Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, attributing the original hack as likely being the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the install of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Scheier, have evaluated the data released, and in light of the the current political climate between the US and Russia, are of the opinion that this might be a manuever by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?
Researchers from security firm Check Point announced at this year’s DefCon security conference that up to 900 million smartphones may be vulnerable to a set of up to 4 vulnerabilities that appear in Qualcomm-powered devices. Discovered earlier this year and reported to the manufacturer, Qualcomm has since published fixes, but not all manufacturers have pushed these fixes to all the affected models, including Google’s own Nexus line which normally has a reputation for being kept more current than most Android devices.
What this means for you:
Based upon the affected Qualcomm chipset impacted by these four vulnerabilities, the following models are impacted:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
To find out if your phone is affected by the vulnerabilities, you can run this app on the Google Play Store: QuadRooter Scanner. Buyer beware: the app developer is very transparently marketing its mobile protection app through the publicity surrounding their discovery. I don’t begrudge them the opportunity – after all they did the hard work to discover these flaws, but I didn’t install their software as I am confident I can keep my device safe, and I’m sceptical of mobile security apps in general. If the app reports that you are vulnerable, it will state which CVE’s are still unpatched on your device. You have a few options at this point:
- Check to see if any outstanding OS updates are available to be installed on your device. Where this is shown will vary depending on your phone’s manufacturer, but typically it will be found in “Settings”
- Avoid “side-loading” apps from dodgy sources. Only install apps from the Google Play store and nowhere else. Even then, think twice and read the reviews on any new apps, especially ones that seem to be very new – hackers have been known to sneak malicious apps onto the Play Store for a short while before being detected and removed.
- As usual, avoid opening strange emails, URLs and attachments on your device.
- Send an email to your device manufacturer asking them when they plan to patch the vulnerabilities on your phone. The more people that write in, the more likely the manufacturer will move faster on deploying the fixes.
Just when you think Microsoft might have its act together security-wise, some clever/persistent security researcher will do their damndest to shatter your fledgling comfort with the latest exotic bug. In this case, the bug has been around since 1997 – it’s so old it’s officially Bug #4 in Internet Explorer. As in the fourth bug discovered in Internet Explorer, ever. And never fixed! Sadly, this negligence has arisen as a critical security flaw in both Windows 8 and 10, and could lead to your Microsoft Live account being exposed.
What this means for you:
This flaw does not affect the following:
- Windows 7,
- Windows 8 or 10 computers attached to a domain,
- Windows 8 or 10 computers accessed via local accounts,
- Windows 8/10 users who do not use Internet Explorer, Edge or any version of MS Outlook.
The people who fall into #2-4 are what I would call a “select” demographic, which is to say that it’s more likely you are using Windows 8 or 10 with a Live account. Via trivial exploit, a hacker could obtain your login and a hashed version of your password, and depending on how complex that password is, that hash could be cracked in less than a minute, meaning your Live account is now fully compromised. In case you weren’t sure what Live accounts can do, they give you a wide variety of access to Microsoft services including OneDrive, Skype, MS Office, and XBox Live to name a few, not to mention your actual computer, should the hacker somehow gain access to your local network or the device itself.
Before you start panicking, there is a (relatively) simple solution: change your password and switch your Live account to use 2-factor authentication. This won’t change how you log into your computer, but it will force anyone trying to use your credentials elsewhere online from using them without that second authorization that 2-factor provides, even if they manage to steal your password again. To really circumvent this bug from impacting you, switch to using a local account on your computer, or to stop using IE/Edge and Outlook until Microsoft fixes this ancient, but dangerous bug.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
It’s time for Decision 2016, but unfortunately not the decision most of us would rather get out of the way to get on with our lives…or is it? Microsoft is ending its year-long offer this Friday of a free upgrade for Windows 7 and 8 machines to Windows 10. Though I may say with no small amount of sarcasm that I’m surprised more people haven’t taken advantage of this offer (or been taken advantage of, depending on your vantage point), Microsoft is sticking to its guns and after Friday, Windows 10 Home upgrade will be $119. And the decision, in case it hasn’t already been made for you (sound familiar?), is whether or not you should upgrade to Windows 10. With nearly a year of watching people being flung into the upgrade abyss without warning, my answer hasn’t changed, and the release of the cost of taking the free road makes it easier for me to explain why. For every single trouble-free upgrade I’ve come across, I’ve come across 3 that are in varying degrees of dysfunction. If you like those odds, or value multiple hours of your time at less than $119, then push that button before Friday.
