SuperFish, Remembering Passwords, Securing Remote Access and SSL certificates are the four things that have been occupying our brains for the last couple of weeks and we’ve reached some conclusions that I want to tell you about.
SuperFish: SuperFish is an application that Lenovo installs on their consumer-branded computers. These are the ones that you don’t buy from us but rather get from a retail or web location like Best Buy, Costco, Office Depot, etc. It’s always confusing for our clients to figure out which computer is a better value and why. One of the reasons why consumer computers are less expensive than business computers is the software they contain: they are subsidized by other companies. In this latest example, SuperFish is a behind-the-scenes application that places additional advertising into web pages you visit. It also tracks your web history so it can place ads that you are more likely to click on. But that’s not the worst part. Because some of the sites you visit are protected by SSL certificates and Superfish wants to be able to monitor all of your activity, it places itself in the middle and acts as a proxy to the Internet for you. What this allows it to do is read your SSL-secured information, like your username and password for any account. So let’s say you do some online banking. For privacy, your bank uses an SSL certificate secured website. This makes sure that all of the information sent between you and the bank (your account numbers, balances, ability to use the website to make transactions) is encrypted and not readable until it reaches you. But since Superfish is running, it reaches Superfish first. Superfish reads it, uploads it into their databases and then sends it along to you. Now Superfish has your most valuable information. Do you trust Superfish and everyone who works there with your bank account? Not likely. This is why we recommend against purchasing home computers for business use. Yes, they are a little less expensive but they come with a load of software you really don’t want.
We do our best to clean out this junk when we set them up for you (which eats up time and billable hours) but there are things that are purposely hidden like this Superfish evil that we can’t do anything about until they are exposed by security researchers. For Lenovo’s part they are said to be working on an uninstaller for this application that will be published soon.
Remembering Passwords: What if you didn’t have to remember any more passwords and didn’t have to keep a spreadsheet or sticky notes of them anymore? And what if they could all be unique and wildly complex but you would never have to type them in? Wouldn’t that be nice? Well, we’re working on it. We’ve narrowed down our research to two tools. Tomorrow we make our decision and unless something earth-shattering is discovered in the next 24 hours, I think that we’re going to be recommending both. We like them both but they are very different. We’re thinking that some of you will get the most out of one of them and some of you will like the other better. If you are a visual person and tend to visit the same sites over and over again then you’ll like the one that has you start from a portal of predefined company icons to which you can add your specific sites. Click the icon, and go. I like this one myself. If you are a person that has to track many, many websites then you’ll probably like the other one. It’s more invasive about integrating itself into your browsers. It also has a nice import feature, so if you’ve been using your browser’s “remember me” setting it’ll pull that information out and populate it into a toolbar list, sort of like your Internet favorites. Both of these are corporate programs, so when an employee leaves you don’t lose access to your accounts because they were the only person that handled your transactions in that website. And both allow you to share your website credentials without letting the other person know the password. This will be handy for your confidential sites and lets people do the work they need to do without spreading your password around unintentionally. Now you might be thinking, like I did, that you don’t have that many different sites that you go to. But you probably have a lot more than you think you do. My import revealed 150+ sites where I have a username and password. I would have sworn the number was between 20 and 30.
Imagine my surprise! Now I don’t use those every day but still I have an account there. It surprised me. I think it will surprise you too. Of course there’s an annual fee for using these applications but it’s small in the big scheme of things and I think well worth the expense. There is a bit of user training that needs to happen in order for people to understand how it works and we’ll need to work with you to set up some initial shared site credentials. So do plan on the training part. I don’t think that these software packages will work for anyone without some introduction.
Securing Remote Access: We’ve seen a frightening increase in attacks on remote access servers. These would be your MultiPoint servers, terminal servers and also any computers that you might be allowing direct access to over the Internet using a remote desktop client. What the attackers are doing is sending thousands of login requests for common usernames with common passwords. They are, for example, trying the username Wendy with the password Aiden, then Wendy with Evelyn, working through popular child and pet names until something hits. Once something hits, then what? Then they log in and start doing the same from the inside to gather more usernames and passwords. They’ll add these to the list that they try when hitting your bank website, credit card websites, shopping websites, etc. They’ll also try the credentials on your accounting package to see what’s there of value. Things that have value are names, addresses, SS#, credit card numbers, account names and passwords. They have applications that scan for these things, so it goes pretty quickly. They don’t care about your files. When they are done they might install an application that scans the Internet for the next company to infiltrate. That’s called a bot. Actually, bots (short for robots) run the whole thing. A criminal sets it into action and then waits for the results. Bots can target thousands or even millions of companies at one time. We’re seeing a HUGE increase in this type of activity. Small businesses are the #1 target now. So we need to make some changes. If your remote access servers are not locked down, we need to lock them down now. We can do this several ways depending on how you use them. Please let my techs talk to you about securing your server. It’s very important.
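As an added example (not code from this newsletter or from Harbor Computer Services), here is a small detector for the password-guessing pattern described above, run over a few constructed Windows Security logon records. Event 4625 is a failed logon, 4624 a successful one, and logon type 10 a Remote Desktop session; the one-event-per-line layout of the sample is an assumption made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: flattened Windows Security events (4625 = failure, 4624 = success).
SAMPLE_LOG = """\
2015-02-20 08:00:01 EventID=4625 TargetUserName=wendy IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:00:02 EventID=4625 TargetUserName=wendy IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:00:03 EventID=4625 TargetUserName=aiden IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:00:04 EventID=4625 TargetUserName=evelyn IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:00:05 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:00:06 EventID=4624 TargetUserName=admin IpAddress=203.0.113.5 LogonType=10
2015-02-20 08:15:00 EventID=4625 TargetUserName=amy IpAddress=198.51.100.7 LogonType=10
"""
LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) TargetUserName=(\S+) "
                     r"IpAddress=(\S+) LogonType=(\d+)$")

def parse_rdp_logons(text):
    """Yield (timestamp, event_id, username, source) for Remote Desktop logons only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        # Keep only logon results (4624/4625) that came in over Remote Desktop (type 10).
        if m and m.group(5) == "10" and m.group(2) in ("4624", "4625"):
            ts, event_id, user, src, _ = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user, src

def find_guessing_sources(logons, window=timedelta(minutes=5),
                          max_failures=5, max_usernames=3):
    """Return {source: reason} for sources that fail too often, or against too many
    usernames, inside one sliding window; note if a success followed the burst."""
    by_source = defaultdict(list)
    for ts, event_id, user, src in logons:
        by_source[src].append((ts, event_id, user))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward so it spans at most `window`
            failed = [u for _, e, u in events[start:end + 1] if e == "4625"]
            if len(failed) >= max_failures or len(set(failed)) >= max_usernames:
                reason = f"{len(failed)} failures across {len(set(failed))} usernames in {window}"
                if any(e == "4624" for _, e, _ in events[end + 1:]):
                    reason += ", followed by a successful logon"  # "once something hits"
                flagged[src] = reason
                break
    return flagged
```

A real user mistyping once (198.51.100.7 in the sample) is not flagged, while the guessing source is, and the trailing success is what should trigger an immediate response.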
SSL Certificates: There are some changes afoot in how browsers are going to start treating websites. Some of these are in the wake of POODLE, a flaw discovered in SSL technology, and some are the natural progression of trying to make things more difficult for malware. As a result we’ll be running a scan against your SSL certificate and the website that it (or they) protect. This will tell us what settings need to be adjusted to meet the new standards. To meet the new standard it is likely that every site you have protected with an SSL certificate will need some tweaking. Ours did too. In addition, at some point we’re going to be telling you that your company’s website needs to be SSL protected too. Google has announced that search results are going to start preferring https sites (those are the SSL protected ones) over http “sometime soon”. That means that if we don’t change your website over to a secured site, it will fall in the search rankings and potential customers will have a harder time finding you. Eventually, Google says, they will drop http from search results altogether. We’re not in a rush to make this particular change but we do want you to be aware that it’s coming.
…and as I’m writing this the news just broke on how the NSA has hacked into the SIM card manufacturing process to install a listening backdoor. This same manufacturer also produces most of the new chips in credit cards. This news item was exposed in an additional release of documents that Snowden stole. It just keeps getting weirder out there.
Amy, Harbor Computer Services