Is your Lenovo laptop vulnerable to cyberattack?

Here’s what to know about vulnerabilities in more than 100 Lenovo consumer laptop models and what you can do right away to stay safe – all in under three minutes

The post Is your Lenovo laptop vulnerable to cyberattack? appeared first on WeLiveSecurity

April 20, 2022/by Advantage Computer Inc.

Uncategorized

How can we support young people in harnessing technology for progress?

Young people are not passive victims of technology or helpless addicts. They are technology creators and agents with diverse backgrounds and interests.

The post How can we support young people in harnessing technology for progress? appeared first on WeLiveSecurity

April 20, 2022/by Advantage Computer Inc.

Uncategorized

When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops

ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malware

The post When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops appeared first on WeLiveSecurity

April 19, 2022/by Advantage Computer Inc.

Uncategorized

How to SLSA Part 3 – Putting it all together

Posted by Tom Hennen, software engineer, BCID & GOSST

In our last two posts (1,2) we introduced a fictional example of Squirrel, Oppy, and Acme learning to SLSA and covered the basics and details of how they’d use SLSA for their organizations. Today we’ll close out the series by exploring how each organization pulls together the various solutions into a heterogeneous supply chain.

As a reminder, Acme is trying to produce a container image that contains three artifacts:

The Squirrel package ‘foo’
The Oppy package ‘baz’
A custom executable, ‘bar’, written by Acme employees.

The process starts with ‘foo’ package authors triggering a build using GitHub Actions. This results in a new version of ‘foo’ (an artifact with hash ‘abc’) being pushed to the Squirrel repo along with its SLSA provenance (signed by Fulcio) and source attestation. When Squirrel gets this push request it verifies the artifact against the specific policy for ‘foo’ which checks that it was built by GitHub Actions from the expected source repository. After the artifact passes the policy check a VSA is created and the new package, its original SLSA provenance, and the VSA are made public in the Squirrel repo, available to all users of package ‘foo’.

Next the maintainers of the Oppy ‘baz’ package trigger a new build using the Oppy Autobuilder. This results in a new version of ‘baz’ (an artifact with hash ‘def’) being pushed to a public Oppy repo with the SLSA provenance (signed by their org-specific keys) published to Rekor. When the repo gets the push request it makes the artifact available to the public. The repo does not perform any verification at this time.

An Acme employee then makes a change to their Dockerfile, sending it for review by their co-worker, who approves the change and merges the PR. This then causes the Acme builder to trigger a build. During this build:

bar is compiled from source code stored in the same source repo as the Dockerfile.
acorn install downloads ‘foo’ from the Squirrel repo, verifying the VSA, and recording the use of acorn://foo@abc and its VSA in the build.
acme_oppy_get install (a custom script made by Acme) downloads the latest version of the Oppy ‘baz’ package and queries its SLSA provenance and other attestations from Rekor. It then performs a full verification checking that it was built by ‘https://oppy.example/slsa/builder/v1’ and the publicized key. Once verification is complete it records the use of oppy://baz@def and the associated attestations in the build.
The build process assembles the SLSA provenance for the container by:

Recording the Acme git repo the bar source and Dockerfile came from, into materials.
Copying the reported dependencies of acorn://foo@abc and oppy://baz@def into materials and adding their attestations to the output in-toto bundle.
Recording the CI/CD entrypoint as the invocation.
Creating a signed DSSE with the SLSA provenance and adding it to the output in-toto bundle.

Once the container is ready for release the Acme verifier checks the SLSA provenance (and other data in the in-toto bundle) using the policy from their own policy repo and issues a VSA. The VSA and all associated attestations are then published to an internal Rekor instance. Acme can then create an SBOM for the container leveraging data about the build as stored in Rekor. Acme then publishes the container image, the VSA, and the SBOM on Dockerhub.

Downstream users of this Acme container can then check the Acme issued VSA, and if there are any problems Acme can consult their internal Rekor instance to get more details on the build allowing Acme to trace all of their dependencies back to source code and the systems used to create them.
Conclusion

With SLSA implemented in the ways described in this series, downstream users are protected from many of the threats affecting the software supply chain today. While users still need to trust certain parties, the number of systems requiring trust is much lower and users are in a much better position to investigate any issues that arise.

We’d love to see the ideas in this series implemented, refuted, or used as a foundation to build even stronger solutions. We’d also love to hear some other methods on how to solve these issues. Show us how you like to SLSA.

April 14, 2022/by Advantage Computer Inc.

Uncategorized

Week in security with Tony Anscombe

Ukrainian energy provider targeted by Industroyer2 – ESET helps disrupt Zloader botnets – Where do new ideas come from and how are they spread?

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

April 14, 2022/by Advantage Computer Inc.

Uncategorized

ESET takes part in global operation to disrupt Zloader botnets

ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses

The post ESET takes part in global operation to disrupt Zloader botnets appeared first on WeLiveSecurity

April 13, 2022/by Advantage Computer Inc.

