
Thursday, April 10, 2014

Heartbleed Bug Online security breach is described as 'catastrophic'

Internet users told to change ALL passwords in security alert over 'catastrophic' Heartbleed bug

  • Online security breach is described as 'catastrophic'
  • Alert is result of internet bug Heartbleed being uncovered
  • Heartbleed is able to bypass websites' security measures to access passwords and personal information

Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.

Major technology firms have urged the public to immediately update their online security.

The alert is the result of the discovery of an internet bug called ‘Heartbleed’, which is able to bypass computer security settings.
LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren't affected

HOW TO BEAT THE BUG

If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.

The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.
His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.

A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.

‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.

WHICH MAJOR SITES ARE AT RISK?

Potentially vulnerable sites:

Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander

Safe sites:

Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub

The tool is a guide to affected services; it is not a definitive list.

Sites listed as vulnerable may use unreported servers, meaning their status can't be officially verified.
As a result, personal information such as passwords and credit card details has been accessible.



Saturday, March 1, 2014

Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ

• 1.8m users targeted by UK agency in six-month period alone
• Optic Nerve program collected Yahoo webcam images in bulk
• Yahoo: 'A whole new level of violation of our users' privacy'
• Material included large quantity of sexually explicit images
The GCHQ program saved one image every five minutes from the users' feeds. Photograph: Chris Jackson/Getty Images
Britain's surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.
GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.
In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of "a whole new level of violation of our users' privacy".
GCHQ does not have the technical means to make sure no images of UK or US citizens are collected and stored by the system, and there are no restrictions under UK law to prevent Americans' images being accessed by British analysts without an individual warrant.
The documents also chronicle GCHQ's sustained struggle to keep the large store of sexually explicit imagery collected by Optic Nerve away from the eyes of its staff, though there is little discussion about the privacy implications of storing this material in the first place.
Optic Nerve, the documents provided by NSA whistleblower Edward Snowden show, began as a prototype in 2008 and was still active in 2012, according to an internal GCHQ wiki page accessed that year.
The system, eerily reminiscent of the telescreens evoked in George Orwell's 1984, was used for experiments in automated facial recognition, to monitor GCHQ's existing targets, and to discover new targets of interest. Such searches could be used to try to find terror suspects or criminals making use of multiple, anonymous user IDs.
Rather than collecting webcam chats in their entirety, the program saved one image every five minutes from the users' feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ's servers. The documents describe these users as "unselected" – intelligence agency parlance for bulk rather than targeted collection.
One document even likened the program's "bulk access to Yahoo webcam images/events" to a massive digital police mugbook of previously arrested individuals.
"Face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," it reads. "The best images are ones where the person is facing the camera with their face upright."
The agency did make efforts to limit analysts' ability to see webcam images, restricting bulk searches to metadata only.
However, analysts were shown the faces of people with similar usernames to surveillance targets, potentially dragging in large numbers of innocent people. One document tells agency staff they were allowed to display "webcam images associated with similar Yahoo identifiers to your known target".
Optic Nerve was based on collecting information from GCHQ's huge network of internet cable taps, which was then processed and fed into systems provided by the NSA. Webcam information was fed into NSA's XKeyscore search tool, and NSA research was used to build the tool which identified Yahoo's webcam traffic.
Bulk surveillance on Yahoo users was begun, the documents said, because "Yahoo webcam is known to be used by GCHQ targets".
Programs like Optic Nerve, which collect information in bulk from largely anonymous user IDs, are unable to filter out information from UK or US citizens. Unlike the NSA, GCHQ is not required by UK law to "minimize", or remove, domestic citizens' information from its databases. However, additional legal authorisations are required before analysts can search for the data of individuals likely to be in the British Isles at the time of the search.


Tuesday, November 19, 2013

CEO Marissa Mayer moves to calm privacy fears after reports US spy agency gained access to Google and Yahoo data centres

Yahoo to add encryption to all services in wake of NSA spying revelations


Yahoo recently announced it was beefing up security on its email service by introducing more encryption. Photograph: Michael Nelson/EPA
Yahoo will add encryption to all its products by spring 2014, chief Marissa Mayer has announced, in a bid to tackle users’ privacy fears in the wake of reports that the National Security Agency had accessed the tech firm's data centres.
In a blogpost on Monday, Mayer said: “We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it. As you know, there have been a number of reports over the last six months about the US government secretly accessing user data without the knowledge of tech companies, including Yahoo.
“I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever. There is nothing more important to us than protecting our users’ privacy.”
Mayer’s move comes after the Washington Post reported last month that the NSA had broken into the main communications links that connect Yahoo and Google data centres around the world.
According to documents obtained from former NSA contractor Edward Snowden and interviews with officials, the NSA, in partnership with its British counterpart GCHQ, has been copying large amounts of data as it flows across fibre-optic cables that carry information between the companies’ worldwide data centres.
After the story broke, Yahoo said government attempts to circumvent its online security systems offered “substantial potential for abuse”. Eric Schmidt, Google’s executive chairman, called the news “really outrageous”.


