Trails End Computer Club

Bulletin for the month of MAY 2014


MEETINGS WILL CONTINUE IN THE FALL


SPECIAL INTEREST GROUPS:

If you would like to meet in a small group to discuss special computer-related subjects or form a Special Interest Group, let's discuss it.

Our bulletin is also available online by visiting tecc.apcug.org and clicking on Bulletin.


tecc.apcug.org

See Bulletin Selector, Lessons Selector, Top Downloads, Top Web Sites & APCUG Benefits.

It's loaded with ideas, how-to's, learning and education sites.

Upcoming Events

Wednesday DECEMBER 3, 2014 Meeting
  Thanks for making the 2013/2014 season a success. The Computer Club will continue with meetings in December. In the meantime there will be a monthly e-mail and bulletin. Near the end of each month the email announcement will be sent out with a link to the bulletin that is published on the Computer Club web site www.tecc.apcug.org.


In early April 2014 you may have seen in the news the scary presentations about HEARTBLEED and the effects it could have on the secure web sites you visit on the web. Now that the air is clearing and the experts are reporting more about the event, they are reporting that the news people reported it as if it was a crisis. At the time of the initial report, there was no proof that it had been initiated by hackers. Some older software used by secure web sites could be compromised and could return some personal data to the hacker.
To protect yourself it is recommended that you change your password on secure sites you visit, if the site could have been compromised by hackers, after the site updates its security software.
Harold


Heartbleed Vulnerability and Your Passwords

by Ira Wilsker

 

WEBSITES:

http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/

https://lastpass.com/heartbleed/

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ 

http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

http://www.techsupportalert.com/content/how-check-if-website-has-been-affected-heartbleed.htm

http://www.infoworld.com/t/security/5-no-bull-facts-you-need-know-about-heartbleed-right-now-240269

http://consumerist.com/2014/04/11/regulators-warn-banks-to-plug-any-heartbleed-security-holes-asap/

https://addons.mozilla.org/en-us/firefox/addon/heartbleed-checker/

https://ssl-tools.net/heartbleed-test

 

            In recent days, the media has been heavily reporting a bug in the code that is supposed to encrypt our personal information as it travels between our browsers and their intended destination.  This coding error, now known as the Heartbleed encryption bug, might allow hackers to access the encryption keys of "Secure Sockets Layer - SSL" or "HTTPS" used on supposedly secure internet links, potentially giving hackers access to the personal information being transmitted.  Despite media hyperbole, as of this typing, there have been no documented and confirmed cases of hackers obtaining passwords and other personal data through this security hole in the commonly used encryption software utilized by most of the globe's commercial servers.  What the mass media has done with its extensive publicity of this programming bug is to alert miscreants of a potential security vulnerability in our internet connections, giving them a virtual invitation to "come and take it!"

            According to a report on the popular online technology news source cNet, "'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords," dated April 8: "The problem, disclosed Monday night (April 7), is in open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too."  In this cNet story there were some allegations that some Yahoo! users were tricked into logging on to bogus websites, disclosing their usernames and passwords, but there is some debate as to whether or not this was due to the Heartbleed vulnerability or another identity theft technique.

            Some of the pundits interviewed in the media warned that it was imperative for all users to immediately change all of their online passwords, and possibly even their usernames, or face imminent peril of identity theft.  While it is a good security practice for users to periodically change passwords, and not use the same password on multiple online accounts, this immediacy may be premature.  If a web server is currently insecure, and your password has already been compromised through this Heartbleed vulnerability (unlikely), changing your password may only give you a false sense of security as the potential hacker will likely also get your new password as well.  If a particular web server where the user has an account has not been compromised by Heartbleed, there is no immediate need to change passwords, other than as a routine and regular security procedure.  If a web server that had been vulnerable to Heartbleed has already been patched to close this security hole, then it may indeed be appropriate to change passwords.  In fact, many of the major web services, banks, and online merchants have already announced that users should change passwords after they are notified that the Heartbleed vulnerability has been rectified.

            It is fairly easy for users to determine if the websites that they visit are vulnerable to the Heartbleed bug; a variety of free utilities and browser plug-ins have been quickly developed that will alert the user of any potential risks.  I have predominantly been using the Firefox browser on all of my computers, and now there are add-ons that will instantly alert Firefox users if a website being loaded is vulnerable to the Heartbleed bug.  I am currently using "Heartbleed-Ext 3.0", published by proactiveRISK as a Firefox plug-in.  According to its author, "Whilst some servers have been patched already, many remain that have not been patched. Heartbleed uses a web service developed by Filippo Valsorda and checks the URL of the page you have just loaded. If it is affected by <sic> a Firefox notification will be displayed. It's as simple as that GREEN GOOD / RED BAD" (addons.mozilla.org/en-us/firefox/addon/heartbleed-checker).

            There are also several free utilities that can inform the user if a website is subject to the Heartbleed bug.  Gizmo's TechSupportAlert.com has posted an updated directory of web services (techsupportalert.com/content/how-check-if-website-has-been-affected-heartbleed.htm) that can inform the user if a particular website is safe or insecure, in terms of the Heartbleed vulnerability.

            I used the utility provided by my password manager, LastPass Heartbleed Checker (lastpass.com/heartbleed), to check the merchant and banking websites that I frequently access; I was surprised to learn that my credit union server is "Probably" vulnerable.  LastPass Heartbleed Checker reported, "Probably (known use OpenSSL, but might be using a safe version).  SSL Certificate:  Possibly Unsafe (created 4 months ago at Dec 20 17:49:52 2013 GMT).  Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now."  I then used the LastPass utility to check my primary email server, and found that it was vulnerable, but has since been fixed.  Specifically, LastPass Heartbleed Checker reported, "Site: mail.yahoo.com; Server software:  ATS; Was vulnerable: Possibly (might use OpenSSL, but we can't tell); SSL Certificate: Now Safe (created 5 days ago at Apr 9 00:00:00 2014 GMT);  Assessment: Change your password on this site if your last password change was more than 5 days ago."  In consideration of this information, I immediately changed my email password, but will wait to change my credit union password until the credit union updates its online security.  Unlike Yahoo! or my credit union, I will not be promptly changing my Microsoft related passwords, as, according to LastPass, "Was Vulnerable: No (does not use OpenSSL)", but routine password changes are still recommended.  Registered users of the LastPass Password Manager (lastpass.com) can automatically check all of their frequently visited websites for the Heartbleed vulnerability: "LastPass users can do this by running the Security Check tool from their icon menu. LastPass will not only alert you to which sites are vulnerable, but also tell you the last time you updated your password for the site, when that site last updated their certificates and what action we recommend taking at this time."  A similar website checker is the Qualys SSL Server Test at ssllabs.com/ssltest/index.html.

            Some websites have posted updated susceptibility assessments for the most widely used web services.  The website Mashable (mashable.com/2014/04/09/heartbleed-bug-websites-affected) has posted an extensive list of popular websites and their respective Heartbleed related security vulnerability. According to this frequently updated listing, while some of the popular websites were not vulnerable to this bug, others were, and most have patched their SSL software; those who have patched their software mostly are asking users to change their passwords.  Mashable broke down its extensive list into categories such as Social networks, Financial, and others.  Among the major web presences that were vulnerable, but now indicate that the security holes have been patched, are Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo!, Gmail, Yahoo! Mail (and its affiliates such as AT&T mail and SBCGlobal email), some Amazon Web Services (but not the Amazon.com shopping service), Etsy, GoDaddy, Flickr, Minecraft, Netflix, SoundCloud, YouTube (Google says that YouTube users do not need to change YouTube passwords), USAA, Box, Dropbox, GitHub, IFTTT, OKCupid, Wikipedia (registered users only must change passwords), and Wunderlist.  None of the major online financial services, stockbrokers, or password managers were ever threatened by Heartbleed, as they did not use the OpenSSL software as a primary security tool.

            While it is a good practice to periodically change passwords to hard to guess passwords which are alphanumeric, and incorporate upper and lower case letters, as well as some allowable punctuation characters, it is only imperative now to change passwords to those websites that were vulnerable, but which have been recently patched.  The Mashable listing referenced above is a good source as to the Heartbleed status of the largest websites, but free Heartbleed checkers such as LastPass Heartbleed Checker can give the likely status of individual websites.  If in doubt, go ahead and change your passwords, but be aware that changing a password on a website subject to Heartbleed that has not yet been patched will necessitate another password change as soon as the patch is implemented.  Better safe than sorry.
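The decision rule the column sketches in the two paragraphs above (a site that never used OpenSSL needs only routine changes; a vulnerable site that is not yet patched should be left alone until it is; a patched site needs a new password unless the current one was set after the fix and the reissued certificate) can be written down so it is applied the same way to every account. The following is an added example and is not code from the column, from LastPass or from any checker it names; the certificate dates are the ones the LastPass reports quoted above, while the site names ending in .example, the patched flags and the last-password-change dates are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on April 7, 2014 (the date quoted from cNet above).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

@dataclass
class SiteStatus:
    name: str
    uses_openssl: bool         # False: never exposed ("does not use OpenSSL")
    patched: bool              # True once the operator has updated OpenSSL
    cert_not_before: datetime  # start of validity of the certificate now served
    last_password_change: datetime

def advice(site: SiteStatus) -> tuple[str, str]:
    """Return (action, reason); action is routine, wait, change_now or already_done."""
    if not site.uses_openssl:
        return "routine", "never vulnerable; only periodic password changes apply"
    if not site.patched:
        # A new password sent to a still-vulnerable server can leak like the old one
        # and would have to be changed again once the patch is applied.
        return "wait", "vulnerable or status unclear; wait for the operator to patch"
    if site.cert_not_before < DISCLOSURE:
        # Patched, but the same key pair is still served: if the private key was read
        # from memory, the server can still be impersonated, so change and keep watching.
        return "change_now", "patched, but certificate predates disclosure (key not reissued)"
    if site.last_password_change >= site.cert_not_before:
        return "already_done", "password set after the reissued certificate"
    return "change_now", "patched and reissued; password predates the new certificate"

def plan(sites: list[SiteStatus]) -> dict[str, str]:
    """Map each site name to its recommended action."""
    return {s.name: advice(s)[0] for s in sites}

# Constructed sample: certificate dates are the ones the LastPass checker reported in
# the article; patched state and last password change are assumed for illustration.
UTC = timezone.utc
SAMPLE = [
    SiteStatus("mail.yahoo.com", True, True, datetime(2014, 4, 9, tzinfo=UTC), datetime(2013, 11, 1, tzinfo=UTC)),
    SiteStatus("credit-union.example", True, False, datetime(2013, 12, 20, 17, 49, 52, tzinfo=UTC), datetime(2014, 1, 15, tzinfo=UTC)),
    SiteStatus("microsoft.example", False, True, datetime(2013, 6, 1, tzinfo=UTC), datetime(2013, 6, 1, tzinfo=UTC)),
    SiteStatus("mail.yahoo.com (after change)", True, True, datetime(2014, 4, 9, tzinfo=UTC), datetime(2014, 4, 12, tzinfo=UTC)),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.name, *advice(s), sep=": ")
```

The "patched" flag is what a checker such as the LastPass or Qualys tools reports; the certificate start date comes from the same report or from the browser's certificate viewer.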

 


The Association of Personal Computer User Groups (APCUG) will hold its 2014 Annual Meeting on Saturday, May 3rd. The online meeting will start at 4:00 PM Eastern Time and is being held in conjunction with our 2014 Spring Virtual Technology Conference. Reports about your organization will be presented for your benefit. All member groups are urged to attend.

 To attend the Annual Meeting, you must register for the Virtual Technology Conference by visiting the free APCUG Eventbrite registration page. Follow the instructions to register for the conference.

 In addition to the Annual Meeting, you will also be registered to take part in the 2014 Spring Virtual Technology Conference, where you will be able to attend presentations on subjects like Photoshop Elements, printers and printing, Windows 8.1 and more, given by leaders in the user group community. More information on the conference is available on the APCUG site.

 We look forward to you attending the meeting.

 David Steward

Secretary, APCUG


The APCUG quarterly report is available to download and view in PDF format. It covers a lot of information about the national organization that we belong to as Trails End Computer Club: activities of clubs throughout the country, financial information, services available to us and information on its officers.

Submit your article; the deadline for the next bulletin is Tuesday noon each week. Only what you write may be published. We cannot publish other people's work without written permission. Simply use the EDITOR AT TECC link and paste your write-up to submit it.
Share your computer experiences with other members. We need articles to publish in the TECC Bulletin.

UPDATE YOUR MEMBERSHIP INFORMATION: change your e-mail address, unsubscribe from this bulletin, etc., using the UPDATE YOUR MEMBERSHIP link.