Uncategorized

How to SLSA Part 2 – The Details

Posted by Tom Hennen, software engineer, BCID & GOSST

In our last post we introduced a fictional example of Squirrel, Oppy, and Acme learning to use SLSA and covered the basics of what their implementations might look like. Today we’ll cover the details: where to store attestations and policies, what policies should check, and how to handle key distribution and trust.

Attestation storage

Attestations play a large role in SLSA and it’s essential that consumers of artifacts know where to find the attestations for those artifacts.

Co-located in repo

Attestations could be colocated in the repository that hosts the artifact. This is how Squirrel plans to store attestations for packages. They even want to add support to the Squirrel CLI (e.g. acorn get-attestations foo@1.2.3).

Acme really likes this approach because the attestations are always available and it doesn’t introduce any new dependencies.

Rekor

Meanwhile, Oppy plans to store attestations in Rekor. They like being able to direct users to an existing public instance while not having to maintain any new infrastructure themselves, and the in-depth defense the transparency log provides against tampering with the attestations.

Though the latency of querying attestations from Rekor is likely too high for doing verification at time of use, Oppy isn’t too concerned since they expect users to query Rekor at install time.

Hybrid

A hybrid model is also available where the publisher stores the attestations in Rekor as well as co-located with the artifact in the repo—along with Rekor’s inclusion proof. This provides confidence the data was added to Rekor while providing the benefits of co-locating attestations in the repository.

Policy content

‘Policy’ refers to the rules used to determine if an artifact should be allowed for a use case.

Policies often use the package name as a proxy for determining the use case. An example being, if you want to find the policy to apply you could look up the policy using the package name of the artifact you’re evaluating.

Policy specifics may vary based on ease of use, availability of data, risk tolerance and more. Full verification needs more from policies than delegated verification does.

Default policy

Default policies allow admission decisions without the need to create specific policies for each package. A default policy is a way of saying “anything that doesn’t have a more specific policy must comply with this policy”.

Squirrel plans to eventually implement a default policy of “any package without a more specific policy will be accepted as long as it meets SLSA 3”, but they recognize that most packages don’t support this yet. Until they achieve critical mass they’ll have a default SLSA 0 policy (all artifacts are accepted).

While Oppy is leaving verification to their users, they’ll suggest a default policy of “any package built by ‘https://oppy.example/slsa/builder/v1’”.

Specific policy

Squirrel also plans to allow users to create policies for specific packages. For example, this policy requires that package ‘foo’ must have been built by GitHub Actions, from github.com/foo/acorn-foo, and be SLSA 4.

scope: ‘acorn://foo’

target_level: SLSA_L4

allow_github_actions {

workflow: ‘https://github.com/gossts/slsa-acorn/.github/workflows/builder.yml@main’

source_repo: ‘https://github.com/foo/acorn-foo.git’

allow_branch: ‘main’

}

Squirrel will also allow packages to create SLSA 0 policies if they’re not using SLSA compliant infrastructure.

scope: ‘acorn://qux’

target_level: SLSA_L0

Policy auto generation

Squirrel has an enormous number of existing packages. It’s not feasible to get all those package maintainers to create specific policies themselves. Therefore, Squirrel plans to leverage process mining to auto generate policies for packages based on the history of the package. E.g. “The last 10 times Squirrel package foo was published it was built by GitHub Actions from github.com/foo/acorn-foo, and met SLSA 4 (this is the policy above). Let’s create a policy that requires that and send it to the maintainers to review.”
Policy add-ons

Policy evaluation could do more than just evaluate the SLSA requirements. The same policies that check SLSA requirements are well placed to check other properties that are important to organizations like “was static analysis performed”, “are there any known CVEs in this artifact”, “was integration testing successful”, etc…

Acme is really interested in some of these policy add-ons. They’d like to avoid the embarrassing situation of publishing a new container image with known CVEs. They’re not sure how to implement it yet but they’ll be on the lookout for tools that can help them do so.

Delegated policies

When using delegated verification there’s much less that actually needs to be checked and they can be hard-coded directly in tooling. A minimal delegated verification policy might be “allow if trusted-party verified this artifact (identified by digest) as <package name>”. This can be tightened further by adding requirements on the artifact & its dependencies SLSA levels (data which is available in the VSA). For example, “allow if trusted-party verified this artifact as <package name> at SLSA 3 and it doesn’t have any dependencies less than SLSA 2”.

# Delegated verification implicitly checks that the package name we’re

# checking matches the VSA’s subject.name field.

allow_delegated_verification {

trusted_verifier: ‘https://delegatedverifier.com/slsa/v1’

minimum_level: SLSA_L3

minimum_dependency_level: SLSA_L2

}

Policy storage

When using specific, non-default, policies verifiers need to know where to find the policy they need to evaluate.

Co-located in repo

Squirrel plans to store specific policies as a property of the package in the repository. This makes them very easy for users and their tooling to find. It also allows the maintainer of the package to easily set the policy (they already have write permissions!).

