About #Poodle #Hack of #SSLv3 and How to Secure Online Business

A new security vulnerability named POODLE was discovered recently.

 

  • What does POODLE stand for in the SSLv3 hack?

    Padding Oracle On Downgraded Legacy Encryption
  • Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because SSL 3.0 is used by both websites and web browsers. Both must be reconfigured to stop using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
  • Google exposes ‘Poodle’ flaw in Web encryption standard …

 

POODLE Vulnerability: Frequently Asked Questions.

What is the SSLv3 POODLE Vulnerability?

On October 15 Google published details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. The new vulnerability, named ‘POODLE’, compromises encryption by forcing a browser or client to use the less secure SSLv3 protocol instead of the TLS protocols (e.g. TLSv1.2). It then carries out a BEAST (Browser Exploit Against SSL/TLS) attack to obtain information from the encrypted stream.

Is This Really Such a Big Issue?

Yes. Although SSL 3.0 is nearly fifteen years old, support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Who does Poodle Affect?
Any merchant using Internet Explorer 6 (IE6) to access secure online payment gateway system pages, or any merchant whose site or solution uses SSLv3 to post transactions to Authorize.Net.

What should I tell my customers if they ask about POODLE?

You can instruct any concerned customers to visit https://zmap.io/sslv3/ to confirm if their browser supports SSLv3. It includes instructions on how to disable SSLv3 for all modern browsers.

What should I do if I use Internet Explorer 6?

If you are using a version of Internet Explorer older than 7.0, please visit http://www.microsoft.com/en-us/download/internet-explorer.aspx to upgrade.

Firefox, Safari and Chrome users should not be affected.

Important announcement about POODLE and payment security.

In general I see three areas where a fix is needed:

1) Server: the big or not-so-big computer, called a server, where your personal or business website is hosted.

2) Web site, online shopping cart, CMS scripts.

3) The end user's computer's “user agent”, which is the browser.

Ex: Chrome, Firefox, Internet Explorer, Opera, Safari and whatever else you may use.
Most of them need to be fixed manually, or you need to wait for the provider's update. While waiting for the update you are at risk of sending personal information over SSLv3 without real protection, in very simple words.

1) Server side.

On the server level (cPanel, WHM) the suggested fix is this one:
http://www.liquidweb.com/kb/how-to-disable-sslv3-and-protect-your-whmcpanel-server-from-poodle

2) eCommerce, Shopping Cart fixes.

Depending on the online store's scripting, you need to find the line that says something like this:

curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

and comment it out in the PHP code:

//curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

In Zen Cart, depending on the release, it can be in different places:

http://www.zen-cart.com/showthread.php?214916-Important-announcement-about-POODLE-and-payment-security

If you have an early release you may also find it here:

modules/payment/linkpoint_api/class.linkpoint_api.php

among a bunch of curl_setopt statements like these:

  curl_setopt ($ch, CURLOPT_SSLCERT, $key);
  curl_setopt ($ch, CURLOPT_CAINFO, $key);
  curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, false); // note: this and the next line also switch off certificate checking
  curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt ($ch, CURLOPT_SSLVERSION, 3);          // this is the line that forces SSLv3; comment it out
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
Affected files depend on your software releases:
 /includes/modules/payment/paypal/paypal_curl.php around line 58
 /includes/modules/payment/authorizenet_aim.php around line 600
 /includes/modules/payment/authorizenet_echeck.php around line 589
 /includes/modules/payment/paypaldp.php around line 2342
 /includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309
 
 (Line numbers may differ depending on what Zen Cart version you're using)

In X-Cart:

func/func.https_libcurl.php

modules/XPayments_Connector/xpc_func.php

and other files, depending on the activated modules and the release of your shopping cart.
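Hunting for that line by hand across every payment module is error-prone, so here is a small scanner, added as an example here and not part of Zen Cart, X-Cart or this post, that walks a directory of PHP files and reports every live (not commented-out) curl_setopt call that forces CURLOPT_SSLVERSION to 3 (or to the equivalent PHP constant CURL_SSLVERSION_SSLv3). It goes one step beyond the text by also reporting CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST set to false, since those lines in the snippet above disable certificate verification entirely. The sample PHP source embedded at the bottom is constructed for the demonstration; the function and field names are my own.

```python
"""Scan PHP sources for cURL options that force SSLv3 or disable certificate checks."""
import os
import re
from dataclasses import dataclass
from typing import List

# CURL_SSLVERSION_SSLv3 is the named PHP constant with the same meaning as the literal 3.
FORCED_SSLV3 = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_SSLVERSION\s*,\s*(?:3|CURL_SSLVERSION_SSLv3)\s*\)")
# Certificate verification switched off (false / FALSE / 0).
VERIFY_OFF = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_SSL_VERIFY(PEER|HOST)\s*,\s*(?:false|FALSE|0)\s*\)")


@dataclass
class Finding:
    path: str
    line_no: int      # 1-based, like the "around line 58" hints in the post
    kind: str         # "sslv3", "verifypeer" or "verifyhost"
    code: str


def _is_commented(line: str) -> bool:
    """A line already commented out (//, # or inside a /* */ block) is the fixed state."""
    s = line.lstrip()
    return s.startswith("//") or s.startswith("#") or s.startswith("*")


def scan_php_source(text: str, path: str = "<string>") -> List[Finding]:
    """Return every live curl_setopt line that forces SSLv3 or disables verification."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _is_commented(line):
            continue
        if FORCED_SSLV3.search(line):
            findings.append(Finding(path, n, "sslv3", line.strip()))
        m = VERIFY_OFF.search(line)
        if m:
            findings.append(Finding(path, n, "verify" + m.group(1).lower(), line.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every *.php file below root (e.g. your shop's includes/modules/payment)."""
    out: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_php_source(fh.read(), p))
    return out


# Constructed sample in the shape of the Zen Cart payment-module snippet quoted above.
SAMPLE_PHP = """<?php
// constructed sample, not real Zen Cart code
$ch = curl_init($url);
curl_setopt ($ch, CURLOPT_SSLCERT, $key);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
//curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
"""

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PHP, "sample.php"):
        print(f"{f.path}:{f.line_no}: [{f.kind}] {f.code}")
```

Run scan_tree() against the shop's document root before and after applying the fix; the expected end state is zero "sslv3" findings. Lines that only report "verifypeer" or "verifyhost" are not part of the POODLE fix itself, but they mean the gateway connection would accept any certificate, which is worth raising with whoever maintains the module.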

3) What to tell customers about the browser on the end user's computer, the “user agent”.

If, as stated by many sources, the attack works only on sessions using SSLv3, then transactions with payment gateways such as VeriSign, Google Checkout, Authorize.net… may go through without errors once 1) the server side and 2) the CMS scripting level are fixed.

But the user may (or will) see an “unsecured” message in the browser on their local computer.

That is better than a red error message like this: “An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance. ()(35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number”

But it is still not pleasant for the user experience on your site.

As for online sellers, this will be everywhere until end users fix it manually or wait for their browsers to be updated.

Source: http://www.wired.com/2014/10/poodle-explained/
 

How to check your end user’s computer browser to make sure it is not vulnerable?

Open this link in all your browsers and see what it says:

https://www.poodletest.com/

“If you see a poodle below, then your browser supports SSLv3 via block ciphers, and you may be vulnerable. If you see a Springfield Terrier below, your browser doesn’t support SSLv3, or only supports SSLv3 using stream ciphers.”

If vulnerable, every single user may need to consider fixing it manually, or remain unsecured for all online payment and form-submission processes on your site.

How long to wait for a browser update?

Firefox announced it will update by November 24-26, 2014; some other browsers next year; and some did not announce anything about SSLv3 at all, as Apple always does.

Random notes for further reading about the POODLE hack of SSLv3

Please notice the underlined phrases, which are important to think about.

  • Vulnerability in SSL 3.0 Could Allow Information Disclosure

    List of affected Microsoft software: https://technet.microsoft.com/en-us/library/security/3009008.aspx

    One of the suggested solutions from Microsoft is to “FIX” your local computer, which is entirely up to you, and you can do it at your own risk. I will do it after November 4, when some payment gateway processors will stop supporting SSLv3.
    If I have problems I will try this solution:

    For Client Software

    You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
       Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3. On the Edit menu, click Add Value.
    4. In the Data Type list, click DWORD.
    5. In the Value Name box, type Enabled, and then click OK.
       Note: If this value is present, double-click the value to edit its current value.
    6. In the Edit DWORD (32-bit) Value dialog box, type 0.
    7. Click OK. Restart the computer.

    Note This workaround will disable SSL 3.0 for all client software installed on a system.

    Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.

  • The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3.
    Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails.
    An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session. Google’s security team has recommended that systems administrators simply turn off support for SSLv3 to avoid the problem. But this will mean that some users trying to connect securely to a web server using SSLv3 will have trouble connecting if they’re using a client that only supports this protocol.
  • SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

    “This attack is really against clients—you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no one man-in-the-middling you except the NSA. So as a home user, you don’t need to panic. As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi.”…Source: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
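The two mechanisms described above, the browser's retry-with-an-older-version fallback that an attacker can trigger and the TLS_FALLBACK_SCSV signal that lets a server refuse such a retry, are easier to reason about as a small model. The simulation below is an added example, not code from Google's post or from this page, and it is a deliberately simplified model of the handshake: only the protocol version and the presence of the fallback signal are exchanged, and the "network" merely drops hellos above a chosen version. The class and function names (Server, Network, connect, run_scenarios) are my own. It shows four outcomes: an honest network negotiates TLS 1.2; a legacy client and server under interference end up on SSLv3, which is where POODLE applies; the same interference with TLS_FALLBACK_SCSV on both ends is refused by the server with an inappropriate_fallback alert; and a server with SSLv3 switched off simply fails rather than downgrading.

```python
"""Model of browser protocol fallback, with and without TLS_FALLBACK_SCSV (RFC 7507)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Protocol versions, oldest first; index() gives their order.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass
class ClientHello:
    version: str
    fallback_scsv: bool = False   # TLS_FALLBACK_SCSV present in the offered cipher list


@dataclass
class Server:
    supported: List[str]   # versions this server still accepts
    honours_scsv: bool     # whether it implements the RFC 7507 check

    def handle(self, hello: ClientHello) -> str:
        """Return 'ok:<version>' or 'alert:<reason>' for one ClientHello."""
        if hello.version not in self.supported:
            return "alert:protocol_version"
        best = max(self.supported, key=VERSIONS.index)
        # The fallback signal on a hello that is below what we could have
        # negotiated means the earlier, better attempt was interfered with.
        if (hello.fallback_scsv and self.honours_scsv
                and VERSIONS.index(hello.version) < VERSIONS.index(best)):
            return "alert:inappropriate_fallback"
        return f"ok:{hello.version}"


@dataclass
class Network:
    """The path between client and server; block_above=None models an honest network."""
    block_above: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def deliver(self, server: Server, hello: ClientHello) -> str:
        if self.block_above and VERSIONS.index(hello.version) > VERSIONS.index(self.block_above):
            self.log.append(f"client -> server: ClientHello {hello.version} (lost on the wire)")
            return "alert:connection_reset"
        scsv = " +TLS_FALLBACK_SCSV" if hello.fallback_scsv else ""
        self.log.append(f"client -> server: ClientHello {hello.version}{scsv}")
        reply = server.handle(hello)
        self.log.append(f"server -> client: {reply}")
        return reply


def connect(server: Server, net: Network, client_versions: List[str], use_scsv: bool) -> str:
    """Browser-style fallback: on failure, retry with the next older version."""
    order = sorted(client_versions, key=VERSIONS.index, reverse=True)
    for attempt, version in enumerate(order):
        # RFC 7507: every retry after the first carries the fallback signal.
        hello = ClientHello(version, fallback_scsv=(use_scsv and attempt > 0))
        reply = net.deliver(server, hello)
        if reply.startswith("ok:"):
            return reply
        if reply == "alert:inappropriate_fallback":
            return reply   # the server caught the downgrade; stop retrying
    return "failed"


def run_scenarios() -> Dict[str, str]:
    """The four situations discussed in the text; returns scenario -> outcome."""
    return {
        # honest network: the best common version is negotiated on the first try
        "honest": connect(Server(VERSIONS, True), Network(), VERSIONS, True),
        # every TLS hello is lost; legacy client and server end up on SSLv3
        "downgraded": connect(Server(VERSIONS, False), Network(block_above="SSLv3"), VERSIONS, False),
        # same interference, but both sides honour TLS_FALLBACK_SCSV
        "scsv": connect(Server(VERSIONS, True), Network(block_above="SSLv3"), VERSIONS, True),
        # server has SSLv3 disabled: the retry fails instead of downgrading
        "sslv3_off": connect(Server(VERSIONS[1:], False), Network(block_above="SSLv3"), VERSIONS, False),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10s} -> {outcome}")
```

Note what each outcome means operationally: "ok:SSLv3" is the state the post warns about, "alert:inappropriate_fallback" is the SCSV mitigation working (the client never lands on SSLv3, and the same check also refuses a forced drop from TLS 1.2 to 1.0), and "failed" is the cost of disabling SSLv3 on the server, which is exactly the compatibility trade-off Google's text describes.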

More to come later

Find and Replace Text in MySQL Database

How to Find and Replace Text in MySQL Database using SQL query.


REPLACE is a function that returns the string text_string with all occurrences of the string from_string replaced by the string to_string, where matching is case-sensitive when searching for from_string.

text_string can also be retrieved from a field in a database table. The REPLACE() function can be used in most SQL statements, especially SELECT and UPDATE data manipulation statements.

Example:

update TABLE_NAME set FIELD_NAME = replace(FIELD_NAME, 'find this string', 'replace found string with this string');

update customer_table set company_name = replace(company_name, 'The Wolf of Wall Street', 'The Tiger of Wall Street');

This MySql query/statement will replace all instances of ‘The Wolf of Wall Street’ to ‘The Tiger of Wall Street’ in the field of company_name of customer_table table.

One more small and useful query.

Rename or change name of MySQL table.

Renaming an existing MySQL table, with or without data in it, is no problem. One simple command will change the table's name:

RENAME TABLE mike TO ann;

you can find more here too: mydigitallife.info
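Before running an UPDATE ... REPLACE() against a production table it is worth previewing how many rows it will touch, binding the search and replacement strings as parameters rather than pasting them into the query, and remembering that REPLACE() matches case-sensitively. The following Python script is an added example, not part of this post or of MySQL's documentation; it uses the sqlite3 module that ships with Python as a stand-in for MySQL because both support REPLACE() and INSTR() with the same semantics, and the sample rows are constructed. The one syntax difference is the rename at the end: MySQL writes RENAME TABLE mike TO ann, SQLite writes ALTER TABLE mike RENAME TO ann.

```python
"""Preview and apply a REPLACE()-based find-and-replace; sqlite3 stands in for MySQL."""
import re
import sqlite3
from typing import List

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name: str) -> str:
    """Table and column names cannot be bound as parameters, so allow-list them instead."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def open_sample_db() -> sqlite3.Connection:
    """Constructed rows; the lower-case one shows that REPLACE() matches case-sensitively."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer_table (id INTEGER PRIMARY KEY, company_name TEXT)")
    con.executemany("INSERT INTO customer_table (company_name) VALUES (?)", [
        ("The Wolf of Wall Street",),
        ("The Wolf of Wall Street Ltd",),
        ("the wolf of wall street",),
        ("Acme Corp",),
    ])
    con.commit()
    return con


def count_matches(con: sqlite3.Connection, table: str, column: str, find: str) -> int:
    """Dry run: how many rows the UPDATE would touch (INSTR() returns 0 when not found)."""
    t, c = _ident(table), _ident(column)
    return con.execute(f"SELECT COUNT(*) FROM {t} WHERE INSTR({c}, ?) > 0", (find,)).fetchone()[0]


def find_and_replace(con: sqlite3.Connection, table: str, column: str, find: str, repl: str) -> int:
    """UPDATE t SET c = REPLACE(c, find, repl), restricted to matching rows; returns rows changed.

    The WHERE clause keeps the row count honest in both engines: without it SQLite
    reports every row as updated even when REPLACE() changed nothing.
    """
    t, c = _ident(table), _ident(column)
    cur = con.execute(
        f"UPDATE {t} SET {c} = REPLACE({c}, ?, ?) WHERE INSTR({c}, ?) > 0", (find, repl, find))
    con.commit()
    return cur.rowcount


def rename_table(con: sqlite3.Connection, old: str, new: str) -> None:
    """MySQL: RENAME TABLE old TO new.  SQLite: ALTER TABLE old RENAME TO new."""
    con.execute(f"ALTER TABLE {_ident(old)} RENAME TO {_ident(new)}")
    con.commit()


def column_values(con: sqlite3.Connection, table: str, column: str) -> List[str]:
    t, c = _ident(table), _ident(column)
    return [row[0] for row in con.execute(f"SELECT {c} FROM {t} ORDER BY id")]


if __name__ == "__main__":
    db = open_sample_db()
    print("rows that would change:", count_matches(db, "customer_table", "company_name", "The Wolf of Wall Street"))
    print("rows changed:", find_and_replace(db, "customer_table", "company_name",
                                            "The Wolf of Wall Street", "The Tiger of Wall Street"))
    rename_table(db, "customer_table", "ann")
    print(column_values(db, "ann", "company_name"))
```

The identifier allow-list matters when the table or column name comes from a form or an admin screen: those parts of the statement cannot be parameterized, so validating them is the only defence against someone smuggling extra SQL in through a "table name".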

Heartbleed Security Update

Originally posted on WordPress.com News:

Last week, a very serious bug in OpenSSL was disclosed.  OpenSSL, a set of open source tools to handle secure communication, is used by most Internet websites.  This bug, nicknamed Heartbleed, allowed an attacker to read sensitive information from vulnerable servers and possibly steal things like passwords, cookies, and encryption keys.

Was WordPress.com vulnerable to Heartbleed?

Yes. WordPress.com servers were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.

Has WordPress.com fixed the issue?

Yes. We patched all of our servers within a few hours of the public disclosure.

Has WordPress.com replaced all SSL certificates and private keys?

Yes. Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated…


How to Avoid Answering Questions? 9 TECHNIQUES FOR EVADING A DIRECT QUESTION

How to Avoid Answering Questions You Cannot Answer


1. Ask the person who asked you the question another question. They’ll respond to your question and hopefully forget about their own.

2.  Take your cell phone out and pretend you got a call. Try to become so involved with it, they’ll forget about the question, or get bored and decide to find somebody else to talk to.

3. Be honest. Simply say, “I’m not sure how to answer that.” If it’s somebody that really cares about you, they will drop the question.

 

9 TECHNIQUES FOR EVADING A DIRECT QUESTION

1. You can ask a counter-question on the same subject, or a question from a completely different area. Let them think you are badly brought up; peace of mind is worth more. Celebrities and politicians handle intrusive questions from reporters in exactly this way.

2. If the question is not posed correctly enough, it can be left unanswered. Pretend you did not hear it or did not understand what it was about. Parry the question with a joke; humour is always appropriate.

3. If nature gave you the gift of eloquence, pour out words. The more words that commit you to nothing, the better. Answer the direct question in a way that confuses the other person. “Mirror” the question, mentally putting the other person in your place.

4. Respond to one question with a flood of clarifying questions. Do it with a sincere expression, to convince the person of your interest. This will disconcert your opponent.

5. Find out why the other person is asking this question. What goal are they pursuing? Goals can be noble or base. This way you shift the attention entirely onto your opponent.

6. If you do not want to answer a direct question, or do not know the answer, flatter the other person by praising their resourcefulness and intelligence. Meanwhile, quietly steer the conversation in another direction.

7. Offer to discuss how the question itself is posed, reformulating it and smoothly turning the conversation from an interrogation into a debate.

8. Ignore the inconvenient question, or answer: “I don't know, I haven't thought about it.” Brazenly tell the other person that it does not interest you and “Let's talk about you instead.”

9. Rudely cut the other person off, making it clear that they are crossing the accepted bounds of decency. As a last resort you can raise your voice and go into open conflict; the end justifies the means.

Easy htaccess tricks

The .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers that allows for decentralized management of web server configuration. Such files are placed inside the web tree and are able to override a subset of the server’s global configuration for the directory they are in and all of its sub-directories.

The original purpose of .htaccess—reflected in its name—was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc.

Redirect the whole site except one directory: a 301 redirect of all pages to the new site except one directory

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/keepthis-directory/
RewriteRule (.*) http://www.youneeditall.com/$1 [R=301,L]

If you get a 500 Internal Server Error, double-check that you have a space between } and ! on the second line. You can even keep just a sub- or sub-sub-directory:

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/keepthis-directory/andthis
RewriteRule (.*) http://www.youneeditall.com/$1 [R=301,L]

keepthis-directory - replace with the name of the directory you would like to keep live without redirecting
andthis - the name of the sub-directory that is also important to keep


Permanent (301) and temporary redirects.

This will permanently redirect ONLY the home page to the new site:
RedirectMatch 301 ^/$ http://www.youneeditall.com/

The rules below will redirect all pages to the new site. They are shown commented out with ##; remove the ## to activate them. (HTTP_HOST never contains a trailing slash, so the patterns end in $ and not /$, and the dots are escaped so they match literally.)
<IfModule mod_rewrite.c>
##RewriteEngine On
## RewriteCond %{HTTP_HOST} ^domainbuyitnow\.com$ [NC,OR]
## RewriteCond %{HTTP_HOST} ^www\.domainbuyitnow\.com$ [NC]
##RewriteRule (.*)$ http://www.youneeditall.com/$1 [R=301,L]
</IfModule>

This allows you to redirect your entire website to any other domain:

Redirect 301 / http://www.youneeditall.com/

Speedup your site rules

Compress output using GZIP

Add following snippet into your htaccess file and compress all the css, js, html files with GZip compression.

<IfModule mod_gzip.c>
    mod_gzip_on       Yes
    mod_gzip_dechunk  Yes
    mod_gzip_item_include file      \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler   ^cgi-script$
    mod_gzip_item_include mime      ^text/.*
    mod_gzip_item_include mime      ^application/x-javascript.*
    mod_gzip_item_exclude mime      ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
This code works only if the mod_gzip module is enabled in your web server.

Set far-future Expires headers for static files (this needs mod_expires):
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 1 day"

# Cache Headers
<IfModule mod_headers.c>
# Cache specified files for 31 days
<FilesMatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
Header set Cache-Control "max-age=2678400, public"
</FilesMatch>
# Cache HTML files for a couple of hours
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=7200, private, must-revalidate"
</FilesMatch>
# Cache PDFs for a day
<FilesMatch "\.(pdf)$">
Header set Cache-Control "max-age=86400, public"
</FilesMatch>
# Cache JavaScript for 31 days
<FilesMatch "\.(js)$">
Header set Cache-Control "max-age=2678400, private"
</FilesMatch>
</IfModule>

You may want to add the following snippet if your web server provides mod_deflate support; use it instead of, not together with, the mod_gzip block above. Note that a <Location> block is only valid in the main server or virtual host configuration; in a .htaccess file drop the <Location> wrapper and keep the three directives inside it.
<Location />
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \
        \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \
        \.(?:exe|t?gz|zip|gz2|sit|rar)$ no-gzip dont-vary
</Location>
more to come later
check this out:

Google Custom Search Engine

 Google Site Search options.

Custom Search Engine (free) and Google Site Search (from $100/year).

What is the difference between the Custom Search Engine and Google Site Search?

Before I got an answer from Google support, I found it in the developers area.

Custom Search Engine comes in two flavors: Custom Search Engine (free) and Google Site Search (from $100/year).

Google Site Search lets you create search engines that do not include ads and that remove Google branding (if you so choose). In addition, Google Site Search customers can retrieve results in XML, so that you have more control over how the results are presented to your users.

For Google Site Search customers only:

If you have a Google Site Search license, you can use the Google WebSearch service to retrieve and display Google search results on your own websites. The WebSearch service uses a simple HTTP-based protocol to serve search results. Google then returns search results in XML format.

View the XML reference guide.

More to come later…

 

For SEO Tips and Tricks From Nikolay Gul – Web Designer and Web Developer in Syracuse: http://www.youneeditall.com/search-engine-marketing/seo-tips.html