Doug Vitale Tech Blog

Latest IT news and commentary

Heartbleed Bug Patch Underway, But Was It Really the Problem?

IEEE Spectrum, 11 Apr 2014 – What makes Heartbleed so insidious is the fact that it can allow hackers to snatch data from a server’s memory 64 kilobytes at a time—even if the information is supposedly encrypted—without leaving a trace. While the end user takes comfort in the ability of SSL/TLS encryption to keep his or her data from prying eyes, the “https” in the URL and the closed padlock icon are a cruel trick. [More]


Heartbleed SSL Vulnerability Explained

CNN Money, 9 Apr 2014 – For more than two years now, Heartbleed has allowed outsiders to peek into the personal information that was supposed to be protected from snoopers. The bug allows potential hackers to take advantage of a feature that computers use to see if they’re still online, known as a “heartbeat extension.” But a malicious heartbeat signal could force a computer to divulge secret information stored in its memory. [More]
Related: Notable websites compromised by Heartbleed: Google, YouTube, Gmail, Facebook, Yahoo, Yahoo Mail, Tumblr, Flickr, OKCupid, Wikipedia.


Microsoft issues final Windows XP, Office 2003 patches

ZDnet, 8 Apr 2014 – Today Microsoft released four security updates for Windows and Microsoft Office. These will be the last publicly-released updates for Windows XP and Office 2003. A total of 11 vulnerabilities were addressed by these updates, including seven for Windows XP and four for Office 2003. [More]


‘Heartbleed’ bug in OpenSSL puts encrypted communications at risk

ITworld, 7 Apr 2014 – Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications. The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. [More]


Microsoft sniffed blogger’s Hotmail account to trace leak

CNET, 20 Mar 2014 – Microsoft went through a blogger’s private Hotmail account in order to trace the identity of a source who allegedly leaked trade secrets. [More]


Doing the ICANN-can

The Economist, 20 Mar 2014 – America promises to release its grip on the Internet’s phone book — and opens up a debate on how to govern cyberspace. [More]


Important corrections re: U.S. announcement and IANA functions

ICANN, 20 Mar 2014 – On Friday, March 14 the U.S. Government announced its intention to transition its stewardship responsibilities of the Internet Assigned Numbers Authority (IANA) Functions to the global multistakeholder community — a key component of the Internet ecosystem. The IANA functions are the Internet’s technical identifiers, specifically, the top-level domain names of the Domain Name System, IP addresses, and protocol parameter registries. [More]


Google enhances encryption technology for email

Yahoo, 20 Mar 2014 – Google has enhanced the encryption technology for its flagship email service in ways that will make it harder for the National Security Agency to intercept messages moving among the company’s worldwide data centers. Among the most extraordinary disclosures in documents leaked by former NSA systems analyst Edward Snowden were reports that the NSA had secretly tapped into the main communications links that connect Yahoo and Google data centers around the world. [More]


RSA Conference 2014: 8 Top Computer Security Trends

Petri, 20 Mar 2014 – Snowden, the NSA, IT security skills shortage, cloud and mobile security, etc. [More]


25,000 Linux servers spread spam, drop malware and steal credentials

Tech Republic, 19 Mar 2014 – Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. The report talks about two well-known organizations that became victims of Windigo: “This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org.” [More]


Compare the NSA’s Facebook Malware Denial to its Own Secret Documents

Intercept, 15 Mar 2014 – On Wednesday, Glenn Greenwald and I revealed new details about the National Security Agency’s efforts to radically expand its ability to hack into computers and networks across the world. The story has received a lot of attention, and one detail in particular has sparked controversy: specifically, that the NSA secretly pretended to be a Facebook server in order to covertly infect targets with malware “implants” used for surveillance. [More]


Who is winning the ‘crypto-war’?

BBC, 15 Mar 2014 – In the war over encryption between the NSA and privacy activists, who is winning? [More]


Are Russia and Ukraine on the Verge of an All-Out Cyberwar?

Mother Jones, 12 Mar 2014 – Ukraine’s top security agency — the National Security and Defense Council of Ukraine — announced at a briefing that it had been hit by severe denial-of-service (DDoS) attacks, “apparently aimed at hindering a response to the challenges faced by our state.” This comes on the heels of a number of alleged hacks involving Russian and Ukrainian targets, including attacks on news outlets and blocking reception to the cellphones of Ukrainian parliament members. [More]


NSA system designed to attack millions of computers

CNET, 12 Mar 2014 – Through an operation called Turbine, the NSA crafted an automated system designed to hack “millions” of computers, new documents from Edward Snowden’s leaks on government surveillance reveal. [More]


Researchers prove Wi-Fi at risk for malware attacks

Tech Republic, 12 Mar 2014 – Once Chameleon gains a foothold on one AP, it then attempts to infect other Wi-Fi access points. By focusing on the Wi-Fi portion of the network instead of computers and mobile devices, the malware is unlikely to be detected using current antimalware technology. [More]


Cyber Snake plagues Ukraine networks

Financial Times, 7 Mar 2014 – An aggressive cyber weapon called Snake has infected dozens of Ukrainian computer networks including government systems in one of the most sophisticated attacks of recent years. Also known as Ouroboros, after the serpent of Greek mythology that swallowed its own tail, experts say it is comparable in its complexity with Stuxnet, the malware that was found to have disrupted Iran’s uranium enrichment programme in 2010. [More]


Cyber Risk Is World’s Third Corporate-Risk Priority

Wall Street and Technology, 7 Mar 2014 – U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represent the highest average loss across all industries according to the authors of Deloitte’s recent report, ‘Transforming cybersecurity – New approaches for an evolving threat landscape’. [More]


Tor hidden services – a safe haven for cybercriminals

SecureList, 5 Mar 2014 – Cybercriminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc. [More]


9 Must-Do’s if you stick with Windows XP

CSO Online, 5 Mar 2014 – Without updates after April 8 Windows XP is expected to fall prey to any number of zero-day attacks for which Microsoft will provide no defense, but there are some things die-hard XP users can do to make their machines safer. [More]


Top 10 IT Trends from the Microsoft Perspective

Petri, 3 Mar 2014 – Software-Defined Networking (SDNs), Software Definied Storage, Hybrid Cloud Services, and more. [More]


China Establishes Presidential Commission to Shore Up Its Cyberdefenses

IEEE Spectrum, 1 Mar 2014 – China revealed the extent of its concern over cybercrime when it announced that President Xi Jinping is chairing a new working group on cybersecurity and information security. Xi will have a direct hand in drafting national policies aimed at improving cyberdefenses. [More]


Archive (search for keywords with site search engine)

January – February 2014
November – December 2013
September – October 2013
July – August 2013
May – June 2013

Written by Doug Vitale

July 31, 2013 at 12:13 PM

%d bloggers like this: