This month, Microsoft Patch Land looks like a stranger Stranger Things Upside Down, where Security-only patches carry loads of telemetry, Visual Studio patches appear for the wrong versions... and we still can’t figure out how to keep the Win10 1903 upgrade demogorgon from swallowing established drivers.
As we end the month, we’ve seen the second “optional” monthly cumulative updates for all Win10 versions — the 1903 patch was released, pulled, then re-released — and fixes for Visual Studio’s transgressions. There’s a kludge for getting the Win10 1903 upgrade to work. And BlueKeep still looms like a gorging Mind Flayer.
Win7 Security-only patch brings telemetry
Those of you who have been dodging Windows 7 telemetry by using the monthly Security-only patches — a process I described as “Group B” three years ago — have reached the end of the road. The July 2019 Win7 “Security-only” patch, KB4507456, includes a full array of telemetry/snooping, uh, enhancements.
News that Siri records snippets of our conversations with the voice assistant isn’t new, but the claim that those short recordings are listened to by human agents is — particularly in light of the company’s big push on privacy.
These are bad optics for Apple
I’m a passionate believer in the importance of privacy.
It isn’t only important in terms of preserving hard-won liberties and protecting public discourse; it’s also of growing importance across every part of human existence — for every school, medical facility, or enterprise. History shows that the absence of privacy has a corrosive effect on society, turning family members against each other and dampening innovation.
It's tough to talk about Android security without venturing into sensational terrain.
A large part of that is due to the simple fact that the forces driving most Android security coverage are companies that make their money by selling Android security software — and thus companies with strong interests in pushing the narrative that every Android phone is on the perpetual brink of grave, unfathomable danger. Plus, let's face it: A headline about 70 gazillion Android phones being vulnerable to the MegaMonsterSkullCrusher Virus is far more enticing than one explaining the nuanced realities of Android security.
In actuality, though, Android security is a complex beast — one with multiple layers in place to protect you and one that almost never warrants an alarmist attitude. I've been covering Android security closely since the platform's earliest days, and I've busted more myths and called out more shameless publicity stunts than I can even count at this point.
Mozilla has issued multiple after-action reports analyzing the major mix-up in May that crippled most Firefox add-ons. The reports also made recommendations for preventing similar incidents in the future.
The fiasco started just after 8 p.m. ET on Friday, May 3, when a certificate used to digitally sign Firefox extensions expired. Because Mozilla had neglected to renew the certificate, Firefox assumed add-ons could not be trusted - that they were potentially malicious - and disabled any already installed. Add-ons could not be added to the browser for the same reason.
Hoping to raise awareness about blockchain vulnerabilities, cybersecurity firm Kudelski Security next week plans to launch the industry’s first "purposefully vulnerable" blockchain – and will demo it at next month's Black Hat conference.
Kudelski Security’s FumbleChain project is aimed at highlighting vulnerabilities in blockchain ecosystems, according to Nathan Hamiel, head of cybersecurity research at Kudelski.
The flawed blockchain ledger is written in Python 3.0, making it easy for anyone to read and modify its source code, and it's modular – allowing users to hack and add new challenges to promote continuous learning.
I haven't looked at today's tech news too closely just yet, but I have a sneaking suspicion some evil-sounding virtual gremlin or other is probably on the brink of invading my smartphone, stealing my secrets, and setting me up for a lifetime of dread and despair.
He might even be covertly eating all the salty snacks from my kitchen this very second. ALL THE SALTY SNACKS, DAMN IT!
I don't have to scan the headlines too closely to know there's a decent chance of all of this happening — because all of this happens practically every other week here in the Android world. A solid few to several times a month, it seems, some hilariously named and made-to-seem-scary new piece of malware (ViperRat! Desert Scorpion! Ooga-Booga-Meanie-Monster!) is making its way onto our phones and into our lives. Or so we're told, rather convincingly and repeatedly. (All right, so I may have made Ooga-Booga-Meanie-Monster up just now, but c'mon: It's probably only a matter of time 'til we see something using that name.)
Utah County is the latest government entity to pilot a mobile voting application based on blockchain to allow military absentee voters and their family members living overseas to vote in an upcoming municipal primary election.
