Tag Archive: Ryans Computer Repairs


The Heartbleed bug: Am I at risk and do I really have to change my password?

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data — everything from passwords and login details to credit card numbers and addresses.

Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion there’s also been reports of hackers sending out phishing emails related to Heartbleed — in order to trick users into giving up passwords that have yet to be compromised. Be on the look out for these and don’t follow any links in suspicious looking emails – if you want to change a password go to the site directly.

Which sites are affected?
Most Google sites and services (including Gmail and YouTube – but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties — including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here — just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe — as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?
In a word: Yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won’t hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn’t be too quick to change passwords, this is because not all website have patched their servers and changing your password before this happens could make matters worse. The sites we’ve listed above have patched their servers and if you want to check one we’ve not mentioned — click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don’t need to change their passwords. While it’s true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?
In lists of the most frequently used passwords online there’s some obvious clangers that we know you’re too smart to use (these include old standbys such as ‘123456’ and ‘password’ itself) but just because a password doesn’t look obvious to you that doesn’t make it safe.

This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets’ names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd — more complicated variations are required) or patterns derived from your keyboard layout (eg ‘1qaz2wsx’ or ‘zxcvbnm’).

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer — so try combining multiple words together and then adding in numbers between them.

You could pick a number of some significance to you (for example a loved one’s birthday, ie 12/08/1970) and then splicing this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficulty password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line “When you call my name it’s like a little prayer” and turn it into wuCmNilaLP. Madonna is optional of course, but we think this a fun method — especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.

Ryan says: I recommend everyone on any of the sites mentioned in this article to change their passwords ASAP.

Researchers Say They Took Down World’s Third-Largest Botnet

On Wednesday, computer security experts took down Grum, the world’s third-largest botnet, a cluster of infected computers used by cybercriminals to send spam to millions of people. Grum, computer security experts say, was responsible for roughly 18 percent of global spam, or 18 billion spam messages a day.

Computer security experts blocked the botnet’s command and control servers in the Netherlands and Panama on Tuesday. But later that day, Grum’s architects had already set up seven new command and control centers in Russia and Ukraine. FireEye, a computer security company based in Milpitas, Calif., said it worked with its counterparts in Russia and with SpamHaus, a British organization that tracks and blocks spam, to take down those command and control centers Wednesday morning.

The researchers said they were able to vanquish the botnet by tracing Grum back to its servers and alerting Internet service providers to shut those computers down.

Technologists have taken the lead in combating digital crime rather than waiting for law enforcement authorities to act. Earlier this year, Microsoft employees assisted federal marshals in a raid on botnet servers in Pennsylvania and Illinois. Those servers were used by criminals to run Zeus, a botnet that siphoned people’s personal information, like online bank account passwords and credit card numbers, from infected computers. Almost simultaneously, a separate group of cybersecurity researchers in San Francisco were busy eliminating another botnet, called Kelihos.b, which was used to send spam.

While computer security companies are quick to publicize botnet takedowns, their gains tend to be temporary. The blocking of Kelihos.b lasted less than a week before a modified version of the botnet started infecting computers. Microsoft’s takedown of Waledac, another spam botnet in 2010, lasted only as long as the time it took its creators to modify its architecture slightly and create a new botnet.

So what’s to say Grum’s creators will not just run their botnet from a new command and control center tomorrow?

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye.”They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Source: New York Times