“HeartBleed” Hotel – The Encryption Bug that has Websites Scrambling

By now, you have heard about this “Heartbleed” thing. Most of us are not sure whether it is a big deal, or whether it even affects us. Let’s make sure we all understand this: it does.

It does because we, as a rule, are very, very lazy when it comes to passwords. We tend to use one or two passwords for everything, INCLUDING banking. In other words, if you get someone’s password to, say, Facebook, chances are you have the password to their Bank of America account. (Keep in mind, most banks have two or three layers of security, but still…)

So let’s go over some basics.

First off: What is the Heartbleed Bug?

This is a flaw (also known as a “bug”) in a cryptography library that allows an attacker to read information that would normally be unreadable as it passes over the internet. This is an issue because, while it generally doesn’t affect access to financial and banking sites (that we know of), it does affect most everything else.

Second: Why does this affect me?

It affects you because it exposes websites and systems like Facebook, Instagram, and others, giving an attacker a better chance of getting the passwords to those banking and financial sites. (My guess is most users tend to use the SAME password for everything, but none of us do that here. RIGHT?)

Thirdly: Is there a list of sites that are affected?

I have a PARTIAL list of sites that were compromised, either in reality or in theory.
Below is a table that goes through some of the sites affected.

Social Networks
Site        | Was it affected? | Is there a patch? | Do you need to change your password?
Facebook    | Unclear          | Yes               | Yes
IFTTT       | Yes              | Yes               | Yes
Instagram   | Yes              | Yes               | Yes
LinkedIn    | No               | No                | No
Pinterest   | Yes              | Yes               | Yes
Tumblr      | Yes              | Yes               | Yes
Twitter     | No               | Yes               | Unclear

Other Companies
Company     | Was it affected? | Is there a patch? | Do you need to change your password?
Apple       | No               | No                | No
Amazon      | No               | No                | No
Google      | Yes              | Yes               | Yes
Microsoft   | No               | No                | No
Yahoo       | Yes              | Yes               | Yes

Email
Service           | Was it affected? | Is there a patch? | Do you need to change your password?
AOL               | No               | No                | No
Gmail             | Yes              | Yes               | Yes
Hotmail / Outlook | No               | No                | No
Yahoo Mail        | Yes              | Yes               | Yes

Stores and Commerce
Site                                        | Was it affected? | Is there a patch? | Do you need to change your password?
Amazon                                      | No               | No                | No
Amazon Web Services (for website operators) | Yes              | Yes               | Yes
eBay                                        | No               | No                | No
GoDaddy                                     | Yes              | Yes               | Yes
Nordstrom                                   | No               | No                | No
PayPal                                      | No               | No                | No
Target                                      | No               | No                | No
Walmart                                     | No               | No                | No

Banks and Brokerages
Institution     | Was it affected? | Is there a patch? | Do you need to change your password?
Bank of America | No               | No                | No
Capital One     | No               | No                | No
Chase           | No               | No                | No
Citigroup       | No               | No                | No
E*Trade         | No               | No                | No
Fidelity        | No               | No                | No
PNC             | No               | No                | No
Schwab          | No               | No                | No
Scottrade       | No               | No                | No
TD Ameritrade   | No               | No                | No
TD Bank         | No               | No                | No
U.S. Bank       | No               | No                | No
Wells Fargo     | No               | No                | No

Government and Taxes
Site               | Was it affected? | Is there a patch? | Do you need to change your password?
1040.com           | No               | No                | No
FileYourTaxes.com  | No               | No                | No
H&R Block          | Unclear          | No                | Unclear
Healthcare.gov     | No               | No                | No
Intuit (TurboTax)  | Yes              | Yes               | Yes
IRS                | Unclear          | Unclear           | Unclear
TaxACT             | No               | No                | No
USAA               | Yes              | Yes               | Yes

Other
Service                                  | Was it affected? | Is there a patch? | Do you need to change your password?
Box                                      | Yes              | Yes               | Yes
Dropbox                                  | Yes              | Yes               | Yes
Evernote                                 | No               | No                | No
LastPass                                 | Yes              | Yes               | No
Minecraft                                | Yes              | Yes               | Yes
Netflix                                  | Unclear          | Unclear           | Unclear
OKCupid                                  | Yes              | Yes               | Yes
SoundCloud                               | Yes              | Yes               | Yes
Spark Networks (JDate, Christian Mingle) | No               | No                | No
Wunderlist                               | Yes              | Yes               | Yes

(This table and a more descriptive version were pulled directly from here:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link )

The big ones are on the top.

Finally: What do I need to do?

CHANGE YOUR PASSWORDS!! ALL OF THEM. Really – change them, even if you don’t have anything on the list. Learning new passwords is MUCH easier than dealing with a compromised account.

