Monday, April 28, 2014
Internet Explorer (the big blue e) has a serious defect that hasn't been fixed- and XP will NOT be fixed!
Rather than repeating the details, please see "Critical zero-day endangers all versions of Internet Explorer-- and XP isn't getting a fix." If you want to keep your computer and don't want to spend over $100 to get an operating system (Windows 8) that may be "too much" for your old computer, consider installing Ubuntu, or having me install it. See my blog on how to convert to the operating system called Ubuntu and keep your old XP.
Sunday, April 20, 2014
Heartbleed browser extension available
I've found an extension to browsers that let you know when a site was/is vulnerable to the Heartbleed defect. I don't have any opinion on its efficacy, but here is a link to a description of the chrome version. I'll revise this post if I develop an opinion.
Saturday, April 19, 2014
XP Used in the Restaurants/Stores/Healthcare, etc Near You
XP support ended April 8. Many (How many? Don't know!) businesses, restaurants, health providers, ATMs: any device used to process your transactions are still on XP. (background)There are some things these enterprises can do to mitigate risk, but I wouldn't trust any of them. You think you don't know all you need to know about security! The conditions where you should be concerned are:
I read this over and I say to myself, I guess many of my electronic transactions are at risk. So, what to do? Go all eTransactions? Heartbleed anyone? Truth is that us, as consumers, are at significant risk for the next several months. Reading suggestions from other blogs, I think the prudent approach is to "profile":
- XP is used somewhere in the path of a transaction (even if the clerk is recording your phone number or swiping your loyalty card) AND
- The information has a direct path, even through a firewall, to the outside, or the terminal and business do not protect against insertion of a usb flash drive in the XP computer.
I read this over and I say to myself, I guess many of my electronic transactions are at risk. So, what to do? Go all eTransactions? Heartbleed anyone? Truth is that us, as consumers, are at significant risk for the next several months. Reading suggestions from other blogs, I think the prudent approach is to "profile":
- Use cash in especially sensitive stores, such as independent gas stations and corner stores (I've also seen XP still in use in medical facilities, which may or may not be a problem.)
- Do NOT use a debit card unless you are confident the store or ATM has all made the change over AND has mitigated against the Heartbleed defect.
- Consider using "single use credit cards on line" Google "single use credit card" to see who offers these and the terms of use
- Your credit card should have a limit of $50 for unauthorized use and some companies will cancel any charges where "confirmed" fraud is involved. So use a credit card if you can't use cash.
Tuesday, April 15, 2014
Heartbleed: List of sites, showing those impacted and those not- be sure to look at this
The site mashable.com has a list of websites and companies impacted by the Heartbleed defect. Note that popular email providers we use are impacted. Also note that most banks are listed as not impacted. However, I showed in a previous post that, though Chase is listed as not impacted, Chase Credit has a notice on its landing page to change your password.
Someone asked me today why they should be concerned about, say Facebook, since they said there was no information of concern there. The answer has to do with the way many create passwords for different sites: they don't. The same password is used for most sites. One of the first procedures a crook will use when he gets a possible password is to electronically visit many, many sites and see if the same password works for any of those sites. More often than not, because people use the same password for most of their logons, the crooks will gain access to many sites, including ones that do have private information.
Someone asked me today why they should be concerned about, say Facebook, since they said there was no information of concern there. The answer has to do with the way many create passwords for different sites: they don't. The same password is used for most sites. One of the first procedures a crook will use when he gets a possible password is to electronically visit many, many sites and see if the same password works for any of those sites. More often than not, because people use the same password for most of their logons, the crooks will gain access to many sites, including ones that do have private information.
Monday, April 14, 2014
HeartBleed and Banks
The password manager Lastpass has added a function to test all the sites it manages and let you know what to do about that site with respect to the HeartBleed defect. When I ran that function I got back a list of a dozen or so sites, including banks, along with Lastpass's determination of whether or not the defect had been patched and whether or not the new certificate had been issued. I address this at more length in a subsequent blog entry. It did tell me that I should change the password for Barclays.
I went to the Barclays web site and, after logging in, found this on the left side of the main page:
I went to the Barclays web site and, after logging in, found this on the left side of the main page:
I clicked the link and the instructions were as follows:
Conclusion: we all have some work to do. Fortunately, I use Lastpass, so I have a list of all the sites where I have user ids and passwords. Plus Lastpass has offered this service to help me prioritize what I should be doing.
