Apple edges closer to cursory code review for all Mac apps

1 day 2 hours ago

Apple will soon make a code review mandatory for all applications distributed outside its own Mac App Store by new developers, a first step towards requiring all Mac software to pass similar reviews.

The Cupertino, Calif. company argued that the process, which it calls "notarization," would build a more secure macOS environment. "We're working with developers to create a safer Mac user experience through a process where all software, whether distributed on the [Mac] App Store or outside of it, is signed or notarized by Apple," the company stated in an April 10 message on its developer portal.

To read this article in full, please click here

Gregg Keizer

Security theater, ’80s style

2 days 4 hours ago

It’s the late 1980s and pilot fish is working on business application development for an aerospace and defense contractor where physical security is surprisingly lax. There’s a guard on duty at the front desk during business hours, but that’s about the extent of it. That changes with the announcement that all personal gear will be subject to inspection on leaving the building.
Now there are guards 24/7, and everyone leaving the building is politely requested by those guards to open their briefcases and backpacks. The guards then take a look inside before waving the owners through.
Rumor has it that this security push came about because some Apple Mac computers have gone missing. And it continues for about six months, and then suddenly ceases.
What happened? Employees have to rely on rumor again, which holds that the cleaning crew had taken the Macs, which makes sense given that large, wheeled trashcans would make the job easy.
The exit checks never turned up anything, but even law-abiding pilot fish can’t help but notice that it would be pretty easy to cover any contraband in a bag with a few clothes or newspapers and never be discovered, given the cursory nature of the searches.

To read this article in full, please click here

Sharky

Here's an easier way to block the IE XXE zero day security hole

6 days 21 hours ago

The latest Internet Explorer XXE zero-day depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

It’s a doozy of a security hole as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.
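The excerpt names the vulnerability class (XXE) and the carrier (an MHT file) without showing what the tell-tale content looks like. As an added example, not code from the article or from Microsoft: an MHT file is an ordinary MIME multipart archive, so the standard library's email parser can split it into parts, and any part whose XML DOCTYPE declares an external (SYSTEM or PUBLIC) entity is the XXE signature a mail gateway or endpoint scanner should quarantine. The two MHT samples are constructed for the example; the regexes are a generic XXE pattern, not a signature for this specific bug.

```python
"""Scan an MHT (MIME HTML) archive for XML external-entity declarations."""
import re
from email import policy
from email.parser import BytesParser
from typing import Dict, List

# DOCTYPE internal subset declaring an external general or parameter entity.
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)
# Only bother with parts that carry an XML prolog or DOCTYPE at all.
XML_PROLOG = re.compile(rb"<\?xml\b|<!DOCTYPE\b", re.IGNORECASE)


def scan_mht(raw: bytes) -> List[Dict]:
    """Return one finding per external-entity declaration found in any MIME part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers have no payload of their own
        body = part.get_payload(decode=True) or b""  # undoes quoted-printable/base64
        if not XML_PROLOG.search(body):
            continue
        for m in EXTERNAL_ENTITY.finditer(body):
            findings.append({
                "part": idx,
                "content_type": part.get_content_type(),
                "location": part.get("Content-Location"),
                "declaration": m.group(0).decode("ascii", "replace"),
            })
    return findings


# Constructed sample: a plain saved web page, as a browser would write it.
BENIGN_MHT = b"\r\n".join([
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="----=_Part_0"',
    b"",
    b"------=_Part_0",
    b'Content-Type: text/html; charset="utf-8"',
    b"Content-Location: http://example.invalid/page.html",
    b"",
    b"<html><body><p>Saved page</p></body></html>",
    b"------=_Part_0--",
    b"",
])

# Constructed sample: the same archive with an extra XML part whose DOCTYPE
# pulls in an external entity from the local file system.
SUSPECT_MHT = b"\r\n".join([
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="----=_Part_0"',
    b"",
    b"------=_Part_0",
    b'Content-Type: text/html; charset="utf-8"',
    b"Content-Location: http://example.invalid/page.html",
    b"",
    b"<html><body><p>Saved page</p></body></html>",
    b"------=_Part_0",
    b"Content-Type: text/xml",
    b"Content-Location: http://example.invalid/data.xml",
    b"",
    b'<?xml version="1.0"?>',
    b"<!DOCTYPE data [",
    b'  <!ENTITY ext SYSTEM "file:///C:/example.txt">',
    b"]>",
    b"<data>&ext;</data>",
    b"------=_Part_0--",
    b"",
])

if __name__ == "__main__":
    print("benign :", scan_mht(BENIGN_MHT))
    print("suspect:", scan_mht(SUSPECT_MHT))
```

Run it against a directory of .mht/.mhtml attachments and treat any finding as a block; legitimate saved pages never need a DOCTYPE that reaches outside the archive.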

To read this article in full, please click here

Woody Leonhard

Win7/8.1/Server patch conflicts abated, somewhat, but it’s still too early to install the April crop

1 week 1 day ago

A week ago, Microsoft released six patches that brought many machines to their knees. As I explained last Friday, when the dust cleared, it was apparent that all six of these April patches:

  • Win7 and Server 2008 R2 Monthly Rollup (KB 4493472) and Security-only (KB 4493448) patches
  • Win8.1 and Server 2012 R2 Monthly Rollup (KB 4493446) and Security-only (KB 4493467) patches
  • Server 2012 Monthly Rollup (KB 4493451) and Security-only (KB 4493450) patches

would trigger blue screens on reboot on most systems running Sophos antivirus products, and many systems running AV products from Avast and Avira.

To read this article in full, please click here

Woody Leonhard

Google, Hyperledger launch online identity management tools

1 week 3 days ago

In two separate announcements last week, Google and the Linux Foundation's Hyperledger project launched tools aimed at enabling secure identity management for enterprises via mobile and other devices.

Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.

To read this article in full, please click here

Lucas Mearian

You Can Now Get This Award-Winning VPN For Just $1/month

2 weeks ago

If you use the internet (which you clearly do), you likely know how important it is to protect your data in an increasingly dangerous cyber environment. But like other essential tasks that tend to be tedious (like filing taxes early and brushing your teeth for the full two minutes), installing and running a VPN can sound unappealing: sure, a VPN encrypts your internet traffic and hides your location, but it can also run frustratingly slowly, delaying the way you'd usually use the internet for entertainment and work.

That’s where Ivacy VPN is different: not only will the speedy service let you browse and stream lag-free, it also offers real-time threat detection technology, removing malware and viruses at the server level. It ensures that all your downloads and devices stay totally secure, so you can stay safe online without being inconvenienced.

To read this article in full, please click here

DealPost Team

Massive bank app security holes: You might want to go back to that money under the mattress tactic

2 weeks 5 days ago

A new report from a well-regarded payments consulting firm has found a lengthy list of security insanity while examining several major fintech company mobile apps. Although the very nature of apps that manage and move money would suggest presumably strong security, banks and their cohorts tend to adopt new technology slower than almost any other vertical, which puts them in a bad place when it comes to security.

My favorite finding from the Aite Group report: "Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them," the report noted. "Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the [financial institution’s] API servers, gaining them access to data in the back-end databases. This allows [attackers] to authenticate the device with the back-end servers of that app, since this is what APIs use for authentication and authorization."
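The two findings quoted from the report, embedded private certificates and embedded API keys, are exactly the kind of thing a build pipeline can sweep for before an app ships. As an added example, not code from the Aite Group report or from any bank: once an APK or IPA is unpacked (apktool, unzip) its resources and decompiled sources are plain files, so a scanner can look for PEM private-key blocks, binary keystore bundles, and secret-looking literals assigned to api-key/secret/token names, using a Shannon-entropy threshold to skip placeholders. The sample file tree, the entropy threshold and the variable names are assumptions for the example.

```python
"""Sweep an unpacked mobile app for hard-coded private keys and API keys."""
import math
import re
from typing import Dict, List

# PEM-armoured private key of any common flavour.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Binary keystore formats that cannot be grepped: flag by extension.
KEYSTORE_NAME = re.compile(r"\.(p12|pfx|jks|bks)$", re.IGNORECASE)
# A long literal assigned to an api-key/secret/token style identifier.
KEY_ASSIGN = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|client[_-]?secret)\b\s*[:=]\s*["']([A-Za-z0-9_\-./+=]{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a run of one repeated character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_file(path: str, text: str, min_entropy: float = 3.0) -> List[Dict]:
    """Findings for one file; min_entropy (assumed) filters obvious placeholders."""
    findings = []
    if KEYSTORE_NAME.search(path):
        findings.append({"file": path, "kind": "keystore-file", "value": None})
    for m in PEM_PRIVATE.finditer(text):
        findings.append({"file": path, "kind": "pem-private-key", "value": m.group(0)})
    for m in KEY_ASSIGN.finditer(text):
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= min_entropy:
            # Report only a prefix so the scanner's own output does not leak the key.
            findings.append({"file": path, "kind": "api-key", "value": f"{name}={value[:6]}..."})
    return findings


def scan_tree(files: Dict[str, str]) -> List[Dict]:
    """files maps a relative path to its decoded text (e.g. apktool output)."""
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


# Constructed sample tree: one real-looking key, one placeholder, one PEM key,
# one PKCS#12 bundle and an innocent resource file.
SAMPLE_APP = {
    "src/com/examplebank/ApiClient.java": (
        "public class ApiClient {\n"
        '  static final String API_KEY = "A1b2C3d4E5f6G7h8I9j0K1l2";\n'
        '  static final String TOKEN = "xxxxxxxxxxxxxxxxxxxx";\n'
        "}\n"
    ),
    "assets/tls/client.pem": (
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvQIBADANBgkqNOTAREALKEY\n"  # constructed, not a real key
        "-----END PRIVATE KEY-----\n"
    ),
    "res/raw/client.p12": "<binary contents omitted>",
    "res/values/strings.xml": '<string name="app_name">Example Bank</string>',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_APP):
        print(f"{f['kind']:16} {f['file']}  {f['value'] or ''}")
```

A finding of kind pem-private-key or keystore-file is a release blocker regardless of entropy: a private key that ships in the app is, as the report notes, available to anyone who unpacks it, and the "password" on a PKCS#12 file only slows down an offline cracker.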

To read this article in full, please click here

Evan Schuman

Microsoft Patch Alert: Most March patches look good

3 weeks 2 days ago

March was an unusually light patching month – all of Office only had one security patch – and there don’t appear to be any immediate patching worries. Just as in the past few months, Microsoft’s holding off on its second cumulative update for Windows 10 1809, raising hopes that it’s taking Win10 quality more seriously.

Win10 1809 deployment proceeded at a positively lethargic rate, even though Microsoft declared the OS fit for business consumption last week, leading to all sorts of speculation about the next-next update, Win10 version 1903, ultimately overtaking its younger sibling.

To read this article in full, please click here

Woody Leonhard

With its Apple Card, Apple edges further into financial services

3 weeks 6 days ago

Apple's Monday announcement of a credit card – the Apple Card – represented a natural progression of the company's journey into financial services that began with the Apple Wallet app and its contactless digital payment service, Apple Pay.

The Apple Card, as described by the company this week, will offer users some attractive features: up to 3% cash back on daily purchases, no late or international transaction fees, and a physical chipped card made of titanium (sans any credit card numbers – just your name and an Apple symbol).

To read this article in full, please click here

Lucas Mearian

Microsoft connects rival browsers to Windows 10's Application Guard

4 weeks 2 days ago

Microsoft earlier this month released a pair of add-ons for Google's Chrome and Mozilla's Firefox to cobble together an unwieldy connection between those browsers, Edge and Windows 10's advanced security technology, Windows Defender Application Guard (WDAG).

The debut of the browser extensions - separate add-ons for Chrome and Firefox - was quietly plugged at the end of a March 15 blog post relating a recent Windows Insider build. That build, 18358, will lead, presumably next month, to Windows 10's next feature upgrade, labeled 1903 and also Windows 10 April 2019 Update.

To read this article in full, please click here

Gregg Keizer

ASUS Live Update Utility cracked, installs ShadowHammer backdoor on 1M PCs, but only 600 targeted

4 weeks 2 days ago

Great way to wake up on Monday morning, especially if you own an ASUS machine.

Kaspersky just published a teaser for a more thorough explanation to come in two weeks at the Kaspersky Security Analysts Summit in Singapore. It’s quite an eye-opener.

Apparently somebody broke into the ASUS update servers, and swapped out a valid software/firmware update with one of their own. The bogus update looked like the genuine thing, with a valid certificate, and its size matched the original’s size. As a result, the bad update stayed on ASUS’s servers “for a long time.”
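The excerpt's two details, a valid certificate and a matching file size, are exactly the properties an updater usually checks, and neither distinguished the bogus update. As an added example, not ASUS's updater or anything from Kaspersky's analysis: a release manifest that pins the SHA-256 of each update and is itself authenticated with a key that never lives on the update server lets the client reject a swapped payload even when size and code signature look right. The HMAC key, the manifest layout and the two payloads are constructed for the example; a production system would sign the manifest with an asymmetric key held by release engineering rather than a shared secret.

```python
"""Verify a downloaded update against an out-of-band, authenticated manifest."""
import hashlib
import hmac
import json
from typing import Dict

# Assumed: held by the release signer only, never deployed to the update host.
MANIFEST_KEY = b"release-manifest-key-example-only"


def _canonical(entries: Dict[str, Dict]) -> bytes:
    """Stable serialisation so the tag does not depend on dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: Dict[str, Dict], key: bytes = MANIFEST_KEY) -> Dict:
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_update(name: str, blob: bytes, manifest: Dict, key: bytes = MANIFEST_KEY) -> str:
    """Return 'ok' or the first reason the update must be rejected."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return "manifest tampered"
    entry = manifest["entries"].get(name)
    if entry is None:
        return "unknown update"
    if len(blob) != entry["size"]:
        return "size mismatch"
    # Size agreeing is not integrity: the hash is the check that actually bites.
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), entry["sha256"]):
        return "hash mismatch"
    return "ok"


# Constructed payloads: the trojanized one is padded to the genuine length,
# mirroring the size match the excerpt describes.
GENUINE = b"update payload " + b"\x00" * 100
TROJANIZED = b"update payload " + b"\x41" * 100
assert len(GENUINE) == len(TROJANIZED)


def build_manifest() -> Dict:
    """What release engineering would publish alongside the genuine build."""
    return sign_manifest({
        "update.bin": {"size": len(GENUINE), "sha256": hashlib.sha256(GENUINE).hexdigest()},
    })


if __name__ == "__main__":
    m = build_manifest()
    print("genuine   :", verify_update("update.bin", GENUINE, m))
    print("trojanized:", verify_update("update.bin", TROJANIZED, m))
```

The manifest has to travel a different path from the payload (pinned in the client, fetched from a separately controlled host, or published to a transparency log); an attacker who can replace the update on the same server can replace an unauthenticated manifest just as easily.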

To read this article in full, please click here

Woody Leonhard

How blockchain is becoming the 5G of the payment industry

1 month ago

As more blockchain-based payment networks and fiat-backed digital currencies – including one from the largest U.S. bank – emerge, experts and analysts are predicting a sea change for the financial services industry.

"I think you're starting to see a growing consensus," said Matt Savare, a partner who works in the technology group of New Jersey-based law firm of Lowenstein Sandler LLP. "I do quite a bit of FinTech and I can tell you my clients... the banks, are inherently conservative – at least the large ones. But once they see other banks adopt new technologies, you see it snowball. Other banks will often join on in pretty quick fashion."

To read this article in full, please click here

Lucas Mearian

Heavenly tech support

1 month ago

Pilot fish is helping his pastor fine-tune the church LAN when he notices that the day-care facility next door has a wide-open and unsecured Wi-Fi connection.

Fish’s pastor wants to connect to the day-care center’s printer and print a document saying, “This is from your neighbors. You need to tighten the security on your Wi-Fi.”

Fish suggests that they instead print a document that says, “This is from God. You need to go to church. There’s a really nice one right next door.”

“Too bad the pastor overruled me,” says fish.

Sharky wants your true tale of IT life. If you can’t send it directly to my printer, email it to me at sharky@computerworld.com. You can also subscribe to the Daily Shark Newsletter and read some great old tales in the Sharkives.

To read this article in full, please click here

Sharky

Slack rolls out enterprise key management, but has no plans for end-to-end encryption

1 month ago

Slack has given large business customers control over the keys used to encrypt and decrypt data created in its team collaboration application. 

The enterprise key management (EKM) feature was initially unveiled at the company’s Frontiers event in San Francisco in September, ahead of a closed pilot project; it is now available to all customers of Enterprise Grid, which is targeted at company-wide deployments at large organizations. 

To read this article in full, please click here

Matthew Finnegan

March 2019 Windows and Office patches poke a few interesting places

1 month 1 week ago

Patch Tuesday has come and gone, not with a bang but a whimper. As of this moment, early Wednesday morning, I don’t see any glaring problems with the 124 patches covering 64 individually identified security holes. But the day is yet young.

There are a few patches of note.

Two zero days

Microsoft says that two of this month’s security holes — CVE-2019-0797 and CVE-2019-0808 — are being actively exploited. The latter of these zero days is the one that was being used in conjunction with the Chrome exploit that caused such a kerfuffle last week, with Google urging Chrome browser users to update right away, or risk the slings of nation-state hackers. If you’ve already updated Chrome (which happens automatically for almost everybody), the immediate threat has been thwarted already.

To read this article in full, please click here

Woody Leonhard

Apple’s Box security scare shows the risk of shadow IT

1 month 1 week ago

Until enterprise IT truly understands that its own internal systems need to be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will take place, threatening business confidentiality. Apple is not immune.

Apple and the human interface

The news is that information from some of the world’s biggest names in business – including Apple, Edelman and Discovery Channel – could have been accessed through Box Enterprise, which offers companies bespoke company name-based file archiving and sharing services using this URL construction:

https://<companyname>.app.box.com/v/<filename>

To read this article in full, please click here

Jonny Evans

Microsoft to start selling Windows 7 add-on support April 1

1 month 2 weeks ago

Microsoft plans to start selling its Windows 7 add-on support beginning April 1.

Labeled "Extended Security Updates" (ESU), the post-retirement support will give enterprise customers more time to purge their environments of Windows 7. From Windows 7's Jan. 14, 2020 end of support, ESU will provide security fixes for uncovered or reported vulnerabilities in the OS.

[ Related: Windows 7 to Windows 10 migration guide ]

Patches will be issued only for bugs rated "Critical" or "Important" by Microsoft, the top two rankings in a four-step scoring system.

To read this article in full, please click here

Gregg Keizer

About SecurityFeeds

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.