Skip to main content
Please wait...

Verizon: Companies will sacrifice mobile security for profitability, convenience

1 month ago

Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid “cumbersome” security processes, according to Verizon’s third annual Mobile Security Index 2020.

It showed that 43% of organizations sacrificed security. More typical reasons for companies exposing themselves to risk, such as lack of budget and IT expertise, trailed “way behind” things such as expediency (62%), convenience (52%) and  profitability targets (46%). Lack of budget and IT expertise were only cited by 27% and 26% of respondents, respectively.

To read this article in full, please click here

Lucas Mearian

Memory-Lane Monday: The cruelest password

1 month ago

After a network manager unexpectedly tightens up the rules for passwords and forces the expiration of all user passwords on the main application system, calls flood into the help desk, reports a pilot fish on the scene. They’re having trouble because of the new complexity rules.

One of the calls:

User: I can’t seem to change my password.

Help desk tech: Your new password needs to contain letters, numbers and punctuation. Do not use any words such as you’d find in a dictionary.

User: OK. (Pause.) No, it still won’t let me change it.

Tech: What is the password you are trying to use?

User: April.

Tech: “April” is a word.

To read this article in full, please click here

Sharky

How and why you need HomeKit-secured smart homes

1 month ago

Once upon a time, the Internet was amazing, enabling niche interests and connecting people. Apple’s iMac was the epitome of the era, while the iPhone became the prophet of change.

Now, the home is the next connected frontier, and one that should be as secure – as much as possible – as the office. That's especially true given recent trends toward more remote work from home, where corporate data can be endangered by weak security.

What is HomeKit-secured and why should you use it?

These days hackers break into home networks using our routers and smart home devices, which is why everyone must learn how to use HomeKit-secured routers to keep their connected homes safe.

To read this article in full, please click here

Jonny Evans

Firefox starts switching on DNS-over-HTTPS to encrypt lookups, stymie tracking

1 month ago

Mozilla has started to turn on DNS-over-HTTPS, or DoH, as part of its overall strategy of stressing user privacy.

"We know that unencrypted DNS is not only vulnerable to spying but is being exploited," wrote Selena Deckelmann, Mozilla's new vice president of desktop Firefox, in a Feb. 25 post to a company blog. "We are helping...to make the shift to more secure alternatives [and] do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit."

To read this article in full, please click here

Gregg Keizer

Microsoft Patch Alert: February 2020 patches bring fire and ice but seem to have settled – finally.

1 month ago

The real stinker this month, KB 4524244, rolled out the automatic update chute for four full days until Microsoft yanked it – leaving a trail of wounded PCs, primarily HP machines, in its wake. The other big-time bug in this month’s patches, a race condition in the KB 4532693 Win10 version 1903 and 1909 cumulative update installer, hasn’t been officially acknowledged by Microsoft outside of a blog post. But at least it’s well known and understood.

Folks running SQL Server and Exchange Server networks need to get patched right away.

Win10 UEFI update KB 4524244 blockages

Patch Tuesday brought KB 4524244 for Windows 10 owners, a bizarre single-purpose patch apparently directed at one specific UEFI bootloader. I talked about it last week.

To read this article in full, please click here

Woody Leonhard

10 steps to smarter Google account security

1 month ago

There are important accounts to secure, and then there are important accounts to secure. Your Google account falls into that second category, maybe even with a couple of asterisks and some neon orange highlighting added in for good measure.

I mean, really: When you stop and think about how much stuff is associated with that single sign-in — your email, your documents, your photos, your files, your search history, maybe even your contacts, text messages, and location history, if you use Android — saying it's a "sensitive account" seems like an understatement. Whether you're using Google for business, personal purposes, or some combination of the two, you want to do everything you possibly can to keep all of that information locked down and completely under your control.

To read this article in full, please click here

JR Raphael

Top secret

1 month 1 week ago

It’s back when 5-inch floppy disks roamed the Earth, and a customer service tech sends a software update to a customer known to be a bit more than a little computer-challenged, says a pilot fish in the know. This involves physically mailing a stack of disks to the customer, along with a note saying to call the tech when she’s ready to install the update.

When the call comes, the tech is prepared to walk her through the installation step by step. After getting the computer booted up and verifying that the user has located disk No. 1, the tech says, “Insert the floppy disk into the disk drive, with the label facing up.”

Customer: “Done.”

Tech: “Type ‘A,’ and press the Enter key.”

To read this article in full, please click here

Sharky

Why every user needs a smart speaker security policy

1 month 1 week ago

Does your voice assistant wake up randomly when you are engaged in normal conversation, listening to radio, or watching TV? You’re not alone, and this could have serious implications in enterprise security policy.

All things being equal (they’re not)

“Anyone who has used voice assistants knows that they accidentally wake up and record when the 'wake word' isn't spoken - for example, 'seriously' sounds like the wake word 'Siri' and often causes Apple's Siri-enabled devices to start listening," the Smart Speakers research study says.

