Last Monday, news broke about a key vulnerability in the primary encryption method used to ensure the security of the web sites we use. If your eyes just glazed over during that last sentence, it’s time to put on a pot of coffee and see why this is a potential threat for you…and what you can do about it.
The Story and the Danger
If you do Internet shopping, banking, and web-based email, you have made use of an “https” connection. This connection, also known as an SSL/TLS (Secure Sockets Layer/Transport Layer Security) connection, is designed to ensure the privacy and security of your interaction.
The key provider of SSL/TLS is OpenSSL, an open-source project. As a majority of web servers, routers, and other network connections make use of OpenSSL, the potential for stolen passwords and other critical data is high, especially since software designed to exploit this vulnerability has also been discovered.
While the vulnerability is limited to a couple of recent versions of OpenSSL, the pervasiveness of the protocol increases the chance your information can be stolen and used.
How does this affect me?
Unlike the hacks at Target and other companies, this is not a localized threat. Using encrypted connections is at the heart of our Internet commerce and communication. Since we all use credit cards, communicate with banks, and share passwords and other personal data over SSL/TLS connections, that data could have been at risk.
The challenge in this case is that unless you encounter signs of theft (credit card use, account hacking, identity theft), there is no way to determine whether your data has been compromised. In security blogger Brian Krebs’s story on this topic, he quoted Jonathan Sander of Stealthbits Technologies as saying, “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it.”
This sounds awful scary…
Yes, it does, largely because of the uncertainties involved. A lot of people who manage web sites have been working very hard to correct this problem. Sites like Tumblr, Facebook, Instagram, Pinterest, Dropbox, Intuit (TurboTax, Quicken) and Google announced their sites are now patched to prevent future incursions. The Canada Revenue Agency shut down its taxpayer sites until servers could be patched or features with the vulnerability are disabled.
Other sites that have NOT been affected according to company statements include Twitter, Microsoft services, PayPal, Amazon, AOL, and LinkedIn. Most major US banks and brokerages, according to Mashable.com, are also safe from Heartbleed attacks, as are a number of regular retailers, including Target.
…but is getting better.
Over the last week, web sites that have been affected have been fixing Heartbleed so they are no longer vulnerable. A scan of the top 10,000 web sites on April 8th, one day after the public announcement, showed 630 still vulnerable to attack. A follow-up scan on April 10th showed this number at 137. By the 11th, this was down to 104 sites. The scans come from a service set up by Filippo Valsorda, an Italian security expert.
So, one part of this problem, current vulnerability, is being addressed by most web site owners. That window of vulnerability is closing.
However, the danger isn’t over until you take some actions. After all, this bug was in place for two years and there is a chance that your passwords and other personal information have already been taken for use or sale. You now need to reduce your own vulnerability.
What should I be doing?
Be prepared to change passwords on the affected web sites…once you know that the site has been able to correct the problem. It’s important to confirm that the site is now safe before changing passwords.
Key questions to answer:
Determine if the web site is affected by the vulnerability. There are a few ways to figure this out if the web site that concerns you was not listed above.
Look for a notice on your website regarding OpenSSL or Heartbleed. Search for news accounts of your site and press releases it might have made. Many sites have sent emails over the last few days advising their customers about the site’s vulnerability or need to change passwords. Check your Spam or Junk Mail folder in case the message was diverted there.
Besides Mashable’s list, you can look at this comparison list Filippo Valsorda built using his lists of the top ten thousand web sites to see if your web site was listed as vulnerable. Filippo has listed sites that were vulnerable earlier in the week and whether they are still vulnerable.
Lastly Filippo has a test site at http://filippo.io/Heartbleed/. If your site passes, it is either because the vulnerability has been fixed or it wasn’t affected at all.
Change passwords on any sites that you believe had the vulnerability once the bug has been eliminated. The point of changing passwords is to eliminate further access to information using passwords acquired prior to the bug being fixed.
Keep an eye on your credit and accounts. Since we don’t know who, if anyone, might be affected during the two years this vulnerability was open, it’s a good idea to watch your credit card purchases and account information a little closer. If unusual activity occurs, report it promptly to the institution or site account manager.
Why this bug is called Heartbleed
The bug is based in an extension of OpenSSL called Heartbeat, which keeps the secure connection active even when no data is being transmitted. Heartbleed allows someone to eavesdrop on communications and even impersonate services and users.
If you are interested in how something like Heartbleed works, this comic rendition by Randall Munroe of xkcd.com does a great job of explaining it.
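For readers who want to see the idea in code: a heartbeat message carries a length field saying how many bytes of payload the sender wants echoed back, and the Heartbleed bug was that vulnerable OpenSSL versions trusted that number without comparing it to what actually arrived. The C sketch below is an added example, not code from OpenSSL or from this post; it follows the message layout in RFC 6520, and the function names and sample messages are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   1 byte    type (1 = request, 2 = response)
 *   2 bytes   payload length, big-endian, as CLAIMED by the sender
 *   N bytes   payload
 *   16+ bytes padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_MIN_PAD  16

/* Result codes; names are hypothetical, chosen for this example. */
enum { HB_OK = 0, HB_DISCARD = -1, HB_NO_SPACE = -2 };

/* Build the reply to the heartbeat message in rec[0..rec_len).
 * Returns HB_OK and sets *out_len, or a negative code. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    /* Too short to be a heartbeat at all, or not a request: drop it. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return HB_DISCARD;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check that was missing: the claimed payload plus header and
     * padding must fit inside the bytes that were really received.
     * Without it, the copy below reads past the message into
     * neighbouring memory and sends it back to the requester. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return HB_DISCARD;

    size_t need = HB_HEADER + claimed + HB_MIN_PAD;
    if (need > out_cap)
        return HB_NO_SPACE;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* RFC 6520 asks for random padding; zeros keep the example short. */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);
    *out_len = need;
    return HB_OK;
}

/* Test helper: writes a constructed request whose length field says
 * `claimed` while the payload really is payload_len bytes long. */
size_t hb_make_record(uint8_t *buf, size_t cap, uint16_t claimed,
                      const char *payload, size_t payload_len)
{
    size_t total = HB_HEADER + payload_len + HB_MIN_PAD;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, payload_len);
    memset(buf + HB_HEADER + payload_len, 0, HB_MIN_PAD);
    return total;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t n = 0, len;

    /* Constructed sample 1: length field matches the 3-byte payload. */
    len = hb_make_record(rec, sizeof rec, 3, "HAT", 3);
    printf("claims 3, sent 3:   result %d\n",
           hb_build_response(rec, len, out, sizeof out, &n));

    /* Constructed sample 2: length field says 500, payload is 3 bytes. */
    len = hb_make_record(rec, sizeof rec, 500, "HAT", 3);
    printf("claims 500, sent 3: result %d\n",
           hb_build_response(rec, len, out, sizeof out, &n));
    return 0;
}
```

The second message is silently discarded, which is what patched servers do with a heartbeat whose length field does not match its contents.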
How bad is this, really?
From the Internet perspective, this is pretty bad and a lot of people have been scrambling about to fix things. From your perspective, it could be bad if you haven’t changed passwords on vulnerable sites once they are fixed.
In the long term, this is probably just a glitch from which we all will recover. In the meantime, taking the proper precautions will help it stay as a glitch for you.
Last week, I shared a graphic on the current market share for desktop operating systems. Unfortunately, while the data I fed was accurate, the percentages listed on the chart were not accurate. My apologies.
This discrepancy did not affect the versions of Mac OS X more than a percentage point (the subject of my posting), but it did skew the percentages of Windows versions. Windows XP was listed at 24% and should have been 29 and a half percent. Windows 7 should have been over 47% but ended up at 39%. For the chart below, I updated last week’s worldwide usage chart to show March’s figures and the date of each OS release.
Errors or not, these figures do show there are still a lot of Windows XP users out there and Microsoft is ending support for the operating system in just a few days. It’s almost as if most of the townspeople of Windows XP have been evacuated to safer ground and nearly 3 out of 10 folks have decided to stay in town.
Sticking It Out with Windows XP
(Illustration by Tony Auth)
There are a lot of reasons why people stay in their homes in the face of potential danger. A 2009 study in the journal Psychological Science of those who stayed in Hurricane Katrina’s danger zone showed many of them felt they didn’t have a choice, whether because of money, community roots, or other local considerations. While a Windows upgrade is not in the same league as Hurricane Katrina, many of the same motives keep people from upgrading:
Cost – While computers built in the last five years do well upgrading to Windows 7 or 8/8.1, computers sold in the first eight years are probably lacking in processor capability (single core), memory (one GB or less) or are simply too worn out to do an upgrade. That means buying a new computer. Though you can get a new and more advanced desktop system for the same price the old one cost, it’s still an expense above and beyond others.
Dedicated Equipment – Some XP owners hang on to the OS because it is necessary to run older equipment that isn’t supported under a new OS. I have seen this in film recorders, plotters, or old printers. The reason is that the manufacturers of these devices either no longer exist to provide device drivers or they have chosen not to do so. While Windows provides numerous ways through its Compatibility Mode or virtual machines to simulate a Windows XP environment for old software, a lack of available drivers can prevent an upgrade.
Fear and Uncertainty – The consequence of having an operating system around for 13 years is that people become unaccustomed to change in the face of all the other changes around them. For many consumers, Windows XP was the first operating system on their first computer. In that scenario, leap-frogging from XP over four versions to a different-looking Windows 8.1 is terrifying. For businesses that spent thousands of dollars on the creation of internal business applications around Internet Explorer 6 (Windows XP’s default web browser), the uncertainty and cost around retooling keeps the OS in business.
On April 8th, those folks staying in town with Windows XP will be tested along with users of Microsoft Office 2003 when Microsoft officially stops supporting these products. What can they do?
I talked a bit about this in February and have a few more insights today that might help the 27.69 percent-ers buy some additional time or at least put some plywood up for additional protection.
Things that will still work
- Windows XP will still be installable and automatically activated on a system
- Windows Update will still work and allow you to download currently available updates for Windows XP
- People who have Microsoft Security Essentials installed will still get anti-malware signature updates through July of next year.
- The Malicious Software Removal Tool will still download via Windows Update through July of next year.
Things that will no longer be available
- New Windows XP Security or software updates after April 8th
- Downloads of the Microsoft Security Essentials program itself.
Things that might help
While upgrading to a new version of Windows and purchasing a new system are still the best options, there are still individual things that can be done to reduce risk. There has been speculation about zero-day exploits happening after April 8th.
- Don’t access the Internet. Either unplug your network cable or turn off your computer’s wireless connection. If you must be online, don’t stay online more than necessary. Internet Explorer versions 6, 7, and 8 for Windows XP will not be updated. You should download Google Chrome, Mozilla Firefox or Opera as they will at least be providing browser support on Windows XP for the next year.
- Avoid using the system for email. Email is a common entry point for phishing attacks. While some people argue that web-based email is safer, systems still get infected by clicking on content in webmail.
- Remove Java, if installed. Java has traditionally been an entry point for malware on Windows.
- Keep programs like Adobe Flash and Microsoft Office up-to-date so they don’t become an entry point as well.
- Avoid using removable drives. USB-based hard drives or flash drives are another common entry point for malware.
If this appears to be onerous or too-restrictive, you probably should look again at upgrading or a new computer purchase. It takes more work to stay safe in a tough neighborhood and the town of Windows XP is now in a real-tough neighborhood.
At Sunday’s Computer Q&A at the Commons, one of the participants shared her experience at a local Apple store while buying a new Mac. Multiple employees assured her that she didn’t need any anti-virus software. I was shocked that they told her the only reason they needed malware protection was if the system would also be booting Windows.
Yes, Macs can “dual-boot” between Apple’s OS X and Microsoft Windows if set up to do so. If you do that you should definitely add an anti-virus to your Windows installation if one is not already available.
However, minimizing the risk of malware infection on OS X itself is the kind of response I would have expected a few years ago, not in a contemporary Apple Store.
My Virus Roots
Ironically, the first virus I ever personally encountered was a Mac virus called WDEF in 1990. I was managing tech support for a small company making both Mac and PC software. Like most viruses of that period, WDEF’s primary goal was to simply keep replicating itself, hitching a ride on any available floppy disk to go from Mac to Mac.
While WDEF did cause some specific Mac II models to crash, that was due more to bugs in the virus than any malicious intent. WDEF first made its appearance in 1989 amongst colleges and universities. It was accidentally shared through some disk-based computer magazines and some commercial software, including a version of Microsoft Excel for the Mac, released in 1990.
It made its way to our door through Grammatik, one of the first grammar-checking programs available for either the PC or the Mac. It was also easy to remove, thanks to one of the first commercial anti-virus programs available, Symantec AntiVirus for the Macintosh or SAM as it was more commonly known. This was about the time that Peter Norton’s company merged with Symantec but a good five years before Norton launched Norton Anti-Virus for Windows 95.
So Why Do People Think Macs are Immune to Viruses?
People aware of the Mac’s viral past say that OS X’s multiuser functionality, improved component isolation and better security eliminated most technical concerns about viruses. Of course, that was the same argument used about the same time for Windows XP over earlier versions of Windows. While OS X, Windows, and malware have all continued to evolve, these opinions also continue to be shared as fact:
“OS X has fewer flaws than Windows”
A flaw is a general term, but if we narrow the definition to a vulnerability that can be exploited by malware, there are some good reasons why people might think this. Because of business customer needs, Microsoft has created a predictable and quite public monthly update time known as Patch Tuesday to provide updates and security patches. This and regular press coverage of these security updates can give the impression of Windows as an extraordinarily flawed system.
Apple’s updates and security patches are less predictable or publicized. Apple’s only security update this year was at the end of February. It lists 19 security fixes and one additional update for its Safari web browser in recent versions of OS X. Microsoft’s total security updates this year for all Windows versions and Internet Explorer were two in January, seven in February, and four released in March, a total of 13.
“OS X does not get viruses like Windows does”
Yes, OS X does not have the same technical “attack vectors” (as security experts call them) that Windows has. However, there are many similarities in how malware can infect Mac and Windows systems.
Third-party components like Oracle’s Java or Adobe Flash have been a popular vehicle for Mac malware. Macs are not the only systems with this problem. Most of Windows 8.1’s security updates have been to fix problems with Flash.
Social engineering is a prime cause of infection on both Windows and Mac systems. Anti-virus software not only monitors system vulnerabilities but protects users who may be deceived into installing something unknowingly harmful. Some people have argued that adding an anti-virus to a Mac will lead to a false sense of security. Telling people that Macs don’t get viruses could have the same result without any protection.
“OS X is a less attractive target than Windows because of its small user base”
It is true that OS X Mac users make up only about 7.5 to 15 percent of the computer market, depending on who is counting (examples, NetMarketShare, StatCounter). While Windows has a bigger bull’s eye for malware developers and distributors to hit, it doesn’t mean that Mac users are more secure.
Some Apple employees discovered that firsthand in February 2013 when their systems were infected through flaws in a third-party plug-in. As security expert Charlie Miller said at the time, “The only thing that was making [a Mac system] safe before is that nobody bothered to attack it. That goes away if somebody bothers to attack it.”
Last year at their Worldwide Developers Conference, Apple announced its Mac install base had grown to 72 million machines. Though still a low percentage of systems overall, if a majority of that installed base is not using anti-virus protection, it sounds like fertile ground for an attack.
So what can you do to protect your Mac?
Start with a greater awareness of how your system can be attacked from a technical and social standpoint.
- Update OS X promptly. Any system vulnerabilities for which Apple has released fixes need to be patched as soon as possible. Otherwise Apple’s security update notices simply become a menu for how the bad guys can attack your system. If you are still running an earlier version of OS X, consider upgrading to Mavericks as it will protect you better than previous OS versions.
- Update or eliminate third-party apps and plug-ins. Old versions of Java and Flash provide plenty of opportunities for malware infection. If you need them for programs you run or websites you visit, update them. If you don’t, remove them. In addition, unpatched applications like Microsoft Word 2008 can be susceptible to “boobytrapped” documents. Documents of this type were circulated amid allegations of abuse in Tibet, Syria and East Turkestan in the last year.
- Be mindful of what you install or consent to. With human factors a major input point for Mac malware, you need to be smart about your actions. Think twice about opening email attachments, especially if the sender is unknown to you or it is something a known sender would not normally send.
- Know what you are actually clicking on in an email message or unusual web link.
- Avoid peer-to-peer networking connections like “torrents” as they can often contain malware.
- Add an anti-virus monitor. As with Windows installations, there are free tools like Sophos’ Antivirus for Mac or avast! Free Antivirus or paid versions like ESET Cyber Security or Kaspersky Internet Security. An added benefit of many of these tools is the ability to detect Windows-based malware and avoid passing it on to others.
Those of you who have heard me speak before on security know this is the same advice I share with Windows PC users. Since Windows and Mac users live in the same world, it makes sense to take the same precautions.
Even if statistically, Mac users are less likely to be infected, the distinction fades pretty quickly the moment you become that statistic. Protect yourself from that moment.
“Brian! Glad I was able to reach you. I have a Mystery.”
“Hi, Dad. What’s the problem?”
“I was typing a letter and, suddenly everything disappeared!”
“Okay, I assume you were typing in Word then, right?”
“What were you typing when everything disappeared?”
“It was the name of an airport. I am traveling again.”
“Let me guess…you were actually typing the word “Airport” at the time, the screen flashed and you were left with part of the word.”
“I don’t know about the flash, I was looking at the keyboard, but you are right about the rest. I only have the “ir” left. That’s when I noticed the rest missing.”
“I think we can get it back, Dad. Hold down the Ctrl key and tap “Z” a few times while watching the screen. Once the “ir” disappears, your text should reappear. You are reversing your keystrokes.”
“It’s back! You are a miracle worker. I see everything back, highlighted.”
“Good. Make sure you click outside the highlighted selection before you type again. Otherwise you might lose it again.”
“Great! Thanks son.”
“Happy to help, Dad.”
Mysteries are a Gift
I love mysteries. Whether it’s technical troubleshooting or a TV murder to solve, I enjoy the process of un-wrapping the situation and working back from an event to find the cause, and, hopefully, a solution.
My Dad’s mystery was actually one we have been through a few times before, though he usually didn’t remember the detail. It also helped that I had experienced the same situation and had the benefit of seeing the “flash” I mentioned. Lastly, I had the benefit of knowing what likely was happening behind the scenes.
His problem was rooted in the position of the Ctrl key just below the Shift key on PC keyboards. It’s very easy to hit Ctrl instead of Shift when you intend to capitalize a letter, like that “A” in Airport.
What’s Going on?
The result of the Ctrl+A keyboard combination on the Mac would be to move the typing cursor to the beginning of the line. Ctrl key combinations on the Mac center around moving the cursor, the same convention used by UNIX, the operating system on which the Mac operating system, OS X, was based.
While moving the cursor suddenly can provide some confusion if unintended, the result of Ctrl+A on Windows PCs is a bit more dramatic. The key combination generates a “Select-All” option. For most Windows applications including Microsoft Word, this selects all text and other objects (pictures, charts, shapes). It’s a great alternative to dragging your mouse down a page or multiple pages to highlight everything.
The “OOPs” Sequence
Unfortunately, if you haven’t intended to Select All, it can cause your text to disappear with the next keystroke. Here’s the sequence:
- You are typing madly away without a care in the world
- You hold down the Ctrl key and tap “A” instead of the Shift key to capitalize the letter. All document contents are now selected. You continue to type the word “Airport.”
- All selected items disappear, replaced by “I” or “irport,” depending on how long you type before looking up and noticing everything else is gone.
The Solution to the OOPs Sequence
Ctrl key combinations on Windows keyboards are focused on text formatting, document retrieval and storage. Fortunately, one of those combinations lets you undo a previous operation. Ctrl+Z is known as the “Undo Key.”
How far back you can “undo” actions depends entirely on the program and memory it has allocated for undo operations. Fortunately Word has multiple undo levels. Unless you save the file (removing the undo levels), rolling back is pretty straight-forward. Word also has undo and redo options on which you can click in the document’s title bar.
Macs have an Undo key as well, Command+Z. You will find many of the Windows Ctrl key combinations become Command key combinations on the Mac. Fortunately, the Mac Ctrl key is farther away from the Shift key than the PC Ctrl key, so our problem is less likely to occur.
All is well. Time to reflect and…Excuse me, I should probably take this call.
“Hi, Dad, What’s the problem?…”
Nearly all desktops, laptops, smartphones and tablets have a “lock screen.” But is it just an annoyance that you swipe or click away or is it actually locked with a PIN or password?
An informal poll has been running at AndroidCentral.com for a couple of years, asking a similar question, “Do you use lockscreen security?” The answers are revealing:
According to the data, nearly 56% of respondents don’t use any form of lockscreen security. While this poll is clearly unscientific, it is also pretty alarming. The people who visit AndroidCentral are, according to their demographics, well educated, technically connected, and largely within the ages of 24 to 34. That is the same age range that ProtectYourBubble.com reports are most likely to have their phones stolen.
It’s one of those common scenarios that happen to most mobile device users … setting down a smartphone or tablet and then not finding it. Back in 2011, Lookout.com presented a survey of the smartphones whose owners used the service to track their lost or stolen phones. The Seattle area ranked 2nd behind Philadelphia when it came to losing phones, averaging twice a year per person.
Sometimes a lost phone is just a matter of forgetfulness. You often retrace your steps and find it. Other times it’s just gone, picked up by others curious about an unattended device or those simply intent on stealing it and its contents.
Why Its Contents?
Today’s smartphones hold a lot of information. Besides your email and contacts list, a phone might contain attachments with personal financial information, links to your favorite retail or banking websites, and social networking sites. To be most efficient, most of us cache our access passwords to these sites so we don’t have to keep entering a password each time. It’s very convenient for us … and equally convenient for those who are interested in stealing our identity and defrauding our friends and family. That might not be the person who snatched your phone, but it could be the person who buys your phone from them.
Symantec conducted a study called the “Symantec Honey Stick Project” in which they left 50 smartphones in publicly accessible areas like elevators, malls, and public transit in five major cities. Each phone was seeded with fake information, and apps installed tracked the activity on the phone and its location after it was “lost.”
The good news was that half of the smartphones lost were returned. The bad news was how much information on each phone was accessed.
While accessing some pictures, social networking contacts, or email might have suggested an altruistic motive of contacting the phone owner, much of the access did not.
Can You Track Your Stolen Device?
Yes, it is possible. A device can be tracked if it is connected to the web and its hardware or software supports tracking.
Phones are easier to track because they are connected to a cellular network that regularly checks in with local cell towers. This and GPS information is how 911 dispatch centers are able to track phone locations in an emergency. While most tablets and laptops are not on a cellular network, they do use Wi-Fi and can be tracked.
If you do authorize tracking software to use these technologies, it can allow you to track and remotely manipulate your phone, even allow you to wipe its contents. Apple laptops, tablets, and phones can use its Find My iPhone service to do this. Windows Phone provides these same services through My Windows Phone. If you have a Windows 8 tablet, look for the Locate My Tablet app in the Windows Store to tie your device to the My Windows Phone service.
For Android and other systems, there are a number of options. These range from a long-time open source project (Prey) to mainstream anti-virus makers (Norton, avast!, Kaspersky) to mobile-focused products (Lookout, Cerberus, Android Lost).
While all these systems can be very helpful, the best course of action is to protect yourself from losing your mobile device in the first place.
So How Do You Protect Yourself?
Start by changing how you handle your mobile device in public places. Lookout lists the types of places in the Seattle area you are most likely to lose a phone, typically eating or shopping locations.
Don’t publicize the presence of tablets or smartphones by setting them on counters or tables, or having them out while boarding public transit. This reduces the opportunity for thieves watching for opportunities to grab and run off with devices, especially when the user is near an exit.
Avoid displaying these devices or laptops in parked cars. If you must leave them in the car, discreetly place them in the trunk. And, of course, don’t leave them unattended at any time.
Make sure you add a PIN or password to your mobile device’s lock screen. Here is how to do that:
- Mac – To Set: Apple menu/System Preferences, click Security & Privacy, and then click General, select “Require password for sleep and screen saver.” To Use: Ctrl+Shift+Eject or Ctrl+Shift+Power to blank screen.
- Windows Vista/7 – To Set: Windows XP-7: Start/Control Panel/User Accounts and Family Safety/User Account/ create a password for your account.
- Windows 8 – To Set: (If not using a Microsoft Account) Settings Charm/Change PC Settings/Users/Create a Password or Create a PIN.
- Windows 8.1 – To Set: (If not using a Microsoft Account) Settings Charm/Change PC Settings/Accounts/Sign-In Options/Create Password or Add PIN.
- Windows (All versions) – To Use: Windows key+L or Tap User Name/Lock (Windows 8/8.1).
- Android – To Set: Settings/Lock Screen/Select screen lock/PIN or Password. To Use: Tap Power Button to blank screen.
- iOS (iPhone/iPad) – To Set: Settings/General/Passcode Lock/PIN or Passcode. To Use: Tap Power Button to blank screen.