Spam calendar invites from 16700700.com

Anyone else’s calendar getting completely spammed with invites from 16700700.com or 35700700.com?


If you are, you are not alone – my calendar has been absolutely crammed with them. As far as I can tell there is no malware involved, and nothing security-wise that I have done to allow access to my calendar; it would appear that anyone can invite themselves to any calendar – an obvious security issue.


It’s easy to remove them by right-clicking and choosing Decline, but shortly after doing this for a single item my calendar was absolutely inundated with them, so don’t do that! By declining you notify the sender that the address is a valid, actively used calendar.

Update: 14th November 2016 – Apple engineers have got back to me to let me know that they are working to resolve the issue, as it is affecting a large number of Apple iCloud accounts and they have seen a sudden increase in these requests over the past 2 weeks. In other, more worrying news, I am now getting bogus Photos sharing requests too.

The most important things you should do are: change your iCloud password to something new, and turn on two-factor authentication for your account.

Essential viewing for web developers

Every now and again I come across some amazing videos on YouTube that I think are relevant to all web developers. One author (video blogger? – not sure what they are called) who is particularly brilliant is Tom Scott. He wonderfully articulates how web technologies and their exploits happen, and how to ensure that you don’t fall into the same traps as many systems and sites out there.

One of Tom’s most brilliant videos is his explanation of how a self-retweeting tweet worked, and how to ensure that you don’t have the same issue with your own text boxes when writing their contents back out to the screen.
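The trap behind the self-retweeting tweet is writing user-supplied text back into the page without encoding it. As an added example (not from the post or the videos), here is the unencoded rendering next to a hardened version that encodes for the HTML text context and, separately, for the attribute context; the sample input is constructed, and the function names are my own.

```python
import html

# Constructed sample: the kind of text a user could type into a box whose
# contents are later written straight back into the page.
SAMPLE_INPUT = "<script>alert('xss')</script> hello & \"friends\""


def render_comment_unsafe(user_text: str) -> str:
    """The trap: user text is concatenated into HTML without encoding, so any
    markup or script it contains becomes part of the page."""
    return f'<div class="comment" title="{user_text}">{user_text}</div>'


def render_comment_safe(user_text: str) -> str:
    """Hardened form: encode once for the element body (text context) and once
    for the attribute value (quote=True also encodes single and double quotes,
    so the text cannot break out of the title="..." attribute)."""
    body = html.escape(user_text, quote=False)
    attr = html.escape(user_text, quote=True)
    return f'<div class="comment" title="{attr}">{body}</div>'


def leaks_raw_markup(rendered: str, user_text: str) -> bool:
    """Check helper: did the user's text reach the output unencoded?"""
    return user_text in rendered


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_comment_safe(SAMPLE_INPUT))
```

The same rule applies to every output context (URL parameters and JavaScript string literals need their own encoders), which is why templating engines that escape by default are safer than string concatenation.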

Essential viewing videos for development teams:

Tom Scott – Cracking Websites with Cross Site Scripting – Computerphile

Tom Scott – Hacking Websites with SQL Injection – Computerphile

Dr Mike Pound – Advanced SQL Injection

Tom Scott – Cross Site Request Forgery – Computerphile

Tom Scott – How Not To Store Passwords

Tom Scott – Hashing Algorithms and Security


If you are a developer, and have any suggestions of videos that should be added to this list, please add a comment with the URL!

Firefox browser now blocks Adobe Flash by default


Adobe Flash is now blocked by default on all Windows and Mac versions of the Mozilla Firefox web browser. Is it high time that Adobe finally consigned Flash to the outdated technologies bin? Is this one security flaw too far? How great would it be if Adobe instead devoted their efforts to developing tools for HTML 5 and CSS that achieve the moving vector functionality which attracted web developers to Flash in the first place?

Following in the footsteps of Apple (Steve Jobs wrote a then controversial open letter on the subject in 2010), Mozilla is yet another company that has publicly raised serious concerns about the lack of security and the widely documented bugs in Flash.

Mozilla has unearthed evidence that bugs in Flash were being actively used by criminal groups to exploit users and install malware and ransomware on their machines. At the time, the observed exploits were limited to Firefox installed on Windows PCs.

On their support pages Mozilla said that the block would remain until Adobe releases an updated version that addresses the known critical security issues. A similar block has been built into the Apple Safari browser since version 7 in 2013.

My verdict: It’s time to pull the plug on Flash once and for all. Come on Adobe, think to the future instead of frantically patching the past!

Security Flaw Puts Millions Of Samsung Galaxy Phones At Risk

If you are a Samsung Galaxy owner, there is yet another worrying announcement – a security flaw that lets attackers install malware onto your device or, alternatively, eavesdrop on your phone calls.

Chicago-based security firm NowSecure has published a report claiming that the bug lives in the SwiftKey keyboard software (the SDK version only), which is installed on more than 600 million Samsung devices. It states that the bug allows a remote attacker who is able to control a user’s network traffic to execute arbitrary code on the user’s phone.

The security flaw concerns the SwiftKey keyboard software, which comes installed by default. More worrying is that there is no option to uninstall the SwiftKey keyboard; if it’s there, it’s there for good.

An unscrupulous individual can secretly install malware on a user’s device, access the camera, microphone and GPS, and listen in on calls and messages, change the way other apps behave and even steal photos and text messages.

NowSecure also claims it notified Samsung of this problem towards the end of last year. Samsung did provide a patch for the problem to network operators earlier in 2015, but it is not known whether the networks made this patch available to many users.

Potentially affected devices include the Samsung Galaxy Edge, S6, S5, S4 and the S4 mini.

As the software can’t be uninstalled, NowSecure has said the best way to tackle the situation is to avoid unsecured Wi-Fi networks, which is really a completely impractical bit of advice for most phone owners.

“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability.”
– SwiftKey CMO Joe Braidwood.

SwiftKey also confirmed that the problem doesn’t affect the version of the app that can be manually downloaded from the app store.

There are already lists of over half a million infected Android phones available on Tor, which anyone can connect to in order to turn on the camera remotely, so keep an eye on your phone; if you see the camera light coming on, turn the phone off immediately and report it to your local police.

OpenSSL HeartBleed Bug – Explanation and fix

Heartbleed is a recently discovered bug in OpenSSL’s implementation of the TLS ‘heartbeat’ mechanism.

The bug is present only in the OpenSSL versions 1.0.1 through 1.0.1f!

By exploiting this bug, an attacker can request that a running TLS server hand over a relatively large slice (up to 64 KB) of its process memory. Since this is the same memory space in which OpenSSL also stores the server’s private key material, an attacker can potentially obtain data such as:

1) private keys
2) TLS session keys
3) confidential data
4) session ticket keys.

The remedy

You can test if a given server is vulnerable using this tool: http://filippo.io/Heartbleed/ (enter your domain as for example: yourdomain.name:443)

To check the OpenSSL version running on your server, use the following command via SSH:

CentOS

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Ubuntu

# dpkg -s openssl | grep Version
Version: 1.0.1-4ubuntu5.6

Having identified a vulnerable version, the first step is to patch OpenSSL. Fortunately this is relatively easy: version 1.0.1g is not vulnerable, and Debian has a patch. You can also recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option, which removes the heartbeat code entirely.
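When you have many servers, the version strings above are easier to classify in code than by eye. The following is an added example (not from the post) that takes the output of `openssl version` or the Debian/Ubuntu package version and reports whether the upstream release is in the affected 1.0.1 to 1.0.1f range; the function names are my own, and the check assumes `openssl` is on the PATH when run locally.

```python
import re
import subprocess

# Upstream releases carrying the vulnerable heartbeat code: 1.0.1 (no letter)
# through 1.0.1f. 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not affected.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str):
    """Pull (major, minor, fix, letter) out of 'openssl version' output such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013', or a package line such as
    'Version: 1.0.1-4ubuntu5.6'. Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_heartbleed_affected(text: str) -> bool:
    """True when the upstream version string falls in 1.0.1 .. 1.0.1f."""
    major, minor, fix, letter = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return False
    # 1.0.1 with no letter, or letters a-f, carry the bug; 1.0.1g removed it.
    return letter == "" or letter in tuple("abcdef")


def check_local_openssl():
    """Classify the locally installed binary; returns None if openssl is not on PATH."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_heartbleed_affected(out)


if __name__ == "__main__":
    result = check_local_openssl()
    if result is None:
        print("openssl not found on PATH")
    else:
        print("affected" if result else "not affected (by upstream version string)")
```

One caveat: Debian and Ubuntu fix security bugs by backporting into the existing upstream version, so a package string such as 1.0.1-4ubuntu5.6 still says 1.0.1 after the distribution has patched it. Treat this classifier as reliable for builds compiled from upstream source (as in the CentOS steps below); for packaged builds compare the Debian revision against the distribution’s security advisory, or test the running service with the tool linked above.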

Installing OpenSSL 1.0.1g from source on CentOS (run as root; the alias cp=cp line undoes the default interactive cp -i alias so the copy is not prompted):

# cd /usr/local/src
# wget -N http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -xzvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install
# alias cp=cp
# cp /usr/local/ssl/bin/openssl /usr/bin/openssl
# cd /usr/local/ssl/include
# ln -s /usr/local/ssl/include/openssl openssl

Once done, check the version again and restart the web server:

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

Restart any services using SSL.

Installing OpenSSL 1.0.1g on Ubuntu:

# apt-get update
# apt-get install -y openssl libssl1.0.0

Restart any services using SSL.

What’s the TLS Heartbeat mechanism?

The TLS Heartbeat mechanism is designed to keep connections alive even when no application data is being transmitted. A heartbeat message sent by one peer contains a payload of arbitrary data together with a field declaring the payload’s length. The other peer is supposed to respond with an exact mirror of the same payload. The bug is that the vulnerable OpenSSL versions trusted the declared length without checking it against the size of the message actually received.
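To make the missing check concrete, here is an added example (written for this page, not OpenSSL’s code) of a hardened heartbeat parser that rejects any message whose declared payload length does not fit inside the bytes received, beside a simulation of the unchecked behaviour operating on a constructed byte buffer that stands in for the process heap. The message layout follows RFC 6520; the function names and sample data are my own.

```python
import struct

# Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
MAX_PAYLOAD = 16384  # upper bound on payload_length allowed by RFC 6520


def build_heartbeat(hb_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise a heartbeat message whose declared length matches its payload."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding


def parse_heartbeat(record: bytes):
    """Hardened parser: the declared payload_length must fit inside the record
    that was actually received (the check OpenSSL 1.0.1g added). Returns
    (type, payload) or raises ValueError, in which case the peer sends nothing."""
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short to hold a heartbeat header and padding")
    hb_type = record[0]
    (payload_len,) = struct.unpack("!H", record[1:3])
    if payload_len > MAX_PAYLOAD:
        raise ValueError("payload_length exceeds the protocol maximum")
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise ValueError("declared payload_length exceeds the bytes received")
    return hb_type, record[3:3 + payload_len]


def heartbeat_response(record: bytes) -> bytes:
    """Mirror a valid request's payload back, as the protocol requires."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HB_REQUEST:
        raise ValueError("only heartbeat requests are answered")
    return build_heartbeat(HB_RESPONSE, payload)


def unchecked_payload(memory: bytes, offset: int) -> bytes:
    """Simulation of the pre-1.0.1g behaviour: trust payload_length and copy that
    many bytes starting after the header, whatever the record's real size.
    `memory` is a constructed buffer standing in for the process heap, with the
    heartbeat record starting at `offset`; whatever lies beyond the record is
    copied into the reply. This is illustrative code, not OpenSSL's."""
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    start = offset + 3
    return memory[start:start + payload_len]
```

The hardened parser fails closed: a malformed heartbeat produces no response at all, so the only thing a peer can ever get back is the data it sent. Compiling with -DOPENSSL_NO_HEARTBEATS goes one step further by removing the handler altogether, which is why it is an acceptable stopgap when upgrading is not immediately possible.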

If you want to read more about this, the best written article I’ve found on this topic can be found here: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Check for server vulnerabilities using a free web

We have many Windows Server 2008 R2 servers that host systems, and recently had been getting lots of failed logon attempts, so it was imperative that we investigated not only the source, but how to prevent them even trying.

This is a fantastic free web-based utility that scans the computer it is running on.

https://www.grc.com/x/ne.dll?bh0bkyd2