Meltdown And Spectre info

I’m sure many have heard of the recent MASSIVE security holes found in computer processors.

The threat is real so you should take notice. Here is a good description  form Stu Sjourwerman of what it is and what to do.:

"Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.”

So, What Can We Doing About This?

You need to update and patch all machines on your network. This could to take some time, some of the patches are not even available yet.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.

Here is a good site with an FAQ and videos about this SNAFU, that you can refer people to if they want to know more. For instance, antivirus does not protect against this vulnerability.

Let’s get backing up this New Year!

So another year is gone and a new one is upon us.
Many of us have received or purchased new computer systems for personal use, work or school or will be soon.
Nowadays many of us have a great deal of our lives – pictures of family, personal and legal documents and more stored digitally on our computers. And many do not have any backups of said systems.

I continually preach the benefits of using system images for backing up your computers. With imaging you can restore entire systems in case of hard disk failure, restore individual files and folders, upgrade/migrate to newer larger and faster HDDs (usually SSDs) and even move to completely new systems.

One of the first things everyone should know is that your digital system(s) WILL fail. And can at anytime. And if you have no recoverable backup your data will be gone forever. Please don’t let this happen to you.
One thing I do – because I am such a stickler on having my own stuff backed up, is have TWO full backups on SEPARATE disk drives. This allows for me to keep the two seperate full images in two different locations. And should one backup drive fail, I have another to go to. The likely hood that both would fail (along with my primary system) is remote and if I had that triple whammy I’d have to assume God needed me to lose it all.

External Hard Disk Drives can be had very inexpensively. For example here is a good deal on one from Amazon. And the cost of imaging software is under $100.00 US (often way less too). A VERY small price to pay for peace of mind and the security of knowing you’ll be able to recover your important files, pictures and entire system.

Here is a previous article I’ve written. All points valid still.

Here are the tools I regularly use:

Acronis – Acronis works on Mac and PC. I prefer the 1-time purchase option because I like to OWN my stuff and not ‘rent’ it. Check that out here. They have loads of tutorials in their knowledge base.

For Mac only there is Carbon Copy Cloner (CCC), my favorite. Or another good alternative SuperDuper.

Of course on Macs, you can use Apples built in Disk Utility to create an image but it is more onerous. And you can’t really make incremental backups. You can of course, create an image and use TimeMachine backups to make up the difference I guess.

As a free alternative for Windows 8.1 and 10 there is the built in backup utility which includes and imaging option. However I’ve had issues restoring images to differing hardware. Here is a very good article on how to do that.

Another very good option for PC is Macrium Reflect. They even have a free version (here) that works very well. I’ve used the latest version successfully a few times.

One more way I use to augment my backups is with the "Cloud".
Cloud storage sounds very nebulous, but is really just utilizing large storage pools made available by numerous internet service providers to augment their offerings and services.
Cloud storage is GREAT for storing a large amount of ‘nonproprietary’ information; things like most pictures many documents and files etc. I just make sure to not put up to the cloud any critical/personal/financial documents or other highly private information.
I pay a little extra to Google to have loads of extra Google drive space that I upload many pics and files to. [and of course Google provides for free unlimited photo storage with some gotchas on the having to do with photo size and quality].
I have Microsoft’s One Drive that came with my purchases of Microsoft Office and some Windows 10 devices; but that storage size has been cut down recently.
With my Amazon Prime account I also have unlimited picture storage too. 
And I also even have Dropbox.

So for plain mundane data storage you can see I use many of the available options in the cloud. But the ‘cloud’ does NOT enable you to recover your entire system should the drive or other major component fail. Or worse – burn up in a fire or get damaged by some other catastrophe.
So no matter what I store in the cloud I ALWAYS have copies on my own personal systems somewhere.

I may be a more than a little "tight" about keeping data. But decades of dealing with data losses in the corporate and personal world has made me so.

I hope that some of you take some time in this New Year to do some digital safe guarding. Like a fire extinguisher you need to have it on hand and ready before you have the fire.

OS X Mavericks Update and Security Fixes

apple-logo

I recently wrote about the major security whole in the latest version of OS X – read my last post. It appears Apple has released the fix finally. Although the ‘fix’ comes not in a simple ‘patch’ but in an entire Operating System upgrade!

After several months of testing, Apple has released OS X version 10.9.2. The MAJOR (and very dangerous) SSL bug isn’t mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple’s security page for the update. Seems Apple is being their usual shity selves when it comes to security – hide or lie about it, sort of hiding the fact that this is so important.

To be a ‘little’ fair, this update does add some features but over all is really a bug fix of many major issues with the new Operating System. In Windows terms it would be called a full Service Pack.

