So much for a new year meaning a fresh start. 2017 brought us security vulnerabilities such as WannaCry ransomware and the Equifax hack, but things haven’t got much better at the beginning of 2018. We had only just finished welcoming in the new year when the next security bombshell hit the headlines. And it wasn’t only one flaw, but two. Nicknamed Meltdown and Spectre, the vulnerabilities originate from computer microprocessors. In terms of severity and number of people potentially affected, experts have likened them to 2014’s Heartbleed bug.

The bugs can attack all desktop operating systems, but in this article, we’re only going to focus on Windows. Let’s take a closer look at how the vulnerabilities work and how you can tell whether they have affected you.

Meltdown and Spectre: A Closer Look

Before we explain how to detect the two bugs on your own system, let’s take a moment to fully understand what the two vulnerabilities are and how they work.

The same group of security researchers were responsible for finding both the problems. At an elementary level, they are flaws in processor architecture (i.e. the transistors, logic units, and other tiny components that work together to make a processor function).

The flaw allows a would-be hacker to expose almost any data that a computer processes. That includes passwords, encrypted messages, personal information, and anything else you can think of.

Meltdown only affects Intel processors. Worryingly, the bug has been present since 2011. It uses part of the out-of-order execution (OOOE) process to change the cache state of a CPU. It can then dump the contents of the memory when it usually would be inaccessible.

Spectre can attack Intel, AMD, and ARM processors, and can thus also affect phones, tablets, and smart devices. It uses a processor’s speculative execution and branch prediction in conjunction with cache attacks to trick apps into revealing information that should be hidden within the protected memory area.

Spectre attacks need to be customized on a machine-by-machine basis, meaning they are harder to execute. However, because it’s based on an established practice in the industry, it’s also harder to fix.

Is Your Windows 10 PC Affected by Meltdown?

Thankfully, Microsoft has published a handy PowerShell script that you can run on your system. Follow the steps below and you can install and activate an additional module on your system. The results will indicate whether you need to take further steps.

First, run PowerShell as an administrator: press Windows key + Q or open the Start Menu, type PowerShell, right-click the first result (Windows PowerShell, desktop app) and select Run as administrator.

After PowerShell has loaded, follow these steps to find out whether your PC is affected by Meltdown. Note that you can copy-and-paste commands into PowerShell.

• Enter Install-Module SpeculationControl and press Enter to run the command.
• Confirm the NuGet provider prompt by entering a Y for Yes and hitting Enter.
• Do the same for the Untrusted repository prompt.
• Next, type Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser and press Enter
• When the installation has completed, type Import-Module SpeculationControl and press Enter.
• Finally, type Get-SpeculationControlSettings and hit Enter.

After you have run these commands, check the output result for the results — it will be either True or False.

If you see only True messages, congratulations, you are protected and don’t need to take any further action. If a False pops up, your system is vulnerable, and you need to take further action. Be sure to note the suggested actions shown in the results. As shown in the screenshot above, our test computer requires a BIOS/firmware update and yet has to install a patch provided through Windows Update.

How Can You Protect Yourself Against Meltdown?

To the company’s credit, Microsoft originally moved quickly to issue a patch for Meltdown. You can find it through the Windows Update tool (Settings > Update & Security > Windows Update > Check of updates). You need to download and install patch KB4056892 for Windows build 16299.

Troublingly, the patch is incompatible with some antivirus suites. It only works if your security software’s ISV has updated the ALLOW REGKEY in the Windows registry.

You should also update your browser. Google has patched Meltdown in Chrome 64 and Mozilla has updated Firefox in version 57 (Quantum). Microsoft has even patched the latest version of Edge. Check with your browser’s developer if you use a non-mainstream app.

Lastly, you need to update your system’s BIOS and firmware. Some computer manufacturers include an app within Windows so you can quickly check for such updates. If your PC manufacturer didn’t supply one, or if you deleted it, you should be able to find updates on the company’s website.

How Can You Protect Yourself Against Spectre?

Meltdown is the more immediate threat and is the easier of the two bugs for hackers to exploit. However, Spectre is harder to remedy.

Because of the way Spectre works, fixing it will require companies to completely redesign the way they build processors. That process could take years, and it could be decades until the current iteration of processors is entirely out of circulation.

But that doesn’t mean Intel hasn’t tried to offer its customers ways to protect themselves. Unfortunately, the response has been a shambles.

In mid-January, Intel released a Spectre patch. Immediately, Windows users started complaining that the patch was buggy; it was forcing their computers to randomly reboot at unexpected times. Intel’s response was to release a second patch. It didn’t fix the issue; the reboot problems continued.

At this point, millions of users have installed the patch. Intel told customers not to download either patch until it could fix the issue. But there was a problem for Windows users. The Intel patch was being delivered through the Windows Update app. Users continued to unwittingly install it; after all, we all know how opaque the current Windows update process is.

While random reboots are certainly annoying, the most worrying part of the buggy patch was the potential for data loss. In Intel’s own words, “It caused higher than expected reboots and other unpredictable system behavior […] which may result in data loss or corruption.”

