Skip to main content
Please wait...

Apple is learning why shortcut security is a bad idea

1 day 19 hours ago

When Apple launched its enterprise developer certificate program — which helps enterprises make their homegrown apps for employee use-only available through iTunes — it had to make a difficult convenience-vs.-security decision: how much hassle to put IT managers through to get their internal apps posted. It chose convenience and, well, you can guess what happened.

Media reports say pirate developers used the enterprise program to improperly distribute tweaked versions of popular apps — including Spotify, Angry Birds, Pokemon Go and Minecraft — while others used the platform to distribute porn apps along with real-money gambling apps. And all the bad guys had to do was lie to Apple reps about being associated with legitimate businesses. Apple didn't bother to investigate or otherwise verify the answers.

To read this article in full, please click here

Evan Schuman

Microsoft delays Windows 7's update-signing deadline to July

2 days 17 hours ago

Microsoft has revised its schedule to dump support for an outdated cryptographic hash standard by postponing the deadline for Windows 7.

Microsoft, like other software vendors, digitally "signs" updates before they are distributed via the Internet. SHA-1 (Secure Hash Algorithm 1), which debuted in 1995, was declared insecure a decade later, but it was retained for backward-compatibility reasons, primarily for Windows 7. Microsoft wants to ditch SHA-1 and rely only on the more-secure SHA-2 (Secure Hash Algorithm 2).

[ Related: Windows 7 to Windows 10 migration guide ]

Late last year, Microsoft said that it would update Windows 7 and Windows Server 2008 R2 SP1 (Service Pack 1) this month with support for SHA-2. Systems running those operating systems would not receive the usual monthly security updates after April's collection, slated for release April 9, Microsoft promised at the time.

To read this article in full, please click here

Gregg Keizer

Yabba dabba doo!

3 days 3 hours ago

Fish is being onboarded as a software engineer and has to download the code repository and start building it. But in checking the setup guide, he can’t find any instructions on what user credentials to use to log in. This seems like something he should be able to figure out, so he trolls through multiple document systems (internal websites, Google documents and wikis) until he finds an old document that says to use his username as both username and password for version control access. That’s easy enough — but it doesn’t work. Fish gets a message saying his account wasn’t found or the password didn’t match.

Time to submit a help desk ticket. And the explanation is simple. IT had neglected to run the script that created an account for fish in the version control system. Ten minutes after submitting the ticket, fish is in at last.

To read this article in full, please click here

Sharky

Mozilla to harden Firefox defenses with site isolation, a la Chrome

1 week ago

Mozilla plans to boost Firefox's defensive skills by mimicking the "Site Isolation" technology introduced to Google's Chrome last year.

Dubbed "Project Fission," the effort will more granularly separate sites and their individual components than is currently the case in Firefox. The goal: Isolate malicious sites and attack code so individual sites cannot wreak havoc in the browser at large, or pillage the browser, the device or the device's memory of critical information, such as authentication credentials and encryption keys.

[ Further reading: 14 must-have Firefox add-ons ]

"We aim to build a browser which isn't just secure against known security vulnerabilities, but also has layers of built-in defense against potential future vulnerabilities," Nika Layzel, the project tech lead of the Fission team, wrote in a post last week to a Firefox development mailing list. "To accomplish this, we need to revamp the architecture of Firefox and support full Site Isolation." Layzel also published the note as the first newsletter from the Fission engineering group.

To read this article in full, please click here

Gregg Keizer

How to use your Mac safely in public places

1 week ago

Coffee shops across the planet are populated by earnest Apple Mac-wielding remote and/or freelance workers – but are they taking steps to protect themselves in a public place? Follow this checklist to make sure you are protected.

12 ways to use your Mac safely in public places 1. Worry about Wi-Fi

Public Wi-Fi networks are dangerous places, not least because you don’t really know how the network is set up or who else is sitting on the same network with you.

