I'll start with the bad news: There is no perfect security system. If somebody wants your data badly enough, they'll get it. Not just anybody, of course, but the threat is no longer limited to nation states, government security agencies, and elite criminals. Malware, ransomware, and other exploits are available on-line for just a few dollars.
Hardware and software manufacturers are working as fast as they can to patch vulnerabilities, but not everyone keeps their hardware and software up to date. In fact, I'm my own case in point. Until earlier this week, I used a Netgear Nighthawk R7000 router, but I wasn't able to update the firmware.
Until recently, that wasn't a big deal because the firmware updates added features I didn't need and disabled a feature that I do need. The router has a USB3 port that can be used with an external hard disk to create network attached storage that's available to any computer on the network. But only one version of firmware works. Every time I have tried to update the firmware, the NAS drive has stopped working and I've had to roll back to the earlier version.
That changed with the advent of malware called "VPNFilter" that's designed, apparently by Russian state intelligence, to infect routers, steal information, and potentially cripple the router. A few weeks ago, half a million routers in more than 50 countries were known to be infected. Since then, the number has increased by 200 thousand.
The malware can set up what's called a "man in the middle" attack. In this case, the router would intercept communications between you and a service you've connected to. Your bank, for example. Everything would look normal: The malware would intercept your credentials and store them. Then it would pass the credentials on to the bank and log you in. It could capture all information you send to the bank and any information the bank sends to you. Later, this information could be delivered to the perpetrators in Russia.
The man-in-the middle exploit is accomplished with a module called SSLer that strips SSL (Secure Sockets Layer) from websites and injects Javascript into pages. SSL is the security technology that's used to establish an encrypted link between a web server and a browser. The encryption ensures the security of data passed between the web server and browsers.
So I had to make a decision: Update the firmware and stop using the network attached storage, update the firmware and buy a dedicated NAS device, or buy a new router. I chose the third option and purchased a Netgear AD7200 router.
One thing that's clear, at least for Netgear and probably for other router manufacturers, is that the installation process has improved substantially over the last three years. The basic setup is all but automated and it includes a step that requires the user to change the password for the router's "admin" account. This is something that should have been added to the setup process long ago, but at least it's present now.
Also the router's primary Wi-Fi network was set up with an acceptable SSID (NETGEAR13) and an acceptably complex authorization key (kindonion885). I changed both the SSID and the password. The guest network was disabled by default, so I set that up. The default settings for the guest network create a totally open hot spot, so I set security to WPA2-PSK [AES] (Wi-Fi Protected Access 2) and created a strong password. The security setting specifies WPA2, the latest Wi-Fi encryption standard and the latest AES encryption protocol. This is also the default protocol on the primary network.
Netgear provides an app that's supposed to allow router set up via an IOS or Android device. I downloaded the IOS version and installed it on an Ipad Pro, but wasn't able to log on. Perhaps that app is intended for use only during the initial setup; if so, I was trying to use it too late in the process. Netgear also provides Genie, an app that's supposed to allow ongoing management, but logins fail from that app, too.
It may be that these applications depend on having remote management enabled, but the instructions didn't explicitly say that's the case. Remote management can be dangerous and I avoid using it. So I'll be managing the router only from a computer, not from an IOS or Android device. And that really doesn't bother me because I question the security of management via a portable device.
Ironically, though, the new router doesn't work with the 2TB disk drive I've been using for network attached storage, a Seagate SRD00F2. The primary deficiency was Seagate's from the beginning, not Netgear's. Fortunately, 4TB external hard drives are available for less than $100 these days, so I purchased a Western Digital 4TB drive.
The network attached storage device serves two primary purposes: It's a hot backup device for working files and it's the transfer device that I use to move files from one computer to another.
The hot backup keeps near-current versions of files from the applications that I use most of the time. Even though these files are also backed up continuously to CrashPlan and weekly to external drives, having a hot backup allows for the fastest possible recovery of files.
My router is now up to date and I recommend that you check now to see if your router has a firmware update and, if so, install it. The VPNFilter exploit has 3 components. Rebooting the router eliminates components 2 and 3, but leaves component 1. Component 1 can then re-install components 2 and 3, so the firmware update is essential. Also, it's critical to change the router's default login credentials (the user name is almost always "admin" and the password is invariably "password"). And if you've ever enabled remote management on your router, this feature should be disabled.
Despite the fact that a strong majority of US citizens believe that Net Neutrality is in their best interests and the fact that the US Senate voted to overrule the FCC's plan that cripples Net Neutrality, the US House has not acted on the proposal. So this week Net Neutrality ceased to exist.
There weren't any immediate changes, of course, but changes are coming. Several years ago, Comcast and some of the other large ISPs forced Netflix to pay for better service. That practice was outlawed in 2015, but now could return. You're already paying your ISP to deliver the content you want and you're already paying Netflix or the New York Times or other content providers for the content. If the providers must pay more, those costs will be passed on. As of this week, the ISPs are free to do what they want.
Comcast, for example, once prominently displayed a promise on its website not to charge providers for "paid prioritization". That promise disappeared on the very day that the FCC announced the destruction of Net Neutrality. Coincidence?
