Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Heartbleed bug has a “sequel” – Shellshock

  • 0
admin
Saturday, 27 September 2014 / Published in Woo on Tech
Linux targeted

While the world is trying to mop up the mess that Heartbleed left behind, along comes another vulnerability that might be just as big. Dubbed “Shellshock” because it affects the Bash shell commonly found on Linux computers, and (this may surprise you) some Mac OS X servers. “Shells” are the technical term for the user interface of a computer, something you may know as a “GUI” (sometimes pronounced “gooey”, an acronym for graphical user interface). In this case, Bash is a text-based user interface that has been in use on Unix & Linux machines since 1989. What makes Shellshock so alarming is the ease of which could be exploited by hackers, the scope of hacks which could come from exploiting the weakness, and the number of machines potentially vulnerable to this bug.

What this means for you:

Unless you run a Linux or Mac OS X Server, most folks could be affected by this the same way they were exposed with Heartbleed – anyone who uses the internet has probably visited a site or used a service that is run on Linux-based webservers, and a large percentage of them probably use Bash. Security firms have already discovered attacks “in the wild” attempting to exploit un-patched servers, and due to the pervasive access a command line interface has to the computer’s operating system, any number of system compromises can be executed once the hacker has control of the Bash shell. In other words, if an internet service you use gets “Shellshocked”, any data they may be storing about you on their servers could be exposed. For now, unless you are a server administrator, there’s not much you can do, other than inquire with your critical providers whether they have taken steps to protect against the Shellshock vulnerability.

Applebashhearbleedlinuxmac os xsecurityshellshockunixvulnerability

Heartbleed security hemorrhaging continues

  • 0
admin
Tuesday, 15 April 2014 / Published in Woo on Tech
Heartbleed Bug

Heartbleed continues its rampage across the internet. There are too many stories to tell and too little time. Read on only if you have the stomach for it.

  • Networking companies Cisco and Juniper have revealed that several dozen models of their hardware devices are affected by the OpenSSL security flaw known as Heartbleed. To see if any of your networking products made this list, Cisco’s advisory can be found here, and Juniper’s here.
  • Two sources close to the NSA allege that the spy agency has exploited Heartbleed since it first appeared over 2 years ago.
  • Android smartphones and tablets running version 4.1.1 of the Google operating system are vulnerable to the bug. According to Google, this may affect less than 10% of all Android devices, but given that there are nearly 900 million Android OS devices, that still means millions.
  • The vulnerability was used to steal 900 taxpayer ID’s from Canada’s Revenue Agency.

What this means for you:

The security implications of the Heartbleed vulnerability are staggering and very difficult to encompass. Now, more than ever, you must keep a close eye on your digital assets and accounts. Confirm with your financial institutions whether or not they were impacted by the bug (most major, commercial banking institutions did NOT use OpenSSL), and if they were, wait until they confirm that they have fixed it before changing your password. Do NOT use any software or websites confirmed to be affected by Heartbleed until they patch the bug, even to change your password. If you do this while the vulnerability still exists, there is a good possibility that hackers can actually see you changing your password and record the new one. Right now, because of the spotlight on this hole, hackers are racing to exploit the panic and confusion, and you are more likely than ever to be hacked. Wait until your websites confirm they have patched the security hole before using them to change your password.

Keep in mind that many, many organizations are still working through the impact this bug has on their technology, and many are just as confused as you might be. There will continue to be a lot of uncertainty and possible panicky responses from company representatives who are ill-informed on their company’s official stance on Heartbleed. The vulnerability affects a technology that is sophisticated and not easily explained, and not even the most eloquent among technology professionals can convey the problem and solutions in easy-to-understand terms. During these uncertain times, constant vigilance is the only weapon many of us have at the moment, so keep your eyes open and your IT consultant on speed-dial!

 

 

 

AndroidbreachciscoGoogleheartbleedjunipernsasecurityvulnerability

Widespread Encryption Weakness Discovered After 2 Years

  • 0
admin
Wednesday, 09 April 2014 / Published in Woo on Tech
heartbleed.png

Researchers from Google and security firm Codenomicon released details yesterday on a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, this vulnerability is found within a code library called OpenSSL – a tool almost universally used in Linux-based webservers, and it may have been in existence for as long as two years before being discovered this past weekend. In a nutshell, this weakness could theoretically allow a hacker to download critical bits of information that are literally the cryptological “keys to the kingdom” of a server affected by this bug. And unfortunately, there is no way to detect an exploit of this vulnerability, nor to determine what, if anything was stolen in the alleged attack.