To read this article in full, please click here

Jonny Evans

Apple joins industry effort to eliminate passwords

1 month 1 week ago

In a somewhat unusual move for Apple, the company has joined the Fast IDentity Online (FIDO) Alliance, an authentication standards group dedicated to replacing passwords with another, faster and more secure method for logging into online services and apps.

Apple is among the last tech bigwigs to join FIDO, whose members now include Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. The group also boasts more than a dozen financial service firms such as American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.

“Apple is not usually up front in joining new organizations and often waits to see if they gain enough traction before joining in. This is fairly atypical for them,” said Jack Gold, president and principal analyst at J. Gold Associates. "Apple is often trying to present [its] own proposed industry standards for wide adoption, but is generally not an early adopter of true multi-vendor industry standards.

To read this article in full, please click here

Lucas Mearian

The mess behind Microsoft’s yanked UEFI patch KB 4524244

1 month 1 week ago

Remember the warning about watching how sausage is made? This is an electronic sausage-making story with lots of dirty little bits.

First, the chronology. On February’s Patch Tuesday, Microsoft released a bizarre standalone security patch, KB 4524244, which was then called “Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: Feb. 11, 2020.” The name has changed, but bear with me.

The original problems with KB 4524244

That patch had all sorts of weird hallmarks as I discussed at the time:

To read this article in full, please click here

Woody Leonhard

Complying with CCPA: Answers to common questions

1 month 2 weeks ago
Enforcement of the California Consumer Privacy Act begins this summer, but lawsuits are already being filed. To help you comply and avoid being sued, CSO contributor Maria Korolov joins IDG TECH(talk) host Juliet Beauchamp to discuss critical components of the CCPA and answer viewers’ questions.

Dump Windows 7 already! Jeez!

1 month 2 weeks ago

Why am I still writing about Windows 7? It’s dead, Jim! The tombstone reads, “June 22, 2009 – January 14, 2020.” It was a good run, but unless you’re shelling out some serious coin for Windows 7 Extended Security Updates (ESU), you shouldn’t be running Windows 7.

But many of you are. According to the best survey of who’s running what, the U.S. government’s Digital Analytics Program (DAP), on Feb. 14, weeks after Win7’s end of life, just over one in 20 of Windows users was still using Windows 7! Oh, come on! More than 5%! A dead and buried OS! Get with the program!

To read this article in full, please click here

Steven J. Vaughan-Nichols

Mobile security: Worse than you thought

1 month 2 weeks ago

Many security professionals have long held that the words "mobile security" are an oxymoron. True or not, with today's mobile usage soaring in enterprises, that viewpoint may become irrelevant. It's a reasonable estimate that 2020 knowledge workers use mobile devices to either supplement or handle much of their work 98% of the time. Laptops still have a role (OK, if you want to get literal, I suppose a laptop can be considered mobile), but that's only because of their larger screens and keyboards. I'd give mobile players maybe three more years before that becomes moot.

That means that security on mobile needs to become a top priority. To date, that usually has been addressed with enterprise-grade mobile VPNs, antivirus and more secure communication methods (such as Signal). But in the latest Verizon Data Breach Investigations Report — always a worthwhile read — Verizon eloquently argues that aside from wireless, the form factor of mobile in and of itself poses security risks.

To read this article in full, please click here

Evan Schuman

How blockchain could help block fake news

1 month 2 weeks ago

In 2018, a video of former President Barrack Obama surfaced on YouTube explaining how easily technology could be used to manipulate video and create fake news. It got more than 7.2 million views.

In the video, Obama explains how we live in dangerous times when “enemies” can make anyone say anything at any point in time. Moments later, it’s revealed that the video was itself faked.

Whether its news articles, images or video, fake and misleading content has proliferated across the internet over the past five or so years. One possible solution to the problem now being proposed would standardize how content is delivered online, with anything outside those standards not trusted.

To read this article in full, please click here

Lucas Mearian

Microsoft springs last-minute demand on buyers of Windows 7 after-expiration support

1 month 2 weeks ago

Microsoft this week threw a wrench into the workings of its long-touted Windows 7 post-retirement support, telling IT administrators that there was a brand new prerequisite that must be installed before they can download the patches they'd already paid for.

The last-minute requirement was titled "Extended Security Updates Licensing Preparation Package" and identified as KB4538483 in Microsoft's numerical format.

The licensing prep package can be downloaded manually from the Microsoft Update Catalog. It should also appear in WSUS (Windows Server Update Services), the patch management platform used by many commercial customers. It will not, however, be automatically delivered through the Windows Update service, which some very small businesses rely on to provide them necessary patches.

To read this article in full, please click here

Gregg Keizer

MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities

1 month 2 weeks ago

Elections officials in numerous states have piloted various mobile voting applications as a method of expanding access to the polls, but MIT researchers say one of the more popular apps has security vulnerabilities that could open it up to tampering by bad actors.

The MIT analysis of the application, called Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”

Additionally, the researchers found that Voatz’s use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.

To read this article in full, please click here

Lucas Mearian
Checked
34 minutes 47 seconds ago
Computer World Security
Subscribe to Computer World Security feed

About SecurityFeeds

SecurityFeeds Logo

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.