New Windows 7 'security-only' update installs telemetry/snooping, uh, feature

1 month 1 week ago

Back in October 2016, Microsoft divided the Win7 and 8.1 patching worlds into two parts.

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes – and we frankly don’t know what else – rolled out in a cumulative stream.

The folks who were willing to download and manually install patches were also given the option of installing “security-only” patches, not cumulative; these were meant to address just the security holes.

Woody Leonhard

Microsoft delivers Defender ATP security service to Macs

1 month 1 week ago

Microsoft on Monday made good on a March pledge by announcing that its most sophisticated endpoint security service is now available for Macs.

Microsoft Defender ATP (Advanced Threat Protection) for Mac shifted to what the company calls "general availability" on June 28, wrote Helen Allas, a principal program manager on the enterprise security team, in a July 8 post to a company blog. Core components of Defender ATP, including the latest - "Threat & Vulnerability Management," which made it to general availability a week ago - now serve Macs.

Gregg Keizer

How Apple is improving iCloud this year

1 month 1 week ago

Apple quite evidently plans many interesting improvements in its iCloud service this year. So, what’s going on?

What we know so far about Apple's iCloud plans

Apple at WWDC made several announcements that will be reliant on iCloud – these include obvious things like new services and support for new functions, and less evident topics around sync, data, and artificial intelligence (AI).

Most recently, the company began beta-testing Touch ID and Face ID access to iCloud.com online, meaning that if you happen to be using an Apple device (Mac, iPad, iPhone), you can access your online iCloud services with the touch of a finger or a quick eye scan.

Jonny Evans

The top 8 problems with blockchain

1 month 2 weeks ago

While blockchain holds tremendous potential for creating new financial, supply chain and digital identity systems, it's often erroneously seen as a panacea for business problems.

The myriad of pilots and proofs of concept by large corporations and government agencies are showing real promise, but those projects don't always lead to obvious business cases that justify doing something differently. Sometimes a tried and true technology like a relational database can perform the task much more efficiently than a distributed ledger based on peer-to-peer technology that will require complex governance and rules.

Lucas Mearian

Throwback Thursday: Spoilsport

1 month 2 weeks ago

This IT security pilot fish knows something about audits — and knows what he expects of auditors.

“I have more than 15 years of audit experience in IT,” fish says. “I have written and implemented policy and procedure, and developed incident response plans. I spent the better part of last year making sure that the external auditors could not find any inconsistencies in our control standards.”

Then the internal audit director decides to perform an audit of fish’s group — and sends a young auditor who thinks he knows everything IT.

After three weeks of research and testing, young auditor presents his results in a meeting with his boss the audit director and fish.

Sharky

Message to IT: Trusting Apple and Google for mobile app security is career suicide

1 month 3 weeks ago

Ready for the mobile security news that IT doesn't want to hear about but needs to? When security firm Positive Technologies started pen-testing various mobile apps, security holes were rampant.

We'll plunge into the details momentarily, but here's the upshot: "High-risk vulnerabilities were found in 38 percent of mobile applications for iOS and in 43 percent of Android applications" and "most cases are caused by weaknesses in security mechanisms — 74 percent and 57 percent for iOS and Android apps, respectively, and 42 percent for server-side components — because such vulnerabilities creep in during the design stage, fixing them requires significant changes to code."

Evan Schuman

Microsoft Patch Alert: The Windows patching heavens buzz with silver bullets

1 month 3 weeks ago

How many bugs could a WinPatcher patch, if a WinPatcher could patch bugs?

Ends up that June’s one of the buggiest patching months in recent memory – lots of pesky little critters, and the ones acknowledged by Microsoft led to even more patches later in the month.

In June, we saw eight single-purpose Windows patches whose sole mission is to fix bugs introduced in earlier Windows patches. I call them silver bullets – all they do is fix earlier screw-ups. If you install security patches only, these eight have to be installed manually to fix the bugs introduced earlier. It’s a congenital defect in the patching regimen – bugs introduced by security patches get fixed by non-security “optional” patches, while waiting for the next month’s cumulative updates to roll around.

Woody Leonhard

Mozilla takes swipe at Chrome with 'Track THIS' project

1 month 3 weeks ago

Mozilla this week touted Firefox's anti-ad tracking talents by urging users of other browsers to load 100 tabs to trick those trackers into offering goods and services suitable for someone in the 1%, an end-times devotee and other archetypes.

Tagged as "Track THIS," the only-semi-tongue-in-cheek project lets users select from four personas - including "hypebeast," "filthy rich," "doomsday prepper," and "influencer" - for illustrative purposes. Track THIS then opens 100 tabs "to fool trackers into thinking you're someone else."

Gregg Keizer

Microsoft beefs up OneDrive security

1 month 3 weeks ago

Microsoft today announced changes to its OneDrive storage service that will let consumers protect some or even all of their cloud-stored documents with an additional layer of security.

The new feature - dubbed OneDrive Personal Vault - was trumpeted as a special protected partition of OneDrive where users could lock their "most sensitive and important files." They would access that area only after a second step of identity verification, ranging from a fingerprint or face scan to a self-made PIN, a one-time code texted to the user's smartphone or the use of the Microsoft Authenticator mobile app. (The process is often labeled as two-factor security to differentiate it from the username/password that typically secures an account.)

Gregg Keizer

How ‘Find My’ Mac works in macOS Catalina and iOS 13

2 months ago

Apple is changing how its Find My Mac tool works in macOS Catalina and iOS – it will now use Bluetooth and should find your Mac even when it is asleep.

