Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Password managers

“If you’re not using a password manager, you should be.” You’ve heard the refrain, and you’re probably tired of hearing it. But we won’t stop saying it until people get the message.

Rule #1 in online security is “Don’t re-use passwords for multiple web sites and services.” Rule #2 is “Use long, complex passwords.” Following those two rules means you have to remember multiple, long, complex passwords. This is not something humans are particularly good at, which is why we need password management software.

I use Password Corral, free Windows software from Cygnus Productions. It’s not limited to storing passwords, so you can use it for bank accounts, license information, and so on. It can generate strong passwords according to customizable rules. It won’t fill in web forms for you, and it can’t be accessed on the cloud, but I don’t actually want either of those features.

I also recommend Bruce Schneier’s Password Safe.

When deciding on a password management solution, there are several factors to consider. There’s a useful comparison of password management tools (PDF) over at the SANS InfoSec Reading Room. It doesn’t include Password Corral or Password Safe, preferring to concentrate on the more mainstream and popular services, but it’s worth reading.

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to Gmail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

Windows 10 Insider Preview Build 14295

Late last week, preview build 14295 started making its way to computers enrolled in the ‘Fast track’ Windows 10 Insider Preview program. Yesterday, the build was made available to computers on the ‘Slow track’.

This latest build actually includes some interesting features. Or it will when the accompanying developer tools become available. With this build, Microsoft is expanding support for Linux tools on Windows 10, including the BASH scripting language.

While not of much interest to regular users, adding Linux tools to Windows 10 shows that Microsoft is actually listening to developers and other power users.

Build 14295 also fixes some minor problems affecting Xbox compatibility, the Edge browser, and Kaspersky security software.

Chrome 49.0.2623.110

At what point does an update qualify as pointless? The full change log for Chrome 49.0.2623.110 contains six items, two of which involve merely changing the version number. Another publishes a small change in dependencies. One is literally about compatibility with Windows NT4. There’s nothing here that justifies all the data movement associated with mass-updating a popular piece of software like Chrome.

But hey, I guess I shouldn’t complain. I’d rather be at the “too many updates” end of that particular spectrum.

What you really need to know about the new Chrome version is that none of the issues addressed relate to security.

Chrome 49.0.2623.108

Earlier this week, Google announced another new version of Chrome.

Version 49.0.2623.108 addresses five security issues, so if you use Chrome, you should make sure it’s up to date. Click the browser’s ‘hamburger’ menu at the top right, then select Help > About Google Chrome. If you’re not running the latest version, Chrome will start the update process automatically.

The full log lists about sixty changes in the new version, but nothing particularly interesting.

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Flash 21.0.0.197

According to the announcement, the latest version of Flash – released on March 23 – fixes a specific bug that was causing problems for some Flash games.

A review of the release notes seems to show that Flash 21.0.0.197 doesn’t contain any security fixes, so this isn’t an urgent update. Unless of course you’re having trouble running Flash games in your browser.

The announcement for 21.0.0.197 contains at least one error: it shows the new PPAPI version of Flash, used in Chrome, Opera, and other Chromium-based browsers, as 21.0.0.286. My own tests, as well as the official release notes, show that the new PPAPI version is actually 21.0.0.197. I reported the discrepancy to the author.

There is no new version of Flash for Internet Explorer and Edge on Windows 8.x and 10; the latest is Flash 21.0.0.182.

As usual, Chrome will update itself with the new version of Flash.

Windows 10 Insider Preview Build 14291

There’s another preview build for Windows 10. According to the accompanying announcement, build 14291 includes improvements to Edge and the Feedback Hub, Microsoft’s mechanism for reporting Windows 10 issues.

The changes to Edge show that Microsoft is still playing catch-up, adding features that have existed in the other major browsers for a while. So there’s nothing particularly revolutionary, but if you’re forcing yourself to use Edge, being able to use extensions and pin tabs will be helpful.

Several of the Windows 10 apps have also been improved, including Maps, and Alarms & Clock.

Was your account exposed as part of a breach?

It seems like every few weeks another web site or online service is breached. When that happens, user account information is almost always stolen, and usually published online.

If you have an account on a breached site or service, you may not be in any immediate danger. Often, only email addresses are published. Sometimes account/user names are also published. Occasionally, encrypted passwords are published, and when that happens, the weaker of those passwords are also quickly decrypted. The worst case scenario is where you’ve used a single, weak password for several different web sites or services.

After learning about a breach on a site or service, your first step should be to determine whether you have an account there. If you do, you should sign in and change the account’s password immediately (sometimes this is forced by the site owner in response to a breach). Then, if you’ve used the same account/email + password anywhere else, sign in to those other sites and change those passwords. Then stop using the same password everywhere, and start using a password manager like Password Corral.

If you’re not sure where you’ve used a particular account/user name or email address, you should start by searching for them on the Have I Been Pwned site. ‘Pwn’ is gamer slang for ‘own’, if you were wondering. Enter a username or email address, and the site will search for it in all known lists of breach data.