MacOS 10.9: Mavericks!

I finally took the time and upgraded my MacBook Pro to the latest and greatest MacOS, Mavericks (10.9.2).  I thought I’d share some of my experiences.

As I’ve noted in previous posts, the decision to upgrade to a major new version of an OS for a desktop or laptop computer shouldn’t be made lightly (minor or service packs should be applied as soon as available, since they typically have security fixes).  It’s a traditional balance of features vs. cost (and risk) to upgrade.

Though Mavericks was released on October 22, 2013, I waited for roughly 6 months to allow some of the 3rd party applications and devices to catch up.  In fact, though I was running Lion (10.7.x) on my laptop previously, I hadn’t updated to Mountain Lion (10.8.x) because the new features were not worth the potential issues with doing the upgrade (see my post on Mountain Lion).  I have one device in particular that has been troublesome with MacOS upgrades, and that has largely inhibited me from upgrading.  That device is a Network Attached Storage (NAS) device by LenovoEMC (formerly Iomega), and since EMC sold it to Lenovo, it’s clear that MacOS priority has dropped into a black hole, so I decided to work around this device.

So, on to the upgrade.  First, some information about the upgrade itself, then I’ll have some initial impressions.

Update on Heartbleed SSL exploit – Personal device vulnerability

When Heartbleed was announced, it was pretty clear that the issues were focused on various Cloud servers, like web servers and email servers.  Which is to say, the vulnerability is on the servers that serve your computers and devices. It didn’t seem to be a vulnerability in consumer devices and computers.  See FLASH: Heartbleed SSL vulnerability for more information.

Though this is largely true, there are some exceptions that you should be aware of. The exceptions are when your computer or device acts like a server out to the Internet.  In these cases, if your device or computer provides encrypted connections, it could trip over the OpenSSL issue.

Routers provide the interface between your home network and the world-wide, wild west Internet.  The router provides the firewall between the Internet and your network, preventing connections from being made into your network from the outside (see my Security Primer for more detail).

However, you can configure your router to allow connections to be made from the Internet through to one or more computers on your home network.  You can establish a single computer to be totally open to the net, or you can selectively open ports (e.g., port 25 for email) to selected computers in your network.  The reason you might be doing this is to serve up web services or email out to the Internet.  For example, I know folks who set up an email server to serve email to their families, bypassing the need for commercial or consumer email servers like gmail or yahoo.

If you’re providing web or email services from any computer on your home network to the outside and if you’ve configured the services to use encrypted connections, then you might have this issue.  The good news here is that if you are serving these services from either Windows or MacOS, you should be OK.  It turns out that MacOS uses OpenSSL, but it’s an older version that doesn’t have this vulnerability (Apple is notoriously slow to update open source components, to their benefit in this case).  Windows IIS isn’t impacted either.

The only OSes that are impacted are the various flavors of Linux.  The primary web server that ships with Linux is Apache, and it’s configured by default with OpenSSL.

Also, some routers are impacted by this issue, especially if they permit management of the router from the Internet.  Again, this is typically via an encrypted connection.  If you manage your network from the outside, check with your router manufacturer.  I do know that some D-Link and Cisco routers are vulnerable.  Linksys and Apple Airport routers are safe.


FLASH: Heartbleed SSL vulnerability

There is a new exploit that has been detected in the fundamental security protocol that enables secure communications between a company’s servers and your computer or device. The exploit has been dubbed “Heartbleed” (CVE-2014-0160), because it exploits a vulnerability in the heartbeat of the OpenSSL version of the Secure Sockets Layer (SSL) security protocol. The thing that makes this problem particularly serious is that the hackers leave no trace of their activity while exploiting the weakness, so there is no indication of whether it’s been exploited at all.

source: Codenomicon


Before getting into this in more detail, here’s some background. SSL is the protocol that establishes an AES-256 encrypted connection between a computer/device and a web server (see the Encryption section of the Glossary for more information). There are several software packages available to companies that support SSL, though two of the most popular are from RSA and OpenSSL. Only specific versions of OpenSSL are at risk and there is no risk from non-OpenSSL packages. Though roughly 2/3 of servers use OpenSSL, it’s not clear how many are using the tainted versions. The tainted versions have been available for roughly 2 years. OpenSSL is preferred because (a) it’s cheaper and (b) it’s bundled with most Linux server software, which is the most commonly used OS for servers (again, because of its lower cost).

The “heartbeat” is a periodic data packet (64 KB in size) that one computer sends to another that says: “I’m still alive here, let’s keep the connection in place.” An “exploit” is a weakness in a server or computer that will allow a hacker to gain unauthorized data and/or control from a computer.

In this particular exploit, the heartbeat can be used to read unauthorized data from the web server’s memory in 64 KB chunks. This has the following implications:

  • The data that is acquired is from the web server and not your computer or device.
  • The data that is acquired is read from the server’s memory and not its disks or databases. Whatever data it acquires is data that is currently active on the server. This means that for any of your personal data or login credentials to be at risk, the exploit needs to be occurring while you are connected to the server (or have recently been connected to the server).
  • Since the exploit can be used to acquire a web site’s primary or secondary encryption key, it can allow the hacker to listen in on communications (which of course has more wide-ranging implications).
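The reason the heartbeat can hand back memory it should not is that the vulnerable code trusted the length field inside the heartbeat message instead of comparing it to the number of bytes actually received. The following added example (modelled on the RFC 6520 message layout, not OpenSSL’s own code) shows the unchecked logic beside the checked logic, using two constructed heartbeat records; no memory is actually copied, only the length the server would echo is computed.

```c
#include <stdint.h>
#include <stddef.h>

/* Layout of a TLS heartbeat message (RFC 6520) inside the received record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The defect was trusting payload_length without checking it against rec_len. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

/* Unchecked logic (modelled): returns the number of payload bytes the server would
 * echo back, taken straight from the peer-controlled length field. When that value
 * exceeds rec_len, the echo would read past the end of the received data. */
long heartbeat_echo_len_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Checked logic: the declared payload must fit inside the bytes actually received,
 * with room left for the mandatory padding; otherwise the message is discarded. */
long heartbeat_echo_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    return (long)payload_len;
}

/* Constructed sample: declares a 65535-byte payload but carries only 3 payload
 * bytes plus 16 bytes of padding (22 bytes in total). */
static const uint8_t malformed_hb[] = {
    0x01, 0xFF, 0xFF,
    'h', 'i', '!',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: an honest 3-byte payload with the same padding. */
static const uint8_t wellformed_hb[] = {
    0x01, 0x00, 0x03,
    'h', 'i', '!',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
```

The unchecked function reports 65535 bytes to echo for the malformed record, far more than the 22 bytes received; the checked function rejects it and only accepts the honest record.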

So, this is a different type of exploit than the type where a hacker gets access to a company’s databases to download data from their customers. However, since it’s at the heart of secure communications, it’s even more serious and diabolical.

So, what should I do?

As noted, though the exploit has been shown to be real and relatively easy to leverage, companies have been scrambling to identify servers at risk and fix them (there is a repaired version of OpenSSL available). Though there is evidence that the hacker community has known about the weakness, there is no evidence anything has been stolen.

There is a way to determine if a given website is clean of this exploit. Go to http://filippo.io/Heartbleed/ and enter in the URL of the site you’re concerned about.  It will tell you if the site is clean or at risk.  Be aware that you might get timeouts or other errors, which largely mean that they are rejecting or ignoring the heartbeat. I’ve done it with all the critical sites that I usually use, including Amazon.com and gmail.com.  All sites were clean of the problem.

Do not log into a site that isn’t clean.  So, for the foreseeable future, when attempting to use an encrypted site, check the URL first, then log in. BTW: Once you check the site, you don’t need to check it again.

Finally, once you know a site is clean, it’s a good idea to change your password. There is no test to determine whether a given site was infected and I suspect companies are not going to rush to provide notification. All normal password recommendations remain crucial going forward.  See the change passwords section of my post Your technical New Year’s Resolutions for thoughts about passwords.

Keep an eye on financial transactions, your credit report and for any other anomalous activity that might indicate your data has been compromised.

For more information about this particular exploit, see the following sites:

If I get any more pertinent information on this exploit, I’ll update this post.  Be careful out there …


iPhone battery life

Since the first iPhone was released a few years ago, there has been a consistent issue that has upset users about the iPhone more than any other. That issue has been poor battery life.

Let’s put this into a little perspective first. The smart phone is a very powerful and feature rich computer.  Start with the fact that it’s a cell phone first-and-foremost. Digital cellular telephony is a huge improvement over the original analog cellular telephony in every way including battery life. Analog phones would sap battery life very rapidly, especially when attempting to acquire a cellular signal. Today’s digital versions are much more power efficient, but they still are a big consumer of your battery’s precious power, especially in weak signal areas.  Also, taking calls consumes significantly more power than standby.  So, your mileage may vary.

Now layer on digital data network support using the aforementioned cellular signals as well as Wi-Fi. Couple that with Bluetooth and the typical phone is running several radios that are usually active 24×7 (even if not all are needed). All of this is before a single app fires up.

Cleaning out the cobwebs …

When I find topics to discuss on this blog, I typically send myself an email with links for background.  If I haven’t blogged in a while, these emails languish and start to coalesce into a lonely bunch of ticklers.  So, with that in mind, it’s time to clean out the digital cobwebs:

Notice to Appear virus

I just received an email supposedly from the Clerk of the Court in Tacoma notifying me that I need to appear for a hearing on “my case”.  It contains an attachment that supposedly contains the court notice on my case.  There are several things wrong with the email, including the fact that I’ve never been in Tacoma, and that the notice is a “zip” file, which is a method for shipping executables to get around virus checks (real documents would likely be a .pdf file).  Finally, though some courts do send notices via emails, they would only do so if you have something pending and you explicitly give permission.

So, it turns out that this is the latest in a series of phishing attempts to get folks to install malware on their computers.  The .zip file contains a Windows .exe executable that will attempt to install malware to join the victim’s computer to the Asprox botnet. This botnet uses an army of machines to attack various websites looking for vulnerabilities.  It also allows others to have full access to your system.

The message that I received looks like this:

Subject: #Hearing of your case in Court N#0103-706

Notice to Appear,

Hereby you are notified that you have been
scheduled to appear for your hearing that
will take place in the court of Tacoma in May 14, 2014 at 11:30 am.
Please bring all documents and witnesses relating to this case
with you to Court on your hearing date. 
The copy of the court notice is attached to this letter.

Note: If you do not attend the hearing the
judge may hear the case in your absence.

Yours truly,
MORROW WOOD
Clerk to the Court.

As usual, the same rules apply:

  • Never open a link or attachment unless you’re very sure that it’s legit.  Even if it appears to come from a friend, it might be malware.
  • Always look more carefully at messages to see if there is something “not quite right” about the message.   Are there misspellings, poor grammar or odd URL domain names?  If the message is from a friend, is the “tone” of the message in line with normal emails from that person?
  • Is the request reasonable?  Official notices are not typically delivered via email or instant messages.
  • Cut-n-paste URLs into browsers, rather than clicking.  Be sure that the address makes sense before hitting “return” (e.g., Fidelity’s URL will likely be fidelity.com).  If not entirely sure, most legitimate notices can be located by going directly to the website without using the URL given (e.g., go to your banking site via your usual method and see if there is a message for you there.)
  • Never install software unless you intend to.  In this case, the executable might say that you need a special reader to read the message.   Don’t do it.

If you click on such an email attachment, be sure to answer “no” if the OS pops up a message requesting permission to install something on your system.

If you have allowed this (or any) unplanned installation of software on your computer, be sure to run an updated anti-malware full scan on your machine.

FLASH: WhatsApp phishing scam

Last week, many folks became aware of a messaging app called WhatsApp due to the announcement of Facebook’s intention to purchase it for a paltry $19B.  Now there is a WhatsApp phishing scam circulating (actually it’s been around for several months, but seems to be making fresh rounds due to the acquisition announcement).

One receives an innocuous looking email from WhatsApp that says you have a new voice message.  You click on the “Play” button and it says that you need to load an app, player or update a web browser.  Commencing the download will load the malware on your phone or computer.

The primary target seems to be Android devices, since it’s difficult to load software onto iPhones and iPads outside the App Store.  Note: if your iPhone has been jailbroken, all bets are off (see my post on The Hazards of Jail Breaking.)

FLASH: Update your Apple iOS devices

A couple days ago, Apple issued new updates for the firmware that runs on iPhones, iPads, Apple TV and iPod Touch.  The versions are:

  • iOS 7.0.6 - iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
  • iOS 6.1.6 - iPhone 3GS, iPod touch (4th generation)
  • Apple TV 6.0.2 - Apple TV 2nd generation and later

I strongly recommend that you apply these updates as soon as is practical.  This update can be applied via iTunes or on-line.  The update contains a critical bug fix to SSL, which is the technology that ensures that the site you are attempting to establish a secure connection with is legitimate and secure.

It turns out that there is a coding error that effectively (and quietly) bypasses a test, which could allow another site to masquerade as the desired site.  Though this appears to be a “day zero” bug, now that the weakness is known, it’s important to get it fixed pronto.
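The coding error behind this update was publicly reported as a duplicated, unconditional `goto fail;` line that jumps to the cleanup label before the signature check runs, with the error variable still holding “success”. The following added example (not Apple’s code) models that pattern beside the corrected version; the `step_ok` and `step_verify_signature` functions are constructed stand-ins for the real hashing and signature-verification steps.

```c
/* Return convention modelled on the handshake code: 0 is success, non-zero is failure. */
typedef int os_err;
#define ERR_NONE          0
#define ERR_BAD_SIGNATURE 1

/* Constructed stand-ins for the individual steps. In the real handshake these would
 * hash the exchanged parameters and verify the server's signature over them. */
static os_err step_ok(void) { return ERR_NONE; }
static os_err step_verify_signature(int signature_is_valid) {
    return signature_is_valid ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* Buggy version: the second "goto fail;" is outside any if-block, so it always
 * jumps to cleanup while err is still 0, and the signature check is never reached. */
os_err verify_server_key_exchange_buggy(int signature_is_valid) {
    os_err err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;   /* the extra line: unconditional, indentation hides it */
    if ((err = step_verify_signature(signature_is_valid)) != 0)
        goto fail;
fail:
    return err;      /* returns 0 ("success") even for a forged signature */
}

/* Fixed version: the stray jump is removed, so a forged signature is rejected. */
os_err verify_server_key_exchange_fixed(int signature_is_valid) {
    os_err err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_verify_signature(signature_is_valid)) != 0)
        goto fail;
fail:
    return err;
}
```

Compiling with unreachable-code warnings enabled (e.g. `-Wunreachable-code` in clang) flags the dead signature check in the buggy version, which is one cheap way to catch this class of mistake.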

Virtual Private Networks – It’s not just for the enterprise any more

When I was gainfully employed, like most folks who depend upon technology in the workplace, I used a company supplied virtual private network (VPN) to remotely access the corporate network. Though the primary purpose was to securely access services within the corporate Intranet like email, it also provided a secure link between my computer and the entrance ramp onto the Internet, effectively locking out anyone trying to access my computer from the public Wi-Fi.

As I noted in my last post, Cyber Security at the Sochi Games, security is at best a crap shoot when using a public Wi-Fi, and at a location like the Sochi Olympics it is almost a certainty that your device/computer will be attacked.  Governmental access is also a concern when using a cellular connection.  The way to better secure your device/computer is to use a VPN.

Cyber security at the Sochi Games …

With all the controversy about the Sochi Olympics, especially the concerns about terrorist threats, a new threat has emerged that is probably more menacing than potential violence.  That threat is the cyber-hacking against the visitors and competitors at the games.

Richard Engel from NBC News reported on getting both his smart phone and computers hacked almost immediately upon arriving in Russia.  Here’s his report.  The report is alarming and the message is clear: Sochi is a cyber-cesspool and if you’re there, your electronics have certainly been compromised.  The problem is that the assertion is false.  Though there is a valid concern about cyber-hacking at the games, Engel’s report is highly misleading.

What they didn’t say was that they allowed malware to be downloaded to the devices.  Also, they did the experiment in Moscow (not Sochi as was implied) against Olympic themed websites that contained malware and they were victims of phishing.  In fact, they didn’t need to be in Moscow, they could have been in the NBC News offices in New York to achieve the same result.  Basically, they were complicit in the hacking against their devices and laptops.

What ever happened to journalistic standards?

So, is there a legitimate issue?  Yes there is, but sadly it’s kinda lost in the panicked message.  What they’ve proven in their report is that one must do the things we always say to do.  Don’t download any software that you didn’t explicitly ask for.  Don’t surf to questionable sites. Make sure all your software is up-to-date (esp. Adobe Flash, Oracle Java and anti-malware software).  Be cautious about public Wi-Fi (more on this below).

The real issue is that Sochi, like all high profile events, is a very rich target for criminal activity.  With all the visitors to Sochi, I’d not trust any public Wi-Fi (not that you should anyways).  I’ve gotten to the point that I lean on my cellular signal more than ever.  When using public Wi-Fi, it’s a crapshoot whether you’ll be hacked.  At a high profile event, it is much more likely.  This is complicated by concerns of state-sponsored hacking by the Russian government.  Sadly, this could be via the local cellular provider.  (Before you say it: Yes, the US government has been accused of the same thing.  However, it doesn’t change the concern.)

So, whether you’re in Sochi or Seattle, you need to continue to exercise care in your use of the Internet and public networks.   There are no guarantees, but if you remain diligent with your devices and computers, you should be OK, even at the Sochi games.

Here’s more information from the Business Insider about the problems with the report, along with NBC’s answer to the allegations.
