New Router Malware might be affecting your home/office router

From Talos:

https://blog.talosintelligence.com/2018/05/VPNFilter.html

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN

WIRED has an article about this cybersecurity hazard here: https://www.wired.com/story/vpnfilter-router-malware-outbreak/

WIRED has reached out to Netgear, TP-Link, Linksys, MikroTik, and QNAP for comment on the VPNFilter malware. Netgear responded in a statement that users should update their routers’ firmware, change any passwords they’ve left as the default, and disable a “remote management” setting that hackers are known to abuse, steps it outlines in a security advisory about the VPNFilter malware. The other companies have yet to respond to WIRED’s request.

Test for the Shellshock bug in BASH

From ArsTechnica:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.
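
The following is an added example, not part of the Ars Technica text or of this post: a shell wrapper that runs the same one-line test against every bash binary it finds, since a system can carry more than one copy. It classifies the result from stdout alone, because newer patched builds print only "this is a test" with no warnings. The function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: function names and candidate paths are assumptions,
# not taken from the article.

# Decide from the probe's stdout. "vulnerable" appears as its own line only if
# bash executed the command trailing the function definition in variable x.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "vulnerable"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"
    else
        echo "inconclusive"   # probe did not run as expected
    fi
}

# Run the article's test against one specific bash binary.
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "inconclusive"
        return 0
    fi
    # stderr is dropped: the warnings are not needed for the verdict, and
    # newer patched builds print none at all.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null) || true
    classify_probe_output "$out"
}

# Check each bash binary present; extra copies often live outside /bin.
scan_bash_binaries() {
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        if [ -x "$bin" ]; then
            printf '%s\t%s\n' "$bin" "$(probe_bash "$bin")"
        fi
    done
}

scan_bash_binaries
```

Any binary reported as vulnerable needs the Bash update described above, including copies installed outside the system package manager.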

Why you should use Google Public DNS

Why should you try Google Public DNS?

By using Google Public DNS you can:

https://developers.google.com/speed/public-dns/docs/using

Google Public DNS telephone support

  • 877-590-4367 in the U.S.
  • 770-200-1201 outside the U.S.

 

The Google Public DNS IP addresses (IPv4) are as follows:

  • 8.8.8.8
  • 8.8.4.4

The Google Public DNS IPv6 addresses are as follows:

  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

You can use either number as your primary or secondary DNS server. You can specify both numbers, but do not specify one number as both primary and secondary.

You can configure Google Public DNS addresses for either IPv4 or IPv6 connections, or both.

Making rich graphical emails from your desktop email program

A client recently asked about placing graphics into an email template — namely, background graphics.

Email programs (Outlook, Entourage, Thunderbird) are not designed to easily create rich graphical HTML emails. They make it difficult to embed background images (for mastheads, say); they vary in their support and tools for styling CSS, and there are greatly varying display abilities of email platforms across the internet.

HTML emails need to be designed as simply as possible — no backgrounds, complex CSS, floats, etc. — since there are 100+ different email readers/webmail systems [hotmail, gmail, yahoo, aol, cpanel webmail, etc.] with varying levels of support. In all, your emails’ HTML and CSS must be very simple to be cross-platform.

All the fancy emails you and I get (from Amazon to Gap to Starbucks to NatGeo) are sent by dedicated email publishing systems… carefully constructed to let the sender add design elements to the templates that will work on most email platforms.

The client, if its needs are growing for rich graphical emails, needs to use a 3rd party tool like Campaign Monitor or Mailchimp, or build its own email publisher tool.

These types of emails are useful for communicating with their audience.  For internal emails, using Outlook can work, since all employees are likely on the same platform.

We can hack and tweak our way to success in Outlook or Entourage or Thunderbird, but it’s not for the faint of heart.

To make a template in Outlook, for example, a background image behind the title text can’t just be copy/pasted in. Outlook provides an import/place menu command to insert the image in the background.

Vizio – an American success story

A Vizio tv wall
Photo by Kyle Chayka.

From an article at The Verge: Vizio has 414 US employees who oversee a vast army of suppliers making their products at the manufacturing level. The founder says that 50 percent of their job is orchestrating.

And why are the TVs so low-cost?

“We’re here to make innovative technology a commodity,” Wang told Inc magazine at the time. “We’re not here to build cheap product, we’re here to make the product affordable.”

You know Vizio for its affordable LED TVs sold at Costco and Walmart… and maybe for its tablets or monitors. But they also are making PCs.

“PCs aren’t going away,” says McRae. “They’re still extremely important devices in people’s lives and they’re really becoming an entertainment product as much as a productivity product. And if it’s an entertainment device, it’s in our wheelhouse. We do entertainment devices pretty well.” Vizio first tried to expand beyond TVs into smart devices with the Vizio Phone and Tablet, which launched at CES 2011, but McRae killed the phone after dealing with carriers proved frustrating and expensive. PCs and tablets can be sold directly to consumers — something Vizio is pretty good at.

They have innovative ideas about the direction of PCs:

“The tablet has forced the PC industry out of its slumber. There wasn’t much going on. But the next three to five years in PCs will actually be very interesting. You’re going to see new form factors, you’re going to see touch embedded over time.

 

SSL vulnerability called BEAST

Does it affect your secure webserver?

You should know, if you accept credit cards or handle social security numbers on your website.

See these two articles for more expert information:

http://arstechnica.com/business/news/2012/04/90-of-popular-ssl-sites-vulnerable-to-exploits-researchers-find.ars

http://luxsci.com/blog/is-ssltls-really-broken-by-the-beast-attack-what-is-the-real-story-what-should-i-do.html

 

Testing:

This company will test your https connection. Here’s an example report.

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fmillfalls.com&hideResults=on

 

From Lux-Sci: Real-world vulnerability? What is affected by BEAST?

This problem can affect people browsing secure web sites, allowing eavesdroppers to gain full access to your accounts on those web sites under certain conditions.  It does not affect

It does affect:

  • Accounts you may have with secure web sites that you login to, like PayPal, LuxSci, Gmail, Bank of America, Facebook, etc.

 

Solution:

It is not yet feasible to use a browser or webhost that supports TLS 1.2. For now, here is LuxSci’s advice:

The Take Away Message

People should always be concerned and aware of security as the landscape changes constantly.  We think that beyond the need to upgrade and to implement software fixes, consider the following:

  • We should actually use SSL and TLS whenever possible. Insecure sites put our browser and computer at risk, as we have no control over what malicious third party may inject into our browsing session.  SSL and TLS actually protect us from that threat.
  • When going to secured web sites, it is best to start in a new browsing session or one that has only visited other secure (https://) sites.
  • Make your home page a secure site and your other secure sites easily accessed via bookmarks.
  • Use separate web browsers for normal insecure browsing and for access to your secure sites.
  • Keep your software, web browsers, operating system, anti-virus, and other components up to date.

 

Firefox 7 brings speed and UI annoyances

1.

For power users who need their address bar to show the “http://” in a web address, you can revert to the original, preferred behavior:

  1. Open a new window and type about:config into the address/URL bar
  2. Paste in this quick filter-field search: browser.urlbar.trimURLs
  3. Double click on the browser.urlbar.trimURLs field to change its value from true to false
  4. Close the window (or tab) and your URL protocols will be unhidden

Why would you want to do this? If you copy/paste web address routinely — say, to clients, via email — you don’t want to be manually adding back the protocol to every email you send or document you create, so that the URL can be clickable.

2.

Firefox 6 introduced a new “domain highlighting” feature, where the address bar grays-out any protocol (like http://  or https:// )  and the directory path in the URL, leaving just the domain in black. The thinking was that it would help inexperienced users easily catch phishing websites.

It is annoying to me, though. It makes the true path harder to see, and since I work with URLs on a regular basis — copy/pasting them to clients in emails and documents — I wanted to turn it off. Here’s how:

  1. Open a new window or tab, and type about:config into the location bar
  2. Search for browser.urlbar.formatting.enabled in the filter field; you can copy/paste it from here
  3. Double click on the browser.urlbar.formatting.enabled field to toggle the value to false
  4. Close the window (or tab) and your domain paths will be unhidden

That’s all there is to it! Now you can revert to a better way. :-)


Mac PowerPoint How to Export Text from Slides

PDG is continually astounded at how unhelpful and unintuitive Microsoft programs can be. But thankfully in this case, my not-uncommon gripe has a happy ending.

The unmet need, as framed as a typical google search query:

I want to export all of the text from a 20-page PowerPoint file to a plain text file.

Why? So that we can translate the text easily… or perhaps to proofread the text, or use the content in another medium, like in an email or Word document.

Out of thousands of hits, only 1 website solved the problem. I’ll share with you the solution next.

Thinking (wrongly) that surely PowerPoint 2008 for Mac lets us export the text from slides, I hunted for the option. First discovery: there is no export function. Okay, let’s try Save As… no, these options are useless, as the RTF outline text or HTML options do not export any slide text! Astounding.  The “Outline” option requires some unusual structuring that ignores any actual content on the slides! And the “HTML” option actually flattens all the text into a graphic. Wow. Because in this SEO era, we surely don’t care about text-based content on our web pages, right?

I found one helpful web page out of thousands that had a solution. It involves running a simple macro snippet, after adding it to the PPT file. I have never used Macros before, but I was able to figure it out in under 5 minutes.

But this technique does not work for POWERPOINT:MAC 2008 — because Microsoft removed Macro support in Office 2008.  Astounding again. Who does the thinking at the Mac Business Unit there?  UPDATE:  Macro support is back in Office 2011.

However, luckily, I also have Office 2004 for Mac. If you do too, follow along.


The website with the macro solution is here, at the PPT FAQ site. Credit to Stephen Rindsberg, who modified code from Kris Lander.

Copy the 2nd chunk of code. Here it is for you:

Sub ExportText()

  Dim oPres As Presentation
  Dim oSlides As Slides
  Dim oSld As Slide         'Slide Object
  Dim oShp As Shape         'Shape Object
  Dim iFile As Integer      'File handle for output
  Dim PathSep As String

  #If Mac Then
    PathSep = ":"
  #Else
    PathSep = "\"
  #End If

  Set oPres = ActivePresentation
  Set oSlides = oPres.Slides

  iFile = FreeFile          'Get a free file number

  'Open output file (the same handle is used by Print # and Close # below)
  ' NOTE:  errors here if file hasn't been saved
  Open oPres.Path & PathSep & "AllText.TXT" For Output As #iFile

  For Each oSld In oSlides    'Loop thru each slide
    For Each oShp In oSld.Shapes                'Loop thru each shape on slide

      'Check to see if shape has a text frame and text
      If oShp.HasTextFrame And oShp.TextFrame.HasText Then
        If oShp.Type = msoPlaceholder Then
            Select Case oShp.PlaceholderFormat.Type
                Case Is = ppPlaceholderTitle, ppPlaceholderCenterTitle
                    Print #iFile, "Title:" & vbTab & oShp.TextFrame.TextRange
                Case Is = ppPlaceholderBody
                    Print #iFile, "Body:" & vbTab & oShp.TextFrame.TextRange
                Case Is = ppPlaceholderSubtitle
                    Print #iFile, "SubTitle:" & vbTab & oShp.TextFrame.TextRange
                Case Else
                    Print #iFile, "Other Placeholder:" & vbTab & oShp.TextFrame.TextRange
            End Select
        Else
            Print #iFile, vbTab & oShp.TextFrame.TextRange
        End If  ' msoPlaceholder
      End If    ' Has text frame/Has text

    Next oShp
  Next oSld

  'Close output file
  Close #iFile

End Sub

Now open the PPT file in PowerPoint:Mac 2004, open the menu item “Tools –> Macros” and you will see the Macro editor. It will be empty at first.


You will not see this macro like I show, at first; to begin, type in a simple name, then click CREATE.

Copy/paste the visual basic snippet into the new dialog/edit box that appears, then SAVE it.

Now you can RUN this macro. Voila. The exported txt file will be placed in the same directory as the PPT file itself.

It worked seamlessly, without a hitch.

And his script works for Mac and PC.

Try it out! It saved me lots of manual copy/paste time.

Useful Twitter tools – roundup

There are many desktop programs that make using Twitter easier. Whether for managing multiple accounts or tracking comments across many social media sites, these apps and programs can make the experience of using Twitter/Facebook/StumbleUpon etc. more efficient.

Here’s a website that scans your website/tweets for word frequency and creates art in the form of a “word cloud”. While not strictly useful, this site can be used to scan a web page and find the most popular words for SEO keyword purposes.


http://www.wordle.net/

Wordle is a toy for generating “word clouds” from text that you provide. The clouds give greater prominence to words that appear more frequently in the source text. You can tweak your clouds with different fonts, layouts, and color schemes. The images you create with Wordle are yours to use however you like. You can print them out, or save them to the Wordle gallery to share with your friends.

Another website, Appstorm, gathered together over 50 Mac Twitter apps/programs/clients.

An important fuel to this fire is the remarkably open Twitter API which has allowed developers to create a plethora of beautiful and incredibly convenient desktop applications that connect with every facet of the service. This article is dedicated to all you readers who, like me, are completely addicted to two things: Mac applications and Twitter.