It’s been pointed out that we haven’t updated this topic for awhile. In case you have been wondering, some interesting changes, and some interesting consistency, here:

https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware

For this key source of malware – Socially Engineered Malware, Internet Explorer remains at the very top, as it has been for some time, Chrome is a pretty good third place, and Firefox and Safari are, as they have been for several years, at the very bottom. Our recommendations for browser use are unchanged: use the most secure browser available on your platform, keep your operating system up to date, and use Norton Internet Security.

(Note: at this point we do not have enough information about the two new Chinese browsers to make a recommendation regarding them one way or another)

There has been a great deal of press about this vulnerability in recent days, and it’s difficult to determine exactly what an individual’s exposure is, reading through the coverage. Think of the Year 2000 issues but imagine if everyone had just realized the issue on December 31, 1999. On a smaller scale, that’s pretty close to the chaos that’s ensued since this was identified.

Generally, there is little a user of the internet can do directly to protect him/herself from this, since this exposure happens on a service provider’s serverand not on the user’s computer. Further, while many security vulnerabilities give the bad guys access to stored information (credit card numbers, passwords, account numbers, etc.), this one gives unauthorized access only to a snapshot of what happens to be in a server’s memory at a point in time. A subtle difference, but an important one when considering the exposure.

Our best advice: if you’re worried about a given password – either because it’s for a service that was affected, or because you use it in multiple places, or “just because”, then change it. Change it to a “good” password. One that is 8 or more characters long, and uses three of these four groups: upper case letters, lower case letters, numbers, special characters. Don’t use your name, or your dog’s name, or your birthday (or your dog’s birthday) in the password. If you use a word or number in the password, make sure it’s not one that can easily be tied back to you. For example, DAF!090657 technically would be a “strong” password, but it could be cracked, if I used it, in a fraction of a second by password cracking software. Passwords that are a random jumble of letters, numbers and special characters are best, but are hard to manage unless one uses a password manager like Roboform or LastPass.

Keep in mind that if a provider of service for you has identified but not yet patched this exposure, you’ll have to change the password again after the service is patched. If you use the same password (as you should not) for multiple online services, then you put yourself at additional risk for two reasons: 1) because a password mined using a vulnerability like this could be used to access your information at multiple online services, and 2) because, if you change your passwords now but one or more smaller services you use hasn’t patched this vulnerability yet, you’ll have to change them all again. You should never use the same password at multiple sites, for just these reasons. For now, changing your password at larger, affected sites, monitoring email traffic about online services, and monitoring credit card statements, is about as much as a user can do.

Broadly speaking, Amazon.com, Apple services (me.com, icloud.com), eBay, Evernote, LinkedIn, Microsoft services (msn.com, hotmail.com, outlook.com), PayPal, Twitter were not affected by this.

Broadly speaking, Amazon Web Services, Dropbox, Facebook, Twitter, Google/Gmail, and Yahoo were affected, and have patched their systems to eliminate the exposure. It would be a good idea to change your passwords at these services.

You’ll notice I mentioned Twitter in each group, above. See how hard it is to tell?

If you have a service provider that is not one of the big ones (a regional bank, or smaller provider of some service), you should contact that provider to determine its status.

From a service provider perspective, the services that are at the heart of what Interconnected Technologies uses and recommends for our clients were not and are not vulnerable to this issue. Zendesk (our helpdesk service), Freshbooks (our time tracking and billing service), PayPal and Stripe (our credit card processing service), Wells Fargo (our banking service) Rackspace (Exchange service), Jungledisk (backup service), Egnyte (file services) and all services from Microsoft were not affected by this issue.

Only one service widely used by some Interconnected Technologies clients, Google Apps, was vulnerable to this, since it’s based on Gmail. Google patched the vulnerability immediately, and so the cautious approach would be to change any Google / Gmail / Google Apps passwords now. Contact us if you have questions about this or need help doing this.

These are some reference sites for this issue. A quick look will show that things are still in a state of flux as of this writing:

• https://lastpass.com/heartbleed/
• https://filippo.io/Heartbleed/
• http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

This is a very fluid and murky situation in which we find ourselves. The outline above is a good general guide, but as always we stand ready to provide our clients with tailored advice and solutions for their unique situations and needs.

