Why are Passwords like Kleenex®?

Our lives are full of passwords, lots and lots of passwords… for everything. These necessary evils protect our personal information from thieves, but how do our trusted instruments of security become agents for hackers? They do when a much-loved userid and password pair betrays us.

Passwords have become a necessary part of our lives; many websites, from the mundane coupon-clipping site to your bank, use passwords for account tracking, and of course every credit card, bank account and ATM transaction requires a password or PIN code. Daunted by the prospect of creating a new userid and password when signing up for a new service, many people take the easy path and use the same userid and password for all of their online activity. This is like using the same tissue over and over, yuck!

Recent data breaches at national retailers have exposed millions of userid and password combinations. Hackers take these combinations and try them at other popular websites, hoping a reused combination will work so they can steal user information (SSNs), financial information (checking account numbers, or money, in the case of ATM PINs) or personal information (useful for blackmail). The easy answer is to use unique userids AND passwords in every instance, but it would be a herculean task to keep more than a handful of passwords straight. Thankfully, there is a way to keep hundreds or even thousands of unique userids and passwords organized and safe. Enter the password manager.

Password managers are de rigueur for the computer geeks among us, but are still a new concept for the majority of users. This category of software applications replaces the bevy of Post-it® notes surrounding our computer displays, looking like little yellow flags for the country of Gibberish. I would be willing to bet that you have at least one note on your computer display, either at home or at work, with some sort of hard-to-remember bit of information on it. It’s okay to write down passwords until you can remember them, but it’s not a good idea to keep them on the notepad under your mattress forever, or to store them right next to the computer for any length of time. What do you think would happen if someone broke into your home or place of work and stole your computer, taking that special little Post-it with it? Right, it would be very bad.

How bad? See these links:

http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/

http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

Password managers have a number of unique features: the ability to generate complex passwords, create a rank-ordered list of passwords by age, show you how many times a password has been used, insert the password for a website directly into the field on the webpage, self-destruct if someone enters the wrong password too many times, sync the password file across multiple devices, and automatically back up the password file. Oh, and before I forget, Microsoft Excel® is NOT a password manager; it doesn’t do any of these things automatically. Stop using a spreadsheet to manage your passwords... immediately!

So how do password managers work? They are, basically, database applications that allow the user to create categories of sensitive information and then create records, or entries, within those categories for credit cards, websites, Social Security Numbers, or other classes of sensitive information. The password manager then locks all those bits of sensitive data behind a single master password, using that password to encrypt the entire database with strong encryption. The file that contains this sensitive information is then stored in a location accessible by all your devices, usually a cloud service like Dropbox or iCloud.

The most important rule for using a password manager is to use a very long and complicated password to protect the password manager itself, so that even if a hacker gets their hands on the file containing the encrypted passwords, they will not be able to crack it in a short amount of time. You will have to memorize this password. The second rule is to use the password manager to routinely change all your passwords (usually every 3 months), so that even if a hacker throws brute-force computing power at a password, the passwords will all have been changed before they can decrypt the file. Let’s be very clear, ALL passwords can be broken. The third rule is to use the password manager to create complex, hard-to-crack passwords; this gives you time to change your passwords before the hacker can finish his dastardly work.

So to sum up, 1) use a password manager, locking it with a complex password, 2) create unique, complex passwords for EVERYTHING, and 3) change your passwords on a periodic basis. Remember, passwords are like Kleenex: they are one-time use.

To illustrate the use of unique userids and passwords, here is an example of a random userid, yuT4pAj9iC7N@email.com, and a complex password, riB@Veej^heer>yal*Rirr)uG.

Yes, you can use random numbers and letters for an email address and yes, you really do need a 25 character password, especially for cloud storage and financial accounts. PLEASE DO NOT USE THESE EXAMPLES! As complex as they look, these userid and password examples are no longer secret. I created both of these examples using the password generator built into 1Password.
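As an added example (not code from the post or from 1Password), here is what a manager's password generator and the post's brute-force arithmetic look like in Python: every character is drawn from the operating system's random source, and the rotation rule is checked against an attacker's guess rate. The character set, the 1e10 guesses per second and the 1000x safety margin are constructed assumptions; tune them to your own threat model.

```python
import math
import secrets
import string

# Character set for generated passwords. Assumption: upper- and lower-case
# letters, digits and the symbols seen in the post's 1Password example (@ ^ > * ).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()<>+=?"
GUESSES_PER_SECOND = 1e10          # constructed figure for an offline cracking rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 25, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), never random.random()."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_userid(length: int = 12, domain: str = "email.com") -> str:
    """Random local part using letters and digits only, so it stays a valid address."""
    return generate_password(length, string.ascii_letters + string.digits) + "@" + domain


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(length: int, alphabet_size: int,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years for an exhaustive search to hit the password.
    On average half of the keyspace must be tried, hence the division by 2."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def rotation_is_safe(length: int, alphabet_size: int, rotate_every_days: float,
                     guesses_per_second: float = GUESSES_PER_SECOND,
                     safety_factor: float = 1000.0) -> bool:
    """Rule 2 of the post: the password is changed long before a brute-force
    search is expected to finish. safety_factor is an assumed margin, because
    an attacker may get lucky well before the expected time."""
    expected_seconds = years_to_brute_force(length, alphabet_size,
                                            guesses_per_second) * SECONDS_PER_YEAR
    return expected_seconds > safety_factor * rotate_every_days * 86400


if __name__ == "__main__":
    pw = generate_password()
    print("userid:", generate_userid())
    print("password:", pw, f"({entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    print("25-char password survives 90-day rotation:", rotation_is_safe(25, len(ALPHABET), 90))
    print("8-char lowercase password survives 90-day rotation:", rotation_is_safe(8, 26, 90))
```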

Here are some good examples of password managers:

Next post I’ll take a look at online cloud storage and how to protect your information from theft.

Kevin

To upgrade, or not to upgrade, that is the question.

“To upgrade, or not to upgrade, that is the question.” Though upgrades aren’t usually life and death matters, as my paraphrase of Hamlet’s famous dolorous soliloquy might suggest, I have been known to bang my head on the wall after a botched software patch clobbered my system.

So how should one handle software upgrades to client and server systems used for business (or at home, for that matter)? Should you upgrade everything as soon as the update is available, or wait a bit? There is definitely a right way and a 'risky way' to handle computer upgrades. Follow on, intrepid reader, and let me explain the difference.

The single most important goal in all of computerdom is a stable system built upon the perfect golden image ('image' here referring to an amalgamation of files, scripts and operating system bits that, when booted, create “the computer”, complete with mouse pointer). A stable system requires considerable effort and can take a company hundreds of man-hours of testing to get the recipe right. When Microsoft or Apple release updates to their respective operating systems, the users who immediately apply the updates expect the manufacturer to have worked out all the kinks, and it should “just work”. It does, most of the time, but sometimes the software updates don’t work, leaving your computer in a semi-functioning state. What follows is a real-life example.

I was in the Apple Store a few years ago and overheard a customer berating the Apple Genius for a faulty OS X upgrade that rendered his iMac incapable of working with his scanner, or doctor’s office software, or perhaps it was a combination of the two (in Apple’s defense it was a new version release, not a minor 'dot' release). Of course the doctor didn’t have the time to deal with this, which made the problem all the worse. Apparently, in addition to having a degree in doctoring, he was also a DIY computer maintainer and explained in some detail to the Apple Genius how he dutifully upgraded all the Macs in his office. What he should have done, or better yet, paid an IT professional (like HL Gray!) to do for him, was to install the upgrade on one Mac and test the applications and workflow before installing the upgrade on all the rest. The same goes for Windows (the question of upgrades is even worse for Windows environments, but I digress).

The good doctor used the "risky way" of performing computer upgrades.

Here is a simple way to test an upgrade for a group of Macs (or a home computer) without breaking the bank:

  1. Buy an external USB drive formatted for a Mac (using the HFS+, Journaled file system).
  2. Attach it to the Mac via USB.
  3. Clone the boot drive from the Mac to the external drive, creating an exact copy of the current work environment.
  4. Select the newly minted USB drive from the Startup Disk preference pane in System Preferences, then press the ‘Restart’ button found in the Startup Disk pane.
  5. The Mac will then boot to the external drive you selected in the previous step.
  6. After the Mac boots to the external USB drive, check to make sure you have actually booted from the external drive by opening "About This Mac" from the Apple menu in the top left, the Startup Disk will be indicated on the panel that pops up. If the computer instead booted from the internal drive, perform step 4 again, being careful to select the external drive with your mouse.
  7. Once you've verified the external drive is the Startup Disk, perform the system upgrade by selecting Software Update from the Apple Menu in the top left of the screen.
  8. Once the update has been installed on the external drive and following a system reboot, test out the environment by going through the entire workflow, including retrieving, saving, and printing data files within your company’s business applications. Use all the applications as if you were entering customer orders, updating patient records, etc.
  9. To go one better, have one person in the office use this test machine for an entire week; this will help ferret out corner cases where the new image may not work. If the test machine proves unreliable, you can simply select System Preferences > Startup Disk, select the original startup disk inside your Mac and boot from it, returning the machine to its original, pre-update operating environment.
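Steps 6 and 8 are where a tired administrator skips ahead, so here is an added example (not from the original post) of a small shell script that refuses to continue unless the Mac really booted from the clone and then checks that the applications the workflow depends on, and at least one printer queue, are present. The clone volume name and the application list are placeholders you replace; the "Volume Name:" field it parses is the one printed by diskutil info on OS X.

```sh
#!/bin/sh
# Post-upgrade smoke test for the clone-and-test procedure above.
# Placeholders (assumptions): the name you gave the external clone volume,
# and the application bundles your office workflow depends on.
CLONE_VOLUME="${CLONE_VOLUME:-TestClone}"
REQUIRED_APPS="${REQUIRED_APPS:-/Applications/Safari.app /Applications/Mail.app}"

# Extract the "Volume Name:" field from `diskutil info` output (step 6 check).
# Takes the text as an argument so it can be exercised without diskutil.
volume_name_from_info() {
    printf '%s\n' "$1" | sed -n 's/^ *Volume Name: *//p' | head -n 1
}

# Name of the volume currently mounted at "/" (OS X only).
current_boot_volume() {
    volume_name_from_info "$(diskutil info / 2>/dev/null)"
}

# Count the listed application bundles that are missing (step 8 check).
# Prints the count; returns 0 only when every bundle is present.
count_missing_apps() {
    missing=0
    for app in "$@"; do
        [ -d "$app" ] || { echo "MISSING: $app" >&2; missing=$((missing + 1)); }
    done
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# Step 8 includes printing: CUPS lists configured queues as "printer <name> ...".
printers_configured() {
    lpstat -p 2>/dev/null | grep -q '^printer '
}

main() {
    booted="$(current_boot_volume)"
    if [ "$booted" != "$CLONE_VOLUME" ]; then
        echo "Booted from '$booted', not the clone '$CLONE_VOLUME'; go back to step 4." >&2
        exit 2
    fi
    echo "OS version: $(sw_vers -productVersion 2>/dev/null || echo unknown)"
    # shellcheck disable=SC2086  # word-splitting of REQUIRED_APPS is intended
    count_missing_apps $REQUIRED_APPS >/dev/null || exit 3
    printers_configured || { echo "No printer queues configured" >&2; exit 4; }
    echo "Smoke test passed on '$booted'; now walk through the real workflow by hand."
}

# Only run the checks when invoked as: sh smoke-test.sh --run
if [ "${1:-}" = "--run" ]; then
    main "$@"
fi
```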

This is the right way of doing upgrades. I use this same method for my personal Macs at home.

I did gloss over one step that takes more work than the single sentence I gave it suggests. Cloning a drive can be done with either of two utilities available for purchase, SuperDuper (http://www.shirt-pocket.com/SuperDuper/superduperdescription.html) or Carbon Copy Cloner (http://bombich.com). I have used Carbon Copy Cloner for years and swear by it; I have also heard good things about SuperDuper, but don’t have any personal experience with it.

The key here is not to apply system updates to an entire office the second the updates become available. Do your own test installation and, while you are performing your tests, let the good people of the interwebs give it a go and report on their findings; if something is amiss it gets reported within a few hours. Even if there aren’t any howls of angst echoing down the wire, your particular environment may not be representative of the majority of users, therefore it falls to you, intrepid reader, or your chosen IT servicing agent, to verify that the upgrade works with your environment... DO NOT SKIP THIS STEP!

Many of the concepts I’ve discussed also apply to Windows systems, but the method is a little different since Microsoft does not officially sanction booting Windows from an external drive.

Updates are extremely important, especially in this day of viruses, zero-day exploits, and malware; without updates we would be overrun with botnets spewing spam and collecting credit card numbers, so please upgrade your computers, just do it the right way and save yourself a lot of grief. In a coming blog post I will show you how you can use Apple’s Server.app to control and automate the upgrade process; it is really cool!

Kevin

OS X and Windows working together? Yes!

I’ve often been asked how a company that has used Windows for years, or decades, can change its client infrastructure. Well, it’s a lot easier than you think; let me explain.

Over the last 10 years, smaller servers have gained access to a technology once only used by IBM mainframes: virtualization. The principle is this: create software that makes another operating system think it is running in a physical server all by itself, when in fact it is running INSIDE of another server. The original problem IBM was trying to solve back in the early 1970s was how to leverage their very expensive and relatively scarce S/370 mainframe resources, so their programmers could test multiple software applications in one mainframe, instead of one application per system. Thus was born VM/370, or Virtual Machine Facility / 370.

Fast forward 30+ years and a little company called VMware (www.vmware.com) created a product that allowed an Intel server to host several operating systems, mimicking the features of VM/370 (albeit using a simpler method and not as robust). What used to require separate servers for each instance of an operating system could now be done with one server, with those OS instances each taking up a portion of the machine resources. Not only could users make better use of their existing servers, they could also more easily move these compute resources around and “reinstall” them by simply duplicating the OS instance, which is in effect one big file (40GB, for example). No more mindless hours spent shoving CDs into the machine when reinstalling the operating system!

Fast forward 10 more years and we now have virtualization software applications that allow us to install different operating systems on our laptops and the PCs at our desks! The same benefits apply here; by using one physical machine to house different operating systems, we can easily switch between environments, a boon to software developers who need to test their code on different platforms. This is also a timesaver when Windows decides to go belly up and nothing you do can resurrect it. Now you can simply copy over a new “virtual” Windows PC, apply your license key and personal settings and start again. This can easily save hours of work reinstalling Windows on a PC.

What I have found is that using products like Parallels (www.parallels.com) virtualization software on Apple Macs allows customers to use Windows for the specific industry applications required to run their businesses, while letting the Mac take care of the rest of their workflow: email, browsing the internet, file and printer sharing, and all their office applications for word processing, spreadsheets and presentations run equally well on the Mac. This separation of duties reduces the opportunities for crashes in Windows. Another benefit is a big money saver: the applications Apple includes with each Mac have no additional licensing or maintenance fees, unlike Microsoft’s Office apps and their server software.

So yes, Apple Macs and Windows applications do play well together. Use Windows via Parallels for the key applications for your business, and let the Mac take care of everything else. You’ll find the stability and speed of OS X to be a big timesaver and I’ll bet you’ll find Windows is even quicker in a Parallels VM.

Let me help you set up one machine as a trial and see for yourself.

Kevin

New MacBook Airs! Joy!

Apple released an update to the MacBook Air line today, adding the latest Haswell processors and dropping $100 from the price in the process.

http://store.apple.com/us/buy-mac/macbook-air

Thanks to the new processors, the MacBook Airs gained a slight bump in performance and a little more battery life, making the 11-inch model capable of lasting 9 hours while watching iTunes movies, while the 13-inch model can now run for a full 12 hours in movie mode.

Starting at $899 for the 11-inch 128GB model, these laptops are particularly attractive for students. So should you get an iPad Air with 128GB of storage for $799 ($929 with LTE) or a MacBook Air with 128GB of storage for $899? Tethering your iPhone to the MacBook Air gives you LTE network access, so now things get really interesting. It’s a tough choice, but I think I might go with the MacBook Air.

Drop by your local Apple Store and check them out!

http://www.apple.com/retail/

HeartBleed and how to protect yourself

Before I start, please understand the information below is for general edification and not meant to be construed as a set of instructions for your particular environment. If you’d like help understanding what should be done for your company, please contact me, or another trusted IT consultant.

Now with the legalities out of the way, why all the heartache about HeartBleed?

The 2012-2014 releases of OpenSSL, the library that implements the SSL/TLS authentication and encryption behind https, have a serious defect (named HeartBleed). On a 10-point scale, one respected security researcher rates HeartBleed 9 out of 10. Yes, it is that bad.

Why? HeartBleed enables the mass theft of the private keys behind the security certificates used to negotiate the authentication and encryption between clients and servers.

What makes this defect so insidious is that it lays bare the very interactions we want to keep most secure, namely financial and identity related interactions, like those between your laptop and your bank, online retailers and social media. It is urgent that you update your computer as well as any electronic devices that have internet access, such as:

  • Routers and Firewalls,
  • Printers,
  • Network attached storage,
  • NEST thermostats,
  • and any other devices similar to the ones listed above.

You should test your browser to ensure it correctly handles invalid certificates, the special electronic files that are digitally signed by a security authority to prove that the owner of a certificate is indeed who they say they are. Any company that uses OpenSSL as part of its infrastructure has requested new certificates from the granting authority, because a malicious third party could have extracted the private key of the old certificate before the OpenSSL defect was found. If your browser handles invalid (revoked) certificates properly, the bad actor won’t be able to fool your browser into believing they are your bank, and so won’t fool you into typing your userid and password into a false website masquerading as the real bank website.

First, test your browser by going to https://revoked.grc.com. You should get an error indicating the certificate has been revoked. If you get no error, then your browser needs to be updated immediately! Do not use it to connect to any sensitive site, such as a financial institution.

Second, if you don’t mind resetting your passwords in the process, test the websites you visit by going to https://www.ssllabs.com/ssltest/. Type the website you want to check into the Domain Name field and press Submit. Be aware that you might need to use your password during the test, so change it IMMEDIATELY after you finish the test.

What to do if your browser fails the test at revoked.grc.com? Check out the latest list of browsers below and their current state (as of 29 Apr 2014):

  • Firefox v. 29.0 passes the test for Mac OS X and Windows 7. I did not test on Windows 8.
  • Google Chrome Version 34.0.1847.131 (later versions should be retested to ensure no regression errors made their way back into the codebase) for Mac OS X and Windows 7 passes the test and indicates that the site certificate is invalid, but treats the error as a soft-fail, potentially putting you in danger.
  • Internet Explorer, all versions, fail, not just for HeartBleed but for other reasons as well, and need to be avoided at all costs. If you have to use Windows, use Firefox v. 29.0. If you have an ActiveX application that requires IE, ask your developer for a version that does not require ActiveX.
  • Firefox on Android properly handles the revoked certificates; Chrome on Android does not.
  • Safari on iOS handles extended validation certificates properly, but fails on standard validation certificates. Let’s hope Apple gets an update out soon to address this.

In short, use Firefox v.29.0 for Windows, OS X and Android until Chrome and Safari are updated. Use Safari on iOS if your sites support extended validation certificates, or use your laptop for banking until things get sorted.

UPDATE: There were no solutions that provided a fix for Heartbleed on Windows XP! If you're still using Windows XP, please upgrade to a Mac (or Windows 7 Pro) NOW!

If you are a sysadmin reading this, please update and patch all applications and middleware that rely on OpenSSL and update OpenSSL to the most current version (OpenSSH is not affected). Assume your encryption keys and security certificates have been compromised: get new ones, now, and revoke your old certificates as well. And while you’re doing this, go ahead and adopt extended validation certificates; this will protect iOS clients. EV certificates cost more money, but who wants to explain to the Board of Directors why you couldn’t avoid a security breach? In addition to swapping out your certificates, go ahead and reset all passwords. And if you’re really intrepid, check out Perfect Forward Secrecy (Ephemeral Diffie-Hellman).
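As an added example (not from the post), here is a small Python script a sysadmin can use to check three items from the paragraph above: whether an OpenSSL version banner falls in the affected range the OpenSSL project published (1.0.1 through 1.0.1f, plus 1.0.2-beta1; the post itself only says 2012-2014), whether a certificate was issued after the 7 April 2014 disclosure (i.e. was actually replaced), and whether a live server negotiates an ephemeral (forward-secret) key exchange. The host name on the last line is a placeholder.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of HeartBleed; a certificate issued before it may have
# had its private key exposed and should have been replaced and revoked.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

_BANNER = re.compile(r"(?P<lib>Open|Libre)SSL\s+(?P<maj>\d+)\.(?P<min>\d+)\.(?P<pat>\d+)"
                     r"(?P<letter>[a-z]?)(?P<beta>-beta\d+)?")


def openssl_vulnerable(banner: str) -> bool:
    """True if a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' is in the affected
    range: 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g and later, the 1.0.0 and
    0.9.8 branches, and LibreSSL (forked after the fix) never shipped the bug."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    if m["lib"] == "Libre":
        return False
    base = (int(m["maj"]), int(m["min"]), int(m["pat"]))
    if base == (1, 0, 2):
        return m["beta"] == "-beta1"
    if base != (1, 0, 1):
        return False
    return m["letter"] < "g"      # '' (plain 1.0.1) and 'a'..'f' sort before 'g'


def local_openssl_vulnerable() -> bool:
    """Check the OpenSSL this Python interpreter itself is linked against."""
    return openssl_vulnerable(ssl.OPENSSL_VERSION)


def forward_secret(cipher_name: str) -> bool:
    """Ephemeral (EC)DH key exchange: a private key stolen via HeartBleed cannot
    decrypt previously captured traffic. TLS 1.3 suites (TLS_*) are always ephemeral."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """not_before in the form ssl.getpeercert() reports, e.g. 'Apr  9 12:00:00 2014 GMT'."""
    return ssl.cert_time_to_seconds(not_before) >= DISCLOSURE.timestamp()


def check_host(host: str, port: int = 443) -> dict:
    """Live check of one server you administer: cipher and certificate issue date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            cert = tls.getpeercert()
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "forward_secret": forward_secret(cipher_name),
        "cert_not_before": cert["notBefore"],
        "cert_reissued": cert_reissued_after_disclosure(cert["notBefore"]),
    }


if __name__ == "__main__":
    import sys
    print("local OpenSSL vulnerable:", local_openssl_vulnerable())
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    for key, value in check_host(target).items():
        print(f"{key}: {value}")
```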

This isn’t meant to be a complete list of what could be done, but should give you a good place to start.

Welcome to HLGray!

Who, or what, is HLGray and Associates, you ask? Well, we are a husband and wife team, located in beautiful Orlando, Florida, who are excited to bring our 25 years of IT talent to the small and medium sized businesses in the Central Florida area. We also specialize in the Motor Coach Transportation industry and its unique set of needs. Our current customers are part of the Trailways system (www.trailways.org), a national network of professional transportation companies headquartered in Reston, Virginia.

Our minority owned enterprise was founded by Heather Sambdman and she is the business brains behind what we do. She understands the needs of today's businesses and is committed to helping our customers succeed. Kevin Sambdman is the technical muscle behind our solutions and has extensive experience helping businesses get the most out of their IT investments, whether it be in distributed systems, storage and IP networks, virtual server farms or mobile solutions.

We look forward to helping you with your next project!