Pittsburgh Tech Guy

Adobe Systems released emergency security updates for Flash Player in order to fix a vulnerability that has been exploited in attacks against users since earlier this month.

The attacks were discovered by security researchers from Kaspersky Lab and were launched from a website set up by the Syrian Ministry of Justice to receive complaints about law violations. It’s not clear who was behind the attack, but the site had been compromised in the past by hackers.

“We received a sample of the first exploit on April 14, while a sample of the second came on April 16,” Vyacheslav Zakorzhevsky, manager of the vulnerability research group at Kaspersky Lab said in a blog post Monday. “The first exploit was initially recorded by KSN [the Kaspersky Security Network] on April 9, when it was detected by a general heuristic signature.”

While the two exploits leveraged the same, previously unknown, vulnerability in Flash Player they targeted users in different ways. One exploit could have been used to infect any computer with Flash Player installed, but the second specifically required Adobe Flash Player 10 ActiveX and the Cisco MeetingPlace Express Add-In to be installed on the targeted systems.

The U.S. government's top cyber-security agency is telling Internet Explorer (IE) users they should consider running a different browser until Microsoft fixes a critical vulnerability.

The U.S. Computer Emergency Readiness Team (US-CERT) added its voice to the growing chorus of security organizations and companies that have warned people of the flaw, which affects IE6, IE7, IE8, IE9, IE10 and IE11.

US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.

"US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative Web browser until an official update is available," the agency said in a Sunday statement.

EMET refers to "Enhanced Mitigation Experience Toolkit," an anti-exploit utility that lets customers beef up security defenses on select applications.

Windows XP users are especially at risk to exploits of this IE vulnerability, because they will not receive patches for IE6, IE7 or IE8. Microsoft will be writing patches for all three versions, but will not offer them to Windows XP customers; it terminated support for the 12-year-old OS on April 8.

Security experts had warned Windows XP users that they would be targeted by hackers after support ended. They believed that cyber criminals would quickly find flaws by examining Microsoft's patches -- using a before-and-after code comparison -- in those products, like IE, that continue to receive updates on other editions of Windows.

"This happened a bit quicker than I expected, but it is a sign of things to come," said Wolfgang Kandek, chief technology officer of Qualys, in a Monday blog. "Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems."

Under What's New, your link to the most comprehensive chart detailing your online backup services/options!  Or click here as well. 

The ability to back up files, store them in the cloud, and automatically sync all that data across multiple devices has radically changed the way we use computers, mobile phones, and other Internet-connected devices. That data could comprise home movies, your personal music collections, or work files that you and a colleague are collaboratively editing together. No matter what you put into a cloud storage and syncing solution, the benefit of being able to access it nearly anywhere is phenomenal.

If you don't have a service for storing and syncing your data in the cloud, you need one. You might even need more than one.

Many of the best solutions do something specific, like handle photos exceptionally well and make them easier to share with your friends. The services you choose should be right for the job that needs doing. There isn't one magic bullet that fills all needs. That's not a bad thing. Using multiple services allows you to compartmentalize your data, which in turn may let you take advantage of the free space allotments most services offer. Separate your music from your photos from your office files, and each set might weigh in under the free account limit with three different services.

Sometimes, however, it's worth paying for a service. Perks often include increased access to file-version history, more security, or more features for collaboration and working with teams.

Not every service on this list doubles as a file-syncing service, but many do. File-syncing has become an integral part of online backup. For tips on how to use a file-syncing service and deeper explanation of how some people use them, see Get Organized: File Syncing Services to the Rescue.

Different services can offer vastly different features and perks, and many of them are not directly comparable. If you want the utmost in comparisons, take a look at the insane chart of cloud backup services on Wikipedia.

Click here for the review article.

LastPass has released a new tool to show you which of your supposedly secure online accounts are at risk of being compromised, as the Heartbleed fallout continues with numerous major sites admitting to being hit by the devastating bug.

Heartbleed is the recently disclosed programming flaw in OpenSSL that would allow attackers to read the contents of a server's memory, exposing critical information such as SSL site keys, usernames and passwords, and user data.

LastPass shows your bleeding hearts

LastPass now runs a security check to show accounts for sites affected by Heartbleed. (Click to enlarge.)

Not content with letting users check Heartbleed-affected sites one by one with its individual site-checking tool, the LastPass password manager now has an automated solution for its users. If you're using LastPass in your browser, just tap on the LastPass icon and go to Tools > Security Check.

This will redirect you to the LastPass website, where the service will scan your password vault and come up with a list of sites affected by Heartbleed. The list will also tell you how old your password is, when the site last updated its security certificates, and whether you should change your password.

That last point is crucially important, because there's no sense in changing your password on an affected site until it has been patched, as explained in PCWorld's guide to staying protected from Heartbleed. 

I'm a longtime LastPass user. When I ran the security check against my own vault, it showed a number of accounts that needed to have their password changed. While helpful, the LastPass tool wasn't perfect, however. It advised me to wait before changing my Tumblr password, for example, even though Tumblr publicly advised users to change their passwords before the new LastPass security check was publicly available.

Nevertheless, as a quick way to head off potential problems, the LastPass integrated tool is a great place to start a Heartbleed self-audit.

Heartbleed highlights

A number of major sites have recently admitted they were affected by Heartbleed and issued fixes for their services, including:

• Amazon Web Services
• Dropbox
• Facebook
• GitHub
• GoDaddy
• Google
• LastPass
• OKCupid
• Soundcloud
• Tumblr
• Turbo Tax
• Yahoo

Have you been waiting anxiously to get your hands on Google Glass? Starting next Tuesday, the high-tech specs could be yours.

Beginning at 6 a.m. PT on Tuesday, April 15, any U.S.-based adult will have the chance to purchase Google Glass for $1,500. "The number of spots available is limited, so mark your calendar if you want to get in," the Glass team wrote in a Google+ post.

Initially, Google Glass was only available to those who attended the 2012 Google I/O conference and ponied up $1,500 for the device. The search giant then ran a contest on social media, which asked potential Glass Explorers what they'd do with Glass, and awarded invites to those with creative responses. More recently, Google allowed existing Explorers to invite friends to buy the specs.

"But every day we get requests from those of you who haven't found a way into the program yet, and we want your feedback too," Google said today. "So in typical Explorer Program fashion, we're trying something new."