Thursday, September 25, 2014

Security vulnerability in bash

It was disclosed that Stephane Chazelas discovered a critical vulnerability in GNU bash, the default shell on the vast majority of Unix and Linux systems.
Bash evaluates function definitions that it finds in environment variables, and vulnerable versions keep on evaluating whatever follows the definition. Any attacker who can get data into an environment variable that bash sees (through a CGI web script, for example) can therefore execute arbitrary commands on the affected server. These commands usually run with the privileges of the service that invoked bash rather than as root, but they give the attacker a foothold from which to escalate privileges or move further into the network.

We immediately checked all our systems and updated nodes which were affected by the issue, to ensure the vulnerability is addressed.
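As an added check (not code from the original post), the following Python wrapper runs the widely used probe for this bash flaw: it exports an environment variable whose value is a function definition followed by an extra command and observes whether bash executes that command at startup. It assumes a bash binary is on PATH, and it tests only the original flaw, not the follow-up parser bugs that were found in the days after the disclosure.

```python
import os
import shutil
import subprocess
from typing import Optional

# Added example, not code from the original post: a reusable wrapper around
# the well-known environment-variable probe for the bash flaw described above.

# A function body followed by a smuggled command. A vulnerable bash parses the
# function at startup and then runs the trailing echo; a patched bash treats
# the whole value as plain data.
PROBE_VALUE = "() { :;}; echo VULNERABLE"


def bash_runs_trailing_command(bash: str = "bash") -> Optional[bool]:
    """Return True if `bash` executes the command appended to an exported
    function definition, False if it ignores it, None if no such binary."""
    path = shutil.which(bash)
    if path is None:
        return None
    # Minimal environment: PATH so bash can start, plus the probe variable.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "probe": PROBE_VALUE}
    result = subprocess.run(
        [path, "-c", "echo probe-ran"],
        env=env,
        capture_output=True,
        text=True,
        timeout=10,
    )
    # The marker only appears if bash ran the smuggled command before ours.
    return "VULNERABLE" in result.stdout


def report(bash: str = "bash") -> str:
    """Human-readable verdict for one bash binary (e.g. for a fleet check)."""
    state = bash_runs_trailing_command(bash)
    if state is None:
        return f"{bash}: not found"
    if state:
        return f"{bash}: VULNERABLE, update immediately"
    return f"{bash}: ignores trailing commands in exported functions"


if __name__ == "__main__":
    print(report())
```

Run it on every host that exposes bash to untrusted input (web servers with CGI, SSH hosts with forced commands, DHCP clients); a "VULNERABLE" verdict means the package update has not been applied on that node.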

Wednesday, June 4, 2014

Don’t rely on fake security.

What is the common denominator of the whole internet? You say the IP protocol or the Domain Name System? I say passwords.

It doesn’t matter whether you want to access your router, initiate a wire transfer, order a book, access your email or upload a photo—you need to authenticate with at least a password before you can do so.

And most password systems create a false sense of security.

Passwords are difficult.

Now think about your standard web service. When you created your account, it probably asked you to pick a “secure” password, which is almost impossible to do well because:
  • It’s hard to remember a different password for each account, so users often have one or only a few passwords that they reuse across services; when one of them leaks, every account that shares it is compromised.
  • Password rules differ widely (two special characters here, capital letters there, no punctuation at another site) and end up making passwords hard for humans to remember without making them hard for computers to guess.

Passwords are open.

Of course, web services know that it’s impossible to remember all passwords, and that’s why they offer you an easy way to reset your password. Just click on the “forgot password” button, click on the link that they send to your email, and change your password.

Sounds easy, but it also means that none of your accounts is more secure than your email inbox!

And it gets even worse: the only thing needed to change your password, the reset link, is sent over a medium that’s as open as a postcard!

Maybe you use an encrypted connection to retrieve your email from your provider (Google, Yahoo or your company’s mail server), but you have no control over how the message got there: which servers it passed through, or whether the connections between them were encrypted. The opportunities for eavesdropping are virtually endless.

Why make it so complicated?

If passwords don’t really add to security anyway, can’t we just get rid of them? In fact, we can, by using one-time access tokens.

How it works is pretty simple: you identify yourself (for example with your user name), and the system sends a one-time token to the cell phone number you provided during sign-up1. Entering this token grants access to the system.

This has a couple of benefits: the user doesn’t have to worry about finding a long and secure password; they don’t have to remember a password at all. Even better: if an attacker gets to know one of the user’s access tokens after it has been used, it’s useless to them, because it cannot be used again. For that to hold, the server has to invalidate each token on first use and after a short time window, and the phone number (and the SIM behind it) becomes the credential that must be protected.

[1] An alternative is a code generator (either software on your phone, e.g. Authy or Google Authenticator, or hardware, e.g. RSA SecurID or YubiKey) that produces one-time codes. Time-based generators only accept a code within a short window (30 seconds for Google Authenticator and Authy, 60 seconds for RSA SecurID), and each code can be used at most once.
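As an added example (not code from the original post or from rogr.io), here is a minimal server-side implementation in Python of the one-time token flow described above, with the properties the argument relies on: the token is valid for a short window, is consumed on first use, and survives only a limited number of wrong guesses. The six-digit format, the five-minute lifetime, the attempt limit and the class and function names are assumptions chosen for illustration; delivering the token by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not rogr.io's code: a minimal server-side one-time token
# service for the "send a code to the user's phone" login flow.
# The six-digit format, the five-minute lifetime and the attempt limit are
# assumptions chosen for illustration.

TOKEN_DIGITS = 6
TOKEN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingToken:
    digest: bytes       # keyed hash of the token, never the token itself
    expires_at: float
    attempts: int = 0


class OneTimeTokenService:
    """Issues single-use login tokens and verifies each one at most once."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # stays on the server; a DB dump alone reveals no tokens
        self._clock = clock         # injectable so expiry can be tested deterministically
        self._pending = {}          # user -> PendingToken

    def _digest(self, user: str, token: str) -> bytes:
        return hmac.new(self._key, f"{user}:{token}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh token for `user`; the caller hands it to the SMS gateway."""
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        # Re-issuing replaces any earlier token, so at most one is live per user.
        self._pending[user] = PendingToken(
            digest=self._digest(user, token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def verify(self, user: str, token: str) -> bool:
        """Return True exactly once, for the right token inside its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False                        # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[user]             # expired: burn it
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]             # too many guesses: burn it
            return False
        if not hmac.compare_digest(entry.digest, self._digest(user, token)):
            return False                        # wrong code; token stays live for now
        del self._pending[user]                 # single use: consumed on success
        return True


if __name__ == "__main__":
    svc = OneTimeTokenService(server_key=secrets.token_bytes(32))
    code = svc.issue("felix")                   # constructed user for the demo
    print("SMS would carry:", code)
    print("first use:", svc.verify("felix", code))    # True
    print("replay:", svc.verify("felix", code))       # False
```

Only a keyed hash of each token is stored, so someone who reads the pending-token table without the server key still cannot log in, and the comparison uses a constant-time check so that timing does not leak how many digits were right. The attempt counter matters because a six-digit code has only a million possibilities; without it, an attacker could simply try them all within the five-minute window.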

Wednesday, April 23, 2014

Recipe: Get your contacts back after you lost your phone

You lost your phone, and all your contacts are gone? Use rogr.io to get them all back: hassle-free, and without having to piece together information from hundreds of emails, texts, and Facebook comments.

Create the fetch

  • Go to rogr.io and log in (or sign up if you don't have an account yet).
  • Click on the outbox and create a new fetch by clicking on the green plus symbol.
  • Skip the first section, and click on Basic Information to complete that section with a title and a short description for your contacts to see.
  • Now scroll down and click on the Data section. Fill it out similar to what is shown below—you can change the data elements (KPIs in rogr.io) to your liking. Maybe add a data element for the Skype user name?
    In case you added an element by mistake, remove it with the cross/trash symbol on the right-hand side.
  • Click on Go Fetch It at the top to finish your work. You should see the fetch in your workspace now. Now, we need to create an access link. Click on the title ("Felix' phone book" in my example) to open the fetch again.
  • Click on Public invite link to get a link. That's your public invite link for this fetch. Everybody who has the link can provide their data to you. Post it to your Facebook, for example.
Now you can sit back and relax. Your friends can provide you with their contact data, and they don't even have to create an account!

Get the results

Whenever you're curious about the progress, just log in to rogr.io again, and open the fetch. You'll see the status of everybody who has replied. Click on Export to Excel (simple) to download it all and use it in your Android phone (Google Contacts), Outlook, or your iPhone.

Tuesday, April 15, 2014

Heartbleed

What is the Heartbleed Bug?

A bug is a programming error in software. This one is so relevant that it got its own name, "Heartbleed". It's a flaw in OpenSSL, the cryptographic library that many web servers use to encrypt the communication with their users. The bug is a missing bounds check in OpenSSL's handling of the TLS "heartbeat" message: a client can ask the server to echo back far more data than it actually sent, and the server answers with up to 64 KB of its own memory per request. An estimated 17% of public secure web servers were vulnerable when the bug was announced [3]. An attacker can use it to read confidential information straight out of those servers' memory, including passwords, session cookies and even the servers' private keys and certificates [4] (and with the private key, break the encryption of recorded traffic), all without leaving a trace [1].

The bug was discovered on Apr 3, 2014 and publicly announced four days later, but the flawed code had been in OpenSSL since December 2011 and shipped in every release of OpenSSL 1.0.1 up to 1.0.1f [1].

What are the consequences?

A software update that closes the vulnerability is available, and many affected companies have already installed it. Nevertheless, your information on the affected servers could have been accessed by attackers for almost two years. Even after the bug is fixed, attackers who stole your password (or a server's private key) during that time keep whatever access it gives them until it is changed. Bloomberg reported that the NSA had allegedly known about and exploited the bug for years [5]; there may well have been others.

Is rogr.io affected?

Yes, our service used the encryption module vulnerable to Heartbleed. We closed the bug on Apr 7, 2014 and are deploying new server certificates.

What should I do?
  • Find out if the services you're using have been affected.
  • Change your passwords on the affected sites, but only after the bug has been fixed there; a new password sent to a still-vulnerable server can leak just like the old one.
  • Enable 2-factor authentication wherever possible.

In which order should I change my passwords?
  • Many services rely on your email to reset passwords or authenticate information. Therefore, first re-establish secure email access in case it was compromised (e.g., Gmail).
  • After this, change your passwords on affected sites, but, as mentioned before, only after the web site in question has fixed the Heartbleed bug. Where the site offers it, also log out of all other sessions, since session cookies could have leaked as well.
  • As a safety measure, we recommend the following two additional steps:
    • If you're using 2-factor authentication, disable it and then enable it again. For app-based codes, re-enrolling generates a new shared secret on the server, so a secret that may have been read from the server's memory stops working.
    • Enable 2-factor authentication on all web sites that offer it (e.g., Google, Facebook, Outlook.com, AWS, Tumblr).


Sources:
1. http://heartbleed.com/
2. http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
3. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
4. http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
5. http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
6. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/



Created by rogr.io