Thursday, April 10, 2014

Heartbleed

The Heartbleed bug is NOT a virus. 

It does not infect your PC.

It does reveal a flaw in the security systems used by secure website servers.

The problem started two years ago when a update to the secure socket layer contained a flaw (AKA Bug) in the code.
The flaw was only discovered a few days ago.

It allows anyone with a simple software tool to grab memory from a secure server and steal a copy of it.
The stolen information can includes any user logged into the site. Passwords, credit cards etc.
Notice that it steals stuff from MEMORY, not DISK. Information from users who have not logged in recently can NOT be accessed.

That's bad, but it gets worse.

However, even worse, the security keys that allow encrypting the data are in memory and can also be stolen. This means the thief can decode information sent to or from the server, in the past, now or in the future, at least until the web site is issued new secure encryption keys.

Heartbleed steals copies of  Keys

(The Bank Analogy)

Let's put this in simple terms. Stealing the encryption keys is like having someone steal copies of the keys to your bank, including a master key to all the banks safety deposit boxes. It is a tho a thief "borrowed" a ring of keys from the bank, copied them, and returned than before the bank realized they were missing. We don't even know when they were copied. The thief may have copied them two years ago and again the day after the bank changed all the locks.
This would mean that someone, for the past two years could examine everything you did at the bank, even the stuff in your safety deposit box. They will continue to be able to get into your box until the bank changes all the locks on the doors and the master key to the boxes. Changing the key to your deposit box does no good, because the thief can still enter the bank and unlock the box with the master key.

Securing the Master Keys

Fixing the Heartbleed problem by patching the server prevents someone from making copies of the security keys. That is like having the bank president check all the employees and securing every employee key so they can't be copied again. It does nothing about the copies of the keys the thief already has.

How to Protect Yourself

Wait a few days before you log into any secure site. That is like waiting for the bank to change all their keys and locks AND SECURING THE KEYS SO THEY CAN'T BE  COPIED AGAIN. On the internet, all secure encryption keys are changed once a year. Some sites like Microsoft and Google change the encryption keys randomly very often, sometimes several times a day. Sites that only change them once a year will need at least a few days to change their keys.

If you can, hold off a few days before you buy that next book or rent a movie over the web.

Keep an eye out for unauthorized bank or credit card charges, but play it safe, don't log into your bank's web site or use an ATM unless it is absolutely necessary. For the next few days renew your acquaintance with your friendly bank tellers.

Don't change your password unless the site has been fixed. That is like putting a new key in your safety deposit box while the thief with a master key is standing there watching you.

These Sites Are Safe to Use

This is a very short list of popular sites you are likely to visit.
There is no complete list yet.
There are two lists here;
1   These sites did NOT use the Secure Socket Layer code that Heartbleed exposes. There is no need to change your password or worry about your data.

1040.com
Amazon (retail store)
AOL
Capital One
Chase
E*Trade
Evernote
Fidelity
FileYour Taxes.com
Hotmail / Outlook
Microsoft
PayPal
PNC
Schwab
Scottrade
Spark Networks (JDate, Christian Mingle)
Target
TD Ameritrade
TD Bank
U.S. Bank
Walmart
Wells Fargo

These Sites Were Possibly Vulnerable, but are Now Fixed

These sites did  use the Secure Socket Layer code that Heartbleed exposes. They have been patched.
You should change your password as soon as possible on these sites. Data was possibly exposed but there is no evidence of that having happened yet. Changing your password now will prevent future exposure of you account on these sites.

Dropbox
Gmail
GoDaddy
Google
Intuit (TurboTax)
LastPass
Minecraft
OKCupid
SoundCloud
Wunderlist
Yahoo
Yahoo Mail

Any Site not listed above is suspect and you should wait or check before using.


Notes for Tallassee Alabama
 These are special precautions for the next few days.
Primesouthbank.com is OK to use, as the Heartbleed is blocked by the ISP
         Go to the bank or use their web site to check your account.
         Do NOT use non bank owned ATM's to withdraw money
          or check your balance. (At least for the next couple days)
          Be aware that SOME ATM's at SOME banks are NOT operated by the bank. Don't use them.

See Something, Say Something

If you see unusual transaction, report them immediately.

Be Careful, Check the Site

Before using any other site that uses a password, especially if it involves money, SS numbers, or personal information, check it with the following tool:
 http://filippo.io/Heartbleed/

Type in a site name like Twitter.com  then hit Go.
If it is red, do not use it
If it is green, read the green message, It will tell if the site has been patched or simply had some functions turned off as a way of preventing the Heartbleed.

Don't Panic

Don't rush to the web and start deleting personal information or closing accounts. You will be loading your information into the severs memory and exposing it to Heartbleed if the site is not patched.

