Microsoft takes Antivirus/Protection to a new level

I no longer use any ‘always on’ third party Antivirus software on any of my Operating systems, and I haven’t for some time. I rely heavily on my expertise, current systems, and applications setups and experience to keep myself as protected as possible.

I realize that most users do not have the extensive training and skills that I do. So I recommend most Windows users use Microsoft’s built-in Windows Defender AV – it is surprisingly good. AND doesn’t jack up as many systems as do nearly all paid solutions.

Microsoft is now REALLY stepping up the game in system protection.

The HowToGeek has a superb article on this. Check it out.

Facebook Scraping SMS and Call logs

In case you haven’t heard or don’t know about this: Facebook scraped (grabbed/uploaded and stored!) call and text message data for years from Android phones! [Read about it here – https://goo.gl/acrfJW]

[Many are saying that this didn’t/couldn’t happen on iPhones, but I believe that as much as I believe Facebook when they say “.. that the company keeps the data secure and does not sell it to third parties”.]

For years now, I have never used Facebook Messenger on any phones, ever; I tested the app security a couple of times, and during install it requested access to all kinds of stuff including SMS and phone logs, contact information, access to phone storage, etc. (I have a security extension (X Privacy – requires root) that lets you see EVERY process an application requests access to.) I saw the permissions the application asked for and knew it would be bad. Looks like I was right.

To access messenger messages I use a computer Browser or a web session on my phone set to use the ‘desktop agent’. I’ll explain that at the bottom of this post.

So what to do now if you’re one of those who have been snared:

On phone app:

How to manage contact uploading with the Facebook App.

Facebook will upload your contacts from your device if you have continuous uploading turned on. To turn off continuous uploading in the Facebook app:

  1. Tap clip_image001.
  2. Tap App Settings.
  3. Tap Continuous Contacts Upload to turn this setting on or off.

You can also tap Sync Your Call and Text History to turn this setting on or off. Syncing your call and text history makes it easier to connect you to your friends.

How do I delete contacts I uploaded to Facebook?

To delete contacts you’ve uploaded to Facebook:

  1. Go to the Manage Invites and Imported Contacts page.
  2. Tap the box next to the contacts you want to delete.
  3. Tap Delete Selected.

You can view or remove your uploaded contacts on the Manage Invites and Imported Contacts page.

Now if you wish to view messages on your phone without the FB messenger you can login to your Facebook account with a browser (for that I use Opera) and set the ‘user agent’ option to desktop – this will tell the FB servers that you are connecting from a computer and not a phone. [Just make sure the address you type in the address bar is https://facebook.com and NOT m.facebook.com – the ‘m’ sets it to mobile.]

Open Opera Mobile Browser:

Tap on Opera Menu and you’ll see Settings option, tap Settings


In the settings scroll down to the Content section and you’ll find the Default user Agent setting.


Tap that and you can set the agent to Desktop


Now when you open that Browser and go to a website you’ll see the ‘desktop’ version and not the mobile version. Like I said, I use this for Facebook to check/send messages and also see differences in how FB presents things on my timeline based on the agent.

Meltdown And Spectre info

I’m sure many have heard of the recent MASSIVE security holes found in computer processors.

The threat is real so you should take notice. Here is a good description from Stu Sjouwerman of what it is and what to do:

“Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.”

So, What Can We Do About This?

You need to update and patch all machines on your network. This could take some time; some of the patches are not even available yet.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.

Here is a good site with an FAQ and videos about this SNAFU, that you can refer people to if they want to know more. For instance, antivirus does not protect against this vulnerability.

Another LastPass vulnerability

Because I have so very many usernames and passwords, I must use some sort of password database manager.
For some time now I have been using KeePass – an open source password manager.
Though using it ‘can’ be slightly more onerous than a completely ‘online’ password manager like LastPass, 1Password, Dashlane or the like, it provides for WAY more security by enabling you to ‘own’ the database AND a seed file. And being an IT security guy, there is no way I’d put my passwords in the cloud.

KeePass is technically an offline password manager, but its database can be synced between computers with a service like Dropbox, Google Drive or the like. Of course, at that point, you’re putting your passwords back in the cloud. BUT if you have created a KeyFile, don’t place it in the cloud, and use something that is not obvious, you eliminate the ability for someone to just steal your password database and start brute forcing it.
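To make the key file point concrete, here is an added example (not KeePass code and not from the original post) that models a composite master key as SHA-256 over the hashed password plus the hashed key file, which is an assumption based on how KeePass 2.x describes its composite key. PBKDF2 and the HMAC "verifier" are stand-ins for the real key transformation and database decryption check, and the salt, key file bytes and word list are constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, Optional

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
KEYFILE = bytes(range(64))  # constructed stand-in for a key file kept off the cloud
WORDLIST = ["password", "letmein", "Summer2018!"]  # constructed guess list


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated 32-byte components (password, then key file)."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def master_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    # PBKDF2 is a stand-in here for the database's real key-transformation step.
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, 10_000)


def verifier(key: bytes) -> bytes:
    # Stand-in for "does the database decrypt correctly with this key?"
    return hmac.new(key, b"toy-database-header", hashlib.sha256).digest()


def offline_guess(target: bytes, salt: bytes, words: Iterable[str],
                  keyfile: Optional[bytes] = None) -> Optional[str]:
    """Return the first word whose derived key matches the stored verifier, else None."""
    for word in words:
        if hmac.compare_digest(verifier(master_key(word, keyfile, salt)), target):
            return word
    return None


def demo() -> dict:
    pw = "Summer2018!"  # weak master password that appears in the guess list
    db_password_only = verifier(master_key(pw, None, SALT))
    db_with_keyfile = verifier(master_key(pw, KEYFILE, SALT))
    return {
        "password_only": offline_guess(db_password_only, SALT, WORDLIST),
        "keyfile_db_without_keyfile": offline_guess(db_with_keyfile, SALT, WORDLIST),
        "keyfile_db_with_keyfile": offline_guess(db_with_keyfile, SALT, WORDLIST, KEYFILE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A weak master password is still recoverable by anyone who obtains both the database and the key file, and losing the key file locks you out, so keep an offline backup of it.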

Okay so now some more bad news. LastPass, probably the most widely used online password keeper, is once again in the news for some VERY serious security flaws.

You might want to rethink your password manager solutions or go back to pen and paper.

Let’s get backing up this New Year!

So another year is gone and a new one is upon us.
Many of us have received or purchased new computer systems for personal use, work or school or will be soon.
Nowadays many of us have a great deal of our lives – pictures of family, personal and legal documents and more stored digitally on our computers. And many do not have any backups of said systems.

I continually preach the benefits of using system images for backing up your computers. With imaging you can restore entire systems in case of hard disk failure, restore individual files and folders, upgrade/migrate to newer larger and faster HDDs (usually SSDs) and even move to completely new systems.

One of the first things everyone should know is that your digital system(s) WILL fail. And can at any time. And if you have no recoverable backup your data will be gone forever. Please don’t let this happen to you.
One thing I do – because I am such a stickler on having my own stuff backed up – is have TWO full backups on SEPARATE disk drives. This allows me to keep the two separate full images in two different locations. And should one backup drive fail, I have another to go to. The likelihood that both would fail (along with my primary system) is remote and if I had that triple whammy I’d have to assume God needed me to lose it all.

External Hard Disk Drives can be had very inexpensively. For example here is a good deal on one from Amazon. And the cost of imaging software is under $100.00 US (often way less too). A VERY small price to pay for peace of mind and the security of knowing you’ll be able to recover your important files, pictures and entire system.

Here is a previous article I’ve written. All points valid still.

Here are the tools I regularly use:

Acronis – Acronis works on Mac and PC. I prefer the 1-time purchase option because I like to OWN my stuff and not ‘rent’ it. Check that out here. They have loads of tutorials in their knowledge base.

For Mac only there is Carbon Copy Cloner (CCC), my favorite. Or another good alternative, SuperDuper.

Of course on Macs, you can use Apple’s built-in Disk Utility to create an image but it is more onerous. And you can’t really make incremental backups. You can of course create an image and use TimeMachine backups to make up the difference, I guess.

As a free alternative for Windows 8.1 and 10 there is the built-in backup utility which includes an imaging option. However, I’ve had issues restoring images to differing hardware. Here is a very good article on how to do that.

Another very good option for PC is Macrium Reflect. They even have a free version (here) that works very well. I’ve used the latest version successfully a few times.

One more way I use to augment my backups is with the "Cloud".
Cloud storage sounds very nebulous, but is really just utilizing large storage pools made available by numerous internet service providers to augment their offerings and services.
Cloud storage is GREAT for storing a large amount of ‘nonproprietary’ information; things like most pictures, many documents and files, etc. I just make sure to not put up to the cloud any critical/personal/financial documents or other highly private information.
I pay a little extra to Google to have loads of extra Google drive space that I upload many pics and files to. [And of course Google provides for free unlimited photo storage with some gotchas having to do with photo size and quality.]
I have Microsoft’s One Drive that came with my purchases of Microsoft Office and some Windows 10 devices; but that storage size has been cut down recently.
With my Amazon Prime account I also have unlimited picture storage too. 
And I also even have Dropbox.

So for plain mundane data storage you can see I use many of the available options in the cloud. But the ‘cloud’ does NOT enable you to recover your entire system should the drive or other major component fail. Or worse – burn up in a fire or get damaged by some other catastrophe.
So no matter what I store in the cloud I ALWAYS have copies on my own personal systems somewhere.

I may be more than a little "tight" about keeping data. But decades of dealing with data losses in the corporate and personal world have made me so.

I hope that some of you take some time in this New Year to do some digital safeguarding. Like a fire extinguisher, you need to have it on hand and ready before you have the fire.

SERIOUS OpenID and OAuth 2.0 flaw revealed


Okay folks ANOTHER security issue you should be aware of.
A bug has been found in OpenID and OAuth 2.0, two authentication programs that let you log into web sites using your Google, Facebook, and other major accounts. Read here and here too

OAuth—and its alternative OpenID—let you log into sites or apps using your Google, Twitter, Facebook, or other credentials, without having to create yet another account or give the app more permission than necessary. OAuth and OpenID, in essence, authenticate you with the site or tell the site you are who you say you are and let you log in without having to enter a username and password.

For example, when logging into LinkedIn you are asked if you’d like to use your Google or Facebook account credentials. Then you enter said credentials (FB or Google) and you can then get on because they then ‘authenticate/use’ your other credentials. You see this all the time on news sites and blogs – if you’d like to comment or post you’re asked for some sort of ‘authentication’, usually Google, Yahoo, Hotmail or Facebook, etc.

THAT’S why I live by the mantra – use different credentials (username AND passwords) for EVERY site you login to!! AND NEVER ‘LINK’ ANY ACCOUNTS!
Though this may seem difficult given the amount of our lives that are now ‘online’, it is not that hard if you use an app/service like LastPass or KeePass. I NEVER use any ‘other’ account to login to any services – ever. Every account gets its own credentials. That way if one is compromised no other one will be.

Please be safe out there folks!

OS X Mavericks Update and Security Fixes


I recently wrote about the major security hole in the latest version of OS X – read my last post. It appears Apple has released the fix finally. Although the ‘fix’ comes not in a simple ‘patch’ but in an entire Operating System upgrade!

After several months of testing, Apple has released OS X version 10.9.2. The MAJOR (and very dangerous) SSL bug isn’t mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple’s security page for the update. Seems Apple is being their usual shitty selves when it comes to security – hide or lie about it, sort of hiding the fact that this is so important.

To be a ‘little’ fair, this update does add some features but over all is really a bug fix of many major issues with the new Operating System. In Windows terms it would be called a full Service Pack.

As with any large Operating System upgrade/update you should of course back up your system – Use Time Machine or any other method I’ve described in previous posts.

Run the Software Update to update your system to 10.9.2 and if any other software shows updates available, select them too. If you’d like you can grab the full Combo update here.

If you have Mountain Lion it too has an update available – run Software Update to get it.

Please make sure if you run an Apple desktop or laptop computer that you update as soon as possible.

Be safe, Peace.

Serious OS-X and iOS Security Vulnerability Completely Opens Up ALL Your Secure Communications


It had been known for MONTHS that there was a serious security flaw in iOS and possibly the latest version of OS X that could allow attackers to surreptitiously circumvent the most prevalent Internet security protocol – TLS/SSL – and Security Certificate validations. The issue is a “fundamental bug in Apple’s SSL implementation.” This can allow attackers to view ANY of your ‘secure’ Web communications. This includes e-mail, banking sites, Facebook, etc.

Apple finally released an ‘emergency patch’ to the latest version of iOS last week, but it appears that the flaw affects more than just Apple’s mobile platforms. It actually affects the latest versions of OS X – Apple’s latest desktop Operating System too!!

If you have an iDevice I’d recommend backing it up, via iTunes or any of the other methods I’ve previously recommended. Then check for any System Updates. Tap Settings > General > Software Update. Then tap Download and Install to download the update. [Updates might download automatically while your device is connected to Wi-Fi and a power source.]

As for your Desktop computer, well, there lies the rub. Apple appears to have at first done the usual – deny, then downplay, then finally admit there is a serious problem and ‘promise a quick fix/patch’. [It’s really crazy that they are able to get away with this so often; I guess those reporting are too busy licking Apple sack….but I digress]

So what to do..

If you use the Desktop Apple Operating System – OS X – you should always use the latest versions of Chrome or Firefox for internet browsing to help mitigate some of the possible exposure. [I NEVER use Safari and always recommend to all my clients that they don’t either]. Even if you’ve taken the latest update on your iDevice I’d still recommend Chrome for iOS.

Here is one of the latest articles I’ve found with a VERY good explanation. You should at least read this! But I’d recommend hitting all my sources.

Be safe folks!

Sources to read 1, 2, 3

Zero Day Adobe and Microsoft Exploits

Adobe has released (for the second time this month) an emergency update for its widely used Flash Player to fix a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers.

Attackers are already exploiting it!

Please apply this patch and stay secure.
If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is v. 33.0.1750.117 for Windows, Mac, and Linux. To learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop down menu (the option to apply any pending updates should appear here as well).

The most recent versions of Flash are available from the Adobe download center here, but beware potentially unwanted add-ons (like McAfee Security Scan, Chrome browser, etc.). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

AND..

Microsoft has released a stop-gap fix for a previously unknown zero-day vulnerability in Internet Explorer versions 9 and 10 to combat a separate zero-day campaign. If possible, update to version 11 of IE, since it contains exploit mitigations not available in earlier releases (many users cannot, because of other ‘line of business software’ that requires versions 9 or 10). Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.

Microsoft site explanation is here

Actual ‘Fix-It’ tool is here

If you run it, make sure you ‘right-click’ on the file after it’s downloaded and ‘Run As Administrator’.

Be safe folks, Peace.

BlackPOS breach

So here is a story about the recent MASSIVE thefts at Target, Neiman Marcus and other retailers.

What is by far the scariest is this line:
“…said it was possible for Target and Neiman Marcus to be hacked after the software tried several easy passwords to remotely hack the stores’ registers, and added that the malware, called BlackPOS..”

We are finding out the breach occurred because of poor Security practices! Easily guessed or worse, standard passwords at the gates!

This is totally unacceptable and, in my opinion, everyone involved from the top to bottom of these IT chains should be fired and also be part of any litigation directed at the companies.

You know you hear it from me and just about everyone else: use complex Usernames and especially passwords. NEVER use a default username or password. Never use the same password for different accounts.

So I’ll say this again to everyone. Please change your passwords to something complex (that includes Upper and lower case letters, numbers AND symbols) and do NOT use that same password for different accounts.

Well that is all. Peace out.