Bring the world to your website with Twitter


You want the world to see your website, and we can help. Start targeting over 200 global markets* with a Website Card today:
Whether you have an eCommerce shop, a blog, or a landing page — Website Cards guide the right audience from their timeline to your site in a single click.

ZF2015-09: Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2)
generate a "word" for a CAPTCHA challenge by selecting a sequence of random
letters from a character set. Prior to this advisory, the selection was
performed using PHP's internal array_rand() function. This function does not
generate sufficient entropy because it draws from rand() instead of a
cryptographically secure source such as openssl_random_pseudo_bytes(). This
could lead to information disclosure should an attacker be able to brute force
the random number generation and thereby predict the challenge word.

Action Taken

The code used to randomly select letters was updated as follows:

  • In Zend Framework 1.12.17, the methods randBytes() and randInteger() were
    added to Zend_Crypt_Math. Zend_Captcha_AbstractWord was updated to use
    Zend_Crypt_Math::randInteger() instead of array_rand() when selecting
    letters for the CAPTCHA word.
  • In the package zendframework/zend-captcha 2.4.9/2.5.2 and Zend Framework
    2.4.9, Zend\Captcha\AbstractWord was updated to use
    Zend\Math\Rand::getInteger() instead of array_rand() when selecting
    letters for the CAPTCHA word.
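The difference between the two selection methods, as an added example that is not code from the advisory or from Zend Framework: the legacy pattern picks each letter with array_rand(), while the hardened version uses a CSPRNG-backed integer. random_int() is used here as a stand-in for Zend\Math\Rand::getInteger() (an assumption of this example, PHP 7.1 or later), and the isSeedDependent() check is a simple way to tell the two apart in a test suite.

```php
<?php
// Added example, not code from the ZF2015-09 advisory or the Zend project.
// Shows why array_rand() is an unsuitable source for a CAPTCHA word: it draws
// from PHP's seedable Mersenne Twister, so once the seed is known the word is
// reproducible. random_int() stands in for Zend\Math\Rand::getInteger() as the
// CSPRNG-backed selection (assumption of this example; PHP >= 7.1).

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz';

// Legacy pattern (before ZF 1.12.17 / 2.4.9): one array_rand() call per letter.
function legacyWord(int $length): string
{
    $letters = str_split(ALPHABET);
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $letters[array_rand($letters)]; // array_rand() returns a key
    }
    return $word;
}

// Hardened pattern: index chosen by a cryptographically secure generator.
function hardenedWord(int $length): string
{
    $letters = str_split(ALPHABET);
    $max = count($letters) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $letters[random_int(0, $max)]; // unaffected by mt_srand()
    }
    return $word;
}

// Defender's check: a generator that repeats its output after the userland
// PRNG is re-seeded with the same value is drawing from a predictable source.
function isSeedDependent(callable $generator, int $length = 8): bool
{
    mt_srand(1234);                 // constructed, fixed seed
    $first = $generator($length);
    mt_srand(1234);
    $second = $generator($length);
    return $first === $second;
}

var_dump(isSeedDependent('legacyWord'));
var_dump(isSeedDependent('hardenedWord'));
```

The legacy generator reports seed dependence, the hardened one does not; the same check can be pointed at any word-based CAPTCHA adapter to confirm it no longer relies on array_rand().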

The following releases contain the fixes:

  • Zend Framework 1.12.17
  • Zend Framework 2.4.9
  • zend-captcha 2.4.9
  • zend-captcha 2.5.2

Recommendations

This patch is considered a security hardening patch, and as such, was not
assigned a CVE identifier.

Regardless, if you use one of the word-based CAPTCHA adapters in Zend Framework
1 or 2, we recommend upgrading to 1.12.17, 2.4.9, or zend-captcha 2.4.9/2.5.2.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Source: Zend security feed

ZF2015-10: Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey

Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt()
which uses PHP's default $padding argument, which specifies
OPENSSL_PKCS1_PADDING, indicating usage of PKCS1 v1.5 padding. This padding has
a known vulnerability, Bleichenbacher's chosen-ciphertext attack,
which can be used to decrypt arbitrary ciphertexts.

Action Taken

  • Zend\Crypt\PublicKey\Rsa\PublicKey::encrypt() was updated to accept an
    additional argument, $padding; the default value for this argument was set
    to OPENSSL_PKCS1_OAEP_PADDING.
  • Zend\Crypt\PublicKey\Rsa\PrivateKey::decrypt() was updated to accept an
    additional argument, $padding; the default value for this argument was set
    to OPENSSL_PKCS1_OAEP_PADDING.
  • Zend\Crypt\PublicKey\Rsa::encrypt() was updated to accept an additional
    optional argument, $padding, allowing the user to specify the padding to use
    with PublicKey::encrypt().
  • Zend\Crypt\PublicKey\Rsa::decrypt() was updated to accept an additional
    optional argument, $padding, allowing the user to specify the padding to use
    with PrivateKey::decrypt().

The above changes represent a backwards-compatibility break, but were necessary
to prevent the outlined vulnerability. If you were using
Zend\Crypt\PublicKey\Rsa previously, you will likely need to re-encrypt any
data you've previously encrypted to use the new padding. This can be done as
follows:

$decrypted = $rsa->decrypt($data, $key, $rsa::MODE_AUTO, OPENSSL_PKCS1_PADDING);
$encrypted = $rsa->encrypt($data, $key); // Encrypted using OPENSSL_PKCS1_OAEP_PADDING

The key may have a value of null in each of the examples above.
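The same migration expressed directly against PHP's openssl extension, as an added example that is not code from the advisory or from Zend Framework: the legacy ciphertext is decrypted under OPENSSL_PKCS1_PADDING exactly once and re-encrypted under OPENSSL_PKCS1_OAEP_PADDING. The key pair is generated on the fly so the example runs offline (an assumption; in practice the existing pair is used), and the plaintext is a constructed value.

```php
<?php
// Added example, not code from the ZF2015-10 advisory or the Zend project.
// Re-encrypts data stored under PKCS#1 v1.5 padding with OAEP padding, which
// is what the upgraded Zend\Crypt\PublicKey\Rsa defaults to.

// One-time migration: the legacy padding is accepted only here.
function migrateToOaep(string $legacyCiphertext, $privateKey, $publicKey): string
{
    $plaintext = '';
    if (!openssl_private_decrypt($legacyCiphertext, $plaintext, $privateKey, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('legacy decrypt failed: ' . openssl_error_string());
    }
    $reencrypted = '';
    if (!openssl_public_encrypt($plaintext, $reencrypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('OAEP encrypt failed: ' . openssl_error_string());
    }
    return $reencrypted;
}

// Confirms the migrated blob decrypts under OAEP to the expected plaintext.
function verifyOaepRoundTrip(string $ciphertext, $privateKey, string $expected): bool
{
    $decrypted = '';
    return openssl_private_decrypt($ciphertext, $decrypted, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)
        && hash_equals($expected, $decrypted);
}

// Constructed key pair so the example is self-contained (assumption).
$private = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$public  = openssl_pkey_get_details($private)['key'];   // PEM-encoded public key

// Constructed legacy ciphertext, as an application would have stored it
// before the upgrade (default padding was OPENSSL_PKCS1_PADDING).
$secret = 'constructed secret';
$legacy = '';
openssl_public_encrypt($secret, $legacy, $public, OPENSSL_PKCS1_PADDING);

$migrated = migrateToOaep($legacy, $private, $public);
var_dump(verifyOaepRoundTrip($migrated, $private, $secret));
```

Once every stored ciphertext has been migrated, no code path should pass OPENSSL_PKCS1_PADDING to decrypt() any more; keeping the legacy path alive leaves the padding oracle in place.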

The following releases contain the fixes:

  • Zend Framework 2.4.9
  • zend-framework/zend-crypt 2.4.9
  • zend-framework/zend-crypt 2.5.2

This advisory was given the CVE identifier CVE-2015-7503.

Recommendations

If you use zend-crypt via either Zend Framework 2 or the
zendframework/zend-crypt package, and are using the RSA public key
functionality, we recommend upgrading to 2.4.9/2.5.2 immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Source: Zend security feed

Introducing the Inspectlet API

The Inspectlet API lets you retrieve and search your Inspectlet data via a JSON-based REST interface.

All requests to the API are signed with HTTP Basic Authentication; you just need an API token to get started. To get your API token, please log in to your Inspectlet account and look under "API Credentials" on the Your Account page.

To learn more and get started, check out the full API documentation.

Codeanywhere Launches New Version v.6.0


Codeanywhere v.6.0 is now live

It has been in the making for a while, but the all-new version of Codeanywhere is now live. There are a ton of new features; here is a list of the main things that have changed:

  • All new UI
  • Project based, separate your work logically and switch between your projects instantly.
  • Goto Anything, hit CMD+P (CTRL+P) to find anything, including commands.
  • GitHub/Bitbucket, repository import wizard.
  • Drag & drop files and folders from your desktop to Codeanywhere.
  • SSH terminal real-time collaboration.
  • Manage multiple containers in a project.
  • New preference options, configure every aspect of the interface globally or on a project basis.
  • Large file support, you can now open and save files with over 100,000 lines.
  • Upload files, you now have no limit to the size of a file you are uploading.
  • And many more.

More protection. The most privacy. Only from Firefox.


Private Browsing

Firefox won’t save things like your browsing history, searches or cookies, but it will keep new bookmarks and files you download.

As you browse the web, Firefox remembers lots of information for you – like the sites you’ve visited. There may be times, however, when you don’t want people with access to your computer to see this information, such as when shopping for a present. Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited.

HP Splits In Two New Industry-Leading Public Companies


As of 01.11.2015, HP is two companies

Hewlett Packard Enterprise will define the next generation of technology infrastructure, software and services for the New Style of IT.

HP Inc. will be the leading personal systems and printing company delivering innovations that will empower people to create, interact and inspire like never before.

Lil’ ICYMI: Cute programmable security bird

"In Case You Missed It" (aka #ICYMI) is a daily clip show designed to dig up the offbeat and interesting stories that get buried by the biggest headlines. We'll bring you space and tech news, as well as internet lifestyle funk, and we'll round out each week's show with a headline blast to bring you the big stories you might have missed.

Get more ICYMI here:
www.engadget.com/icymi