[ Related: Get serious about privacy with the Epic, Brave and Tor browsers ]

Criminals are known to set up legitimate-seeming hotspots on which their software lurks, attempting to take data (including your bank and intranet passcodes) in transit. Please beware:

To read this article in full, please click here

Jonny Evans

All about Android upgrades (and why they're late) | TECH(talk)

1 week 1 day ago

It's not exactly news that Android upgrades almost always take a lo-o-o-o-o-ng time to roll out to most users. As in months. Often, many months. Sometimes more than a year.

Sometimes never.

(There is an exception: Google delivers new versions of Android to its Pixel line right away, and did just that with the release of Android 9.0 (Pie) last fall.)

It's now been six months since Pie arrived, which means it's time for Computerworld blogger JR Raphael's comprehensive look at how device-makers are doing when it comes to upgrades. 

To read this article in full, please click here

Ken Mingis

With latest mobile security hole, could we at least focus on the right things?

1 week 2 days ago

A bunch of apps from some major players — including Expedia, Hollister, Air Canada, Abercrombie & Fitch, Hotels.com and Singapore Airlines — recently came to grief because of a security/privacy hole in a third-party analytics app they all used, according to a report from TechCrunch. In the case of Air Canada, the incident exposed extremely sensitive customer information including payment card and password data shared in clear text. That sort of thing shouldn't be happening — and yet everyone seems focused on the wrong lesson.

To read this article in full, please click here

Evan Schuman

It's time to block Windows Automatic Updating

1 week 4 days ago

Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder. When the bugs come out, as they inevitably will, I hope you’ll drop by AskWoody.com and tell us all about them.

For those who feel that, given Microsoft’s track record of pernicious patches, a bit of reticence is in order, I have some good news. Microsoft’s Security Response Center says that only a tiny percentage of patched security holes get exploited within 30 days of the patch becoming available.

To read this article in full, please click here

Woody Leonhard

How to stay as private as possible on Apple's iPad and iPhone

1 week 6 days ago

Apple believes in your right to privacy. Here is some advice on how to use the tools it has given you to protect your privacy on an iOS device.

Use a better passcode

You probably already use a 4-digit passcode, but you can improve that with a 6-digit or alphanumeric code.

You change this in Settings>Touch ID/Face ID & Passcode, select Change Passcode and then tap the small Passcode Options dialog. Alphanumeric codes are harder to decipher, just make sure you remember the code.

To read this article in full, please click here

Jonny Evans

Microsoft: Watch out for zero days; deferred patches, not so much

1 week 6 days ago

Matt Miller’s presentation at Blue Hat yesterday included some startling statistics, based on data gathered by Microsoft’s Security Response Center. The numbers starkly confirm what we’ve been saying for years: The chances of getting hit with malware by delaying Windows and Office patches for up to 30 days is tiny compared to all the other ways of getting clobbered.

To read this article in full, please click here

Woody Leonhard

Get TotalAV Essential AntiVirus for $19.99 (80% off)

2 weeks ago

The term “computer virus” calls to mind imagery of pathogenic creepy-crawlies bringing down a device’s operating system, their flagella wriggling as they multiply into hordes that infiltrate its chips and wires. And while it’s true that our computers can be infected with literal biological bacteria like staphylococci, per Science Illustrated, the threat of malicious codes and programs intent on corrupting data and files looms far larger: According to a recent study from the University of Maryland’s Clark School of Engineering, attacks on computers with internet access is virtually ceaseless, with an incident occurring every 39 seconds on average, affecting a third of Americans every year.

To read this article in full, please click here

DealPost Team

Why Apple is disabling Safari’s Do Not Track feature

2 weeks 1 day ago

Apple takes privacy very seriously. It takes its leadership in that care seriously, and getting rid of the voluntary "Do Not Track" setting in its Safari browser is the right decision.

Why disabling Safari’s Do Not Track feature is the right thing to do

Apple introduced support for Do Not Track (DNT) in iOS 7 but removed the feature in Safari 12.1.

The problem with DNT is that the signal it sends to websites, analytics firms, plug-in makers, and ad networks is a voluntary request and can be ignored.

To read this article in full, please click here

Jonny Evans

Throwback Thursday: Pick a card, any card ...