What this means for you:

You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full Disclosure: C2’s own website had this bug up until late last night when the server was patched). And by large, I mean websites like Yahoo Mail. Essentially, the weakness could allow hackers to scrape a small segment of active, encrypted server memory and read the contents, which could contain just about anything at the time, up to and including passwords or actual cryptographic keys that can be used to decrypt encrypted data sent by the server itself. Alas, because there is no way to tell when or even if a Heartbleed bug exploit is occurring, there’s no way to tell if anyone, or everyone has been compromised in some form by this hole.

Fortunately, the media seems to be grasping the severity of this problem, and has broadcast this story across every website. Unfortunately, this may prove to be a double-edged sword as both server adminstrators and hackers scramble to get to the unprotected server memory first. For any online service you use that utilizes HTTPS or other forms of encryption, you will want to watch for announcements and news from that service: either acknowledging and fixing the bug, or assuring their customers that they are not affected by this weakness. Either way, it’s always a good idea to never use the same password more than once, and to always keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.

bugheartbleedholehttpslinuxopensslsecurityvulnerabilityweaknesswebserver

XP Support ends April 8

  • 0
admin
Tuesday, 01 April 2014 / Published in Woo on Tech
Windows XP

In case you haven’t heard, about a third of the world’s computers are about lose official support from Microsoft on April 8. Any computer running Windows XP will no longer receive updates or fixes to any vulnerabilities discovered after the cutoff date. Microsoft will continue to provide limited support to its XP-compatible security products, like Security Essentials (their free anti-malware product), but that is set to end sometime in 2015. Most antivirus manufacturers have stated that they will continue to support XP-compatible versions of their apps into 2016, but without core patches to the XP operating system, their efforts will be merely fingers in a deteriorating dike.

What this means for you:

Though you may not know it, your company or the vendors that service you may be heavily reliant on XP. Case in point – one of my clients relies on XP workstations to monitor environmental-control equipment (think air-conditioning and heating) and building automation systems, and some of the computers running these applications haven’t been updated for years, and in some extreme cases, the hardware may be close to a decade old. Hardware failure aside, the lack of support for XP going forward will mean those computers will need to be replaced ASAP, and may be a cost you hadn’t considered in your 2014 or 2015 budget.

Windows XP powered computers are likely to show up in places where they are used regularly, but maybe not by a single individual and are thus overlooked during the part of the regular upgrade process: kiosks (lobby directories, ATMs, silent radios), point-of-sale systems, document scanning stations, etc. Make sure you comb through your organization’s infrastructure for these computers, as they will become vulnerability points for your entire operation and could lead to serious security breaches. Unfortunately, rectifying these obsoleted workstations won’t be cheap nor easy, especially if they power critical systems, but in some cases it may be possible to port XP-only applications to Windows 7 and run them in compatibility mode. Make sure you work closely with vendors who supply this older software to determine what, if any, plans they have to bring their platform to Windows 7, and if they have no plans, it may be time to consider a new vendor or service.

microsoftpatchingsecuritysupportupdatesvulnerabilitywindows xp

Serious Security Hole Revealed in iOS

  • 0
admin
Tuesday, 25 February 2014 / Published in Woo on Tech
Apple Logo

Usually Apple is able to sit on the sidelines of today’s technology security circus , enjoying a (debatable) reputation for being more secure than Windows and even Android. Unfortunately, it had to step into center stage this week and own up to a security flaw in its core networking code used in both iOS and OS X. And not just a little one either: this one affects how SSL-encrypted network traffic is handled, and it affects iPhones, iPads running iOS 6 or 7, and any computer running OS X 10.9 “Mavericks”.

What this means for you:

In a nutshell, the bug essentially prevents the affected device from verifying the identity of the certificate used to guarantee the SSL encryption. When your Apple device fires up a secure connection using SSL, the first thing it’s suppose to do is check the SSL certification of the destination by verifying it’s identity. Except, in the case of the bug, it doesn’t but reports back to the device that everything is OK. This would be the equivalent of putting a blind doorman in front of your bar to check ID’s. Apple has released a patch for iOS 6 and 7, but still has not issued a fix for the OS X platform.

For now, until you verify you’ve patched your mobile device with the latest security update for your version of iOS, I recommend against using any applications that transmit confidential data (your’s or your client’s) over the internet. On the desktop/laptop side, avoid using Safari until OS X is patched, and switch to a browser like Chrome or Firefox, both of which implement their own SSL code that is not affected by this flaw. To keep track of whether or not Apple has fixed this hole, you can visit: http://hasgotofailbeenfixedyet.com/

Update: As of Feb 25, Apple has issued a patch for OS X 10.9. Make sure your Apple devices update to the latest version of their corresponding operating system.

