That cloud may be darker than you expect.

With “cloud computing” the hot word in today’s tech circles, it pays to look at what others have encountered and the end results after the coolness factor has worn off.

In all but the smallest of IT departments, moving to the cloud for real-world workloads simply costs more than purchasing the hardware in-house and allowing it to depreciate over time. While the upfront costs may be lower, the total ownership costs over time may be many times what they could have been.

Please contact us before you take that dive!

Read the story below for more insight.

Why Some Startups Say the Cloud Is a Waste of Money

 

Big-name sites hit by rash of malicious ads spreading crypto ransomware

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when “Angler,” a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave’s SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

“If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,” SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. “Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble.”

Update: According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend, almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexus, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[.]biz and talk915[.]pw.

The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.

Other domain names being used in the current campaign include evangmedia[.]com and shangjiamedia[.]com. The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word “media” to capitalize on the reputation they may enjoy as a legitimate address.
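The pattern described above (a lapsed domain re-registered shortly before it starts serving ads) can be checked against proxy logs. The following is an added example, not code from the article or from SpiderLabs; the log records, registration history, `.example` hostnames, and the 14-day window are all constructed assumptions, and the registrable-domain split is simplified to the last two labels.

```python
from datetime import date, timedelta

# Constructed registration history: domain -> (previous expiry or None, current registration).
REGISTRATIONS = {
    "oldbrand-media.example": (date(2020, 1, 1), date(2020, 3, 6)),   # lapsed, then re-registered
    "bigadnet.example":       (None,             date(2010, 5, 20)),  # long-lived ad network
    "revived-shop.example":   (date(2017, 2, 1), date(2018, 4, 9)),   # recycled, but years ago
    "freshstart.example":     (None,             date(2020, 3, 4)),   # new, never held before
}

# Constructed proxy log: (day, host of the page being viewed, host the page loaded content from).
REQUESTS = [
    (date(2020, 3, 7), "www.bignews.example", "static.bignews.example"),
    (date(2020, 3, 7), "www.bignews.example", "ads.bigadnet.example"),
    (date(2020, 3, 7), "www.bignews.example", "cdn.oldbrand-media.example"),
    (date(2020, 3, 8), "www.weather.example", "cdn.oldbrand-media.example"),
    (date(2020, 3, 8), "www.weather.example", "img.revived-shop.example"),
    (date(2020, 3, 8), "www.weather.example", "t.freshstart.example"),
]


def registrable(host):
    """Simplified registrable domain: the last two labels (no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])


def flag_recycled_domains(requests, registrations, window_days=14, keyword="media"):
    """Return third-party domains that were re-registered after a lapse and first
    appeared in our traffic within window_days of that re-registration."""
    first_seen = {}
    for day, page_host, content_host in requests:
        dom = registrable(content_host)
        if dom == registrable(page_host):
            continue  # first-party content is out of scope for this check
        if dom not in first_seen or day < first_seen[dom]:
            first_seen[dom] = day

    hits = []
    for dom, seen in sorted(first_seen.items()):
        record = registrations.get(dom)
        if record is None:
            continue  # no registration data; handle separately in a real pipeline
        previous_expiry, registered = record
        lapsed_then_reclaimed = previous_expiry is not None and registered > previous_expiry
        age = seen - registered
        if lapsed_then_reclaimed and timedelta(0) <= age <= timedelta(days=window_days):
            hits.append({
                "domain": dom,
                "first_seen": seen,
                "age_days": age.days,
                "gap_days": (registered - previous_expiry).days,
                "has_keyword": keyword in dom,  # the "media" naming habit noted above
            })
    return hits


if __name__ == "__main__":
    for hit in flag_recycled_domains(REQUESTS, REGISTRATIONS):
        print(hit)
```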

The campaign underscores the vital role that smart browsing plays in staying secure online. One of the most important things users can do is to decrease what researchers refer to as their “attack surface.” That means uninstalling things like Adobe Flash, Oracle Java, Microsoft Silverlight, and other third-party browser extensions unless absolutely required. The other crucial ingredient in safe browsing is installing updates as soon as they become available and using the 64-bit version of Chrome for browsing when possible. Windows users would also do well to install Windows 10 and use Microsoft’s Enhanced Mitigation Experience Toolkit.

The posts didn’t elaborate on the crypto ransomware being spread in the campaigns, except for the mention by SpiderLabs that it included TeslaCrypt, which so far is known to infect only Windows computers. With last week’s discovery of Mac-based ransomware, users of all computing platforms should take the threat seriously.

Why Nobody Should Ever Search The Ashley Madison Data

1. Your Computer Will Almost Certainly Get Infected With A Virus If You Do

This is an unfortunate, but true, fact. Most websites purporting to have the Ashley Madison data available for download or search are in fact fakes set up by cyber criminals. Even clicking through to such a site from a Google search is nearly certain to infect your computer with serious malware that could harvest your bank account codes, credit card details and all your personal data, download masses of offensive pornography onto your machine without your knowledge, use it for illegal peer-to-peer sharing of pirated files and plunge you into a lifelong identity-theft nightmare. For this reason alone it is extremely unwise even to go looking for the Ashley Madison data.

2. Just Searching The Data Could Add Your Name To An Online List Of Likely Ashley Madison Users

It sounds crazy, but it’s true. Large numbers of unscrupulous companies are offering webpages or sites which purportedly allow you to search through what they say is the leaked Ashley Madison data. But they themselves will log your details as you use their service, and put these details on a list, which of course can then in turn appear on the internet.

This would then inevitably lead people seeing you on that list to assume you were checking whether your details were on Ashley Madison, and to assume you have a guilty conscience. Even if a search service appears to take no personal details from you, it will almost certainly be logging your “IP address” and placing “cookies” on your computer. This will inevitably reveal you to the world as a guilty Ashley Madison user even if you had never even heard of the website before the recent media firestorm.

Be safe – be sure – simply don’t even click on any site or service that claims to allow access to the Ashley Madison data.

3. The Mere Fact That Someone’s Details Are In The Ashley Madison Data Means Absolutely Nothing At All

The fact of the matter is that the vast majority of people whose details were held by Ashley Madison had absolutely no intention whatever of having any sort of illicit affair. Many profiles were created using people’s details – for instance their names, photographs nude and/or dressed, email addresses etc – without their knowledge by other persons for a huge variety of reasons.

These things are easily harvested from the internet. Even where someone’s credit card details are found in the Ashley Madison data, in almost all cases those card numbers will have been stolen by criminals – perhaps by hacking a completely legitimate online store or other website – and used fraudulently without the owner’s knowledge.

Even where this has not occurred and someone appears to have really registered with the site of their own volition, again this means nothing. Most Ashley Madison users were motivated by innocent curiosity: and in many cases they may have had no interest in having an affair but instead bona-fide work reasons to be registered with the site.

This is especially true of professional journalists, the great majority of whom were registered with the site in order to do essential research into prospective articles on web security, lifestyle features or literally dozens of other valid journalism areas.

It’s important to be aware that such articles often take a long time to prepare, or may be rejected by editors, or for many other journalism reasons will probably not have actually been published prior to the Ashley Madison hack – but nonetheless a good deal of valid work-related research will normally have been carried out on the site.

4. It Is Morally Wrong To Even Look At The Ashley Madison Data. If You Have Looked At It You Are The Truly Evil One – Far Worse Than An Adulterer – And Nobody Should Or Will Care What You Say Or Think

Here’s another hard, cold fact for all the judgemental Victorian moralistic prudes out there. Yes, a minority of Ashley Madison users do appear to have made use of the site to have sex outside their marriages or life partnerships. But the vast majority of this small minority were in fact totally justified in doing that.

Online comments all over the internet from such people prove conclusively that almost every single one of them was with a partner who was totally unwilling or unable to have any sex with them ever, despite every possible exertion by the AM user. Very often this was because of a serious and unforeseen medical condition (such as pregnancy or frigidity, for instance).

The huge majority of such AM users had been clearly and explicitly offered free permission by their spouses or partners to have sex outside the relationship. Almost without exception their testimony reveals that they have selflessly gone to great lengths to make sure that they did not contract a venereal disease from other AM users, even though they were not getting any sex whatsoever from their partners and therefore could not infect them, and nobody involved ever had more than one or two sexual partners who were for their part also in loving but open relationships.

Perhaps in a few cases some AM users may not have had permission from their spouses to play away, or their spouses may not have fully realised that they had implicitly, but nonetheless quite clearly, granted such permission.

But is it fair to selfishly deny a person sex? No. It is not, people have a right to have sex and if their spouses totally or somewhat-totally deny them that, they have every right to sleep with other people. Moralistic judgemental prudes may say that they should let their partner know clearly and unambiguously that they are doing so, but that is obvious bunk.

Many people are economically trapped in their loveless marriages, for instance, and won’t someone, for goodness’ sake, think of the children? Should a couple’s children be forced to suffer through the hell of divorce just because one of their parents has decided for whatever reason to more or less give up on sex? Obviously not. In such cases the right and moral thing to do is have an affair, and avoid hurting your family by telling them things they don’t want to know. After all, it’s well known that the less painful, easier path is generally the more righteous one.

So even the tiny minority of AM users who actually have had affairs behind their partners’ backs are GOOD people who have done NOTHING wrong. And yet their lives will be DESTROYED by people looking at the Ashley Madison data. They will lose their jobs – that’s a well established fact, moralising judgemental bosses will sack employees for being AM users unless they are stopped by law. The US military, for instance – which attaches ludicrous and outdated importance to its members’ abiding by their publicly sworn oaths – is conducting a vicious moralistic purge already.

So the truth is that looking at the Ashley Madison data is a far worse act than having an affair. What we actually need is a climate of moral outrage against the sort of judgemental Victorian prudes who would even look at it, not at the brave, righteous – and in many cases only tangentially or professionally involved – people identifiable in the AM data.

Lenovo caught with unremovable crapware

Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.

If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop’s firmware will quietly and automatically reinstall Lenovo’s software on the next boot-up.

Built into the firmware on the laptops’ motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE is executed before the Microsoft operating system is launched.

The LSE makes sure C:\Windows\system32\autochk.exe is Lenovo’s variant of the autochk.exe file; if Microsoft’s official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer’s file system to make sure it’s free of any corruption.

Lenovo’s variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system’s system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.

LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system “optimizer”, and whatever else Lenovo wants on your computer. Lenovo’s software also phones home to the Chinese giant details of the running system.

To pull this off, the LSE exploits Microsoft’s Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.

“During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states.

“The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”

Crucially, the WPBT documentation stresses:

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.
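To audit whether a machine's firmware publishes a WPBT at all, a dumped copy of the table can be parsed and checked. This is an added example, not code from the article, Lenovo or Microsoft; the field layout is assumed from Microsoft's published WPBT specification, and the sample table (OEM ID, address, size, arguments) is constructed.

```python
import struct
from dataclasses import dataclass

# Assumed layout (from Microsoft's WPBT specification, not from the article):
# 36-byte standard ACPI header, then handoff size (4), handoff physical address (8),
# content layout (1), content type (1), argument length (2), UTF-16 arguments.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")
MIN_LEN = ACPI_HEADER.size + WPBT_BODY.size  # 52 bytes before the arguments


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_address: int
    content_layout: int
    content_type: int
    arguments: str
    checksum_ok: bool


def parse_wpbt(raw):
    """Parse a raw WPBT dump, e.g. read from /sys/firmware/acpi/tables/WPBT on Linux."""
    if len(raw) < MIN_LEN:
        raise ValueError("too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_table_id, _r, _cid, _crev = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if not MIN_LEN <= length <= len(raw):
        raise ValueError("declared table length is inconsistent with the dump")
    table = raw[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if MIN_LEN + args_len > length:
        raise ValueError("argument length runs past the end of the table")
    args = table[MIN_LEN:MIN_LEN + args_len].decode("utf-16-le", errors="replace")
    return Wpbt(
        oem_id=oem_id.decode("ascii", "replace").rstrip("\x00 "),
        oem_table_id=oem_table_id.decode("ascii", "replace").rstrip("\x00 "),
        handoff_size=size,
        handoff_address=addr,
        content_layout=layout,
        content_type=ctype,
        arguments=args.rstrip("\x00"),
        checksum_ok=sum(table) % 256 == 0,  # all ACPI table bytes must sum to zero
    )


def audit(w):
    """Turn a parsed table into findings an administrator can act on."""
    findings = []
    if w.handoff_size and w.handoff_address:
        findings.append("firmware (%s/%s) hands Windows a %d-byte platform binary at 0x%x"
                        % (w.oem_id, w.oem_table_id, w.handoff_size, w.handoff_address))
    else:
        findings.append("table present but no platform binary is handed off")
    if not w.checksum_ok:
        findings.append("ACPI checksum does not validate")
    if (w.content_layout, w.content_type) != (1, 1):
        findings.append("layout/type %d/%d is not the single-image native application form"
                        % (w.content_layout, w.content_type))
    if w.arguments:
        findings.append("platform binary is launched with arguments: %r" % w.arguments)
    return findings


def build_sample_wpbt(args="-constructed"):
    """Build a constructed WPBT with a valid checksum, for offline testing only."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes))
    header = ACPI_HEADER.pack(b"WPBT", MIN_LEN + len(arg_bytes), 1, 0,
                              b"EXMPLE", b"CONSTRCT", 1, b"TEST", 1)
    table = bytearray(header + body + arg_bytes)
    table[9] = (-sum(table)) & 0xFF  # checksum byte sits at offset 9 of the header
    return bytes(table)


if __name__ == "__main__":
    for line in audit(parse_wpbt(build_sample_wpbt())):
        print(line)
```

A machine whose firmware publishes no WPBT simply has no such table to dump, which is the expected state after the LSE has been removed.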

After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft’s security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.

Lenovo has also pulled the LSE from new desktop machines. Incredibly, Lenovo was shipping desktop PCs that feature the LSE in their firmware. These models phone home system data, but do not install any extra software, and do not suffer from the aforementioned privilege-escalation vulnerability. The PC maker’s laptops definitely do, however.

A tool quietly released on July 31 will uninstall the engine if it is present in your machine: it is available here for notebooks, and available here for desktops.

On Tuesday this week, Lenovo published a full list of affected desktop and notebook models. Desktop machines built between October 23, 2014 and April 10, 2015, with Windows 8 preinstalled, have the LSE inside them.

“Lenovo Service Engine (LSE) is a utility in the BIOS that helps users download a program called OneKey Optimizer on certain Lenovo Notebook systems. The utility also sends non-personally identifiable system data to Lenovo servers,” the Chinese goliath explained. “Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”

LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system.

The LSE functionality has been removed from newly manufactured systems.

Without this climbdown, it would have been virtually impossible for users to remove the rootkit-like engine from the firmware. El Reg hopes other manufacturers aren’t doing the same with the WPBT.

Suffice to say, netizens who have discovered this creepy code on their machines are not happy.

“I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Windows 8 DVD and Wi-Fi turned off,” a Hacker News user called chuckup said on Tuesday, on noticing Lenovo’s bundleware suddenly appearing on his or her new computer.

“I couldn’t understand how a Lenovo service was installed and running. Delete the file and it reappears on reboot. I’ve never seen anything like this before. Something to think about before buying Lenovo.”

What is worrying is that all of this is pretty much what Microsoft intended. Its WPBT is engineered to allow manufacturers to painlessly inject drivers and programs into the operating system. It’s supposed to be used for things like anti-theft tools, so a system can be disabled via the internet if it’s stolen.

But it also turns rootkit development and installation into a painting-by-the-numbers exercise. Lenovo got caught because its engine had crap security. And it sounds as though Microsoft pressured Lenovo to kill it.

“Richard Stallman is sounding less and less crazy with discoveries like this,” noted another Hacker News poster, referring to the Free Software Foundation supremo who has warned for decades that we’re losing control of our computers.

“To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become.”

This comes on the back of Lenovo’s Superfish scandal, in which the PC maker shipped laptops with adware on them that opened up people to man-in-the-middle eavesdropping. Miscreants could exploit the bundled crapware to snoop on victims’ encrypted connections to websites.

It’s Windows 10 day

It’s Windows 10 day. That means it’s time for a completely biased and in-no-way-even-remotely-objective assessment of Windows 10.

The internet is filled with people trying to act all objective about Microsoft and Windows 10, and explain what it all “means.” I’m forgoing all of that this round. This review is not from the standpoint of an administrator, or even much of a nerd.

This is the review of one Windows 10 user, evaluating it as the primary work operating system. It is the OS I have used for months, but is it the OS that I will trust my business to, or even want to use in my off hours? Get out the party hats and popcorn and let’s find out!

Okay, so Windows 10 isn’t exciting. In fact, it’s downright boring. The fanfare is strained and the changes are minor. Windows 10 is an evolution of its predecessor, and that’s absolutely fantastic.

For reasons Microsoft could never understand – but which I have tried to explain to them repeatedly – Windows Server 2012 and 2012 R2 have been greeted enthusiastically. Though they are essentially the same operating system, Windows 8 and Server 2012 were targeted at entirely different audiences that valued entirely different things.

Microsoft didn’t – and still doesn’t – understand what it is either group places value on. That’s okay, Microsoft has deep pockets and it can keep throwing things at the wall to see what sticks. History tells us Microsoft has a one in three chance of getting any given release right, and that’s more than enough to keep its coffers full.

So what’s up with Windows 10? Feedback from the nerdosphere has been all over the map. Many of the usual suspects are saying unusual things. Pro-Microsoft people are panning it. Anti-Microsoft people are praising it. What’s really going on is a bit more complicated.

Windows 10 is a bit crap, but only a bit. Truth be told, it’s actually quite a good operating system. I’ve been running it from the beginning of the open beta and it’s taken everything I can throw at it.

To be perfectly clear: I’m not kind to operating systems. I hibernate my PCs. I fill the RAM up. I hibernate my PCs with the RAM full. I play games the hardware doesn’t really like. I currently have more than 4,000 browser tabs open. Things like that.

Windows 10 takes everything and asks for more.

Windows 10 is faster on the same hardware than Windows 7. Noticeably so, especially if that hardware has an SSD. It’s less frustrating than Windows 8 – well, mostly – and almost as usable as Windows 7.

Thanks to Windows 8, Classic Shell has evolved rapidly over the years. Today, it solves almost all of my UI issues with Windows 10 and even manages to detect when Microsoft has reset things and sets about reinstalling itself and reapplying the settings in order to compensate. Bloody brilliant.

Best of all, Classic Shell is available as part of Ninite, so it just gets installed along with all the other default required third-party software whenever I build a system. Ninite Pro is a reasonably priced and fantastic way to keep all that third party software up to date.

Classic Shell gets rid of (most) of the stupidity Microsoft inflicted with Ribbon Bars in various bits of the UI and it replaces the completely broken, utterly useless and ridiculously poorly designed (probably by committee) abomination that is Windows 10’s Start Horror. Push button, receive mindspiders; this, at least, is solvable.

The Start Screen of Windows 8 is properly banished. The new notifications tray/basic settings widget thing is actually quite nice. Overall, most of the UI dings have been hammered out.

So the first crap part of Windows 10 is the above-mentioned Start Horror thing. It shouldn’t be. I cannot say enough mean things using enough colourful invectives. It’s awful. But, as mentioned above, it’s fixable.

Microsoft has mutated Windows Explorer into a Ribbonesque horror of additional awfulness. This is only partly fixable. It’s the worst bit and probably the thing that will drive most power users away, if anything ends up driving them away.

Settings in Windows are inconsistent. Some are in the “Settings” Metro app and some are in the Control Panel. It takes a few hours to sort out what’s where, but since there’s really only two places to look it’s honestly not that big of a deal.

The colour palette options are pretty broken. People who prefer “dark themes” are probably going to have trouble using Windows 10. If this is actually fixable, I haven’t figured out how yet. Windows 10’s customization capabilities seem strictly limited compared to previous versions of Windows.

There are some more specific issues that have irritated individual bloggers and tech journalists, but the above is the stuff I think the “average” user will notice and care about.

There are some potential deal breakers with Windows 10. To start off with, the VPN client is crap. It really does not like connecting to older VPN servers and its behaviour under many circumstances is inconsistent to the point of seeming non-deterministic. I’ve seen problems with it straight through to the release version.

Microsoft’s spying on you is pretty awful. Windows 10 calls home with essentially every last thing you do and search for by default. Finding and disarming all the different ways Microsoft spies on you is difficult at best, and a futile game of whack-a-mole at worst.

It is perhaps not fair to project the experiences of participating in the open beta onto the release version of Windows 10, but I did get pretty sick of having to go in and defang Microsoft’s creepy doll Cortana spymaster every time a major patch came out.

The NSA can go straight to hell, as can any company slurping up my info into data centres where that data can be easily “requisitioned”. I may not be able to keep the NSA out of my data, but I do intend to make the proxy whoresons work for it!

That leads us into the whole “forced patches” thing. I’m not a fan. I understand that some people feel this is the only way to make Aunt Tilly patch. They’re wrong. Aunt Tilly’s computer was shipped to her with Windows Updates enabled by default.

I prefer to not have to fight Microsoft to keep my computer from rebooting and annihilating all my open applications, thanks.

But this is beyond personal preference. Microsoft has completely borked patches so many times during my career that I absolutely refuse to install any Windows patch on any computer I rely on without testing it first. Nope. Thanks and bye.

Further adding to my nopeing over forced updates is that I simply do not trust Microsoft, even the littlest bit. Windows 10 is supposed to be on a brand new release lifecycle where major-ish updates will be pushed out with some regularity. I don’t trust Microsoft with this power.

Perhaps more to the point: I don’t trust Microsoft not to push out some horrific UI change or break applications like Classic Shell. Microsoft have broken my trust too many times and done absolutely nothing to earn it back.

Now I realise everything in this “dealbreaker” category won’t matter to everyone. In fact, there is a significant population to whom none of these issues will matter. I said above that this isn’t a particularly objective review of Windows 10. These are simply the issues that tweak my particular constellation of requirements and beliefs and prevent me from deploying it for my use cases.

For all my griping, Windows 10 is kinda not bad. My wife compares it to Canadian politicians. Everyone on offer is at least a little bit crap, but there’s usually one that meets “good enough” standards and probably will do as much good as they do harm. I think it’s an accurate comparison for Windows 10.

Most people don’t want their computers to radically change. They prefer slow, incremental evolution. They like stability. Business especially prefers this. For the most part, that’s Windows 10. It’s really not that much different than its predecessors, and that will make it usable by most.

But usable isn’t enjoyable. When Windows 7 came out there were a few complaints (give me back my up arrow, damn it!) but for the most part there was relief. At long last, here was salvation from Vista and a path forward from XP.

There’s none of that with Windows 10. It’s good enough to use if you have to. It’s definitely a step up from Windows 8. But if you have Windows 7 there’s no sane reason to move to Windows 10 as, ultimately, Windows 7 is still better.

If you don’t use VPNs except to very new servers, you trust Microsoft enough to let them force updates on you, and you’re okay with the digital creepy doll shouting everything you do back to the mothership, then Windows 10 is good enough.

Windows 10: it’s only a little bit crap. And really, that’s better than we could have hoped for.

Do NOT open that text message!

Frankly most people who get malware are asking for trouble. They open a suspicious file from a stranger, go to a skanky website, or download the movie or game that came out yesterday from BitTorrent. Then, there’s Stagefright. With malware based on this security hole all you need to do is to get a text on your unpatched Android device, and, bang, you’re hacked.

Android’s Stagefright security hole is scary, but you can avoid it. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher. In short, of the approximately 1-billion Android gadgets out there, Stagefright could, in theory, hit 95 percent of them.

Can you say bad news? I knew you could.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake, who uncovered Stagefright, claims that it’s among the “worst Android vulnerabilities discovered to date.” He’s got a point.

Stagefright holds up your device by being sent to you as a multimedia text message. For example, a short video of kittens playing could be used to put malware on your system.

The really sneaky part is you don’t need to watch the playful cats. If you’re using Google’s Hangouts app, you don’t even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you’ve already been hacked. If, on the other hand, you’re using Android’s standard Messenger app you must open the text message — but not necessarily watch the video — to get hacked.

This security hijack works by taking advantage of Android’s built-in Stagefright media library. This media playback engine comes with software-based codecs for several popular media formats and is used for audio and video playback. Its security hole appears to be that to reduce video viewing lag time Stagefright automatically processes the video before you even think about watching it. Drake will reveal the full details of how Stagefright works at Black Hat in early August.

In the meantime, Zimperium informed Google of the problem in April. According to Drake, “Google acted promptly and applied the patches to internal code branches within 48 hours.”

A Google spokesperson added in an e-mail response that, “The security of Android users is extremely important to us, so we’ve already responded quickly to this issue by sending the fix for all Android devices to our partners.”

She added:
• Security is baked into Android: Android applications run in what we call an “Application Sandbox.” Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual “sandbox” to keep it from accessing anything outside itself, meaning that even if a user were to accidentally install a piece of malware, it’s forbidden from accessing other parts of the device.
• The open ecosystem improves security and makes Android stronger: Android is open source. This means anyone can review it to understand how it works and to identify potential security risks. Anyone can conduct research and also make contributions to improve Android security.
• Google encourages security research: The Android Security Rewards Program, launched in 2015, and Google Patch Rewards program, launched in 2014, rewards the contributions of security researchers who invest their time and effort in helping make Android more secure.

So, with all this, what’s the fuss about? Yes, it’s really a bad security hole, but the fix is in… isn’t it?

Uh, well, about that: you see, Android has another, bigger security problem. With the exception of the Nexus devices, Google provides the Android source code patches, but it’s up to the smartphone carriers and original equipment manufacturers (OEMs) to send them to users with updated firmware. As of July 27th, none of the major Android OEMs or carriers have announced plans to deliver the patch. With many older devices, patches may never be delivered.

According to Zimperium, SilentCircle’s Blackphone has been protected against this attack since the PrivatOS version 1.1.7. Mozilla’s Firefox has also included a fix for this issue since version 38. And, of course, Zimperium offers its own protection from Stagefright attacks with its mobile threat defense platform, zIPS.

What Zimperium doesn’t mention is that Android already has an excellent way of blocking most Stagefright assaults: Block all text messages from unknown senders.

To do this with Android Kitkat, the most popular Android version, you open the Messenger app and tap on the menu at the top right corner of the screen (the three vertical dots) and then tap on Settings. Once there, select Block Unknown Senders, and you’re done.

On Lollipop, where Hangouts is the default messaging app, there’s no default way to block unknown senders. You can, however, under Settings go to Multimedia messages and turn off Auto Retrieve for multimedia messages.

With Lollipop, and other versions of Android, I recommend turning to third party SMS blocker apps. For Android 2.3 to 4.3, I like Call and SMS Easy Blocker. If you’re using KitKat or above, where only one texting app can be active at a time, I like Postman, aka TEXT BLOCKER. This program works in conjunction with your favorite texting application to block unknown senders.

This isn’t perfect. A friend could always get infected and spread malware, but it’s a good start.

The short-term fix will be when the carriers and OEMs get off their duffs and push the fix to us. Considering their track record, I’m not going to be holding my breath and I am going to be blocking multimedia texts. The long-term solution will be when Android-using companies start working with Google to deliver important security patches as soon as possible all the time.

Cut the Cable!!

Put up an antenna.

Many people are not aware that in 1996 the FCC issued a federal rule that prevents HOAs, CCRs and other private entities from stopping the installation of TV antennas.

In just about any situation, you can put up an outdoor antenna to receive over the air broadcasts, and no rules or regulations can stop you, within reason.

Take the time to read and share the FCC’s Federal Regulations – OTARD – Over The Air Reception Devices.

As directed by Congress in Section 207 of the Telecommunications Act of 1996, the Federal Communications Commission adopted the Over-the-Air Reception Devices (“OTARD”) rule concerning governmental and nongovernmental restrictions on viewers’ ability to receive video programming signals from direct broadcast satellites (“DBS”), broadband radio service providers (formerly multichannel multipoint distribution service or MMDS), and television broadcast stations (“TVBS”).
The rule (47 C.F.R. Section 1.4000) has been in effect since October 1996, and it prohibits restrictions that impair the installation, maintenance or use of antennas used to receive video programming.  The rule applies to video antennas including direct-to-home satellite dishes that are less than one meter (39.37″) in diameter (or of any size in Alaska), TV antennas, and wireless cable antennas.  The rule prohibits most restrictions that: (1) unreasonably delay or prevent installation, maintenance or use; (2) unreasonably increase the cost of installation, maintenance or use; or (3) preclude reception of an acceptable quality signal.

 

LINK https://www.fcc.gov/guides/over-air-reception-devices-rule

Who is watching you?

More and more, government is spying on its citizens. Not just our government, but all governments. You may remember that a couple of weeks ago, intrusions into former CBS News correspondent Sharyl Attkisson’s computers constituted the narrative spine of the new book she has authored.

Governments all around the world use malware and spyware to keep tabs on people, from visitors to residents. But now there is hope. A security researcher has come up with a tool that can determine if your computer is infected with spyware.

The Detekt tool was developed by Berlin-based security researcher Claudio Guarnieri and supported by several human-rights groups. Detekt checks for malware that is often used against journalists, activists and other people frequently targeted by governments.

The app is available as a free download. Detekt is primarily a scanner; its primary purpose is to warn users if they’re being spied on, not to remove that spyware. If Detekt does detect spyware, the researchers recommend users disconnect that computer from the Internet and stop using it immediately. Then, users should contact an expert via a computer they don’t normally use.

Detekt is currently compatible with Windows XP, Vista, 7 and 8, but NOT 8.1. It’s available in English, German, Italian, Spanish, Arabic and Amharic, the national language of Ethiopia.

According to Amnesty International, one of Detekt’s co-sponsors, an early version of the tool was used to investigate surveillance practices in several countries. Detekt discovered that several human-rights lawyers and activists in Bahrain were being spied on with a commercial piece of spyware called FinSpy.

Amnesty International warns that Detekt can’t magically detect all spyware; rather, it is designed to recognize some of the most commonly used and encountered commercial spyware. The developers will continue to update Detekt as the spyware it targets evolves and changes.

“The growing trend in indiscriminate mass surveillance on a global scale was laid bare by the Edward Snowden disclosures,” writes Amnesty International. “Following the lead of the USA and other industrialized countries, governments everywhere now justify the use of such surveillance. This has a chilling effect on the rights to freedom of expression and peaceful assembly in countries across the world.”

Creep factor on high. An open window to your home, WITHOUT you knowing…

Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries… unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia, is further broken down into insecure security cameras by the manufacturers Foscam, Linksys, Panasonic, some listed only as “IP cameras,” as well as AvTech and Hikvision DVRs. 11,046 of the links were to U.S. locations, more than any other country; one link could have up to 8 or 16 channels, meaning that’s how many different security camera views were displayed on one page.

Truthfully, I was torn about linking to the site, which claims to be “designed in order to show the importance of security settings;” the purpose of the site is supposedly to show how not changing the default password means that the security surveillance system is “available for all Internet users” to view. Change the defaults to secure the camera to make it private and it disappears from the index. According to FAQs, people who choose not to secure their cameras can write the site administrator and ask for the URL to be removed. But that requires knowing the site exists.

There are 40,746 pages of unsecured cameras just in the first 10 country listings: 11,046 in the U.S.; 6,536 in South Korea; 4,770 in China; 3,359 in Mexico; 3,285 in France; 2,870 in Italy; 2,422 in the U.K.; 2,268 in the Netherlands; 2,220 in Colombia; and 1,970 in India. Like the site said, you can see into “bedrooms of all countries of the world.” There are 256 countries listed plus one directory not sorted into country categories.

The last big peeping Tom paradise listing had about 400 links to vulnerable cameras on Pastebin and a Google map of vulnerable TRENDnet cameras; this newest collection of 73,011 total links makes that seem puny in comparison. A year ago, in the first action of its kind, the FTC brought down the hammer on TRENDnet for the company’s “lax security practices that exposed the private lives of hundreds of consumers to public viewing on the Internet.”

Security cameras are supposed to offer security, not provide surveillance footage for anyone to view. Businesses may be fine with that, but cameras that are not truly locked down in homes invite privacy invasions. In this case, it’s not just one manufacturer. Sure, a geek could Google Dork or use Shodan to end up with the same results, but that doesn’t mean the unsecured surveillance footage would be aggregated into one place that’s bound to be popular among voyeurs.

There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the “security surveillance footage” meant for protection into an invasion of privacy.

Randomly clicking around revealed an elderly woman sitting but a few feet away from a camera in Scotland. In Virginia, a woman sat on the floor playing with a baby; the camera manufacturer was Linksys. There was a baby sleeping in a crib in Canada, courtesy of an unsecured Foscam camera, the brand of camera most commonly listed when pointing down at cribs. So many cameras are set up to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam “hacker” yelled at the babies.

I wanted to warn and help people who unwittingly opened a digital window to view into their homes, so I tried to track down some security camera owners with the hopes of helping them change the default username and password. It is their lives and their cameras to do with as they think best, but “best” surely doesn’t include using a default username and password on those cameras so that families provide peep shows to any creep who wants to watch.

The site lists the camera manufacturer, default login and password, time zone, city and state. The results for each camera are also theoretically pinpointed with longitude and latitude on Google Maps. That can be opened in another browser window, zoomed into, converted to Google Earth, then Street View in hopes of seeing an address to take into a reverse phone look-up. It’s slightly easier if it’s a business and you see a name on a building. There may be an easier way, as it was slow and frustrating.

I’m unwilling to say how many calls I made, or else you might think I enjoy banging my head against the wall. It was basically how I spent my day yesterday. Too many times the location couldn’t be determined, led to apartments, or the address wasn’t listed in a reverse phone search. After too many times in a row like that, I’d switch to a business as it is much easier to pinpoint and contact.

One call was to a military installation. Since the view was of beautiful fall foliage, it seemed like a “safe” thing to find out if that camera was left with the default password on purpose. Searching for a contact number led to a site that was potentially under attack and resulted in a “privacy error.” Peachy. Then I had two things to relay, but no one answered the phone. After finding another contact number and discussing both issues at length, I was told to call the Pentagon! Holy cow and yikes!

ALWAYS, ALWAYS, ALWAYS change the default passwords on your equipment, routers, cameras, etc. If you are unsure how to do this, please contact us to regain that peace of mind.

The largest-scale attack of its kind on Apple devices

A pernicious piece of Apple-focused malware reared its ugly head this week. It may have infected as many as 356,000 users.

The malware first infects Mac OS X machines, from standard desktop Macs to MacBooks, and then infiltrates all other iDevices, from iPhones to iPads, by installing rogue apps on them when they’re connected by USB. And unlike previous strains of iOS malware, it doesn’t need the device to be jailbroken. Palo Alto Networks, the company that has investigated and given a name to WireLurker, calls it a “new breed of threat to all iOS devices”. A developer at Tencent initially observed WireLurker at the start of June.

It’s little surprise so many downloaded WireLurker, given it was packaged inside seemingly legitimate apps, including some big name games – Sims 3, Pro Evolution Soccer 2014 and Angry Birds to name a few. They were unofficial, pirated versions of the games, however. And those who did get infected, who were only trying to get knock-off copies of those titles, likely had various pieces of data stolen from their Apple devices, including the machine’s ID number and the Wi-Fi addresses it used.

Herein lies the intriguing element to this nasty piece of kit. The malware seems to be more concerned about identifying the device owners rather than stealing much data. “In other words, WireLurker seems to be targeting the identities of software pirates,” noted Jonathan Zdziarski, an iOS security expert. On jailbroken iPhones, the malware does seek to acquire more information, including SMS messages.

Could WireLurker be a law enforcement tool? If it is, then it’s another sign that the NSA isn’t fazed by Apple’s attempts to keep its users secure and private. Just last month, it was accused of trying to intercept iCloud users’ passwords, which it subsequently denied.

WireLurker was able to get malicious apps onto iOS devices by abusing “enterprise provisioning”. This allows apps not in Apple’s official stores to be downloaded as long as they are signed by an enterprise certificate, which Apple could revoke (though Zdziarski notes additional certificates could be issued and fresh copies of the malware installed). Users should always be wary of Apple’s requests for confirmation to open a third-party application, unless they are certain of its authenticity.

Zdziarski thinks that WireLurker looks primitive, yet shows up a major security hole in Apple’s pairing mechanism between its PCs and mobile devices. “The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized,” he added. “While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.”

Apple, Google encryption good news… for TERRORISTS says EU top cop.

People don’t know the difference between privacy and anonymity, says EU top cop Troels Oerting: they want the former, but the latter will make life too easy for criminals.

The Europol Assistant Director and head of European Cybercrime Centre (EC3) was joining a chorus of lawmakers and law enforcers reacting to news that Apple and Google will soon make all smartphone data encrypted by default.

In a move that was welcomed by digital civil liberties organizations, Apple announced that it would not hold the keys to iOS 8 data encryption, and so couldn’t pass on users’ data no matter how much law enforcers might want it.

Outgoing US attorney general Eric Holder, speaking on the same subject, asked people to think of the children, saying child predators could use the encryption settings in mobile platforms to evade authorities and hide illegal images and content on their devices from law enforcement. FBI Director James Comey, meanwhile, was so upset by the move that he said it would make it impossible to save children from kidnappers. He also bemoaned the fact that law enforcement would not be able to gain access to “a terrorist’s device”.

Oerting was more measured: “The problem right now is, that there seems to be a confusion between anonymity and privacy. We all want and need privacy, but this doesn’t mean anonymity.”

But he still raised the warning flag: “Irreversible encryption will make it very difficult – maybe even impossible – for law enforcement to obtain evidence and I am not sure this reality is clear to all,” he said.

“In any democratic society we need to provide law enforcement with a right to obtain information authorized by a judge, based on a clear suspicion, in cases involving serious crime or terrorism. This applies to the offline world and should also apply to the online world.

“Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom – and this balance has to be set by citizens in a political and ethical discussion on the trade-offs,” said Oerting.

That won’t cut much ice with activists who are clamoring for privacy – and Apple, Google et al are well aware that this is a selling point. “On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” said Apple’s official statement on its encryption plans. “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

This will draw a line, not gray and not thin, between privacy rights and those that seek to exploit them.

While I do believe in security and protecting private data, the issue is still there regarding illegal activities.

The yet to be discussed point is that data encryption has been around for a long time and has only gotten better and stronger. To raise the red flag over concerns now is a moot point and will only drive a wedge between the advocates and opponents.

 

Between Comcast, Youtube, Amazon and Yahoo, you are bound to get infected.

Announcements by security firms indicate that the above listed companies are exposing your systems to unnecessary risk of malware infections to boost the bottom line. (Links below)

Case in point: My daughter, while attempting to watch a YouTube video, was redirected to a malicious Flash Player download. This download installed a rootkit on her system that played audio ads in the background continuously. While not harmful to the system, they rendered it pretty much useless for any audio applications due to the audio ads constantly playing in the background. The only fix was a total system wipe and OS reload.

Is there a solution to this problem? Short answer is no. While many commercial antivirus applications (AV) do their best to block these, there is not a 100% fix for prevention. This is due to the fact that the code writers for these things far outnumber the ones trying to stop it. As fast as the AV companies deploy a fix the bad guys change the code in a never ending battle.

What can you do? For starters, keep your AV up to date. Many charge for this, but Microsoft also provides a free one (Security Essentials/Windows Defender) that is much less intrusive and less demanding on your system. You may go the paid route, but keep in mind that just because you pay for it does not make it any better than the free one, and in many cases those may drag performance down in the name of protection.

The Yahoo, Youtube, Amazon story:  http://www.theregister.co.uk/2014/09/10/big_names_caught_in_kyle_and_stan_malicious_ad_attack/

The Comcast story:  http://www.theregister.co.uk/2014/09/10/comcast_using_javascript_to_inject_advertising_from_wifi_hotspots/

A magical visit from the software fairy (or how you just got robbed).

So there is a new icon on your desktop or some strange bar along the top on your internet browser….
You wonder if the software fairy has visited you in the middle of the night!

Probably not; you are one of the billions that are infected by malware, spyware, adware, creepware, ransomware, etc.

If you did not intentionally load that software, or you thought you were installing something else, you are at risk for data loss or worse: identity theft! Yes, many of these items have the potential to route data, internet traffic and keystrokes (everything you type) to the not so nice guys of the world. Even more so, they may have access to your personal information stored on your PC.
Just recently, a young lady fell prey to one of these malcontents online. Miss Teen USA 2013 Cassidy Wolf found out the hard way. Her system was hacked and the hacker was able to access her webcam, using it to take private, personal pictures of her and then using them to extort even more from her.

While the hacker was found and is serving time, that does not help the victim here.

Closer to home, my daughter was watching a YouTube video and was infected by a rootkit that required wiping her system clean to remove.

Even PC Security, while looking official and legitimate, is really the bad guys at work.
Protect yourself: if you have even the slightest thought that your system is compromised with malicious software, get it checked out NOW. The longer it is online and you are using it, the greater the chances that you could be the next victim.

eBay attack affects 223 million users.

Online auction site eBay has been blasted for an ‘inexcusable delay’ in taking action after it was revealed that its servers were hacked three months ago.
The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder – 233 million worldwide –  are now in the hands of the hackers.
The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.
eBay is requesting that all users change their passwords. Earlier today, a message was posted under the headline ‘eBay Inc. To Ask All eBay Users To Change Passwords’. The only text in the body of the post was ‘placeholder text.’ It was taken down within hours.

WHAT DO WE KNOW ABOUT THE CYBER ATTACK?
The eBay database was hacked between late February and early March.
It gave hackers access to encrypted passwords and other non-financial data.
This included eBay customers’ name, encrypted password, email address, home address, phone number and date of birth.

However, the database did not contain financial information or other confidential personal data.

Cyber attackers accessed the information after obtaining ‘a small number of employee login credentials’.
The online market place added that it had no evidence of there being unauthorized activity on its members’ accounts.
But security experts are warning hackers could still use personal details to commit identity fraud.
eBay became aware of the hack a fortnight ago but is still unsure exactly how it happened.

It is unclear why it has taken eBay so long to make users aware of the breach.

Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.
Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the ‘golden goose of hacking targets’ due to the sheer amount of information which is held. He added that hackers may be using personal information to target other sites.

An eBay spokesman said: ‘We discovered unauthorized access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to yesterday’s announcement.

The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: ‘PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’

The firm has 128million active users and accounted for £126billion worth of commerce in 2013. Shares in the web giant, which has more than 14million active users in the UK, fell by 3.2 per cent in early trading yesterday amid fears that the company will lose the trust of their customers, leading to a downturn in trade and profits.

A spokesman added: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’

The cyber attack was made between late February and early March, giving hackers access to eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. The firm said it will be emailing users later today to inform them of the breach.
‘Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.

‘There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.’

But Graham Cluley, independent security expert, said: ‘Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.
‘If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.’
And internet security expert Paul Martini said: ‘eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.
‘It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.’
He added: ‘Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.’

HOW DOES THE EBAY HACK AFFECT YOU? WHAT YOU NEED TO KNOW.

What personal details were stolen?
Hackers gained access to eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.

Are my credit card details safe?
The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes.

Will changing my password solve the problem?
Changing passwords will stop hackers from being able to use any login details that were stolen.
However, they could still use names, addresses and birth dates to commit identity fraud.
It’s a good idea to change passwords following any attack such as this. It’s also important to update login details on any sites that use the same password.
If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.
As a rule, the same password should never be used across different sites.

Should I change my PayPal password as well?
PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.
However, as a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.

Which countries are affected?
At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.

Is this hack a result of the Heartbleed bug?
When Heartbleed was exposed, eBay announced its customers’ accounts were secure and had not been affected. This suggests the latest hack is a separate attack.

How did hackers steal the information?
It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.

Why did it take so long for eBay to inform customers of the breach?
Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice.

Heartbleed – Will you have a bleeding wound?

As the Heartbleed bug continues to make news as the full extent of the security loophole becomes known, some basic Internet security tips may help to keep computers safer. While these are no guarantee that the Heartbleed bug won’t affect you personally, these tips should keep your computer safer in general.

1. Be skeptical

The Heartbleed bug first became evident in many websites that we all considered secure when they had a security hole that could expose user data to hackers who could exploit it. As Mad-Eye Moody says in the Harry Potter book series, “Constant vigilance.” In other words, assume that you’ve come in contact with the Heartbleed bug.

2. Follow news of the Heartbleed bug

The Heartbleed bug is still a developing story. Following reports will let you know if any additional websites, software, or devices are affected.

3. Keep the security software on your computer up to date

Even if you have not been exposed to the Heartbleed bug or any other threat online, a secure firewall is the first line of defense for your PC or Mac against hackers. Use a reputable brand and check to make sure your subscription is up to date, as well as any patches or updates to the software.

4. Check and recheck lists of affected websites

The chances that you have visited a website affected by the Heartbleed bug are pretty high, as several big websites like Yahoo, Facebook, and Google were all patched following news of the Heartbleed bug. Several technology websites are making lists of websites and whether they are vulnerable to the bug. Mashable and CNET have extensive lists. (Warning: Not all lists are being updated.) Check more than one list to make sure the website is no longer affected.

Also, if you are unable to find a website on any of the various lists, use a tool like this one built by Italian cryptology and security consultant Filippo Valsorda to check out a website before logging in.

5. Passwords are like socks. Change both often

If you did visit a website that has been vulnerable — you won’t necessarily know if it’s been affected, due to the traceless nature of the bug — but is now patched or otherwise fixed, change your password. Generally a good password has uppercase letters, lowercase letters, numbers, and special characters.  Also, do not repeat passwords. If you will not remember multiple passwords, consider a password manager instead.

6. Check your bank account, debit, and credit card balances often if you use them online

While Bank of America, Chase, Wells Fargo, PayPal, and Capital One did not use the OpenSSL encryption where the Heartbleed bug hid, it’s a good idea to keep an eye on any financial account you use online for security and personal finance reasons. Netflix, which requires an online payment, had to be patched, making it a good idea to keep a close eye on whatever card you use to enable Netflix binges.

If you rarely shop or pay for services online, viruses and identity theft are good reasons to check your accounts often anyway, even if the Heartbleed bug might not have been able to go after your bank.

File encryption, it is a MUST.

Tech tip:

With the news awash regarding the NSA snooping scandal and a rash of data thefts the most secure way to keep info safe is to encrypt it.

My personal favorite tool for this is TrueCrypt: http://www.truecrypt.org/ As of 12/1/15 TrueCrypt announced a security flaw but no real details. In light of that, check out VeraCrypt at https://veracrypt.codeplex.com/ It works the same as TrueCrypt with enhanced encryption methods.

 

Encryption, in its simplest form, means locking the data in a file, folder or drive so that only the correct passphrase will unlock it.

DO NOT FORGET YOUR PASSPHRASE!!

TrueCrypt’s site claims the software has been downloaded more than 13 million times. This has to be put into perspective. Compression tools like WinZip are mainstream and universal. They get massive download rates because everybody uses them. Encryption is still in the outer orbit of mainstream awareness. Relatively few people use encryption. It’s one of those things that most folks don’t seriously consider until they’ve been burnt by not employing it. So, 13 million TrueCrypt downloads is really a telling sign of this software’s popularity.

There are a few things to consider before deploying TrueCrypt. First, TrueCrypt doesn’t offer any way to recover your encrypted partition if you lose your passphrase. The only option would be a brute force or side channel attack, but if all the governments of the world can’t crack AES-256, your odds are pretty slim. TrueCrypt also allows for the creation of hidden partitions and even denying their existence. You could create two encrypted system partitions and hide one of them. The visible one works as a decoy, which you could use regularly to give off the impression that it’s your active system. Whether you boot the hidden system or the decoy is decided by the passphrase you type at startup.

Now if you think the above statement regarding the government’s inability to decrypt a drive is false, take a moment to read the case involving a woman in Colorado that is refusing to decrypt her drive so that prosecutors can build a case against her. Update 2/15/17 – Not defending the worthless Muslims that committed but this is a good example of why encryption is needed. http://www.reuters.com/article/us-california-shooting-encryption-idUSKCN0VI22A

DO NOT FORGET YOUR PASSPHRASE!!

Now, back to our tip.

First, using encryption software, you can create an encrypted container, then save files, folders, etc in said container. With darn near certainty, you can rest assured that no one other than yourself will ever be able to read those files.

Second, using the above method, you can email the encrypted container just as you would any other file and be free from the fear of others snooping on your emails.

You could then tell the receiving person the passphrase, preferably in person and in private and at a whisper and on a deserted island. 🙂

Now, it would be unfair and untrue to say that encryption is unbreakable, but let’s do some math and estimate how long it would take to break 256-bit AES encryption.

The power of 256-bit AES encryption is awesome. Explaining just how powerful it is takes numbers far larger than our brains can really make sense of… but it’s worth a try.

The “256-bit” part of the name means that the key which provides access to the protected content is 256 bits in length – that is, it is one of 2^256 possible combinations.

So imagine you have a file encrypted using 256-bit AES, and that you can sit just trying combinations to crack it open.

Let’s pick a crazy-high number: say you can try a million million million combinations every millisecond. At that rate, it would take about 3 million million million million million million million million years to try every combination. That’s older than your grandma.

It’s more combinations than there are atoms on the whole planet. About 70,000,000,000,000,000,000,000,000 times more to be precise.

For it to take “only” as long as the age of the universe to crack, you’d need to type in about 2.8 x 10^59 combinations per second – that’s 280,000 with 9 “millions” after it.

That’s why AES is considered, for now, an unbeatable encryption. The NSA have approved it to protect information classified as “top secret” – and that is genuinely the top endorsement possible.

I said “darn near certainty” above because of this: If you ever write down or share in any way the passphrase, you have weakened the security. But that aside, if it forever remains in your noggin, no one in the current form of human evolution will ever read your data, short of reading your mind.
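The arithmetic above can be checked directly. The following is an added example, not part of the original tip: it recomputes the key-search figures and then goes one step further by applying the same calculation to the passphrase itself. The age-of-universe value and the three passphrase shapes are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9        # assumption: commonly cited estimate
PAGE_RATE_PER_SECOND = 10**18 * 1000  # the tip's 10^18 guesses per millisecond


def keyspace(bits):
    """Number of possible keys for a key of the given bit length."""
    return 2 ** bits


def years_to_exhaust(combinations, guesses_per_second):
    """Years needed to try every combination at a fixed guessing rate."""
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def rate_to_finish_within(combinations, years):
    """Guesses per second needed to try every combination within `years`."""
    return combinations / (years * SECONDS_PER_YEAR)


def passphrase_space(alphabet_size, length):
    """Combinations for a passphrase of `length` symbols chosen at random."""
    return alphabet_size ** length


def equivalent_bits(combinations):
    """Express a search space as a key length in bits."""
    return math.log2(combinations)


if __name__ == "__main__":
    aes256 = keyspace(256)
    print(f"AES-256 keys:             {aes256:.3e}")
    print(f"Years at the tip's rate:  {years_to_exhaust(aes256, PAGE_RATE_PER_SECOND):.2e}")
    print(f"Rate for universe age:    {rate_to_finish_within(aes256, AGE_OF_UNIVERSE_YEARS):.2e}/s")
    # Constructed passphrase shapes, not taken from the original tip.
    for label, alphabet, length in [
        ("8 random lowercase letters", 26, 8),
        ("12 random printable ASCII", 95, 12),
        ("6 random words, 7776-word list", 7776, 6),
    ]:
        space = passphrase_space(alphabet, length)
        print(f"{label:32s} ~{equivalent_bits(space):5.1f} bits")
```

When the passphrase's search space is the smaller of the two numbers, it sets the practical limit rather than the cipher, so a long random passphrase matters as much as the choice of AES-256.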

Do not forget that newer operating systems include built-in encryption that works very well. It will prevent access to your system and files, but it does not protect information you send to others, as mentioned above.

Did I mention, the most important point to remember here is: DO NOT FORGET YOUR PASSPHRASE!!