What Should You Do About the Heartbleed Bug?


Last week news broke about the Heartbleed bug, a vulnerability that affects the way secure websites communicate with your computer. Tech blog Mashable writes: “The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.”

Scary stuff, no doubt. You should check the freshly updated full list at their site, but here’s the glimmer of good news: all the banks and financial institutions Mashable reached out to (and that’s quite a few) were completely unaffected.

So what should you do? Change your passwords. And don’t just add one to the end of your current password. Make secure passwords, and use a database to keep them straight. My recommendation is for long, non-dictionary passwords. It’s a hassle, but it’s a price we ought to be willing to pay for the benefits of doing business on the internet. I use a secure program, 1Password*, to keep my existing passwords straight, and to generate new passwords when I make new online accounts. I’ve personally gotten to the point where I don’t know what most of my passwords are, but I know the one password I need to access them.
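To make the “long, non-dictionary password” advice concrete, here is an added example (my code, not from the post and not 1Password’s) of what the generator in a password manager does behind its “new password” button: it draws characters uniformly from a fixed alphabet using a cryptographic random source, reports the resulting strength in bits, and flags the “dictionary word plus a few characters” habit the post warns against. The word list is a constructed stand-in for a real dictionary or breached-password list.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// alphabet is the character set the generator draws from: upper- and
// lower-case letters, digits, and a few symbols most sites accept (74 in all).
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+"

// GeneratePassword returns n characters chosen uniformly at random from
// alphabet using crypto/rand, the way a password manager's generator does.
func GeneratePassword(n int) (string, error) {
	var sb strings.Builder
	size := big.NewInt(int64(len(alphabet)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, size) // uniform: no modulo bias, no time-seeded PRNG
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the strength of a uniformly random password of length n over
// an alphabet of k symbols: n * log2(k). Twenty characters over 74 symbols is
// about 124 bits, far beyond a dictionary word with a digit on the end.
func EntropyBits(n, k int) float64 {
	return float64(n) * math.Log2(float64(k))
}

// commonWords is a constructed stand-in for a real dictionary or breached-
// password list; a real check would load a wordlist of millions of entries.
var commonWords = []string{"password", "letmein", "welcome", "qwerty", "iloveyou"}

// IsDictionaryBased reports whether pw is a common word with at most five
// characters tacked onto the end ("password1", "Welcome2014!"), which is the
// "just add one to the end of your current password" habit the post warns against.
func IsDictionaryBased(pw string) bool {
	lower := strings.ToLower(pw)
	for _, w := range commonWords {
		if strings.HasPrefix(lower, w) && len(lower)-len(w) <= 5 {
			return true
		}
	}
	return false
}

func main() {
	pw, err := GeneratePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s (%.0f bits)\n", pw, EntropyBits(20, len(alphabet)))
	for _, c := range []string{"password1", "Welcome2014!", pw} {
		fmt.Printf("%-22s dictionary-based: %v\n", c, IsDictionaryBased(c))
	}
}
```

The point of crypto/rand plus rand.Int is that every character is equally likely; a generator seeded from the clock, or one that takes a random number modulo the alphabet size, produces passwords that are guessable or skewed, which is exactly what the manager is supposed to spare you from.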

If you’d like help implementing a system like that, let me know. For now, check the Mashable database of affected sites, and change your passwords accordingly.

*1Password is just one of many apps like this. LastPass is another good one, and Apple even has iCloud Keychain now, which is great, and is free!

UPDATE: Apple releases 10.9.2, closes SSL Security hole


Today Apple released Mac OS X 10.9.2, which fixes the SSL vulnerability in OS X (discussed in detail previously). In addition to patching the security hole, OS 10.9.2 also fixes a number of bugs in OS X Mavericks. arstechnica.com writes,

Apple has included a large number of other fixes and features too. The most prominent is probably support for the FaceTime Audio feature originally introduced in iOS 7—as the name implies, it lets you use the FaceTime application to make voice calls as well as video calls. Call waiting support for FaceTime video and audio calls has also been added.

Run Software Update on your Mac now to update to 10.9.2 and close the security vulnerability in SSL connections. You can also download the update directly here (for 10.9.1 users) and here (combo update for 10.9 or 10.9.1 users).

UPDATED: Apple’s SSL Vulnerability: How Does it Affect Me?


Apple recently released iOS 7.0.6 and 6.1.6 to address a dangerous security hole in the mobile operating system. If you haven’t updated your device yet, it’s important: do it now.

While Apple has fixed the issue for iPhone and iPad users, the vulnerability still exists in Mac OS X.

So, what exactly is the vulnerability; what data is at risk?

The vulnerability is in the way Apple’s software “handshakes” with secure servers on the internet. For a detailed explanation, the Wikipedia article on SSL/TLS is excellent. To sum it up, SSL (and its successor, TLS) is a protocol that facilitates a virtual “handshake” between your computer and a server. If you go to http://www.google.com, your browser loads the non-secure version of google.com. If you change the URL to add an S to the “http” you get https://www.google.com, and your computer checks Google’s SSL credentials to verify the server’s identity. The visual cue that you are viewing a secure site is a padlock, usually in the browser’s address bar.

This handshake is where Apple’s vulnerability becomes a problem. Apple’s software asks for the server’s SSL credentials, but its check can be easily tricked, which opens the door to a “man in the middle” attack: someone could present fake SSL credentials and Apple’s software would think it was securely connected to the right server.

So what data is at risk? Theoretically, lots.
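
The handshake check described above, shown as an added example (my code, not the post’s and not Apple’s): Go’s crypto/tls run over an in-memory pipe, with a genuine server, an impostor holding a self-signed certificate for the same name, and a client that either verifies the credentials or has verification switched off. mail.example.com is a constructed host name; no real server or network is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate for host. The same helper makes
// the genuine server's credential and the impostor's: anyone can produce a
// certificate that *claims* a name; only the client's check tells them apart.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// Handshake runs one TLS handshake entirely in memory over net.Pipe. The server
// presents serverCert; the client applies clientCfg. The client's handshake
// error is returned: nil means the client accepted the server's identity.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	cliEnd, srvEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		srv := tls.Server(srvEnd, &tls.Config{
			Certificates:           []tls.Certificate{serverCert},
			SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
		})
		_ = srv.Handshake() // the server's own result is not what we are measuring
	}()
	err := tls.Client(cliEnd, clientCfg).Handshake()
	cliEnd.Close()
	<-done
	srvEnd.Close()
	return err
}

// Scenarios reports the client's decision in three situations:
//   genuineOK:          the real server, client trusting its certificate  -> accepted
//   impostorRejected:   a different self-signed certificate, same name     -> rejected
//   unverifiedAccepted: the impostor again, with verification switched off -> accepted
// The last case is the shape of a man-in-the-middle problem: nothing on the
// wire differs from the impostor case except that the client stopped checking.
func Scenarios() (genuineOK, impostorRejected, unverifiedAccepted bool, err error) {
	const host = "mail.example.com" // constructed name; no real server involved
	genuine, genuineX509, err := selfSignedCert(host)
	if err != nil {
		return
	}
	impostor, _, err := selfSignedCert(host)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(genuineX509)
	strict := &tls.Config{ServerName: host, RootCAs: roots} // verification on (the default)
	loose := &tls.Config{ServerName: host, InsecureSkipVerify: true}

	genuineOK = Handshake(genuine, strict) == nil
	var unknownAuthority x509.UnknownAuthorityError
	impostorRejected = errors.As(Handshake(impostor, strict), &unknownAuthority)
	unverifiedAccepted = Handshake(impostor, loose) == nil
	return
}

func main() {
	g, r, u, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\nimpostor rejected: %v\nimpostor accepted when unverified: %v\n", g, r, u)
}
```

The bytes the impostor sends are a perfectly well-formed certificate for the right name; what protects you is the client refusing it because nobody it trusts vouched for it. A client whose verification step is broken or skipped behaves like the third scenario, and the padlock it shows means nothing.
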
Which Apps should I stop using?

Only Apple’s own apps are in danger. If you use Google Chrome or Firefox for web browsing, you’re OK browsing the web.

BUT, Apple’s Mail program is vulnerable. Some people use SSL certificates to communicate securely via email. Mail’s secure communication is vulnerable until Apple releases an update to close the hole. Additionally, Apple’s Calendar app, FaceTime, Keynote, Twitter, and iBooks are all at risk.

Am I at risk all the time?

Honestly, if you’re practicing good internet security, you’re probably fairly safe.

In order for someone to take advantage of the security hole, they would have to be connected to the same local network as you, meaning they would have to be on your home or work wifi. To be safe online, limit the work you do on networks other than your trusted home or work network. If you’re at the coffee shop, airport, public library, or ANY NETWORK YOU’RE NOT CONFIDENT IS SECURE, make sure you use Firefox or Chrome to access your email and calendar instead of Apple’s Mail and Calendar programs.

If you have a VPN connection to your work network, use it.

This security flaw is a great opportunity to think about network security. Is your home wifi protected? Have you changed the default passwords from when your network was originally installed? Is it worth it to set up a VPN connection, or invest in a VPN service? Have you applied all available software updates?

It’s becoming more and more important to have a grasp of good practices for keeping safe online. Never hesitate to reach out to someone (feel free to email me) who knows more about this if you’re unsure.

UPDATE 2/25/2014: Apple has released an update to fix this issue. Read more about it here.

iOS 7 – Apple’s Bright New Mobile Update


Wednesday, September 18, Apple releases iOS 7, a free update for iPhones 4, 4S, and 5, as well as for all iPads 2 and newer. After six weeks of using iOS 7 previews, I find there are some things I’m completely in love with about iOS 7 and some things I hope they fix soon.

In his great review “The perfect balance of ‘new’ and ‘now’” at BGR.com, Zach Epstein points out that one of the worst things about iOS 7 is one of the first things users will see, the new icons.

They’re hideous.

I have joked about the icons here on BGR and on my Twitter account as well, but in all seriousness, most of Apple’s iOS 7 icons are shockingly bad. Some are just kind of ugly while others are downright embarrassing. I’m really not sure how this could have happened.

It seems trivial, but it’s unbelievable to think that a company known for its designs created these Adult Swim-looking monstrosities. Reminders, Game Center and Newsstand are particularly atrocious.


I have to say I completely agree. The icons are my least favorite part of the redesign. They’re neon bright and visually jarring. On the other hand, once the shock of the bright icons wears off, it’s remarkable how familiar everything feels.

The look of the operating system has indeed undergone some major changes, as has every single Apple-built application. The look is flatter, the colors are brighter and many shapes have been smoothed out. The layouts of Apple’s various apps have for the most part remained unchanged, however, which means there is almost no learning curve for a user who is already familiar with iOS.

After using iOS 7 for a while now, I’ve come to really like it. I’ve come to rely on Control Center for quick access to settings, Airdrop has proven useful more than once, and I love the fit and finish of the animations.

If you’re on the fence about whether or not to upgrade, I suggest going for it (on your iPhone 4S or iPhone 5 — I’d choose not to upgrade if using an iPhone 4). Further recommended reading for you doubters: here, at ZDNet.

How to Spot a Fake Email

For the last couple of weeks I have been receiving fake emails alerting me to an important message at either Facebook, Google, or iTunes.


Image captions: “Phishing” emails; “Phishing” email made to look like Google

As you can see in the pictures, the emails look legitimate, and contain the correct email addresses and mailing addresses of Google and Facebook (and LinkedIn, Twitter, etc.).

When we dig a little deeper, though, we can see these emails are actually originating from completely different addresses. Take a look at the email that says it’s from Google Support. When you move the mouse to the “from” name, a tiny white drop-down menu shows up.

Image: select drop-down

When that drop-down menu is clicked, Apple Mail shows us the actual email address sending the message, not just the displayed name.

Image: actual Gmail address

When social networking sites, banking sites, online retailers, and basically any entity that you have a username and password for emails you, I highly recommend verifying the email address in addition to the displayed name.

Another way to avoid handing these scammers your information is to go to the site yourself: type “facebook.com” into your browser instead of following a link from an email.
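The two checks the post recommends, as an added example (my code, not from the post): parse the From header to separate the display name from the actual address, and compare each link’s visible URL with where its href really goes. The message, the brand list and every domain in it are constructed for the example, not taken from the emails in the screenshots.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// rawPhish is a constructed sample message (not one of the emails from the
// post): the display name says "Google Support", the actual address is on an
// unrelated domain, and the link's visible text and its real destination differ.
const rawPhish = "From: \"Google Support\" <alerts@mail-security-notice.example>\r\n" +
	"To: you@example.com\r\n" +
	"Subject: Important message in your account\r\n" +
	"Content-Type: text/html\r\n" +
	"\r\n" +
	"<p>Sign in here: <a href=\"http://accounts.google.com.verify-login.example/\">" +
	"https://accounts.google.com</a></p>\r\n"

// brandDomains maps a word that shows up in a forged display name to the domain
// the brand actually mails from (constructed list; extend as needed).
var brandDomains = map[string]string{"google": "google.com", "facebook": "facebook.com", "itunes": "apple.com"}

// Finding is one thing a careful reader should notice about the message.
type Finding struct{ Kind, Detail string }

var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// registrableDomain approximates "the site this host belongs to" by keeping the
// last two labels; a production check would consult the public suffix list.
func registrableDomain(host string) string {
	parts := strings.Split(strings.ToLower(host), ".")
	if len(parts) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(parts[len(parts)-2:], ".")
}

// Inspect parses the message and returns findings: a display name that invokes
// a brand while the real From address lives elsewhere, and any link whose
// visible URL and actual href point at different sites.
func Inspect(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	addrDomain := registrableDomain(from.Address[strings.LastIndex(from.Address, "@")+1:])
	for word, domain := range brandDomains {
		if strings.Contains(strings.ToLower(from.Name), word) && addrDomain != domain {
			findings = append(findings, Finding{"sender", fmt.Sprintf("display name %q but actual address %s", from.Name, from.Address)})
			break
		}
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		href, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		text, err := url.Parse(strings.TrimSpace(m[2]))
		if err != nil || text.Host == "" {
			continue // link text is not a URL, so there is nothing to compare
		}
		if registrableDomain(href.Hostname()) != registrableDomain(text.Hostname()) {
			findings = append(findings, Finding{"link", fmt.Sprintf("shows %s but goes to %s", text.Host, href.Host)})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Inspect(rawPhish)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s %s\n", f.Kind+":", f.Detail)
	}
}
```

This is the same inspection the post does by hand in Apple Mail: the display name is whatever the sender typed, the address after it is what the mail was actually sent from, and the blue link text is whatever the sender wanted you to read, not where the link goes.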

These types of scams are very effective, but with a little knowledge they can be successfully thwarted.