Tagged: Security

When heartbleed leads to heartache, what’s a person to do?


By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.

No? Well here’s a quick re-cap.

Turns out that every time you’ve seen that little yellow lock icon and the "https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’ve been led to believe. Around two years ago, the group that is responsible for updating OpenSSL (the free software that tons of sites use to enable encryption) made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a third party – and I mean any third party – to listen in on your secure session, it also made it possible to decode what was being said, and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.

Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.

Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.

But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.

First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information transmitted during a small window of time prior to someone “listening in” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”), statistically it’s not all that likely that your info was taken.

But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.

Because the flaw is a fairly “real-time” vulnerability, meaning it can only be exploited within a few moments of a secure transaction taking place, if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).

So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.

Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: don’t just change all of your passwords to the same new password. Use a different one for each site. Yes, it’s a total drag, but I have two suggestions to ease the pain.

1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.

2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: Come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two or three character way of identifying the site you’re on. For instance Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r

The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.

Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.

Good luck!


BlackBerry Balance is the PlayBook's killer app

RIM’s PlayBook is, without a doubt, one of the most misunderstood and under-appreciated devices ever launched.

From its poorly planned debut and lacklustre feature set, to the dearth of available apps (compared to other platforms) and a lack of cellular data at launch, the PlayBook has had a rough ride.

But RIM isn’t giving up on the PlayBook – as evidenced by the newest 4G/LTE version – and neither should folks who want to use their tablet for work and play.

Despite its shortcomings, which incidentally are fewer and fewer as time goes by, the BlackBerry PlayBook possesses two features that make it unique in the tablet landscape. One of those features is the ability to tether your BlackBerry smartphone to the PlayBook, giving you full access to your BlackBerry’s features but on a much bigger screen.

BlackBerry Balance locked on a RIM PlayBook

Using BlackBerry Balance you can lock your work apps while maintaining access to all of the other PlayBook functions.

The second is BlackBerry Balance. Balance lets you create a complete separation between work and personal tasks on the PlayBook, a truly outstanding feature that neither Apple’s iOS nor Google’s Android platforms have been able to deliver.

Sure, you can enable parental controls on these devices, but these restrictions disable apps completely instead of creating a virtual wall between work and personal apps. It’s the baby-sitter or nanny approach to control.

With BlackBerry Balance, once you’ve indicated that you want to create a “work” container, you can lock the Messages, Contacts, Calendar and Work Browser with a single password. Once locked, these applications are no longer accessible, but the rest of the tablet’s apps remain available – even a secondary instance of the web browser for personal browsing.

This ability to put all of your sensitive work-related info behind a locked door is a boon to families and anyone else who finds that their tablet ends up being passed from one person to another. RIM’s realization that our tablets – even more than our phones – are becoming shared devices is a brilliant insight.

BlackBerry Balance running on a PlayBook

When BlackBerry Balance is locked, you can still see that work apps are running, but you need to unlock them in order to see their full screens.

It’s not without flaws, however. The first is that in order to use BlackBerry Balance, you need to connect your PlayBook to an enterprise email account which is running RIM’s proprietary software on the back-end. If you just use a blackberry.net email address, or a POP email account like the one given to you by your ISP, the feature isn’t available to you.

Balance also plays somewhat heavy-handedly with your locked apps. For instance, if you have a work account and a personal account set up in the Messages app, once locked, you can’t access either. RIM needs to (and claims to have plans to) find a way to only lock that which is work-related, leaving all personal data accessible.

These limitations notwithstanding, BlackBerry Balance is easily the most compelling and unique feature on the PlayBook. I doubt it will be long before Google and Apple catch up, but in the meantime, RIM has a killer app on their hands.

At a time when the company is holding its breath for the next 4-5 months until it can release the promised line of BlackBerry 10 devices, it needs all of the help it can get.

Stuxnet removal tool is malware too

W32.Stuxnet is a virus that first appeared earlier this year and has gained a fair share of infamy and media attention for its alleged attacks on industrial installations, the most publicized being a nuclear power plant in Iran.

The virus works by first infecting a computer running the Windows operating system. Programmers in commercial environments – say an assembly line – use these computers to upload code to devices known as Programmable Logic Controllers or PLCs. The problem comes when the Stuxnet virus hijacks this uploaded code and from then on resides in the PLC itself where it can alter the function of these devices.

Unfortunately, we’re not talking about a robot making incorrect welds on a Ford F-150, though that would be bad. Much worse is the theoretical threat that Symantec has outlined in one of their blogs about Stuxnet. They detail an event that took place when malicious code infected the PLC governing the operation of a pipeline:

Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Though this incident was not caused by Stuxnet, Symantec is pointing out the way in which it could be used, which is why Stuxnet has been labeled by some as the first “cyber super weapon”.

Needless to say, there are a lot of panicky people out there who are anxious to rid themselves of this virus, even if they aren’t in the business of programming PLCs. But Symantec has a warning for anyone out there looking for a quick fix: the cure may be worse than the virus.

Apparently there is a tool circulating the web right now – mainly in forums that discuss the Stuxnet virus – that promises to get rid of Stuxnet for you, and even claims to be from Microsoft. Neither could be further from the truth.

Well, almost. The supposedly helpful “tool” will rid your PC of Stuxnet if you have it, but it doesn’t discriminate one type of file from another and within a few minutes of running the program, your entire C drive is wiped clean. Stuxnet is gone. And so is everything else.
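A quick way to test the “it’s from Microsoft” claim before running any downloaded tool is to check its Authenticode signature. The script below is an added example, not something from the original post or from Symantec; the file path is a hypothetical placeholder.

```powershell
# Added example (not from the original post): check whether a downloaded
# "removal tool" carries a valid Authenticode signature from Microsoft.
# Unsigned, tampered, or third-party-signed files are reported as untrusted.
function Test-MicrosoftSignedTool {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the signature chains to a trusted root and the
    # file hash still matches. 'NotSigned', 'HashMismatch', 'UnknownError' all fail.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $subject = $sig.SignerCertificate.Subject
    # A valid signature from some other publisher is still not "from Microsoft".
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signed by: $subject" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "Signed by: $subject" }
}

# Usage with a placeholder path (hypothetical file name, not a real indicator):
Test-MicrosoftSignedTool -Path 'C:\Downloads\stuxnet_removal_tool.exe' | Format-List
```

A result of Trusted = $false does not prove the file is malicious, but it does mean the “from Microsoft” claim cannot be verified and the file should not be run.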

Typically Microsoft does not issue removal tools for individual security threats like Stuxnet, instead relying on a single Malicious Software Removal Tool, which is updated regularly to identify and remove a whole list of nasty bugs, including Stuxnet.

If you think you are already infected, running this tool should take care of it for you. If you haven’t been infected, but are concerned that you might be vulnerable, here are some suggestions:

  • Install and then regularly update an anti-virus tool such as Norton, Bell Internet Security or the freely available AVG.
  • Turn on Microsoft Windows Update and make sure you install all recommended updates. The most recent update, released on Tuesday, fixes the hole in Windows that allows Stuxnet to do its damage.
  • Surf with caution: Avoid links in emails from people you don’t know. Be wary when using file sharing services. Never open attachments that you weren’t expecting.