InfoSec Links April 24, 2014

April 24, 2014

Heartbleed disclosure timeline: who knew what and when - Ben Grubb - The Sydney Morning Herald

A pretty good breakdown of the Heartbleed timeline. Google’s security team was the one that found the bug and they’ve recently begun to take some flak on not notifying people more quickly.

Ephermal Apps - Bruce Schneier - Schneier on Security

I am beginning to question everything in my life and you should to. Case in point, Snapchat says pictures are a one and done, but are they really? The recipient could screenshot the communication and Snapchat could be storing those images on an internal server.

States: Spike in Tax Fraud Against Doctors - Brian Krebs - Krebs on Security

Just another reason to get your taxes done as soon as possible. If you don't like doing taxes and you procrastinate until the April 15 deadline then you just may find that other people have filed taxes on your behalf. In this link it appears doctors are being targeted, but they're far from the only target.

This post first appeared on Exploring Information Security.

OpenSSL Heartbleed Links April 12, 2014

April 12, 2014

Trying to protect yourself from Heartbleed could land you in jail - Chris Smith - BGR

There are laws in place that say testing a website's security without permissions is illegal. This would include running checks using Heartbleed websites or the Heartbleed Chrome app i linked to in Friday's post. They would have to enforce the law first, but technically you're still breaking the law when you do it. Which just further highlights how far behind the law is when it comes to the internet.

NSA Denies Knowing About Heartbleed Bug - Denver Nicks - Times

It was only a matter of time before the NSA was going to be thrown under the Heartbleed Bug Bus. The NSA has two directives to gather intelligence from it's enemies AND defend the country. Knowing about the bug in OpenSSL and not reporting it would be a massive epic fail for the NSA.

How The Heartbleed Bug Works - xkcd

A very well done, yet simple, visualization of how the Heartbleed bug works.

This post first appeared on Exploring Information Security.

OpenSSL Heartbleed Links April 10, 2014

April 11, 2014

This is really serious stuff people. If you haven't been paying attention to the Heartbleed bug news, now is the time. Below are some links to get you started.

Everything you need to know about the Heartbleed Bug - Timothy B. Lee - Vox

Pretty good description and intuitive layout to get to know everything about the Heartbleed Bug.

Heartbleed - Codenomicon

This site is kind of, sort of, the official site of the Heartbleed bug. It was up very quickly and gives a lot of detail on the latest vulnerability to rock the internet.

Heartbleed Bug: What Can You Do? - Brian Krebs - Krebs On Security

If you're wondering what you should be doing in regards to this vulnerability, Brian lays it out clearly in this post. Get ready to reset a lot of passwords.

The Heartbleed Hit List: The Passwords You Need to Change - Mashable

Okay so the full title is "The Passwords You Need to Change Right Now," which is being a little melodramatic (it's a ratings based site, they're looking for the clicks). Before you go running to change passwords make sure the websites that have been vulnerable have fixed the vulnerability. There is no sense in changing a password if they're still vulnerable because your new password would be immediately vulnerable. If a site offers two-factor authentication, turn it on (Google has it). To check websites there are a number of sites (and Chrome addons) you can use. Here are the ones I've used:

Heartbleed test

SSL Server Test - Qualys

This post first appeared on Exploring Information Security.