We’ve posted this before – on April 8, 2014 support for Windows XP ends:

http://www.interconnected.com/interconnectnow/2013/12/14/hackerrsquos-playground.html

Here’s some more information which, if it comes to pass, could cause additional ripples. Stay tuned folks – should be interesting.

http://www.networkworld.com/community/blog/why-april-9th-might-be-its-worst-day-2014?t51hb 

And, of course, if you are an Interconnected Technologies client and have Windows XP machines, or have concerns about this event – ask us. If you’re a Managed Services client, we’re keeping on top of your computers. If not, we might want to talk about this in the first quarter!

Interconnected Technologies provides many of its clients remote access to their computers using the same secure service we use to provide remote support: LogMeIn.

Giving a client user access to his or her computer involves the creation and acceptance of an invitation. The invitation is sent to the user’s email address, which serves as that user’s LogMeIn userid:

Clicking on link under “To accept the invitation . . .” will take the new user to this screen, on which the user enters his/her name and chooses a password which only he or she will know:

Choosing a password that the system rates as “Strong” is essential, since this is, after all, providing access to one or more computers from “outside”. Strong passwords are those that are at least 6 characters long and contain upper and lower case letters, numbers and at least one special character, such as a hyphen or comma.

Once the user fills in the required information and presses the Create Account button, he/she will see the screen displaying the computer(s) to which the user account has been given access.

Subsequent access can be accomplished by visiting http://www.logmein.com, entering the email address and password. The same screen mentioned above will be displayed, allowing the user to access the computers to which the logged-iin account has access.

For more information on the next steps in this process, see:

http://www.interconnected.com/interconnectnow/2012/3/30/logmein-security.html.

And, as always, call us if you need additional assistance!

This should be an interesting year for personal computing. The Intel Ultrabook concept will come into its own, Apple will make the Pro and the Air and the iPad  is even better, Android tablets will finally come into their own with Ice Cream Sandwich . . . and the thing that could change the whole game: Windows 8. I’ve been using it for a couple of months and I have to say now that I’ve adjusted my thinking to it (yes, that had to happen) I have a hard time going back to Windows 7 or to Android, or to anything else. Why?

1. All the little things, yes. Touch screen handling is silky smooth edge to edge. Performance is snappy everywhere (even compared to Windows 7, and remember: this is a BETA I’m using). The preview apps for photos, news, finance, weather and more are beautiful, functional and informative. The cross-everything search function is nice. Internet Explorer 10 is amazing: it’s beautiful and snappy and all that, and there are lots of little things like underscored spell check in web forms (good by again, Firefox), swiping for forward and back (just like Tony Stark, but not in 3D), and on and on. And I've just scratched the surface.
2. The big thing: it’s still Windows, and it runs desktops, laptops and tablets.
3. Reflect on #2 for a moment. Windows 8 is still Windows. All my stuff that works on Windows 7 also works on Windows 8 (mostly – it’s still a Beta). That’s most of most people’s stuff, even now.
4. OK, it’s still Windows and runs my stuff; so what? What: it’s got a split personality: Metro and Aero. Aero is what Windows 7 looks like. Metro looks like the picture above. Now, there are lots of very famous and popular bloggers who complain about this. Why do we need both? It’s ugly and inconsistent! But I love it! I, along with millions of other computer users, have been using computers and tablets for awhile now. The computer is where the “work” gets done, mostly, and the tablet is where the “fun” happens, mostly. Do you see it? Metro is where the tablety ‘fun’ happens: read, look at pictures, browse, look at news, use apps. Aero is where the computery ‘work’ happens: Outlook, Word, time recording, photo editing, and so on. If you run this on a convertible tablet like the ThinkPad x220t on which I’m typing this (in Live Writer, under Aero – it’s "work", after all), it’s like having two devices in one: a computer and a tablet. But it’s a tablet. And it’s a computer. And it’s all on one device. No compromises.
5. Reflect on #4 for a moment. It’s the ultimate “two devices in one” with almost no compromises (other than having to get used to it).

I read an article recently (can't recall where, so can't attribute) that mentioned the concept of people having a laptop, getting a tablet to replace it, trying that for awhile, and ending up carrying around both devices because the tablet just couldn't cut it.

See?

That’s all for now. This thing’s going to be big!