Lenovo Pre-Installs Adware That Breaks Security

In a move that defines the term “monumental stupidity”, Lenovo has been delivering laptops with pre-installed adware that totally exposes their customers data since last fall.

Built into Lenovo’s version of Windows is a piece of adware called “Superfish”.  This software intercepts advertising being delivered from pages you visit and replaces it with their own advertising.  Pretty scummy, but, that’s just the aggravating part of it.  The real problem is that a single self-signed root HTTPS certificate is used.  Think about this for a minute.

When you use that new Lenovo with Superfish installed a single password, to a single root HTTPS authority exposes everything that would normally be encrypted.  Passwords, Credit Card Numbers, etc.  And, that password has now been published online.

What to do?  Well, the only real way to clear the problem is to completely wipe the hard disk of your Lenovo.  Then reinstall Windows (NOT THE LENOVO VERSION).  And then, change every password to everything.

Need help with that?  Just give OPENRSM a call or email…

(SOURCES, ArsTechnica, Gizmodo, Slashdot,Errata Security)

Centurylink DSL Service Major Disruption

Centurylink is having issues in Missouri, Arkansas, and Illinois today…

Here’s the map:

Map Showing Centurylink DSL Network Down Event. Red is bad, nothing is good, yellow is partial down.

If You Use Time Warner You Might Not Be Able To Read This

There was (is) a huge outage on the Time Warner Internet Access Network this morning.  Starting around 4:30am a maintenance upgrade has gone horribly wrong.  Which is to say, if your on Time Warner Cable it’s likely you can’t read this (until your service is restored, anyway).

Here’s the constantly updating map of the Time Warner Network online status.  Just like weather radar…  Red is bad, green is good.

http://downdetector.com/status/time-warner-cable/map/

The cost of this?  Well, Time Warner won’t lose all that much money.  It’s not likely that they will give credits/refunds for a few hours of downtime.  But, if your business is on Time Warner, it could cost a ton of bucks.  Can’t process orders?  Credit Card and Check payments?  Access suppliers?  Put that big “one day” promotion online?  Can’t do that if your Internet is down.

Which brings us to the real purpose of this little screed about the incompetence that is Time Warner Cable’s latest faux pas…  If your business relies on the Internet (and few do not anymore), you really need to have a plan in place for when bad things happen.  It’s not always bringing in a competitive alternate Internet feed, either.

What you really need is a team of people that have “been there, done that” and work with them to make incidents out of your direct control nothing more than a minor hiccup…  Instead of a money draining loss.

Give OPENRSM a call (or email), and let’s get your business back online and have your business prepared for when bad things happen.

Microsoft Shows Us Why Automatic Updates Arn’t A Good Idea

Oh, don’t get us wrong..  We love being able to update systems at the click of a mouse!  But, having systems updates just “happen” is rarely a good idea.  And Microsoft has shown us all why in a big way.

This past “Patch Tuesday” update from Microsoft is causing Windows7, Windows8, and Server2013 systems to BSOD (blue screen of death).  It’s widespread enough that Microsoft has withdrawn the update!  For Microsoft, this is a huge deal.  But, not quite as huge as all the people whose computers were “bricked” by an Automatic Update!

Microsoft Patch Tuesday Update Creates BSOD

This is why you should NEVER have updates happen automatically.  And why businesses should have a company like OPENRSM do the updates for them.  Why?  Because their tested before being accepted.  Will that Java update break that required program your suppliers make you use?  Does that security update declare that your anti-virus program is a virus?  Will a general “patch fix” from Microsoft render your machine useless?  Well, if your simply accepting automatic updates for Windows, OSX, Java, Adobe, etc., you could have a very bad day.  Best to let people who test these things with the software you already use update your systems for you.  Only, after they are tested!

Change Your Passwords and UserNames Now

It appears that the “Russian Mob” has pulled off something big…  Stealing 1.2 Billion (yes, with a B) usernames and passwords from a wide range of sites.

Anytime something like this happens, OPENRSM suggests you change everything.  Including usernames, passwords, on all accounts and computers.

The New York Times has the story….

Just How Much Personal Info Are You Giving Away?

It’s pretty well known that many websites make an effort to track you online.  Even when your not on their site!  But, just how much tracking is going on?

We decided to do a “quick and dirty” look at a few popular websites to see just how many different trackers are deployed.  And, it’s not pretty.  In fact, it’s pretty ugly.

1. Drudgereport.com is by far the worst offender with at least 37 different cookies, trackers, advertising preference systems, etc. looking at you.
2. The Kansas City Star’s website, KansasCity.com has 13 peeking at what your doing.
3. KCTV5.com weighs in with 16. 
4. The popular humerous headline site Fark.com is a heavyweight with 19 different trackers.
5. And last, but not least, on our list is the popular fact checking site Snopes.com.  Which is using 28 different tools to see what your doing online.