A potential downside is that the write permissions are the same as for the package itself. An attacker that compromises the developer’s credentials could also change the policy. This may not be as bad as it seems. Policies are human-readable so anyone paying attention would notice that package foo’s policy now says that it can be built from github.com/not-foo/acorn-foo. Squirrel plans to notify interested parties (including the maintainer!) when the policy changes, potentially letting them “sound the alarm” if anything nefarious happens.

A similar approach is taken in a number of contact-change workflows. For example, when you change your address with your bank, the bank will send you an email (and a letter to the old address) letting you know the address has been changed. This type of notification would alert the maintainer to a potential compromise.

Squirrel would also consider requiring a second person to review any policy changes for packages with over 10,000 users.

Public canonical Git repo

Another option might be to just create a canonical git repo (e.g. github.com/slsa-framework/slsa-acorn-policies) and let people publish proposed policies there. This has the advantage of using a separate ACL control mechanism from the package repository itself, but the disadvantages of being difficult to ensure the author of the policy is actually allowed to set the policy for that package and not scaling well as the repo grows.

The approach outlined in policy auto generation could help here. Automation in the repo could just look at the last N releases of the package and determine if the proposed policy matches what’s actually been published. Proactive changes to the policy (like deciding to switch from GitHub Actions to CircleCI) would be harder to coordinate however.

Org specific repo

Acme plans to establish their own org specific repo for policy storage. This gives them a single place to store all their policies, regardless of ecosystem type, and lets them provide more specific policies for packages provided by upstream repos. Since Oppy doesn’t have any plans to provide package-specific policies this gives Acme a place to store their own policies for Oppy packages (if they ever get around to it).

Organizations can also use their policy repo to vet any upstream changes to policy and potentially add additional checks (e.g. “doesn’t have any known vulnerabilities”).

Trusted Verifier

Acme wants to use delegated verification and that relies on having trusted verifiers to make decisions for downstream users. Who are these trusted verifiers?

Public verifier

A public repo is in a great position to act as a trusted verifier for their users. Users already trust these repos and they may already be doing verification on import.

Squirrel plans to make use of this by making VSAs available for each artifact published, publicizing their verifier ID (i.e. ‘https://squirrel.example/slsa-verifier’) and the public key used to sign the VSAs. They even plan to build VSA verification directly into the Squirrel tooling, so that users can get SLSA protection by default.

Org-wide verifier

While Acme is happy to use Squirrel’s verifier (and the verification built into the tooling) they still need their own verifier so they can publish VSAs to Acme customers. So Acme plans to stand up their own verification service and publish their verifier ID (i.e. ‘https://acme.example/private-verifier’) and signing key. Acme customers can then verify the software they get from Acme.

In the future Acme could require all software used throughout the company to be verified with this verifier (instead of relying on public verifiers). They’d do the verification and generate VSAs whenever artifacts are imported into their private Artifactory instance. They could then configure this ID/key pair for use throughout Acme and be confident that any software used has been verified according to Acme policy. That’s not Acme’s highest priority at the moment, but they like having this option open to them.

Key distribution & Trust

Both full and delegated verification depend upon key distribution to the users doing the verification. Depending on the specifics and what’s getting verified this can be a difficult problem.

Org-specific keys

When using delegated verification this could be the easiest case. Squirrel can just build the key they used for delegated verification directly into the Squirrel tooling. Acme can also fairly easily configure the use of their keys through the company using existing configuration control mechanisms.

When using full verification this can be harder. If there are multiple builders that could be accepted the keys that sign the attestations need to be distributed to everyone that might use that builder. For Squirrel this would be really difficult since they plan to allow package maintainers to use whatever builder they want. How those keys get configured would be tricky just for Squirrel, and much more difficult if downstream Squirrel users wanted to do full verification of the Squirrel packages.

The situation is easier, however, for Oppy. That’s because Oppy plans to only accept artifacts built by their autobuilder network. Oppy can configure this network to use a single (or small set) of keys and then publish those keys (and the SLSA level Oppy believes it meets) for downstream users.

Fulcio

Squirrel plans to solve the problem of which keys they accept by leveraging Fulcio. Squirrel will build support for Fulcio root keys into their verifier and then express which Fulcio subject is allowed to sign attestations in the specific policy of each package. E.g. “Squirrel package ‘foo’ must have been built & signed by ‘spiffe://foobar.com/foo-builder, from github.com/foo/acorn-foo, and be SLSA 4”.

scope: ‘acorn://foo’

target_level: SLSA_L4

allow_fulcio_builder {

id: ‘spiffe://foobar.com/foo-builder’

source_repo: ‘https://github.com/foo/acorn-foo.git’

allow_branch: ‘main’

allow_entrypoint: ‘package.json’

}

The Update Framework (TUF)

The above methods could be further enhanced with TUF to allow the secure maintenance of keys. TUF metadata could include all the SLSA keys, the build services and other entities they’re valid for, and the SLSA levels they’re qualified at. Oppy is considering using TUF to let verifiers securely fetch and update keys used by the Autobuilder network. Oppy would use a TUF delegation to indicate that these keys should only be used for the builder id ‘https://oppy.example/slsa/builder/v1’. Squirrel might do something similar to allow for updating the Fulcio key in its tooling.

