far more easily by Google itself, hackers, and law enforcement than it ever could if kept within the device. Once data passes over the network, it gets much easier to access in realtime; once it is stored on a remote server, it gets much easier to access at any time. And those are just the phone settings. Google also has access to search history data, anything stored in Google Docs or Spreadsheets, complete schedules stored in Google Calendar, and recent Maps searches. Combine them all, and companies like Google become one-stop shops for authorities looking for personal information.' Do you think the average consumer even has a clue about this issue?"

Comment Re:profiles vs fast user switching (Score 1) 326

by hardov on Tuesday January 13, 2009 @12:34PM (#26434745) Attached to: Google Releases Chrome 2.0 Pre-Beta

We can have the email program have profiles too!

Pretty sure they already exist. They're called 'email addresses'.

Seriously, though, I don't see why these profiles couldn't evolve into something like email addresses, such that users can separate their different activities not only for the sake of convenience but also for privacy reasons.

It also makes sense from Google's perspective in that profiles could potentially help Google collect data on different users/profiles from the same computer. If Google doesn't know who is using the computer (i.e., if you don't log in to your GMail account), then how else will they personalize your Google experience?

The Second Coming of Virtual Worlds 117

Posted by ScuttleMonkey on Tuesday October 28, 2008 @03:28AM from the when-someone-asks-if-you're-a-god-you-say-yes dept.

An anonymous reader writes "Things have been a bit quiet on the virtual world front recently, but according to an article in Silicon.com, things are about to change. Apparently it's only now that virtual worlds are really going to become a force to be reckoned with. 'Now experts predict the virtual world phenomenon is entering a second phase in which businesses will become shrewder about their involvement in such environments and look more carefully at the tangible benefits they can realize. Emerging technology specialist at IBM, Robert Smart, is confident virtual worlds will become more important to businesses in the coming years.'"

Crime Wave Thwarted in Second Life 183

Posted by Zonk on Sunday December 02, 2007 @03:17AM from the watch-what-you-walk-near dept.

Ponca City, We Love You writes "The Mercury News reports that a vulnerability in the way Second Life protects a user's money has been identified. Risks for users are reportedly limited because the researchers say the flaw can be quickly patched. The flaw exploits a known problem with Apple's QuickTime - when a virtual character passes by an infected object planted by hackers, the Second Life software activates QuickTime so it can play the video or picture. Hackers can direct the Second Life software to a malicious Web site that then allows them to 'take over the user's avatar and force it to hand over its Linden cash. Second Life is recommending that users disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.' The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"

Slashdot Top Deals