Monday, April 14, 2014

Heart bleed bug (Watt Thoughts)

Last week Google and one other security firm announced they had found a major security bug on the Internet they called the Heart bleed bug. It is not known how much information has been stolen using the bug. The heart bleed bug is a bug and not malware. It is not something that spreads like a virus. This is a mistake that was made in the Open SSL program protocol several years ago that was just now discovered. Errors in computer programs are called bugs. Open SSL is used by web servers that use Apache and other open source web servers. Open source programs are programs that the source code (what the program is written in originally) is available for everyone (not just the compiled code) and usually is updated by lots of volunteers. Linux/UNIX servers use Apache as their web server. Android is basically a derivative of UNIX/Linux so it uses the same protocols. A protocol is a set of rules used to communicate by. This means that Windows web servers and Apple web servers are not affected. This is significant in that up to now Linux users have kept saying their machines are safe from most past malware, but possibly the biggest bug turns up on their machines. It does mean you can have had information stolen from a server you were connected to using Windows, just the problem is not on Windows end. The bug works from a simple approach that has a good purpose but released too much information. Basically when you connect to a secure web server (when the padlock appears in your browser or it uses https protocol it is encrypting the link between the server and you using SSL). On open source servers that use Apache they are using Open SSL. This is estimated to be 60% of the web servers. The encrypted conversation is established and information is sent back and forth. However if nothing is sent for a period one end will send a heartbeat message to the other end asking are you still there basically. The server responds. Unfortunately with this version of Open SSL it does not just send back just the answer but also sends what ever is in memory at that point. So if a different machine send a heartbeat to the server it sends back part of memory (the bleed part of the name) also for that machine. Sorta like you are on phone with someone and it is silence and you ask are you still there and instead of just answering yes they tell you their SSN, password to bank, etc. This means that someone may have gotten your passwords associated with accounts. The bug leaves no trail so there is no way to see what it gave out. You should be being notified by secure web sites you deal with whether they were affected and if they were if they have put updates in that fix the bug. Until fixes be are there you don't want to change passwords as they could still be stolen. It is not a bug that will be on your personal machine unless you are using one specific version of Android, as otherwise it is just on servers and your PCs, tablets, phones are clients. Android 4.1.1 (also called Jellybean) has the bug and you need to update to Android 4.1.2 if you are using 4.1.1. You can establish a secure connection using your Android phone is why it is affected on this version. Even though the bank or other secure site you use says they were not affected you should still consider changing passwords as you may have used that account at another site to get something and the password also somewhere. There appears to be a large impact on gaming as people use credit cards extensively there and most of those servers are Linux/Apache based. No one really knows the impact of this bug, but the potential is very large. This is based on my research of the Heart bleed bug and my knowledge of computer security. I am certified in MTA security and taught basic computer security for several years and recently took a cyber crime MOOC course thru Excelsior College and am currently taking a computer security course online with Cisco.

Windows XP and Office 2003 end of support

Microsoft is discontinuing support for Windows XP and Office 2003 today. Some of you are getting popup messages from Microsoft reminding you of that. This does not mean that Office 2003 and Windows XP will no longer work. They will keep on working. What it does mean is that Microsoft will no longer provide new upgrade, service patches, security patches and service packs to these products. Also they will no longer answer questions bout the software. However computer support people (those that fix PCs like me) will mostly continue to fix PCs with XP and answer questions. There are a few PC support people I know that will not work on anything but newest stuff. PC support people are like auto mechanics, we generally work on new and old machines and most often old as they are ones that start breaking I have seen a statistic this week that 35% of PCs still use Windows XP. I know people that still use Window 98 and 95 and those had support dropped years ago. People still us Windows 97 which has not ben supported in years. Wal-Mart check out terminals still use Windows XP in most cases and 90% of Bank ATMs the statistics say use Windows XP. You will be fine to keep on using Windows XP and Office 2003. Make sure you do keep a current antivirus program on your machine and that it stays updated. If you decide to get a new machine look at how Windows 8 looks and runs before you get a machine with it. It is a totally different interface (look) and many people do not like it. You can still buy computers with Windows 7 which is still supported by Microsoft. If you do get the pop-up warnings just ignore them and do not panic.