Fast-forward to the end of January, and Microsoft was forced to step in. The company took a highly unusual step. It issued an out-of-band emergency security update for Windows 7, 8.1, and 10 that completely disables Intel’s patch.

How to Install the Microsoft Fix

Unfortunately, the new patch will not be available through the Windows Update app. You will have to install it manually.

To begin, head to the Microsoft Update Catalog. You need to find Update for Windows (KB4078130). When you’re ready, click on Download.

Next, click on the [string of text].EXE file.

The file is tiny and will only take a couple of seconds to download. When the download has finished, double-click on the EXE file and follow the on-screen instructions.

So, what about the future? If you’ve been following along, you’ll have realized that affected users are back to where they started: exposed and unprotected.

Hopefully, Intel will release a more successful patch in the coming weeks. In the meantime, you’ll have to sit tight.

Do Meltdown and Spectre Worry You?

It’s understandable to feel worried. After all, our computers quite literally hold the keys to our lives.

But it’s also important to take solace from the facts. You are highly unlikely to be the victim of a Spectre attack. The time and effort a hacker needs to put in for an unspecified return make you an unattractive proposition.

And the big tech companies have known about the two issues since the middle of 2017. They’ve had plenty of time to prepare patches and respond in the best way they are able.

Web-based email services have come a long way over the past decade, and many of them are feature-rich enough to be on par with desktop-based alternatives. But there are several valid reasons to keep using desktop email software. Postbox and Outlook are the two main options, but they’re expensive. If you only need an email client to handle one or two personal accounts, then a free email client will likely serve you just fine — just be aware that you may run into feature restrictions as a free user.

1. Thunderbird

Available for Windows, Mac, Linux.

Though Thunderbird development was discontinued in 2012, it still receives maintenance updates so don’t write it off as dead just yet. In fact, a stable version update was released earlier this year. The client won’t be getting any new features going forward, but it’s absolutely still usable.

And, as sad as it is to say, Thunderbird is the only free and open source desktop email client that’s actually worth using. Other open source clients exist, but they’re riddled with issues like clunky interfaces, glitchy performance, and lack of advanced features.

If you’re adamant about never spending a penny and never switching to a web-based client, then Thunderbird is your best bet. It can do pretty much anything you need, including setting up message filters and autoresponding to emails, among other nifty tips and tweaks.

Download: Thunderbird (Free)

2. Mailspring

Available for Windows, Mac, Linux.

One of the original authors then forked the project and relaunched Nylas Mail as Mailspring. In addition to keeping the project alive, he optimized and improved many of the internal components, resulting in quicker syncing, less RAM usage, faster launch times, and more.

Thunderbird may be the client of choice for those who want reliability and time-tested staying power, but Mailspring is the client to use if you want something fresh, new, exciting, and full of future potential. It’s free to use indefinitely with some advanced features locked behind a subscription.

• Syncs with Gmail, Office 365, Yahoo, iCloud, FastMail, and IMAP.
• Unlimited email accounts and unified inbox.
• Undo sent emails within a given period of time.
• Support for pre-built themes, layouts, and emojis.

Notable Pro Version Features

• Powerful template support for productivity.
• Track whether emails are opened and links are clicked.
• Schedule emails to be sent at a future time.
• Snooze emails and create follow-up reminders.
• Share email threads with others using a web link.

Download: Mailspring (Free, $8/mo for Pro)

3. Sylpheed

Available for Windows, Mac, Linux.

Sylpheed is an email client that’s been around since 2001. While it does feel dated when compared to modern email clients, it’s not bad by any stretch. In fact, its old-school interface and approach to email management may actually prove helpful if your email habits are causing undue stress.

The best thing about Sylpheed is that it knows what it is: an email client. It doesn’t concern itself with tons of extraneous features that do nothing but bloat the installation and clutter the interface. Sylpheed is simple, lightweight, and full-featured.

Notable features include fast launch and overall performance, advanced email search and filters, effective junk mail control, encryption, and extensibility through plugins.

Download: Sylpheed (Free)

4. Mailbird

Available for Windows.

If you’ve never used desktop email before, then you’ll probably love Mailbird. If you’re migrating from another client, it will be hit or miss — some parts will feel familiar, other bits will impress you, but you’ll undoubtedly find aspects that you hate as well.

All we can recommend is giving it a try. It’s definitely slick and modern, and there’s a lot to like about it. Note that it’s a freemium app so the free version is restricted in some ways.

Notable Free Version Features

• Beautifully sleek and minimal interface.
• Syncs with any IMAP or POP email service.
• Lightning fast search and indexing.
• Integration with Dropbox, Evernote, Google Docs, and more.
• Supports up to 3 email accounts.

Notable Pro Version Features

• Unlimited email accounts and unified inbox.
• Snooze emails and set up reminders.
• Speed reader for emails.
• Quick preview for email attachments.

Download: Mailbird (Free, $18/yr or $59 one-time for Pro)

5. eM Client

Available for Windows.

eM Client aims to be an all-in-one solution for dealing with office tasks and communications. It’s primarily designed for email, but also has nifty calendar integration, task management, contacts organization, and even chat support — and the free version only has one (albeit major) limitation, as you can see below.

