Tag Archive: Computer Repair Abbotsford


The Heartbleed bug: Am I at risk and do I really have to change my password?

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data — everything from passwords and login details to credit card numbers and addresses.

Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion there’s also been reports of hackers sending out phishing emails related to Heartbleed — in order to trick users into giving up passwords that have yet to be compromised. Be on the look out for these and don’t follow any links in suspicious looking emails – if you want to change a password go to the site directly.

Which sites are affected?
Most Google sites and services (including Gmail and YouTube – but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties — including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here — just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe — as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?
In a word: Yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won’t hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn’t be too quick to change passwords, this is because not all website have patched their servers and changing your password before this happens could make matters worse. The sites we’ve listed above have patched their servers and if you want to check one we’ve not mentioned — click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don’t need to change their passwords. While it’s true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?
In lists of the most frequently used passwords online there’s some obvious clangers that we know you’re too smart to use (these include old standbys such as ‘123456’ and ‘password’ itself) but just because a password doesn’t look obvious to you that doesn’t make it safe.

This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets’ names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd — more complicated variations are required) or patterns derived from your keyboard layout (eg ‘1qaz2wsx’ or ‘zxcvbnm’).

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer — so try combining multiple words together and then adding in numbers between them.

You could pick a number of some significance to you (for example a loved one’s birthday, ie 12/08/1970) and then splicing this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficulty password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line “When you call my name it’s like a little prayer” and turn it into wuCmNilaLP. Madonna is optional of course, but we think this a fun method — especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.

Ryan says: I recommend everyone on any of the sites mentioned in this article to change their passwords ASAP.

Apple finally fixes App Store flaw by turning on encryption

Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user’s consent, which can create serious consequences because Apple doesn’t give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.

Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said “content is now served over HTTPS by default.” Apple also thanked Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.

Bursztein, who works at Google, in Mountain View, Calif., but emphasized this was work done at home in his spare time, published a personal blog post today that described details about the App Store vulnerability and included videos of how an attacker was able to steal passwords or install unwanted apps.

Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. “Many companies don’t realize that HTTPS is important for mobile apps,” he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: “Providing a concrete example seems a good way to attract developer attention to the issue.”

As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows’ built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.

Bursztein’s blog post comes a day after Apple’s marketing chief, Phil Schiller, took a security-related swipe at Google on Twitter by pointing to a report on the rise of Android malware.

 

Source: CNET

Sophisticated botnet steals more than $47M by infecting PCs and phones

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks’ use of two-factor authentication for transactions by intercepting messages sent by the bank to victims’ mobile phones.

The malware and botnet system, dubbed “Eurograbber” by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims’ bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday.

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim’s browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a “security upgrade” from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber’s attack.

With the phone number and platform information, the attacker sends a text message to the victim’s phone with a link to a site that downloads what it says is “encryption software” for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim’s balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Checkpoint and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web “driveby download” exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.

Source: Arstechnica

Google engineer finds British spyware on PCs and smartphones

Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world.

Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets.

The spying software has the capability to monitor and report back on calls and GPS positions from mobile phones, as well as recording Skype sessions on a PC, logging keystrokes, and controlling any cameras and microphones that are installed.

They report the code appears to be FinSpy, a commercial spyware sold to countries for police criminal investigations. FinSpy was developed by the German conglomerate Gamma Group and sold via the UK subsidiary Gamma International. In a statement to Bloomberg, managing director Martin Muench denied the company had any involvement.

“As you know we don’t normally discuss our clients but given this unique situation it’s only fair to say that Gamma has never sold their products to Bahrain,” he said. “It is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere.”

Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon’s EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.

Gamma and FinSpy gained notoriety last year when documents apparently from the company were found in the Egyptian security service headquarters when it was ransacked by protestors after the fall of Hosni Mubarak. These appear to be a proposal that the Egyptian government buy a five-month license for the software for €287,000. Again Gamma denied involvement.

But Marquis-Boire and Marczak told The New York Times that they appear to have found a link to Gamma in these latest code samples. The malware for Symbian phones uses a code certificate issued to Cyan Engineering, whose website is registered to one Johnny Geds.

The same name is listed as Gamma Group’s sales contact on the FinSpy proposal uncovered in the raid on Egypt’s security headquarters. Muench has confirmed they do employ someone of that name in sales but declined to comment further.

Commercial spyware is an increasingly lucrative racket, as El Reg has pointed out, and there’s growing evidence that Britain is one of the leading players in the market. Privacy International has formally warned the British government that it will be taking legal action on the issue and this latest research only adds weight to the issue.

