The Heartbleed Bug Is Mostly Fixed, But There Are Still More Than 20,000 Websites Vulnerable

You might have changed all your passwords in the days since you learned of the Heartbleed bug, but if you're one of millions of people using certain Android devices, you might still be vulnerable.
Numerous devices running older versions of Google’s Android operating system may be at risk of the high-profile bug, according to Marc Rogers, a security expert at the mobile security firm Lookout.
Rogers told The Huffington Post that people using Android version 4.1.1 should avoid sensitive transactions on their mobile devices because a hacker could exploit the Heartbleed bug to steal their data.

The Heartbleed bug, a newly discovered security vulnerability that puts users' passwords at many popular Web sites at risk, has upended the Web since it was disclosed earlier this week. It's an extremely serious issue, and as such, there's a lot of confusion about the bug and its implications as you use the Internet.
TechProceed.com has compiled a list of Frequently Asked Questions to help users learn more about the bug and protect themselves. The Heartbleed situation is ongoing, and we'll update this FAQ as new issues arise. Check back for new information.
What is Heartbleed?
Heartbleed is a security vulnerability in the OpenSSL software library that lets an attacker read chunks of the memory of any server (or client) running a vulnerable version. According to Netcraft, an Internet research firm, 500,000 Web sites could be affected. That means a user's sensitive personal data -- including usernames, passwords, and credit card information -- that happens to be sitting in the server's memory is potentially exposed.
The vulnerability also means an attacker could steal the server's private key, the secret that underpins its encrypted communications, and use it to impersonate the site, as well as read whatever else the server process holds in memory, such as a company's internal documents.
What is OpenSSL?
Let's start with SSL. That stands for Secure Sockets Layer; its successor is Transport Layer Security, or TLS, which is what browsers actually use today, though the old name stuck. It's the standard means of encrypting information on the Web, and it prevents someone from eavesdropping on you as you browse the Internet. (Notice the "https" in the URL of SSL-enabled sites like Gmail, instead of simply "http.")
OpenSSL is an open-source software library that implements SSL/TLS and is used across the Web. The versions with the vulnerability are 1.0.1 through 1.0.1f (plus the 1.0.2-beta1 pre-release); the fix shipped in OpenSSL 1.0.1g on April 7, 2014. OpenSSL ships with most Linux distributions, and it is the library that Apache and Nginx, two very widely used programs for running Web sites, rely on for HTTPS. One caveat when checking a server: many distributions backported the fix into packages that still report version 1.0.1e, so the package's changelog or build date, not just the version string, tells you whether it is patched. Bottom line: its use across the Web is vast.
Who discovered the bug?
Credit is given to security firm Codenomicon and Google researcher Neel Mehta, who both found the bug independently from each other, but on the same day.
Mehta donated the $15,000 bounty he was awarded for helping find the bug to the Freedom of the Press Foundation's campaign for the development of encryption tools for journalists to use when communicating with sources. Mehta is declining press interviews, but asked for comment, Google said, "The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited."
Why is it called Heartbleed?
According to Vocativ, the term "Heartbleed" was coined by Ossi Herrala, a systems administrator at Codenomicon. It's got a nicer ring to it than its formal name, CVE-2014-0160, the identifier the bug was assigned in the Common Vulnerabilities and Exposures catalogue.
Heartbleed is a play on words referring to an extension to TLS called "heartbeat," which OpenSSL implements. The extension lets either end of a connection send a small message and get the same bytes echoed back, to keep the connection alive even when no data is being shared. Herrala "thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory," David Chartier, chief executive of Codenomicon, told Vocativ.
If the name sounds a bit too catchy for a security glitch, that's exactly the point. The team at Codenomicon wanted something press friendly that could spread quickly, to warn more people of the flaw. Soon after they named the bug, they bought the domain Heartbleed.com to educate the Web about the glitch.
Why are some sites not affected by Heartbleed?
Although OpenSSL is very popular, there are other SSL/TLS implementations. In addition, some Web sites run an earlier, unaffected branch of OpenSSL (0.9.8 and 1.0.0 never contained the heartbeat code), and some were built with the "heartbeat" feature disabled, which removes the vulnerable code path entirely.
While it doesn't solve the problem, what limits the scope of the potential damage is perfect forward secrecy, or PFS: the keys that encrypt each connection are generated fresh for that connection and discarded afterwards, instead of being derived from the server's long-term private key. That means that if an attacker did get the server's private key out of memory, they could impersonate the site from then on but could not decrypt traffic they had recorded earlier, because the per-connection keys were never derived from it. PFS does nothing for the other data Heartbleed exposes, such as passwords sitting in memory. While some tech giants, like Google and Facebook, have started to support PFS, not every company does.
How does the bug work?
A TLS heartbeat request carries a small payload plus a field saying how long that payload is. Vulnerable OpenSSL versions echoed back as many bytes as the length field claimed without checking that the sender had actually supplied that many, so a request that claims 64 kilobytes but sends only a few bytes gets back up to 64 kilobytes of whatever happened to follow it in the server's memory. The request can be repeated as often as the attacker likes to harvest more. That means an attacker could get not just usernames and passwords, but also "cookie" data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site's private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.
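To make the length mismatch concrete, here is an added example in C, written for this FAQ rather than taken from OpenSSL's source: a simplified heartbeat handler with the missing check, beside the same handler carrying the two length checks that OpenSSL 1.0.1g added. The message layout follows RFC 6520 (type, two-byte length, payload, padding). The "secret" string, the handler names and the 64-byte claim are constructed for the demo, and the over-read is confined to a buffer the demo owns so it runs safely.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of random padding follow the payload */

/* Heartbeat message: type (1) | payload_length (2, big-endian) | payload | padding.
 * Both handlers echo the payload into resp and return the number of payload bytes
 * echoed, or -1 if the message is dropped. rec_len is the number of bytes received. */

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: payload_length from the wire
 * is trusted and never compared with rec_len, so the copy runs past the record. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* OpenSSL allocated 1+2+payload_len+16 bytes for the reply, so the reply always fit;
     * this cap only guards the demo's fixed buffer and is not the missing check. */
    if ((size_t)3 + payload_len + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);          /* over-read when payload_len > rec_len - 3 */
    memset(resp + 3 + payload_len, 0, HB_PADDING);   /* padding (random bytes in real TLS) */
    return payload_len;
}

/* Fixed handler, carrying the two length checks that OpenSSL 1.0.1g added. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < (size_t)1 + 2 + HB_PADDING) return -1;      /* too short to be valid: discard */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)  /* claims more than was sent */
        return -1;
    if ((size_t)3 + payload_len + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Constructed stand-in for whatever sits next to the record in the heap (not real data). */
static const char SECRET[] = "session=9f3a;user=alice;pw=hunter2";

/* Builds a request that claims 64 payload bytes but sends 4, places SECRET right after
 * the record in the same buffer, and returns how many bytes of SECRET were echoed back. */
int leaked_secret_bytes(hb_handler h)
{
    uint8_t heap[256] = {0}, resp[256] = {0};
    const size_t actual_payload = 4;
    const uint16_t claimed = 64;
    heap[0] = HB_REQUEST;
    heap[1] = (uint8_t)(claimed >> 8);
    heap[2] = (uint8_t)(claimed & 0xff);
    memcpy(heap + 3, "ping", actual_payload);
    size_t rec_len = 3 + actual_payload + HB_PADDING;        /* 23 bytes really received */
    memcpy(heap + rec_len, SECRET, sizeof SECRET);           /* adjacent memory */

    int n = h(heap, rec_len, resp, sizeof resp);
    if (n < 0) return 0;
    /* Anything echoed beyond the bytes actually sent came from outside the record. */
    size_t sent = rec_len - 3;
    size_t extra = (size_t)n > sent ? (size_t)n - sent : 0;
    const uint8_t *tail = resp + 3 + sent;
    size_t leaked = 0;
    while (leaked < extra && leaked < sizeof SECRET - 1 && tail[leaked] == (uint8_t)SECRET[leaked])
        leaked++;
    return (int)leaked;
}

/* A well-formed request (claimed length == bytes sent) is answered by both handlers. */
int honest_echo_length(hb_handler h)
{
    uint8_t rec[3 + 4 + HB_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    uint8_t resp[64];
    return h(rec, sizeof rec, resp, sizeof resp);
}

int main(void)
{
    printf("honest request: vulnerable echoes %d bytes, fixed echoes %d bytes\n",
           honest_echo_length(heartbeat_vulnerable), honest_echo_length(heartbeat_fixed));
    printf("malicious request: vulnerable leaks %d secret bytes, fixed leaks %d\n",
           leaked_secret_bytes(heartbeat_vulnerable), leaked_secret_bytes(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler hands back the whole constructed secret because nothing ties the claimed length to the bytes that arrived; the fixed one drops the request before any copy happens. A real server would return up to 65,535 bytes per request, and the attacker simply sends another.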
Should I change my passwords?
For many Web sites, yes. BUT wait until you get confirmation from the Web site operator that the bug has been patched. It's a natural reaction to want to change all of your passwords immediately, but if the Web site's bug has not been fixed yet, making the change could be useless -- you're just potentially giving an attacker your new password.
How do I check if a Web site has been affected -- or fixed?
A few companies and developers have created testing sites to check which Web sites are vulnerable or safe. Two good ones are by LastPass, a company that makes password management software, and Qualys, a security firm. While these test sites are a good preliminary check, continue to proceed with caution, even if the site gives you an all-clear indication. If you're given a red flag, however, avoid the site.
CNET is keeping a running list on the status of the top 100 Web sites, according to Alexa.com. Check back here for updates. Here's a list of sites that were still vulnerable as of Thursday afternoon, according to researchers at ZMap.
But the most prudent thing to do is to get confirmation from the site through one of its official channels. Lots of companies have been putting up blog posts and issuing statements about the health of their sites. Or you can email a site operator or customer service person directly.
Who was behind the bug?
The programmer who wrote the flawed code was Robin Seggelmann, who contributed to the OpenSSL project while doing his Ph.D. from 2008 to 2012. Adding to the drama of the situation, he submitted the code at 11:59 p.m. on New Year's Eve 2011, though he says the timing has nothing to do with the bug. "I am responsible for the error," Seggelmann said. "Because I wrote the code and missed the necessary validation by an oversight."
Still, as an open-source project, it's hard to place the blame squarely on one person. As Zulfikar Ramzan, chief technology officer of cloud security startup Elastica, explained to The New York Times, there is a great deal of complex code, and the Heartbeat extension in particular did not get enough scrutiny. "Heartbeat is not the main part of SSL. It's just one additional feature within SSL," he said. "So it's conceivable that nobody looked at that code as carefully because it was not part of the main line."
Is it true that the US government exploited Heartbleed before the world knew about it?
That's unclear at this time. One report said that the National Security Agency knew about the exploit before it was called Heartbleed and exploited it to gather intelligence, but the NSA denied the accusation. Whether the report is accurate, the fact remains that when left unpatched, Heartbleed is a major security risk.
Should I be worried about my bank account?
Most banks don't use OpenSSL, but instead use proprietary encryption software. But if you're unsure, contact your bank directly for confirmation that the Web site is secure. Still, John Miller, security research manager for security and compliance firm TrustWave, suggests keeping a close eye on financial statements for the next few days to make sure there are no unfamiliar charges.
How do I know if anyone has used the Heartbleed vulnerability to steal my information?
Unfortunately, there is usually no way to tell. Exploiting the bug "leaves no traces of anything abnormal happening to the logs" of Web sites, according to Codenomicon: the heartbeat exchange happens inside the TLS layer before any request reaches the Web application, so nothing lands in the server's access logs. Only sites that captured raw network traffic, or ran intrusion-detection rules that flag malformed heartbeat records, have any chance of spotting past attempts.
What password managers can I try?
One thing the Heartbleed situation highlights is the value of using a different strong password for every site, so that one leaked password doesn't unlock your other accounts. In the aftermath of changing your old passwords, you might be wondering if there are other ways to make sure your accounts are secure. Password managers try to solve that problem by helping you generate a random password for each account. You then control everything through one strong master password. Having all of your accounts under one manager may be too close for comfort for some users, but LastPass, one of those vendors, insists it's secure, and that users don't have to change their master passwords due to Heartbleed. It has even added a feature that automatically checks your saved sites for Heartbleed vulnerabilities. Other password manager options are RoboForm, Dashlane, and 1Password.
Another suggestion is to enable two-factor authentication wherever it is offered. (Gmail is one service that does so.) That means that in addition to a password, the service asks for another piece of identifying information, like a code that's been texted to you. That way, even if someone steals your password, it is much harder for them to log in as you.

The all new HTC One (HTC M8) rumor round-up: camera, specs, release date and design pictures

The all new HTC One will be unveiled officially on March 25th, but a leaked video surfaced three weeks before that date, breaking a lot of the secrecy around HTC's next big thing. Read on for TechProceed.com's take on this:

Truth be told, there wasn’t all that much secrecy left, as leaked images had already surfaced from all places, revealing the more intense metal design of the new HTC One and its one key feature - a “Duo” camera on its back. There was some, though, as we had seen a lot of still images and a very short video, but nothing like a full-on video preview. Moreover, in the following days, more such short videos surfaced and we even saw a concise walkthrough of HTC's Sense 6.0 user interface.



So what can we say now, what will the new HTC One look like? Read on to find out our recap of all its new features, a look at the “Duo” camera and what it could offer, as well as specs and release date.

“Duo” camera - two cameras on its back

The all new HTC One will be the first phone to feature two cameras on its back. We have actually already seen smartphones with dual rear cameras, but their goal was 3D photography, while the cameras on HTC’s new big thing are said to contribute to improving traditional 2D photography rather than 3D.

The process of taking a photograph on the new HTC One looks pretty much unchanged: you see a single image through the viewfinder and tap a button to capture it. The benefits of the dual camera become visible once you open a captured image, as you can apply "Duo effects" to the picture. We'd also guess that HTC has bundled in effects like post-capture refocusing, a depth map and the ability to erase objects from an image, but we are yet to see confirmation of these features. The other changes in the shooting process should be faster focusing and a more pronounced depth-of-field effect. We have also seen demonstrations of two rear cameras being used for lossless zoom, but we don't know whether the camera in the new HTC One will have this feature on board.

The camera interface is also overhauled, and now you can select from six main shooting modes. The regular camera and video modes are what most consumers will use most of the time, but there is also a “Zoe camera”, “Selfie”, “Dual capture” (recording simultaneously on your front and rear cameras), and a “Pan 360” (360-degree panorama) mode.

HTC is also said to still use UltraPixel technology, but in an improved form. That's good news, as we have found the current UltraPixel camera on the HTC One to be sub-par compared with its peers.

Design: more intense metal

With so many leaked images, it seems clear that the new HTC One will feature a design very similar to the HTC One, with two front-facing speakers and an aluminum unibody, but with an even more intense metal finish, with more pronounced metallic texture.

The all new One should feature a slightly larger, 5-inch display with a resolution of 1080 x 1920 pixels. Rather than having capacitive navigation keys below the display, the new flagship will sport on-screen buttons. All in all, the new design looks just a bit larger (both wider and taller) than the 2013 HTC One.

All new interface: Sense 6.0

The new HTC One is expected to ship with the latest Android 4.4 KitKat on board and a re-imagined Sense user interface on top of that. The new Sense is expected to carry the 6.x version, but it is not a huge change over the current one. The most interesting new feature seems to be the added support for 'Motion Launch gestures' like double-tap to wake the phone's display.

The BlinkFeed news aggregator is still a swipe away (but it’s been improved), and now you can swipe twice to see its contents by category. The overall visuals have not changed much either - you still have a vertically scrolling app drawer, dark backgrounds and a similar aesthetic. The two biggest changes are in the camera app and the settings menu. The camera app now has large, round icons that are easy to tap on, and in settings the icons have also been simplified, getting that trendy, flat styling.

Specs

Under the hood, the new HTC One is expected to ship with a quad-core Snapdragon 801 system chip (likely, the MSM8974-AB version of it) with 2GB RAM. This is the same chip that powers devices like the Samsung Galaxy S5 and the Sony Xperia Z2, (the Z2 has slightly more RAM - 3GB) so it should be more or less on par with the top performers. We’re yet to see detailed benchmarks, but it is only logical to assume that the handset will run even the most demanding of games with ease.

The new and exciting thing under the hood is the added support for expandable storage. The new HTC One should come with a microSD card expansion slot (the current model does not support microSD cards), so you can expand the storage freely.

Official announcement set for March 25th, coming to all carriers

HTC has already set the date for the official unveiling of its next flagship - it’s March 25th, with events simultaneously taking place in New York City and London. The new HTC One has also cleared FCC certification recently, and we have all reasons to believe it will arrive on all four major US carriers - Verizon, AT&T, Sprint and T-Mobile - as well as internationally. With all this information, do you feel ready to break the piggy bank and grab HTC's upcoming new big thing?

Primary Extended and Logical Partitions

There is always a lot of confusion about partitions and partition numbers. So let us try to shed some light:

There are three types of partitions:
  1. Primary Partitions 
  2. Extended Partitions 
  3. Logical Partitions 
Primary and extended partitions are the main disk divisions; one hard disk may contain up to four primary partitions, or three primary partitions and one extended partition. The extended partition can then be further divided into any number of logical partitions.

Consider, for example, a hard disk that contains four main partitions: three primary partitions and one extended partition. The extended partition has been further divided into two logical partitions. Each primary partition has been formatted to use a different file system (FAT and NTFS). The two logical partitions have both been formatted to use the FAT file system.


Primary Partitions

A primary partition may contain an operating system along with any number of data files (for example, program files, user files, and so forth). Before an OS is installed, the primary partition must be logically formatted with a file system compatible to the OS.

Only one primary partition can be marked active at a time; the active partition is the one from which an OS is booted at computer startup. Under DOS and early Windows, primary partitions other than the active one were hidden, so for all practical purposes the data in a primary partition could be reached only by the OS installed on it. Modern operating systems such as Linux and Windows NT and later mount any primary partition whose file system they understand, so do not rely on this hiding as a form of protection.

If you plan to install more than one operating system on your hard disk, you probably need to create multiple primary partitions; most operating systems can be booted only from a primary partition.


Extended Partitions

The extended partition was invented as a way of getting around the four-partition limit. An extended partition is essentially a container in which you can further divide your disk space into logical partitions; the only limit on their number is how many the operating system can address (see the note on IDE and SCSI limits below).

An extended partition does not directly hold data. You must create logical partitions within the extended partition in order to store data. Once created, logical partitions must be logically formatted, but each can use a different file system.


Logical Partitions

Logical partitions may exist only within an extended partition and are meant to contain only data files and OSs that can be booted from a logical partition (for example, Linux, Windows NT, and so forth).

On an IDE drive, the first drive is called hda, and its partitions are shown as hda1, hda2, and so on. Your second drive is called hdb.

On a SCSI drive, the first drive is called sda, its partitions are sda1, sda2, and so on, and the second drive is called sdb. Note that current Linux kernels use the sd naming for IDE and SATA drives as well, so on a recent system you will see sda even for an IDE disk.

Now that was relatively simple, but now comes the more complicated part. I took parts of this from a post by Jason Wallwork (Linuxdude32) because he was able to explain it better than I can:

QUOTE 
An extended partition is the only kind of partition that can have multiple partitions inside. Think of it like a box that contains other boxes, the logical partitions. The extended partition can't store anything, it's just a holder for logical partitions. 

The extended partitions is a way to get around the fact you can only have four primary partitions on a drive. You can put lots of logical partitions inside it. 
  • hda is the whole drive
  • hda1 is a primary partition
  • hda2 is a primary partition
  • hda4 is an extended partition
  • hda5 is a logical partition
  • hda6 is a logical partition
You will never see hda4 mounted, just hda5 and hda6, in this case. Note that Linux numbers primary partitions 1-4, logical partitions start at 5 and up, even if there are less than 4 primary partitions.

NOTE: On an IDE drive you can have up to 63 partitions, 3 primary and 60 logical ( contained in one extended partition ) 

On a SCSI drive the maximum number of partitions is 15 

So, in a nutshell: if you start out with one HD that has windows C: and D: You will see them in Linux as hda1 and hda2 . . . then as you add a distro and let it automatically use the free space on that drive ( if that distro has that option like Mandrake ) it will make an extended partition and set up a partition for / and a partition for /swap plus a /home partition and call them hda5, hda6 and hda7 ( in that order ). You will see that if you make the partitions yourself, using preferably a Linux tool to make the partitions, the result will be more or less the same, only in that case you will be able to make even more partitions . . . for extra storage, backups, or additional distros 

You will only need one swap partition as that can be shared by the various distros. 

Oops, I forgot:

May I suggest using one partition for the OS(active primary) and the rest will reside in an extended(primary) as logical partitions. The extended partition will be hidden(this doesn't matter, as it's only the container for the logicals), but all of the logical partitions will be visible. 
I hope this makes sense.
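As an added example (not part of this article or the quoted post), here is a small C parser for a DOS/MBR partition table that applies the rules above: it reads the four primary entries at offset 446 of sector 0, follows the extended partition's chain of extended boot records (EBRs), and numbers logical partitions from 5 the way Linux does, leaving a gap where a primary slot is empty. The disk image is constructed in memory with the same layout as the quoted hda1/hda2/hda4/hda5/hda6 example; every function name here is this example's own. The chain walk bounds its hops and rejects a backward link, since a crafted or corrupt table can otherwise send a naive parser round in a loop.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR 512
#define NSECTORS 64
#define MAX_PARTS 16

/* number: 1-4 primary/extended, 5 and up logical (Linux naming); start/size in sectors */
typedef struct { int number; uint8_t type; uint32_t start, size; int is_extended; } part_t;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the MBR at sector 0, then follows the EBR chain inside the extended partition.
 * Returns the number of partitions found, or -1 for a corrupt or malicious table. */
int parse_mbr(const uint8_t *disk, size_t nsectors, part_t *out, int max)
{
    int n = 0, have_ext = 0, logical = 5, hops = 0;
    uint32_t ext_start = 0, ebr;
    if (disk[510] != 0x55 || disk[511] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {                        /* four 16-byte entries at offset 446 */
        const uint8_t *e = disk + 446 + 16 * i;
        if (e[4] == 0) continue;                         /* empty slot: its number is skipped */
        if (n >= max) return -1;
        int ext = e[4] == 0x05 || e[4] == 0x0F || e[4] == 0x85;
        out[n] = (part_t){ i + 1, e[4], le32(e + 8), le32(e + 12), ext };
        if (ext && !have_ext) { have_ext = 1; ext_start = out[n].start; }
        n++;
    }
    if (!have_ext) return n;
    for (ebr = ext_start;;) {                            /* logicals are numbered from 5 regardless */
        if (++hops > max || ebr >= nsectors) return -1;  /* chain too long or points off the disk */
        const uint8_t *s = disk + (size_t)ebr * SECTOR, *e0 = s + 446, *e1 = s + 462;
        if (s[510] != 0x55 || s[511] != 0xAA) return -1;
        if (e0[4] != 0) {                                /* entry 0: the logical, start relative to this EBR */
            if (n >= max) return -1;
            out[n++] = (part_t){ logical++, e0[4], ebr + le32(e0 + 8), le32(e0 + 12), 0 };
        }
        if (e1[4] == 0) break;                           /* entry 1 empty: last EBR in the chain */
        uint32_t next = ext_start + le32(e1 + 8);       /* entry 1 links onward, relative to the extended start */
        if (next <= ebr) return -1;                      /* a backward link would loop forever */
        ebr = next;
    }
    return n;
}

/* Builder for the constructed sample image (not a real disk). */
static void write_entry(uint8_t *sector, int idx, uint8_t type, uint32_t start, uint32_t size)
{
    uint8_t *e = sector + 446 + 16 * idx;
    memset(e, 0, 16);
    e[4] = type;
    for (int i = 0; i < 4; i++) {                        /* little-endian start LBA and length */
        e[8 + i] = (uint8_t)(start >> (8 * i));
        e[12 + i] = (uint8_t)(size >> (8 * i));
    }
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

/* Mirrors the quoted layout: hda1, hda2, slot 3 empty, hda4 extended holding hda5 and hda6.
 * With loop_chain set, the last EBR is linked back to the first, as a corrupt table might be. */
static uint8_t g_disk[NSECTORS * SECTOR];
int parse_sample(part_t *out, int loop_chain)
{
    memset(g_disk, 0, sizeof g_disk);
    write_entry(g_disk, 0, 0x83, 1, 9);                  /* hda1: Linux, LBA 1-9 */
    write_entry(g_disk, 1, 0x07, 10, 10);                /* hda2: NTFS, LBA 10-19 */
    write_entry(g_disk, 3, 0x05, 20, 40);                /* hda4: extended container, LBA 20-59 */
    write_entry(g_disk + 20 * SECTOR, 0, 0x83, 1, 9);    /* hda5: EBR at 20, data at LBA 21-29 */
    write_entry(g_disk + 20 * SECTOR, 1, 0x05, 10, 20);  /* link: next EBR at 20 + 10 = LBA 30 */
    write_entry(g_disk + 30 * SECTOR, 0, 0x82, 1, 9);    /* hda6: swap, LBA 31-39 */
    if (loop_chain)
        write_entry(g_disk + 30 * SECTOR, 1, 0x05, 0, 20); /* next EBR = ext_start + 0 = LBA 20 again */
    return parse_mbr(g_disk, NSECTORS, out, MAX_PARTS);
}

/* Linux-style number of the idx-th partition found in the sample image, or -1 if none. */
int sample_partition_number(int idx)
{
    part_t p[MAX_PARTS];
    int n = parse_sample(p, 0);
    return (idx < 0 || idx >= n) ? -1 : p[idx].number;
}

int looped_chain_is_rejected(void) { part_t p[MAX_PARTS]; return parse_sample(p, 1) == -1; }

int main(void)
{
    part_t p[MAX_PARTS];
    int n = parse_sample(p, 0);
    for (int i = 0; i < n; i++)
        printf("hda%d  type 0x%02x  start %u  size %u%s\n", p[i].number, p[i].type, p[i].start,
               p[i].size, p[i].is_extended ? "  (container, never mounted)" : "");
    printf("looped EBR chain rejected: %s\n", looped_chain_is_rejected() ? "yes" : "no");
    return 0;
}
```

Running it prints hda1, hda2, hda4 (flagged as the container), hda5 and hda6, with no hda3, which is exactly the numbering the quoted post describes. The same parser applied to the looped image returns -1 instead of spinning.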

Online IRCTC Tatkal Tickets Booking Quickly

Booking tickets on IRCTC is a hectic process for every Indian passenger who wants to travel by train. Because IRCTC is the only official website for booking train tickets in India, booking takes a long time, and it takes twice as long for tatkal tickets, because most people book those at the last minute under the tatkal scheme. The IRCTC website has 12 million unique visitors per month, and most of them are on the site between 10 AM and 12 PM, because that is when tatkal tickets go on sale; most of the tickets are sold within the first hour.

Straight to the point: here I mention a few useful methods and some important tips to increase your chances of getting tatkal tickets before the site goes down.
Magic Auto fill:

Magic Autofill is a bookmarklet created by Amit Agarwal, founder of the www.labnol.org website. It is a handy tool for booking tatkal tickets quickly. It doesn't book tickets itself; it fills in the IRCTC reservation form for you so the booking takes less time than before. Keep in mind that the passenger details you enter go to ctrlq.org rather than to IRCTC, so only use it if you are comfortable with that. Here is how it works.

1. First go to this website www.ctrlq.org/irctc and click on “fill reservation form” button and fill all details which are necessary while booking a ticket on irctc website.





2. By using this form you can book tickets for 6 adult passengers and 2 child passengers. Once you fill all the details, enter your mobile number at the end of form.





3. Now click on “I’m Feeling Lucky” button and you will get magic auto fill bookmarklet. Drag it into your browser bookmarks tab.

4. Now open the IRCTC website, navigate to the booking section, and click the Magic Autofill bookmarklet to complete the form. (Work quickly here: tatkal tickets sell out within seconds.)
User Agent Switcher:

As the name suggests, a user agent switcher changes the user agent string your browser sends to the format you choose. Here we use it for tatkal ticket booking. The extension is available for both Chrome and Firefox.

1. First of all you need to download user agent switcher extension from the below link and install it on your chrome browser.

Download User Agent Switcher



2. Once installed, its icon sits next to the wrench menu of the Chrome browser. Click that icon and change the user agent to any mobile platform. Here I use an Android mobile user agent.

3. The logic is simple: a fast internet connection alone doesn't help with the IRCTC website, so we load the lighter mobile version of the same site from a PC to book tickets faster.

4. In other words, we browse the mobile version of the IRCTC website over the PC's internet connection.

I can't guarantee this method, because it has a 50-50 chance, but give it a try.
Tips to Book Tatkal Tickets Quickly Online:

The main thing to consider while booking tickets on the IRCTC website is that you need to keep the page active; otherwise it shows a "session expired" message. To prevent this, you need to work quickly while booking the ticket.

To keep the session alive for a long time, there is one trick: copy the link to "Terms and Conditions" from the General section of the IRCTC website and open it in another browser. For example, if you book tickets in Chrome, open that link in Firefox and refresh the page every 2 or 3 minutes.

Note down every piece of information you need while booking tatkal tickets. Writing it on paper takes time, so you can use the auto form-filling add-ons and extensions available for both browsers instead.

Latest Tips and Tricks for Booking Tatkal Tickets Online:

1. Install Ad Block on your Web browser:

Nowadays everyone shows ads on their website; IRCTC also shows ads on its site, and those ads, images and scripts slow down your online tatkal booking.

Use Google Chrome or Mozilla Firefox, because they are fast browsers and load websites quickly.

Follow the links below to install Ad Block in your web browser.

Install Google Chrome or Mozilla Firefox.

Using the link above, install Ad Block in your web browser and block the ads and other scripts that slow down the IRCTC website.

2. By installing Auto Refresh Plugin:

It is common that when we want to book a tatkal ticket on IRCTC we log in to our IRCTC account before 10 AM, but when tatkal booking starts and we click through the site, it shows "session expired". That means you need to log in again, and logging in during tatkal hours is very hard.

IRCTC generally logs you out if you have not used the site for 3 minutes, so if you want to book tickets you have to be logged in before 10 AM, and for the "Session Expired" error I will show you a simple solution.

There is a plugin named "Auto Refresh" for both Google Chrome and Mozilla Firefox. It refreshes your web pages automatically at the interval you set. Follow the steps below to install it.

For Google Chrome Browser:

1) Open your browser

2) Go to the link to install the Auto Refresh Plugin: Click Here

3) Now install the plugin by clicking on Add button

4) After that plugin will install automatically.

5) Now when you open the IRCTC website, you will see an icon in the address bar.

6) Simply click that icon, set the auto-refresh time (in seconds) and click Start.


That's it. After that you should no longer see the "Session Expired" error on IRCTC.

Note:

Booking tatkal tickets over a slow internet connection is not realistic, and even on a fast connection it is time-consuming. So follow the above tips when booking tickets on the IRCTC website.