The New Home Security Threat (Heartbleed) and What You Should Do
When you use a secure web site the url starts with https:// The "s" stands for secure. When you correspond with this kind of site, your browser and the site's software cooperate to send and receive your messages in an "encrypted" format. Theoretically only you, ie your computer, and the receiving web server can "read" what you have set. This protects your message from being intercepted on its way from your computer to the target web server. (Did you know that your message bounces from one server to another before finally reaching its target. I've see my messages go back and forth between coasts, north and south, then Chicago, then Atlanta, and so on before reaching its final destination. Both the transmitted signal and the intermediate servers can be points where your message gets read and your identity stolen.)
The Heartbleed security flaw is making news because the defect, which potentially allows the message to be intercepted and read and all the information on a server to be harvested by criminals or governments, is in the software, OpenSSL, that performs the "s" function. This is/was a serious issue that probably impacts everyone who is reading this.
The best information I can find instructing you on what you should do is this:
Kim Komando's Article (with some info on password managers removed):
In case you missed it, the big news of the week is the “Heartbleed” bug that’s been exposing sensitive information on two-thirds of the websites on the Internet for the last two years. Yes, it’s as bad as it sounds. Earlier in the week, I wrote a tip describing how Heartbleed works and how to stay safe. If you missed it, click here to read it. However, I’ve gotten lots of questions asking for more detail on a specific suggestion I made for staying safe. So, here it is, in more detail. And this advice isn’t just for Heartbleed; every computer user needs to know how to do this one thing. I am, of course, talking about the right way to change your online passwords. Even if you think you know how, read on to make sure you aren’t missing an important step.
Controversy: There is still some debate about when you should change your online passwords in response to Heartbleed. If you change a password before Heartbleed is fixed on a site, hackers can get your new password and you’ll have to change it again. On the other hand, hackers might already have your information and could use it at any moment if you don’t change your password. So, it’s really up to you how you want to proceed. I think changing your password immediately is better, but I understand it makes things more difficult. Let’s be honest; Heartbleed is a very difficult problem, for all of us. Fortunately, most of the major sites have updated their servers at this point, so it should be fine to change your passwords. Click here to see which major sites were affected. For smaller sites, you can check to see if they’re still a threat with these sites.
I recommend the following process for dealing with Heartbleed:
1. CREATE A LIST OF SITES
2. PRIORITIZE
3. MAKE NEW PASSWORDS
4. CHANGE YOUR PASSWORDS
5. AVOID SCAMS
Start with a list of the websites where you have accounts. This is probably going to be a long list, but it can’t be helped.
Find out which sites Heartbleed affected from this list. That list sticks mostly to major sites, so for smaller sites use these tools to see if Heartbleed is still a problem. Move the most sensitive sites, like email and social media, to the top of the list and work your way down to the least important.
Note: Major bank sites didn’t have a problem with Heartbleed. However, if you used the same password for other accounts as you did for your banking account, you need to change that as well. (Editors note (DGL): I question this. I will create other blog entries that demonstrate that some major banks do have a problem, if not in the software itself, then in their hardware.)
If you’re changing your passwords, obviously you need to make new ones. Be sure they’re strong and unique for every site. Click here for my steps to creating strong, unique passwords that are easy to remember.
Bonus tip: Don’t forget to beef up your security questions while you’re at it.
Visit the first site on your list and log in to your account like you normally would. The option to change your password is usually under the Profile or Settings section. If you don’t remember your password or are having trouble finding where to change it, click the “Forgot password” link. This is usually near the sign-in area and will eventually land you on the page to set a new password.
Bonus tip:If the site is one you haven’t used in a while, think about if you actually need an account. If you don’t, close out your account or replace your information with junk information. A site like AccountKiller will tell you how to close your account on most major websites. Once you’ve changing a password, cross that account off your list and move on to the next one. Once you’re done, keep the list handy for reference in case a site you might have forgotten pops into your head later. You can check to see if you already hit it.
Warning: Scammers
Scammers are going to use this Heartbleed situation to try and trick you. Lots of real sites are sending out email asking you to change your password. Scammers are going to try slipping some fake email into your inbox as well. The ironclad rule is to never click on an email link to change your password (or for any other in an unsolicited email). Always go to the site yourself and follow the directions I gave above. Links in fake email will take you to malicious sites, or a page that looks like the legitimate site’s login page. If you put in your password, hackers will have full access to your real account. So, be careful. Want the latest on the Heartbleed virus and other new threats? Be sure to visit my blog regularly.
The Heartbleed security flaw is making news because the defect, which potentially allows the message to be intercepted and read and all the information on a server to be harvested by criminals or governments, is in the software, OpenSSL, that performs the "s" function. This is/was a serious issue that probably impacts everyone who is reading this.
