
Heartbleed blah blah blah – What does it mean for me?


I’ve read a lot about Heartbleed lately but I don’t really understand it. What does it mean for my family?

A friend texted me this question yesterday and I’m going to do my best to answer this question in non-tech talk because I feel like the message to normal folk is getting lost in technical language and there are likely more friends and family wondering the same thing.


Heartbleed is a bug in the code that many sites use to secure websites. The webcomic xkcd actually did a great job of explaining it.

Heartbleed explained by XKCD

Heartbleed is going to affect you in 2 primary ways.

Lots of password changes

Every account you have with a website that used OpenSSL should be considered compromised and you need to go change your password. Thankfully many sites are sending out emails and publishing blog posts to notify their users. This password reset is to prevent any unauthorized access (folks other than you) from logging in to the site or app just in case your password might have been exposed using Heartbleed.

What sites are affected? Mashable has a very good list, but don’t go changing everything just yet. Websites really need to take 2 steps to fix the problem before you change the password (more on that in a bit). Without these changes the new password might be exposed. It’s akin to having your phone tapped and giving out your new number to anyone eavesdropping.

So how do you know a site is fixed and is ready for you to change your password? Well, there isn’t a single good answer. Check the website of the company, ask them via Twitter, do a bit of research. If you are a user of Lastpass then they did their users a huge favor and added a feature to their security check to show every account saved in Lastpass that may be affected, indicating whether it is now safe to change your password or not. Don’t you wish you used an incredible service like Lastpass :)

Facebook, Pinterest, Tumblr, Soundcloud, Yahoo and most of the big sites are safe now, so you can change those passwords anytime. Some of the notable sites that aren’t secure as of this writing are Imgur, Instagram, and Flipboard.

Malicious Websites using a stolen “valid” certificate

Let’s start with an oversimplified explanation of Secure Websites.

When you log in to your bank, the little lock in your browser means that your bank bought a certificate from the web trusts and is using it to encrypt your data so other folks at the coffee shop don’t get a peek at your password. That security lock means 2 things: 1) you are really dealing with your bank and 2) information submitted through that webpage is secure and only visible to your bank. That is what SSL technology does in a nutshell. You can see that when that system is compromised it’s a big problem. Welcome to Heartbleed.

If you are familiar with phishing then you know that attackers will craft an email or website to look similar enough to your bank, Google, Yahoo etc… to fool you into typing in your username and password. If you fall for it then you’ve handed your account over to an attacker. This OpenSSL bug opens the door for attackers to not only impersonate a website but now they might be able to steal that website’s certificate and make their forgery even more convincing.

I mentioned before that websites have 2 steps to secure themselves: 1) Apply the OpenSSL patch, which fixes the bug; 2) Get a new certificate and revoke the old one, which marks it as bad.

Once the old certificate is marked as bad, your web browser should flag you that the certificate used on this website is no longer valid. The only catch? Chrome and Firefox don’t do this by default. Follow the instructions here to change those settings to check for revoked certificates in Chrome and Firefox.

Final thoughts

It’s difficult to predict the fallout of Heartbleed. It will be a learning process for both the security community and everyone involved, from certificate authorities to browser vendors.

TL;DR The best you can do is to change your passwords, use something complex and unique to that site (don’t reuse passwords, seriously, don’t), make sure your web browser settings give you the most security, and keep your wits. If something looks off or strange, don’t type in your password.

Further Security Tips

  1. Passwords: You can’t remember complex 22 character passwords. Use a password manager like Lastpass. Stop using passwords and start using passphrases: 4 words, add punctuation. BlueElephantlovesYanni! is an incredible password and you can remember it.
  2. Enable 2-Factor Authentication: This is an extra step and uses your mobile phone as a 2nd form of authentication. Use it on Google, Apple, Yahoo, and many more. Start with this article: Here’s Everywhere You Should Enable Two-Factor Authentication Right Now. I use the Authy App on my phone to keep track of all my 2-factor enabled accounts.

Image credit: ryanmilani

Heartbleed and your web browser


There is a very nasty vulnerability known as Heartbleed that has been discovered within OpenSSL. While you may not be familiar with OpenSSL, you are familiar with the hundreds of thousands of sites that use it to protect your passwords and encrypt your data. It is estimated to be implemented on 1/3 of all secured webservers and it is used by sites like Yahoo, Imgur, and many others.

The vulnerability allows an attacker to read plaintext chunks of server memory in 64k segments. These segments have been proven to expose visitor cookies, user passwords, and perhaps most worrisome the private keys of web server SSL certs. In layman’s terms that means I not only broke into your house but I changed the locks. (infosec folks please don’t take the analogy too far, I realize it is more akin to being able to spoof locks but I digress). Because of this potential key compromise, Yahoo and many other companies are going through the process of revoking and regenerating their SSL certificates.
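For the curious, here is an added illustration of why the bug leaks memory in 64k chunks. It is not part of the original post and is a simplified stand-in rather than OpenSSL’s own source: a heartbeat handler that trusts the length the other side claims, beside the bounds check that the patch adds. The MEMORY buffer and its “secret” are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* a heartbeat message ends in at least 16 bytes of padding */
/* Constructed stand-in for server memory: a 5-byte heartbeat request (type 1,
 * claimed payload length 0x0020 = 32, real payload "hi") followed by data that
 * belongs to someone else. RECORD_LEN is how many bytes actually arrived. */
static const unsigned char MEMORY[] = "\x01\x00\x20" "hi" "SECRET: session cookie=abc123";
#define RECORD_LEN 5

/* Vulnerable shape: trusts the 16-bit length the peer wrote and never compares it
 * with the record received, so memcpy reads past the 2 real payload bytes. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out) {
    (void)rec_len;                                  /* never consulted */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);              /* the over-read */
    return 3 + claimed;
}

/* Fixed shape: a record whose header + claimed payload + padding does not fit in
 * the bytes received is silently dropped, which is the heart of the patch. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len) {
    *out_len = 0;
    if (rec_len < 3) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > rec_len) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    *out_len = 3 + claimed;
    return 0;
}

/* 1 if the vulnerable reply carries the neighbouring secret; the 16-bit length
 * field is why one request can pull out up to 64k. */
int vulnerable_leaks_secret(void) {
    unsigned char out[3 + 0xFFFF];
    size_t n = heartbeat_vulnerable(MEMORY, RECORD_LEN, out);
    return n == 3 + 32 && memcmp(out + 5, "SECRET", 6) == 0;
}

/* 1 if the fixed handler drops the malformed record yet still answers a
 * well-formed one (claimed length 2, payload "hi", 16 bytes of padding). */
int fixed_handler_behaves(void) {
    unsigned char out[3 + 0xFFFF];
    unsigned char ok_rec[3 + 2 + HB_PADDING] = {HB_REQUEST, 0, 2, 'h', 'i'};
    size_t n = 0;
    int bad = heartbeat_fixed(MEMORY, RECORD_LEN, out, &n);
    int good = heartbeat_fixed(ok_rec, sizeof ok_rec, out, &n);
    return bad == -1 && good == 0 && n == 5 && memcmp(out + 3, "hi", 2) == 0;
}
```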

Why should you care?

If an attacker has gained the private key of a certificate, they can then use that certificate to make themselves appear legitimate unless your web browser checks for certificate revocation. Neither Chrome nor Firefox does this by default (they should, and I’m hopeful they will).

You can manually enable this feature and I would suggest that you do so. It is not a cure-all nor foolproof, but the fallout from Heartbleed is going to be significant and honestly this feature should be enabled at all times.

How to change your browser settings:

Chrome – go to Settings, click “Show Advanced” and find the certificate revocation setting.

Firefox – Settings, Advanced, Validation, then check both boxes.

IE – I believe these are on by default but to be sure, go to Settings, Advanced and find these settings.

Further Reading

For further reading regarding Heartbleed:

Time to Patch Java


Java Patch Released

As you may have heard there is a significant security vulnerability in Java that is currently being exploited widely on the internet. This bug can be used to silently install keyloggers or other types of malicious software from compromised websites. Oracle has released a patch that you should install as soon as possible on all your computers and servers.

In addition, security researchers are recommending that you disable Java functionality in your web browser after installing the patch. This will help limit your exposure to bugs that will be exploited in the future.

You can download the patch here and then read below for instructions on how to disable Java in your web browser.

Chrome

  1. Click on the Chrome menu, and then select Settings.
  2. At the bottom of the Settings window, click Show advanced settings.
  3. Scroll down to the Privacy section and click on Content Settings.
  4. In the Content Settings panel, scroll down to the Plug-ins section.
  5. Under the Plug-ins section, click Disable individual plug-ins.
  6. In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
  7. Close and restart the browser to enable the changes.

Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.

Firefox

  1. Click on the Firefox tab and then select Add-ons
  2. In the Add-ons Manager window, select Plugins
  3. Click Java (TM) Platform plugin to select it
  4. Click Disable (if the button displays Enable then Java is already disabled)

Safari

  1. Choose Safari Preferences
  2. Choose the Security option
  3. Deselect Enable Java
  4. Close Safari Preferences window

Internet Explorer

  1. Open Internet Explorer. (See Screenshots below for help)
  2. Type ALT + T to activate the Tools menu and choose Manage add-ons. Choose “All items” from the Show drop-down menu. Disable “Java Plug-in –version number–.” It is safe to simply disable all of the items that begin with Java, but be sure to get this one. Close Internet Explorer.
  3. Type WINDOWS + R and type regedit (approve UAC prompt if necessary). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer and change (Default) to 0. 64-bit Windows users will need to change HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer to 0.
  4. Download this text file, open it and save as disablejava.reg, run it to disable Java completely in IE.


Many Thanks to Naked Security and Shashi.co for these instructions

Type “Alt+T” then “Alt+A” to open Manage Add-Ons

Show all addons

Select Java and choose disable

More Info

For further reading about this vulnerability I suggest:

Is your Multifunction Copier a Security Risk?


I consider myself to be fairly well informed on issues concerning data security and privacy and I found this to be absolutely astonishing. Could your Multi-function Copier be one of the most high value data targets in your organization?

I discovered this 2010 CBS News Investigative report this morning via my friend @pulrich. It’s quite disturbing.


Before I contribute to uninformed alarmism it should be noted that CBS made quite a splash with this investigative report and at least to a degree the industry has responded.

Several of the major MFP manufacturers have published security portals or papers that outline how they are addressing these issues.

What should you do?

ASK QUESTIONS

If you are a business with an MFP or considering an MFP, ask questions of your Print Services provider or account rep. Don’t let them try to dazzle you with standards; ask clear questions about automatic wiping or encryption and then ask for certification documentation.

If you are evaluating a new printer I’d suggest starting with this list of Common Criteria Certified Products (click on Multi-Function Devices).

HAVE A POLICY

Before you sell or end the lease of your current MFP have a procedure to wipe the Hard Drive and clear the NVRAM. If the MFP is end-of-life yank the data storage components and use a secure destruction service to dispose of them.


DNSsvc.com bill is fake

If you’ve reached this page via Google you deserve an attaboy. Your instincts are correct – the “bill” you received from DNSsvc.com is not a bill.

I’ve highlighted in orange on the image below the portion that keeps them from being sued but is still deceptive marketing.


Pretty shady stuff. Hope I helped someone save $65.00. I’m not sure it will change anything but I encourage you to file a complaint with the BBB. It will take 3 minutes and I’ve already found the direct report link for you.

Media Destruction Services for Good


I’m often asked about trustworthy methods to destroy hard-drives, backup tapes, and external drives so when I heard about this service I just had to share.

The United Cerebral Palsy of Arkansas offers media destruction services. It’s a full service offering and not only do you get great value you also know that you helped support the UCP.

For more information contact: Dan Leslie, 501-228-3814, [email protected]

Per Unit Pricing:

0.8 cubic foot Carton $18.00
1.2 cubic foot Carton $21.60
1.8 cubic foot Carton $36.00
2.4 cubic foot Carton $48.60
3.6 cubic foot Carton $72.00
Shrink-Wrapped Pallet or Gaylord $707.00
32 Gallon Security Console $45.90
65 Gallon Container $90.35
175 Gallon Container $228.60
Per stop charge (applicable for multiple-stop routes) $50.00
Minimum charge (applicable if combination of transportation and destruction charges is <$50.00) $50.00
Vendor Container delivery charge during non-scheduled route or Regular (non-DTS) Transportation Pickup Charge $25.00
Vendor Container delivered during normal scheduled shred service route or bin swap service. $0.00
Hourly Labor Charge (Special projects, labor to palletize cartons upon request, etc.) $30.00
Hard Drive Destruction $5.00

Transportation Fees (based on round-trip mileage):

0-30 miles $141.00
31-60 miles $225.00
61-90 miles $280.00
91-120 miles $390.00
121-150 miles $450.00
151-180 miles $500.00
181-210 miles $650.00
211-240 miles $825.00

Easy Email Campaigns


Many Facebook page owners are discovering the importance of building communication with customers and supporters on channels you control, namely Websites and Email Campaigns. (I’ll say a few more words about this toward the end of the post.) If you are new to managing email lists and sending campaigns here are a few platforms to help you get started.

MailChimp

MailChimp has all the bells and whistles and may seem a bit complicated at first, but MailChimp’s documentation is very well done. Basically you’ll create a List (e.g. “Subscribers”) and publish a sign-up form for people to subscribe. Over time you might delve into creating sharp templates, but to get started I highly recommend using their “Email Beamer” to send an update to your list directly from your email client. In other words, you can send an email to all of your subscribers just as easily as you send an email to a friend. Here’s how:

  1. Send an email to your list’s unique email address (this is automatically created when you create the list)
  2. Mailchimp will reply with a confirmation that a draft has been created.
  3. Reply to the confirmation with the word “Send” and voila it will deliver.

Start with reviewing MailChimp’s Getting Started guide and then read about the Email Beamer feature.

I love Mailchimp and highly recommend them. If you have fewer than 2000 subscribers you can send up to 12,000 emails per month completely FREE. If you sign up for their service I’d appreciate you using my affiliate link to sign-up.

TinyLetter

TinyLetter, which is now part of the MailChimp family, is the no fuss method of sending email newsletters. It’s very simple to use and free to setup. I haven’t used it extensively so I don’t know the limitations of the product but knowing its pedigree I think you’ll be very pleased with this stripped-down email campaign tool.

Letter.ly

Letter.ly is similar to TinyLetter but focused on newsletters that charge a subscription fee. It’s fairly widely used and beyond simple to setup so if you want to charge a few dollars for access to the newsletter this is the fastest way to get up and running.

A word on Facebook Page Posts and visibility

If you manage a Facebook Page you are no doubt aware that your posts are no longer reaching as wide an audience. Through edge rank algorithms and the introduction of promoted posts you probably feel like you’ve encountered a bait-and-switch. Here is the honest truth… Facebook doesn’t charge you for pages and they don’t owe you anything. Social networks can be an invaluable tool, but realize that you are always at their mercy.

It is essential that you tie your community and communication to channels that you can control, (i.e. your website, your email database).

For further discussion on the subject I recommend reading these touchstone posts by @copyblogger:

In closing

There are many email campaign management tools available (e.g. ConstantContact, Aweber) but Mailchimp is what I prefer, use and recommend. If you know of other email tools that focus on simple and easy email newsletters I’d love to hear about them. If you need help with Mailchimp feel free to contact me. I help a number of clients in the setup and management of Mailchimp and I’d be glad to help you as well.

Happy Emailing


Be Prepared: Tweeting without Internet


Every natural disaster these days proves how useful Twitter in particular has become. The problem of course is these disasters usually mean your internet service and/or mobile data service is offline. So how do you stay connected and informed?

Twitter via Text Messaging (SMS)

You’ve probably heard that Twitter was initially built as an SMS service and because of that pedigree it maintains serious functionality through the lowly text message. However, many of us don’t use Twitter via text message enough to be adept at its syntax.

So here’s one little tip that could really help: save the Twitter SMS Commands PDF to your smartphone to have all the commands at your fingertips regardless of your internet connection.

Scan the QR code to open the PDF directly on your smartphone.

Try using iBooks, Evernote, or Dropbox to save a copy of this PDF if you aren’t familiar with this feature.

By the way you’ll need to link your cell phone to your Twitter account via the web at http://twitter.com/devices or you can do this via text message as well.

How to add your phone to your existing Twitter account via SMS:

  1. Send a text to your Twitter code with the word START.
  2. We’ll reply and ask you to text YES to the Twitter short code.
  3. Text your username to the same number. Do not use the @ symbol or quotation marks. Send your username ONLY, for example: larrybird
  4. Next, text your password. This is case sensitive, so be sure you are sending your password correctly.
  5. That’s it! You’re ready to go.

This won’t take you 1 minute of time and it might just help keep you connected in a time when you need it most.