What to do about Heartbleed?

You have probably heard about the Heartbleed bug in OpenSSL reported last week. It’s been described as a critical flaw compromising the security infrastructure of the Internet. This is estimated to have affected over 66% of websites on the public internet, including Yahoo, Google, Facebook, and Instagram.

How does it work?

There are good explanations out there, so we won’t rehash here, but here is a good technical rundown, and here is a good visual explanation.

Effectively, it allows an attacker to request a 64KB chunk of arbitrary data from an affected server’s memory, and the attacker can request chunks over and over, as fast as their computer can request and the server can respond. This can expose anything that is in the server’s memory, including usernames, passwords, credit card numbers, personal information, etc.

What can you do?

We are reliant upon service providers to patch their systems and update their cryptographic keys (most have already done this), but there are some steps that we can and should take as individuals to ensure that we are protected.

1. Make sure that your browser checks for certificate revocation

To find out if your browser already does, go to Verisign’s certificate revocation test site. If you receive a certificate warning, then your browser is already properly configured. If not, follow these instructions for Chrome, Safari, Firefox or IE.

This is important because if a server’s certificates were compromised, an attacker could use the stolen certificate to masquerade as the original site.

2. Change all of your passwords

This exploit has been around for 2 years, and its use is undetectable. Therefore, prudence dictates we assume our passwords have been compromised on any affected sites. If you use the same or similar passwords at multiple sites and one of them was compromised, then you must assume that the rest are also compromised.

This sounds daunting, but if you use a password management utility like LastPass, 1Password, KeePass, Password Safe, or Apple’s built-in iCloud keychain, this isn’t very difficult.

If you don’t use one, now would be an excellent time to start.

A good password management utility allows you to easily generate secure passwords, stores them in a secure way, automatically fills in login pages for you and syncs across multiple devices. It will make your online logins more secure yet easier to manage.

3. Which sites were affected?

Here’s a good list containing popular sites and the fix status.

Here’s a more comprehensive (though less readable) list, with snapshots taken on 4/8 and 4/12 for comparison.

If you are using LastPass, you can run their security check, which will provide you with a handy list of sites that you use that were affected, and whether it’s time to change your password or wait until they’ve updated their certificates.

If you want to check to see if a site you use is still affected, you can use this site to test individual pages.
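One way to apply the “change now or wait for a new certificate” rule yourself, as an added example that is not from the original post or from any of the services it names: compare the issue date of the site’s current certificate with the Heartbleed disclosure date. The 7 April 2014 disclosure date, the function names and the sample certificate dates are this example’s own assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014 (assumed date for this
# example). A certificate whose validity started before that date may have
# been served by a vulnerable OpenSSL, so its private key has to be treated
# as exposed and a freshly changed password could be captured by an impostor.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after_disclosure(not_before):
    """not_before is the 'notBefore' string as returned by ssl getpeercert(),
    e.g. 'Apr  9 12:00:00 2014 GMT'. True if the cert post-dates disclosure."""
    seconds = ssl.cert_time_to_seconds(not_before)
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return issued >= DISCLOSURE


def password_advice(not_before):
    """Same verdict a password-manager security check gives per site."""
    if cert_issued_after_disclosure(not_before):
        return "change password now"
    return "wait for new certificate"


def fetch_not_before(hostname, port=443, timeout=5):
    """Open a verified TLS connection and return the leaf cert's notBefore.
    Needs network access; not exercised by the offline samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Constructed sample values standing in for two sites' certificates.
    for sample in ("Feb 11 00:00:00 2013 GMT", "Apr  9 12:00:00 2014 GMT"):
        print(sample, "->", password_advice(sample))
```

The date check cannot tell whether a site reissued its certificate with the same private key, which would leave the key just as exposed, so treat “change password now” as necessary but not sufficient evidence that the site fully recovered.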

4. Enable multifactor authentication

We don’t recommend this just because of Heartbleed, though if you are using multifactor authentication on sites that were compromised, it dramatically decreases the chance that your account may be broken into.

Gmail, LastPass, Twitter and many other sites now offer multifactor authentication. While it seems like a hassle at first, the added security is worth it.

Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

Recap

Heartbleed is a real and nasty bug, but you can take steps as an individual to limit your personal exposure.

  • Enable certificate revocation checking in your browser
  • Change all of your passwords
  • Use a password manager
  • Enable multifactor authentication when available

Remember, if you haven’t used a password manager in the past, a good candidate for this situation is LastPass. You can use it to create new passwords for all of your sites, then run the security check feature to learn if there are any sites that you use that are still vulnerable or have yet to issue new certificates (and hence will require another password reset in the future).

R.I.P. Windows XP


If you ask for whom the bell tolls, the bell tolls for Windows XP.

Yesterday, Microsoft pushed the final patches to XP and has officially declared it dead. With no more patches coming down the line, that means any security flaws found from here on out (or that hackers have been sitting on) won’t be fixed. It’s a holiday for malicious hackers and the like.

If you or someone you know is still running an XP machine… I’d suggest no longer connecting it to the internet.

Future of Work: Internal & External Collaboration

Control Group is helping organizations create more innovative workspaces and tools that foster more productive (and happy) workforces. A major consideration in all of our work in this area is collaboration. Here is a brief Q+A with Lisa O’Neil, Associate Partner of Consulting, on the impact of technology on collaboration, based on her discussion with Inc. Magazine.

How has technology changed the nature of collaboration over the last decade?

10 years ago there was no Cloud, no iPhone, no social media. Ubiquitous and immediate access to every corner of the Internet has changed mass culture as well as business culture. Immediacy and constant contact is normal, people feel entitled to it, and technology has both driven and been driven by this expanding entitlement. Email, Skype and its ilk, CRM platforms, social media, corporate content management systems – all of these are tools that facilitate communication and data exchange instantly, anywhere.

What kinds of opportunities does collaboration create for businesses?

Both businesses and non-profit organizations (NPOs) can realize dramatic increases in efficiencies from improved internal collaboration. For businesses this can translate into increased speed to market, improved management processes, and lowered product development and marketing costs. For NPOs improved efficiencies can result in streamlined, more focused and successful development efforts, and the freeing of resources to focus on fundraising and constituent issues.

How have employee attitudes towards collaboration changed?

Attitudes have definitely changed – the effects of the consumerization of corporate IT are readily evident in the corporate product roadmaps of Dropbox, Evernote, and a host of other platforms that started out focused on consumer apps. Companies heavily use social media as integrated aspects of their marketing efforts. Most people carry their work email, content, and productivity tools around on a smartphone and check in as often as with their personal content and notifications. The work life and the personal life are extremely blended.

The benefits to employees include faster communication cycles, improved workflows, higher productivity, and increased visibility into what other teams and departments are working on. The ability to parcel out and parallelize a team’s work can reduce resource requirements and shorten timelines. These same assets can also be perceived by employees as liabilities. Faster communication is often accompanied by higher turnaround expectations and employee stress. However, inter-departmental coordination and visibility can be threatening in an environment that has embraced collaboration technologically but not culturally.

What are the most important internal collaboration issues affecting managers?

Collaboration technology is not a panacea for solving communication or process problems, and technology by itself does not change behavior. Improving organizational collaboration requires leadership, strategic design, and change management methodology to be successful. Organizations that recognize these fundamentals and address the surrounding cultural challenges as part of a collaboration technology implementation or evolution are successful.

Why should external collaboration be considered in today’s business environment?

Successful companies understand that internal collaboration – a ready exchange of relevant content and data as employees go about their jobs – is vital for efficiency and development of competitive advantages. They also appreciate that collaboration with non-staff stakeholders (e.g., suppliers, customers, shareholders) is equally critical to servicing customers, fostering innovation, and maximizing those competitive advantages.

How has technology changed the nature of external collaboration between organizations and their outside partners?

Social media has of course been huge and an advancement of the digital access trends started with the web and email marketing. Many companies have embraced ticketing systems to facilitate, analyze, and improve customer service. Geo-tracking, sensors, and other spatially aware technology add value to users and relevancy to the exchange of data between them and the organization. Enterprise content management platforms allow companies to manage documents and other work product artifacts and control how content is accessed by people outside of the organization. The “voice” of the organization can be reinforced (or fragmented) through its external exchange of content and data with a wide range of collaboration technology.

What kinds of opportunities does it create for businesses?

The instantaneousness of collaboration technology means that organizations can respond to issues affecting their constituents immediately and capitalize on “hot button” issues while they are actually hot, within minutes instead of days or weeks. For businesses this similarly facilitates quicker, more relevant information that moves more products or services to the right customers in the right locations more profitably.

What are the most important external collaboration issues affecting businesses?

Security policies and practices are of course extremely important, and need understanding and collaboration between the business and IT. More importantly, a high-level alignment of corporate IT with the business strategy is crucial and can be a huge opportunity for forward-thinking technology leaders and staff. It can also be an extremely difficult proposition for the future-adverse or business-side stakeholders who are uncomfortable with technology.

What lies ahead?

The trend will surely continue – there will be more corporate “stuff” to be managed, tagged, categorized, commented on, approved, distributed, clicked on, analyzed, repackaged, and archived. There will be more data to be crunched on who and how all of this stuff is being used and how much value its various containers and conveyances add to the bottom line. Corporate IT will continue its shift to a role of business partner rather than technology police, and will be increasingly scrutinized for its business value within the context of whatever it is that the business does to make money.

CG at SXSW: Creative Coding

If you want to build and/or interact with digital experiences in the physical world that amaze and delight, then you want to check out this panel at SXSW this Saturday, March 8 at 3:30PM in Ballroom BC.

Creative Coding: Art + Design with Cinder


Animated words and pictures behind touch-sensitive glass is no longer enough to amaze digital natives. Now more than ever, digital installations and other interactive experiences require inspired technological creativity in concert with conceptual creativity.

Creative coders now have greater access to brilliant new input devices such as Microsoft Kinect, the Oculus Rift, the Leap Motion controller, and the NeuroSky Mindwave brain wave reader, which can elevate good ideas into magical interactive experiences.

Through a presentation and live-coding demonstration using Cannes Lions winning software, ‘Cinder’, Control Group CTO Toby Boudreaux, along with Cinder co-creator Keith Butters and noted artist Chandler McWilliams, will demonstrate how to begin developing for these devices and discuss how to better incorporate technology into the creative process.


MTA: Moving Your (Digital) Way

This week subway riders through Grand Central Station experienced something new – an electronic subway map designed and developed by Control Group in partnership with the MTA. With the touch of the screen, tourists, students and everyday commuters are accessing directions, viewing real-time diversion notices and seeing when the next train is scheduled to arrive.

For the MTA, this represents a big first step forward in embracing the digital age, providing a better experience for the increasingly tech-savvy riding public and generating new and innovative ad revenue for the notoriously cash-strapped agency. For riders, whose expectations and demand for better and more digitally advanced services are ever-growing, the new maps are a big hit.

Next stop? Mobile applications that deliver much of the same content to user devices, and unified messaging, signage and iconography to smooth commutes throughout the system. New Yorkers are a busy lot, and most of the time we just want our trains to arrive on time and frequently, but as the 110-year-old subway system continues to modernize, it’s a great sign that the MTA is leveraging technology to make getting around that much easier.