Information about this breaking SSL attack is coming in from a variety of sources.  I will share some better links.

A couple of articles to get you started, sent to me via Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLEs dead in their tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) for a POODLE test tool to check if your browser is vulnerable.

POODLE Test

For OS X users who would like to run Chrome or Firefox with command line options from the desktop, read on.

To easily click and open from your desktop, create a bash script like the following.  Use VI, TextEdit, TextMate, TextWrangler, or your favorite text editor.

#!/bin/bash
#
# Launch Chrome with TLS 1.0 as the minimum protocol version (no SSL 3.0)
open -a "Google Chrome" --args --ssl-version-min=tls1 &

Save the preceding to a file named chrometls.command.  Open the directory where chrometls.command is stored; on my system I store scripts in ~/bin.  Next you need to make sure chrometls.command is executable, so run the following.

chmod +x chrometls.command

Now open up Finder and drop a copy of the chrometls.command file you created on your desktop.  Double-click this file on your desktop and OS X will launch Chrome – bada bing, bada boom, you're done!
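An added check, not part of the original post: `open -a` hands `--args` only to an application it actually starts, so if Chrome is already running the launcher just brings the existing instance forward without the flag. The function below reads `ps` output and reports Chrome browser processes that lack the flag; the binary path pattern and the `checktls.sh` name are assumptions.

```bash
#!/bin/bash
# Added example: confirm a running Chrome actually received the TLS floor flag.
# Assumes Chrome's main binary path ends in ".app/Contents/MacOS/Google Chrome".

# Reads "PID COMMAND" lines (as from: ps -axo pid=,command=) on stdin.
# Prints the PID of each Chrome browser process started without the flag.
# Returns 0 = every browser process has it, 1 = at least one lacks it,
#         2 = no Chrome browser process found.
check_chrome_tls_floor() {
  local seen=0 missing=0 pid cmd
  while read -r pid cmd; do
    case "$cmd" in
      # Helper processes are not the browser process; skip them.
      *"/Contents/MacOS/Google Chrome Helper"*) continue ;;
      *"/Contents/MacOS/Google Chrome"|*"/Contents/MacOS/Google Chrome "*) ;;
      *) continue ;;
    esac
    seen=1
    case " $cmd " in
      # Any value beginning with "tls" (tls1 in the launcher above) excludes SSL 3.0.
      *" --ssl-version-min=tls"*) ;;
      *) echo "$pid"; missing=1 ;;
    esac
  done
  [ "$seen" -eq 1 ] || return 2
  return "$missing"
}

# Live check on OS X: ./checktls.sh --live   (checktls.sh is a hypothetical name)
if [ "${1:-}" = "--live" ]; then
  if bad=$(ps -axo pid=,command= | check_chrome_tls_floor); then
    echo "OK: Chrome is running with --ssl-version-min set"
  elif [ -n "$bad" ]; then
    echo "Chrome PID(s) without the flag: $bad (quit Chrome, relaunch via chrometls.command)"
  else
    echo "Chrome is not running"
  fi
fi
```

If a PID is reported, quit Chrome completely and start it again from chrometls.command so the flag is applied at launch.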

If the terminated shell is messing with your OCD there is an option to automatically close shell windows once the command or script terminates.  Open a Terminal; in the Terminal preferences, on the profile tab, you will see a set of drop-down options, “When the shell exits”.  Change the value to “close if the shell exited cleanly”.  After you launch the browser the shell will close automagically.  I write some shell scripts on occasion but not usually under OS X so I thought I would pass this along for those in need.

When I run Chrome in this way I see the Springfield Terrier, indicating I’m not vulnerable; the command line arguments from Errata work for me.

–Milton

Interesting article by Data Genetics on PIN Analysis sent via Bruno Borges (Twitter: @brunoborges).  I included one of their tables (photo to left).  As an example, if an adversary chooses pin “1234” they will be correct about 11% of the time.  This implies, if they steal 100 ATM cards and try 1234 for the pin number they will likely be successful on 11 cards.  Furthermore, 26.83% of all pins could be guessed choosing only numbers from the table – better odds than Vegas.  Readers will also learn how to choose better pin numbers among other interesting pin factoids.

–Milton


Great martian war from PLAZMA on Vimeo.

I don’t want to set off any War of the Worlds hysteria; this video is a total fabrication but entertaining and realistic looking.  Rare footage of the 1914 Martian conflict, from the History Channel, via Cory Doctorow and Boing Boing.  See Doctorow’s article for background.  Enjoy!

–Milton

Brian Krebs (Twitter: @briankrebs) of krebsonsecurity.com releases a new cyber security book, Spam Nation, on November 18, 2014.  Bloomberg Businessweek provides an interesting teaser on the book’s Amazon page.  I don’t have the inside track or an advance copy of this book but Krebs is a talented writer, investigator, and presenter.  I’m sure it will make a great security book.  I have already pre-ordered my copy.

–Milton