2 weeks 1 day ago

This conglomerate is structured as several smaller companies, with a big central IT organization plus individual IT groups in some of the companies, reports an IT pilot fish there.

“An IT staffer from one of the companies loaded a password cracker and proceeded to crack the Windows NT servers,” fish says. “He sent out emails bragging about how insecure NT was and giving the NT team a hard time.”

Fish isn’t on the NT team, but he and his security co-workers decide to strike back on behalf of their colleagues — and they do it through the central IT audit group, to make sure it’s all above board.

First, they supply the audit people with a list of more than 100 Unix servers, and get them to pick a server at random. Amazingly, the audit group picks the only server on the list that belongs to the company where the NT attack originated.

To read this article in full, please click here

Sharky

The January Windows and Office patches are good to go

2 weeks 6 days ago

Compared to some months last year, January has been a Microsoft patching cakewalk. We had several rounds of close calls and missed calls, as I posted earlier this week, but almost everything is cleared up.

We’ve seen a few more problems raise their ugly heads in the past few days:

  • Microsoft has confirmed that the latest version of Office Click-to-Run (which you’re likely using if you have Office 365) makes the conversation window disappear in Skype for Business 2016.
  • The Windows 8.1 Monthly Rollup, KB 4480963, breaks the Live Migration feature on older AMD Opteron machines. We’re still waiting for confirmation on that one.
  • Citrix confirms (but Microsoft hasn’t acknowledged) that the latest Win10 1803 cumulative update, KB 4480976, causes page file problems when the page file isn’t sitting on C:. More details on Tenforums.

Those are typical Microsoft edge-use bugs: They don’t affect many people, but if you’re one of the stuckees, you’re up the ol’ creek.

To read this article in full, please click here

Woody Leonhard

Microsoft Patch Alert: January patches include a reprisal of KB 4023057 and a swarm of lesser bugs

3 weeks 1 day ago

In general, the January patches look relatively benign, but for some folks in some situations they can bite. Hard.

On the surface we’ve seen the usual Patch Tuesday Cumulative Updates and secondary Cumulative Updates for all versions of Windows 10. Microsoft calls the secondary Cumulative Updates “optional” because you only get them if you click “Check for updates.”

[ Related: How to clean up your Windows 10 act ]

Windows 7 and 8.1 got their usual Monthly Rollups, but there’s a problem. Specifically, this month’s Win7 Monthly Rollup has a couple of bugs that are only fixed if you install the preview of February’s Monthly Rollup. Which makes no sense at all, but that’s Microsoft. There’s another Win7 Monthly Rollup bug that’s fixed by installing a different “silver bullet” patch.

To read this article in full, please click here

Woody Leonhard

It's a hack!

3 weeks 2 days ago

It's a few years after Y2K, and this pilot fish has overall responsibility for all things related to his company's website.

"Like most corporations, our company had a policy that computers and laptops were to be used only for company business, along with policies governing the appropriate use of the internet in the work environment," fish says.

"After arriving at work one morning, I opened my email to find a frantic message from our CEO to me and our internet security manager, stating that our website had been hacked."

The big boss knows this is the case because there are spammy images and text on the home page, among other issues. Not surprisingly, the CEO is adamant that this must be resolved ASAP.

To read this article in full, please click here

Sharky

Blockchain: The complete guide

3 weeks 2 days ago

Blockchain, which began to emerge as a real-world tech option in 2016 and 2017, is poised to change IT in much the same way open-source software did a quarter century ago. And in the same way Linux took more than a decade to become a cornerstone in modern application development, Blockchain will likely take years to become a lower cost, more efficient way to share information and data between open and private business networks.

Based on a distributed, peer-to-peer (P2P) topology, blockchain or distributed ledger technology (DLT) allows data to be stored globally on thousands of servers – while letting anyone on the network see everyone else's entries in real-time. That makes it difficult for one user to gain control of, or game, the network.

To read this article in full, please click here

Lucas Mearian
Checked
10 seconds ago
Computer World Security
Subscribe to Computer World Security feed

About SecurityFeeds

SecurityFeeds Logo

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.