As with any large Operating System upgrade/update you should of course back up your system – Use Time Machine or any other method I’ve described in previous posts.

Run the Software Update to update your system to 10.9.2 and if any other software shows updates available, select them too. If you’d like you can grab the full Combo update here.

If you have Mountain Lion it too has an update available – run Software Update to get it.

Please make sure if you run an Apple desktop or laptop computer that you update as soon as possible.

Be safe, Peace.

Serious OS-X and iOS Security Vulnerability Completely Opens Up Your ALL Your Secure Communications

Rotten_plus_GreenApple

It had been know for MONTHS that there was a serious security flaw in iOS and possibly the latest version of OS X that could allow attackers to surreptitiously circumvent the most prevalent Internet security protocol – TLS/SSL and and Security Certificate validations. The issue is a “fundamental bug in Apple’s SSL implementation,” This can allow attackers to view ANY of your ‘secure’ Web communications. This includes e-mail, banking sites. Facebook etc..

Apple finally released an ‘emergency patch’ to the latest version of iOS last week, but it appears that the flaw affects more than just Apple’s mobile platforms. It actually affects the latest versions of OS X – Apples latest desktop Operating System too!!

If you have an iDevice I’d recommend backing it up; via iTunes or any of the other methods I’ve previously recommended. Then checking for any System Updates. Tap Settings > General > Software Update. Then download and Install to download the update. [Updates might download automatically while your device is connected to Wi-Fi and a power source.]

As for you Desktop computer, well there lies the rub. Apple appears to have at first done the usual – deny, then downplay, then finally admit there is a serious problem and ‘promise a quick fix/patch’. [It’s really crazy that they are able to get away with this so often; I guess those reporting are too busy licking Apple sack….but I digress]

So what to do..

If you use the Desktop Apple Operating System – OS X you should always use the latest versions of Chrome or Firefox for internet browsing to help mitigate some of the possible exposure. [I NEVER use Safari and always recommend to all my clients that they don’t either]. Even if you’ve take the latest update on your iDevice I’d still recommend I’d recommend Chrome for iOS.

Here one of the latest articles I’ve found with a VERY good explanation. You should at least read this! But I’d recommend hitting all my sources.

Be safe folks!

Sources to read 1, 2, 3

Zero Day Adobe and Microsoft Exploits

Adobe has released (for the second time this month) an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers.

Attackers are already exploiting it!

Please apply this patch and stay secure.
If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is v. 33.0.1750.117 for Windows, Mac, and Linux. To learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu (the option to apply any pending updates should appear here as well).

The most recent versions of Flash are available from the Adobe download center here, but beware potentially unwanted add-ons, like McAfee Security Scan, Chrome browser etc..). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

AND..

Microsoft has released a stop-gap fix for a previously unknown zero-day vulnerability in Internet Explorer versions 9 and 10 to combat a separate zero-day campaign. IF possible (many users cannot because of other ‘line of business software’ that requires versions 9 or 10) to update to version 11 of IE, since it contains exploit mitigations not available in earlier releases. Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.

Microsoft site explanation is here

Actual ‘Fix-It tool is here

If you run it make sure you ‘right-click’ on the file after it’s downloaded and ‘Run As Administrator’

Be safe folks, Peace.

Using Google’s Two Step Verification

If you don’t know what 2-Step Verification is here is a simple explanation: The two-step system uses both a password and a numerical code tied to your mobile phone, which can be sent by Google via SMS or generated by a smartphone app. Either way, it means a prospective hacker would need to obtain both your password and your phone to access your account.

I’ve been aware of Google’s two-step verification system for some time, but I felt my very strong password, the fact that I don’t use that password anywhere else and that it could not be ascertained by usual social engineering methods, was more than adequate protection. I was also concerned the system might be a hassle to use since I routinely sign in from so many different computers and locations. I already do use a password manager (KeePass) that requires not only a master password but I also use a key file too. [There are other very effective password managers out there I suggest you use one. Ars has a good article about that here.]
But with the massive increase in hacking and high jacking of information and the advancement of brute force cracking technologies and techniques I felt it was time to get onto the 2-step wagon.

Also I suggest that if you use Yahoo mail for anything you migrate towards Gmail or some other ISP. Yahoo has one of the worst records for email security. They are  hacked all the time! One recent article is here.
And for petesake please do NOT ‘link’ your Facebook account with Yahoo – that too is a major source of hacked Facebook account activity. If you currently have it linked I suggest you separate it. You can read how here and here.

So here is a brief explanation of how to enable 2-step verification. I will also link to some other resources on how to enable and use it at the bottom. If you find this too complicated or too much of a hassle you can always disable it very easily.

