Blender Fox


Google won't fix a security bug that's in almost a billion Android phones

...it seems that Jelly Bean devices are simply too old to support -- supporting old software versions is fairly unusual, after all. But in this case, he asks Google to reconsider, due to the wider consequences this security flaw could potentially unravel. Until then, however, it might be a good idea to upgrade to Android 4.4, or perhaps get a new phone altogether.

Google won’t fix a security bug that’s in almost a billion Android phones.

Security


I am seriously considering studying for a CEH (Certified Ethical Hacker) certification. Given the recent spate of cyber attacks, being able to lock down and test the security of your own network is proving to be more and more crucial…

Catherine Crump: The small and surprisingly dangerous detail the police track about you


Stealth "Turla" Malware Infects Unknown Number of Linux Systems


How Splitting A Computer Into Multiple Realities Can Protect You From Hackers


Virtualisation, Sandboxes, Containers. All terms and technologies used for various reasons. Security is not always the main reason, but considering the details in this article, it is a valid point. It is simple enough to set up a container on your machine. LXC/Linux Containers, for example, don’t have as much overhead as a VirtualBox or VMware virtual machine and can run almost, if not just, as fast as a native installation (I’m using LXC for my Docker.io build script). Conceptually, if you use a container and it is infected with malware, you can drop and rebuild the container, or roll back to a snapshot, much more easily than reimaging your machine.

Right now I run three different containers – one is my main Ubuntu Studio, which is not a container, but my core OS. The second is my Docker.io build LXC, which I rebuild every time I compile (and I now have that tied into Jenkins, so I might put up regular builds somehow), and the final one is a VirtualBox virtual machine that runs Windows 7 so I don’t have to dual boot.

How Splitting A Computer Into Multiple Realities Can Protect You From Hackers | WIRED.

Glenn Greenwald: Why privacy matters | Talk Video | TED.com


Glenn Greenwald: Why privacy matters | Talk Video | TED.com.

Shellshock, the Bashdoor Bug - Computerphile - YouTube


Computerphile explains Shellshock www.youtube.com/watch

Firejail - A Security Sandbox for Mozilla Firefox


How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock


Copy-paste this line of text into a bash window:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the reply comes back as:

vulnerable
hello

Then your version of bash is vulnerable to shellshock. Most distributions have already pushed out a new version of bash. My Ubuntu machines updated yesterday.

If you use Cygwin, then you need to check there too. Cygwin bash 4.1.10 is definitely vulnerable, but 4.1.11 is not.

If your version of bash is not vulnerable the output will be:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
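The check above, wrapped into a script that probes every bash on PATH, since one machine can carry several copies (a system bash plus a Cygwin or package-manager build, for example). This is an added example, not part of the original post; the function names are illustrative, and it tests only for the flaw that the one-liner above tests for.

```shell
#!/bin/sh
# Added example (not from the original post): run the page's Shellshock
# probe against every bash binary found on PATH.

# Classify the combined stdout/stderr of the probe command.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo 'vulnerable'        # the injected "echo vulnerable" ran
    elif printf '%s\n' "$1" | grep -qx 'hello'; then
        echo 'not vulnerable'    # only the intended command ran
    else
        echo 'inconclusive'      # the binary did not behave like bash
    fi
}

# Run the probe from the post against one specific bash binary.
probe_bash() {
    bash_bin=$1
    if [ ! -f "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo 'missing'
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1) || true
    classify_probe_output "$out"
}

# Report every executable named "bash" on PATH, one "path: status" per line.
scan_path_for_bash() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        candidate="${dir:-.}/bash"   # an empty PATH entry means the current directory
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s: %s\n' "$candidate" "$(probe_bash "$candidate")"
        fi
    done
    IFS=$old_ifs
}

scan_path_for_bash
```

Any line reported as "vulnerable" names a binary that still needs updating, even if the default bash on the same machine is already patched.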

How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock.

School dropout codes chat program that foils NSA spying (Wired UK)


The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.

School dropout codes chat program that foils NSA spying (Wired UK).

The FCC Received 3.7 Million Net Neutrality Comments


ecryptfs Setup


Some ecryptfs sites for reference, in reference to previous post.

In particular, use of the Private directory is the simplest setup as it encrypts stuff inside a known folder, leaving it in a scrambled state when you are not logged in, so that no-one can get at it.

If you only need access to those files on an occasional basis, then using the mount option is better.

File-Level Encryption in Linux Using ecryptfs


With the NSA spying scandal, all eyes are on ways to stop the surveillance and protect privacy. Campaigns such as Reset the Net have been used to encourage and push sites and people to amp up their security methods. Disasters such as Heartbleed show what happens if security is compromised, whether intentionally or accidentally.

I used to use TrueCrypt to allocate a virtual hard disk and put my private files in that. One of the benefits of this was that TrueCrypt also supported full disk encryption and Plausible Deniability (e.g. hiding an OS within another OS). However, one of the most frustrating parts of TrueCrypt is that you allocate space and any space you do not use is lost, e.g. if you allocate 10GB but use only 1GB, there is still 9GB left that is allocated to the TrueCrypt volume and cannot be used by the unencrypted space.

Unfortunately, I recently found out that TrueCrypt shut down, under very suspicious and mysterious circumstances (check the related articles section below). Sure, you could use LUKS instead, or VeraCrypt (but I haven’t tried VeraCrypt), but considering I only want to encrypt a subset of my files, and not the whole partition, that might be a little overkill.

So, I investigated ecryptfs. Details can be found on the Wikipedia page, but in short, it allows you to mount directories (it comes with a wrapper to the mount command), and unlike other mount wrappers, it lets you mount on top of the same directory. In other words, you can do:

sudo mount.ecryptfs ~/SecuredData ~/SecuredData

And this will take the data stored in the directory and transparently decrypt it when you try to access the directory.

If you copy data into the directory, ecryptfs will encrypt it and store it in the underlying directory in encrypted form. When you unmount the directory, only the encrypted data is visible. If you combine the mounting process with the optional Filename Encryption, then all you see are files with garbled filenames.

ecryptfs supports various encryption methods, from AES and Blowfish to 3DES and Twofish. Obviously, the higher the encryption level you choose, the slower the access. 3DES encryption resulted in a transfer rate of 7MB/s for me when copying to the encrypted space, and AES was 16MB/s, so balance your requirement of high encryption vs slow access.

Denial of service attack (part 2) | Building Feedly


Feedly has gone down again, as a result of another DDoS:

7:26am PST: We are currently being targeted by a second DDoS attack and are working with our service providers to mitigate the issue.

As with yesterday’s attack, your data is safe. We apologize for the inconvenience and will update this blog post as more information is available or the situation changes.

Denial of service attack (part 2) | Building Feedly.

Evernote and Feedly Hit by Cyberattacks, Held for Ransom


Feedly is up now, but some sites still haven’t updated their articles yet:

Popular note-taking app Evernote and RSS reader Feedly have been hit with major cyberattacks as hackers demand ransom from the latter site to get it back online.

Both Evernote and Feedly, two services that work together, confirmed they suffered DDoS (distributed denial of service) attacks, a type of cybercrime that kicks sites offline and is meant to disrupt usage (not steal user data). But Feedly, which is still down, detailed in a blog post that hackers are holding the site up for ransom. It’s unknown as of now if the cyber criminals asked for ransom from Evernote too.

Evernote and Feedly Hit by Cyberattacks, Held for Ransom.

Denial of service attack | Building Feedly


Feedly is being hit by a DDoS. Feedly was touted as the replacement to Google Reader when Google decided to pull the plug on it. And a lot of people moved over to Feedly as a result. I was one of them.

Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.

We are working in parallel with other victims of the same group and with law enforcement.

We want to apologize for the inconvenience. Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized.

Denial of service attack | Building Feedly.

iPhone hack: Apple users urged to change password over Oleg Pliss ‘blackmail’ plot


iPhones frozen by hackers demanding ransom - Telegraph


Owners of iPhones and iPads have been targeted by a hacker who is freezing iOS devices and demanding a ransom of up to £55 to unlock them.

The majority of the attacks have taken place in Australia although there are also reports of Britons being affected.

iPhones frozen by hackers demanding ransom - Telegraph.

Student Loan Company rapped after data breaches


The Information Commissioner’s Office (ICO) has criticised the Student Loans Company Limited after a series of data breaches involving customers’ records.

The business reported several incidents where information held about customers, including medical details and a psychological assessment, had been sent to the wrong people.

 

An ICO investigation found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks.

Student Loan Company rapped after data breaches.

The IE flaw that Microsoft refuses to patch - Telegraph


And why are you still using Windows?

A flaw in Microsoft's Internet Explorer which leaves users vulnerable to hackers has not been fixed, despite its discoverer giving the company six months grace to do so before publishing details.

The IE flaw that Microsoft refuses to patch - Telegraph.

Video: eBay cyber attack: why you should change your password now - Telegraph


Auction site eBay asked all its 233m users to change their passwords following a "cyber attack" that saw their names, email and postal addresses, phone numbers and dates of birth fall into the hands of hackers.

(Video inside link)

Video: eBay cyber attack: why you should change your password now - Telegraph.

Secrets, lies and Snowden's email: why I was forced to shut down Lavabit | Comment is free | theguardian.com


The owner of Lavabit, the encrypted email service used by Edward Snowden finally tells his story. And it makes uncomfortable reading.

Secrets, lies and Snowden’s email: why I was forced to shut down Lavabit | Comment is free | theguardian.com.

China bans the installation of Windows 8 on government computers


China believes that Windows 8 poses enough of a future security risk that it's banning government agencies from installing the operating system on any of its new computers. 

China bans the installation of Windows 8 on government computers.

Heartbleed and the after-effects


Heartbleed certainly shook up a lot of companies, and whilst a lot of companies did their best to get systems updated, doing so has caused side effects for users, including me.

I use an extension for Chrome/Chromium called HTTPS Everywhere and this forces HTTPS connections to the site you’re visiting. However, since the patching of Heartbleed, some sites have started misbehaving and only work “properly” if I use either the Incognito mode (which means no extensions), or if I deactivate HTTPS Everywhere for the site in question. The side effect of this, unfortunately, means my net traffic to the site in question is exposed via non-secure HTTP. Fortunately, I have encountered only two sites so far which have this problem, neither of which I am too concerned about (at the moment):

If I encounter any more, I’ll post it here.

Has Heartbleed Made You Think Twice About Open Source Security? Think Again. | Spree Commerce


...when there is a need for a security patch or other bug fix, the person in control of implementation is…you. With closed source, you need to wait for the enterprise in control to fix the problem and make it available to users. For example, Akamai, one of the best, most sophisticated technology firms on the planet, is still working to address its Heartbleed vulnerabilities. Thus, users have no choice but to wait on Akamai for a complete fix. Open source users can do what they want with the code. They can use a patch that has been made available on Github, or can otherwise modify their code as they see fit. In fact, because Spree is open source and its users control their own code, they can choose to replace OpenSSL altogether if they so desire.

Has Heartbleed Made You Think Twice About Open Source Security? Think Again. | Spree Commerce.