Security Corner – A Quick Guide to Meltdown and Spectre Vulnerabilities

Confused by the recent tech babble about “speculative execution vulnerabilities in ARM-based and Intel CPUs”? Here are the basic facts you should know as a user of Apple products.

What’s all the fuss about?

Researchers recently discovered two major security problems with the modern chips made by Intel, ARM and others. Since these chips are at the heart of most processors manufactured in the past twenty years, nearly all computing devices and operating systems are affected. Apple has confirmed this includes all Mac systems (iMac, MacBook), iOS devices (iPhone, iPad, iPod) and the Apple TV. The Apple Watch is unaffected by both Meltdown and Spectre.

What’s the problem?

Modern computers improve processing speed by employing shortcuts, known as “speculative execution.” Unfortunately, as it turns out, these shortcuts can be exploited to read data from the chip’s memory. Thus a hacker could gain access to the passwords, encryption keys and other sensitive data stored on your personal devices. If you use a cloud or other online service, the data you keep there is also vulnerable on the provider’s servers. The two security vulnerabilities have been dubbed “Meltdown” and “Spectre.” Spectre is considered the more worrisome flaw: although it is harder to exploit, it is more challenging for manufacturers to fix, and some experts believe a hardware redesign will be required. Spectre could also potentially affect more people, as the chips involved are more widely used.

Have I been hacked?

Apple has given assurances that no known exploits have yet affected its customers. Expert-level knowledge would be required to prepare and initiate an attack. However, now that these vulnerabilities are widely known, who can predict whether criminals or maybe “big brother” will hasten their efforts before these loopholes are closed?

What can I do to protect my devices?

Tech companies usually wait until they’ve solved a problem before announcing it, but this time the cat got out of the bag early. Although scrambling a bit, the industry is working hard to develop and distribute security updates as soon as possible. For Meltdown, Apple already released mitigations for iOS, macOS and tvOS in December. For Spectre, there is a new Safari update for iOS and macOS as of January 8th. If you use one or more of these operating systems, you should download and install the updates immediately. Apple reports no measurable reduction in speed because of the security updates. Other experts, however, say devices older than 5 years may be slowed.

As of January 8, 2018, Apple is still working on security updates to mitigate the impact of Spectre. Apple will continue to develop and test further mitigations and will release them in upcoming updates of iOS, macOS, and tvOS. To avoid missing these, consider setting yourself a Google Alert, as the releases are sure to be reported in the news and discussed on technology websites. Again, download and install any updates immediately.

Since a malicious app is required to exploit both Meltdown and Spectre, Apple also recommends only downloading software from trusted sources, including the Apple App Store. Untrustworthy websites, especially those using JavaScript, should also be avoided.

For a more detailed explanation of these exploits, you can read the official Apple release on this issue here.

That’s it from the Simply Blog for now! Stay tuned for more security tips!

By Danica Wong.

Five Things You Should Never Do with Passwords (and Three You Should)

Passwords are the bane of our modern existence. Nearly anything you want to do, it seems, calls for a password. As the Internet’s reach extends beyond computers and into phones, TVs, appliances, and even toys, we have to enter passwords with increasing frequency and in ever more annoying ways.

To make dealing with passwords easier and more secure, everyone should use a password manager like 1Password or LastPass. Such apps generate random long passwords like kD*SSDcCl7^6FN*F, store those passwords securely, and automatically enter them for you when you need to log in to a Web site. They are essential in today’s world.

Creating Strong Passwords

You’ll still need a few passwords you can remember and type manually—for instance, the master password for your password manager and your Apple ID password. Make sure those passwords are at least 12 characters, and we recommend going to at least 16 characters.

If you’re unsure of the best way to create a strong password, try taking the first letter of each word in a sentence you can remember, and also change a few words to digits. Then “Now is the time for all good men to come to the aid of the party!” becomes a password along the lines of Nitt4agm2c2ta0tp!. So that no eavesdroppers learn your password, avoid saying your sentence out loud whenever you enter it! Or, combine four or five unrelated dictionary words, like correct-horse-battery-staple, that add up to at least 28 characters. (Don’t use the examples in this paragraph!)
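The two construction methods described above (the first letters of a memorable sentence with a few words turned into digits, and several unrelated dictionary words joined together), worked through as an added Python example that is not part of the original post. The digit-word table, the tiny sample word list and the function names are this example’s own assumptions; the length thresholds (12, 16 and 28 characters) are the ones the post gives.

```python
"""Added example (not from the Simply Computing post): build a memorable
password the two ways the post describes and check the lengths it recommends.
The digit-word table, the sample word list and the function names are this
example's own assumptions; the thresholds (12, 16 and 28 characters) are the
post's."""
import re
import secrets

# Words swapped for a digit, assumed from the post's own example in which
# "for", "to" and "of" became 4, 2 and 0.
DIGIT_WORDS = {"for": "4", "to": "2", "of": "0", "one": "1", "two": "2",
               "four": "4", "ate": "8"}

# Constructed, deliberately tiny sample list. A real passphrase needs a large
# list (thousands of words) so that four or five picks are hard to guess.
SAMPLE_WORDLIST = ("lantern", "glacier", "mosaic", "pepper", "orbit",
                   "velvet", "cactus", "harbour", "quartz", "meadow")


def sentence_to_password(sentence: str) -> str:
    """First letter of each word; digit-words become digits; punctuation kept."""
    pieces = []
    for token in sentence.split():
        # Split "party!" into the word and its trailing punctuation.
        match = re.fullmatch(r"([A-Za-z0-9']+)(\W*)", token)
        if not match:
            continue
        word, punct = match.group(1), match.group(2)
        pieces.append(DIGIT_WORDS.get(word.lower(), word[0]))
        pieces.append(punct)
    return "".join(pieces)


def random_passphrase(count: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Join `count` words chosen with a CSPRNG (never random.choice for secrets)."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def length_rating(password: str, minimum: int = 12, recommended: int = 16) -> str:
    """'too short', 'minimum' or 'recommended' against the post's thresholds."""
    n = len(password)
    if n < minimum:
        return "too short"
    if n < recommended:
        return "minimum"
    return "recommended"


def passphrase_long_enough(phrase: str, minimum: int = 28) -> bool:
    """The post asks for joined dictionary words totalling at least 28 characters."""
    return len(phrase) >= minimum


if __name__ == "__main__":
    pw = sentence_to_password("Now is the time for all good men to come to the aid of the party!")
    print(pw, length_rating(pw))
    phrase = random_passphrase(5)
    print(phrase, passphrase_long_enough(phrase))
```

Running the script reproduces the post’s worked example, rates it against the 12/16-character thresholds, and draws a passphrase with `secrets` rather than `random`, since the latter is not suitable for anything secret.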

Two Step Verification

When possible, take advantage of two-factor authentication on sites like Apple, Google, Dropbox, Facebook, Twitter, and more. Accounts protected by two-factor authentication essentially require that you enter a second, time-expiring password as part of the login process. You’ll get that second password via text message, authenticator app, or other notification method when you log in.

What Not To Do

But what we really want to talk about today is what you should not do with passwords. Follow these tips to avoid making mistakes that can undermine even the security provided by a password manager.

  1. Don’t use the same password twice. This is key, because if the bad guys get your password—no matter how strong—for one site, they’ll try it on other sites.
  2. Don’t share passwords with anyone you don’t trust completely. That’s especially true of passwords to accounts that contain sensitive information or that can be used to impersonate you, like email and social media. However, sometimes you have to share a password, such as to a club blog with multiple authors. In that case…
  3. Don’t send passwords to shared sites via email or text message. If someone hacks into your recipient’s email or steals their phone, the password could be compromised. Instead, use a site like One-Time Secret to share a link that shows the password only once, after which the recipient should put the password into their password manager.
  4. Don’t write your passwords on sticky notes. Yeah, it’s a cliché, but people still do it. Similarly, don’t put all your passwords in a text file on your computer. That’s what password managers are for—if someone steals your computer, they can’t break into your password manager, whereas they could open that text file easily.
  5. Don’t change passwords regularly if you don’t have to. As long as every site has a strong, unique password, changing a password is a waste of time, especially if doing so makes you write down the password or communicate it insecurely. If you do have to update a password regularly, a password manager makes the task much easier.

We realize that it’s tempting to take the easy road and share a password with a friend via email or write a particularly gnarly one on a sticky note. But today’s easy road leads directly to identity theft and is paved with insecure password habits. You might think no one would pay attention to little old you, but times have changed. And organized crime is interested in any Internet account that can be cracked.

By Dan Daly

How to avoid phishing scams

We’ve noticed a huge increase in fraud recently, as more individuals are targeted both over the phone and the computer.

Most of these attempts are based on tricking you into providing personal information or letting the bad guys through the cyber door. Listed below are some common examples of what to look out for in deceptive communication.

  • You may get phone calls claiming to be from big companies such as Apple or Microsoft, or a support firm that will refer you to their company page containing official looking receipts and account notes. They’ll tell you that your computer is infected and spreading viruses, and that the bank has asked them to contact you and clean up the problem, for a fee. They will offer to set up an account, with the full intention of obtaining your credit card number for theft.
  • Other common stories include the “police” needing access to your computer to “help catch a crook”, or the “tax department” demanding remote access to your computer. In any case, it is best to approach these calls rationally. Fraudulent calls thrive on quick decision making, and their time-sensitive narratives are designed to hinder questions or analysis. Remaining calm and thinking about exactly what the caller is asking will help you distinguish fact from fiction. Remember that calls asking for access to personal information over telecommunication systems are fake.
  • At other times, you’ll be working along and suddenly your computer crashes (or seems to), and a message pops up on the screen with all sorts of dire warnings about viruses and network problems. If you phone the number provided or click on a link, you’ll be talked into letting someone into your computer remotely. They’ll sign you up for a support package, move some files around on your screen, delete some harmless ones, tell you that they were damaged or dangerous, and then charge you a few hundred dollars. Sometimes they leave a little “time bomb” on your computer that will make it act up in a few weeks, with the intention that you’ll have to phone them back to get the problem fixed again.
  • Crooks may phone or email you, asking for some information, then assemble little bits of data they’ve acquired and use this to rack up huge loans under your name or create fake or stolen IDs. This is called phishing, as in “fishing” for information. You’ll get calls claiming to be a relative in need of money due to a car accident or legal problem. If you ask them for a phone number they usually hang up or give you excuses as to why they can’t give you a number. Again, this is a phony call.
  • You may also get emails claiming to be from the bank or other large businesses that you may have accounts with. These official looking forms are usually asking for account information, passwords, your mother’s maiden name, and so on. Sometimes they take the form of a bill or rental form to convince you to call or email and dispute the charge. Never reply to emails like this, or call the phone numbers that they provide as you will just be contacting the scammers.

Many of these claims are skillfully planned out, so it is understandable why people fall victim to a hoax. It is important to remain cautious whenever dealing with personal information and to know the major warning signs. Demographics that are more often susceptible to fraud, such as elderly individuals or very young adults, are at particular risk. By staying informed and educating friends and family on the signs of fraud, there is a better chance that everyone will be protected.

If you ever suspect that something may be fraud, it is best to contact the company or individual directly using a phone number or email address you know to be reliable, in order to establish the truth.