Heartbleed 101

The tech news for the last week has been dominated by talk of the Heartbleed bug. While many articles have been published, I wanted to take a moment to review the basic facts about Heartbleed. Once we have the facts straight, we can plan a strategy to mitigate the potential harm.

  • What is Heartbleed?
    Heartbleed is a flaw in OpenSSL. OpenSSL is a piece of software that many websites use to provide secure, encrypted communication between the website and your web browser. The flaw was introduced – accidentally – in April 2012 and it allows people to request and receive information from the website. OpenSSL includes a feature called a heartbeat that allows your browser to request confirmation that the website is still listening and waiting for requests from you. The design of this feature is that your browser requests and receives the data it had previously sent. However, the Heartbleed bug allows browsers to request up to 64KB of data. When they do, the server sends back whatever data happens to be in the website's memory at that time. This means that the request could return sensitive data such as the username and password of a previous user of the website. It could also include the keys used to encrypt data for the website. With these keys, a hacker could set up a malicious website and use a stolen key to assume the identity of the original site. If you want more detail, see this Engadget article.
  • How does this affect my computer?
    In the strictest sense, this does not affect your PC or Mac (unless you are running an OpenSSL server). This flaw is primarily on web servers. However, because just about every computer these days lives at least part of its life on the Internet, how the web servers are affected directly affects us.
  • So what should I do?
    There are a number of steps everyone should take to address these issues. First, follow good Internet security. While this is not specifically tied to the Heartbleed vulnerability, it is a good opportunity to remind ourselves of the basics.
    1. Passwords
      1. Use unique passwords. If you use the same password on more than one website, it becomes that much easier for attackers to figure out the password for your bank if they learn the password for your favorite chat room.
      2. Use random passwords. Attackers often use dictionaries to guess common passwords. So, the password MyDogRover is pretty likely to fall to a hacker while t*LL&c^05WxV is less likely to.
      3. Use a password manager. A good password manager will provide you with the tools to do both of the above. I use and recommend LastPass. It includes integration into all Mac and PC browsers, tools to generate strong random passwords and many other features for free. For $12/year, their pro version adds support for mobile (iOS/Android/Windows Phone/Blackberry) and other useful features.
    2. Trust
      1. Trust no one. Meaning, if you are not sure what you are looking at, then assume it to be dangerous. If your mom sends you a YouTube link that you were not expecting, it could be a video of an adorable cat. Or, it could be a link to a malicious website.
  • What else?
    This is where it can get a little more complicated. Because this bug affects websites, fixing things on your end only helps with sites that have fixed the issue on theirs. So, the first thing to do is determine whether the sites you visit have fixed the issue. Many sites have proactively published status updates as they have fixed the bug. But, if you are not sure, use a website such as this one from LastPass to check. Once sites have fixed the issue, you should immediately change your password for that site.
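
The heartbeat flaw described under "What is Heartbleed?" comes down to one missing length check, shown here as an added example that is not OpenSSL's code and not part of the original post. It follows the heartbeat message layout from RFC 6520 (1-byte type, 2-byte declared payload length, payload, at least 16 bytes of padding); the `arena` struct, the function names and the leftover string are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define HB_HEADER  3u   /* 1 byte type + 2 byte declared payload length */
#define HB_PADDING 16u  /* minimum padding required after the payload */

/* Constructed stand-in for server memory: the received record sits at the
 * start, and unrelated data from an earlier session sits right after it. */
struct arena {
    uint8_t bytes[128];
    size_t record_len;  /* bytes actually received from the peer */
};

/* Flawed handler: echoes as many bytes as the sender declared. */
size_t hb_reply_unchecked(const struct arena *a, uint8_t *out, size_t out_cap)
{
    size_t declared = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    if (declared > out_cap || HB_HEADER + declared > sizeof a->bytes)
        return 0;  /* only keeps this demo inside the arena */
    memcpy(out, a->bytes + HB_HEADER, declared);
    return declared;
}

/* Corrected handler: silently discard unless header + declared payload +
 * padding fits inside what was actually received. */
size_t hb_reply_checked(const struct arena *a, uint8_t *out, size_t out_cap)
{
    if (a->record_len < HB_HEADER + HB_PADDING)
        return 0;
    size_t declared = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    if (HB_HEADER + declared + HB_PADDING > a->record_len || declared > out_cap)
        return 0;
    memcpy(out, a->bytes + HB_HEADER, declared);
    return declared;
}

/* Constructed fixture: `sent` payload bytes, a header declaring `declared`. */
struct arena make_arena(size_t sent, uint16_t declared)
{
    struct arena a;
    memset(&a, 0, sizeof a);
    a.bytes[0] = 1;  /* heartbeat request */
    a.bytes[1] = (uint8_t)(declared >> 8);
    a.bytes[2] = (uint8_t)(declared & 0xff);
    memset(a.bytes + HB_HEADER, 'A', sent);
    a.record_len = HB_HEADER + sent + HB_PADDING;
    memcpy(a.bytes + a.record_len, "LEFTOVER-SESSION", 16);  /* neighbour data */
    return a;
}
```

With a 4-byte payload declared as 40 bytes, the unchecked handler returns the leftover neighbour data along with the payload, while the checked handler returns nothing. The 2-byte length field is also why the over-read tops out at 64KB per request.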

If you have any questions, please feel free to email us at info@skyviewtech.shernicoff.com

What do I use? And why I use it!

Technology is a personal choice. That is something I believe strongly. As a matter of fact, it is a guiding principle here at Skyview Technology. We believe that any technology that achieves what you want or need it to cannot be the wrong technology. Of course, if your technology does not enable what you need it to, it may be worth reevaluating whether it is the right technology. If you think this may be the case, please email us or call us at 718.306.9139.

For the moment, I do not want to talk about your technology. Rather, I would like to tell you about mine. Since I could probably write for hours about this topic, I will limit myself to computer, tablet and phone in this post. I will tell you about my home entertainment options in a future post.

While I do have a Windows PC, it has literally not been turned on in years. My primary computer is a 15″ MacBook Pro. I use it every day for everything from surfing the web to writing this blog to all manner of professional work. The Mac platform has been very enabling for me over the past ten years. I find that on a day to day basis, I get more done more easily than I can when using Windows. I have used Windows both at home and at work for most of that time. So, I feel like I have a basis for comparison. The biggest limitation that this choice has imposed on me is that I do not upgrade as frequently as I might with less expensive Windows options on the market. But, since my four year old computer is still doing fine, I don’t see a need to do so in the near future.

My tablet is currently a 32GB iPad2. This iPad has gone back and forth between me and my wife over the almost three years we have had it. When she has had it, I have moved among an iPad Mini, a Google Nexus 7 and another iPad Mini. In the end, I wanted the bigger screen and she the lighter weight so we swapped. I use the iPad for email, some web surfing and a lot of reading. It also is my backup computer. When I have traveled on business with a company (Windows) laptop, my iPad has been my personal computing device. Having used the Google tablet for about a year, I can say that I both appreciate the benefits of Android and understand some of its inherent limitations. I loved the fact that I could do a lot more to personalize the settings of my device with Android than I could with iOS. I resented the fact that such personalizations were needed for the device to meet my usability standards. But, in the end, the lack of tablet optimized apps was the biggest reason I chose to go back to the iPad.

Finally, the phone I use is an iPhone 5. You might think from what I just wrote that I might be more open to switching my phone to Android. But, I think I am actually less likely to switch from an iPhone. While I do see Android as a strong platform for phones based on my tablet experience, I think that the “it just works” philosophy that has guided Apple design over the years is more important for a phone than for a tablet or a computer. Of the three, the phone is the most personal. It is the most likely to be on my person at any given moment. That means that I am using it more, but in smaller spurts. And, if it does not work in that small spurt, it is a bigger pain point for me.

Seeing my list of devices probably makes you see me as an Apple fanboy. And, to a degree, I will plead guilty. But, I will also say that I do not see my Apple products through rose-colored glasses. In a perfect world, Apple would make its devices easier to customize like Android while maintaining their simplicity. It seems like an impossible goal. But, I am sure that it is one that will be achieved. The question I have is by whom.

Living with Windows XP Without Microsoft

On April 8, 2014, Microsoft will publish its final security update for Windows XP – sort of. If you happen to be a big, wealthy company, Microsoft will continue to provide some support for you. But, since you likely are not one of those, let’s just assume that you will no longer be supported using Windows XP. For many people, the solution is to simply buy a new PC (or Mac) and let the old computer die alone. But, some people are not prepared to do that quite yet. Whether it is a matter of cost, preference or just plain stubbornness, it is still possible to use a Windows XP computer safely on the Internet. To learn how, read on.

  1. Run as a limited user.
    By default, your Windows XP user account is an Administrator. This means that it is easy for you to do all the things you might need to do to customize your PC such as changing settings and installing software. However, this also means that if malware gets onto your PC, it will be able to do those same things. By running as a limited user, both you and any malware will need you to give your express consent before any changes can be made. This alone will stop almost any malware. See here for the basics.
  2. Run with up to date security software
    If you do not already have one, get a good Internet security program. If you have one, be sure that it is up to date. These programs run as subscriptions. So, be aware if your subscription has expired or soon will. Check out this list of options.
  3. Stop using Microsoft Office
    At the minimum, move off of Office 2003, which Microsoft is also ending support for. There are a number of good, free alternatives that, unless you are a major power user, will more than meet your needs on a daily basis. The one I am using is called LibreOffice. You can download it here. If you would rather continue with Microsoft Office, be sure you are using 2007, 2010 or 2013.
  4. Ensure your software is up to date or remove it
    Do an honest audit of the software on your computer. If you do not use it, uninstall it. If you do use it, be sure that you have the latest version. Also, visit the publisher’s web site to verify what level of support they will be providing for their software when used under Windows XP. If they won’t support it, look for an alternative.
  5. Be extra careful when on the internet
    Even with the steps above, it is still possible for bad things to happen. Whether you are using XP (with the advice provided), a newer version of Windows or even Mac or Linux, it is always smart to be discreet in your web surfing and email habits. So, do not click on links you do not trust. Do not open attachments to emails you were not expecting. And, never give your banking information to a Nigerian prince.

If you need additional help or have any further questions, please do not hesitate to contact us at info@skyviewtech.shernicoff.com