Appleconfidentialencryptionflawsafarisecuritysslvulnerability

Another Day, Another Zero-day IE Exploit in the Wild

  • 0
admin
Wednesday, 18 September 2013 / Published in Woo on Tech
IE Exploit

In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in version 8 and 9 of Internet Explorer. I’ll spare you the gory details but the gist of the hole is such that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.

What this means for you:

If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.

browserchromeexploitfirefoxinternet explorermicrosoftpatchsafarivulnerabilityzero day

Android App Flaws Revealed

  • 0
admin
Tuesday, 16 July 2013 / Published in Woo on Tech
Android_logo.png

Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts, emails on the sly. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.

You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.

What this means for you:

Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).

Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for technically-disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of its phones, but I wouldn’t hold your breath.

Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, pins and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.

AndroidexploitGoogleplay storesecuritysideloadingsmartphonetrojanvulnerability

Public Chargers Could Hack Your iPhone

  • 0
admin
Monday, 03 June 2013 / Published in Woo on Tech
Poisoned charger!

The upcomign Black Hat security conference features a topic that may give traveling iPhone users second thoughts about using a public charging station to juice up their phones. Three security researchers from Georgia Institute of Technology have built a prototype device that can hack an iPhone through the dock connector merely by being plugged in. Supposedly this hack can be accomplished on the latest iOS update, and does not require any interaction from the user, nor does it rely on the device being jailbroken.

What this means for you:

I’ve always viewed public charging stations as being rather sketchy to begin with, especially the ones that charge you for the service and offer “highspeed charging” which could easily fry your phone’s battery if not the device itself. I’d rather spend a few extra minutes locating a regular wall outlet and using my own equipment. Supposedly the prototype that will be demonstrated at the upcoming conference is too big to fit into a standard Apple-branded iPhone charger, but the designers of the device inferred that stealthier versions wouldn’t be hard to produce at all.

Most modern smartphones combine data and power in the same port (Android phones and most tablets also feature this same convenience) so it may not be just iPhones that will be vulnerable to this method of attack. For now, make sure you use chargers you know are safe regardless of what type of mobile device you use, and avoid public charging stations. This particular cow is well on its way out of that barn.

AndroidApplechargercharging stationHackingiPhonemactansmalwaresecuritysmartphonetabletvulnerability

Popular Consumer Router Vulnerable

  • 0
admin
Wednesday, 10 April 2013 / Published in Woo on Tech
linksys-ea2700.jpg

Security tester Phil Purviance has gone public with his findings on a popular router that widely sold to consumers and small businesses. He sums it up succinctly:

…any network with an EA2700 router on it is an insecure network! 

The router in question is commonly found at big box retailers like Fry’s Electronics, Best Buy and pretty much any retailer that sells consumer electronics. Purviance reported his findings to Cisco over a month ago, but the hardware giant has yet to comment or issue any fixes to the public.

What this means for you:

If you are using a Cisco Linksys EA2700 router for your internet connection, your device and any computer connected to the EA2700 is at risk. Seeing as most folks aren’t even aware that their routers have software/firmware that can be upgraded, it’s likely that even if Cisco were to fix all the vulnerabilities outlined by Purviance, those fixes are unlikely to be applied by most consumers and small businesses. At the moment, the only true fix for the EA2700 is to replace it with something else, but with what? Researchers are still playing catch-up in this space, as there are literally hundreds models of consumer-grade routers installed in the US alone.

As a business owner, you should consider upgrading to a business-class router from a major manufacturer like Dell, Cisco, Fortinet, etc. (Cisco’s business-class equipment, ironically, is typically considered a standard choice). At the very minimum, understand what you have installed, upgrade the firmware if possible, and check with your local IT professional (C2 is always there to answer your questions!) to determine if there are any widely known exploits published about your particular router model.

ciscoconsumer gradeea2700exploitsHackinghome routerlinksysrouterssecurityvulnerability

Java 7 Flaw Prompts Widespread Warnings

  • 0
admin
Sunday, 13 January 2013 / Published in Woo on Tech
java-logo.png

Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”

What this means for you:

Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.

Click this link to see how to disable Java in your browser

browserchromeexploitfirefoxinternet explorerjavapluginsafarisecurityvulnerabilityzero day
  • 1
  • 2
  • 3

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP