What’s Heartbleed and Why Do You Care?

You know how you’re told to put your private social security number or credit card information only into sites that are secure? Their site address is https:// instead of just http://. Your browser will display a lock icon, turn something green, or give you another indication that what you send in cannot be stolen by third parties?

Well, it turns out these https:// sites are not secure at all.

Monday one of the biggest suppliers of encryption code said that their widely used library has a flaw in it which allows anyone to look at 64,000 characters that are in the host server’s memory. Your retirement account username and password and social security number might be part of the 64kB of information a passing bad guy looked at. Or, the username and password to your Gmail account could have been scraped and sent to Bad Guy Central.

And, the theft of your information would leave no trace on the victimized computer server at Wells Fargo, Bank of America, Chase, or wherever.
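For the curious, here is an added C simulation of the mistake behind Heartbleed; it is not OpenSSL’s code, and the “server memory”, the fake session secret and the “hi” payload are all constructed for the demo. The heartbeat record carries a length field written by the peer, the vulnerable handler trusts it, and the fixed handler checks it against the size of the record that actually arrived.

```c
#include <stdint.h>
#include <string.h>

/* Simulated server memory: a heartbeat record up front, a constructed fake secret right behind it. */
#define ARENA_SIZE 128
#define PADDING 16                         /* RFC 6520: at least 16 bytes of padding */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "FAKE-SESSION-SECRET";   /* constructed sample, not real data */

/* Layout: type(1) | claimed payload length(2) | payload | padding | ...other memory.
   Returns the number of bytes the record really occupies. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                      /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);      /* peer-controlled length field */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + 3 + n + PADDING, SECRET, sizeof SECRET);   /* "neighbouring" memory */
    return 1 + 2 + n + PADDING;
}

/* Vulnerable handler: echoes back as many bytes as the peer claimed, never checking that claim. */
static int vulnerable_reply(unsigned char *out, size_t out_cap, size_t record_len) {
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                                  /* ignored: that is the bug */
    if (claimed > out_cap) return -1;                  /* simulation bound on the reply buffer only */
    memcpy(out, arena + 3, claimed);                   /* runs past the real 2-byte payload */
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the received record (the check the patch added). */
static int fixed_reply(unsigned char *out, size_t out_cap, size_t record_len) {
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)claimed + PADDING > record_len) return -1;   /* silently drop the request */
    if (claimed > out_cap) return -1;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Builds a record that carries only "hi" but claims 'claimed_len' bytes and runs it through
   'handler': 1 if the reply contains the secret, 0 if not, -1 if the request was dropped. */
static int reply_leaks_secret(int (*handler)(unsigned char *, size_t, size_t), uint16_t claimed_len) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(claimed_len, "hi");
    int n = handler(out, sizeof out, record_len);
    if (n < 0) return -1;
    for (size_t i = 0; i + sizeof SECRET <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}
```

A record claiming 64 bytes makes the vulnerable handler hand back the secret that sits past the payload, while the fixed handler drops that same record and still answers an honest one.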

The Ugly

This bug has been named “Heartbleed” in a nerdy reference to the communications heartbeat code that it lives in.  Cute name, but I’ve seen statements that the seriousness of Heartbleed on a scale of 1 to 10 is 11.

The geek world is uniformly saying that this problem is very awful.

On the Other Hand

I cannot find a report from anyone anywhere that says this bug is the apparent source of any loss of data, money, or privacy.  The bug was discovered by honest programmers who notified the people responsible for the faulty code. A patch was immediately released, and most larger sites have already updated their servers.

2 Actions You Must Take!

Still, the Heartbleed problem is real, and there is a potential that some bad guys have broken into systems and have used, or have stored for future use, the information they stole. They could have broken into your bank just as you logged on, which would give them your username and password.  They could have done the same with your investment firm, credit card company, or many other places you enter data you want to keep private and secure.

So, you need to change your passwords for every secure site. Today.

I suggest using LastPass for creating strong new passwords and tracking them. (See this post for more information on why.) But, whether you use LastPass or manage your passwords manually, at the very least add or change one character for all of your current passwords.

But, first, make sure that your secure service has patched its software. If not, change the password now, do not use the site for secure transactions, and check again tomorrow. Now that the bug is well known and easy to exploit, your chances of having your data stolen on an unpatched server are much, much greater than they were last week.

CNET recommends http://filippo.io/Heartbleed as a place to test whether the Heartbleed patch has been installed. Use it!


References To Read

Here are sites I used for this post.  Check them out for more information.

Amazon Joins (Suddenly Leads?) the Streaming Video Race

This afternoon I went to Amazon to buy dog dental treats (why else??) and was greeted with the splash page announcement that Amazon now has its TV-connecting box for streaming Netflix, Amazon, Hulu Plus, etc., etc.

Amazon Fire TV takes voice commands, which might be fun, if it works, and I’m intrigued by its claim to buffer programs it thinks you’ll want before you hit play.

We love our old Roku, but if you haven’t taken the plunge to streaming video this looks pretty good.  Check out more info at Amazon.

More on the Death of XP

My opinion posted yesterday that people running Windows XP should either upgrade or unplug from the Internet has resulted in some excellent challenges.  I’ve been told that there is a reputable article published here or there that says that if you take some precautions you can keep running XP.


The most common rebuttal has been that the commenter is running an antivirus program, which they say will protect them. And, the idea that an anti-virus program should keep you safe is very reasonable.

There are steps you can take that a consensus of experts say will give you good protection. However, I have not run across any expert that says simply using an anti-virus program is sufficient. I don’t understand the technical details, but apparently some holes in the operating system allow evil access at places and times that anti-virus programs cannot guard.

Unfortunately, I think that most people are not tech savvy enough to follow the recommended safety steps.  Therefore, I believe the only solutions for most people are to upgrade or unplug.


If you’re feeling stampeded into upgrading and do not want to, here is a clear description from The Tech Guy, Leo Laporte, of what you should do to protect your computer.

I don’t think the recommendations are easy enough for most non-IT folk to follow. I see people having problems running their computer without Administrator privileges, which is Laporte’s top safety tip. You need to follow the recommendations to operate without Admin privileges so that any evil program you stumble into does not have the authority to actually plant itself in your PC. Of course, when YOU want to install a new program or get an update for a program, you will need to log back on to your computer using a privileged account. While this is not a difficult procedure, I think most non-nerds will find these procedures difficult to comply with.

Many non-geeks also use Internet Explorer (IE) as their browser. IE is renowned for security problems, and older versions of IE — like those that came with Windows XP — are the worst of the worst. Changing to the more secure Chrome or Firefox can be done by downloading the browser (click on the link in this sentence to get the browser you want), installing it, starting it up, and making it your machine’s default browser (the browsers will ask if you want them to be the default).

I think people can switch browsers, but I worry that some won’t follow all the steps and Internet Explorer will still be used on the Internet sometimes. And, yes, most people I know will run up-to-date antivirus programs. They also know better than to open attachments in emails or to click on links in those emails. But, almost everyone, me included, sometimes slips up and lets antivirus subscriptions expire and clicks when they shouldn’t.

You’re going to have to be perfect when you surf with XP after April 8th.  That’s an awful lot to ask!

Even the people who say it’s safe to keep using XP with protection don’t impress me with their confidence. USA Today’s reassurance that XP can be safe starts off in an unsettling way: their first step in assuring safe operations is to make sure you have a complete backup of all your files. That tells me that the author is not hugely confident that the recommended steps will actually protect you!

So, as disruptive and costly as it is, my best recommendation for non-techy folks with XP systems remains for them to upgrade or unplug come April 8th.

You Have Two Weeks to Replace Your Windows XP PC

If you are running Windows XP on your computer you absolutely must upgrade it by April 8th or stay completely off the Internet.

If you use a Mac or have a PC running Windows 7 or Windows 8, you can click back to Facebook or Google yak breeding in New Zealand. This post doesn’t concern you.

For Windows XP users: This is not a drill!

Here’s why.

Microsoft has announced that it is discontinuing support for the Windows XP operating system on April 8th.  Computers with XP will continue to run, but Microsoft won’t write any more code or offer any more fixes for that operating system.

That doesn’t sound very alarming.  Your old computer will still work.  The operating system has been around for a long time, it’s stable, and it’s unlikely that suddenly some function will break.

The problem is that the bad guys of the world are waiting for Microsoft to stop updating XP so they can unleash code on websites and in emails that will exploit security holes in the XP operating system.

Every week since XP came out in October 2001, Microsoft has responded to discovered security problems by issuing patches through Windows Update. Bad guys kept finding new obscure security holes to attack your system, and Microsoft has kept filling the holes.

On April 8th, those weekly security patches will stop.  But, the bad guys won’t quit searching for new flaws. And, they will find them.  In fact, most IT gurus suspect that hackers are not acting on the flaws they have discovered recently;  they are waiting until after April 8th to unleash them on the Internet where they will flourish unchallenged.

Worse, many flaws deep in the Windows code are in routines written originally for Windows XP which also have been used by the newer Windows 7 and 8.  Windows 7 and 8 will continue to be updated, and hackers are going to watch carefully for what is patched by Microsoft.  These evil coders will see if routines fixed in Windows 7 and 8 are also present in Windows XP.  In effect, the weekly updates to the recent operating systems will point out to bad guys where they should attack XP systems.

Anti-virus and anti-malware programs won’t be able to protect you against all of the attacks which are based on exploiting flaws in the operating system.

The attacks typically come from email attachments and scripts embedded on sleazy web pages you’re tricked into going to or which you’ve gotten to because you’ve mistyped the web address.  It’s hard to never typo www.ammazon.com instead of www.amazon.com! It’s easy to get fooled into clicking to open an email attachment or to visit a site that’s supposed to let you download a video but instead tries to send you a malicious program.

Once on your computer, the evil applications can monitor your keystrokes to get your bank username and password and then send off the information to the program’s authors in Russia.  Or, the program can encrypt everything on your disk and demand that you send cash to a blackmailer if you want the key to decrypt your photos, financial information, and documents. Or, … whatever!

In my opinion, you should not use a Windows XP computer on the Internet after April 8th.  It’s just too dangerous.

If you’re running XP now, you have two choices.

One is to update the computer’s operating system to Windows 7 or 8.  However, many old computers do not have the minimum resources required for these new operating systems.  And, even if they can run a newer version of Windows, they will do so very slowly.

Therefore, I recommend that you purchase a new computer. Hardware prices are less than 1/3 of what they were in 2002, according to Microsoft (1). Plus, Microsoft is offering a $100 “instant savings” on computers you buy through them to replace an XP box.

Whether you go through Microsoft, pick up a new PC at Costco, or switch to a Mac, you’ll be okay. But, please, do not keep running XP!  I really don’t want to spend the rest of 2014 helping people who kept using XP thinking that they’d be okay because they don’t view porn, shop online, or do anything stupid.

No matter how careful you are, your XP computer will be vulnerable after April 8th.  Please, update!

Kickstarter Hacked — User Data Stolen

Kickstarter email sent February 15, 2014

I just received email from Kickstarter warning us that bad guys had hacked their site and stolen user data.

Kickstarter is doing the responsible thing by notifying its users, and it’s reassuring that credit card data was not taken.

The one gotcha is that encrypted account passwords were stolen. Kickstarter says that with enough time, the bad guys could break the encryption, copy your password, and try signing on to other sites on the Internet using your email address and the decrypted password stolen from Kickstarter.

Fortunately, if Kickstarter used reasonable encryption technology, it’s not likely that bad guys would be able to easily or quickly break the encryption and get your password in a readable form.  But, Kickstarter’s message provides a concrete example of the security mumbo-jumbo we are given every day.

  • You should use unique passwords for every site, especially sites like banking or ordering sites which remember your credit card number.  When you use unique passwords, if a site is broken into you have to change your password for that one site.  If you share passwords among sites, you have to change that password on every site it’s used when it’s compromised on any of the sites.

Remembering and managing passwords can be a pain, I know. The solution is to use a password management tool that learns and remembers your passwords as you type them online.

I use LastPass, and recommend it highly. The basic service is free, and the premium features are $1/month.

LastPass has browser plugins for Chrome, Internet Explorer, and Firefox… the browsers I use. They have plugins for other browsers, too. These plugins watch for me to enter usernames and passwords, and they ask me if LastPass should remember the data. If I say yes, LastPass stores the information securely, and I can have LastPass enter the username and password for me next time I visit the site.

Moreover, the information LastPass captures in Chrome is available to me in Firefox and on other computers.  I just sign on to LastPass when I start my browser and all of my usernames and passwords are available for retrieval.

As far as my Kickstarter password, it was a unique nonsense series of numbers, letters, and special characters which was itself generated by LastPass. I am feeling very smug.  I logged on to Kickstarter, had LastPass generate a new password there, and was done.

So, if you are a Kickstarter user, go to their site and change your password. Maybe start using LastPass while you do it! And, if you used the Kickstarter password at other sites, then definitely visit all those sites and replace the common password with the random bits that LastPass will generate.