WPA2 KRACK Wifi vulnerability

Some of you may have heard about a newly discovered Wifi vulnerability called “KRACK”, which stands for “Key Reinsertion attACK”.  This vulnerability exposes a flaw in the WPA2 security protocol that virtually all Wifi networks use to keep them secure and prevent unauthorized access to a password protected Wifi network.  Most of you are affected by this vulnerability.

Here are the bullet points on this issue:

  • Protocol flaw affecting all devices secured by WPA2.
  • Newly disclosed, no known exploits in the wild.  (not super dangerous at this time)
  • Two classes of remedy: “Client”, and “Router/AP”
  • ABN Contract clients will receive remediation as it becomes available under contract terms automatically.
  • Clients without ongoing monthly support contract with ABN must contact ABN for service to remedy this issue.
  • Microsoft has already released a fix for Windows computers through Windows Update.
  • Other manufacturers and software publishers have not yet published all required fixes at this time. 

Fortunately, the threat level of this vulnerability is not high, partly because it was caught before any exploits have come to light, which means that it was a secret to bad guys and good guys alike.

Now that it is known, vendors are working hard to close the hole in the WPA2 protocol implementation.  There are two general classes of fixes coming to us for this vulnerability.  The first is a class of “client” updates, which affect anything that connects to a wireless network.  This includes Wireless enabled PC’s, laptops, smartphones, tablets, printers, and other wireless devices such as security cameras, baby monitors, and the like.  The second class of fixes are for the Wireless Access Points and routers to which the clients connect.

The most critical class of updates is the clients class, and there is good news here.  Microsoft has already released a fix to their Wireless client software, and anyone remaining current on Microsoft updates through the Windows Update process will receive, or may have already received their update.  Apple is beta testing updates for iOS and MacOS, as is Google and the various smartphone manufacturers for Android.  So, anyone following the ABN standard procedure to maintain all device updates as current as possible will be well served to keep it up and make sure that everything you’ve got is up to date.  ABN performs this service for contract customers, so those of you in that position need not worry, and watch for us checking up on this issue as we go forward.

The less critical but equally important class of updates is for the Wireless Access Points and Routers.  To correct the protocol flaw on these devices, a device “firmware” update will be required, and we are receiving communication from our major vendors indicating that they are developing and testing firmware updates for their devices.  Again, as a matter of course, ABN updates device firmware on wireless access points and routers for our contract customers as part of the contract support entitlement.  As firmware updates become available for each of your various access points and routers, we will be contacting our contract customers to schedule a maintenance window to perform the firmware updates.

Those of you who are not contract customers of ABN, you will need to contact us and request a review of devices for remediation.  Please call our main support number to get this service scheduled.  At this time we can check Windows updates only.  As time goes on and more of our vendors have issued fixes for their devices, we will have more that we can do for you.

As a side note, we have received independent confirmation that companies served by managed service providers like ABN were almost unscathed by the WannaCry and Petya ransomware attacks.  This is partly because those attacks relied on out of-date-software on networked PC’s which had gone months and even years without regular updates.  We make sure that doesn’t happen.

DRAM and SSD Shortage

One of our primary vendors just sent us this message:  

"We wanted to alert you to an industry-wide Dynamic Random Access Memory (DRAM) and Solid State Drive (SSD) supply shortage that’s impacting pricing across all vendors. The shortage has caused a 50–105% pricing increase and is expected to continue through the first half of 2017.

"The shortage is related to the high demand of NAND flash in the PC, smartphone and tablet markets, which has caused a decrease in availability of SSD and DRAM products."

We wanted to make clients, partners, and others aware of this news because a surprising amount of our business in the last year has been upgrading systems by installing additional RAM memory and replacing spinning hard drives with SSD Drives.  It has made many computers that were manufactured since the release of Windows 7 fully adaptable to Windows 10 and newer applications that require more memory and demand faster disk storage access.  

If you have not upgraded to Windows 10, it may still be useful to look at DRAM and SSD upgrades as a way to avoid a premature computer purchase, even with the higher prices for these items.  Use our feedback page if you want more information or you operate a New Hampshire business that may benefit from these upgrades.

2016, the year of the Ransonmware exploit

On October 23, 2013, Steve Gibson reported on his weekly security podcast "Security Now" on the twit.tv podcast network, that about three weeks prior a new exploit called "Cryptolocker" had been discovered infecting computers at an alarming rate. 