Recording & verifying dependencies

Acme wants to record and verify the dependencies that go into its container into the SLSA provenance. Acme would prefer that this functionality were just built-in their build service, but that feature isn’t available yet. Instead they’ll need to do something themselves. They have a few options at their disposal:

Tool wrappers

Since Oppy doesn’t build SLSA into it’s tooling Acme will create wrapper scripts for dependency import/installation that record and verify (using cosign) dependencies as they’re installed. Acme will update their build scripts to replace all instances of Oppy package installation with the wrapper script and then use the recorded results to help populate the materials section of the provenance.

A downside is that this approach, if run in the build itself, is not guaranteed to be complete and cannot meet the “non-falsifiable” requirement (since the results reported by the wrapper could be falsified by the build process), relegating this approach to SLSA 2. Still, it allows Acme to make progress SLSA-fying their builds and provides a starting point for achieving higher SLSA levels.

Built into ecosystem tooling

Since Squirrel does build verification into their tooling, Acme can just use acorn install to verify the dependencies and record what was installed. Acme can use this information to populate the Squirrel packages installed in the materials section of the provenance and it can include the attestations of those dependencies in the in-toto bundle for their container image.

As with tool wrappers, if this method is used in the build itself it cannot meet “non-falsifiable” requirement.

Proxied verification

Acme considered creating a proxy for their existing builder to proxy outbound connections. This proxy could verify everything fetched and use its logs to populate the provenance. Since this proxy is trusted it would be easier to meet “non-falsifiable” requirement. Unfortunately it’s also a lot of work for Acme so they’re going to defer this idea for now.

Next time

In the first two parts of this series, we’ve covered the basics of getting started with SLSA and the details of policy and provenance storage, policy verification, and key handling. In our next post we’ll cover how Squirrel, Oppy, and Acme put this all together to protect a heterogeneous supply chain.

April 13, 2022/by Advantage Computer Inc.

Uncategorized

Innovation and the Roots of Progress

If you look back at the long arc of history, it’s clear that one of the most crucial drivers of real progress in society is innovation

The post Innovation and the Roots of Progress appeared first on WeLiveSecurity

April 13, 2022/by Advantage Computer Inc.

Uncategorized

How to SLSA Part 1 – The Basics

Posted by Tom Hennen, Software Engineer, BCID & GOSST

One of the great benefits of SLSA (Supply-chain Levels for Software Artifacts) is its flexibility. As an open source framework designed to improve the integrity of software packages and infrastructure, it is as applicable to small open source projects as to enterprise organizations. But with this flexibility can come a bewildering array of options for beginners—much like salsa dancing, someone just starting out might be left on the dance floor wondering how and where to jump in.

Though it’s tempting to try to establish a single standard for how to use SLSA, it’s not possible: SLSA is not a line dance where everyone does the same moves, at the same time, to the same song. It’s a varied system with different styles, moves, and flourishes. The open source community, organizations, and consumers may all implement SLSA differently, but they can still work with each other.

In this three-part series, we’ll explore how three fictional organizations would apply SLSA to meet their different needs. In doing so, we will answer some of the main questions that newcomers to SLSA have:

Part 1: The basics

How and when do you verify a package with SLSA?
How to handle artifacts without provenance?

Part 2: The details

Where is the provenance stored?
Where is the appropriate policy stored and who should verify it?
What should the policies check?
How do you establish trust & distribute keys?

Part 3: Putting it all together

What does a secure, heterogeneous supply chain look like?

The Situation

Our fictional example involves three organizations that want to use SLSA:

Squirrel: a package manager with a large number of developers and users

Oppy: an open source operating system with an enterprise distribution

Acme: a mid sized enterprise.

Squirrel wants to make SLSA as easy for their users as possible, even if that means abstracting some details away. Meanwhile, Oppy doesn’t want to abstract anything away from their users under the philosophy that they should explicitly understand exactly what they’re consuming.

Acme is trying to produce a container image that contains three artifacts:

The Squirrel package ‘foo’
The Oppy package ‘baz’
A custom executable, ‘bar’, written by Acme employees

This series demonstrates one approach to using SLSA that lets Acme verify the Squirrel and Oppy packages ‘foo’ and ‘baz’ and its customers verify the container image. Though not every suggested solution is perfect, the solutions described can be a starting point for discussion and a foundation for new solutions.

Basics

In order to SLSA, Squirrel, Oppy, and Acme will all need SLSA capable build services. Squirrel wants to give their maintainers wide latitude to pick a builder service of their own. To support this, Squirrel will qualify some build services at specific SLSA levels (meaning they can produce artifacts up to that level). To start, Squirrel plans to qualify GitHub Actions using an approach like this, and hopes it can achieve SLSA 4 (pending the result of an independent audit). They’re also willing to qualify other build services as needed. Oppy on the other hand, doesn’t need to support arbitrary build services. They plan to have everyone use their Autobuilder network which they hope to qualify at SLSA 4 (they’ll conduct the audit/certification themselves). Finally, Acme plans to use Google Cloud Build which they’ll self-certify at SLSA 4 (pending the result of a Google-conducted audit).

