My information Resource (blog.mir.net)

In the last few months we see a uptick in Big Web sites being hacked – We saw  last month AOL compromised. AOL Inc urged its tens of millions of email account holders to change their passwords and security questions, saying a cyber attack compromised about 2 percent of its accounts

Yesterday EBAY announced that attack carried months had compromised customer data. and EBAY  urged 145 million users of its online commerce platform to change their passwords.

You should NOT use the same password for all you sites, you need to use different password for your web sites. However when I say this to user, they say it to hard to do.

I have been a user of some technology for years that helps user accomplish this task. There are Password Manager application that will save all your password in an encrypted system and you just need to remember the master password.

While Password Manager applications will not stop web sited from being hacked they will limit the possibility of a user name/ password that you use on 1 site being used on another site.

You can have each site with very strong password that are unique to each application.

For the purpose of this Blog i will show you a product call Roboform.

to use Roboform you do the following steps

Step 1 Install software

Step 2 Create a Master Password –  Your Master Password is the one password you’ll need to remember. This password will encrypt and secure all of your RoboForm data and do not forget it.

Step 3  Go to a web site and add you login info RoboForm automatically offers to save your Login information. It’s that simple.

Step 4 Now when you go to the site again Roboform will enter the login and password automatically.

 

Some other features for you include

• RoboForm Identities feature to securely store your name, address, email, credit cards, and all your other information. Just click on your RoboForm Identity to fill entire web forms automatically.

• Generate really Strong Passwords that you can use 1 per site and not have to remember

You can find out more about Roboform Here

FYI I have nothing to do with Roboform, I do not sell it, i just use it

 

Active malware campaign Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads..

On the SophosLabs site there is an article about this new attack “Unflod Baby Panda”

This malware will do the following :

Hooks the SSLWrite function

When loaded and initialised, the Unflod library hooks the SSLWrite function, used when sending encrpyted data over a secure connection.

That means the malware gets to peek at confidential data before it is encryption for transmission.

then it  Watches out for the presence of AppleID credential data.

Uploads credential data it finds to one of two hardcoded IP addresses

What to do?

If you haven’t jailbroken your iOS device, you don’t need to worry.

If you are a jailbreaker and you have been circumspect in what you choose to install, you probably don’t need to worry.

Nevertheless, just in case, Sophos products detect this malware as iPh/PWS-CFX.

Of course, because a proper anti-virus isn’t possible on an unjailbroken iOS device (though, by the same token, malware is in general very unlikely on such devices), there isn’t such a thing as Sophos Anti-Virus for iOS.

So, if you want to scan your iPhone or iPad, you’ll need to install software that lets you access the files on iDevice remotely so you can scan them with an anti-virus on your desktop or laptop computer.

And to do that you’ll need to jailbreak your iDevice…

PS. If you allow remote access to your iDevice by installing the SSH daemon, don’t forget that Apple gives the accounts root and mobile the same password on all iDevices (it’s “alpine”, and yes, hard-wired passwords are a terrible idea). So if you enable sshd, you must change the password on those accounts, as explained here.

The full article is posted here

 

This is a new campaign from Microsoft that i think we need to remind people to THINK FIRST before you CLICK

 

Think before you click.

Only download software from websites you trust. For more information, see How do I know if I can trust a website?

Turn on automatic updating so that you’re always using the latest, most secure versions of the software installed on your computer.

Make sure you’re using antivirus software and keeping it up to date.

Use newer software whenever possible.

You can prevent most computer issues if you THINK FIRST

 

Source Microsoft 

Turn your PowerPoint presentation into an interactive online lesson. We call this a mix. Everything you need to create and share your mix is included. Add audio and video of yourself giving your presentation, write on slides as you talk to them, insert quizzes, practice exercises, and more – all from within PowerPoint. It’s like a screen cast, but better. This is a new Customer Preview

for the Add in Called Office MIX

Bring your PowerPoint presentations to life by adding interactive quizzes, online videos, and even web pages.

Check it out at https://mix.office.com/

to learn more about Office Mix go here

 

 

This book is about writing Windows Store apps using HTML, CSS, and JavaScript. Our primary focus will be on applying these web technologies within the Windows platform, where there are unique considerations, and not on exploring the details of those web technologies themselves.

 

Creating a Password

bird

Sorry the password must be more that 8 characters

bird house

Sorry the password must contain 1 numerical space

1 bird house

Sorry the password cannot have blank spaces

1birdhouseisthisok

Sorry the password must contain at least one upper case character

1birdhouseisthisokNOW

Sorry the password can not use more that one upper case character consecutively

11birdhouseisthisokNowjerk

Sorry the password can not use more that 2 numbers consecutively

11birdhouseisthisokNowjerkfine!

Sorry the password cannot contain punctuation

1birdhouseisthisokNowjerkfineonow

Sorry the password can not use words in the Dictionary

P@ssw0rd

Sorry that  password is already in use and now you need to wait 24 hour to change your password

Officials are telling that the Healthcare.gov  website account holders to reset their passwords, following revelations of a bug that could allow hackers to steal data.

Officials earlier said the site HealthCare.gov, were safe from the risks surrounding Heartbleed — faulty code recently found in a widely-used encryption tool. 

But, this weekend, the homepage directs users to change their login information.  

“While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” HealthCare.gov states. 

This is  what the Site says to do

Recently, you may have heard about a new internet security weakness, known as Heartbleed, which is impacting some websites. HealthCare.gov uses many layers of protections to secure your information. While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution. This means the next time you visit the website, you’ll need to create a new password. We strongly recommend you create a unique password – not one that you’ve already used on other websites.

How to reset your password

1. Use the online Forgot Password feature
2. Enter your username and click “Send email”
3. Wait for the “Forgot Marketplace Password” email we’ll send you to create a new password for your account
4. Follow the link in the email and answer the 3 security questions you chose when you first created your account
5. Create and confirm your new password
6. Click “Reset Password”
7. Wait for the message that your password was successfully reset
8. Log in with your new password

If you get a message that we couldn’t process your password reset request, you’ll need to try again. Click on “Return to log in page” and select the “Forgot your password?” link to get a new email with a new link to try again. If this doesn’t work, call the Marketplace call center at 1-800-318-2596 for help.

Is my information at risk?

There’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk. However, we’re resetting current passwords out of an abundance of caution, to ensure the protection of your information.

Additional password tips and information about managing your HealthCare.gov account is located at https://www.healthcare.gov/help/i-am-having-trouble-logging-in-to-my-marketplace-account/.

 

Original release date: April 08, 2014

 

Systems Affected

• OpenSSL 1.0.1 through 1.0.1f
• OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional details may be found in CERT/CC Vulnerability Note VU#720951.

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability.  Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

• OpenSSL Security Advisory
• The Heartbleed Bug
• CERT/CC Vulnerability Note VU#720951
• Perfect Forward Secrecy
• RFC2409 Section 8 Perfect Forward Secrecy

Revisions

• Initial Publication

This is copied from the DHS Site as a public service

Introducing Microsoft SQL Server 2014

In this book, the authors explain how SQL Server 2014 incorporates in-memory technology to boost performance in online transactional processing (OLTP) and data-warehouse solutions. They also describe how it eases the transition from on-premises solutions to the cloud with added support for hybrid environments.

 Download the PDF