This MacMedics Blog post was written by Brent Amersbach, a MacMedics Engineer from our Baltimore office:
Update 4-15-14: Worried about Heartbleed? Here’s a master list of what passwords need changing and what is safe. Click here for the current list.
Update 4-11-14: Need help figuring out how Heartbleed works? Check out this easy to understand cartoon that explains it quite well. http://xkcd.com/1354/
There’s a lot of fuss about the Heartbleed vulnerability today. People are freaking out, and I think it’s important we understand what exactly it is and what it means.
Background: The IP protocol uses two types of transport protocols to move data: TCP and UDP. TCP provides a persistent connection that maintains state, and assures all packets ultimately reach their destination (retransmitting if necessary). UDP just fires packets off and hopes they get where they need to go. It’s used for quick exchanges (like a DNS lookup), or for realtime communications where a retransmitted late packet is useless (like VOIP or streaming video). When you layer SSL/TLS security on top, TCP has a clear way to terminate the connection via a RST (reset) or FIN (finish) packet. UDP does not, and so it was recognized that if we wanted to secure UDP we needed a way to tell the endpoints when it was OK to deallocate resources and “close” the connection. This was accomplished through the implementation of a “heartbeat” in the UDP version of TLS (DTLS).
The Exploit: OpenSSL is a library used to add SSL/TLS support to web servers and other Internet services. As of versions 1.0.1 and 1.0.2 beta, there is a flaw that can cause the server to transmit a random 64k chunk of its memory as part of the heartbeat. This can be used to try to find private keys, passwords, or other private info currently stored in RAM. This vulnerability was introduced two years ago when the heartbeat was added to OpenSSL, and has been out there this whole time. It is not a flaw in SSL/TLS itself, nor does it affect any other SSL/TLS implementation (such as Microsoft IIS). Older versions of OpenSSL are also not vulnerable. The flaw is fixed in OpenSSL 1.0.1g.
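Where the 64k figure comes from, as an added example (not code from the original post or from OpenSSL): a heartbeat message carries a two-byte payload length (RFC 6520), and the flaw was echoing that many bytes back without checking the claim against what actually arrived. The function name and the sample records below are hypothetical and constructed; the code shows the bounds check that makes a responder drop an inconsistent request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3    /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD   16   /* RFC 6520 requires at least 16 padding bytes */

/* Hypothetical helper (not OpenSSL's API): build the reply to a heartbeat
 * message `rec`, of which `rec_len` bytes were actually received.
 * Returns the reply length, or 0 when the message must be dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* Length the sender claims; a 16-bit field, so at most 65535 bytes. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The essential check: the claim must fit in what actually arrived.
     * Without it, the copy below would read past the end of `rec`. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: 4-byte payload, length field says 4. */
size_t demo_consistent(void)
{
    uint8_t rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: same 23 bytes received, length field says 65535. */
size_t demo_inconsistent(void)
{
    uint8_t rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[65536 + 32];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("consistent: %zu bytes\n", demo_consistent());
    printf("inconsistent: %zu bytes\n", demo_inconsistent());
    return 0;
}
```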
What it can do: The most worrying thing that could leak is the private key for the server’s SSL/TLS certificate. This certificate is used by your browser to verify the website’s identity. An attacker who obtained the certificate’s private key would be able to clone the certificate and use it to impersonate that site in a later man-in-the-middle or phishing attack. It’s also possible that user passwords could be captured should they currently be in memory and the attacker happens to get that particular 64k chunk. Harvesting passwords would be a much more time-consuming process, and the attacker would have to catch your password while you’re in the process of logging in.
What you need to do: Most likely, end users do not need to do anything. You may want to avoid using vulnerable websites for the next couple of days until it settles down, but since it’s difficult to know what sites are affected, that essentially means not using the Internet. That isn’t really practical for most of us. The responsibility for this is on any website administrator using OpenSSL to get themselves updated. In order for you to be affected by a compromised certificate, you would need to be the victim of somebody interfering with your Internet connection. This would be either by inserting themselves between you and the Internet, or by changing the DNS servers your computer uses to find websites on the Internet. Standard good practices apply. Do not click links in email even if they seem to be coming from valid senders, do not install software you did not specifically go looking for (as in from ads and popups), and be wary of using secure websites when you’re on public WiFi hotspots. Generally the targets of these attacks will be sites an attacker would want to impersonate (like banks or major online retailers). Small private web and email servers are less likely to be a target, but if you are administering such a server it wouldn’t be a bad idea to keep an eye on server logs for any suspicious activity in case one of your users’ passwords was captured.
Major websites are already in the process of patching the problem (if they had it to begin with), and have been since Monday. While the exploit is bad, the average Internet user gains little by worrying about it. Administrators of smaller web and email servers should be moderately concerned, but are likely not the target. Administrators of major websites whose certificates and user passwords are desirable to hackers know who they are and are already fixing the problem.
Security Now episode 450 (Discussion of Heartbleed starts at about 44:15): http://twit.tv/show/security-now/450
A New/Old MacMedics Client Has This To Say: First of all, I have three things to say: “use them”, “use them”, “use them”.
It’s no secret that MacMedics can handle pretty much anything our clients can come up with (even when other service or consulting firms can’t).
Here’s a recent MacMedics review a customer left for us. He had been to see us 20 years ago, and when he ran into a tough problem he remembered us and came back. He also got to witness our data recovery skills and customer service for another client who happened to visit MacMedics in Millersville, Maryland at the same time he did.
“My MacBook from 2009 stopped working with Quicken. I went to an online Quicken specialist, supposedly, and after 5 hours of working on my computer, they couldn’t fix the issue. I remember a company that I used 20 years ago, and called to see if they were still around – they were. When I brought my computer to them, after a day of working on my computer, like they said, they had the problem fixed!
First of all, I have three things to say: “use them”, “use them”, “use them”.
Initially I spoke with their technician, Chris over the phone, who encouraged me to use their in-house lab services, costing $199. After having my computer fixed, I bought additional memory, by my request for $85. One thing that was reassuring was Chris’s people skills. He assured me that they will find a solution and that they could take care of the problem. During the repair process, Chris stayed in touch and told me his game plan, this wasn’t a simple fix; especially since another company wasn’t successful in resolving my problem.
Side note: After having my problem fixed – A college kid came in disheartened, having her hard drive quit. Watching Chris at work, reassuring by giving her a plan of action and a worst case scenario – you could see the change of this client’s demeanor, to that of calm in a matter of seconds. I have no doubt that he had another happy client.”
What can we do for you?
If you have a tough Macintosh service or repair problem, come visit us and let us put you at ease.
If you can’t get in touch with your Apple Consultant, Apple Reseller, or Apple Service Provider, then you need to call MacMedics, where we jump right in to solve your problems with SWAT Team like precision.
Call any of our local MacMedics offices for in-lab or on-site help anytime!
This reviewer had the following to say about our famous MacMedics In-Lab service after visiting us in Millersville on March 1, 2014:
After having many problems with my Mac, I went to the Apple store twice and spent over 5 hours in store (and they were still unable to fix my Mac even though it was still under warranty). After leaving the Apple store and still having a computer that didn’t work, I found the MacMedics store information and brought in my computer.
Not only was every single employee beyond professional, understanding, and polite, they were also able to fix my computer in less than 2 days!
I have nothing but great things to say about MacMedics and would highly recommend this store to anyone who has an Apple product related issue!
If you have a tough Macintosh service issue, come visit us in either our Millersville or Lanham office. No appointments are ever required. If you need help carrying your Mac in, just call us from your car, and we’ll run out to carry it in for you.
MacMedics can fix any Mac even if it’s on Apple’s “Vintage” or “Obsolete” list. We also offer advanced data recovery and liquid spill repairs.
Baltimore’s greatest design production and paper show is turning 20 …
but it’s your night to shine.
On March 27th, join the creative community and discover the latest product lines, techniques and services from the area’s best vendors that will help you dazzle your clients and their audiences.
We’ll also unveil the new PCB brand, and a DJ will spin tunes from the last 20 years while you enjoy great food, an open bar and lots of mixing and mingling—all for $25.
We invite you to help us celebrate our platinum anniversary in real style: get out your tuxedo T-shirt and go formal. It’s an evening of platinum opportunities you won’t want to miss.
Thursday, March 27, 2014
5:30 – 8:30 PM
6817 Dogwood Road
Woodlawn, MD 21244
PCB Members FREE
(Cash or Check at Door)
Light Fare, Beer, Wine, Soda
If you believe Ragnarok will happen today, then don’t worry about starting your Backup plan. We’ll be here Monday to help with either that data recovery or that first step to backing up safely. Ask for our free Time Machine white paper.
Right now in Millersville we have SIX data recovery projects running and another couple in the wings waiting for equipment space. We do some pretty amazing data recovery work, but don’t ever count on paid data recovery as your backup plan. Some data is just gone and there’s nobody that can get it back. That’s heartbreaking for you AND us.
Guess what? Hard drives die! If your hard drive is over three years old, it’s a good idea to replace it. MacMedics has new hard drive options like 1GB Hybrid 2.5″ hard drives, custom built Fusion drives, and desktop hard drives up to 4TB. Also, with the price of Solid State hard drives falling to new lows, it’s a great idea to use one of those if you can. Need help? This is what we do! MacMedics replaced over 1000 hard drives in 2013.
Read more on our website http://www.HardDrivesDie.com
Winter Storm Pax Is Coming! Is Your Data Backed Up? Are You Prepared To Telework When The Bad Weather Hits?
Winter Storm Pax will most likely hit the Mid-Atlantic area (MacMedics territory and from the looks of it we will be ground zero!), and it will likely destroy some data in some way.
Here in the Mid-Atlantic area, MacMedics clients and friends should unplug their computers and remove and store backup hard drives in a dry place if they’re not going to be around when the snow and power outages hit us. If the power is off, or it goes out, it’s a smart idea to go ahead and just unplug your computer from the power and from your network if you have hardwired Ethernet.
Pro Tip: When disconnecting your computer system from power, unplug everything attached to your network, even the COAX cable from your cable or satellite box, as that appears to be the #1 surge source (based on past repairs). In regards to power surges, if your power DOES go out (or starts to flicker), disconnect from power, as surges can also occur when the power comes back on!
If you are going to be working from home during the snow day, ensure you have access to your company’s VPN or have remote access to your server. Also, if you collaborate with co-workers on Dropbox or other services that let you share data, you should double check that you have access to that today.
This might also be a good time to enhance your back up plan by adding an off-site back up. MacMedics has our own off-site backup plan for our clients. Contact us if you’d like to get a backup configured for you.
For our friends and clients in the Mid-Atlantic region, MacMedics recommends that you back up your hard drive via a “clone” using Super Duper or Carbon Copy Cloner, as that way you can “test” your back up to ensure you have a good, bootable copy.
The important thing is to PLAN AHEAD. Your back up is not complete if it’s not:
Here’s a few more tips from MacMedics:
1. If you do not have Ultra Call Forwarding at your office, be sure to forward your business phone lines to your cell phone BEFORE you lose phone and/or power to your phone system.
2. Your alarm system should contain a small back up battery, but you can extend that greatly, by plugging your alarm system into a high capacity UPS system.
3. If your server is not set to Auto Restart after a power failure, it’s not too late to turn that on.
We have tons of posts on Time Machine and we even have a free White Paper on it. If you’d like a copy, let us know. If you’re not using an automatic backup, your data is at risk!
Today we transferred data from a PowerMac 7300/180 that came with a 2GB SCSI Quantum hard drive. This Mac is owned by NASA. We removed the hard drive and hooked it up to our equipment that can read SCSI devices and copied the entire hard drive to a DVD ROM.
Tuesday, January 21 2014
6:00 PM – 8:30 PM
School of Art and Design
11200 Gundry Lane
Owings Mills, MD
As designers and publishing specialists, keeping abreast of new technologies is a growing challenge. Belonging to the Adobe Community and its user groups affords us opportunities that otherwise would not be available. Did you ever wonder how the heavyweights of publishing get the job done?
We are delighted to announce the details of our first 2014 IDUG event featuring Jacquelynne Hudson, Manager of Digital Content Development, Simon & Schuster, New York. Ms. Hudson will give us an inside look at ePubs from an enterprise point-of-view.
Join us as Jacquelynne covers the following key points:
The difference between reflowable and fixed layout eBooks
What it means to stay in the forefront of the publishing industry today
What it takes for Simon & Schuster (S&S) to stay current with changing technology
Where ePubs are headed in the not-too-distant-future (limitations and opportunities of ePubs)
A look at the S&S workflow
Best way to handle images and illustrations
How to handle footnotes, TOCs, and hyperlinks effectively
How to fix things that break (troubleshooting and testing)
How S&S provides files to its clients (understanding different formats)
We would like to especially thank MacMedics and ThinkBig!LearnSmart for being our 2014 Chapter Gold Sponsors.
6:00 p.m. Registration, raffle sales in support of our chapter, networking, and refreshments
6:30 p.m. Welcome and group business
6:45 p.m. Featured presentation with Jacquelynne Hudson
7:25 p.m. Break (last chance to buy raffle tickets to win cool stuff)
7:35 p.m. Featured presentation continues
8:10 p.m. Questions & Answers with Jacquelynne
8:25 p.m. Selection of raffle winners
8:35 p.m. Adjourn
Remember, sponsor donations and proceeds from raffle sales are our SOLE SOURCE to pay for speakers, food, administrative costs, and venue. Sponsorships and donations are needed and welcome to keep us going, and raffle tickets give you a chance to win cool stuff.
MacMedics is an annual sponsor of The Greater Baltimore Chapter Adobe InDesign User Group
The OS X Mavericks v10.9.1 Update is recommended for all OS X Mavericks users.
Before you run any software update, MacMedics recommends that you read our Software Update Warnings Page, which can be found at this link.
Updating your system:
1. You should back up your system before installation. To do this you can use Time Machine.
2. Do not interrupt the installation process once you have started to update your system.
3. You may experience unexpected results if you have third-party system software modifications installed, or if you’ve modified the operating system through other means.
4. Choose Apple menu > Software Update to check for the latest Apple software using the Mac App Store, including this update.
5. Other software updates available for your computer may appear, which you should install. Note that an update’s size may vary from computer to computer when installed using Software Update. Also, some updates must be installed prior to others.
You can also download the manual update installer. This is a useful option when you need to update multiple computers, but only want to download the update once. Standalone installers are available from Apple Support Downloads.
The OS X Mavericks v10.9.1 Update is recommended for all OS X Mavericks users. It improves the stability, compatibility, and security of your Mac. This update includes:
-Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings
-Improves the reliability of Smart Mailboxes and search in Mail
-Fixes an issue that prevented contact groups from working properly in Mail
-Resolves an issue that prevented VoiceOver from speaking sentences that contain emoji
-Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
-Addresses an issue that may cause multiple prompts to unlock “Local items” keychain
-Addresses an issue that may cause Japanese keyboards to retain a previously used language
-Includes Safari 7.0.1
-Fixes an issue that could cause Safari to become unresponsive when filling out forms on fedex.com, stubhub.com, and other websites
-Improves Credit Card Autofill compatibility with websites
-Improves VoiceOver compatibility with facebook.com
-Updates Shared Links periodically when open in the Safari Sidebar
About the OS X Mavericks v10.9.1 Update: http://support.apple.com/kb/HT6065
MacMedics is an Authorized Studio Network Solutions Reseller
MacMedics is proud to be an Authorized Reseller for Studio Network Solutions. SNS is a leading provider of shared storage hardware and software technology for Mac, Windows & Linux workgroups. SNS EVO combines high-performance with extensive connectivity in a single product including 8Gb/s Fibre and 10Gb/s Ethernet. SAN or NAS, or both at the same time, EVO is designed for online real-time use with leading applications including Final Cut Pro/FCP X, Adobe, Autodesk, Avid and ProTools. For over 15 years SNS has been advancing workflow efficiency for the media and entertainment, broadcast, post production, digital content creation, game development, and education and government marketplaces.