Month: April 2014

 

 

This book is about writing Windows Store apps using HTML, CSS, and JavaScript. Our primary focus will be on applying these web technologies within the Windows platform, where there are unique considerations, and not on exploring the details of those web technologies themselves.

 

Creating a Password

bird

Sorry the password must be more that 8 characters

bird house

Sorry the password must contain 1 numerical space

1 bird house

Sorry the password cannot have blank spaces

1birdhouseisthisok

Sorry the password must contain at least one upper case character

1birdhouseisthisokNOW

Sorry the password can not use more that one upper case character consecutively

11birdhouseisthisokNowjerk

Sorry the password can not use more that 2 numbers consecutively

11birdhouseisthisokNowjerkfine!

Sorry the password cannot contain punctuation

1birdhouseisthisokNowjerkfineonow

Sorry the password can not use words in the Dictionary

P@ssw0rd

Sorry that  password is already in use and now you need to wait 24 hour to change your password

Officials are telling that the Healthcare.gov  website account holders to reset their passwords, following revelations of a bug that could allow hackers to steal data.

Officials earlier said the site HealthCare.gov, were safe from the risks surrounding Heartbleed — faulty code recently found in a widely-used encryption tool. 

But, this weekend, the homepage directs users to change their login information.  

“While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” HealthCare.gov states. 

This is  what the Site says to do

Recently, you may have heard about a new internet security weakness, known as Heartbleed, which is impacting some websites. HealthCare.gov uses many layers of protections to secure your information. While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution. This means the next time you visit the website, you’ll need to create a new password. We strongly recommend you create a unique password – not one that you’ve already used on other websites.

How to reset your password

1. Use the online Forgot Password feature
2. Enter your username and click “Send email”
3. Wait for the “Forgot Marketplace Password” email we’ll send you to create a new password for your account
4. Follow the link in the email and answer the 3 security questions you chose when you first created your account
5. Create and confirm your new password
6. Click “Reset Password”
7. Wait for the message that your password was successfully reset
8. Log in with your new password

If you get a message that we couldn’t process your password reset request, you’ll need to try again. Click on “Return to log in page” and select the “Forgot your password?” link to get a new email with a new link to try again. If this doesn’t work, call the Marketplace call center at 1-800-318-2596 for help.

Is my information at risk?

There’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk. However, we’re resetting current passwords out of an abundance of caution, to ensure the protection of your information.

Additional password tips and information about managing your HealthCare.gov account is located at https://www.healthcare.gov/help/i-am-having-trouble-logging-in-to-my-marketplace-account/.

 

Original release date: April 08, 2014

 

Systems Affected

• OpenSSL 1.0.1 through 1.0.1f
• OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional details may be found in CERT/CC Vulnerability Note VU#720951.

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability.  Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

• OpenSSL Security Advisory
• The Heartbleed Bug
• CERT/CC Vulnerability Note VU#720951
• Perfect Forward Secrecy
• RFC2409 Section 8 Perfect Forward Secrecy

Revisions

• Initial Publication

This is copied from the DHS Site as a public service

Introducing Microsoft SQL Server 2014

In this book, the authors explain how SQL Server 2014 incorporates in-memory technology to boost performance in online transactional processing (OLTP) and data-warehouse solutions. They also describe how it eases the transition from on-premises solutions to the cloud with added support for hybrid environments.

 Download the PDF