Source: The Register

Latest Java software opens PCs to hackers: experts

Computer security firms are urging PC users to disable Java software in their browsers, saying the widely installed, free software from Oracle Corp opens machines to hacker attacks and there is no way to defend against them.

The warnings, which began emerging over the weekend from Rapid7, AlienVault and other cyber security firms, are likely to unnerve a PC community scrambling to fend off growing security threats from hackers, viruses and malware.

Researchers have identified code that attacks machines by exploiting a newly discovered flaw in the latest version of Java. Once in, a second piece of software called “Poison Ivy” is released that lets hackers gain control of the infected computer, said Jaime Blasco, a research manager with AlienVault Labs.

Several security firms advised users to immediately disable Java software — installed in some form on the vast majority of personal computers around the world — in their Internet browsers. Oracle says that Java sits on 97 percent of enterprise desktops.

“If exploited, the attacker will be able to perform any action the victim can perform on the victim’s machine,” said Tod Beardsley, an engineering manager with Rapid7’s Metasploit division.

Computers can get infected without their users’ knowledge simply by a visit to any website that has been compromised by hackers, said Joshua Drake, a senior research scientist with the security firm Accuvant.

Java is a computer language that enables programmers to write one set of code to run on virtually any type of machine. It is widely used on the Internet so that Web developers can make their sites accessible from multiple browsers running on Microsoft Windows PCs or Macs from Apple Inc.

An Oracle spokeswoman said she could not immediately comment on the matter.

Security experts recommended that users not enable Java for universal use on their browsers. Instead, they said it was safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc

Rapid7 has set up a web page that tells users whether their browser has a Java plug-in installed that is vulnerable to attack: www.isjavaexploitable.com

Source: Reuters

Ryan says: I would recommend updating to the latest version of Java.  The latest version of Java Runtime Environment JRE-64-bit is here. For users with older computers, try downloading the latest version in 32-bit.

Valve: Agree to not sue us or lose access to Steam

Gamers beware: Valve Software, the firm behind immensely popular gaming portal Steam, wants you to waive your right to sue before you continue gathering games using its digital distribution platform. The company has amended its subscriber agreement to stipulate that by subscribing to its service, users agree to not file lawsuits against the company. Gaming giants Microsoft (MSFT), Sony (SNE) and Electronic Arts (EA) have similar policies in place, Kotaku notes.

“It’s clear to us that in some situations, class actions have real benefits to customers,” Valve said in a statement. “In far too many cases however, class actions don’t provide any real benefit to users and instead impose unnecessary expense and delay, and are often designed to benefit the class action lawyers who craft and litigate these claims.”

The statement continued, ”Class actions like these do not benefit us or our communities. We think this new dispute resolution process is faster and better for you and Valve while avoiding unnecessary costs, and that it will therefore benefit the community as a whole.”

Source: Yahoo!

Researchers Say They Took Down World’s Third-Largest Botnet

On Wednesday, computer security experts took down Grum, the world’s third-largest botnet, a cluster of infected computers used by cybercriminals to send spam to millions of people. Grum, computer security experts say, was responsible for roughly 18 percent of global spam, or 18 billion spam messages a day.

Computer security experts blocked the botnet’s command and control servers in the Netherlands and Panama on Tuesday. But later that day, Grum’s architects had already set up seven new command and control centers in Russia and Ukraine. FireEye, a computer security company based in Milpitas, Calif., said it worked with its counterparts in Russia and with SpamHaus, a British organization that tracks and blocks spam, to take down those command and control centers Wednesday morning.

The researchers said they were able to vanquish the botnet by tracing Grum back to its servers and alerting Internet service providers to shut those computers down.

Technologists have taken the lead in combating digital crime rather than waiting for law enforcement authorities to act. Earlier this year, Microsoft employees assisted federal marshals in a raid on botnet servers in Pennsylvania and Illinois. Those servers were used by criminals to run Zeus, a botnet that siphoned people’s personal information, like online bank account passwords and credit card numbers, from infected computers. Almost simultaneously, a separate group of cybersecurity researchers in San Francisco were busy eliminating another botnet, called Kelihos.b, which was used to send spam.

While computer security companies are quick to publicize botnet takedowns, their gains tend to be temporary. The blocking of Kelihos.b lasted less than a week before a modified version of the botnet started infecting computers. Microsoft’s takedown of Waledac, another spam botnet in 2010, lasted only as long as the time it took its creators to modify its architecture slightly and create a new botnet.

So what’s to say Grum’s creators will not just run their botnet from a new command and control center tomorrow?

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye.”They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Source: New York Times

Video: Microsoft responds to Pwn2Own IE hack

Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.

 

Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

Source: ZDNet

 

Microsoft removes ‘Start’ button from latest Windows 8 build

Do you like the Windows ‘Start’ button? Well, if you do, you’d better get used to it being gone in Windows 8 because it seems that Microsoft has removed it from the latest builds of the operating system.

