Archive for January, 2009
Payment Processor Breach May Be Largest Ever
by Daniel on Jan.25, 2009, under Security
Somewhere in the region of 100 million credit card numbers have been acquired from the payment processor Heartland by cyber-criminals, in what is likely to be the largest breach of its kind to date.
Payment Processor Breach May Be Largest Ever – Security Fix.
What makes this worse is that Heartland was PCI DSS compliant, having passed its audit in April 2008. Undoubtedly this will bring about even further debate about the validity of the PCI standard.
-Daniel
Rapleaf4Thunderbird 0.86 Released
by Daniel on Jan.07, 2009, under Rapleaf 4 Thunderbird
Almost a year after the very first release of the RAP4TB plugin, here is another version (this is actually beta release #7). For the first time since the very early releases there is a significant new feature.
For contacts that have profile pictures on Facebook, MySpace or a couple of other social sites, their profile picture now appears in Thunderbird next to the headers! By default Facebook is the preferred source (MySpace can be set in the preferences); if no picture is available from the preferred source, an image from another site (if one is provided) is used instead.
Other changes in this release:
- Emails in the format name+specifier@host.com are rewritten as name@host.com before the lookup. As a side note, the + symbol is valid in an email address: mail is routed by the domain part, and most mail providers treat everything from the + onwards in the local part as a tag for the same mailbox (sub-addressing). That is a widely followed convention rather than a guarantee, so the rewrite assumes the address follows it.
- When an email arrives from facebookmail.com, we now look up the Reply-To address instead, as it is often more interesting.
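As an added illustration of the two lookup rules above, here is a small Python example written for this page; it is not code from the RAP4TB plugin (which is a Thunderbird extension), and the function names and sample headers are my own constructions. It strips the plus-tag only from the local part, leaves quoted local parts alone, and picks the Reply-To address for facebookmail.com senders with a fallback to From.

```python
from email.utils import parseaddr

# Sender domains whose notification mails carry the interesting address in Reply-To.
REPLY_TO_DOMAINS = {"facebookmail.com"}


def normalize_plus_address(addr):
    """Rewrite name+specifier@host.com as name@host.com.

    Only the local part is touched: the domain is never split on '+', a
    quoted local part (which may legitimately contain '+') is left alone,
    and an address whose local part starts with '+' is kept as-is because
    there is no base name to fall back to.  The domain is lower-cased so
    that addresses differing only in domain case compare equal.
    """
    addr = addr.strip()
    if "@" not in addr:
        raise ValueError("not an email address: %r" % addr)
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if local.startswith('"'):
        return "%s@%s" % (local, domain)
    base = local.split("+", 1)[0]
    if not base:
        return "%s@%s" % (local, domain)
    return "%s@%s" % (base, domain)


def address_for_lookup(from_header, reply_to_header=None):
    """Choose the address to look up for a message, mirroring the two rules:
    prefer Reply-To for facebookmail.com senders, then strip the '+tag'.

    Headers may carry a display name ("Bob <bob@x.com>"); parseaddr handles
    that and returns '' for an empty or unparsable header.
    """
    _, from_addr = parseaddr(from_header or "")
    if not from_addr:
        raise ValueError("From header has no address: %r" % from_header)
    chosen = from_addr
    if from_addr.rsplit("@", 1)[-1].lower() in REPLY_TO_DOMAINS:
        _, reply_addr = parseaddr(reply_to_header or "")
        if reply_addr:          # fall back to From when Reply-To is missing
            chosen = reply_addr
    return normalize_plus_address(chosen)


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    print(address_for_lookup("Daniel <daniel+lists@Example.com>"))
    print(address_for_lookup("notification+abc@facebookmail.com",
                             "Bob Smith <bob+fb@gmail.com>"))
```

The fallback matters in practice: a facebookmail.com message with no usable Reply-To would otherwise produce an empty lookup key, so the From address is used instead.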
Here it is: rap4tb-0.86
As always your feedback is welcome.
Have fun,
-Daniel
Forging SSL Certificates
by Daniel on Jan.01, 2009, under Security
For a while now it has been known that the MD5 hash algorithm is susceptible to collisions, which reduces the security it provides, although until now the impact has been mostly theoretical.
Now some enterprising researchers have used this weakness (along with a cluster of 200 PlayStation 3 consoles to do the collision computation) to create a rogue certificate authority certificate that chains to a trusted root, essentially allowing them to issue certificates for any name that browsers will trust implicitly.
Schneier on Security: Forging SSL Certificates.
There are a couple of factors that mean the internet isn’t ‘broken’ by this:
- By itself it is not particularly useful to have a certificate for “example.com”; I also need to convince the victim's machine that “example.com” is at my IP address. (Some of the recent DNS cache-poisoning vulnerabilities could be used for this.)
- Most CAs no longer sign with MD5, and those that still do are moving to more secure algorithms.
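As an added practical check for that second point (is a certificate, or the CA certificate above it, still signed with MD5?), the following Python is an example added here; it is not code from this post, from Schneier's article, or from the researchers' work. It walks just enough DER to reach the signature AlgorithmIdentifier, flags MD2/MD5-based signatures, and cross-checks that the algorithm recorded inside tbsCertificate matches the outer one, as RFC 5280 requires. The certificate it inspects is a constructed skeleton built by make_toy_cert, not a real certificate; the OID table and function names are my own.

```python
# Minimal DER walker that reports which signature algorithm a certificate
# carries.  Not a full X.509 parser: it only descends far enough to reach the
# two AlgorithmIdentifiers (the outer signatureAlgorithm and the copy inside
# tbsCertificate, which RFC 5280 requires to be identical).

OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Signature algorithms built on a hash with practical collision attacks.
BROKEN_HASH_SIGS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _algid_oid(algid):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_certificate(der):
    """Return the signature algorithm of a DER certificate plus two verdicts."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be converted first)")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = _read_tlv(cert, 0)
    _, outer_algid, _ = _read_tlv(cert, pos)
    outer = _algid_oid(outer_algid)
    # TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature, ... }
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:
        pos = 0                             # no version field: first element was the serial
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, inner_algid, _ = _read_tlv(tbs, pos)
    inner = _algid_oid(inner_algid)
    return {
        "oid": outer,
        "name": OID_NAMES.get(outer, "unknown"),
        "hash_broken": outer in BROKEN_HASH_SIGS,
        "algid_mismatch": inner != outer,
    }


# --- constructed sample: a structurally valid skeleton, not a real certificate ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def make_toy_cert(sig_oid, tbs_oid=None):
    """Build a Certificate skeleton signed with sig_oid.  Issuer, subject, key and
    a real signature are omitted, so it parses but would never verify."""
    def algid(o):
        return _tlv(0x30, _oid(o) + b"\x05\x00")          # OID + NULL parameters
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))             # version [0] EXPLICIT v3
               + _tlv(0x02, b"\x01")                       # serialNumber 1
               + algid(tbs_oid or sig_oid))                # signature (inner copy)
    return _tlv(0x30, tbs + algid(sig_oid) + _tlv(0x03, b"\x00" + b"\xAB" * 4))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_certificate(make_toy_cert(oid)))
```

To run it on a real certificate, convert PEM to DER first (openssl x509 -in cert.pem -outform DER -out cert.der) and pass open("cert.der", "rb").read() to check_certificate; the command-line equivalent is openssl x509 -in cert.pem -noout -text, which prints a Signature Algorithm line. A chain is only as strong as the weakest signature in it, so check every certificate up to the root, not just the leaf.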
One comment that Bruce made in his blog (linked above) that I disagree with is about people ignoring SSL warning messages. I have never ignored SSL warnings (and I make sure my family and colleagues do the same); they are there for a reason, and if I see one I make sure I understand why I am seeing it before doing anything I wouldn’t want to be compromised. I strongly recommend taking SSL warnings (like all security messages) seriously.
-Daniel
