Spam calendar invites from 16700700.com

Anyone else’s calendar getting completely spammed with invites from 16700700.com or 35700700.com ?


If you are, you are not alone: my calendar has been absolutely crammed with them. As far as I can tell there is no malware or anything security-wise that I have done to allow access to my calendar; it would appear that anyone can invite themselves to any calendar, an obvious security issue. The weak point is a feature rather than a break-in: iCloud automatically adds any invitation sent to your iCloud email address to your calendar, so all the spammer needs is a list of addresses to send events to.


It's easy to remove them by right-clicking and choosing Decline, but shortly after doing this for a single item my calendar was absolutely inundated with them, so don't do that! Declining sends a reply to the sender, which confirms that the address is live and that somebody is reading the calendar.

Update, 14th November 2016: Apple engineers have got back to me letting me know that they are working to resolve the issue, as it is a huge issue affecting lots of Apple iCloud accounts, and that they have seen a sudden increase in the requests over the past two weeks. In other, more worrying, news I now have bogus Photos requests too.

The most important things you should do are: change your iCloud password to something new, and turn on two-factor authentication for your account. Be clear about what that buys you, though: neither stops the invitation spam, because the spammer only needs your address, not your password. What does keep it out of the calendar is changing how invitations are delivered: on iCloud.com open Calendar, then Preferences, then Advanced, and under Invitations choose "Email to" your address instead of in-app notifications. The junk then arrives as ordinary email that you can delete without ever sending a reply to the spammer.

Essential viewing for web developers

Every now and again I come across some amazing videos on YouTube that I think are relevant to all web developers. One author (video blogger? I am not sure what they are called) who is particularly brilliant is Tom Scott. He wonderfully articulates how web vulnerabilities and their exploits happen, and how to ensure that you don't fall into the same traps as so many systems and sites out there.

One of Tom's most brilliant videos is his explanation of how a self-retweeting tweet worked (the TweetDeck cross-site scripting worm) and how to avoid the same mistake whenever you write the contents of a text box back out to the page: anything a user typed must be HTML-encoded before it is echoed.

Essential viewing videos for development teams:

Tom Scott – Cracking Websites with Cross Site Scripting – Computerphile

Tom Scott – Hacking Websites with SQL Injection – Computerphile

Dr Mike Pound – Advanced SQL Injection

Tom Scott – Cross Site Request Forgery – Computerphile

Tom Scott – How Not To Store Passwords

Tom Scott – Hashing Algorithms and Security

If you are a developer, and have any suggestions of videos that should be added to this list, please add a comment with the URL!

Firefox browser now blocks Adobe Flash by default


Adobe Flash is now blocked by default in all Windows and Mac versions of the Mozilla Firefox web browser. Is it high time Adobe finally consigned Flash to the outdated-technologies bin? Is this one security flaw too far? How good would it be if Adobe instead devoted its efforts to HTML5 and CSS tooling that delivers the vector animation which attracted web developers to Flash in the first place.

Following in the footsteps of Apple (Steve Jobs's then controversial open letter "Thoughts on Flash" in 2010), Mozilla is yet another company to have publicly raised serious concerns about the security of Flash and its long record of documented bugs.

Mozilla has unearthed evidence that bugs in Flash were being actively exploited by criminal groups to install malware and ransomware on users' machines. At present the exploits seen were limited to Firefox on Windows PCs.

Flash Plugin Blocked

On its support pages Mozilla said that the block would remain until Adobe releases an updated version that addresses the known critical security issues; the block is keyed to the plugin version, so installing Adobe's fixed release lifts it. Apple Safari has had a similar block for out-of-date Flash versions built in since version 7 in 2013.

My verdict: It’s time to pull the plug on Flash once and for all. Come on Adobe, think to the future instead of frantically patching the past!

WordPress critical bug on versions 4.2 and earlier

If your website runs on WordPress, you need to be aware that WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability which could enable anonymous users (anyone who can reach the site, with no account) to compromise your website.

WordPress 4.2.2 includes a comprehensive fix for this issue.

Please ensure that you update all instances of WordPress to 4.2.2 as soon as possible. You can do this by logging into your WordPress Dashboard and clicking "Update now" under the "Updates" option in the menu. WordPress normally applies minor releases like this one automatically in the background, but check the version shown on the Dashboard rather than assuming it has happened.

If your website is hosted by ISArc, they have already done this for you: your website will already be running WordPress 4.2.2.

For more information visit https://wordpress.org/news/


OpenSSL HeartBleed Bug – Explanation and fix

Heartbleed (CVE-2014-0160) is a recently discovered bug in OpenSSL's implementation of the TLS "heartbeat" extension (RFC 6520). It is nothing exotic, just a missing bounds check, but its effect is severe.

The bug is present only in OpenSSL versions 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release). The older 0.9.8 and 1.0.0 branches never had the heartbeat code and are not affected.

By exploiting this bug, an attacker can request that a running TLS server hand over a relatively large slice (up to 64 KB) of its process memory per heartbeat, and can repeat the request as often as they like without anything being logged. Since this is the same memory where OpenSSL holds the server's key material and the plaintext of recent traffic, an attacker can potentially obtain data such as:

1) private keys
2) TLS session keys
3) confidential data (passwords, session cookies, request and response bodies)
4) session ticket keys.

The same applies in reverse: a vulnerable client that connects to a malicious server can be made to leak its own memory in the same way.

The remedy

You can test whether a given server is vulnerable using this tool: http://filippo.io/Heartbleed/ (enter your domain as, for example, yourdomain.name:443). Only point it at hosts you are responsible for: it works by sending a real malformed heartbeat and reading back whatever leaks.

To check the OpenSSL version installed on your server, use the following command via SSH:

CentOS

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Ubuntu

# dpkg -s openssl | grep Version
Version: 1.0.1-4ubuntu5.6

Be careful reading those version strings: they tell you which upstream release the package was built from, not whether your distribution has back-ported the fix. CentOS's patched package still reports 1.0.1e and Ubuntu's still reports 1.0.1; only the package release number or its changelog shows whether CVE-2014-0160 has been fixed.

Having identified a problem, the first step is to patch OpenSSL. Fortunately this is relatively easy, since every major distribution shipped a fixed package within a day of the disclosure. Upstream 1.0.1g is not vulnerable, Debian and Ubuntu have patched packages, and as a last resort you can recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option. Patching only stops further leaks, though: because the bug leaves no trace, you have to assume the private key and any session secrets may already have been taken. After updating, generate a new key pair, have the certificate reissued, revoke the old one, and invalidate user sessions and reset passwords where the risk justifies it.

Installing the fix on CentOS:

The vendor package is the right fix, because it replaces the shared library (libssl.so in /usr/lib64) that httpd, nginx, Postfix and everything else actually load. Red Hat's fixed build is openssl-1.0.1e-16.el6_5.7 or later; its version string still says 1.0.1e, so confirm the fix from the package changelog rather than from openssl version:

# yum update openssl
# rpm -q --changelog openssl | grep CVE-2014-0160

If you must build 1.0.1g from source instead (for example on a box with no patched package):

# cd /usr/local/src
# wget -N http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -xzvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install
# alias cp=cp
# cp /usr/local/ssl/bin/openssl /usr/bin/openssl
# cd /usr/local/ssl/include
# ln -s /usr/local/ssl/include/openssl openssl

Be aware of what this does and does not do: it installs into /usr/local/ssl, and the cp at the end only swaps the command-line openssl binary (the alias cp=cp line is there to get past the distribution's interactive cp -i alias). Services linked against the system libssl keep using the old, vulnerable library until they are rebuilt or relinked against /usr/local/ssl, so openssl version printing 1.0.1g is not proof that the web server is fixed.

Once done, check the version (or, for the package route, the changelog) again and restart the web server:

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

Restart every service that links against OpenSSL (web, mail, VPN, database): a running process keeps the old library mapped in memory until it restarts, however new the file on disk is. Rebooting is the simplest way to be sure nothing was missed.

Installing the fix on Ubuntu:

# apt-get update
# apt-get install -y openssl libssl1.0.0

Ubuntu 12.04 fixed this in libssl1.0.0 1.0.1-4ubuntu5.12 (USN-2165-1), so dpkg -s libssl1.0.0 should now show that release or later. Restart any services using SSL, for the same reason as above.

What’s the TLS Heartbeat mechanism ?

The TLS heartbeat extension is designed to keep connections alive even when no data is being transmitted (and, for DTLS, to probe the path MTU). A heartbeat request carries a two-byte payload length, the payload itself and some random padding, and the other peer is supposed to respond by mirroring exactly that payload back. The bug is that OpenSSL trusted the length field in the request: it copied payload_length bytes from the start of the received payload into the response without checking that the record actually contained that many bytes, so a one-byte request claiming a 65,535-byte payload was answered with that byte followed by the next 64 KB of whatever the process happened to have in memory. The 1.0.1g fix is a single check that silently drops any heartbeat whose claimed length does not fit inside the record that arrived.
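To make the mechanism concrete, here is an added example (it is not code from this post or from OpenSSL) that models the heartbeat handling described above in Python: the unchecked behaviour of 1.0.1f and earlier sits next to the bounds-checked behaviour of 1.0.1g, and a small helper classifies an openssl version string against the affected range. The message layout follows RFC 6520; SAMPLE_MEMORY is a constructed stand-in for the bytes that happened to follow the record in the process heap, and the contents of that string are invented for the demonstration.

```python
"""
Added example, not code from the original post or from OpenSSL: a small
model of the TLS heartbeat handling that Heartbleed exploited, with the
unchecked (<= 1.0.1f) logic next to the bounds-checked (1.0.1g) logic,
plus a helper that classifies an `openssl version` string.
Message layout follows RFC 6520; SAMPLE_MEMORY is a constructed stand-in
for the bytes that happened to follow the record in the process heap.
"""
import re
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of random padding

# Constructed "heap contents" adjacent to the received record (invented data).
SAMPLE_MEMORY = (
    b"GET /login HTTP/1.1\r\nCookie: session=abc123\r\n\r\n"
    b"user=alice&password=hunter2\x00\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow..."
) + b"\x00" * 512


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """HeartbeatRequest: type(1) | payload_length(2) | payload | padding.
    claimed_len lets the caller lie about the length, as the exploit does."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def respond_unpatched(record: bytes, memory: bytes) -> bytes:
    """OpenSSL <= 1.0.1f behaviour: trust payload_length and copy that many
    bytes from where the payload starts, running off the end of the record."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    heap = record + memory            # the record sits in front of other heap data
    leaked = heap[3:3 + payload_len]  # memcpy(bp, pl, payload) with no check
    return struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING_LEN


def respond_patched(record: bytes, memory: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: the claimed length (plus header and padding) must fit
    in the record that actually arrived; otherwise drop the message silently."""
    if len(record) < 1 + 2 + PADDING_LEN:  # too short to hold even an empty payload
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None                   # the bounds check that 1.0.1f lacked
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Strip the header and padding from a HeartbeatResponse."""
    _, payload_len = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_len]


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected_version(version_string: str) -> bool:
    """True if the upstream version is in the affected range: 1.0.1 to 1.0.1f,
    or 1.0.2-beta1. Distribution builds back-port the fix without changing
    this string (a patched CentOS still says 1.0.1e), so True means
    'check the package changelog for CVE-2014-0160', not 'vulnerable'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    print(response_payload(respond_patched(honest, SAMPLE_MEMORY)))
    evil = build_heartbeat(b"x", claimed_len=400)  # 1 real byte, 400 claimed
    print(respond_patched(evil, SAMPLE_MEMORY))   # dropped: None
    print(response_payload(respond_unpatched(evil, SAMPLE_MEMORY))[:80])
```

Run it and the unpatched responder answers the one-byte request with 400 bytes: the byte, the padding, and then the constructed request, password and key material that followed it in "memory". On a real server the confirmation that matters is the package one: on CentOS, rpm -q --changelog openssl | grep CVE-2014-0160 tells you whether the back-ported fix is in, whatever openssl version prints.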

If you want to read more about this, the best written article I’ve found on this topic can be found here: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

How to add an SSL certificate to IIS in Windows Server 2008 R2

It's something I do without really thinking about: get another certificate and add it to the server so that the website can load with https:// instead of http://

I have used lots of different SSL providers, however I have found that the most reliable and easy to use is www.trustico.co.uk and their customer service and support is exceptional.

I will try to make this as step-by-step as I possibly can so that it’s easy to follow.

Part 1 – Creating the certificate request

1. Open the IIS (Internet Information Services) Manager


2. Click on the server name on the left hand side and then double-click on Server Certificates


3. On the right-hand-side of the server certificates section, click on Create Certificate Request


4. The Request Certificate wizard is displayed. The Common Name is the host name of the website you are securing, exactly as visitors will type it (www.example.com and example.com are different names as far as a certificate is concerned). In this example, I am creating a certificate for one of our systems, Good Morning Pulse.

There are two main types of certificate, single and wildcard. A single certificate is for one host name (e.g. https://www.google.co.uk); a wildcard certificate (*.google.co.uk) covers every name one level below the domain (https://maps.google.co.uk AND https://places.google.co.uk, and as many other sub-domains as you can think of) without having to purchase a separate certificate for each. Two things a wildcard does not cover: deeper levels such as a.b.google.co.uk, and the bare domain google.co.uk unless the CA adds it as a Subject Alternative Name.


The only REALLY important part of this is the common name: if it does not match the host name in the browser's address bar, every visitor will get a certificate warning.

Click on Next to continue

5. Change the bit length to 2048 or higher. A note of caution on this: a larger key makes every TLS handshake more expensive for the server (the cost of the RSA operation grows steeply with key size) and slightly enlarges the certificate, but it does not change the size of the pages themselves once the connection is established. 2048 is the right choice for almost everyone.

You should not choose any setting lower than 2048. CAs stopped issuing 1024-bit certificates at the end of 2013 and browsers have been removing 1024-bit roots, so 2048 is the minimum that will be accepted.


6. Next we are choosing a place to put the certificate request (just a plain text file). I normally put this on the Windows Desktop for ease of accessing in a few steps time.


Click on the browse button next to the file name box to choose the location


Give the file a name. I normally call it "certReq" (certificate request) just so I know what it is. If a file with that name already exists it will be overwritten.

Click on the Open button to select the file (it will be created if it does not already exist)

Click on Finish to complete the certificate request process

Part 2 – Submitting and creating the SSL certificate

1. Open the certificate request file you created in Part 1


Select the entire certificate request (Ctrl + A or Cmd + A) and copy it (Ctrl + C or Cmd + C), INCLUDING the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

2. Visit www.trustico.co.uk


Click on the Buy Cheap RapidSSL green button

2. Choose the type of SSL certificate you want to order (in this case I am ordering a normal RapidSSL certificate for £9.99). Click on the green Order Now button.

3. Choose how long you want the certificate to be valid for. Unless you want to go through this process every 12 months (which gets very time-consuming when you have tens or hundreds to renew), it's best to go for the longest period you can afford. Bear the trade-off in mind, though: a certificate that is valid for four years is also usable for four years by anyone who steals its private key, so keep that key tightly protected.


In this case, I am choosing 48 months, which is only £35.96 at the time of writing.

Issuance Insurance: it's your decision whether to keep this, and it depends on what you need. I always turn Issuance Insurance off, which in this case saves £48 off the bill. If you think you are going to move servers, keep it on unless you know how to export certificates (together with their private key) from one server to another (that's another tutorial for the future).


Click on Continue

4. Enter all your contact information. Make sure you have access to the email address supplied at this stage, otherwise you won't get the certificate at the end. (I have not entered all my details in the screenshot below yet.)


Click on Continue

5. Click on Submit newly generated certificate signing request (I don’t know why they think every word needs a capital letter, but anyway)

Paste in the certificate request that you copied in Step 1


Click on Continue

6. You are asked to verify the information. Click on Continue


7. Next you have to confirm that you own the domain name by receiving an email at an address on that domain (the CA typically only offers the standard ones such as admin@, webmaster@ or postmaster@, or the contact listed in WHOIS). If you don't have a mail server set up, the easiest way is to set up a mail forwarder to your own email address (very easy and free if you registered your domain with www.123-reg.co.uk).

Choose the email address to send the approver email to, and click on Continue


8. Read the subscriber agreement (has anyone ever read these?) Click on Continue


9. The confirmation details of what you are ordering are shown. Scroll down and click on Continue

10. Pay for the certificate. I always use PayPal, which makes the certificate issuing process very fast indeed. No matter how you pay, it always says thanks for your credit card payment.


That's the online (web) part done for now.

11. Check your email (or the address you chose at step 7 above, if it does not forward to your own mailbox). You will have an approval email that asks you to visit a URL and approve the certificate. Click on the link and click I APPROVE

12. Go get a cup of tea, coffee or coke, check your email, play Minecraft or whatever takes your fancy. It takes about 10 minutes for your certificate to be created, and it is then emailed to you.

Part 3 – Installing the certificate on the server

1. You should have an email from Trustico (in this example it took 12 minutes to reach me) with the subject RapidSSL Fulfillment E-Mail [certificate name]

Scroll down the email until you get to the -----BEGIN CERTIFICATE----- part. I have hashed out my certificate in the screenshot, although strictly there is no need: the certificate is public and is sent to every visitor who connects. It is the private key, which never leaves the server, that must be protected.


Select the whole certificate (including the begin and end lines) and Copy it to the clipboard (Ctrl + C or Cmd+C).

Go back to the server (or if you are already on it, get to the desktop)

2. On the server, Open Notepad

3. Paste in the certificate


4. Click on File, then Save As, and choose the Desktop again (or, if like me you have a lot of certificates, create a folder to keep them all in)

Give the certificate a name you will remember (I always put the years in so that I can distinguish between different years worth of certificates).

IMPORTANT – there MUST be the extension .cer at the end.

IMPORTANT – change the "Save As Type" to All Files (if you forget, Notepad adds .txt to the end of the file name, which you then have to remove to make it work)


Click on Save

5. You should now see a certificate on your desktop (or the folder where you saved it)


6. Open IIS and go to the Server Certificates item


7. Click on Complete Certificate Request on the right hand side


8. Choose your certificate for the File Name box

IMPORTANT – Friendly Name – if you ordered a wildcard certificate it is REALLY IMPORTANT that the friendly name starts with the asterisk from the common name (e.g. *.goodmorningpulse.co.uk). IIS 7 uses that leading * to decide whether it will let you set a host name on an https binding, so without it you cannot share one IP address between several sites on the wildcard certificate.

In this case, as it is a single certificate rather than a wildcard, the friendly name is only there so that you know which is which in the list, but it is still worth giving it a sensible one.


Click on OK

IIS matches the certificate against the pending request it created in Part 1, which is where the private key lives, and if successful (which it always should be if you have created the request correctly) adds the certificate to your list. If it fails, the usual reasons are that the request is being completed on a different server from the one that generated it, or that the pasted text was truncated; in either case recreate the request and have the certificate reissued.

Part 4 – Binding the certificate to the website

So you have your certificate on the server, and now you need to tell your website to use it. One limit of IIS 7.5 on Windows Server 2008 R2 to be aware of: it has no SNI support, so each https binding on the same port needs its own IP address unless the sites share one wildcard (or multi-domain) certificate.

1. In IIS, expand the Sites item on the left hand side

2. Right-click on the site you wish to use the SSL certificate for, and click on Edit Bindings


3. The site bindings are displayed. Click on Add

4. Change the type to https and then choose your new certificate from the SSL certificate list


Click on OK and then Click on Close

5. The site will now allow https connections! It's that simple!

Success!

If you want to make your site exclusively SSL (re-directing automatically from http to https) then check out this post.

Make your site exclusively SSL (re-directing automatically from http to https) on Windows Server

If you have an SSL certificate on your website, how do you automatically redirect ALL visitors to the SSL version? It's easy, and no code is required.

1. Open IIS

2. Click on the site you wish to change


3. Double-click on SSL Settings

4. Check the box Require SSL


5. Click on Apply (on the top right hand side)

6. Click on Error Pages

7. Double-click on the item with status code 403 (with Require SSL turned on, IIS answers every plain-http request with 403.4, which is handled by this entry)


8. Choose "Respond with a 302 redirect" and enter the full https address of the site. Two caveats: this redirects every 403 response, not only the 403.4 "SSL required" one, and it always lands on the address you enter here rather than on the page the visitor actually asked for. For a single-page site that is fine; for anything larger a URL Rewrite rule is the cleaner option.

9. Click on OK

10. Stop and restart the website and, hey presto, anyone who visits (for example) http://www.mywebsitetest.co.uk will be automatically redirected to https://www.mywebsitetest.co.uk. Once everything is served over https, consider also adding a Strict-Transport-Security response header so that returning browsers never try plain http at all.
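For anything more than a one-page site, the error-page redirect above loses the visitor's path (everyone lands on the single address typed into the 403 page) and fires for every 403, not just the "SSL required" one. The cleaner way, shown here as an added example that is not from the original post, is a rewrite rule in the site's web.config. It needs Microsoft's URL Rewrite module installed in IIS, and it uses the post's example host name www.mywebsitetest.co.uk; substitute your own.

```xml
<!-- Added example (not from the original post): web.config fragment that sends
     every plain-http request to the same path over https, query string included.
     Requires the IIS URL Rewrite module. The host name is the post's example. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <!-- match every request path; {R:1} below re-uses it -->
          <match url="(.*)" />
          <conditions>
            <!-- only act when the request did not arrive over TLS -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- 301: browsers cache it, so they stop trying http at all -->
          <action type="Redirect"
                  url="https://www.mywebsitetest.co.uk/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Leave the Require SSL box unchecked when you use this rule: the rule itself turns away every http request with a permanent redirect, so there is no longer a 403 to repurpose, and a visitor who typed http://www.mywebsitetest.co.uk/some/page?x=1 ends up on exactly that page over https rather than on the home page.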