Now, what happens when you block most (if not all) of these different little logical spy devices?  When tested on a 1.5Mbs DSL connection (fast enough to get results, slow enough to calculate differentials) we got some significant results.  Here’s what we did:

• Blocked all advertising trackers.
• Left open all trackers that serve a useful purpose (live support, security checking, etc.).
• Loaded a predetermined set of websites and a Firefox Macro Script that would load each page in succession.  After one page fully loads, it loaded the next.

We cleared the system Cache between each test run (and we did 10 runs of the tests).

Well, go figure!  You can surf much faster with all that “spying into what your doing stuff” turned off!  Significantly faster (tests ranged from 10-14% faster).  And, we wern’t leaking all kinds of personal data, surfing history, etc. out to other people we just think have no business tracking us.

Want to protect your personal and business information?  Give us a call or email.  We can not only block out the “bad actors” that are tracking you and your employees every online move, it’ll get you a little bit more out of your existing Internet connection speed too.

AT&T Has Security Breach, Doesn’t Bother To Tell Customers

Another day, another sad story about a big company losing customers private information, and not telling anyone about it.

In April, AT&T confirms employees of an outside contractor hacked customers’ information including Social Security numbers.  The contractors employees attempted to unlock phones to put them on another network.  Did they sell the names/SSNs?  Nobody (including AT&T) has answered that question, yet.

You can see AT&Ts full response as posted by the California Attorney Generals Office by following This Link.

Who’s watching out for your Company’s and Employee’s Mobile Data?  Helping to create the policies, procedures, and infrastructure to protect your data?

Give OPENRSM a call…  We can make it easy for you to secure your information.

OPENRSM Advises Changing AppleID Passwords Immediately

It seems to be Apple’s turn in the data wars between “fast buck” artists and real companies.

Apple iPhones/Pads are locking up all over Australia and the UK and being held for ransom by a scammer that has managed to gain control of the devices.  Apple has yet to comment but incidents in the US can’t be far behind.  The “Find My iPhone” service seems to be the only link between the users whose iPhones and iPads are being “held hostage” by the scammers.

From an article in  The Telegraph: “Currently there is only speculation about how the attacks have been carried out. Apple has not yet responded officially,”… “With the possibility that this attack is linked to your ‘Apple ID’, affected users are advised to change your Apple ID password as soon as possible.”

And, so you should.

OPENRSM Advises All To Change Ebay and PayPal Passwords Immediatly

Last nite, an official PayPal blogpost contained nothing but a title…  “eBay, Inc. to Ask All eBay users to Change Passwords.”.  Which was quickly taken down only after being tweeted and posted to Facebook many times.  Later, Ebay reported on it’s own official blog that their corporate network security had been breached…  In late February and early March.

What to do?  Log on to your EBay account and change your password!  And do the same with your PayPal accounts (as PayPal is owned by EBay and data is shared between the two (i.e. sharing the same corporate network).

You can view the offical Ebay blogpost at: https://blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords/

Kickstarter Hacked – Takes Three Days to Tell Anyone

The popular crowd source finance site Kickstarter was hacked!  In an email received today, Kickstarter CEO Yancey

Strickler stated “On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data.”

Now, think about this for a second.  First, Kickstarter knew this past Wednesday that they had been hacked, and, only now are telling customers about it.  That’s three days that the hackers had to use the data they stole.  Second, Kickstarter had no idea they had been hacked.  They were told by “law enforcement officials” that they had been hacked.  I’ll bet their security people are having nightmares about theforthcoming pink slips about now.

But Wait!  There’s More!

Again, from the email Kickstarter sent to customers, “As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part.“.  Well, I do have to give it to Kickstarter for closing the hole (speculation here, but it looks like it’s in their FB Connect systems or related code).  But, it might not be a bad idea to change your Facebook account password about now.

Good News!  It Wasn’t A Total Loss!

Kickstarter also said that. “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.”.   I am happy that Kickstarter didn’t lose my credit card data.  But I think I’m changing my PIN anyway, and check the account a couple times a day for a while.  And my Kickstarter account is more than likely going to be totally reset as well.

What’s The Lesson?

The simple lesson is that nobody is safe.  Kickstarter is a good company, with a popular online product, and good people working for them.  And if they can get hacked, so can you.  What’s the Lesson?  Keep your security updated.  Make sure your anti-virus is backed up with an anti-malware system in addition to remote cloud backups.  Don’t go surfing strange sites.  And change your passwords on a regular basis.

Need help getting all that done?  Click on our Contact link (above) and let us know.