
Welcome to this week's edition of the Computer Kindergarten Newsletter.
Today is Sunday, April 13, 2014

We wish all of our readers a Happy Passover!

In this Issue:
Special Feature: Heartbleed
Special Feature: Clever Password Tricks Aren't Protecting You from Today's Hackers
Special Feature: Microsoft Support Has Ended For Windows XP
Special Feature: How to Keep Your XP PC Secure Without Microsoft Support
Special Feature: Install Windows 8.1 Update 1

 

Editor’s Note: Today’s special newsletter is all about security. Everyone has probably heard a lot about the Heartbleed bug; we’ll try to give you a good explanation (without all the media hype).

Microsoft has ended their support of Windows XP. If that’s the operating system you use, please read our very important articles below.

Microsoft has also released the second critical update to Windows 8. We’ve included an article and link to help you update your Windows 8 computer.

We’ll return to our regular format next week. Please forward this very important edition to your friends and family so they can keep their computers secure. And always, if you have questions, please feel free to email us: info@computerkindergarten.com

**********************************

Special Feature: Heartbleed

A very large number of websites may have been compromised by a newly revealed security flaw. The bug, revealed on Monday by security researchers at Google and at an independent firm called Codenomicon, is called Heartbleed, and it compromises at least 66 percent of active websites, according to the team that discovered it.

What It Is and What It Does

So named by the researchers who discovered it, Heartbleed is a bug that affects an important Internet security protocol called SSL. Specifically, it affects one particular implementation of SSL called OpenSSL.

For context (and to understand how bad Heartbleed is), here's how SSL and OpenSSL work: Every time you log into a website, your login credentials are sent to that website's server. But in most cases those credentials aren't simply sent to the server in plain text -- they're encrypted using a protocol called Secure Sockets Layer, or SSL.

As with most protocols, different software makers have created different implementations of SSL. One of the most popular is an open-source implementation called OpenSSL, used by an estimated two thirds of currently active websites. Heartbleed is a bug in OpenSSL. Hackers can exploit Heartbleed to get raw text from emails, instant messages, passwords, even business documents -- anything a user sends to a vulnerable site's server.

In layman’s terms, whenever data (passwords, usernames, etc.) is sent through the Internet, it gets encrypted, or turned into a code, so hackers can't access it. What makes the Heartbleed flaw truly scary is that it can allow hackers to break that encryption and access your emails, passwords, documents and instant messages across such a large swath of the Internet.

And the scariest part? The Heartbleed security flaw existed for nearly two years before it was discovered by legitimate researchers. That's plenty of time for black-hat hackers to have discovered and exploited the bug.

In short, it's a nightmare. So how can you protect yourself now?

What You Should Do

Two sites that are known to have been impacted are Yahoo and Amazon, though both have said that they are in the process of fixing the vulnerability on their ends. (According to Valsorda's site, Yahoo and Amazon have already been patched.) OkCupid has also been affected by Heartbleed. If you use these sites, change your passwords.

What else should you do? Watch your bank and credit card statements for unusual activity, since that information could be accessed by hackers. Some sites, like the tech news outlet Ars Technica, are asking users to change their passwords.

Ultimately, it's up to the Internet companies we use and trust to fix the bug, so there's not a ton you can do on your own to combat it. "Service providers have to install the fix as it becomes available for the operating systems, networked appliances and software they use," Heartbleed.com, a site set up to explain the security flaw, reads. Until a site installs a fix, we're all left vulnerable.

The Heartbleed Hit List: The Passwords You Need to Change Right Now

It hasn't been clear which sites have been affected. Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you'll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn't already compromised, but there's also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable.

You can and should check to see if websites you frequent have been impacted by the bug before you visit them again. You can go to this website,
http://filippo.io/Heartbleed/
to see if a website has been impacted. Just click in the box that says example.com and type in the address of the website you’re researching, for example, aol.com.

 

Special thanks to contributing writers Betsy Isaacson and Alexis Kleinman of huffingtonpost.com, Samantha Murphy Kelly, Lorenzo Francheschi-Bicchierai, Seth Fiegerman, Adario Strange and Kurt Wagner of mashable.com.

**********************************

Special Feature: Clever Password Tricks Aren't Protecting You from Today's Hackers

By Melanie Pinola of lifehacker.com

Security breaches happen so often nowadays, you're probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you've heard it all already, though, today's password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here's what's changed and what you should do about it.

Background: Passwords Are Easier To Crack Than Ever

Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.

Making matters much worse, hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so hackers can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.

Take the password "Sup3rThinkers"—a password which would pass most password strength tests because of its 13-character length and use of mixed case and a number. Web site How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, with a 4 billion calculations-per-second estimate. It would take a hacker just a couple of months now, Ars says:

Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou and similar lists. For [security penetration tester] Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".

In other words, hackers are totally on to us!

What You Can Do: Strengthen Your Passwords By Making Them Unique and Completely Unpredictable

We've suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.

1. Avoid Predictable Password Formulas

The biggest problem is we're all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use a mix of upper- and lower-case letters, numbers, and symbols, most of us:

Use a name, place, or common word as the seed, e.g., "fido" (Women tend to use personal names and men tend to use hobbies)
Capitalize the first letter: "Fido"
Add a number, most likely 1 or 2, at the end: "Fido1"
Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: "Fido1!"

Not only are these patterns obvious to professional password guessers, even substituting numbers for vowels ("F1d01!") or appending another word ("G00dF1d01!") wouldn't help much, since hackers are using the patterns against us and appending words from the master crack lists together.

Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns, are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyboard walk generators to emulate millions of keyboard patterns.

The solution: Don't do what everyone else is doing. Avoid the patterns above and remember the basics: don't use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it's only secure if no one else is using that rule.
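The formula above is mechanical enough that a short program can recognize it. The following is an added example, not part of the original article: a Python check that undoes the steps described (symbol at the end, number at the end, capital first letter, number-for-letter swaps, words joined or spelled backward) and reports which ones a password relies on. The word list, the substitution table and the function names are assumptions made for this illustration.

```python
# Added example: flags passwords built with the predictable formula above.
# COMMON_WORDS is a tiny constructed sample (assumption); a real check would
# load a large list such as the common-password collections the article cites.
COMMON_WORDS = {"fido", "good", "super", "thinkers", "mustache"}
COMMON_SYMBOLS = "~!@#$%&?"          # the symbols the article lists
DIGITS = "0123456789"
# Look-alike substitutions that cracking rules reverse (number/symbol -> letter).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def split_into_words(text):
    """Split text into known words (forward or backward); None if impossible."""
    if not text:
        return []
    for end in range(len(text), 0, -1):
        head = text[:end]
        if head in COMMON_WORDS or head[::-1] in COMMON_WORDS:
            rest = split_into_words(text[end:])
            if rest is not None:
                return [head] + rest
    return None


def analyze(password):
    """Return the seed words and formula steps found; empty lists if none."""
    no_sym = password.rstrip(COMMON_SYMBOLS)
    no_num = no_sym.rstrip(DIGITS)
    # Try the whole password first, then peel trailing digits one at a time,
    # so a final "0" that stands for "o" is not mistaken for an added number.
    candidates = [password] + [no_sym[:i]
                               for i in range(len(no_sym), len(no_num) - 1, -1)]
    for candidate in candidates:
        normalized = candidate.lower().translate(LEET)
        words = split_into_words(normalized)
        if not words:
            continue
        tags = []
        if candidate.lower() != normalized:
            tags.append("character substitution")
        if candidate[0].isupper():
            tags.append("capitalized first letter")
        if len(words) > 1:
            tags.append("words appended together")
        if any(w not in COMMON_WORDS for w in words):
            tags.append("word spelled backward")
        if len(candidate) < len(no_sym):
            tags.append("number at the end")
        if len(candidate) <= len(no_sym) < len(password):
            tags.append("symbol at the end")
        return {"words": words, "tags": tags}
    return {"words": [], "tags": []}


if __name__ == "__main__":
    # Passwords quoted in the article, plus one constructed random string.
    for pw in ["Fido1!", "G00dF1d01!", "Sup3rThinkers",
               "mustacheehcatsum", "q9#vT2;Lx0wZeK"]:
        result = analyze(pw)
        print(pw, "->", result["words"], result["tags"] or "no formula found")
```

An empty result only means this particular formula was not found with this word list; it is not a measure of strength.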

Check out IT security pro Mark Burnett's collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page. http://tinyurl.com/ljkfnrv

2. Use a Unique Password for Each Site

We'll get back to password creation in a minute, but first: this is the most important security strategy of all. Use a different password for each site. This limits the damage that can be done if/when there's a security breach.

If you use the same password for everything, and someone gets a hold of your Facebook password, they have your password for every site you visit. If you have a different password for every site, they only have access to your Facebook account—so at least all your other accounts are protected.

4. Use Truly Random Passwords

You've probably heard that a random, four-word passphrase is more secure and more memorable than complicated but shorter passwords, as web comic xkcd pointed out last year. This is true, but often irrelevant, because like we said: you need to use a different password for every account. If you can remember 100 different four-word passwords, be my guest. But for most of us, it doesn't matter how easy your passwords are to remember—there's just too many of them. (Though the passphrase approach might be good for, say, your computer login or the few cases you need to remember your password.)

Using a variation on the same password for each site isn't a good idea, either. Say you have a password like ro7CSfac2V3p1 for Facebook, and you use the variation ro7CSlif2V3p1 for Lifehacker, and so on for all your other sites. If a hacker gains access to one of those passwords, they can easily guess the others by replacing "fac" with the letters that might match other sites (or figuring out whatever your algorithm is). It's more difficult, but far from impossible, and it isn't secure enough to rely on—if you can remember it, someone else can probably figure it out.

So: The most secure option is to use a password generator and manager. If you want to keep your accounts safe, you need to use a truly random, long, and complex password, and use a completely different one for each account. How do you accomplish this? Use a password manager like LastPass (https://lastpass.com/), KeePass (http://keepass.info/), or 1Password (https://agilebits.com/). Not only will they save all your passwords for you, but they can generate random passwords for you. It's easier to use and set up than you may think.

**********************************

Special Feature: Microsoft Support Has Ended For Windows XP

From Microsoft.com

What is Windows XP End of Support?

Microsoft has provided support for Windows XP for the past 12 years. But now the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences.

As a result, after April 8, 2014, technical assistance for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer be providing security updates to help protect your PC.)

If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter greater numbers of apps and devices that do not work with Windows XP.

Which Windows Operating System Am I Running?

The easiest way to tell if you have Windows XP is by the Start button, usually found in the bottom left corner. If it has the word Start on it, you have Windows XP.

What Does It Mean If My Version Of Windows Is No Longer Supported?

An unsupported version of Windows will no longer receive software updates from Windows Update. These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information. Windows Update also installs the latest software updates to improve the reliability of Windows—new drivers for your hardware and more.

**********************************

Special Feature: How to Keep Your XP PC Secure Without Microsoft Support

By Chris Hoffman of pcworld.com

Look, let’s be honest. You should upgrade from Windows XP right now if at all possible—but not everyone can cut the XP cord so completely. If you can’t upgrade, there are some things you can do to protect yourself. Make no mistake: These tricks are like sticking your finger in a leaking dam. They’ll help a bit, but the dam is crumbling and it’s time to get out of the way.

Understand the Risks

When Microsoft says it’s ending support for Windows XP, that means it will no longer produce security patches for critical vulnerabilities in the operating system. As time goes on, more and more critical security holes will be found, and attackers will have free rein to exploit them. Large organizations can pay exorbitant fees for continued custom Windows XP support, but those updates will never trickle out to everyday users or small businesses.

Smart attackers are likely waiting to exploit holes they already know about. They’ll unleash their attacks when Microsoft has moved on. The problems will never be fixed, so they can continue to attack them until the last Windows XP system vanishes from the Internet.

Other software developers will eventually stop supporting Windows XP, just as they no longer support Windows 98, creating even more attack vectors. This won’t happen overnight, but Windows XP will gradually be abandoned by everyone.

Choose your Software Wisely

If you use Microsoft’s Internet Explorer, it’s time to let go. Internet Explorer 8, the most recent version available for Windows XP, is already several generations old and will no longer receive security patches. Google Chrome will continue supporting Windows XP until at least April 2015, while Mozilla Firefox has no announced plans to stop supporting Windows XP. So switch to Chrome or Firefox and you’ll have a secure, modern browser.

Most antivirus solutions will still continue supporting Windows XP. Even Microsoft’s own Microsoft Security Essentials will support Windows XP until July 14, 2015. Antivirus-testing company AV-TEST asked 30 different antivirus companies about their plans for Windows XP support and all of them committed to support Windows XP until at least April 8, 2015. Most committed to supporting it for even longer, into at least 2016.

Be sure you’re using an antivirus program that’s actually receiving updates, though, because that expired copy of Norton isn’t going to help you. An antivirus app isn’t a foolproof solution, and Microsoft warns, “Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited.” Still, having some type of third-party protection certainly won’t hurt.

If you’re still using the now-defunct Outlook Express, you should stop using it right now. If you really love the Outlook experience, switch to the full version of Outlook included in Microsoft Office. Mozilla is still supporting Mozilla Thunderbird with security patches, though it’s unclear how long they’ll support Thunderbird on older operating systems. Of course, you can always just use a web-based email service in Chrome or Firefox.

Microsoft will also stop supporting Office 2003 on April 8, 2014. If you’re still using Office 2003—or, even worse, Office XP—you should update to a newer, supported version of Office for improved security. Yes, this means only ribbon-ified versions of Office will be supported.

Remove Insecure Software

The Java browser plug-in is extremely exploit-prone on any operating system. Unless you really need Java for a specific purpose, you should uninstall it. If you do need it, be sure to disable the browser plug-in and keep it up-to-date.

Other browser plug-ins are also frequently targeted by attackers. Adobe Flash and Adobe Reader are particularly crucial, so keep them up-to-date. Modern versions update themselves automatically, but older versions didn’t even check for updates. If you don’t need these applications, you should probably uninstall them to lock down your XP system as much as possible.

Move On

Let’s say you have a trusty old Windows XP PC that works okay for browsing the web and you just don’t want to buy a new PC or a new version of Windows. To stay secure, you can try installing Ubuntu Linux (http://tinyurl.com/cqhwasa). We have guides to ease the transition and make Ubuntu look like Windows 7 (http://tinyurl.com/bhvkk7h). These completely free operating systems are designed to work well on older hardware, and will be supported with security patches for years to come.

If you’re ready to upgrade to a new version of Windows but Windows 8 puts you off, you can still upgrade to Windows 7. It’ll be supported until 2020. New copies of Windows 7 or 8 cost nearly $100, however, and they might not run on hardware from the XP era, so you could be better off just buying a new computer and getting a modern version of Windows included.

Sure, Microsoft just wants to sell you a new Windows license, but it has been 12 years. Even if you have to use Windows XP for a bit longer, you should really be making plans to move on. You don’t have to go to Windows 8, but you can’t stay here—not for long, at least.

**********************************

Special Feature: Install Windows 8.1 Update 1

From microsoft.com

Important: You will not be able to install Windows 8.1 Update 1 if you have not upgraded from Windows 8 to Windows 8.1. To do this, please visit the Microsoft website for step by step instructions:
http://tinyurl.com/mv5mlyu

Windows 8.1 Update and Windows RT 8.1 Update (also known as KB 2919355) include improvements that make your favorite apps and settings easier to find and use, and provide more familiar mouse and keyboard options. For more info, see What's new in Windows 8.1 Update and Windows RT 8.1 Update?

Here’s what you need to know about installing this important update.

It might already be installed

If you’re running Windows 8.1 or Windows RT 8.1 and you get updates automatically, you don’t need to do anything: Windows Update will download and install the update for you within the next few weeks. It won’t interrupt what you’re doing except to tell you that you need to restart your PC to finish the installation.

To check if the update is already installed, go to the Start screen. If you see a Search button near your account name at the top of the Start screen, you already have the update.

After the update, the Search button appears on the Start screen.

The update is gradually rolling out to everyone with a PC running Windows 8.1 or Windows RT 8.1 over a period of several weeks. If you get automatic updates but you don't see the update yet, wait a few days and check again.

Install the Update Manually

If you’re running Windows 8.1 or Windows RT 8.1 and you don’t have the update yet, you can manually check for and install the update by following these steps:

Make sure your PC is plugged in and connected to the Internet using a non-metered connection. Don’t disconnect, unplug, or turn off your PC while the update is being installed.

Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
(If you're using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)

Tap or click Update and recovery, and then tap or click Windows Update.

Tap or click Check now.

If updates are found, tap or click View details.

In the list of updates, select the update containing KB 2919355, and then tap or click Install.

If you're prompted for an administrator password or confirmation, enter the password or provide confirmation.

After the installation is complete, restart your PC and sign in.

Note: If you don’t see KB 2919355 in the list of available updates, you might be missing one or more required updates. Follow the previous steps to check for updates, install all important updates, particularly KB 2919442, restart your PC, and then check for KB 2919355 again.

Why you should install this update

We strongly recommend that you install Windows 8.1 Update or Windows RT 8.1 Update (KB 2919355). This is a critical update that is required for future updates to Windows. If you prevent it from installing or you uninstall it, you won’t get some future bug fixes, security updates, and new features. In some cases, if you uninstall this update from a new PC after signing in with a Microsoft account, OneDrive might not work as expected.