In that podcast, Steve quoted another journalist, saying: "Dan Goodin at Ars Technica wrote said: 'You're infected. If you want to see your data again, pay us $300 in Bitcoins.' And the subhead was: 'Ransomware comes of age with unbreakable crypto and anonymous payments.' So, and if you want to [...] just put "CryptoLocker" into Google, and you will see, I mean, it is bad."

Three years later, what Steve and other security experts predicted about CryptoLocker and ransomware in general has come true.  It is the main malware threat concern of all Information Technology security personnel around the globe: how do I prevent my users from getting infected with ransomware, and how do I respond to it if they do?

We at ABN have prepared a 30 minute presentation to help IT managers and personnel at any company or organization become aware of ransomware, and to become better equipped to avoid the exploits of Internet ransomware threats.  This is available to our monthly contract customers for free with their support agreements, and for a small fee for anyone else. 
 

The Unbelievable Awesomeness of JunkEmailFilter.com

I have to take a moment to call out a really extraordinary service that I have done business with for several years.  The name of the business is "JunkEmailFilter.com", and it is run by one of the unknown soldiers for Internet integrity, Marc Perkel.

I became aware of this service because of the curmudgeonly rantings of John C. Dvorak, one of the most respected and longest running tech journalists still living.  He famously ranted "I GET NO SPAM" several years ago on my favorite tech podcast, TWIT (go to twit.tv for more on that), and I never quite forgot it.

As a result, when I was a bit frustrated with my efforts to control spam for clients who were using their own hosted email, mostly set up by me on Microsoft Exchange, I tracked Marc down and found that I was dealing with him personally in setting up service, and that he responded with lightning speed and perfect accuracy in setting up filtering service for my accounts.  The price for this service is amazingly low, and he can scale to whatever you need to support.

Furthermore, he is dedicated to our freedom and privacy on the Internet.  If you are not hosting your own email, but you want a completely secure and uncompromising email hosting service for yourself or your small business, then Marc is your man.  He provides that service also at similarly reasonable rates.

If you are still hosting email using Small Business Server or something similar like MDaemon, and you or your client cannot or will not migrate to a cloud service like Office 365 or Google Apps for Business, then you would be well served to put Marc's service in front of your own.  His is an extremely effective filter, and as I mentioned above, he works very hard to deliver service and support immediately via email.  It is very convenient to work with him.

Thanks to Marc for his help today, and lets hope that more like him step forward to eliminate spam and all of the nefarious cruft that crosses the Internet every day.

It Is Time To Choose a Password Manager

Dashlane and LastPass are the two major password keeper systems available, however there are quite a few and more coming every day.

I would recommend either Dashlane or Lastpass for the purpose of securely keeping your passwords in a reliable Internet based vault.   Here are my tips:

Dashlane seems to be oriented more toward Apple computer and device users.  David Pogue of Yahoo news recommends this service, and he has always been devoted to the Apple product side of things.

I found that the Dashlane program for Windows was a bit buggy, and LastPass wound up working better for me.  Both of them impose some adaptation on the user, so you should not expect totally smooth sailing in using either program.  Here are my main tips of the day for any of these programs:

1. Set a good strong password for the password manager and never, ever forget it. 

2. Make sure that you understand how password recovery works on your password manager in case you can't adhere to tip #1.

3. Make sure that you know how to go into the password manager vault and just look up your credentials for a website or service. 

Both programs are designed to automatically fill in user accounts and passwords for you, but sometimes they don't work with a particular website or service due to technical choices on the part of the service or website.  In those cases, you need to open up your Dashlane or LastPass program and copy and paste your user name and password into the site, or look it up and type it in. 

These are edge cases, and I don't have to do this often, but I know that if you just let LastPass or Dashlane take you along from their installation wizards, and you haven't really taken the time to learn to use them, you could be in for some frustration if they don't work on a site that you are under time pressure to log into.

Overall, they are great time savers, and both of them will generate new, very secure passwords for you that you would never have the ability to remember.  Both of them will import all of your saved passwords from your web browsers and store them in your vault when you install them.  After installation, they will ask if you want to do a security analysis, and they will offer to reset passwords for you that are heavily duplicated or very insecure (easy to hack/guess).  I would take it slow with that process so that you don't get locked out of anything if there is a problem.

Sneaky sneaky!

At this time, I use a very fine service called "LogMeIn".  Specifically, I use LogMeIn Central to manage remote desktops as part of my I.T. business.  When an end-user has a problem that we need to resolve, I can just jump directly onto their desktop using a LogMeIn remote access session, and interact directly with the user on their computer screen.  It is very nice.