Squirrel, Oppy, and Acme will follow a similar qualification process for the source control systems they plan to support.

Verification options

Full verification

At some point, one or more of the organizations will need to do full verification of each artifact to determine if it is acceptable for a given use case. This is accomplished by checking if the artifact meets the appropriate policy.

Typically, full verification would take place with SLSA provenance, source attestations, and perhaps other specialized attestations (like vulnerability scan results). While having to coordinate this data for all of its dependencies seems like a lot of work to Acme, they’re prepared to do full verification if Squirrel and Oppy are unable to.

Delegated verification

When Acme isn’t using full verification, they can instead use delegated verification where they check if an artifact is acceptable for a use case by checking if some other trusted party who performed a full verification (such as Squirrel or Oppy) believes the artifact is acceptable.

Delegated verification is easier to perform quickly with limited data and network connectivity. It may also be easier for some users who value if someone they trust verified the artifact is good.

Squirrel likes how easy delegated verification would make things for their users and plans to support it by creating a Verification Summary Attestation (VSA) when they perform full verification.

When to verify

Verification (full or delegated) could happen at a number of different times.

On import to repo

Squirrel plans to perform full verification when an artifact is published to their repo. This will ensure that packages in the repo have met their corresponding policy. It’s also helpful because all the required data can be gathered when latency isn’t critical.

If this were the only time verification is performed, it would put the repository’s storage in the trusted computing base (TCB) of its users. Squirrel’s plans to use delegated verification (and issue VSAs) can prevent this. The signature on the VSA will prevent the artifacts from being tampered with while sitting in storage, even if they’re just SLSA 0. Downstream users will just need to verify the VSA.

Acme also wants to do some sort of verification on the import to their internal repo since it simplifies their security story. They’re not quite sure what this will look like yet.

On install

Acme also wants to do verification when an artifact is actually installed since it can remove a number of intermediaries from their TCB (their repo, the network, upstream storage systems).

If they perform full verification at install then they must gather all the required information. That could be a lot of data, but it might be simplified by gathering the data from external sources and caching it in their internal repo. A larger problem is that it requires Acme to have established trust in all parties that produced that information (e.g. every builder of every package). For a complex supply chain that may be difficult.

If Acme performs delegated verification, they only need the VSA for the packages being installed and to explicitly trust a handful of parties. This allows the complex full verification to be performed once while allowing all users of that package to perform a much simpler operation.

Given these tradeoffs Acme prefers delegated verification at install time. Squirrel also really likes the idea and plans to build install time verification directly into the Squirrel tool.

On use

Verification could also take place each time an artifact is actually used. In this model, latency and reliability are very important (a sudden increase in site traffic may necessitate a scaling operation launching many new jobs).

Time of use verification allows the most context with which decisions can be made (“is this job allowed to run this code and is it free from vulns right now?”). It also allows policy changes to affect already built & installed software (which may or may not be desirable).

Acme wants their users to be able to verify on use without too many dependencies so they plan to provide VSAs users can use to perform delegated verification when they start the container (perhaps using something like Kyverno).

How to handle artifacts without provenance?

Inevitably a build or system may require that an artifact without ‘original’ provenance is used. In these cases it may be desirable for the importer to generate provenance that details where it got this artifact. For example, this generated provenance shows that http://example.com/foo.tgz with sha256:abc was imported by ‘auto-importer’:

Such an artifact would likely not be accepted at higher SLSA levels, but the provenance can be used to: 1) prevent tampering with the artifact after it’s been imported and 2) be a data point for future analysis (e.g. should we prioritize asking for foo.tgz to be distributed with native SLSA provenance?).

Acme might be interested in taking this approach at some point, but they don’t need it at the moment.

Next time

In our next post we’ll cover specific approaches that can be used to answer questions like “where should attestations and policies be stored?” and “how do I trust the attestations that I receive?”

April 12, 2022/by Advantage Computer Inc.

Uncategorized

Industroyer2: Industroyer reloaded

This ICS-capable malware targets a Ukrainian energy company

The post Industroyer2: Industroyer reloaded appeared first on WeLiveSecurity

April 12, 2022/by Advantage Computer Inc.

