Roj Bash Kurdistan

[Piling]

Why not ? Chinese do it !

[Anthea]

9 April

It has been lovely here today - warm sunshine - fresh air - bliss

My friends keep trying to get me to move closer to London WHY

Where they live on the outskirts of London - the nearest they get to lamb is in their kebabs

[Anthea]

10 April

For obvious security reasons I am limiting the sites I visit - so will not be passing on much news for the next few days

I hope that everyone else is being as cautious

The "Heartbleed" bug has shown how vulnerable to attack the internet is - however strongly and diligently we try to protect our computers and our on-line security - there is little we can do to protect ourselves from server based bugs

SUGGESTIONS:

Protect your computer as much as possible

Protect your personal details at all times

NEVER use on-line banking

Have 2 separate bank accounts

a) 1 main account that is never used for any on-line banking or purchases

b) 1 unconnected account containing only limited amount of money to enable on-line purchases

Use several unconnected email addresses

The best on-line security comes from using a live distro such as tails

There is much advice in the computer section of this forum I would suggest people study it

[Anthea]

Heartbleed

http://heartbleed.com/



Heartbleed Bug Causes Major Security Headache

http://abcnews.go.com/Technology/wireSt ... d-23247031

CNNTech

The 'Heartbleed' security flaw that affects most of the Internet

http://www.cnn.com/2014/04/08/tech/web/ ... index.html



Little Internet users can do to thwart 'Heartbleed' bug

http://www.reuters.com/article/2014/04/ ... 4U20140409

[Piling]

Well, I have changed my yahoo, tumblr and amazon password. It seems that google and apple have recited quickly to the danger.

What else could be done ? just wait for the stones falling from the sky.

[Anthea]

Well, I have changed my yahoo, tumblr and amazon password. It seems that google and apple have recited quickly to the danger.

What else could be done ? just wait for the stones falling from the sky.

I hate to tell you but until the fault has been fixed you will be better off staying away from most of the sites

Even though you have changed your passwords if the site has not been fixed your new password is also at risk

And now that the weakness has become so well known several THOUSAND hackers are trying to make use of the flaw

I recommend doing what I am doing and staying away from most of the sites for at least the next week

[Piling]

I hate to tell you but until the fault has been fixed you will be better off staying away from most of the sites

Ha ha ! Impossible ! I take the risk.

[Anthea]

I suggest that everyone go to the following link:

Everything you need to know about Heartbleed bug

viewtopic.php?f=9&t=14998

[Piling]

Did you got the Vanly's copy ? Or CIA intercepted it ?

[Anthea]

Did you got the Vanly's copy ? Or CIA intercepted it ?

You gave me one link which I am sure I thanked you for - not sure about second link been staying off the internet for a few days

I will have to check

[Anthea]

11 April

I am still avoiding most internet sites due to the large number of hackers now trying to make use of the bug - I am not prepared to take too many risks and also I am very busy

[Piling]

Not a link, I sent the pdf by mail but surely CIA has intercepted it and now is seeking for this dangerous agent called Ismet Cheriff

[Anthea]

Not a link, I sent the pdf by mail but surely CIA has intercepted it and now is seeking for this dangerous agent called Ismet Cheriff

I apologise I had been avoiding my emails for the past few days due to the bug

Thank you for the link

I will read it over the next few days but what I have seen looks very interesting and a little shocking

[Anthea]

12 April

I wonder if it is safe to use the internet again

Still no fix for Heartbleed

[Anthea]

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.

Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.

Testing to see what version of OpenSSL a site is running, and whether it is also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law.

Chris Wysopal, co-founder of Veracode and former member of the celebrated Boston-based hacking crew L0pht, was among the first security researchers to raise the issue:

Does probing for the #heartbleed vuln without a website owners permission violate the #CFAA? Are the testing sites legal?
— Chris Wysopal (@WeldPond) April 10, 2014

"I would say it would certainly contravene the Computer Misuse Act in the UK," said computer security researcher David Litchfield, a celebrated expert in database security issues. "This is no different than say testing to see if a site is vulnerable to SQL injection. It's not legal without permission."

Unauthorised security probing is illegal under section 3 of the UK's Computer Misuse Act 1990, whatever the intent, as case law has established.

IT lawyer Dai Davis, a solicitor at Percy Crow Davis & Co , told El Reg that actively scanning for the Heartbleed vulnerability would violate the UK computer crime laws, even though this "violation" is unlikely to be enforced.

"Under UK law you could argue running scans is just about criminal," Davis told El Reg. "It's not in the spirit of the law but the Computer Misuse Act is badly written."

Some security researchers argued that there ought to be an exemption to these laws if the activity is "helpful", while others say that this aspect of computer crime law is not being enforced or is, in any case, being ignored.

"It’s not legal, but vast numbers of otherwise ethical security professionals are testing every site on the internet," tweeted Martin McKeay, a security researcher at Akamai.

Heartbleed is a pretty bad bug in widely used OpenSSL that creates a means for attackers to lift passwords, crypto-keys and other sensitive data from the memory of secure server software, 64KB at a time.

The mega-vulnerability was patched earlier this week, and software should be updated to use the new version, 1.0.1g. But to fully clean up the problem, admins of at-risk servers should generate new public-private key pairs, destroy their session cookies, and update their SSL certificates before telling users to change every potentially compromised password on the vulnerable systems.