Saturday, April 12, 2014

Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data:

An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes. The bug, nicknamed Heartbleed by researchers at Google Inc. and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said. On Tuesday, website operators, including Yahoo Inc., raced to fix the problem. Several researchers said earlier that they had been able to capture Yahoo usernames and passwords. Many other major websites, such as Google, Amazon.com Inc. and eBay Inc., appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc.

The bug exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job. The limited resources behind the encryption code highlight a challenge for Web developers amid increased concern about hackers and government snoops. Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. This type of encryption is called SSL, or secure sockets layer, or TLS, or transport layer security. Web servers that use the affected versions of the code store some data unprotected in memory.

Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic.

http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076


The National CyberThreat Level has been raised to HIGH. I can’t remember the last time that happened. 
WHAT TO DO:
· Check to see if any websites you have accounts on are vulnerable:

"Heartbleed Hit List" (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/), a listing of some popular websites and their vulnerability status

"Heartbleed Test" (http://filippo.io/Heartbleed/), a tool for checking status of individual websites

· Change passwords for all online accounts and e-mail, giving first priority to critical accounts.

· Be alert for phishing scams. CIS received reports of phishing campaigns related to this vulnerability, attempting to lure victims to credential-stealing sites. If you need to change your password, type the URL of the organization in a browser and do not click on links in emails that ask you to reset your passwords.



CAPT. Lloyd Bumanglag CAP

Wednesday, April 02, 2014

SQ 150 Safety Meeting 3 April 2014


It's that happy time of the month already. Attendance at this Thursday's meeting will garner an extension of members' safety currency. SM Mike Wetsman will hold forth delivering the benediction and then we will adjourn to an admin session whereby the folks who garnered their new (and re-treaded) ES ratings will lock them down into eServices.

On hand to help with this will be the Commander and the Senior ES officer. Look forward to seeing you all there.

W. H. Phinizy, Lt Col, CAP
Squadron Commander