So, I was at a gathering of friends and one of them asked me: “I keep hearing about the “Cloud”, but I don’t understand it. What is the Cloud?” It’s an interesting question, because like its meteorological namesake, its existence is ephemeral and changing all the time.
Let’s start with the name: Cloud. Like many things in technology, the name is largely a marketing term. It’s a marketing term that had its genesis in the technical realm. For years, my colleagues and I used the picture of a cloud in architecture diagrams to indicate network paths and services. Sorta like: I’m in Boston communicating with you in Palo Alto and between us I’d show a cloud to indicate: There are messaging services here, but exactly how the messaging happens is not important to the overall architecture of our work. A few years ago the term cloud was co-opted to mean any storage and services being delivered in the network, usually in the Internet. Again, the “how” is not as important as the “what”.
So, what is the Cloud (with a capital “C”)?
It’s an all-encompassing metaphor for any and all services that are delivered via the Internet (note: There are Intranet cloud services, but let’s focus on what the average consumer sees). As the figure above shows, these services can span the whole range of computing services that in the past might have been run on local computers. More specifically, if you use Gmail, Dropbox, on-line photo storage, on-line backup (e.g., Mozy or Quicken on-line backup), or synchronization of your address book with your devices and computers, you are leveraging the Cloud.
So, it’s been about a week since the bombshell of TrueCrypt’s demise and I thought it would be useful to present an update.
First and foremost, it doesn’t appear that the sites have been hacked; rather, the developers appear to have simply decided to abandon the project. The note that TrueCrypt is insecure is theoretically correct in that if problems are found, the software will not be updated. Said another way: The longer you use it, the higher the probability someone will find a weakness in the code that can be exploited.
There are some sites popping up that provide downloads of the last full version of TrueCrypt (version 7.1a), but as in my previous warning, I’d not use them at this time. There is nothing to prevent someone from bundling some malware with the installation kit.
The outfit performing the security audit of TrueCrypt has pledged to continue that work. See the Twitter feed for the OpenCryptoAudit project.
James Lyne authored the following article in Forbes that provides some thoughts about TrueCrypt going forward entitled TrueCrypt is Back, but Should it be? It’s an interesting read, though still speculative.
So, my advice remains: If you’re using TrueCrypt now, you should be able to continue to use it until you move to another solution. The good news is that solutions exist for specific operating systems:
If you are using Windows 7 or 8, you can encrypt files and directories in-line with the file system using Encrypted File System or EFS. For directions on how to use EFS, see the following Groovy Post article. To encrypt an entire drive, including your “C:” drive, use BitLocker.
If you are using MacOS, then use the Disk Utility to encrypt your files and directories. For directions on this, see the following Indigo article. For entire drives, including your “Macintosh HD”, use FileVault2.
Finally, there are several 3rd party solutions that should provide some cross-platform use.
The open-source encryption offering TrueCrypt has been abruptly and (apparently) permanently pulled off the market. Their website www.truecrypt.org is redirecting to their sourceforge download site, which has a warning that the product isn’t secure and offers help in migrating from TrueCrypt to BitLocker on Windows systems. I’d recommend that if you’re using TrueCrypt you migrate to the encryption package that is integrated in your OS: BitLocker for Windows and FileVault for the Mac. There are also commercial encryption packages available from Symantec among others.
I’ve been a proponent of TrueCrypt in the past and use it myself. I like the ease-of-use and multi-platform support of TrueCrypt, especially since I run all three major OS platforms: Windows, MacOS and Linux. This allows me to easily share encrypted data on all three platforms. Also, I advocated that TrueCrypt be used for an emergency thumb drive, since there was a portable app build that would allow the software to reside on the drive. It also had a very desirable price-point of $0.
The problem with the current situation is not everyone has access to an integrated encryption solution. Only Windows Vista/7/8 Pro and Enterprise have the package, leaving a very large contingent out of luck. MacOS users have it, but not all Linux packages have encryption offerings.
Also, it’s important to note that though this appears to be permanent, there is a small (but dwindling) chance that their website was hacked and there is something more nefarious going on here. The next few days should help clarify this.
So, what to do? First off, there is no need to panic. As long as you have a working version of TrueCrypt, you should be fine for now, though I’d recommend moving off it as soon as is practical. This is especially true if you’re using it for whole disk encryption. One should use the integrated solution for whole-disk encryption if available in any case.
If you don’t have a working version of TrueCrypt and you need to mount an encrypted volume, the sourceforge site provides a version of TrueCrypt for decrypting only. I’d highly recommend NOT downloading it at this time. We need better assurance that this isn’t a hack first.
I’ll post more information on this topic soon, including pointers to instructions for using other solutions. Stay tuned …
Here are a couple articles that provide some more detail:
- True Goodbye: ‘Using TrueCrypt is not secure’ by Brian Krebs
- Open Source Crypto TrueCrypt Disappears With Suspicious Cloud Of Mystery by James Lyne in Forbes
- TrueCrypt now encouraging users to use Microsoft’s Bitlocker by Mark Hachman of PCWorld
The latest security breach has occurred, this time on ebay.com. In this particular case, it appears all the user identifiers and passwords have been compromised, but (as of this writing) not financial information or paypal.com accounts. For more information, see Brian Krebs’s blog post.
When I heard this, my first thought was: Hey, I don’t use eBay, so not a problem. My second thought was: Wait a minute, didn’t I buy a golf club on ebay a while back? Well, it turns out I do have an eBay account and after digging around to figure out my creds, I was indeed able to log in and reset my password.
That experience got me to thinking about how many accounts I really have on-line. I’ve been an active participant on the Internet since there were fewer than 1,000 sites worldwide, and I probably have hundreds of accounts. Some of these accounts are no longer valid for a variety of reasons, including the company failing. However, as I sit here, I could do a quick accounting and still miss some, probably by half.
This is truly concerning because I don’t think I could remember all of the accounts, even if I performed a deep-dive. I’ll bet you are in a similar place.
So, the best defense is to change up your passwords for the accounts you are aware of. Never reuse old passwords, nor play the “one-off” game, which means don’t have a single password that you change by incrementing a number (e.g. 1password -> 2password) or some such thing. Then change them periodically across the sites. This way, if you forget one, hackers don’t have a complete set of credentials.
I finally took the time and upgraded my MacBook Pro to the latest and greatest MacOS, Mavericks (10.9.2). I thought I’d share some of my experiences.
As I’ve noted in previous posts, the decision to upgrade to a major new version of an OS for a desktop or laptop computer shouldn’t be made lightly (minor or service packs should be applied as soon as available, since they typically have security fixes). It’s a traditional balance of features vs. cost (and risk) to upgrade.
Though Mavericks was released on October 22, 2013, I waited for roughly 6 months to allow some of the 3rd party applications and devices to catch up. In fact, though I was running Lion (10.7.x) on my laptop previously, I hadn’t updated to Mountain Lion (10.8.x) because the new features were not worth the potential issues with doing the upgrade (see my post on Mountain Lion). I have one device in particular that has been troublesome with MacOS upgrades, and that has largely inhibited me from upgrading. That device is a Network Attached Storage (NAS) device by LenovoEMC (formerly Iomega), and since EMC sold it to Lenovo, it’s clear that MacOS priority has dropped into a black hole, so I decided to work around this device.
So, on to the upgrade. First, some information about the upgrade itself, then I’ll have some initial impressions.
When Heartbleed was announced, it was pretty clear that the issues were focused on various Cloud servers, like web servers and email servers. Which is to say, the vulnerability is on the servers that serve your computers and devices. It didn’t seem to be a vulnerability in consumer devices and computers. See FLASH: Heartbleed SSL vulnerability for more information.
Though this is largely true, there are some exceptions that you should be aware of. The exceptions are when your computer or device acts like a server out to the Internet. In these cases, if your device or computer provides encrypted connections, it could trip over the OpenSSL issue.
Routers provide the interface between your home network and the world-wide, wild west Internet. The router provides the firewall between the Internet and your network, preventing connections from being made into your network from the outside (see my Security Primer for more detail).
However, you can configure your router to allow connections to be made from the Internet through to one or more computers on your home network. You can establish a single computer to be totally open to the net, or you can selectively open ports (e.g., port 25 for email) to selected computers in your network. The reason you might be doing this is to serve up web services or email out to the Internet. For example, I know folks who set up an email server to serve email to their families, bypassing the need for commercial or consumer email servers like gmail or yahoo.
If you’re providing web or email services from any computer on your home network to the outside and if you’ve configured the services to use encrypted connections, then you might have this issue. The good news here is that if you are serving these services from either Windows or MacOS, you should be OK. It turns out that MacOS uses OpenSSL, but it’s an older version that doesn’t have this vulnerability (Apple is notoriously slow to update open source components, to their benefit in this case). Windows IIS isn’t impacted either.
The only OSes that are impacted are the various flavors of Linux. The primary web server that ships with Linux is Apache, and it’s configured by default with OpenSSL.
Also, some routers are impacted by this issue, especially if they permit management of the router from the Internet. Again, this is typically via an encrypted connection. If you manage your network from the outside, check with your router manufacturer. I do know that some D-Link and Cisco routers are vulnerable. Linksys and Apple Airport routers are safe.
There is a new exploit that has been detected in the fundamental security protocol that enables secure communications between a company’s servers and your computer or device. The exploit has been dubbed “Heartbleed” (CVE-2014-0160), because it exploits a vulnerability in the heartbeat of the OpenSSL version of the Secure Sockets Layer (SSL) security protocol. The thing that makes this problem particularly serious is that while exploiting the weakness, the hackers leave no indication of their activities or whether it’s been exploited at all.
Before getting into this in more detail, here’s some background. SSL is the protocol that establishes an AES-256 encrypted connection between a computer/device and a web server (see the Encryption section of the Glossary for more information). There are several software packages available to companies that support SSL, though two of the most popular are from RSA and OpenSSL. Only specific versions of OpenSSL are at risk and there is no risk from non-OpenSSL packages. Though roughly 2/3 of servers use OpenSSL, it’s not clear how many are using the tainted versions. The tainted versions have been available for roughly 2 years. OpenSSL is preferred because (a) it’s cheaper and (b) it’s bundled with most Linux server software, which is the most commonly used OS for servers (again, because of its lower cost).
The “heartbeat” is a periodic data packet (64 KB in size) that one computer sends to another that says: “I’m still alive here, let’s keep the connection in place.” An “exploit” is a weakness in a server or computer that will allow a hacker to gain unauthorized data and/or control from a computer.
In this particular exploit, the heartbeat can be used to read unauthorized data from the web server’s memory in 64 KB chunks. This has the following implications:
- The data that is acquired is from the web server and not your computer or device.
- The data that is acquired is read from the server’s memory and not its disks or databases. Whatever data it acquires is data that is currently active on the server. This means that for any of your personal data or login credentials to be at risk, the exploit needs to be occurring while you are connected to the server (or have recently been connected to the server).
- Since the exploit can be used to acquire a web site’s primary or secondary encryption key, it can allow the hacker to listen into communications (which of course has more wide-ranging implications).
So, this is a different type of exploit than the type where a hacker gets access to a company’s databases to download data from their customers. However, since it’s at the heart of secure communications, it’s even more serious and diabolical.
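To make the “reads memory in 64 KB chunks” point concrete, here is an added example (not the post’s own code) that models the heartbeat handling behind Heartbleed beside the bounds check that fixes it. The record layout follows RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding); conn_mem, good_rec and the handler names are this example’s own constructions.

```c
/* Added example (not the post's own code): a simplified model of the heartbeat
 * handling behind Heartbleed and the bounds check that fixes it. Record layout
 * follows RFC 6520: type(1) | payload_length(2) | payload | padding(>=16).
 * conn_mem, record_len, good_rec and the handler names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PADDING_LEN 16 /* RFC 6520 minimum padding */

/* Constructed "connection memory": a 24-byte heartbeat record sits at the start,
 * followed by data the peer must never see (stands in for keys, cookies, ...). */
static const unsigned char conn_mem[] =
    "\x01"      /* HeartbeatMessageType: request */
    "\x00\x20"  /* claimed payload_length = 32, but only 5 payload bytes follow */
    "hello"
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" /* 16 bytes of padding */
    "SECRET-SESSION-KEY";
static const size_t record_len = 1 + 2 + 5 + PADDING_LEN; /* what really arrived */

/* A well-formed record for comparison: payload_length 5 matches "hello". */
static const unsigned char good_rec[] =
    "\x01\x00\x05hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

/* Vulnerable pattern: trusts payload_length from the packet and copies that many
 * bytes, so the reply echoes whatever lies past the end of the real record. The
 * 'avail' limit only keeps this model memory-safe; the real code had no such limit.
 * Returns the number of bytes written to 'out', or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t avail,
                         unsigned char *out, size_t out_cap) {
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap || 3 + payload_len > avail) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Fixed pattern (what the OpenSSL 1.0.1g fix does): compare the claimed length
 * with the length of the record that actually arrived and silently drop a mismatch. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING_LEN) return -1;               /* cannot hold a header */
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload_len + PADDING_LEN > rec_len) return -1;  /* the Heartbleed check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

int main(void) {
    unsigned char out[64];
    int n = heartbeat_vulnerable(conn_mem, sizeof conn_mem, out, sizeof out);
    /* bytes 21.. of the 32-byte reply come from beyond the record: the "secret" */
    printf("vulnerable: %d bytes, tail = %.*s\n", n, n > 21 ? n - 21 : 0, out + 21);
    printf("fixed, same record: %d\n", heartbeat_fixed(conn_mem, record_len, out, sizeof out));
    printf("fixed, good record: %d\n",
           heartbeat_fixed(good_rec, sizeof good_rec - 1, out, sizeof out));
    return 0;
}
```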
So, what should I do?
As noted, though the exploit has been shown to be real and relatively easy to leverage, companies have been scrambling to identify servers at risk and fix them (there is a repaired version of OpenSSL available). Though there is evidence that the hacker community has known about the weakness, there is no evidence anything has been stolen.
There is a way to determine if a given website is clean of this exploit. Go to http://filippo.io/Heartbleed/ and enter the URL of the site you’re concerned about. It will tell you if the site is clean or at risk. Be aware that you might get timeouts or other errors, which largely mean that they are rejecting or ignoring the heartbeat. I’ve done it with all the critical sites that I usually use, including Amazon.com and gmail.com. All sites were clean of the problem.
Do not log into a site that isn’t clean. So, for the foreseeable future, when attempting to use an encrypted site, check the URL first, then log in. BTW: Once you check the site, you don’t need to check it again.
Finally, once you know a site is clean, it’s a good idea to change your password. There is no test to determine whether a given site was infected and I suspect companies are not going to rush to provide notification. All normal password recommendations remain crucial going forward. See the change passwords section of my post Your technical New Year’s Resolutions for thoughts about passwords.
Keep an eye on financial transactions, your credit report and for any other anomalous activity that might indicate your data has been compromised.
For more information about this particular exploit, see the following sites:
- Heartbleed.com – A website put up specifically for information about this problem.
- CNET’s How to Protect yourself from the Heartbleed bug
- NY Times article on the exploit.
If I get any more pertinent information on this exploit, I’ll update this post. Be careful out there …
Since the first iPhone was released a few years ago, there has been a consistent issue that has upset users about the iPhone more than any other. That issue has been poor battery life.
Let’s put this into a little perspective first. The smart phone is a very powerful and feature rich computer. Start with the fact that it’s a cell phone first-and-foremost. Digital cellular telephony is a huge improvement over the original analog cellular telephony in every way, including battery life. Analog phones would sap battery life very rapidly, especially when attempting to acquire a cellular signal. Today’s digital versions are much more power efficient, but they still are a big consumer of your battery’s precious power, especially in weak signal areas. Also, taking calls consumes significantly more power than standby. So, your mileage may vary.
Now layer on digital data network support using the aforementioned cellular signals as well as Wi-Fi. Couple that with Bluetooth and the typical phone is running several radios that are usually active 24×7 (even if not all are needed). All of this is before a single app fires up.
When I find topics to discuss on this blog, I typically send myself an email with links for background. If I haven’t blogged in a while, these emails languish and start to coalesce into a lonely bunch of ticklers. So, with that in mind, it’s time to clean out the digital cobwebs.
I just received an email supposedly from the Clerk of the Court in Tacoma notifying me that I need to appear for a hearing on “my case”. It contains an attachment that supposedly contains the court notice on my case. There are several things wrong with the email, including the fact that I’ve never been in Tacoma and that the notice is a “zip” file, which is a common way of shipping executables past virus checks (a real document would likely be a .pdf file). Finally, though some courts do send notices via email, they would only do so if you have something pending and you explicitly give permission.
So, it turns out that this is the latest phishing attempt to get folks to install malware on their computers. The .zip file contains a Windows .exe executable that will attempt to install malware to join the victim’s computer to the Asprox botnet. This botnet uses an army of machines to attack various websites looking for vulnerabilities. It also allows others to have full access to your system.
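Since the whole trick rests on a .zip wrapping an .exe, here is an added example (not the post’s own code) that peeks inside such an attachment without extracting it and reports whether any entry is a Windows executable. It walks the PKZIP local file headers; the helper names and the sample archive are this example’s own constructions.

```c
/* Added example (not the post's own code): inspect a .zip attachment without
 * extracting it and report whether it carries a Windows executable. Walks the
 * PKZIP local file headers ("PK\3\4"); helper names and the sample archive are
 * this example's own construction. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Case-insensitive suffix test; zip entry names are not NUL-terminated, hence the length. */
static int ends_with_ci(const char *s, size_t n, const char *suf) {
    size_t m = strlen(suf);
    if (n < m) return 0;
    for (size_t i = 0; i < m; i++)
        if (tolower((unsigned char)s[n - m + i]) != suf[i]) return 0;
    return 1;
}

/* Extensions Windows runs on double-click; "notice.pdf.exe" still ends in .exe. */
static int is_executable_name(const char *name, size_t n) {
    static const char *bad[] = { ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js" };
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (ends_with_ci(name, n, bad[i])) return 1;
    return 0;
}

/* Returns 1 if any entry looks executable, 0 if none does, -1 if the buffer is not a
 * walkable zip (no local header, truncated, or sizes deferred to a data descriptor). */
int zip_has_executable(const unsigned char *zip, size_t len) {
    if (len < 30 || memcmp(zip, "PK\x03\x04", 4) != 0) return -1;
    size_t off = 0;
    int found = 0;
    while (off + 30 <= len && memcmp(zip + off, "PK\x03\x04", 4) == 0) {
        const unsigned char *h = zip + off;
        uint16_t flags = le16(h + 6), fnlen = le16(h + 26), xlen = le16(h + 28);
        uint32_t csize = le32(h + 18);
        if (flags & 0x0008) return -1;             /* bit 3: real size is after the data */
        if (off + 30 + fnlen > len) return -1;     /* truncated name */
        if (is_executable_name((const char *)h + 30, fnlen)) found = 1;
        off += 30 + (size_t)fnlen + xlen + csize;  /* next local header or the central dir */
    }
    return found;
}

/* Writes one stored (uncompressed) entry with CRC left at 0 (the walker ignores it) and
 * returns the offset just past it. Assumes name and data are shorter than 256 bytes. */
size_t put_entry(unsigned char *out, size_t off, const char *name, const char *data) {
    unsigned char *h = out + off;
    size_t fnlen = strlen(name), dlen = strlen(data);
    memset(h, 0, 30);
    memcpy(h, "PK\x03\x04", 4);
    h[4] = 20;                              /* version needed to extract: 2.0 */
    h[18] = h[22] = (unsigned char)dlen;    /* compressed == uncompressed (stored) */
    h[26] = (unsigned char)fnlen;
    memcpy(h + 30, name, fnlen);
    memcpy(h + 30 + fnlen, data, dlen);
    return off + 30 + fnlen + dlen;
}

/* Constructed sample: a decoy text file plus the double-extension executable. */
size_t build_sample_zip(unsigned char *buf) {
    size_t n = put_entry(buf, 0, "readme.txt", "see attached notice");
    return put_entry(buf, n, "Court_Notice.pdf.exe", "MZ...");
}
```

Mail filters and desktop scanners do the same kind of look-inside check; a -1 result (archive that cannot be walked) deserves the same suspicion as a hit.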
The message that I received looks like this:
Subject: #Hearing of your case in Court N#0103-706
Notice to Appear, Hereby you are notified that you have been scheduled to appear for your hearing that will take place in the court of Tacoma in May 14, 2014 at 11:30 am. Please bring all documents and witnesses relating to this case with you to Court on your hearing date. The copy of the court notice is attached to this letter. Note: If you do not attend the hearing the judge may hear the case in your absence. Yours truly, MORROW WOOD Clerk to the Court.
As usual, the same rules apply:
- Never open a link or attachment unless you’re very sure that it’s legit. Even if it appears to come from a friend, it might be malware.
- Always look more carefully at messages to see if there is something “not quite right” about the message. Are there misspellings, poor grammar or odd URL domain names? If the message is from a friend, is the “tone” of the message in line with normal emails from that person?
- Is the request reasonable? Official notices are not typically delivered via email or instant messages.
- Cut-n-paste URLs into browsers, rather than clicking. Be sure that the address makes sense before hitting “return” (e.g., Fidelity’s URL will likely be fidelity.com). If not entirely sure, most legitimate notices can be located by going directly to the website without using the URL given (e.g., go to your banking site via your usual method and see if there is a message for you there.)
- Never install software unless you intend to. In this case, the executable might say that you need a special reader to read the message. Don’t do it.
If you click on such an email attachment, be sure to answer “no” if the OS pops up a message requesting permission to install something on your system.
If you have allowed this (or any) unplanned installation of software on your computer, be sure to run an updated anti-malware full scan on your machine.