Dang it, Woo, why you gotta be such a Debbie Downer?
Windows 10 on a brand new machine runs great. It’s a nice evolution of the Windows operating system, and for the most part it runs just like Windows 7 with a little 8 for spice. The new OS isn’t the problem – the problem is your old computer and its years-old operating system. Even if it’s been professionally managed, kept squeaky clean and “barely used”, all Windows operating systems build up what I call “cruft” over time. With use, Windows computers builds up the technical equivalent of barnacles, but unlike ship hulls, we can’t dry-dock your PC and scrape it clean. If you want to upgrade your computer to Windows 10, the most trouble-free experience will only come if the computer hard drive is wiped clean and Windows 10 installed fresh. Even then, there are no guarantees that your computer (despite Microsoft’s insistence) is really ready for Windows 10. The most common, aggravating problems my clients have experienced have come from buggy drivers for their video cards, network interfaces and peripherals, as well as forced upgrades to Internet Explorer 11 which many times will render older corporate web apps unstable or unusable. The latter problem will be fixed (over time, maybe), but for some older hardware, there won’t be upgraded drivers, forcing you to upgrade the affected device, if you even can. Another inexplicable and (eventually) untreatable problem is a slow degrade in performance after your OS is upgraded. Windows 10 will run, but parts will frequently crash or just won’t open their interfaces. Your computer will take long pauses for no apparent reason, sometimes for Windows updates being applied with no notice, and many times just because.
If you really want to upgrade your computer to Windows 10, here is the recommended path:
- Backup your entire hard drive – sometimes called “imaging” or making a bootable copy
- Backup your data and settings separately.
- Make sure you have installation media/files for all your critical applications, including activation keys, codes, proof of purchase, etc.
- Let Microsoft upgrade your computer to Windows 10, and then activate your copy online when the upgrade is complete.
- Create Windows 10 installation media (either DVD or bootable thumb drive)
- WIPE THE DISK
- Reinstal Windows 10 from scratch
- Re-activate your install
- Restore your data and apps to your brand new Windows 10 computer.
- Have a much better day than your peers who stopped at step 4.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Seagate recently announced a new hard drive that can store up to 10TB of data on a standard 3.5″ hard drive designed for consumer-class devices, raising the bar by two terabytes from their previous models. If you are having trouble visualizing how much data that is, think of it in these terms: A single terabyte (1000 gigabytes) is equivalent to 1400 CD-ROMs of data, 2000 hours of CD-quality audio, 27,000 36mb photos (super high-res), or 85 million Word documents. And that’s just a tenth of this hard drive’s capacity. For large companies, 10 terabytes might be a number that was surpassed a few years ago (depending on the nature of their work), but the average home computer user rarely amassed more than 1-2 terabytes of data, even with lots of photos, music and backups.
