Heartbleed


This topic is so important that I will cover it in both German and English. Please scroll down for the English version. And there will be no tl;dr! If you are too lazy to read about something that important but keep on using the Internet, you probably deserve to be hacked! If you aren't interested in my media criticism, please pay special attention to the part on what to do and what not to do!

There is quite a bit of uncertainty about the vulnerability called Heartbleed. What is that supposed to be? I don't even use this software, OpenSSL! I have to change all my passwords IMMEDIATELY! etc.

The widely read SPON in particular shows once again what our media do best: spreading panic! Instead of educating, it is all about conspiracy theories, finger-pointing and nonsensical demands. SPON is only meant as an example here, even though in my opinion they once again take the cake.

The Problem

Why does Heartbleed potentially affect everyone? OpenSSL is a so-called framework, i.e. software that is meant to be embedded in other software. This is done because, for one thing, it is nonsense for everyone to reinvent the wheel. For security software in particular that is hardly possible anyway, because mathematically secure methods are very complicated and very few companies have the know-how that something like this requires. And so, according to estimates, 2/3 of web services use OpenSSL for the secure transmission of data. That is why practically everyone really is affected.


SERIOUS: Update your iDevice and don’t use Safari!


In case you haven’t heard: there is a SERIOUS bug in iOS/OS X which affects SSL/TLS and basically renders it ineffective. SSL/TLS is used to encrypt and protect data sent via secure connections, e.g. when using HTTPS to shop with Amazon, for your online banking, or when sending your passwords encrypted over the network, e.g. mail passwords, etc. You are especially vulnerable if you’re outside your secured network (e.g. office or home network), i.e. in a shared network, such as wireless hotspots, mobile networks, etc.

Both iOS and OS X are affected. For iOS, Apple has already released patches, and they even cover devices that are officially not supported anymore, i.e. 3GS and iPod Touch. Those devices should UPDATE to version 6.1.6; all newer devices should UPDATE to version 7.0.6.

Unfortunately, for OS X the patch is still being developed, so here you’ll want to check your software status regularly and until then DO NOT use the Safari browser. You’ll be fine using Firefox, Opera or Chrome, which ship their own implementation of SSL/TLS.

Other applications affected are:

  • Calendar
  • Facetime
  • Keynote
  • Twitter
  • Mail
  • iBooks
  • Software Update

Or, to put it briefly: all Apple software (and third-party software using the Apple Security Framework) that provides ways to connect to servers. It should be relatively safe to use these applications at home, but UNDER NO CIRCUMSTANCES should you use them in wireless networks that other people can use as well, i.e. anywhere outside your secured home network.

For more information also read the article Why Apples Huge Security Flaw is so Scary!

GitHub introducing 2FA


Three days ago GitHub released what Battle.net users might already know: Two-factor Authentication (2FA). 2FA is an authentication method that uses more than one of the three known authentication factors:

  • Knowledge
  • Possession
  • Inherence

Each of these factors describes a different means of authenticating a person. The easiest and most widespread is knowledge, e.g. password authentication. A password is something that (ideally) only the user who is to be authenticated knows. Other examples include PINs or patterns (such as those implemented by Android). Also pretty well known are biometric scanners, e.g. for fingerprints, iris, voice recognition, etc. These are inherent features of a person, therefore they fall under the third group: you have to be the person to be authenticated. And then there is possession. These authentication methods include magnetic stripe cards, smart cards, RFID tags, but also physical keys. For computer systems, security tokens are becoming well known: a little device, small enough to be carried on a key chain, with a small display showing a number that changes with time.

So, while most systems use only one of these authentication factors, a 2FA system uses at least two of them. As mentioned above, Battle.net was one of the first (at least to my knowledge) to introduce a 2FA system, as many Battle.net accounts are today worth a lot of money. Battle.net accounts have become a lucrative target for skiddies – I witnessed this myself when my brother’s Diablo II account was once hijacked, causing him to lose all his characters and probably a lot of money. The Battle.net Authenticator is provided either as a key chain device or as an app which turns your mobile phone into an authentication device that only the owner possesses.

Generally speaking, GitHub uses the same mechanism, though it offers more possibilities and uses an open source 2FA token generation scheme, for which there are many smartphone implementations, the most famous being the Google Authenticator. On the server side it is supported by many service providers, including App.net (see instructions), Facebook(!!!) (instructions), Dropbox (instructions), Evernote (instructions) – and now also GitHub.
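
How the "number that changes with time" is derived and checked on the server side, as an added example that is not part of the original post and is not GitHub's code: Google Authenticator implements TOTP (RFC 6238, built on HOTP from RFC 4226). The secret is the RFC's published test key, and the names `totp`, `verify` and `last_used_counter` are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps

# Constructed sample: the published RFC 6238 test key, base32-encoded the way
# authenticator apps receive secrets. Never use it for a real account.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, digits: int = DIGITS) -> str:
    """The number the token displays at Unix time `now`."""
    return hotp(base64.b32decode(secret_b32), int(now) // STEP, digits)


def verify(secret_b32, submitted, now, last_used_counter=-1, window=1):
    """Server-side check. Returns the matched time-step counter, or None.

    Accepts +/- `window` steps to tolerate clock drift and refuses any step
    at or before `last_used_counter`, so an observed code cannot be replayed.
    """
    key = base64.b32decode(secret_b32)
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_used_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(key, counter).encode(), submitted.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(SECRET_B32, 59)
    print(code, verify(SECRET_B32, code, 59))
```

Store the returned counter per account and pass it back as `last_used_counter` on the next login attempt, so a code is accepted only once.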