4.9
andre wellington
18:49 06 Jan 25
I had a problem with my laptop charging port not working properly. I took it to Advantage Computer Solution on the day after Christmas where I spoke to Al who quickly diagnosed that the port was broken and offered to fix it for less than what I would have paid if I had gone to Best Buy or another local technician. Their service was fast, both guys were friendly and he even fixed my laptop lid which turned out to be broken. If that's not a Christmas gift then I don't know what is. I am truly grateful and if ever I need my laptop or PC to be cleaned or repaired, this is where I will go. You should too.
louis savaglio
01:27 04 Jan 25
The best IT service I ever had. They have been servicing my business for over 20 years. I am an accountant and I can't survive without them. Very quick turn around and they are able to remotely fix issues on my system when they can. Thank you
Vincent Manno
19:40 31 Dec 24
Very attentive, great customer service and very helpful.
Hanadi Seyam
01:29 28 Dec 24
I took my older Sony notebook for repair, the battery needed replacement. I didn't have to leave it, I left a small deposit, they ordered the battery and when it came in, it took 3 hours and they called me, it didn't cost much. Great service and very pleasant staff. Thank you.
Riky Lozado
20:16 26 Dec 24
Great costumer service!
Daniel Ritz
23:07 19 Dec 24
I was referred their for a repair of a Dell All-In-One. Nasser and his associate are super pleasant and polite to work with. They did the repair quickly and affordably. I like their intake system that generated a receipt and a label for my unit. I knew right there that they are organized and responsible. Couldn't have been a better.
Nicolas Bermúdez
22:19 14 Dec 24
Thanks for repairing my computer man
Jonathan Rodriguez
23:01 20 Nov 24
This is an amazing store for all your computer needs. I built my own computer, and when things stopped working and I couldn’t figure out why, I sent it to this shop. The owners were very polite and knowledgeable from the start. He not only fixed my issue but also explained what I could do to prevent it in the future and gave me options for upgrading parts later down the road all of this for a very reasonable price.I could not recommend this store more and will definitely be coming here for any computer needs I might have in the future.Thank you, Advantage Computer Solutions!!
Georgia
20:41 11 Nov 24
The best computer specialist you can find around!! They are prompt and solve any problems you might have when it comes to your computer programs! thank you guys for all you do for our company!
Jacob Fontanez Kanaropoulos
22:10 30 Oct 24
Customer service was AMAZING!!! Fixed the problem within minutes and was fairly priced as well. Thank you guys🙏
Mark Stevens
21:41 30 Oct 24
Very helpful and honest. They fixed my wife's computer very fast and very reasonable cost.
Soufian Aglaguel
04:28 27 Oct 24
The best people ever! They were able to fix my problems, they fixed my computer which I had an issue with for a week now. The man Naser and Aref were super nice, understanding and were able ti get the job done overnight. Thank you! I wish I can give this more stars!!!!!
Mateusz Marciniak
22:17 30 Aug 24
Gave me free computer advice. Great guys running the place!
Faisal s.m
00:43 28 Aug 24
I found Advantage Computer Solutions from Google. I was impressed to get their great customer service. They gave me reasonable price for my laptop’s cracked screen and they fixed it in short time. Thanks AdvantageComputer Solutions!!!
kathleen denny
16:26 15 Aug 24
fantastic . so helpful, so instructive, Absolutely saved me. i will be forever grateful for the assistance and the knowledge
Matt Font
05:15 04 Aug 24
Al and Zach are worth the visits and not just because of knowledge/secondary opinions... my family's been infrequent visitors for almost over 2 decades! I don't often have the tools/ foresight for electrographical malfunctions during an arbitrary power outage or whaling out emotional kicks on my desktop from a game-over screen en masse. These guys resurrected my desktop numerous times & will always eclipse any kind of troubleshooting you'd expect at a big box computer retailer (who could only resort to selling me bricked hardware and underperforming specs versus a 5 year dinosaur from their own supply chain). Ordinary people have a responsibility to shop small and support the establishments that don't see obsolescence and sales as the defacto norm.
East Ridgelawn Cemetery
18:14 12 Jul 24
For over two decades, Advantage Computer Solutions has been our go-to for all things tech. As a family-owned business, they bring a personal touch and genuine care that's hard to find these days.Their expertise is undeniable. They've tackled every computer issue we've thrown their way, from routine maintenance to complex repairs, all with a professionalism and reliability that keeps our business running smoothly.We can't recommend Advantage Computer Solutions enough. If you're looking for a trustworthy, expert partner for your computer needs, look no further!
Alexandra Alvarez
23:20 09 Jul 24
They did a great job at fixing my husbands computer. The price was very reasonable and they took great care of it. The attention is top 1. Thank you for all your help☺️
Stefanie
17:34 06 Jul 24
Would give them 10 stars if I could! I called Al after a quick google search because part of my laptop was damaged. It took a few seconds for him to recognize the problem and he helped me pop the loose piece back into place. He did not charge me. That's how you know he likes to do good, honest business. An act of kindness goes a long way. I will recommend you to family and friends :) thanks again!
Rich Lanning
11:39 14 May 24
Zack is the best! He took the time to explain in user friendly terms the steps he took to optimize our network connectivity and to enhance the performance of our multiple laptops. Whether a small business, a work from home employee or a family with multiple devices on a network, I highly recommend Advantage Computer Systems to help you with computer & network setup and or maintenance issues.
Mattie B
19:12 09 May 24
I've known these guys for I'd say roughly 20 years. They've done great work for both my family and for my dad's business, extremely friendly and professional. They were also our tenants prior to COVID and were great to work with. I highly recommend them.
Matthew Davila
20:59 27 Apr 24
Great people honest and do great work. They fixed my system at a very reasonable price and quick turnaround.
June Neblung
20:36 24 Apr 24
These good folks provide us with our security cameras and all of our computer and internet needs. Al, Nasser and Zach are the best!
Dank F
22:39 15 Apr 24
Amazing people helped me with all my problems great work on my machine I’m definitely coming back !!!
