Wednesday, April 09, 2014

HEARTBLEED CYBER BUG

JEWISH KING JESUS IS COMING AT THE RAPTURE FOR US IN THE CLOUDS - DON'T MISS IT FOR THE WORLD. THE BIBLE TAKEN LITERALLY - WHEN THE PLAIN SENSE MAKES GOOD SENSE, SEEK NO OTHER SENSE, LEST YOU END UP IN NONSENSE.

ISN'T THIS INTERESTING. MICROSOFT YESTERDAY STOPPED PROTECTING WINDOWS XP. AND THEN THIS CYBER BUG, THE HEARTBLEED BUG, SUDDENLY TURNS UP YESTERDAY. DO WE SEE CONNECTIONS HERE? MICROSOFT CAN GRAB ALL OUR INFORMATION UNDER THE GUISE OF THIS CYBER BUG. THIS BUG IS AFFECTING CANADA'S INCOME TAX DATA AND COMPUTERS ALL AROUND THE WORLD. CANADA'S INCOME TAX SITE IS CLOSED ONLINE AS A RESULT.

“Heartbleed” Bug Exposes Passwords, Web Site Encryption Keys

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL — OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert).

Tax services may be offline until weekend because of Heartbleed bug (Tu Thanh Ha, Bill Curry and Adrian Morrow, The Globe and Mail, Wednesday, Apr. 09 2014, 4:35 PM EDT)

The Canada Revenue Agency probably won’t have tax services back online until at least the weekend after shutting down public access on Tuesday evening in response to a major international security glitch. The agency made the move just three weeks ahead of the April 30 deadline for filing personal income tax returns.

Private security researchers announced on Monday the discovery of Heartbleed, a massive Internet encryption flaw that exposed millions of passwords and had been undetected for more than two years.

“We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend,” the agency said in an updated statement posted at 3 p.m. Wednesday.

“The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians who count on the CRA for online information and services. Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption,” the agency said.

The impact of the bug could soon lead to a much wider shutdown of federal government services. A government official told The Globe and Mail that other federal departments are “on an urgent basis” deciding whether they should follow the CRA in pulling its online options. The official described the bug as one of the most serious security flaws uncovered in recent years and said Heartbleed has the capacity to reveal the sensitive contents of a server’s memory.

The federal government is likely going through its inventory of servers to decide which websites need to be dealt with first, said cybersecurity expert Raymond Vankrimpen. “They’ve obviously identified this CRA website as a critical one to take offline. But I have no doubt that there are other government websites that use SSL technology,” said Mr. Vankrimpen, a partner at the financial advisory firm Richter. “They’re probably triaging everything.”

WHAT IS HEARTBLEED?

The Heartbleed bug affects a common cryptographic program called OpenSSL, and specifically how OpenSSL is used in combination with a communication protocol called the RFC6520 heartbeat. Such “heartbeats” help a remote user remain in touch after connecting with a website server, Mr. Vankrimpen said.

Because of a coding flaw, a small chunk of the server’s memory content, about 64 kilobytes of memory, can leak out with each heartbeat. While 64 kilobytes doesn’t represent a large amount of memory content, it is large enough to hold a password or an encryption key, allowing an unscrupulous user to return to exploit the server further. “Once you have the encryption key, then you have the keys to the kingdom,” Mr. Vankrimpen said.

Servers at the CRA run on a common hosting software called Apache, which uses OpenSSL, though it is not known if they rely on the RFC6520 heartbeat.
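The mechanism described above, as an added example and not OpenSSL's own code: a simplified C handler for the RFC 6520 heartbeat that applies the bounds check the fixed versions added, discarding any request whose claimed payload length exceeds what the peer actually sent. The heartbeat messages are constructed samples, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 6520 HeartbeatMessage inside a TLS record body:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Vulnerable OpenSSL trusted payload_length and copied that many bytes back,
 * so a request claiming 65535 bytes while carrying a few made the server echo
 * whatever sat after the request in memory. Fixed versions drop such records. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build the HeartbeatResponse for one record body; returns the response
 * length, or -1 when the record must be silently discarded. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */
    /* The bounds check the vulnerable code lacked: header + claimed payload
     * + minimum padding must fit inside the bytes the peer actually sent. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);             /* echo only received bytes */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);  /* fresh padding, not memory */
    return (int)resp_len;
}

/* Constructed samples (not captures): a well-formed request carrying the
 * 4-byte payload "ping", and the Heartbleed pattern, which claims 65535
 * payload bytes while sending those same 4 bytes. */
int demo_valid_request(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);   /* 23 */
}
int demo_oversized_claim(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```

The same length-versus-record comparison is what network-level detection for this bug keys on: a heartbeat request whose declared payload is larger than the record carrying it has no legitimate reason to exist.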

ANXIETY IN ONTARIO

The Ontario government confirmed that it uses OpenSSL, but it said it has not found that any information is at risk of getting hacked as a result of Heartbleed.

“As of right now, we have not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government,” said Jenna Mannone, a spokeswoman for Government Services Minister John Milloy, whose ministry oversees the collection of information for such things as health cards and drivers’ licences. She said IT staff are taking a close look at the system.

“The Ontario government does use OpenSSL software and is aware of the reported software flaw,” Ms. Mannone wrote in an e-mail. “As a result, government IT experts immediately acted to look into the matter, and are working to ensure that all data and information remains protected.”

HOW IS THE CRA AFFECTED?

The CRA temporarily shut down public access to its online services late Tuesday evening and issued a public notice on its website Wednesday morning. The notice said that affected online services include EFILE, NETFILE and My Account, which taxpayers would normally access to track their refund or check their RRSP limit. The shutdown also affects business accounts.

While promising to resume the online services as soon as possible, the CRA said that it would give consideration to taxpayers who are unable to meet filing deadlines.

The shutdown will not affect appointments at the more than 1,000 Canadian offices of H&R Block, a leading tax preparer, according to the company’s senior tax analyst, Cleo Hamel. Ms. Hamel said tax returns will be prepared and then filed later when the electronic filing option is back online. If the shutdown turns out to be prolonged, other options would be used.

“If we have to print them all off and take them into the CRA ourselves, we’ll do that,” she said. “I would anticipate within a couple of days or less this will get rectified.” Ms. Hamel noted that the CRA had a temporary shutdown during tax time in 2008 and it did not cause major problems.

While Revenue Minister Kerry-Lynne Findlay said the agency is acting out of precaution, her U.S. counterpart is not making any changes in response to the bug. Bruce Friedland, a spokesman for the Internal Revenue Service, said the IRS continues to accept tax returns as normal as it approaches its April 15 tax deadline.

“Our systems continue operating and are not affected by this virus, and we are not aware of any security vulnerabilities related to this situation. We continue to monitor the situation and remain in contact with our software partners. The IRS advises taxpayers to continue filing their tax returns as they normally would,” he said in an e-mail.