My Take on this Mess

Remember, the following is purely speculation on my part.

Nobody has explained why this happened. We know WHAT happened, but not WHY.
I find the following to be strange:

  1. This bug crept into code that is used by so many different server software providers. 
  2. That it was introduced into the wild by people who's main purpose is security.
  3. That a bug like this didn't just break the code, instead it enabled downloading any 64K block of memory.
  4. If it was an intentional back door the servers memory, then what hacker would wait two years without launching a massive credit card fraud? Once he had access to a few million accounts, why wait any longer for the payoff?

In the past, there have been bugs like this, ones that lie dormant for years before they do their damage.

  • The bug in the Iraq anti-aircraft defense system that cause the guns to fire randomly into the empty spaces between our bombers.
  • The bug that caused Iran's nuclear centrifuges to self destruct.

Those bugs, and others, were created by governments.
Did a government somewhere want to read all the encrypted data on the web? What about Iran? China? Or is there one closer to home?

I'll leave it to you to speculate.

Tuesday, March 11, 2014

Bob's Bytes Tuesday March 11th 2014

Buying a new PC?
Here is a great test you can do at the store on the PC's you might buy.
First try this on your old PC

Open the browser, and type thewildernessdowntown.com (or just click this link)
Type in Tallassee as the name of your town.
Notice that your mouse acts as a hawk as the birds fly around on the screen.
Verify that they scatter when your cursor gets close.
Watch the video and listen to the audio.
Do all the windows have video in them? Do scenes from Tallassee get incorporated into the video?
When asked, draw your name with the mouse, It will look better if you start at the bottom of each stroke when drawing. When you finish drawing, the birds will land in the trees you drew.
You might want to run it again using your street address instead of just Tallassee.

Didn't work on your old PC, Try it again using the chrome browser.
Now that you have seen what it does on your old PC you are ready to do some shopping.
Be sure to go to a store that has internet access.
launch the browser. (On Windows 8, use the desktop browser)

There should be no errors. Everything should be nice and smooth, Audio should not break up.
It should look much better than on your old PC. The birds should appear to fly from one window to another.

When comparing two PC's run this page side by side at the same time if possible.

I chose this page because it uses a lot of processor power. The speed of the internet does not matter, because the video is generated on the local PC. It uses all the latest features of the current generation of video cards. If the computer crashes, fails to display all the windows or seems sluggish, don't buy it. This should run on any NEW PC, even ones costing less than $300.00

Tuesday, January 28, 2014

Huntsville Alabama helps discover water in our solar system.

For the first time water is confirmed on another planet in our solar system. Alabama played an important part in the discovery.
At NASA, project Dawn confirmed that plumes of water are being ejected from the dwarf planet Ceres. Ceres orbits our sun between mars and Jupiter. It is the closest of the three dwarf planets in our solar system.
Project Dawn is part of NASA's Discovery Program, managed by the Marshall Space Flight Center in Huntsville, Ala.

An artist's conception shows water vapor being released from two spots on Ceres
Next year, NASA's Dawn spacecraft is due to go into orbit around Ceres.
The discovery leads to the possibility that microbial live might be found on Ceres, adding it to mars and Europa. as possible locations

Monday, January 13, 2014

Bob's Trivia Question For Tuesday January 14th 2013

I created a wallpaper for your desktop that is a great conversation starter. It's called the "Eye of the Earth" (or sometimes the Eye of the Sahara).
It was discover by the early astronauts during their first orbital flights. They thought it was a meteor crater. Photo's shows it was 30 miles in diameter. Being an unknown crater, geologist soon visited the location and found it wasn't a crater at all. Instead it was a mound with the center of the eye several hundred feet high. Instead of a big hole, it was shaped like a huge eye. Geologist named it the Richat Structure and still debate the exact origin of the Eye of the Earth.




Click on these small images to see the full size versions. Then right click the full size version to download it or set it as your desktop wallpaper.

Search Richat Structure on Google or Wikipedia so you can amaze you friends with the surprising history of the earth's eye.
I created these wallpapers from satellite images in several popular sizes to fit different monitors. I even included a wide version for dual monitor systems.
 
Linda Segrest from Community Hospice Care provided a very informative program today on Tallassee TV and WTLS. She filled in for the regular Community Hospital program. Hospice is specialized care available to persons experiencing a life limiting illness who desire to spend their remaining days in the comfort of their own home, surrounded by the people they love. The goal is helping each patient reach an acceptable level of physical, emotional and spiritual comfort while encouraging them to remain alert, active and independent for as long as possible. Linda covered a wide range of services including Pain Management,
videoMedications, Family Education and Training, Home Health Aide Care, Homemaker Services, Nutritional Counseling, Nursing Care and Symptom Control. You may contact Community Hospice Care at 334-283-4250.