So let’s get started. Login to your account and go to Account then. Security

image

In the Security list you’ll see 2-step verification. This is where you can ‘turn it on’ and edit the settings.

image

Printable backup codes. Warning: If your phone is unavailable, these codes will be the only way to sign in to your account. Keep them someplace accessible, like your wallet, desk drawer or other safe place. Printable backup codes.

image

Here click on ‘Show backup Codes’

image

I printed out a set and put them someplace safe. I also saved them to a text file and imported and copied that text file of codes into my Password management application – KeePass.

If you click on the Application Specific Passwords you can create them for you other applications like Outlook, iMail, ThunderBird etc. Just give it some useful name, click on ‘Generate Password’ and then make sure to copy (or right down) that password – it is only shown once! I just copied each one to a text file so I could then paste them into the proper field (password) on my Outlook/configuration setups.

image

Some other links and info.

Here’s Google’s info page. And more here.

Setting up Mac Mail.

Setting up Outlook.

One more thing to consider if you’re a paranoid guy like me. I have all my browsers set to delete Internet history, cache and cookies when I close my Browsers AND I also run CCleaner many times a day to clean out temp files. Doing this will clear out the 2-Step ‘security token’ so you must manually enter some specific cookies to NOT be deleted in your browser and/or CCleaner.

To create ‘safe cookies’ in Firefox here is a good article. For Chrome go here and read the ‘Make exceptions for cookies for specific websites. The method is just about the same for InternetExplorer and Safari.

For CCleaner you can add the cookies to keep manually. Read here.

The actual cookie names you need to keep are here:

accounts.google.com
accounts.youtube.com
google.com
mail.google.com
apis.google.com
0.docs.google.com
docs.google.com

Hope this helps some. Peace out.

Java update April 2013

If you haven’t installed Oracle’s most recent Java patch, you should do so now!

Nefarious folks are hacking those that have not patched their systems.
You can find the latest Java here for Mac OSX, Windows or Linux.

I know many folks have taken to removing or disabling Java all together over security concerns. While that may be a solution to some, it is not for all of us. Especially those of us in IT that rely on application/tools that require Java.

There are also a whole lot of interactive and multimedia Internet applications that also require Java.

So IF you have Java installed on your PC – be it Mac, Linux or Window, PLEASE update your system.

One thing I’d like to warn you about while doing this update.

WHILE GOING THROUGH THE INSTALL PROCESS – DO NOT INSTALL ANY TOOLBARS (LIKE ‘ASK TOOLBAR’ ETC.) OR ADDITIONAL SOFTWARE (FREE VIRUS SCANS, BROWSERS ETC.)!!

This whole SCAM of installing crapware, and worse, while simply trying to update plug-ins is getting WAY out of hand. I wish there were some way to stop it but it seems impossible. Seems virtually every plugin-addon tries to install more stuff than you need and should want. Very frustrating.

But if you’re diligent and careful you can keep yourself from being essentially tricked into installing crapware.

So be safe out there folks.

Disable UPnP to Protect Yourself from New Security Hole Found in Wi-Fi Routers.

If you don’t know. And most of you probably don’t. There is a major security flaw that has been recently aggressively exploited. It could allow people with malicious intent access your system(s). Mac, Windows PC and Linux, all are vulnerable because this is NOT a OS flaw, but a router flaw! So please don’t think you are safe just because you by into the belief (very wrong by the way) that ‘your’ type of Operating System ‘doesn’t get infected…’.  Scans from security companies have shown about 50 MILLION vulnerable access points already.

It is strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments.
UPnP is pervasive – it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.

Rapid7.com has an online tool here  that can check the external interface of your router and let you know if you are vulnerable.

To fix/resolve this issue all you need to disable UPnP on your wireless router.
Since each router is different, you’ll need to login to your wireless router’s admin panel (use the manual to figure that out), and then find the UPnP setting. This may require someone with more skills (like your teenager) or an IT professional (preferred method) to turn this off for you you. But however you do it, please do it.

Be safe. Smile

Tech power and input deals.

For those with laptop/portable computers you know what it’s like to always have to pack everything in your bag for each trip.

Why not keep have an extra power supply so that you can have one at home AND the office (or in your bag) always waiting? No constantly having to reach and dig behind the desk to unplug the power supply. And then do the same when you get to the office.

Here is a super solution. And right now this is on sale for only $19.99 w/free shipping at Newegg.com.
Rosewill RMNA-11001 Universal automatic Notebook Power Adapter 90W
http://bit.ly/KSUOpD

And while your at it how about an additional mouse? I use this one on PCs and Macs. Works great. I have a few of these too – home, office and travel bag.
http://bit.ly/UBT2ib

Just thought I’d pass this on.