The best information I can find instructing you on what you should do is this:
- Understand that every site where https: is used has potentially been compromized, but not all sites.
- Understand that all network-oriented hardware, from routers to smartphones, can be compromised, but not all.
- The compromised sites and manufacturers must identify the impact, update the OpenSSL software to plug the hole, and reissue new "certificates." Without reissuing certificates, even the fixed software is compromised.
- Once the new certificates are issued, the compromised sites and companies should notify you to change your password. (If you are very concerned about a site or company, you can change your password now, even before a new certificate is issued. However, when the new certificate is issued, you will need to change your password again.)
Kim Komando's Article (with some info on password managers removed):
In case you missed it, the big news of the week is the “Heartbleed” bug that’s been exposing sensitive information on two-thirds of the websites on the Internet for the last two years. Yes, it’s as bad as it sounds. Earlier in the week, I wrote a tip describing how Heartbleed works and how to stay safe. If you missed it, click here to read it. However, I’ve gotten lots of questions asking for more detail on a specific suggestion I made for staying safe. So, here it is, in more detail. And this advice isn’t just for Heartbleed; every computer user needs to know how to do this one thing. I am, of course, talking about the right way to change your online passwords. Even if you think you know how, read on to make sure you aren’t missing an important step.
Controversy: There is still some debate about when you should change your online passwords in response to Heartbleed. If you change a password before Heartbleed is fixed on a site, hackers can get your new password and you’ll have to change it again. On the other hand, hackers might already have your information and could use it at any moment if you don’t change your password. So, it’s really up to you how you want to proceed. I think changing your password immediately is better, but I understand it makes things more difficult. Let’s be honest; Heartbleed is a very difficult problem, for all of us. Fortunately, most of the major sites have updated their servers at this point, so it should be fine to change your passwords. Click here to see which major sites were affected. For smaller sites, you can check to see if they’re still a threat with these sites.
I recommend the following process for dealing with Heartbleed:
1. CREATE A LIST OF SITES
2. PRIORITIZE
3. MAKE NEW PASSWORDS
4. CHANGE YOUR PASSWORDS
5. AVOID SCAMS
Start with a list of the websites where you have accounts. This is probably going to be a long list, but it can’t be helped.
Find out which sites Heartbleed affected from this list. That list sticks mostly to major sites, so for smaller sites use these tools to see if Heartbleed is still a problem. Move the most sensitive sites, like email and social media, to the top of the list and work your way down to the least important.
Note: Major bank sites didn’t have a problem with Heartbleed. However, if you used the same password for other accounts as you did for your banking account, you need to change that as well. (Editors note (DGL): I question this. I will create other blog entries that demonstrate that some major banks do have a problem, if not in the software itself, then in their hardware.)
If you’re changing your passwords, obviously you need to make new ones. Be sure they’re strong and unique for every site. Click here for my steps to creating strong, unique passwords that are easy to remember.
Bonus tip: Don’t forget to beef up your security questions while you’re at it.
Visit the first site on your list and log in to your account like you normally would. The option to change your password is usually under the Profile or Settings section. If you don’t remember your password or are having trouble finding where to change it, click the “Forgot password” link. This is usually near the sign-in area and will eventually land you on the page to set a new password.
Bonus tip:If the site is one you haven’t used in a while, think about if you actually need an account. If you don’t, close out your account or replace your information with junk information. A site like AccountKiller will tell you how to close your account on most major websites. Once you’ve changing a password, cross that account off your list and move on to the next one. Once you’re done, keep the list handy for reference in case a site you might have forgotten pops into your head later. You can check to see if you already hit it.
Warning: Scammers
Scammers are going to use this Heartbleed situation to try and trick you. Lots of real sites are sending out email asking you to change your password. Scammers are going to try slipping some fake email into your inbox as well. The ironclad rule is to never click on an email link to change your password (or for any other in an unsolicited email). Always go to the site yourself and follow the directions I gave above. Links in fake email will take you to malicious sites, or a page that looks like the legitimate site’s login page. If you put in your password, hackers will have full access to your real account. So, be careful. Want the latest on the Heartbleed virus and other new threats? Be sure to visit my blog regularly.
Thursday, April 10, 2014
My Antivirus/Antimalware program found an infection and its name starts with PUP: Is that a problem?
PUP is an abbreviation for "Potentially Unwanted Program." This abbreviation is industry-standard. The definition is: "A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives."
Subscribe to:
Posts (Atom)
Printfriendly