Manoj Bhagat
18:44 28 Mar 24
Great service, they revived my old notebook and made it fast again.. Very reasonable prices. Thank you
Berman Taylor
15:34 17 Mar 24
They have taken care of my computers for years! I can't imagine getting anything done without them. I appreciate their calm, good humor and advice.
Orelvis Redwoods
14:26 27 Feb 24
My computer didn't want to turn on, display anything at all, etc. Took it to these gentlemen and they fixed it for a reasonable price, totally recommend them.
Ashley Aguirre
22:26 19 Feb 24
Good prices they have everything and provide great service.
Laura H
12:50 17 Feb 24
The best computer support for a small business.
moira crabtree
19:15 17 Aug 22
I want to praise this company to the heavens! They are so very good. If your computer has ANY problem, particularly a difficult problem, THIS IS THE COMPANY TO CALL! They come quickly (eases any computer anxiety whether it's a business or personal situation). They are so smart (and you need someone smart enough to solve your issue), thorough (you do not need a half-baked job done), and so very pleasant to deal with (in a time when most service people are cranky.). This company was recommended by a business that needs flawlessly running systems. I was told they were good and reliable. They are so much better than that. I will never use anyone else. Once I have found the best, why look anywhere else? Save your sanity. Just call Advantage Computer Solutions. You won't regret it.
Amy Neustein
18:10 13 Jul 22
From Today --July 13, 2022I just had my computer serviced at Advantage Computer Solutions and again I couldn't be more pleased!! Al and Zack were fantastic! Not only did they diagnose the problem, and jump in immediately to help me, but they did it in record time!!! Al gave me a new SSD which makes my computer work at record speed. In addition, he cleaned out my fan to help with the freezing of the computer when the fan overheated. The concern and care afforded by Advantage Computer Solutions are extraordinary. This is a family-owned business that truly treats each client like a family member! I wholeheartedly recommend this place over the chain repair shops. I have complete confidence in Advantage Computer Solutions, which is a blessing indeed!!!Amy Neustein, Ph.D.Fort Lee, NJFrom six years agoI don't have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals available to service my computer. The company has deep respect for its customers. I am very pleased as I have been using their services successfully since 2010.
MikSchlag
13:46 15 Mar 22
Quickly attuned and all options presented within minutes. I was back up and running within 20 minutes ( on main computer) and it cost me 1/3rd of an office visit (they had everything (memory and SSD and didn't push options) in stock for my older computers)! Outstanding... or you could be standing out in the cold. They kept my business running!!
Steve Walden
14:00 10 Feb 22
I never leave reviews, but I have to give a shout out to Al and Advantage Computers because they do terrific work. Had my house wired with ethernet cable and they worked quickly, efficiently, were pleasant to deal with. Everything was cleaned up and done professionally. Among the best service I've had as a homeowner. Would highly recommend!
Dmitry Kreslavskiy
19:31 04 Jan 22
Had a great experience here. Nice, very polite and highly professional people and very reasonable charges as well.A laptop died suddenly for no apparent reason, occasionally allowing you to peek into BIOS setup, but not always, and always ending up with a black screen without going into Windows.Microcenter people told me to wait a week because of COVID, Nasser here took it and had good quality research results for me the morning after, - it was a dead motherboard, and he even explained the likely reasons for its failure.He salvaged the data for us to a USB stick and he let us spend all the time we needed picking the data we wanted copied.He spent a ton of time on us and only charged us about $50 for the research and another $50 for data copying, very reasonable, - Best Buy and Microcenter wouldn't been more pricey.Happy to recommend and come back again as well. Thank you so much for a great service!
RICHARD DEMAYO
14:45 22 Jan 21
The best guys in the business bring them any problem and give them a little time and they will give you a solution.
PRO AUTO BROKERS
23:50 11 Jan 21
These guys are the best in the business, very knowledgeable and easy going. Highly recommended, top notch in the computer business. My main man Al took care of us efficiently and fast, also great prices.Ed
Carlos Santos
23:24 26 Oct 19
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also excellent, even if they don’t have a particular part in stock. They work fast and they work smart. In the decade I’ve known them, I’ve never had to return a computer because something wasn’t fixed. I believe that they’re one of the industries’ best kept secret.
D Lobiondo
18:07 30 Apr 19
They're true problem solvers for anyone with computer issues. We received expert help and courtesy at a reasonable price. We trust them and will return!
Sonya G
03:01 06 Aug 18
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore! I will definitely call Zack again should I have any more IT needs.
Camp Sparkles
02:18 05 Aug 18
Al and Zack were so nice and knowledgeable. They figured out immediately what the problem was but instead of fixing it they let me know that my computer was still under warranty and that I should send it back to Dell. I stood in their store for 50 min on the phone with Dell and Al and Zack walked me through the process. I will definitely tell all my friends about their honesty and refer them. Thank you!
Mary Ann Adams
01:23 23 Mar 18
Very professional, excellent work, reasonable price. They definitely know their business.
Clemons Kunkel
06:16 07 Jan 18
Has worked on my computer for years.. Al does a great job and very Friendly. Have brought 3 computer because ever thing Changes. Thanks
Gennady Lager
18:04 17 Aug 17
I hired Advantage Computers to install an access point and improve the wifi signal at my home office. Zack took the time to understand my problem, communicate via email and phone, come up with a proposed solution, and schedule the work. He showed up on time and was very fair on price. The quality of the work is solid. I would hire him for all of my IT needs that I cannot resolve on my own.
Holly Kaplansky
13:09 02 Feb 16
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they "forgot" to do....) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable....everything you want in a computer solutions vendor.
trudy holt
19:47 20 Nov 14
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest.... A++!!! Essex Surgical relies on Advantage Computer Solutions.
More reviews

