Security alert for Apple device users

There is a news report I have been monitoring for a couple of days: a group of hackers claims to have access to millions of Apple ID accounts. They are threatening to remotely erase hundreds of millions of Apple devices on April 7th if Apple doesn’t pay them a ransom. Apple emphatically denies that they have been hacked, but theoretically (if highly unlikely) the group could have obtained the account credentials through some other service’s security breach. IT security experts are almost universally skeptical about the group’s claims. Still, it wouldn’t be a bad idea to take some precautions before April 7th. This Malwarebytes article offers some excellent step-by-step advice: Hackers threaten to wipe Apple devices.

A few other articles:

Motherboard: Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom

MacRumors: Apple Responds to Hack Threats, Says There Were No iCloud or Apple ID Breaches

Business Insider: People are talking about hackers ‘ransoming’ Apple — here’s what’s actually going on

Tom’s Guide: No One’s Hacking Apple Accounts — But Protect Yours Anyway

Fortune: Apple Responds to Hacker’s Threat to Wipe Hundreds of Millions of iPhones

Enable Click-to-Play in Adobe Flash (Do It Now!)

Criminals often exploit vulnerabilities in Adobe Flash to deliver malware to computers. Adobe updates Flash regularly to plug newly discovered security holes, but it can be difficult for end users to keep up with them all. Recently, for example, Adobe released an emergency patch to fix a security hole that enabled criminals to deliver ransomware, even though Flash had just been updated the previous week.

A great way for users to protect themselves is to enable click-to-play in their web browsers. When click-to-play is enabled, Flash content doesn’t play automatically–it only plays when the user gives it permission to run. In this article, the always excellent Graham Cluley (@gcluley) explains how to enable click-to-play in Chrome, Firefox, Internet Explorer, Opera, and Safari.

If you can live without Flash, I recommend uninstalling it altogether. If you need Flash, make sure that you keep it up-to-date and that click-to-play is enabled. Enabling click-to-play is not a substitute for keeping Flash updated, but it does give the user an extra layer of protection.

Heartbleed Bug Info

Many of you have heard the news about the recently discovered “Heartbleed” bug that affects certain versions of OpenSSL, the software that many websites use to encrypt your communications with their servers. We have all thought that we were secure if the webpage had a lock icon by the web address and the address began with https, but Heartbleed makes it possible to obtain content (like user names, passwords, and credit card numbers) from many websites that appear to be secure. Even scarier, the vulnerability makes it possible for an attacker to steal information from websites without leaving a trace.

I have been asked if we should change all of our passwords in response to this news. The short answer is “yes,” but the longer answer is more complicated:

  1. The bug only affects certain versions of OpenSSL. Websites using older or newer versions of OpenSSL are not vulnerable. Websites that are secured by other means than OpenSSL are not vulnerable.
  2. Here is a link to test results of a Heartbleed vulnerability scan; the list shows whether or not many websites were vulnerable as of April 8th. If you have logged into one of the vulnerable sites in the last couple of months, I would go ahead and change my password.
  3. The test results only show whether or not those websites were vulnerable at the moment the scan was performed. A website may be listed as not vulnerable, but it could have been upgraded to a newer version of OpenSSL just five minutes before the scan was performed. Such a website may have been vulnerable for several weeks before the scan.
  4. There is no evidence at this time that anyone has exploited this vulnerability for nefarious purposes, but we really don’t know. Lindsey Bever writes for the Washington Post, “It’s as if someone went on vacation not knowing the lock on the front door was broken. Could someone walk in? Yes. Will they? Did they? Who knows.”

So again, I would recommend changing your passwords. But please note that if you change your password on a website that is still vulnerable, that new password is still compromised. Under no circumstances would I give any new information to, or do business with, a vulnerable website. You can use this link to test whether or not any particular website currently is vulnerable, but keep in mind that just because a website is not vulnerable now does not necessarily mean that it was not vulnerable last week. I also would suggest that you keep an eye on your credit card statements and your credit report, which I am sure you do anyway.

If you would like more information, lots of Heartbleed information is available online. I would especially recommend the following:

Lifehacker: What the “Heartbleed” Security Bug Means For You

Gizmodo: Heartbleed: Why the Internet’s Gaping Security Hole Is So Scary

Heartbleed.com

TechCrunch: What Is Heartbleed? The Video (Khan Academy-style video)

Washington Post: Heartbleed: What You Should Know

 

UPDATE 1: CNet has compiled a helpful chart of the web’s top 100 sites. The chart shows the results of each site’s Qualys SSL Server Test and whether or not the site was ever vulnerable.

CNet: Which sites have patched the Heartbleed bug

UPDATE 2: Mashable has created a great chart that shows even more websites and how they were affected. The chart also recommends whether or not a password change is needed for each site.