What this means for you:
Unfortunately, hard drives are like closets, attics and rental storage: they will fill up with stuff, and at some point, it becomes nigh impossible to find the thing you are looking for without digging through a ton of old, mostly useless stuff. Unlike physical storage, hard drive storage is becoming increasingly easy (and cheap!) to expand. You don’t even need to buy hard drives if you don’t mind storing stuff “in the cloud” (which is just a bunch of hard drives somewhere else). Software is improving constantly to help us sort through this mountain of data, but the one technology that is still struggling to keep up with exploding data sizes are internet speeds, and accordingly, offsite backups are affected. On an average consumer broadband connection whose upstream maxes out at 5 megabits/second, backing up a single terabyte of data would take over 500 hours, and that’s at optimum speeds! If you happen to be one of the lucky few that have something like Google fiber, you could theoretically backup that same amount of data in 2 hours, but only if your backup service could even sustain that transfer rate (insider tip: it can’t). Long story short: just because space is available, don’t fill it up without some solid planning. Determine what data needs backing up and what you could easily replace. Examples of the latter include downloaded music, videos or audiobooks, applications and local copies of photos that are stored in the cloud.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Recently I wrote about why Windows 10 has been offered for free to the millions and millions of Windows 7 and 8 users: profit. Get ’em hooked on your shiny new OS, and then reel them in when it comes time to start upgrading your businesses, all who employ people who have become familiar with the new OS (whether they wanted to or not). But wait, Chris, isn’t Windows 10 free for businesses too? Maybe the small ones, but when you have more than a couple dozen computers, your Windows and Office applications are typically acquired through one of Microsoft’s myriad licensing programs. Up until now, one of the licensing options many businesses opted for was essentially a one time purchase of Windows for each computer, providing a license that did not need to be renewed (unless you wanted support directly from Microsoft), and in certain cases, was transferable from computer to computer as you upgraded. This model is changing with Windows 10 Enterprise, and presumably at some point in the future, for all flavors of Windows going forward. Starting this Fall, companies who want to upgrade their fleets of computers to 10 will pay $84/seat/year.
What this means for you:
With previous versions of Windows, Microsoft had committed to providing updates and patches essentially for the life of the product. You bought Windows once, presumably when you bought your computer, and never another dime to Microsoft after that. Though they haven’t outright said so, the subscription model for Windows implies that unless your subscription is maintained, updates and even certain functionality will cease when your subscription lapses. Any of you who have had your Office365 subscription lapse may have already experienced this: the software isn’t removed from your computer, but certain key functions are disabled, such as printing and saving, until your subscription is reactivated. This was a rude awakening for some who were used to the buy-it-once models of Office 2007 and 2010. Microsoft has gone on record stating that the Windows 10 licenses acquired through their free upgrade offer this past year will remain free for the “life of the machine” on which it is installed, but as you may have suspected, this free license is tied to that specific machine, and is not transferrable to a different computer. For the moment, the non-Enterprise versions of Windows 10 appear to be free of subscription hooks, but don’t count on it lasting much longer.
It wasn’t enough that one tech giant was making hot headlines because their products were literally a fire hazard, now computer manufacturer Lenovo is feeling the burn due to a recently disclosed vulnerability that could have a widespread impact on many of their computers. Dubbed “ThinkPwn” by its discoverer as a play on the popular Lenovo ThinkPad model, this particular weakness seems to impact the entire ThinkPad line going back several years as it’s a flaw embedded in the firmware of the chipset used in dozens of computer models, including, unfortunately, HP and motherboards made by component manufacturer Gigabyte, which are extremely popular amongst build-your-own PC enthusiasts. The ThinkPwn weakness appears within low-level code that provides core security infrastructure to the operating system that runs on top of it. If Microsoft Windows was your house, this code is a big crack in your foundation.
What this means for you:
Neither Lenovo or HP have disclosed which models are affected, but it seems widespread enough that Lenovo has issued an “industry-wide” warning. Presumably all affected manufacturers are working on security fixes, but none are available yet, so if you own an HP or Lenovo (or Gigabyte-powered PC), sit tight, make sure your antivirus is up to date, and remain vigilant.
How did this vulnerability come to impact so many computers? The hardware-layer code that powers the machine-OS interface (BIOS on older machines, UEFI on newer computers) is also written and updated by a small number of companies called Independent BIOS Vendors or IBVs, all of whom use a base set of code from chipset manufacturers like Intel and AMD. Like so many other widespread weakness, the proliferation of the flaw comes from everyone in the industry relying on a core set of code. Thank you, Mass Production!
Of all the people I’ve talked to about surprise Windows 10 upgrades, very few were happy with the event even if the upgrade actually ended up in a functional computer (a good percentage don’t). One woman in California was angry enough to sue Microsoft over the unwanted upgrade, and actually prevailed. You’ll notice I didn’t say “won” as Microsoft admitted no wrongdoing on their part and dropped their planned appeal in order to avoid further litigation costs. Truth be told, I’m fairly certain Microsoft could have easily won by throwing their third-string litigation team at this case with microscopic impact on their finances, but perhaps some smart folks got in front of the lawyers to prevent what would surely have been a PR nightmare. Microsoft has been part bully/part implacable juggernaut when it comes to Windows 10 upgrades, and a lot of my clients have been asking why they are pushing so hard.