Here’s a leaked screenshot from the near-final Windows 8 “Consumer Preview” version (build 8220) which comes to us via PCBeta.com:

Notice the absence of the traditional Start button? I’ve reached out to a few contacts who confirm to me that the button has indeed been removed and replaced with a hotspot in the corner that will duplicate the functionality offered by the old button.

The Start button was first introduced in Windows 95, and has been present in every version of Windows since.

Now here’s the real question … does Microsoft intend to permanently remove the Start button, or is this a trial balloon and Microsoft is looking to see what the feedback from users will be?

Source:  PCBeta

Windows 8: Dead Before Arrival?

On the cusp of an event for the Windows 8 app store, one research firm has dealt a painful blow to the forthcoming OS.

“Windows 8 will be largely irrelevant to the users of traditional PCs, and we expect effectively no upgrade activity from Windows 7 to Windows 8 in that form factor,” research firm IDC told Computerworld this week.

For its part, Microsoft  has been quite vocal about its goals for Windows 8, which primarily involve the tablet market. Microsoft, like most of the world, assumes that tablets – which are already encroaching on the desktop PC and laptop markets – will one day become the dominant player in personal computing. Personally, I do not think it will be quite that simple. Instead, I expect a wise manufacturer to combine the perfect tablet with the perfect laptop and make a computer no one can live without. It hasn’t happened yet, but we’re getting closer every day.

Still, for Microsoft to sacrifice Windows 8′s success on the PC just for the sake of tablet sales would be silly. According to Computerworld, Windows 7 has been licensed 450 million times. That’s enormous! The only way Apple (NASDAQ: AAPL) could ever top that number is if it licensed Mac OS to third-party PC manufacturers. But that will never (and should never) happen.

For new PC buyers, Windows 7 is still a fairly new OS. But Windows Vista proved to be so bad (and so draining to weak hardware) that people were eager to upgrade. Windows 7 also had the benefit of coming out at a time when laptops had finally reached a nice balance between cost, performance, and durability. Whereas in the past you could spend upwards of $1,000 for a decent Windows XP laptop, the average high-quality Windows 7 laptop retails for $700 to $900. And because Windows 7 machines tend to have at least two gigs of ram, a much larger hard drive, and a vastly superior dual-core processor, their functional value should last a little longer.

In my own personal experience, dual-core processor laptops tend to hold up better after three years of use (2008 to 2011) than laptops with a single-core processor (2005 to 2008).

Unfortunately for Microsoft, this could mean that there will be fewer consumers buying new laptops when Windows 8 arrives than there were when Windows Vista and Windows 7 were released.

However, I am not convinced that IDC’s assessment is accurate. Will the Windows 8 upgrade rate be lower than Windows 7? Probably. From a consumer standpoint, and especially a business standpoint, Windows 8 may not provide enough of a difference to justify a purchase. The layout is cool and inspired, and it may very well be an important step in the Windows evolution. But that’s true of XP, one of the better versions of the software. But did everyone upgrade to XP when it was released? Nope. Did everyone need to make the switch? Nope.

That is the bigger challenge Microsoft faces: convincing us that Windows 8 is must-own software.

Since the company is so determined to make a dent in the tablet market, Microsoft needs to ensure that when Windows 8 is released, there is at least one (preferably several) must-have tablets available. If the company launches a true iPad competitor – or better yet, a true iPad-killer – then there will be very little preventing Windows 8 from attaining long-term success.

Source: Forbes

Opera 11.60 For Windows, Mac & Linux Download Available. What’s New?

Opera has always impressed us. The browser has maintained its own innovation cycle and continued to set new standards for the competition for a long time now. Opera’s shiny new version 11.60 is now available for download on Windows, Linux and Mac platforms (download links below). Opera fanatics will be pleased to know that Opera 11.60 offers quite interesting updates. The first thing you will notice in the latest version is the revamped URL address field. The URL address field will now offer search engine suggestions and bookmarking will be easier with just a click of the star towards the end of the URL field.

We know Opera for its obsession with speed. Keeping with the philosophy of faster is better, the latest version offers revamped HTML5 rendering engine. This means all modern HTML5 coded websites will work better than ever before. Opera claims that the websites using SSL technology will load faster than ever before. It also allows vector graphics to be mixed with HTML; which would open new possibilities for web applications.

Those who love the Opera’s inbuilt mail client will love the redesigned look which is faster and cleaner as well. The mail client now features mail grouping which is very useful when you have an influx of email messages every day.

Download Links: Opera for WINDOWS | MAC | Linux.

Source: CrazyEngineers