The Heartbleed Hit List: The Passwords You Need to Change Right Now

UPDATE 3: Graham Cluley offers some excellent Heartbleed advice in this article. He points out that phishing attempts disguised as password reset requests will be on the rise in the wake of Heartbleed. Don’t fall for it!

Backup Your Data!

Food for thought…

This morning a teacher at one of my schools turned on her computer and heard the dreaded “click click click” sound from her hard drive—it was dead. I swapped out her hard drive and got her up and running, but everything on the hard drive was lost. Fortunately, she had the wisdom to have been backing up her data and she did not lose anything. Most hard drives have moving parts and failures will happen. If that had been your hard drive that died this morning, would you have lost anything?

Beware Malware! Part 3: How Does a Computer Get Malware?

This is the third part of the Beware Malware! series. This series will explore the various types of malware and how you as a computer user can avoid them. In the previous post we learned what malware is. In this post, I will try to answer the question “How does a computer get malware?” Volumes could be written about all the types of malware and how they are spread. Common ways that computers become infected with malware include bundled software installations, peer-to-peer networking, drive-by downloads, email attachments, external devices, SEO poisoning, and social networking links.

Bundled software: Developers of free software often sell the rights to bundle other software with theirs; the free software itself may be useful and clean, but the end user may be in for a surprise if he accepts all of the default settings during installation. Bundled software typically will install things like registry cleaners¹ and “optimizers,” toolbars, and security scanners. Bundled software usually can be unchecked during the installation process.

Peer-to-peer networking: Software designed to link computers to peer-to-peer (P2P) networks can open up computers to malware. In a PCWorld article written in June 2013, Lucian Constantin noted that the number of malware samples that use P2P communications had increased fivefold in the previous 12 months. It also should be noted that many of the files that are exchanged through P2P (usually illegally) are infected with malware, and often the P2P software itself is bundled with malware.

Drive-by downloads: Occasionally when browsing the web, a message will pop up informing the user that his computer is infected with viruses and offering to remove them for free. Accepting the offer will install software that often will render a computer unusable and the software will demand payment. Some drive-by downloads even can execute without any user interaction. Drive-by downloads usually work in three ways:

  1. They exploit vulnerabilities in the user’s web browser and/or plug-ins.
  2. They are served through websites. Some of these sites are set up by criminals, while others are legitimate websites that have been compromised. A site may serve malware for a long time without the site’s administrator even knowing about it.
  3. They are served through advertising networks. Website administrators rarely place ads directly on their sites; the space is sold to an advertising network that places the ads. No reputable ad network knowingly sells ad space to cyber criminals, but sometimes things slip through the cracks.

Email attachments: Have you ever received a random email that purportedly was from UPS or FedEx? The email probably had an attachment supposedly containing information about a package, and if you open that attachment you will be in for a nasty surprise. Email attachments always should be treated with suspicion.

External devices: Devices like USB hard drives and flash drives can be infected with malware. Computers with auto-play enabled can be infected when these devices are plugged in.

SEO poisoning: There are methods that web site administrators can use to make their sites appear higher in search engine results. These methods are known as search engine optimization (SEO). Cyber criminals use SEO to make their malware links appear high on a list of search results. This is known as SEO poisoning. These malware links appear in search results for things like free iPads, free mp3s, free screensavers, and news stories about current events. Malware links increasingly are showing up in image search results.

Social networking links: Direct links to malware are not limited to search engines. Malware links also can be found through social media. Earlier today as I wrote this post, McAfee’s security blog published an article that demonstrates how one particular Facebook link leads to malware: Search for Lost Malaysian Airliner Can lead to Malware.

There are many ways to get malware and their effects can be devastating. In the next post we will examine clues that your computer is infected with malware.

¹ Registry cleaners and optimizers usually are worthless at best, and they often are harmful. Safe exceptions might include CCleaner and Glary Utilities, but these still should be used with caution.

Beware Malware! Part 2: What Is Malware?

This is the second part of the Beware Malware! series. This series will explore the various types of malware and how you as a computer user can avoid it. In this post, I will try to answer the question “What Is Malware?”

People often think of malware as a virus, but viruses are only one type of malware. The term malware is short for malicious software, and includes (but is not limited to) viruses, trojan horses, spyware, ransomware, keyloggers, and rogue security software. Malware first began to appear in the 1980s. Early forms of malware generally were innocuous–malware creators wrote small snippets of code designed to play practical jokes on other computer users–but soon people began to see malware’s potential for more nefarious purposes. Some types of malware are created for the sole purpose of destroying data, but usually the malware creator has a larger purpose in mind, such as financial gain or making a political statement.