Easy Contact
253 Main Ave, Passaic NJ 07055
Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821

© 2025 ~ All Rights Reserved
Advantage Computer Solutions, Inc
Company
Home

About Us

Contact

Testimonials

Blog

Partners

Services
Managed IT Solutions

Medical IT Solutions

Cloud Services

Firewall Installation

Server Solutions

Data Backup and Recovery

Network Cabling Installation

Computer Repair

Virus and Spyware Removal

Testimonials
Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix things and at a reasonable price. This time I went to Advantage Computer Solutions to find a new laptop. I needed help because like most of us I had no… Read more “Amazing!”
Amanda Tolve
Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not operate my small biz without them!
Karen Schloss
stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient and terrific. So happy with Advantage Computer Solutions and Al and his AMAZINGLY WONDERFUL STAFF.
Nancy Alberga
I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or small my problem, they have been unfailingly helpful, friendly and professional. Services are performed promptly and effectively, and they are very fair with pricing, too. I am lucky to have… Read more “Whatever my need, unfailingly helpful”
Michael Lesher
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also… Read more “Best Kept Secret”
Carlos Santos
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore!… Read more “Excellent Experience”
Sonya G
Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super reliable – whether it’s everyday maintenance or emergencies that may arise, The Advantage Team take care of us! Our team is grateful for their knowledgeable and professional services – a… Read more “Simply The Best!”
Kara Steible
Advanced Technology Search
The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.
Susannah Rubenstein
Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems. When we have an emergency, they make it their emergency. Its like having a cousin in the business.
lenny steinbach
Lucille Laundry - Monroe St Passaic NJ
In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those times. Zack Rahhal has been our hardware and technical consultant for our servers, Pc’s and other technical equipment since April 2004 and has provided valuable input and courteous service to… Read more “Exceptional People”
John Belly
Cambridge Paving Stones and Wall Systems, Inc
I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am an attorney and operate my own small firm. I have limited knowledge of computers. Zack is very patient in explaining things. He has offered practical and economical solutions to multiple… Read more “Highly Recommended”
Nick T.
West New York, NJ
THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they said it would be $600, I went in they did a quick diagnostic, and based on his observations he gave me a step by step of the possible problems and… Read more “Life Savers”
Desirée A.
East Rutherford, NJ
I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals… Read more “I don’t have enough words to express my appreciation”
Amy Neustein
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they “forgot” to do….) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable….everything you want in a computer solutions vendor.
Holly Kaplansky
Minuteman Press Newark
Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in that the staff is very knowledgeable, approaching needs and issues in a very straightforward, common sense manner, resulting in timely solutions and resolutions. Enjoyable, these guys are really friendly (not… Read more “Knowledgeable, Reliable, Reasonable”
Ben Rowner
MR Capital Group, Inc
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest…. A++!!! Essex Surgical relies on Advantage… Read more “Excellent service!”
Trudy Holt
Essex Surgical
Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great price. They are very professional. I was very satisfied with their service. I am a newbie in terms of PC gaming so they gave me great advice on this new piece… Read more “Great Advice and Service”
Jose
Clifton NJ
Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical support both onsite and offsite. It was through a recommendation that we contacted Advantage to have them provide us with a quote to install a new server and update our… Read more “Great Service, Support and Sales”
John Mezzina
Synatech, Inc.
Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult to be loyal as they offer services from the most intricate and personalized to the global scale. Our company has grown beyond its doors of a local office to National… Read more “Extremely Professional and Passionate”
Cherie Avinger
RCL Agencies, Inc. Clifton, NJ
Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service is always prompt. When your computers are down or not working properly is affects all aspects of your business, it is wonderful to have such a reliable team on our… Read more “Handles all our Office IT”
Jennifer Raspanti
Optimum Orthopedics
Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services and expertise to solve our technologic problems and growth over the past eighteen years. We would like to personally thank them for proposing cost effective solutions while reducing labor-intense tasks… Read more “Passaic Housing Authority”
Michael S. O’Hara
Passaic Housing Authority
“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on that computer to deliver final products to my clients. Fortunately, I brought my HP into Advantage for repair and in one day I had my computer back. Not only did… Read more “They made sure EVERYTHING was working”
Phil Cantor
Phil Cantor Photography