This week, I received three messages that appeared to be from LogMeIn.  The first email was thanking me for my LogMeIn renewal payment of $999, which contained a Microsoft Word Document attachment named "receipt", or something like that.

I actually started to open the document before I thought about it because I was so upset by this message.  You see, LogMeIn has undergone a significant restructuring in the pricing in the last couple of years, and I reacted emotionally because I was keyed in to this information that has been discussed heatedly in user forums and elsewhere.

Then my senses came about me and I inspected the technical headers of the email to confirm where it came from, and sure enough, it was a phishing attack.  So, I filed it in my "Scams" folder and went about my business.

A week later, I got a message with the same reply address that indicated that my credit card on file at LogMeIn had expired and that my service would be terminated in 72 hours.  At that point, I second guessed my first conclusion because I DO have an expired credit card on file at LogMeIn, because I knew that at some point I would be using a less expensive service to replace LogMeIn.

So, I began to pro-actively migrate to the new service, but before I got to the tedious phase of updating my 200 supported computers with different remote support software, I took one last look at the last LogMeIn email.  The technical headers revealed that the originating server was HLERHGFWZ (41.158.9.115), and the originating sender was peremptorilyhrs79@rexhongkong.com.  So, after doing the smart thing and logging back into LogMeIn Central and checking my subscription status, I concluded that this was a sequential phishing attack with a very clever strategy.  Knowing that there were many users like me out there who were playing out the string on their LogMeIn Central accounts, they used a 1-2 punch to try and get us to click on their malicious email attachment. 

These are days to be wary, my friends, and pay attention to your mal-ware protections.  The stakes are continually being raised, and even the experts can be played.

My phone, the mighty Moto-X.

https://www.motorola.com/us/motomaker?pid=FLEXR2

This is my long-awaited review of the Moto-X, second generation phone, with some words about my experience with the first generation Moto-X, and the general effort that Google is making with this class of phones.

First let me say that the Moto-X is my phone.  I am an ex-iPhone user, and although I miss aspects of the iOS environment and the lovely hardware design and execution, I am not really looking back until someone answers this post anywhere with a complete user experience that matches or exceeds my results with Moto-X in the areas that I consider most important.

So, next let me state the priorities.  My smartphone is a business tool that I happen to enjoy when I am not using it for business.  There are many of us who approach this device this way.  Most of us like me are not teenagers or even in our twenties.  So to sum up my objective: I want a comprehensive communication tool with maximum Darwin award avoidance.

Communications: Texts, Phone calls, Emails, Tweets, WhatsApp messages, Instagram messages, Facebook posts, LinkedIn updates, weather alerts, news alerts, sports app alerts, and anything else the world wants to throw at me.  My job is to capture them all, sort them out by importance and respond to the ones that matter.  My hope is to enjoy a few of them that may not be important but provide fun or entertainment.  This is the marvel of the smartphone which makes them so interesting to manage. 

By the way, if you want my opinion of BYOD and how to control the smartphone in the workplace, here it is:  Manage the person, not the device.  Look for results and energy in your business enterprise from your employee/partner/associate.  Make no attempt to control what they are doing with their smartphone other than to thank them for their service and take it away from them when you have fired them for not getting the results you expect.  If the phone is theirs, make sure you have the right to wipe it and own the backup.

Back to Moto-X, I am dead serious about cell phone safety.  Since the early nineties I have had a cell phone in my car, and I consider the whole point of mobile communications to be my ability to respond quickly to an opportunity or concern.  Since I am an Information Technology provider, I spend too much time in my car to be cut off the whole time from communications, yet it has become abundantly clear that most forms of smartphone communication are lethal when driving, and sadly we have subjected this next generation to that experiment with some disastrous results.  I am determined not to add to those statistics, but realistically, I am going to know what is coming and going on my phone when I am behind the wheel.  That is where the Moto-X absolutely stands out.