It's possible, perhaps likely, that internet service providers will begin charging the way cable companies do: You might get basic service for one fee, but have to pay extra if you want access to Amazon, Facebook, Netflix, Hulu, newspapers and magazines, Skype, and such.
Consumer Reports writes about this topic in a June 11th article. There is still some hope because 29 states have bills in their legislatures that partially restore Net Neutrality. The laws are already in effect in Washington and Oregon and governors of several states have signed executive orders that ban state agencies from doing business with ISPs that fail to honor Net Neutrality. Additionally, at least 20 states and the District of Columbia filed suit to overturn the FCC's repeal of Net Neutrality.
The magazine offers a website where you can contact your congressional representative.
By the end of 2020, Adobe will stop supporting Flash. The technology has been round for 2 decades and has long been the target of malware. It continues to be a target for malware and Adobe responds quickly by patching threats. It's up to users, though, to install the updates.
Google plans to remove flash from its Chrome browser, in 2020. Firefox requires users to give Flash permission to run and plans to remove support for most users in 2019 and all users in 2020. By the end of this year, Microsoft's Edge browser will require the user to give Flash permission to run every time a website uses it and support for Flash will be eliminated in 2019, but users will be permitted to re-enable it until 2020. Apple doesn't support Flash on IOS devices and it's turned off by default on MacOS systems. Facebook plans to continue supporting Flash games until 2020.
So Flash is still a threat and will be for the next 18 months or so. If it's installed on your computer, be sure to obtain the latest patch to eliminate a threat from a Flash exploit that uses Microsoft Office files to spread a stack-based buffer overflow attack.
The attacker delivers an Office document with a link to a Flash file that's hosted on the attacker's command and control server. Next, the Flash file downloads encrypted data that includes the payload. The download also contains the key needed to decrypt the file. When that operation is complete, the malware downloads and runs a shell file that downloads more malware.
Microsoft has issued a security bulletin addressing the issue and recommends users turn off ActiveX in Office 2007 and 2010. For the attack to work, the victim must download the Office file and open it, but even if you think you'll never be fooled by a phishing attack, it's still a good idea to update Flash immediately. Although this attack exploited Office documents, the link to the malicious Flash file could easily be delivered in many other ways.
The next update to the MacOS will be out by the end of the year. The current version (10.13 High Sierra) will be replaced by version 10.14, Mojave. At Apple's Worldwide Developer Conference, CEO Tim Cook said that Mojave will have many new features for average users and professionals.
Security will play a big role in Mojave and Apple senior vice president of software engineering Craig Federighi said that the new version will add protections that will affect how apps can access your data. Protected devices will include the computer's camera and microphone along with the mail database, message history, and backups. Mojave will explicitly notify users when the computer's microphone or camera is being accessed.
Safari will be updated to assist with password creation and is supposed to eliminate the re-use of weak passwords. Safari will continue to store passwords, a practice that many security experts consider to be unsafe. Safari's default operation will block tracking scripts and tools like those commonly attached to social buttons or off-site embedded comment systems.
After Microsoft merged Windows mobile and desktop versions, users of Apple products have wondered if that might also be the future for Apple. For now, the answer continues to be no. At least for now a merge is not planned. However, IOS apps will eventually be available on MacOS desktops. No timeline was offered and Federighi says that a lot of internal testing needs to be done first.
Mojave is available in beta now to developers.
Batteries play an increasingly important role in our daily lives. They're essential for hand-held computing and communications devices and their role in transportation is growing fast. In some ways, this is a lot like back to the future.
Batteries were invented* in the mid-1800s and were the primary source of electricity until electric generators were invented and the electrical grids were built out in the first half of the 1900s. As AC current became available, the battery was less important and little research was done. Batteries were either lead-acid wet cells or carbon-zinc dry cells until mid century. Then, as more portable devices came to market, battery technology research picked up.
While constructing a railway in 1936 near Baghdad, workers uncovered what appeared to be a prehistoric battery, also known as the Parthian Battery. The object dates back to the Parthian empire and is believed to be 2000 years old. The battery consisted of a clay jar that was filled with a vinegar solution into which an iron rod surrounded by a copper cylinder was inserted. This device produced 1.1 to 2.0 volts of electricity.
Source: Battery University
It's unclear what the purpose of the device was and it may have been used for electro-plating
Battery technology is attracting attention from the largest companies. Now General Motors and Honda will be working together to develop advanced chemistry battery components to accelerate work both companies are doing on all-electric vehicles. Toyota and Tesla have the perceived lead in electric cars. Although GM's Chevy Bolt is considered to be a good contender, Honda has so far failed to create a viable candidate.
The companies will work to improve GM's battery system so that Honda will be able to use GM batteries in its electric cars. The companies say that the agreement's "combined scale and global manufacturing efficiencies will ultimately provide greater value to customers."
GM and Honda established a joint venture to produce a hydrogen fuel cell system by 2020 and integrated development teams are working to deliver a more affordable commercial solution for fuel cell and hydrogen storage systems.