This is easily answered with one word: Money
But wait, isn’t Microsoft giving away Windows 10 for free? Absolutely, and it’s still available up until the end of July for the same low, low price of zero bucks. But just as your favorite aged relative is fond of saying, “Ain’t no such thing as a free lunch!” What many folks don’t know is that Microsoft is intending for Windows 10 to be their gravy train for the foreseeable future by converting the OS to a subscription model, just like they did with Office, which, by the way, is another big money-maker for them. It’s free for now, but at some point in the near future, the next upgrade won’t be. It will only be available for computers that have paid subscriptions to Windows 10. That’s right, your first “hit” was free, but now that you are hooked, you have to pay to support your “habit”.
That’s not the only hook. Some of you noticed that some of your favorite time-wasters like Freecell are now only available through the Windows Store, another “convenient” feature available in Windows 10. By pushing millions of Windows computers to their new operating system, Microsoft is hoping to create a new source of revenue that is sitting right on your start bar. If it sounds familiar, that’s because Microsoft has taken a page from Apple’s playbook, replicating the incredibly profitable app store model used on iOS devices. The forced Windows 10 upgrades will supply the demand, and the supply is handily built into their new OS.
In a list of things in life (blind dates, new sports cars, Spotify playlists, etc.) that should be “fire” (latest slang for “hot”) your laptop and its battery should not be named. Unfortunately, if you happened to have purchased certain HP laptop models between 2013 to 2015, you might be re-introduced to the literal definition of “fire”. Technology manufacturer HP announced a worldwide, voluntary recall of certain batches of batteries that “pose a fire and burn hazard” that have shipped from the factory in 35 different laptop models, and may have been installed after-market in 38 other HP and Compaq models. HP has a full listing of impacted models on their website, and offers both software and physical means to determine if your battery is affected by this recall.
What this means for you:
If you’ve purchased an HP laptop anytime between now and 2013, I recommend flipping it over and checking the battery’s serial number on HP’s site. While you’ve got it upside down, visually inspect the battery and laptop for warped plastic, bulging or discoloration of any surrounding materials. Carefully check if the battery is hot to the touch. Warm is OK, but if it’s too hot to touch with your finger, you may have a problem. Keep in mind that certain laptops may run quite hot during CPU-intensive activities, including working with very large documents, playing video games or watching streaming video, and more so if the laptop is resting on insulating materials like blankets, cushions or even your pants or dress. It may also get hot if vents on the sides or bottom of the laptop are blocked for even short periods of time. Don’t panic if your laptop doesn’t have vents – the manufacturer only puts them in if the design calls for it. If your battery is not part of this recall, shows no signs of warping or heat damage, but still seems unusually hot to the touch even after working with it on a cool, flat surface, consider replacing it, either under warranty if still applicable, or by purchasing a replacement, preferably from the same manufacturer as your laptop. Cheaper, off-brand batteries might be an option, but check reviews as the knock-offs tend to have more problems with reliability and longevity.
Though it’s been reported as being on death’s door for well over a year, Adobe Flash is still in wide use on the internet. Just as stubbornly, security problems continue to plague its undying existence, and the latest is already being exploited by an advanced persistent threat group dubbed StarCruft by security firm Kaspersky. Details are sketchy at the moment – Adobe isn’t publicizing any details on the loophole, and it won’t be patched until June 16 at the earliest.
What this means for you:
According to Kaspersky, the exploit is definitely being used to attack what they call “high value” targets – primarily large companies or organizations with data that would be prized either for criminal or political value, but that doesn’t mean anyone can rest easy. The patch from Adobe will most likely solve this particular vulnerability, but you can count on other exploits being discovered, as they always have in the past, and, as always, the fix is entirely dependent on people actually updating their software on a regular basis. Until you can confirm Flash has been patched on your workstation, avoid clicking strange links (as always), and make sure you have updated malware protection in place.