Notable Free Version Features

• Slick Modern UI interface that fits well with Microsoft apps.
• Syncs with Gmail, Exchange, iCloud, Office 365, and Outlook.com.
• Conversational view for email threads.
• Integration with all common chat services, including Jabber.
• Supports up to 2 email accounts.

Notable Pro Version Features

• Supports an unlimited number of email accounts.
• Can be used for commercial purposes (e.g. business office use).
• VIP support and troubleshooting.

Download: eM Client (Free, $50 one-time purchase)

The Department of Homeland Security (DHS) wants to help small businesses across America protect against ransomware, and the National Cybersecurity and Communications Integration Center (NCCIC) has issued this message: NCCIC has received multiple reports of WannaCry ransomware infections worldwide. Ransomware is a type of malicious software that infects and restricts access to a computer until a ransom is paid. Although there are other methods of delivery, ransomware is frequently delivered through phishing emails and exploits unpatched vulnerabilities in software.

Phishing emails are crafted to appear as though they have been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.

A commitment to cyber hygiene and best practices is critical to protecting organizations and users from cyber threats, including malware.

In advice specific to the recent WannaCry ransomware threat, users should:

• Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
• Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Avoid providing personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Be cautious about sending sensitive information over the Internet before checking a website's security.

If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG.

Hackers have breached half of the 28 million small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report. Contact our security experts to ensure your business is safe!

1. Protect against viruses, spyware, and other malicious code Make sure each of your business’s computers are equipped with antivirus software and antispyware and update regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
2. Secure your networks Safeguard your Internet connection by using a firewall and encrypting information.  If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
3. Establish security practices and policies to protect sensitive information Establish policies on how employees should handle and protect personally identifiable information and other sensitive data.  Clearly outline the consequences of violating your business’s cybersecurity policies.
4. Educate employees about cyberthreats and hold them accountable  Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites.  Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses.  Hold employees accountable to the business’s Internet security policies and procedures.
5. Require employees to use strong passwords and to change them often  Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
6. Employ best practices on payment cards  Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

   Are you ready for the shift from magnetic-strip payment cards to safer, more secure chip card technology, also known as “EMV”? October 1st is the deadline set by major U.S. credit card issuers to be in compliance. Visit SBA.gov/EMV for more information and resources.

7. Make backup copies of important business data and information Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.
8. Control physical access to computers and network components Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
9. Create a mobile device action plan Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network.. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages

With tax fraud on the rise, it is important to be aware of the fraudulent activities that can take place this tax season and what you can do to minimize your risk of becoming a victim of identity theft. In actuality, tax fraud is relatively easy to commit. All that is required for a scam to take place is a name, date of birth and Social Security number, and with the number of data breaches that have taken place recently, your personal information could be vulnerable to cybercriminals and identity thieves. According to LifeLock’s marketing intelligence director, Nada Baiz, “tax fraud will continue to develop because criminals are realizing how lucrative and easy it is.” She also adds, “With chip-enabled debit and credit cards now making credit card fraud more difficult to commit, criminals will look to replace this lost ‘income’ with something else.”

With Tax Identity Theft Awareness week (Jan 29 – Feb 2) approaching, it is important to spread the word about how to prevent becoming a victim to scams this tax season.

To help reduce your chances of identity theft this tax season, here are six best practices to follow:

File taxes early

Identity thieves are ready as early as January to file fraudulent returns, so it is important to have all of your paperwork in order before they do in order to protect yourself. This is even more crucial if you have reason to believe your personal information has already been compromised, such as in an earlier data breach. However, you don’t have to be a victim of a previous identity theft crime to become a victim of tax refund fraud.

Don’t fall for scams

If someone calls or emails claiming to be from the Internal Revenue Service (IRS) asking for personal information, don’t give it. The IRS will only request information by mail, so if you receive a call, email or text message claiming to be from the IRS and asking you to provide personal details, don’t – it is most likely a scam.

Research your tax preparer

Be very careful about choosing a tax preparer. Only hire individuals who have the proper IRS credentials, then request their full name and tax certification documentation. Be sure to keep copies of it with your tax paperwork even after filing. Even if you’re using an e-filing service, researching the provider is just as important.

Protect your Social Security number

Leave your Social Security card at home and only give out the number when absolutely required. If you are requested to provide it on a form, ask the company why they need it and if it is necessary, because this is often optional.

sign up for protection services

Signing up with a service that specializes in identity theft protection could help you to stay on top of keeping your personal information safe by receiving alerts immediately if any fraudulent activity occurs.

Shred your personal records

Destroy old tax forms, monthly financial statements and other documents that include your personal information once deemed unnecessary. Switching to online delivery is another safe bet so your documents are less likely to end up in places where they can be stolen, like your mailbox or recycling bin.

If you do choose online delivery, make sure that any personal accounts storing this information are appropriately secured.

Lock Down Your Login: Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Strengthen online accounts and use strong authentication tools – like biometrics, security keys or a unique, one-time code through an app on your mobile device – whenever offered.