What should you do about “HeartBleed?”

The following was originally posted on the Shoreline Area News, March 13, 2014 as part of the Tech Talk series

Last Monday, news broke about a serious vulnerability in OpenSSL, the software library that most web sites rely on to encrypt their connections. If your eyes just glazed over during that last sentence, it’s time to put on a pot of coffee and see why this is a potential threat for you…and what you can do about it.

The Story and the Danger
If you do Internet shopping, banking, or web-based email, you have made use of an “https” connection. This connection, also known as an SSL/TLS (Secure Sockets Layer/Transport Layer Security) connection, is designed to ensure the privacy and security of your interaction.

The most widely used implementation of SSL/TLS is OpenSSL, an open-source project. Because a majority of web servers, routers, and other network devices make use of OpenSSL, the potential for stolen passwords and other critical data is high, especially since software designed to exploit this vulnerability is already circulating.

While the vulnerability is limited to a couple of recent versions of OpenSSL (1.0.1 through 1.0.1f, released between March 2012 and January 2014), the pervasiveness of the library increases the chance that your information can be stolen and used.

How does this affect me?
Unlike the hacks at Target and other companies, this is not a localized threat. Encrypted connections are at the heart of Internet commerce and communication. Since we all use credit cards, communicate with banks, and share passwords and other personal data over SSL/TLS connections, that data could have been at risk.

The challenge in this case is that unless you encounter signs of theft (fraudulent credit card use, account hacking, identity theft), there is no way to determine whether your data has been compromised; an attack that exploited this bug leaves no trace in the server’s logs. In security blogger Brian Krebs’s story on this topic, he quoted Jonathan Sander of Stealthbits Technologies as saying, “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it.”

This sounds awful scary…
Yes, it does, largely because of the uncertainties involved. The people who manage web sites have been working very hard to correct this problem. Sites like Tumblr, Facebook, Instagram, Pinterest, Dropbox, Intuit (TurboTax, Quicken) and Google have announced that their sites are now patched to prevent future incursions. The Canada Revenue Agency shut down its taxpayer sites until its servers could be patched or the vulnerable features disabled.

Other sites that were NOT affected, according to company statements, include Twitter, Microsoft services, PayPal, Amazon, AOL, and LinkedIn. Most major US banks and brokerages, according to Mashable.com, are also safe from Heartbleed attacks, as are a number of regular retailers, including Target.

…but is getting better.
Over the last week, web sites that were affected have been fixing Heartbleed so they are no longer vulnerable. A scan of the top 10,000 web sites on April 8th, one day after the public announcement, showed 630 still vulnerable to attack. A follow-up scan on April 10th showed this number at 137. By the 11th, it was down to 104 sites. These scans were run by Filippo Valsorda, an Italian security researcher.

So one part of this problem, sites that are vulnerable right now, is being addressed by most web site owners. That window of vulnerability is closing.

However, the danger isn’t over until you take some actions. After all, this bug was in place for two years, and there is a chance that your passwords and other personal information have already been taken for use or sale. You now need to reduce your own exposure.

What should I be doing?
Be prepared to change passwords on the affected web sites…once you know that the site has corrected the problem. It’s important to confirm that the site is now safe before changing passwords; a new password sent to a still-vulnerable site can be stolen just like the old one.

Key questions to answer:

Determine if the web site is affected by the vulnerability. There are a few ways to figure this out if the web site that concerns you was not listed above.

Look for a notice on the web site regarding OpenSSL or Heartbleed. Search for news accounts of the site and press releases it might have made. Many sites have sent emails over the last few days advising their customers about the site’s vulnerability or the need to change passwords. Check your Spam or Junk Mail folder in case the message was diverted there.
Besides Mashable’s list, you can look at the comparison list Filippo Valsorda built from his scans of the top ten thousand web sites to see if your web site was listed as vulnerable. Filippo lists sites that were vulnerable earlier in the week and whether they are still vulnerable.

Lastly, Filippo has a test site at http://filippo.io/Heartbleed/. If your site passes, it is either because the vulnerability has been fixed or because the site wasn’t affected at all. Note that a passing result only tells you the site is not vulnerable now; it says nothing about whether the site was exposed earlier, so the remaining steps still apply.

Change passwords on any sites that you believe had the vulnerability, once the bug has been eliminated. The point of changing passwords is to cut off further access to your information using passwords acquired before the bug was fixed.

Keep an eye on your credit and accounts. Since we don’t know who, if anyone, might have been affected during the two years this vulnerability was open, it’s a good idea to watch your credit card purchases and account information a little more closely. If unusual activity occurs, report it promptly to the institution or site account manager.

Why this bug is called Heartbleed
The bug is in an extension of OpenSSL’s TLS implementation called Heartbeat, which keeps a secure connection alive even when no data is being transmitted. A client sends a small heartbeat message and tells the server how long it is, and the server is supposed to echo it back. Affected versions of OpenSSL trusted the length the sender claimed without checking it against what was actually received, so a request claiming up to 64 kilobytes got that much of the server’s memory back, which can hold passwords, session cookies, and even the server’s private encryption key. Hence the name: the heartbeat “bleeds” memory. With a stolen private key an attacker can eavesdrop on communications and impersonate the service, and with stolen passwords or cookies, its users.
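
The mistake described above, as an added example that is not OpenSSL’s code and not part of the original article: a stand-alone C simulation of a TLS heartbeat handler, with the vulnerable logic (trusting the peer’s 16-bit length field) beside the fixed version (the bounds check OpenSSL 1.0.1g added). The `heap` array, the `LEFTOVER` session data and the short “ping” request are constructed for the example, and the handler and helper names are the example’s own, not OpenSSL’s.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* heartbeat messages carry at least 16 bytes of padding */

/* Simulated server memory (constructed): the heartbeat record sits at the
 * start, and data left behind by an earlier connection sits right after it. */
static unsigned char heap[256];
static const char LEFTOVER[] = "user=alice&password=hunter2; cookie=SESSION_4f3c9a";

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Stages a request whose length field claims `claimed` payload bytes while only
 * strlen(actual) bytes were really sent. Returns the true record length. */
static size_t stage_request(const char *actual, unsigned int claimed)
{
    size_t alen = strlen(actual);
    size_t rec_len = 1 + 2 + alen + HB_PADDING;        /* type + length + payload + padding */
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + 3, actual, alen);
    memcpy(heap + rec_len, LEFTOVER, sizeof LEFTOVER); /* "old" data beyond the record */
    return rec_len;
}

/* Vulnerable handler (the OpenSSL 1.0.1 to 1.0.1f logic): it never looks at how
 * long the record really is and copies however many bytes the peer asked for. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    unsigned int payload;
    (void)rec_len;                                      /* ignored: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    payload = ((unsigned int)rec[1] << 8) | rec[2];     /* attacker-controlled */
    if (3 + payload > out_cap) return -1;               /* simulation guard only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);                  /* reads past the record: the "bleed" */
    return (int)(3 + payload);
}

/* Fixed handler: the check OpenSSL 1.0.1g added. A request whose declared
 * payload does not fit inside the record actually received is silently dropped. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    unsigned int payload;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;            /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the Heartbleed fix */
    if (3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Stages a 4-byte "ping" whose length field claims `claimed` bytes and runs it
 * through a handler. Returns 1 if the response contains the leftover password,
 * 0 if the response is clean, -1 if the handler rejected the request. */
static int leaks_secret(hb_handler h, unsigned int claimed)
{
    unsigned char out[sizeof heap];
    const char *needle = "password=hunter2";
    size_t m = strlen(needle), i;
    size_t rec_len = stage_request("ping", claimed);
    int n;
    if (3 + (size_t)claimed > sizeof heap) return -1;   /* keep reads inside the simulated heap */
    n = h(heap, rec_len, out, sizeof out);
    if (n < 0) return -1;
    for (i = 0; i + m <= (size_t)n; i++)
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 80 bytes: %d\n", leaks_secret(heartbeat_vulnerable, 80));
    printf("fixed, claims 80 bytes:      %d (-1 = rejected)\n", leaks_secret(heartbeat_fixed, 80));
    printf("fixed, honest 4 bytes:       %d\n", leaks_secret(heartbeat_fixed, 4));
    return 0;
}
```

The vulnerable handler returns 83 bytes for a 4-byte request, and the “old” session data that happened to sit after the record comes back with it; the fixed handler drops the malformed request while still answering an honest one. Real OpenSSL reads from the process heap rather than a fixed array, which is why a server could return keys and cookies from entirely unrelated connections.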

If you are interested in how something like Heartbleed works, this comic by Randall Munroe of xkcd.com does a great job of explaining it.

How bad is this, really?

From the Internet’s perspective, this is pretty bad, and a lot of people have been scrambling to fix things. From your perspective, it could be bad if you haven’t changed passwords on vulnerable sites once they are fixed.

In the long term, this is probably just a glitch from which we all will recover. In the meantime, taking the proper precautions will help it stay as a glitch for you.

Are You Using Your Lock Screen?

The following was originally posted on the Shoreline Area News, March 15, 2014 as part of the Tech Talk series.

Nearly all desktops, laptops, smartphones and tablets have a “lock screen.” But is it just an annoyance that you swipe or click away, or is it actually locked with a PIN or password?

An informal poll has been running at AndroidCentral.com for a couple of years, asking a similar question: “Do you use lockscreen security?” The answers are revealing. According to the data, nearly 56% of respondents don’t use any form of lockscreen security. While this poll is clearly unscientific, it is also pretty alarming. The people who visit AndroidCentral are, according to its demographics, well educated, technically connected, and largely between the ages of 24 and 34. That is the same age range that ProtectYourBubble.com reports is most likely to have phones stolen.

It’s one of those common scenarios that happens to most mobile device users … setting down a smartphone or tablet and then not finding it. Back in 2011, Lookout.com presented a survey of the smartphones whose owners used the service to track their lost or stolen phones. The Seattle area ranked 2nd behind Philadelphia when it came to losing phones, averaging twice a year per person.

Sometimes a lost phone is just a matter of forgetfulness; you retrace your steps and find it. Other times it’s just gone, picked up by someone curious about an unattended device or intent on stealing it and its contents.

Why Its Contents?
Today’s smartphones hold a lot of information. Besides your email and contacts list, a phone might contain attachments with personal financial information and links to your favorite retail, banking, and social networking sites. To be efficient, most of us cache our passwords to these sites so we don’t have to keep entering them. It’s very convenient for us … and equally convenient for anyone interested in stealing our identity and defrauding our friends and family. That might not be the person who snatched your phone, but it could be the person who buys the phone from them.

Symantec conducted a study called the “Symantec Honey Stick Project,” in which it left 50 smartphones in publicly accessible areas like elevators, malls, and public transit in five major cities. Each phone was seeded with fake information, and installed apps tracked activity on the phone and its location after it was “lost.”

The good news was that half of the “lost” smartphones were returned. The bad news was how much information on each phone was accessed.

While accessing some pictures, social networking contacts, or email might suggest an altruistic motive of contacting the phone’s owner, much of the access does not.

Can You Track Your Stolen Device?
Yes, it is possible, provided the device is connected to the Internet and its hardware or software supports tracking.

Phones are easier to track because they are connected to a cellular network that regularly checks in with local cell towers. This, along with GPS information, is how 911 dispatch centers are able to locate phones in an emergency. While most tablets and laptops are not on a cellular network, they do use Wi-Fi and can be tracked through it.

If you authorize tracking software to use these technologies, it can let you locate and remotely control your device, even wipe its contents. Apple laptops, tablets, and phones can use Apple’s Find My iPhone service to do this. Windows Phone provides the same services through My Windows Phone. If you have a Windows 8 tablet, look for the Locate My Tablet app in the Windows Store to tie your device to the My Windows Phone service.

For Android and other systems, there are a number of options. These range from a long-running open source project (Prey) to mainstream anti-virus makers (Norton, avast!, Kaspersky) to mobile-focused products (Lookout, Cerberus, Android Lost).

While all these systems can be very helpful, the best course of action is to protect yourself from losing your mobile device in the first place.

So How Do You Protect Yourself?
Start by changing how you handle your mobile device in public places. Lookout lists the types of places in the Seattle area where you are most likely to lose a phone, typically eating or shopping locations.

Don’t advertise the presence of tablets or smartphones by setting them on counters or tables, or having them out while boarding public transit. This reduces the opportunity for thieves who watch for a chance to grab a device and run, especially when the user is near an exit.

Avoid leaving these devices or laptops visible in parked cars. If you must leave them in the car, discreetly place them in the trunk. And, of course, don’t leave them unattended at any time.

And Lastly….

Make sure you add a PIN or password to that mobile device’s lock screen, and set the device to lock itself after a short idle period, so a phone left on a table doesn’t sit unlocked. Here is how to do that:

  • Mac – To Set: Apple menu/System Preferences, click Security & Privacy, then General, and select “Require password for sleep and screen saver.” To Use: Control+Shift+Eject or Control+Shift+Power to blank the screen.
  • Windows XP/Vista/7 – To Set: Start/Control Panel/User Accounts (and Family Safety)/User Accounts/Create a password for your account.
  • Windows 8 – To Set: (If not using a Microsoft Account) Settings Charm/Change PC Settings/Users/Create a Password or Create a PIN.
  • Windows 8.1 – To Set: (If not using a Microsoft Account) Settings Charm/Change PC Settings/Accounts/Sign-In Options/Create Password or Add PIN.
  • Windows (all versions) – To Use: Windows key+L, or tap your user name and choose Lock (Windows 8/8.1).
  • Android – To Set: Settings/Lock Screen/Select screen lock/PIN or Password. To Use: Tap the Power button to blank the screen.
  • iOS (iPhone/iPad) – To Set: Settings/General/Passcode Lock/PIN or Passcode. To Use: Tap the Power button to blank the screen.

New Approach with Microsoft Office Could Eliminate Competition

This article originally appeared in the Shoreline Area News on February 6, 2013.


Microsoft’s Office 2013 officially launched this year after months of previews and promotions. With this launch, the company has developed a version of the product that could conquer its greatest competitor…itself. Many industry pundits point to Google Apps or Google Drive as Office’s prime competitor. However, the biggest thorns in Microsoft’s side leading up to the release of Office 2013 are Office 2010, Office 2007, and Office 2003 for Windows (or Office 2011, Office 2008, and Office 2004 for the Mac), the versions you and I all use…and our desire to hold on to them.

The Paradox of Progress
We like the idea of progress; that new ideas and ways to do things will stimulate creativity, business, and prosperity. On the other hand, the changes that come with progress often bring chaos and a sense of instability. So we hang on to anchors and try to ride it out the best we can. Most people develop enough expertise to get by, whether it’s laundry or letter writing. The hope is that the tools we use to do these things won’t evolve enough to disrupt our daily progress on other fronts and demand our attention. Microsoft certainly saw this when it released Office 2007, eliminating menus in favor of what it called a “ribbon-based” user interface. While the new interface exposed buried features and encouraged fuller use of the Office programs, many users clung to Office 2003’s menu system and the time they had invested in it. Today, over 1 out of every 10 Office users still use the ten-year-old version.

Subscribing to a New Model
Microsoft’s answer to our reluctance to upgrade is its new online subscription version, Office 365 Home Premium. Instead of charging a larger amount every few years for a major upgrade, Microsoft would prefer an annual subscription of $99/year for Home Premium, covering 5 PCs or Macs. It gives Microsoft a regular income source, provides you with a continually updated version of Office for multiple systems without the disruption of a major upgrade, and helps eliminate the competition from previous versions of its own software.

The idea is not new. It has been used for a few years, both by Microsoft and by other software makers, with large and small businesses as a way to encourage stability on both sides. Businesses like regular subscriptions they can budget for, and software makers appreciate regular cash flow compared to the boom and bust of major software releases. While certain software makers have used consumer subscriptions (anti-virus makers, for example), this is the first major manufacturer to do so for a product like Office.

A Future without Anchors?
Microsoft isn’t totally forsaking the traditional software paths. It will still offer Office 2013 in stores. With 90% of the market using Microsoft Office, it can’t afford to ignore regular retail channels right now. However, it’s possible that the disc-based version of Office 2013 could be our last anchor in the continuum of Microsoft Office…and its last major competitor.