The county, which has more than a half million residents, is the third in the U.S. to partner with Tusk Philanthropies on a national effort to expand mobile voting. The pilot is a collaboration between the Utah County Elections Division, Tusk Philanthropies, the National Cybersecurity Center and Boston-based voting app developer Voatz.
Everyone in the enterprise loves the web browser when it’s delivering news, email, documentation, and sales leads. With the shift to web apps, it’s arguably the most important installed software on any corporate desktop. But the internet is filled with people who aren’t nice — sometimes even dangerous — and the same browser can also bring viruses, rootkits, and worse. Even if the browser sits on a little-used desktop in a dusty corner with no access to sensitive information, an attacker can use the seemingly unimportant machine as a stepping stone.
Keeping your users’ browsers secure is essential. The browser companies work hard to block the attackers by sealing the back doors, side doors, and cracks in between, but that isn’t always enough. Some useful features have dark sides, and enterprises can increase security dramatically by shutting down or tightly limiting access to these options.
Mozilla plans to bake its Lockwise password manager into Firefox 70, the upgrade now set to launch Oct. 22.
At the same time, the browser will also be more tightly integrated with Firefox Monitor, which will provide warnings to users when their saved passwords have been revealed by a data hack.
According to Firefox bug reports and project documentation, Lockwise will automatically record username-and-password pairs, generate complex passwords on demand, identify victimized accounts and instruct users to change any passwords that have leaked.
Slack has overhauled its desktop software, adding offline access and tweaking the software for faster load times.
Recent efforts to improve the desktop app were highlighted at Slack Frontiers last year and the coming update – which the company says will launch 33% faster than before – will be available to users “over the next few weeks.”
Calls made to teammates via the app should be speedier too, up to 10 times quicker, Slack said. “That could mean the difference between showing up to a meeting on time or not,” the company said in a blog post Monday. “These moments saved can quickly add up, giving you more time to focus on the tasks at hand.”
Like liberty for all, privacy demands vigilance, and that’s why Apple users who care about those things are moving to DuckDuckGo for search.
Why use DuckDuckGo?
Privacy is under attack.
It doesn’t take much effort to prove this truth. At time of writing, recent news is full of creeping privacy erosion:
And then there’s Duck Duck Go.
If you travel frequently and use an iPhone or iPad, then you simply must familiarize yourself with these two tips – they’ll make it much easier to secure your device and its contents when you are on the move.
In praise of Face ID
I’ve become very used to using Face ID. It’s seamless.
On the iPhone, I like that I can pay for groceries with a look and find it much easier to use in the dark than the Home button.
My iPad experience is similar, but I do get annoyed sometimes that I must raise the tablet slightly to get the face angle right – this isn’t always as intuitive as I would like.
All the same, given Apple’s claim that there is a 1 in 50,000 chance that someone else's fingerprint will unlock your iPhone and a 1 in 1,000,000 chance that it will be unlocked by another person’s face, I’ll always opt for the highly secure choice.
This government agency has cashiers’ stations for handling transactions with the public, and the treasurer’s office decides it needs new software to run those stations, according to a pilot fish in IT.
And there’s going to be one sign-on and password for all the stations, brag the higher-ups.
Bad idea, protest all the IT programmers and system administrators. For one thing, having a single user sign-on to the system will prevent tracking who is completing each transaction. They cite security, accountability and separation of duties, but their protests fall on deaf ears.
The vendor rep shows up one day, and he and the treasurer do a presentation for an audience that includes IT managers. The two sound excited, and a touch proud, when they tell everyone that the cashiers will sign on with the user ID “Cash.” They don’t share the top-secret password, though; that’s just for the cashiers to know.
Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat app that could allow hackers to take control of a user’s webcam.
The vulnerability was discovered by security researcher Jonathan Leitschuh, who published information about it in a blog post Monday. The flaw potentially affected 750,000 companies and approximately 4 million individuals using Zoom, Leitschuh said.
Zoom said it’s seen “no indication” any users were affected. But concerns about the flaw and how it works raised questions about whether other similar apps could be equally vulnerable.
Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry. Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.