Friday, November 15, 2013

Silicon Valley Nerds Seek Revenge on NSA Spies With Coding

By Chris Strohm - Nov 15, 2013 10:42 AM CT
Google Inc., Facebook Inc. and Yahoo! Inc. are fighting back against the National Security Agency by using harder-to-crack code to shield their networks and online customer data from unauthorized U.S. spying.
The companies, burned by disclosures they’ve cooperated with U.S. surveillance programs, are protecting user e-mail and social-media posts with strengthened encryption that the U.S. government says won’t be easily broken until 2030.
The National Security Agency headquarters in Fort Meade, Maryland. Photographer: NSA via Getty Images
While the NSA may find ways around the barriers, the companies say they have to assure users their online connections are secure and data can’t be grabbed when transmitted over fiber-optic networks or digitally stored.
Microsoft Corp. is convinced it must “invest in protecting customers’ information from a wide range of threats, which if the allegations are true, include governments,” Matt Thomlinson, general manager of trustworthy computing, said in an e-mail. He didn’t provide details.
Internet companies including Google, Yahoo, Facebook, Microsoft and Apple Inc. are trying to distance themselves from news reports that they gave the agency data on electronic communications of Americans and foreigners or have lax security.
While the companies are trying to prevent the NSA from gaining unauthorized access to their data, they say they comply with legal court orders compelling them to provide the government information.
The NSA has tapped fiber-optic cables abroad in order to siphon off data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on documents leaked by former NSA contractor Edward Snowden.

Game On

Companies are fighting back primarily by using increasingly complex encryption, which scrambles data using a mathematical formula that can be decoded only with a special digital key. The idea is to protect sensitive information like e-mails, Internet searches and digital calls.
Google has accelerated efforts to encrypt information flowing between its data centers, doubled the length of its digital keys and implemented measures to detect fraudulent certificates for verifying the authenticity of websites, according to a statement from the Mountain View, California-based company.
NSA spy programs have “the great potential for doing serious damage to the competitiveness” of U.S. companies, Richard Salgado, Google’s director of law enforcement and information security, told a Senate subcommittee Nov. 13.
“It’s very important that the users of our services understand that we are stewards of their data, we hold it responsibly, we treat it with respect,” Salgado said. “We’ve already seen impacts on the businesses.”

Government Threat

Google, Yahoo and Facebook generated $44.4 billion in advertising revenue so far in 2013 in part by mining users’ private data, according to Bloomberg Industries.
An Aug. 14 analysis by Forrester Research Inc. analyst James Staten found the U.S. cloud computing industry could lose as much as $180 billion by 2016 due to the spying disclosures.
Yahoo will make encrypted connections standard by January for all its Mail users with 2048-bit digital keys, Sarah Meron, a spokeswoman for the Sunnyvale, California-based company, said in an e-mail.
Facebook, in addition to moving toward 2048-bit encryption keys, is accelerating a tactic known as “perfect forward secrecy” that prevents the NSA from deciphering the communications of users if it obtains a security code, Jodi Seth, a company spokeswoman, said in an e-mail.

Battle brews as tech companies attempt to fend off NSA hacking

Google, Facebook, Yahoo, and others are all improving their data encryption to discourage the NSA from accessing user information.
The NSA allegedly gathered millions of records from Google and Yahoo data centers around the world, but soon, the agency might have a much harder time trying to collect this type of data.
Google, Yahoo, Microsoft, Apple, and other prominent technology companies are investing heavily in stronger, 2048-bit encryption. Due to computing power constraints, it's expected to be more than a decade before this type of encryption can be easily overcome.
Google, one of the leaders in the effort, announced in May that it would switch over to 2,048-bit encryption keys by the end of 2013. Yahoo recently confirmed to Bloomberg, which spoke with several tech companies that are investing in new encryption, that it will make 2048-bit encryption standard by January 2014 for all its Mail users. Facebook also plans to move to 2048-bit encryption, a spokeswoman told Bloomberg, and will roll out "perfect forward secrecy," a feature that prevents snoopers from accessing user data even if they can access the company's security codes.