When I am driving, if my wife texts me, my podcast pauses and my phone says to me "new text from Salma Hayek".  (It actually says something else, but I don't think Salma will mind helping save a few more lives, and my wife didn't have the cash to be included in this post).  Then the phone says "do you want me to read it to you?", and I say loudly and clearly "yes".  Then the phone says "OK, Salma Hayak says: thanks for the lovely evening last night, I particularly like the way it ended.  Let's do it again!"  (This is the kind of text I receive after we have spent the evening cleaning out the goat pen.  It's really fun and we just fall into bed exhausted!)  Then the phone says "Do you want to reply to Salma Hayek?", and I say loudly and clearly "yes", and the phone says "OK, tell me what you want me to send to Salma Hayak", and I say loudly and clearly, "Me too, let's do it again tonight exclamation point", and then the phone says "OK, I think you said "Me too, let's do it again tonight!", is that correct?, and I say "yes", and then the phone says "OK, sending text to Salma Hayek", and I have just taken care of a text while I was on the road driving my car.

OK, I am going to acknowledge some of the criticism that I am inevitably going to get about this last paragraph.  I hear you saying, "but Nate, ANY distracted driving is not appropriate, you should have 100% of your attention on your driving."  I am glad that you can't see my face right now.  The expression on it would offend you, but there is nothing I can do about that.  I have been driving for 41 years, and I have certainly averaged well over 20,000 miles per year over that lifetime of driving.  I am going to make an assertion here:  "All driving is distracted driving".  In my view, if there is a way that I can dispose of my distractions while keeping both eyes on the road and both hands on the steering wheel, then I am light-years ahead of those who are trapped in their distractions, unable to dispose of them and return their full attention to their driving.

Let's face it, if we all required ourselves to focus 100% on our driving, we would purchase cars equipped like taxicabs so that our passengers could be kept separate from us.  Mothers would not talk to their children on the way to school or soccer practice.  It's ridiculous.  We must seek the most reasonable, expedient and effective compromise that we can find, and I find the Moto-X to be exactly that compromise.

There are so many other subtle features of this phone that impress me and make me love it.  Most of them fall under the control of an app that they now call "Moto", and those features include "Assist", which I have been describing here, "Actions" when I wave my hand over the phone, or open the camera with a shake.  "Voice" is the voice response system of the phone with is so much better than Siri that there is not room or time for that expression of distain here.  With the new version, you can pick your own "Activation Phrase", which causes the phone to listen for your words and respond, so you could activate your phone with something iconic like "Frankly my dear, I don't give a Damn", or "Say hello to my stinky little friend".  "Display" scavenges battery life by illuminating only the portion of the OLED display required to show the time, or a key alert.

Another unique app is "Connect", which I believe might have saved the whole Windows phone/Windows 8 fiasco for Microsoft if they had just focused on it and introduced it four years ago.  Connect puts your phone activity on your computer screen via a Chrome browser plugin.  

Beyond these, there is the whole Google-verse of apps and ecosystem which I enjoy and find effective.  As I said above, there is some subtle integration that is unique to the Moto-X phones, the first one of which I got after it came out last spring on Verizon, and then having loved it so much upgraded to the right-sized 5.2 inch Moto-X 2nd gen phone.  I am partial to the Nexus Android experience, which is unchanged from that which is spawned directly from the software engineers at Google, and you get that Nexus experience on the Moto-X phone.  Interestingly, the giant Nexus 6 is made by Motorola and looks like a six inch Moto-X, yet it does not have the same processor and sensor architecture of the Moto-X phones, so it cannot do all of the same tricks.

When I had the original Moto-X phone, I bought a cool little add-on called "Skip" from Motorola, which allowed a small magnetic garment clip with an RFID chip in it to unlock the phone.  I do keep a lock code on my phone because I don't want a phone thief to be able to get directly in to my personal information, so Skip was a real time saver, but it is not compatible with the 2nd gen phone, about which I am a little bitter.  Something about the new NFC communications being incompatible with the old.  NFC is "Near Field Communications", which is a technology to allow smartphones to interact intelligently with objects nearby that contain NFC compliant RFID chips.  This is an emerging technology, and I thought Skip was a great use of it.

So, as a final note, the only downside for me about the Moto-X is that we have no way of gauging Google's enthusiasm for this phone, although we can say that it is successful enough that it was one of the five or six top smartphones of 2014 by most reckonings, and the only one that came directly from Google via their subsidiary, Motorola.  But wait, Google has sold Motorola to Lenovo, which means this could be all completely up in the air, except that if Lenovo and Google don't continue to partner on the development of the Moto-X phone brand and functions, it will drop out of the top six, and why would Lenovo or Google want to let that happen?  Google is a very tricky company to read because everything they do is a massive play on Internet traffic and search, the mother of all their businesses, and ostensibly the mother of all businesses.  I feel that I have no choice but to still bet on the Moto-X, my mobile friend.