Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Tuesday, April 29, 2014

Computer Security Will Never Be the Same

This has been a remarkable month and the impact on how I view computer security will never be the same. The last time anything like this occurred was in the 90’s when I was infected with a complex worm looking to steal AOL passwords. When customer support told me to format my hard drive it encouraged me to create WinPatrol. The concept used in WinPatrol had never been done before but since my programming skills were busy on other projects it remained just a side project.

I started April 2014 making it clear what Microsoft’s lack of support for Windows XP would really mean. By the end of the month the worst-case prediction appears to be coming true. Microsoft received details of an active zero-day vulnerability from security platform developer FireEye. Not only does this threat affect nearly all versions of Internet Explorer and Windows, attacks using this vulnerability are currently being reported.

The software already “in the wild” uses a Flash (.swf) file to call JavaScript in Internet Explorer eventually accessing protected memory that had been randomized as a form of protection. The entry method has been a known flaw since last October but until now wasn’t found to trigger this kind of attack. Microsoft has posted a new security advisory at https://technet.microsoft.com/en-US/library/security/2963983. The Microsoft Security Response Center has been working through the weekend testing a solution they hope to release soon. Even though the flaw is in Internet Explorer if you’re using Windows XP you won’t receive an update. No matter how much you’re tempted to view a video you hear about on Facebook, Twitter or in your Email, don’t do it.


The other major concern in April was called Heartbleed. While the media coverage was over the top, few really understood what this software failure meant. You may have heard that 66% of the world’s web servers were affected. In fact, less than 7% were actually running a version of the program OpenSSL that allowed access to 64 KB chunks of data belonging to others. Even with this seemingly low number, Heartbleed opens up a couple of troubling issues. Problem #1: Data exposed by this flaw was raw and unencrypted. It was available to anyone no matter how secure you made your computer or how sophisticated the attack. The attacker didn’t need to know you to access your data. Problem #2: This event demonstrated how defenseless we all are any time we use the Internet. This was the result of a programmer and reviewers missing a simple error. I can only imagine how much of the Internet uses software with existing backdoors created by design.

This year I’ve done a lot to make WinPatrol easier and useful to a wider audience. Given these serious threats my motivation hasn’t diminished. The basic concept of WinPatrol detecting changes continues to be a model that makes sense. While some attacks may require the PLUS version we have one advantage. Ironically, WinPatrol isn’t always taken seriously so it continues to notify users while many popular Anti-Virus programs are disabled.


UPDATE 5/2/2014
Microsoft has released a security update on May 1st.  This update will repair the failure found in Microsoft Internet Explorer.
Security Garden: Out of Band Security Update for IE Zero-Day Vulnerability
The patch is available as a Windows Auto Update.   Microsoft surprised many by making this available on machines running Windows XP.
WinBeta: I’m sorry Windows XP users, but Microsoft shouldn’t have patched your OS



Thursday, April 10, 2014

April Security News is Serious

Many of my friends have been asking for my opinion of a couple security issues which have been in the news.

The first is Windows XP which was launched in September of 2001. Microsoft announced last year that after April 8th, 2014 it would no longer provide support for Windows XP and Office 2003.

The second concern is for something known as HeartBleed. This could be dangerous to anyone who visits a website no matter what kind of device you use.

Microsoft Windows XP
I realize that many of you can not or will not upgrade your computer currently running Windows XP.  It may not happen today or even next month but it’s only a matter of time before your computer is infiltrated and is useless.  Start putting aside some money, backup your data regularly and look for alternates to programs you can’t do without.  I’m sorry but it’s only a matter of time.

If someone on your home or business network is using Windows XP, turn off their access. When their machine is attacked it will compromise your entire network.

If they really need Internet access consider getting them a separate connection perhaps through their phone or with a separate hotspot.


Many of you asked about using WinPatrol which is a great idea but doesn’t address the big picture. The security gurus at Microsoft spend a lot of attention on flaws or vulnerabilities in software. When they find a hole that lets hackers in, they create a patch. After a great deal of testing they release fixes on what we called “Patch Tuesday.”

WinPatrol will continue to notify you of regular changes to your computer but the ability to patch vulnerabilities isn’t its specialty. What I will be doing is paying attention to what I hear from hackers. When possible, we will notify WinPatrol users if a particular file or ActiveX component is found to have a vulnerability. WinPatrol PLUS will allow you to disable ActiveX components by setting their Kill Bit. This is the most we can do and will require quick action.

OpenSSL - Heartbleed
On Monday researchers disclosed a serious flaw in an open source program used by almost half the web servers around the globe. A version of the program called OpenSSL allowed hackers to grab a chunk of recently active protected memory. This memory could contain anything from names and passwords to someone’s grocery list to decoded government or industrial secrets. Any kind of data that is communicated could be snatched. After collecting unlimited chunks of data a hacker could make a game out of figuring out what segments could be valuable. Each chunk was 64K like the total addressable memory of the Commodore 64.
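As an added illustration (not code from this post or from OpenSSL), the C sketch below shows the length check whose absence produced those 64K chunks: a heartbeat request states its own payload length in a 16-bit field, and the responder must confirm that length fits inside the record it actually received. The function names and the two sample records are constructed for this example; the field sizes follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request type (RFC 6520) */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */

/* Constructed samples: an honest request, and one claiming 65535 bytes. */
static const uint8_t HONEST[24] = {HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o'};
static const uint8_t LYING[20]  = {HB_REQUEST, 0xFF, 0xFF, 'x'};

/* Payload length the sender claims (big-endian 16-bit field). */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the record that a responder would copy if it
 * trusted the claimed length (the Heartbleed mistake). */
size_t hb_overread_if_trusted(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t claimed = hb_claimed_len(rec), present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: copies the payload to echo into out[] and returns its
 * length, or -1 when the request must be silently discarded. */
long hb_build_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = hb_claimed_len(rec);
    /* The missing check: the claimed length must fit inside the record. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len || claimed > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

int main(void)
{
    uint8_t out[64];
    return !(hb_build_reply(HONEST, sizeof HONEST, out, sizeof out) == 5 &&
             hb_build_reply(LYING, sizeof LYING, out, sizeof out) == -1);
}
```

For the 20-byte record that claims 65535 bytes, a responder that trusted the field would copy 65518 bytes of unrelated memory into its reply; the hardened handler drops the request instead.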

Some media outlets like the BBC have repeated the advice to change every password you have. There is no trustworthy list of up-to-date/time safe computers but a list created yesterday claims to have tested 10,000 popular sites. Most have been updated by now but you’ll want to be sure before changing any password or even signing on. An updated list should be available soon.

A number of tools for consumers have sprung up allowing you to verify in real-time if a website is currently safe. I found the following to run my own tests.

[Image link: Heartbleed test tool; click image to test your favorite site]

My web sites have been hosted by the company, Verio and I was pleased to see my information was safe. It doesn’t mean it was always safe but if not, at least Verio was quick to apply a fix. I can confirm no personal or financial customer data is stored on our web servers.

I wouldn’t necessarily advise you to change all your passwords. Before you do, you’ll certainly want to be sure the company is aware of Heartbleed and has updated their security. Over 56.8% of the companies on the list of 10,000 are listed as safe because they don’t even use OpenSSL. Another 36.9% tested safe yesterday. That leaves only 6.3% that were vulnerable when the news was announced.

I have changed some of my more important passwords but I regularly change passwords anyway. I did change my Yahoo passwords since they were mentioned in many news reports and acknowledged using OpenSSL. Considering Google was involved in disclosing this bug it’s interesting that Yahoo was used as an example. Many friends of Google were notified so they could update their version of OpenSSL before the information was made public.


While you may notice my tone is not meant to create panic, I personally consider this failure as devastating. I started developing online services for consumers 30+ years ago and this is the “utmost cock-up”.  I don’t fear the damage caused by this threat as much as I worry about what this general lack of  oversight represents.


You can find more details online from our favorite security investigator, Brian Krebs on Security, and official reports sponsored by Homeland Security on the Carnegie Mellon CERT database. The list of 10,000 is located at
https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt



Sunday, April 06, 2014

Give a Gift of WinPatrol PLUS

I often receive email from long time WinPatrol users asking how they can give a lifetime PLUS upgrade to one of their friends. I feel a special bond with our loyal PLUS members. They send me kind messages saying that WinPatrol is their must-have program and the first they install on new or rebuilt computers.

Giving the gift of WinPatrol PLUS is easy and even recommended by USA TODAY when tech writer Byron Acohido suggested that “WinPatrol may be one of the best kept secrets in computer security.”
[Image: USA TODAY article]
Click on the image above for the full article or click the image below to learn how to give WinPatrol PLUS to someone who could benefit from our PLUS features.
[Image: WinPatrol PLUS gift]

Click to go to
http://www.winpatrol.com/gift.html


If your friend isn’t worth $29.95 you can also recommend our free version of WinPatrol. Installing WinPatrol is fast and easy but our free license does include one restriction. If you install WinPatrol to protect your friend they must be informed and educated on how WinPatrol works. I have received Emails and threats from folks who had WinPatrol installed by well intended friends without their knowledge.