The kinds of damage done by the various forms of malware vary greatly. Some forms of malware erase data or destroy a computer’s master boot record. Other forms of malware capture information like mouse clicks and keystrokes and send that data to a remote location. These forms of malware can be very effective at stealing user names and passwords. Many forms of malware are resource hogs, using enormous amounts of the computer’s memory and processor and leaving few resources for the computer’s legitimate functions. Still other forms of malware hijack the computer’s operating system or web browser, making them unusable.

When cleaning malware from computers, the users often tell me that they have no idea how their computers became infected. How do computers get malware? That is the question we will answer in the next post.

Beware Malware! Part 1: Introduction

I am working at my computer and I hear the sound that signals a new email in my inbox. The email is from a teacher who needs help with her computer; her computer has acted strangely for the past couple of days and she can’t figure out what is wrong. She keeps getting popup messages telling her that her computer has thousands of viruses. Her web browser keeps taking her to a site she has never seen before. Many web sites just do not work as they should. I leave my office to go check her computer, but I already know what the problem is: her computer is infested with malware.

In my work as a public school technology specialist, I have found that a significant portion of the computer problems I deal with are caused by malware. Malware can be disruptive to one’s productivity, and even can make a computer completely unusable. Malware often is very difficult for the average computer user to remove. Malware doesn’t have to be as big of a problem as it is, however. Careful web browsing habits and good security software can eliminate malware entirely.

Today I begin a series of posts about malware. I am planning six parts for this series:

Part 1: Introduction
Part 2: What Is Malware?
Part 3: How Does a Computer Get Malware?
Part 4: Clues That Your Computer Has Malware
Part 5: How to Get Rid of Malware
Part 6: How to Avoid Malware

I invite you to follow this series and to learn how to protect your computer from malware. I am sure that some of you will have some great suggestions that I have not thought of–if so, I welcome your comments.

Still Running XP? You Had Better Make Some Plans.

Windows XP has been Microsoft’s most popular version of Windows. XP was quickly adopted both by consumers and the corporate world soon after its release twelve years ago, and it has remained the standard even after newer releases of Windows. After April 8, 2014, however, Microsoft will send Windows XP off into the sunset; support will be discontinued after that date. Microsoft no longer will offer technical support for Windows XP; PC users who continue to run XP will be on their own when they have trouble with their operating system (OS). More important, Microsoft no longer will issue security updates for Windows XP. All of those XP security updates that downloaded and installed on the second Tuesday of every month will be a thing of the past, and security holes will go unpatched. XP soon will become vulnerable to all sorts of attacks. PC users who currently are running XP will need to take action before Microsoft’s support ends.

What kind of action should be taken depends on how powerful the PC is. The system requirements for Windows 7 are:

    • 1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
    • 1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)
    • 16 GB available hard disk space (32-bit) or 20 GB (64-bit)
    • DirectX 9 graphics device with WDDM 1.0 or higher driver

These requirements are not very high; most computers newer than five years or so should be fine. I even have installed Windows 7 successfully on an old Dell laptop with 512 MB of RAM. It ran very slowly, but it ran. The system requirements for Windows 8 are very similar. If your computer meets these requirements you have three basic options: (1) install Windows 7, (2) install Windows 8, or (3) install a Linux operating system.

As its name would suggest, Windows 8 is the newer version of Windows. Its performance is great and there are some desirable new features, but the user experience is much different than previous versions of Windows. Some people have adjusted to Windows 8 without any problems, but for others the difference has proven to be too extreme. Either version of Windows may be purchased from retailers like Amazon and Newegg.

One thing to consider before installing Windows 7 or 8: Windows XP cannot be upgraded directly to Windows 7 or 8, and a clean install will be required. All of the settings, printers, etc. will need to be reconfigured. Also, you will need the software to reinstall any programs like Microsoft Office.

Another option would be to install a Linux operating system. Linux is available for free download and installation, and it usually includes an Office suite. (If it isn’t included, LibreOffice can be installed for free.) There are many quality varieties of Linux, but Zorin OS and Linux Mint look and feel very much like Windows. The advantages to Linux are that it is free and its performance usually is fantastic. The disadvantages to Linux are that while some varieties have a Windows feel, they are not Windows, and users who are used to Windows might have difficulty figuring out how to do certain things in Linux. Also, the architecture of a Linux OS is completely different from Windows, and Linux won’t run Windows software without a little bit of know-how.

If your computer is old and does not meet the minimum requirements for Windows 7 or 8, your options are more limited: install Linux or disconnect the PC. There are versions of Linux, like Peppermint OS and Lubuntu, that run well on older hardware. I have read that Linux Mint also will run on some older systems. If you use your computer exclusively for offline activities like games and word processing, you could completely disconnect your PC from the Internet and continue to use Windows XP, but I would not recommend this course. All it would take is one infected USB drive to bring your system down and wipe out all of your files.

Generally speaking, those are your options. The one option not available to you is the status quo; that would be asking for disaster.