Make sure you stay on top of this. While a virus can be fixed, a hole like this, which had been out for a while but was not discovered until recently, can wreak havoc on your life.

Tales from the “Crypt” – olocker …

If you haven’t heard about this by now, read on. There is a new, particularly nasty piece of software out there gaining speed, called “Cryptolocker.” Before we get into the details, let me first explain a couple of things. Cryptolocker is a type of malware. Malware is any program that doesn’t have your best interest at heart. Examples are viruses, adware, and this particular piece of work.

Cryptolocker is “ransomware.” This is because after it does damage to you (in this case, encrypting files you might want), it will offer the “fix”… for a price (usually anywhere from $200 – $3000 or more). Pay, and most likely you will get your precious data (pictures, databases, spreadsheets, and so on) back. Don’t pay, and you most likely won’t see it ever again.

This is an example of what you would see if you get hit with Cryptolocker.

Cryptolocker depends on you clicking on it, in some form or fashion, to gain access to your computer. You give it access by clicking on an “attachment” in an email sent to you, which loads the program onto your computer. The program then installs itself and looks for the files you most want to keep. Anything your computer doesn’t need in order to keep running, as opposed to an actual program, is fair game. Then, using a VERY sophisticated level of encryption (a 2048-bit public/private key), the program scrambles those files. Music, spreadsheets, pictures, movies, and so on are all fair game.

You get a notification with a countdown timer telling you that you have X number of hours to pay the required ransom using nonstandard forms of currency. (The ransomers request payment in MoneyPak or Bitcoin. This payment won’t be cheap; in fact, the numbers can range into the thousands. One Bitcoin is worth, as of this writing, about $360, and the ransom tends to be in the 3-5 Bitcoin range.)

The irritating thing here is that you can get rid of the virus easily enough. It is a simple Trojan that delivers this program, so almost every virus scanner can clean it off your computer. The problem lies in the fact that the encryption keeping you from your files is so strong that security experts around the world have not been able to crack it. Getting to the source is very hard because the criminals doing this do not want to be seen. The servers that communicate with your computer are hosted far away from the folks running them, and the use of nonstandard currency makes the money trail VERY hard to follow. Add to this that copycats are beginning to pop up, making the guarantee of recovery dicey, because these folks know how to encrypt but not how to repair. You are left with two options: pay or don’t. So what do you do? It depends on what you have done.

If you have recent backups that were stored offline, then you can fall back on those. No need to worry. If you didn’t, well then, you have a decision to make: pay and maybe get your files back, or don’t pay and almost certainly lose everything encrypted. Considering that no security firm has figured out how to beat the encryption, chances are that if you elect not to pay, you have lost those files for good. (Keep in mind, every major security and antivirus company has urged everyone NOT to pay. I feel that it is an easy decision to advise when your files aren’t at stake.)

So… what can one do to prevent this from happening? Three things: 1) don’t be so trusting, 2) prevent files from automatically being allowed to install on your computer, and 3) most importantly, BACKUP, BACKUP, BACKUP!!! I can’t emphasize the third one enough. You need to back up your most important files early and often, to the point that if you change a file, you back it up.

OK… let’s take these in turn.

1) Don’t be so trusting.

Understand that the easiest way this virus gets to you is when you click on an email out of the blue telling you that your Facebook password has been changed. It can be an email from Wells Fargo telling you that foreclosure proceedings have been started on your house… and you rent. The point I am trying to make is that you will invariably get an email about something that doesn’t seem right in your gut. DON’T OPEN IT!! Keep a couple of things in mind: you will never get an attachment from an organization (especially one in a compressed format like .zip or .rar) without having requested it. It just doesn’t happen. You can verify these emails by going directly to the website in your browser and logging in. If there is something to be aware of, you will see it there. At that point, delete the message, or let the company know you have the email to help them get ahead of the situation.

2) Prevent files from installing on your computer.

If this, and many other malware programs, can’t install, they can’t get a foothold on your computer. So even if you do click, they won’t install. This also means that it will probably prevent you from installing programs you want to install. I hate to say it, but that means you are going to have to learn more about how your computer works! There is a program that can do this for you, and it is pretty good about making it easy to turn this off or on. It was developed by a company called Foolish IT, LLC. Their little program is free to use (they have a paid version that is much more robust, but you can look that up on the site) and easy to manage. You can get it from this site:

http://www.foolishit.com/vb6-projects/cryptoprevent/ (I know what it looks like, but it is a REAL site.)

(Shameless self-promotion, Bravotechpc can guide you through this and get you up to speed to minimize your exposure.)

3) BACKUP, BACKUP, BACKUP!

