Apple Developer Website is Down

It is never a good sign when you visit a website and see “We’ll be back soon” at the top of the page. Sometimes, it can mean that the site is going through normally scheduled maintenance and truly will be back online in a little while. Not so with the Apple Developer website!

To clarify, the website (at the time I am writing this blog) actually does say “We’ll be back soon”. It also says that it was taken down on Thursday, July 18, 2013. When will it return? At the moment, that is unknown. The situation is undoubtedly causing frustration for developers who need to access the website.

Here are some key points of the message that currently sits on the Apple Developer website:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email address may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

It goes on to say that they are going to be completely overhauling their developer systems, including updating their server software and rebuilding the entire database. If you are a developer who needs that website, all you can do is be patient and wait for the overhauling to be completed.

On the positive side of things, Apple says that if you are a developer, and your program membership was set to expire while this overhaul is happening, not to worry. They will extend your membership and your app will remain on the App Store.

Tumblr had a Security Glitch

Tumblr users might want to change their password. The official Tumblr feed announced an important security update for people who were using Tumblr on an iPhone or iPad.

If that describes you, Tumblr suggests that you download an update. There is a link on the Tumblr announcement page that you can click to download the update.

In addition to the update, Tumblr also suggests that you change your password if you have been using either the iPad or iPhone apps to access Tumblr. The reason for the update (and the suggestion that you change your password) is in response to a security issue. Something in the iPad and iPhone Tumblr apps allowed passwords to be compromised “in certain circumstances”.

It appears that if you only access Tumblr from their website, you won’t need to download the update. It also sounds like people who used the Android app to access Tumblr are unaffected by this security glitch.

I just started using Tumblr fairly recently, but I realize it has been around for quite a while. The biggest benefit I’m seeing so far is that I can “follow” the Tumblr accounts of my friends directly through Tumblr. For me, this means I can take their Tumblr accounts out of the Reader I’m using (FeedWizard). It’s much easier just to check them out through Tumblr itself.

Avast cites unsecured WiFi usage as reason to release new VPN client

VPN (virtual private network) clients have been around for some time, and are utilized by many corporations. It is a technology that individual users should also take advantage of. Avast hopes to make that security option a trend with a new effort to help the average user be more secure when using a laptop or other mobile device at the local Starbucks.

Citing a survey the company carried out, Avast has announced it is now releasing its own VPN client, called SecureLine. The company claims that it polled 340,000 users and 46 percent of worldwide respondents connect via public WiFi. The security firm also listed such numbers as “29 percent in the UK perform security-sensitive transactions such as shopping or online banking despite the risk of hackers accessing their credentials”.

To answer this growing need, Avast announces, “We developed SecureLine due to growing demand from our customers”. According to the company’s Chief Executive Officer Vincent Steckler, “half of PC users in the US access unsecured WiFi hotspots. And, about a third of them perform security-sensitive transactions – such as shopping, banking, or anything requiring a password”.

SecureLine is now seamlessly integrated into all of Avast’s free and premium products, and when customers connect to unsecured WiFi, they will receive a message that provides them with some insight into the risks of using public and unsecured WiFi, as well as the choice of a secure VPN connection — at a cost of $7.99 per month.

With Avast now claiming usage on more than 184 million computers worldwide, the addition of more secure connections could make a noticeable difference, but it comes down to customer behavior and habits to really make a major impact. That, I am afraid, will not be improving anytime soon.

Photo Credit: BigStock

PayPal is hackable, denies teenager bounty for finding the bug

PayPal, the popular online payment transfer service owned by eBay, is currently under fire on two fronts. The banking service is vulnerable to attack, thanks to a bug in its system, and it is also refusing to pay its standard bounty to the person who found said vulnerability, citing that security researchers must be at least 18 years of age, leaving the 17-year-old out in the cold.

Robert Kugler, the German security researcher behind the bug report, posted details about the vulnerability on the Full Disclosure mailing list Friday.

“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old,” Kugler, who turns 18 next March, wrote on Seclists.

The bug bounty program has been in effect since June of 2012. Other companies, including Firefox and Mozilla, have similar programs, and PayPal does not list any age requirement in its published program rules.

As for the flaw, it is a cross-site scripting (XSS) vulnerability, and the company plans to fix the issue, but is refusing comment on the failure to pay the bounty. GNC earlier sent an email to the service, but has received no reply.

Did DHS leak your personal data?


This week the U.S. Department of Homeland Security (DHS), an organization we rely on to protect us and keep the country safe, revealed that, perhaps, it has not protected its own employees. According to a report from ThreatPost, the organization has begun the notification process about a possible information leak.

“The Department of Homeland Security this week began notifying up to tens of thousands of employees, contractors and others with a DHS security clearance that their personal data may be at risk,” writes TP’s Anne Saita.

In a statement on its website, DHS announced, “The Department of Homeland Security (DHS) has recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations”. Not exactly the news any employee wishes to hear.

Those impacted include employees and contractors who submitted background investigation information, and anyone else who sought a DHS clearance between July 2009 and May 2013, including employees at headquarters, Customs and Border Protection, and Immigration and Customs Enforcement.

The DHS stresses that it has no indication that data was accessed by any third party, but is still recommending that the thousands of people affected take proper precautions.

Photo Credit: Bigstock

SpyEye hacker extradited to the U.S.


The United States has had little luck with landing Kim Dotcom or Julian Assange, but it has managed to grab a hacker. Hamza Bendelladj, known online as Bx1, is an Algerian hacker who was captured and extradited from Thailand. He was arrested back in January while moving through the Bangkok airport on his way from Malaysia.

Bendelladj stands accused of hijacking customer accounts at more than 200 financial institutions using the SpyEye program. Losses allegedly total more than 100 million USD over the past five years. SpyEye allowed the attacker to alter web pages displayed in a person’s web browser and trick them into entering personal data.

Variants of both SpyEye and Zeus have been used by criminals to automate the process of transferring money. Bendelladj faces 23 charges from a 2011 indictment. He arrived in Atlanta on Thursday and was arraigned on Friday. He faces up to 30 years in prison and as much as a 14 million USD fine. Security researcher Brian Krebs has posted a PDF of the indictment on his site.

Image: Computer Hacker by BigStock

Java updated last week, still vulnerable today


Oracle’s Java platform seems to be in an endless battle with Adobe Flash to see which can take the crown as the most compromised platform on your computer. Last week Oracle rolled out 42 patches for known security holes — and this was just another day for the oft-attacked software.

Now Security Explorations of Poland has announced it has found a new Reflection API vulnerability that affects all Java versions, including 7u21, which was just released last Tuesday. “It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday.

Attackers can exploit this latest vulnerability to achieve a complete Java security sandbox escape, Gowdiak says, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit.

There is no telling when Oracle will patch this latest flaw, but the company generally follows a Microsoft-like approach, rolling out updates in one big release.

Really, the best solution is to simply uninstall Java if you have no need for it. Also, do not confuse Java with JavaScript, which is mostly safe. Java can also be disabled within your browser — a move I recommend you make.

VUDU had a Break-In – Informs Customers 18 Days Later

Those of you who have been using VUDU to watch movies may have received a rather scary email recently. No, the company didn’t get hacked. Instead, what happened was a physical break-in to their offices. Whoever did it walked away with multiple hard drives that contained important data such as customer names, encrypted passwords, addresses, and phone numbers. In other words, the hard drives had some of the personal information that most people would not want a random stranger to get hold of.

VUDU says that the passwords that were on the hard drives were encrypted, so there’s that. The company also says that there were no full credit card numbers on the hard drives that were stolen. Even so, VUDU has reset customers’ passwords. They posted a blog post about the situation that says:

There was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives. Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While stolen drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

March 24, 2013 was… let’s see… 18 days ago! That’s a really long time to wait before letting customers know that their personal information may, potentially, be in the hands of whoever broke into the VUDU offices and stole the hard drives! Their blog goes on to say:

We are still in the process of sending email messages.

This means that there could very well be some VUDU customers who have not yet been informed about the break-in. That’s rather shocking! Typically, the sooner a company lets customers know that their data may be in the hands of thieves, the better. I feel bad for the people who are going to read a blog post about the break-in before VUDU contacts them about it. Why did they wait so long? Again, their blog has an answer:

We notified law enforcement immediately when the break-in was discovered, and have worked closely with them on the investigation. We have also worked to reconstruct the information that was included on the drives to ensure we had an accurate assessment.

Perhaps the company is aware of the potential damage customers may face due to the break-in and the length of time VUDU waited before letting people know about it. They have made arrangements for customers to be automatically eligible to receive identity protection services from AllClear ID. You can find out more about the AllClear service, what it provides, and how to enroll on VUDU’s blog. It doesn’t mention if the service is free or if there will be a charge for using it (only that customers are “eligible”).

Evernote User Passwords have been Compromised

Users of Evernote were recently sent an email that said that the company had decided to implement a password reset. It required 50 million users to reset their passwords. Why? The answer is the usual one when a company urges users to change their passwords – Evernote got hacked over the weekend.

This explains the difficulties that my husband and I had when we went grocery shopping. He uses Evernote to create grocery lists (instead of writing it down on paper). Usually, this works really well. However, when we got to the store and he tried to open Evernote, it wasn’t functioning as he expected it to. Oh, no! Could hackers be reading our grocery lists? If so, then they must be awfully bored.

The email Evernote sent to its users says:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

It goes on to say that this is the reason why they are implementing a password reset. So, if you opened Evernote today, and wondered why it was asking you to reset your password, now you know. Evernote says that they have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. It also says:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted).

There are helpful suggestions on the Evernote website (where the email it sent to users was posted) that give advice about how to create a more secure password. It also points out that you should not click on “reset password” requests in emails, and should instead go directly to the service itself to do that.
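Both the VUDU and Evernote notices above lean on the same defensive detail: the stolen passwords were not stored in the clear but as salted, one-way hashes, which is why a reset is a precaution rather than an emergency. The following is an added example written for this post (it is not VUDU’s or Evernote’s code, and nothing is known about their actual parameters) showing why salting matters and how a service verifies a login against a stored record. It uses Python’s standard library PBKDF2-HMAC; the iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not any vendor's real settings).
ITERATIONS = 600_000   # slow down offline guessing of a stolen record
SALT_BYTES = 16        # per-user random salt


def unsalted_hash(password: str) -> str:
    """The weak form: identical passwords give identical digests, so one
    precomputed table of common passwords serves every account in a stolen
    database. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields) so the parameters travel with the digest and can be raised
    later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so a malformed record or wrong guess is simply
    rejected rather than raising or leaking timing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Constructed sample: two users who happened to pick the same password."""
    pw = "correct horse battery staple"
    records = {"alice": hash_password(pw), "bob": hash_password(pw)}
    return {
        # unsalted: same password, same digest, one lookup table breaks both
        "unsalted_collide": unsalted_hash(pw) == unsalted_hash(pw),
        # salted: same password, different stored records
        "salted_differ": records["alice"] != records["bob"],
        "alice_ok": verify_password(pw, records["alice"]),
        "alice_wrong": verify_password("wrong guess", records["alice"]),
        "garbage_record": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record format is the design point: storing the algorithm and iteration count beside each digest lets an operator raise the work factor for new logins while old records still verify, which is exactly the kind of migration a company does after an incident like the ones above.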

Abine shows off better web security

Abine is a start-up based in Boston that is aiming to enhance the online security of everyday users with things like privacy, encryption and more.

There is a lot involved here and you will likely need to watch the video to understand where Abine is going – alias phone numbers, which the mobile app can block on a per-caller basis. The company also offers Do Not Track, Delete and Encryption services. Some portions of the service Abine runs are free, while others are paid services.

Interview by Jeffrey Powers of Geekazine and Scott Ertz of F5 Live
