Superfish CA + Komodia vulnerability test This test has been retired in favor of the badssl.com Dashboard. You can still find Superfish removal instructions here. YES, it looks like you have a Komodia proxy running (but not Superfish). Unfortunately there aren't detailed removal instructions at the moment, but you can follow the Superfish ones, substituting the name of the software you installed for "Superfish". Here is an incomplete list of known affected software: "Keep My Family Secure", "Kurupira", "Qustodio", "Staffcop", "Easy hide IP Classic", "Lavasoft Ad-aware Web Companion". YES, you have a big problem, even if it's not Komodia. Apparently no certificate checks are happening at all. This might be due to the browser you are using (if it's not a major one) or to software you are running, like PrivDog. See here for instructions on removal. No other SSL-disabling product was detected on your system.
NSA Said to Exploit Heartbleed Bug for Intelligence for Years The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet's history, a flaw in the basic security of as many as two-thirds of the world's websites. Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Controversial Practice Vanee Vines, an NSA spokeswoman, declined to comment on the agency's knowledge or use of the bug.
24 HOURS AFTER HEARTBLEED, 368 CLOUD PROVIDERS STILL VULNERABLE April 10, 2014 By Harold Byun, Skyhigh Networks Over the past weeks, security teams across the country have been grappling with the end of life of Windows XP, which is still running on 3 out of 10 computers. That issue has been completely overshadowed by news of the Heartbleed vulnerability in OpenSSL, which is used extensively to secure transactions and data on the web. Heartbleed makes the SSL encryption layer used by millions of websites and thousands of cloud providers vulnerable. Many cloud services are still vulnerable Skyhigh's Service Intelligence Team tracks vulnerabilities and security breaches across thousands of cloud providers, including the Heartbleed vulnerability. The average company uses 626 cloud services, making the likelihood that it uses at least one affected service extremely high. What actions you can take In order to close the vulnerability, cloud providers need to update OpenSSL and reissue the certificates whose private keys could have been exposed and used to impersonate the service.
Defense in depth (computing) Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited; the layers can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle. The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.[1][2] Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. Using more than one of the following layers constitutes defense in depth.
DigiCert SSL Certificate Discovery Tool With the SSL Discovery Tool you can perform manual and automatic scans. Manual scanning lets you search your network by a list of hosts or IP ranges or by a Host Group. Auto scanning allows you to schedule periodic scans at specified intervals (daily, weekly, or monthly) in order to detect and be notified of changes to your active certificate inventory. Both manual and automatic scans give you a detailed report of their findings. The report will show all the certificates found in the scan, which CA issued the certs, their expiration dates, and other information such as certificate key size, certificate type, common name, SAN names, and organization information. SSL Certificates are supposed to make life easier, so don't let managing them make your life more difficult.
The Heartbleed Hit List: The Passwords You Need to Change Right Now An encryption flaw called the Heartbleed bug is already being dubbed one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. But it hasn't always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We've rounded up their responses below. Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable. We'll keep updating the list as new information comes in.
The Heartbleed Vulnerability: What It Is and How It Affects You - McAfee NOTE: McAfee has released a Heartbleed Checker tool to help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed bug. You can access the tool at: Many of you may have been hearing the term "Heartbleed" over the past few days and wondering what exactly it is, and why people are so concerned about it. What is Heartbleed? It is important to understand that Heartbleed is not a virus, but rather a mistake written into OpenSSL—a security standard encrypting communications between you, the user, and the servers provided by a majority of online services. What Should I Do? The first thing you need to do is check to make sure your online services, like Yahoo and PayPal, have updated their servers in order to fix the Heartbleed vulnerability. How Do I Check For Heartbleed? Mashable has a list of popular websites affected by the Heartbleed vulnerability.
Speakeasy Speed Test Why do I get a “socket error” message? An error may result from having the speed test open in more than one browser tab or window. The test may fail to complete and display the following message: “A socket error occurred during the Upload test. Please try again later.” To prevent this error, and get the most accurate test results, close all other browser tabs and windows before running. If you continue to get a socket error message, or another type of error message, please provide feedback by emailing us at speedtestfeedback@fusionconnect.com. Why is the location I usually pick missing from the City list? A slow response can be caused by latency or packet-loss between the client and server, or particularly high Internet usage (during peak hours). In which browsers does the Speed Test work best? Why am I receiving “Could not connect to the Internet” errors when I am connected? Why didn’t the test choose the server location nearest me? Why is my speed lower than expected?
HeartBleed: lucky that OpenSSL is free software! SSL/TLS, the foundation of encrypted communications, not so encrypted after all When you browse the Internet, you sometimes use secure connections without knowing it. These are in fact encrypted connections. This is the case when you log in to your favourite webmail or to your bank's website. The majority of secure servers use the protocol known as HTTPS. The spectre of the NSA There is an extremely troubling point if we cross-reference this with the NSA/Prism affair. The role of free software in handling HeartBleed What lessons can be drawn from all this? The four freedoms, direct access to a fix Without access to the source code, a person who observed abnormal behaviour (here, access to a memory region that should in theory be inaccessible) could not have understood the root cause of the problem (here, a missing bounds check on an array). Free software: distributed but organised "Community", I write your name
9 Worst Cloud Security Threats Leading cloud security group lists the "Notorious Nine" top threats to cloud computing in 2013; most are already known but defy a 100% solution. Shadow IT is a great thing until it runs into the security of cloud computing. All too often, line-of-business users are establishing applications and moving data into the cloud without understanding all the security implications. The Cloud Security Alliance has put together a list of the nine most prevalent and serious security threats in cloud computing. The alliance bills its list as the "Notorious Nine: Cloud Computing Threats in 2013." The report was released in February and was composed by a group within the alliance, including co-chairs Rafal Los of HP, Dave Shackleford of Voodoo Security, and Bryan Sullivan of Microsoft. Here are the CSA's biggest concerns. 1. "It's every CIO's worst nightmare: the organization's sensitive internal data falls into the hands of their competitors," the report said.