This is good for so many reasons. If you invest in a program like Dropbox (www.dropbox.com), you can get your files stored online with version control, which means that if your file gets encrypted and stored, there is still going to be a version of the file that ISN’T encrypted or otherwise compromised. You can make a daily copy of your files, and there is a good chance of protecting yourself from the worst. Make sure your backup cannot be accessed by your computer. (If your computer can get to it, then so can malware.) Once again – this is something we at Bravotechpc can help you set up.

Dropbox is a free service (2 gigabytes to start) that will allow you to save versions of your files automatically.

Computer use in the modern age requires that you protect yourself. It isn’t any different from locking your doors at night or not leaving cash out in a public place. If you take steps to avoid being a target, you will most certainly keep your exposure to this kind of heartache to a minimum.

Blogging for Business

or – Testing how much you paid attention in English Class ..

This is the inaugural post for the Bravotechpc Blog Page. So the inevitable question is, why? What good does a blog do? The answers are both simple and complex. I will start with the simple one: a blog allows you to be seen not only as a professional in your industry, but also as a potential trusted resource.

Now the longer explanation:

Human Consumption

Blogs are great not only for human eyes but for electronic ones as well. On the human side, you have to remember that you are trying to provide a service in exchange for consideration as a top-of-mind resource for anything your client might be interested in. If you sell widgets, you want to write a blog about widgets in the workplace, possibly with advertising reminding your potential clients that you have widgets for sale.

Blogs allow you to push products, services, concepts, and ideas with a pretty wrapping that allows readers to be educated and not “sold.” The upside for the writer is that contacts coming FROM the blog are generally more interested in you than someone you may have prospected. Considering that blogs work the same schedule as business websites (all the time), you have a sales rep working on your behalf 100% of every day!

A good blog tells your reader that, ultimately, you are the best in the business. If you are writing for a nonprofit, you tell your reader that your cause is “most just.” A well written blog can be a powerful ally in your quest to gain more attention.

I emphasized “well written” for a reason. A great concept or product can go completely to waste if your reader is turned off by your language. This doesn’t mean that you have to use the “Queen’s English” or have a Master’s degree in English or Composition, but you do have to 1) be understandable, 2) use correct spelling and grammar, and 3) use language that best suits your audience. Every computer has a spell checker, and most writers use it. What they tend NOT to check for is proper use of language. There is a monumental difference between “to,” “two,” and “too.” Additionally, you would be well served to have a third person view and edit your document before you post. What sounds good in your head doesn’t always come out the right way in public. To help minimize those errors, it is good to plan your document using an outline. That way you know you have a beginning, a middle, and an end. Once the outline is up to the proper standard, you can move on to filling it in.

A well written and well developed blog not only gives your human readers a clear picture of what you are trying to get across to them, but it also helps build your electronic presence on the internet.

Electronic Visibility

Electronic visibility refers to the collection of search engines on the internet. Content, as far as these programs (Google, Bing, and so on) are concerned, is golden. As you write more and more, your content becomes visible to these search engines. The benefit of this lies in the fact that when a potential customer looks up information related to your endeavors, you have a better chance of being seen near or at the top of the screen. This additional exposure gives you a better chance of being picked by the seeker.

Making yourself visible to these engines is, at the basic level, easy: write a lot of good content. Be aware that you don’t want to “stuff” your blog with keywords, or you may find yourself penalized by Google, often considered the standard-bearer of this group. Google has put out algorithms, known as “Penguin” and “Panda,” that specifically look for sites that try to abuse the system. The end result is often a loss in search ranking that is hard to recover from. (You can learn more about Penguin and Panda.)

Systems like Penguin and Panda deal with a lot more than just content, but the essential thing to remember is this: write a good and useful blog, and for the most part you should be OK. There are ways, however, to increase your visibility without invoking the “wrath of the vengeful and vindictive search monster,” but that gets a little more complex and falls outside the scope of this article.

[Shameless plug: This is where having a provider like Bravotechpc comes in handy. We specialize in hosting and helping you build and maintain your website and blog. If you feel like you might need some help getting this up and running, don’t be afraid to contact us!]

If you can master the art of keywords, link building, metadata, and page rankings, you can harness your blog to gain more and more eyes. As an additional income generator, you can add links to your page that will earn you extra income just because someone comes through your page. This starts to get into complicated territory; I will address it in the future. For now, just be aware that aside from the obvious, there are other opportunities for your blog to repay you for your effort.

What to expect from Bravotechpc’s Blog in the future

In future posts, you will find articles on building the best home office, the use of social media in business, developing a cohesive computer use policy, as well as a number of other subjects in many technological and sociological fields. I will also periodically answer questions from our readers, as well as occasionally promote our customers.

[Bravotechpc.com is a full-service technical support company that caters to small and mid-sized businesses, as well as the remote and home office worker. We build and support office networks, internet websites, and custom solutions to help save time and money.]