Heartbleed Bug: Public urged to reset all passwords

 

NOTE: The advice from technology companies, while valid, is mistaken until the bug itself is fixed by systems or detection software can remove it. If you change passwords now and the bug is still active, you will need to do it again once the bug is fixed, since infected systems will continue to harvest your password data until the bug is removed.

The views expressed above are my own. The article text follows:

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.

Security advisers have given similar warnings about the Heartbleed Bug.

It follows news that a product used to safeguard data could be compromised to allow eavesdropping.

OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.


If an organisation employs OpenSSL, users see a padlock icon in their web browser – although this can also be triggered by rival products.

 

Those affected include Canada’s tax collecting agency, which halted online services “to safeguard the integrity of the information we hold”.

Copied keys

Google Security and Codenomicon – a Finnish security company – revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.

 

They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.

 

Password tips

The University of Surrey’s Prof Alan Woodward is among security experts to have suggested internet users should now update their login details.

He suggests the following rules should be observed when picking a new password.

Don’t choose one obviously associated with you

Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet’s name you’re in trouble.

Choose words that don’t appear in a dictionary

Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.

Use a mixture of unusual characters

You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!

Have different passwords for different sites and systems

If hackers compromise one system you do not want them having the key to unlock all your other accounts.

Keep them safely

With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
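An added illustration (not part of the BBC article) of the "precalculate the encrypted forms of whole dictionaries" point: what a site stores is normally a password hash, and an attacker who hashes a wordlist once can reverse every unsalted stored hash by lookup alone. The wordlist and accounts below are constructed; the salted variant at the end is the server-side mitigation that defeats such precomputation, which the article does not cover.

```python
import hashlib
import os

# Constructed toy wordlist standing in for a full dictionary; a real table
# would cover millions of words and their common variants.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "mydoghasbigears"]

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def precompute_table(words):
    """Hash every word once, up front; afterwards each stored hash costs a
    single dictionary lookup, which is the point the article makes."""
    return {sha256_hex(w): w for w in words}

def recover_unsalted(stored, table):
    """stored maps username -> unsalted SHA-256 hex. Returns the passwords
    the precomputed table reveals with no further hashing at all."""
    return {user: table[h] for user, h in stored.items() if h in table}

def hash_salted(password: str, salt: bytes) -> str:
    """Server-side mitigation (added here, not in the article): a random
    per-user salt and a slow KDF, so no table built in advance matches and
    every guess has to be recomputed separately for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()

def recover_salted(stored, table):
    """stored maps username -> (salt, salted hash). The same table finds
    nothing, even for users whose password is in the wordlist."""
    return {user: table[h] for user, (_salt, h) in stored.items() if h in table}

# Constructed sample accounts; carol uses the article's substituted phrase.
UNSALTED_DB = {
    "alice": sha256_hex("dragon"),
    "bob": sha256_hex("sunshine"),
    "carol": sha256_hex("Myd0gha2B1g3ars!"),
}

SALTED_DB = {
    user: (salt, hash_salted(pw, salt))
    for user, pw, salt in [("alice", "dragon", os.urandom(16)),
                           ("bob", "sunshine", os.urandom(16))]
}

if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print(recover_unsalted(UNSALTED_DB, table))  # alice and bob recovered, carol not
    print(recover_salted(SALTED_DB, table))      # nothing recovered
```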

 

It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail – unless the hackers published their haul online.

 

“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested,” said Ari Takanen, Codenomicon’s chief technology officer.

 

“In that sense it’s a good idea to change the passwords on all the updated web portals.”

 

Other security experts have been shocked by the revelation.

 

“Catastrophic is the right word. On the scale of one to 10, this is an 11,” blogged Bruce Schneier.

 

The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.

 

However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.

 

The bug has been called Heartbleed to reflect data leaking from computer servers.

 

“Our team has successfully made the appropriate corrections across the main Yahoo properties – Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr – and we are working to implement the fix across the rest of our sites right now,” said a spokeswoman for the company.

 

New passwords

 

NCC Group – a cybersecurity company that advises many members of the FTSE 250 – described the situation as “grave”.

 

“The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago,” the company’s associate director Ollie Whitehouse told the BBC.

 

“Someone with a moderate level of technical skills running their own scripts – the Raspberry Pi generation – would probably be able to launch attacks successfully and gain sensitive information.

 

“As long as service providers have patched their software it would now be a prudent step for the public to update their passwords.”

 

Several security firms and independent developers have published online tests to help the public discover if the services are still exposed.

 

However, there is no simple way to find out if they were vulnerable before.

 

Organisations that used Microsoft’s Internet Information Services (IIS) web server software would not have been affected.

 

But Codenomicon has noted that more than 66% of the net’s active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.

 

Even so, some of these sites would have also employed a feature called “perfect forward secrecy” that would have limited the number of their communications that could have been hacked.

via BBC News – Heartbleed Bug: Public urged to reset all passwords.

MH370 – Search Chief's Demeanour Says We've Found It…

Retired Air Chief Marshal Angus Houston is a military man, and military men deal in certainties. He won't commit himself to say they have found the plane. Not yet. Not until he sees some wreckage for his own eyes. “How confident are you?” he was asked by an Australian reporter. “50%, 70%, 90%?” He laughed it off. He wouldn’t be drawn. Of course he wouldn’t. He’s a military man. Certainties, certainties, certainties, remember?

There’s no “we think we’ve found it”. In his way of thinking, you’ve either found it or you haven’t.

But they have found it, and he knows it.

You only need to read his demeanour and body posture in the press conferences, and how he has relaxed in recent days.

And he’s absolutely right not to commit himself. Because he wouldn’t just be making a judgement without the full facts, he would be sealing the fate of the 239 people who were on that plane, and he would be telling the families that any remaining hope was now lost.

He will have to do that at some point, in the coming days I suspect, but only when he is ready, only when he is sure.

And that’s right.

I think his media management has been top notch.

He has answered all the many detailed questions the media have asked, and built trust.

But there is one thing that has me wondering…

“We’re being transparent, we’re hiding nothing,” he said as he left the podium at the end of a recent press conference.

Well, I don’t quite believe him. There was something that led them to that spot in the Indian Ocean, some clue, some intelligence, something that meant Ocean Shield heard the first pings on the very day the black box batteries were due to start weakening.

Sure, Inmarsat has been recalculating its data and narrowing down the search area, but that alone can’t be enough.

They have found the plane’s black box, potentially 14,700 ft (4,500m) below the Ocean in the middle of nowhere, and not a single piece of wreckage has been picked up to guide them.

Something told them to look there…

via Search Chief's Demeanour Says We've Found It.

Wind Power Scotland


Wind power near Callendar on recent walk.

Independent newspaper for sale at the right price


The owner of the Independent, Evgeny Lebedev, says the newspaper could be for sale if somebody “offers the right price”.

He qualified that by saying that he was “not actively trying to sell it”.

Mr Lebedev also owns the London Evening Standard and the Independent's sister newspaper, i.

On Monday he launches London Live, a 24-hour television network dedicated to news, entertainment and culture in the capital.

On The Andrew Marr Show Mr Lebedev said he hoped the TV channel would create jobs and be a platform to launch new talent. He has hired what he described as “YouTube sensations” and relative unknowns to present its programming.

Another innovation Mr Lebedev highlighted was the broadcast of live plays.

via BBC News – Independent newspaper for sale at the right price.

 

BMW 2 Series Active Tourer MPV gets sporty with new M Sport trim | Auto Express

BMW M Sport package gives 2 Series Active Tourer aggressive edge, on sale November from around £24,500

These are the first official photos of BMW’s new 2 Series Active Tourer complete with M Sport package.

Updates introduced for the sportiest version of the Active Tourer MPV include 17- or 18-inch alloys, 10mm lower sports suspension and the M Aerodynamics package, which modifies the front air intakes giving the M Sport a more chiselled, streamlined appearance. Exclusive Estoril Blue paint and a high-gloss black finish for the double front kidney grilles are included, too.

Exterior changes are matched inside by the addition of an M-branded leather-wrap steering wheel and specially upholstered sports seats to the already luxurious BMW cabin.

Like the standard Active Tourer, the M Sport uses the same platform taken from the new MINI, stretching the wheelbase to a Mercedes B-Class-rivalling 2,670mm.

As we reported when the 2 Series Active Tourer debuted at Geneva last month, engines are also borrowed from the latest MINI, including a 134bhp turbocharged 1.5-litre three-cylinder petrol engine and a frugal 148bhp 2.0-litre diesel, returning a range-topping 68.9mpg.

The flagship 225i xDrive model, meanwhile, is powered by a 228bhp 2.0-litre turbo.

There’s currently no word from BMW about how much the Active Tourer will cost when it arrives here in November, although an M Sport 1-Series costs £1,685 more than the SE variant, so expect to see prices for the Active Tourer M Sport start at around £24,500.

via BMW 2 Series Active Tourer MPV gets sporty with new M Sport trim | Auto Express.

First drive: the new Audi S1 – BBC Top Gear

  

Hello. Haven't we met before?

Well, there was an Audi S1 before. It stalked the WRC stages in the early 1980s, a Group B car in the era when rally cars really were from planet crazy. This isn't. It's a four-wheel-drive hot hatch. It's an Audi A1, its bonnet stuffed with an uprated version of the Golf GTI's two-litre turbo engine, revised front steering and suspension, and new rear suspension to accommodate the 4WD system.

But what about the A1 Quattro?

My what an Audi obsessive you are. Yes, there was a limited-run A1 Quattro two years ago. They made just 333 of the wonderfully crazy cars in LHD-only. But there were differences from this S1. It used the slightly more powerful old EA113 engine, not the new, torquier, EA888. Since you're an obsessive you'll already know that the EA888 has chain-driven camshafts and variable valve lift.

Of course I did. How does it work in such a small car?

As a means of kicking you down the road in any of the six gears, it's mightily effective. Thank the towering mid-range torque. You've got 273lb ft, and 231bhp at the top end. That's slightly more than even the Golf GTI Performance Pack. The exhaust noise is a bit subdued, but with that muscle bursting out of a supermini you won't be left short of excitement. The good old 0-62 measure comes out at 5.8 seconds. Yet because the tra

via First drive: the new Audi S1 – BBC Top Gear.

New Jaguar saloon to be called XE | Auto Express


via New Jaguar saloon to be called XE | Auto Express.