#1 – Melting Down Your Computer

SHOW NOTES

We have a great show today filled with simple things you can do to avoid the major hacks and attacks happening on the internet right now. No computer science degree necessary – just do it yourself!

Our guest is Shahid Buttar of the Electronic Frontier Foundation, speaking about net neutrality and privacy issues.

Also, we answer questions from our listeners. Plus, we have a packed list of news items, including:

– Meltdown and Spectre – a problem that could effect practically every computer, tablet and smartphone

– Problems with WD My Cloud products issue that are easy to fix

– an issue preventing Windows updates for people who don’t use Microsoft Defender

– an unusual hack involving SONOS and Bose

– A new product that Facebook is testing that everyone should avoid

– Something you need to know if you let your internet browser remember store your passwords

– a new low in personal data collection.

…and more!

Everyone that uses any computer – Meltdown and Spectre

MELTDOWN

TARGET – everyone

FIX – update software and OS

Much bigger problem for big companies, and IT people. You will hear IT people use ‘catastrophic.’ Don’t panic – just follow these steps. Home users, student, small business – you can handle this.

 

Fix – find updates for your software (not hardware) Will discuss how to safely update soon.

Priority – Stop what you are doing and update your browsers now. Then update other programs you use (word, adobe, everything)

Cost – expect your computer to run slower – approximately 5% to 30% slower.

 

What’s the problem.

  • Chips (a.k.a. processors) make your computer perform
  • Performance speed matters
  • Intel, AMD and ARM constantly trying to improve speed of performance.
  • Decades ago, chips started taking shortcuts. Processing code out-of-order, mapping or caching results of parts of the code, etc..
  • Research figured out how to EXPLOIT this:
    • Meltdown: Full local system compromise. Meaning all data can be accessed, which can include personal data and passwords.
  • Multiple experts have called this catastrophic, if you consider a 30% slowdown catastrophic.

 

Good news: It was discovered by researchers, not because anyone found active virus attacking computers (yet).

 

More good news: Software vendors were notified back in July, 2017, public announcement was January 3, 2018. Most OS vendors (apple, Microsoft, Linux) and browsers (chrome, explorer, firefox, and safari) used the time in between to fix most software.

 

WARNING: older products (Linux kernel, 4.14.1 or earlier) have not all updated as of this recording, so look for updates and run them as soon as you can. This link tells you how to check: https://www.howtogeek.com/338801/how-to-check-if-your-pc-is-protected-against-meltdown-and-spectre/

 

Next segment – how to update.

 

A Note About Spectre

Breaks down barriers between programs – one program could be tricked into divulging its memory and activity to a virus. It is harder for a hacker to use (good news) but it is also much harder to fix (bad news).

 

Gotta update, but not how you may think.

 

How to (safely) update your software:

  • Never, never, never click the friendly pop up box. Never.
  • Find “Check for updates’ in your program. Usually, you can click on “About” on most programs find the ‘check for update’ button. Or, click ‘help.’ May find button or search term.
  • All else fails, Google “How to check for update for [PROGRAM NAME].”

 

Western Digital (WD My Cloud)

FIX: update your software – update to version 2.30.174 or later

Hard-coded backdoor – unchangeable username and password written into the software that runs the device.

MUST make sure you are on version 2.30.174 or later

Google: “update wd my cloud”

https://support.wdc.com/knowledgebase/answer.aspx?ID=13193

 

Microsoft Users who use Antivirus software

If you are using windows without any antivirus software other than Security Essentials or Defender (default) – you will not get the updates. And you need the updates due to regular security patches. Disable 3rd party software.

SUNOS and Bose Internet Users – Hack that steals credentials

FIX: Update the firmware from app

Can steal log-in details for your internet music accounts

  • spotify
  • pandora

Anyone who uses a browser, and wants it to work faster

Firefox quantum – in settings you can change Tracking protection AND Do Not Track Signal to “always;” Chrome can’t/

 

Effectively an ad blocker for sites that honor do not track. Note: this will reduce advertising revenue.

Facebook Users (Australian)– with compromising photos

 

Don’t do it.

Change one pixel, and plan fails.

What if pic is compromised in transit?

If you have a pic, delete it. If you have a backup, delete that. If you boyfriend, girlfriend, spouse – anyone – has a pic of you that you don’t want to show up on Google images, do the best you can to delete all copies and backups.

Browsers’ Built-in Password manager

Anyone who uses their browser to store passwords.

Source: Freedom-to-tinker

More Info: Google “freedom tinker login”

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

Everyone online (you are the product)

Really disturbing profiles at AudienceInsights.net, which is run by Adthink.com. Using the password manager flaw.

 

On their website, they say they collect info like,

  • events related to your activity on the partner’s website (such as the number of pages viewed or your searches made on the partner’s website),
  • information provided by trusted partners that may include socio-demographic data such as age range.
  • We do not collect any personal information. We do not know who you are. We do not know your residential address, your email address, your phone number or any other personally identifiable information about you.
  • We do not collect sensitive information (such as medical condition, bank account…).

BUT – according to

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

 

They collect:

  • birth date
  • age
  • gender
  • nationality
  • height
  • weight
  • BMI (body mass index)
  • hair color
    • (black
    • brown
    • blond
    • auburn
    • chestnut
    • red
    • gray
    • white)
  • eye_color
    • (amber
    • blue
    • brown
    • grey
    • green)
  • education
  • occupation
  • net_income
  • raw_income
  • relationship states
  • seek_for_gender
    • m
    • f
    • transman
    • transwoman
    • couple
  • pets
  • location
  • loan
    • type
    • amount
    • duration
    • overindebted
  • insurance
    • (car
    • motorbike
    • home
    • pet
    • health
    • life)
  • card_risk
    • (chargeback
    • fraud_attempt)
  • has_car
    • make
    • model
    • type
    • registration
    • model year
    • fuel type
  • tobacco
  • alcohol
  • travel
    • (from
    • to
    • departure
    • return)
    • car_hire_driver_age
    • hotel_stars

 

How to opt out

Opt out through Audience Insights

On audience insights.com, about halfway down the page, click “check my status” then “click to opt out.”

 

How to block through your browser:

  • For Mozilla Firefox:
    • Select the “Tools” menu then “Options”
    • Click on the “Privacy” icon
    • Find the “Cookies” menu and select the options that suit you.
  • For Microsoft Internet Explorer:
    • Select the “Tools” menu, then “Internet Options”
    • Click on the “Privacy” tab
    • Select the desired level using the cursor.
  • For Google Chrome:
    • Click on the “wrench” icon in the browser’s tool bar
    • Select the “Options” menu then click on “Advanced Options”
    • Click on “Content settings” in the “Privacy” section
    • Click on the “Cookies” tab and select the appropriate options
  • For Opera 6.0 and beyond:
    • Select the “File” > “Preferences” menu
    • Privacy

 

General Info

To learn more about third party online advertising and to withdraw from this type of advertising, visit the following Web sites:

 

EDAA : http://www.youronlinechoices.com/uk/your-ad-choices

Digital Advertising Alliance: http://www.aboutads.info/choices/

Network Advertising Initiative: http://www.networkadvertising.org/managing/opt_out.asp

Published by

David W. Schropfer

David W. Schropfer is the CEO of AnchorID, Incorporated, a cybersecurity company in New York (www.AnchorID.com).  Every day, he and his team of professionals keep the people who use AnchorID safe from some of the most common traps, hacks and attacks that target computer systems of all sizes. David’s previous books, including The Smartphone Wallet and three industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries.  Since graduating Boston College, David earned an Executive MBA from the University of Miami.