How does ‘Find My’ Mac work?

Apple is combining two apps – Find My Friends and Find My iPhone into a new ‘Find My’ app.

The combined app offers what we are used to from each one of these individual apps, but introduces new tools based on Bluetooth.

The idea is that it will use low energy Bluetooth signals to help bring people together with lost things.

Jonny Evans

Google asks Chrome users for help in spotting deceptive sites

2 months ago

Google this week asked for help in identifying suspicious websites, offering users of its Chrome browser an add-on that lets them rat out URLs.

The Suspicious Site Reporter, which can be added to desktop Chrome, places a new flag-style icon on the top bar of the browser. "By clicking the icon, you're now able to report unsafe sites to Safe Browsing for further evaluation," Emily Schechter, a Chrome product manager, wrote in a Tuesday post to a company blog.

Safe Browsing is the name of the technology used by Google's search engine, Chrome, Mozilla's Firefox, Apple's Safari, and Android to steer users away from sites that host malicious or deceptive content. On the back end, Google uses robots to scan the web and build a list of websites that host malware, harmful downloads or deceptive ads and pages. Software developers can then plug into an API to integrate this list into their own applications, something rival browser makers have done for years.

Gregg Keizer

What the latest iOS passcode hack means for you

2 months ago

A mobile device forensics company now says it can break into any Apple device running iOS 12.3 or below.

Israeli-based Cellebrite made the announcement on an updated webpage and through a tweet where it asserted it can unlock and extract data from all iOS and "high-end Android" devices.

On the webpage describing the capabilities of its Universal Forensic Extraction Device (UFED) Physical Analyzer, Cellebrite said it can "determine locks and perform a full file-system extraction on any iOS device, or a physical extraction or full file system (File-Based Encryption) extraction on many high-end Android devices, to get much more data than what is possible through logical extractions and other conventional means."

Lucas Mearian

How the Huawei ban could become a security threat | TECH(feed)

2 months ago
We’ve already talked about how the Huawei ban may affect business, but how will it affect security? Google has already warned of security threats should the company be unable to send updates to Huawei’s Android-powered devices. And even if Huawei responds with its own OS, will people trust it? In this episode of TECH(feed), Juliet discusses those security implications and what some people think the U.S. should do instead.

Time-Machine Tuesday: Get a room!

2 months ago

This security pilot fish is a big believer in automated systems. And he’s very impressed when his company moves into new offices where the meeting rooms take the manual labor out of scheduling meetings.

“There are room wizards outside every door to assist in scheduling,” fish says. “And there’s full integration with Microsoft Exchange, so that your meeting information is accurate and timely and always shows the proper room.”

One of fish’s most important meetings is a committee meeting every month on the day after Patch Tuesday to consider how to handle that batch of Microsoft updates. It’s been a regular meeting for years, and after the move the new scheduling system seems to handle it fine.

Sharky

WWDC: Has Apple closed the door on non-Mac App Store apps?

2 months ago

Ever since Apple introduced the Mac App Store, developers have warned it plans to close off its platform, so news that the company will insist on App Notarization in macOS Catalina set those critics off again. The thing is, it’s a little more complicated.

What is Apple doing?

Yes, Apple is making it a little more difficult for Mac users to install apps that aren’t sold at the Mac App Store or made available from bona fide developers happy to submit their software for the company’s speedy App notarization service.

Jonny Evans

The case against knee-jerk installation of Windows patches

2 months ago

Heresy. Yes, I know. Any way you slice it, from my point of view anyway, Windows Automatic Update is for chumps.

Just like the “users must be forced to change their passwords frequently” argument that’s no longer au courant, the “users must get patched immediately” argument is based on old, faulty, and totally unsubstantiated claims that make security people feel better — and little else.

With a few notable exceptions, in the real world, the risks of getting clobbered by a bad patch far, far outweigh the risks of getting hit with a just-patched exploit. Many security “experts” huff and puff at that assertion. The poohbahs preach Automatic Update for the unwashed masses, while frequently exempting themselves from the edict.

Woody Leonhard

WWDC: Apple’s iOS 13 NFC improvements are good for business

2 months 1 week ago

Apple will make near field communication (NFC) much more useful in iPhones running iOS 13, and these enhancements will impact the retail, medical, government, and security industries.

What is Apple changing?

Apple already uses NFC to support Apple Pay and the Apple Pay Express Transit system, which is rolling out at this time.

While it has incrementally extended the tasks NFC supports over the years, the company has limited its NFC support to the NDEF standard until now, but it extends this with support for new standards in its Core NFC Framework in iOS 13.

Jonny Evans

Microsoft is better at documenting patch problems, but issues abound

2 months 1 week ago

I don’t know about you, but I’ve given up on Microsoft’s ability to deliver reliable patches. Month after month, we’ve seen big bugs and little bugs pushed and pulled and squished and re-squished. You can see a chronology from the past two years in my patching whack-a-mole columns starting here.

For the past few months, though, we’ve seen some improvement. Microsoft has started identifying and publicly acknowledging big bugs, shortly after they’re pushed. Consider:

Woody Leonhard

Save yourself a headache: Make sure Windows automatic update is off

2 months 1 week ago

Much has changed in the past month. We’ve seen an emergency cry for all Windows XP, Vista, Win7, Server 2003, 2008 and 2008 R2 systems to get patched in order to fend off widely anticipated BlueKeep attacks. We’ve also seen Microsoft officially release Windows 10 version 1903, with unsuspecting “seekers” now the prime targets.

Woody Leonhard
Computer World Security

About SecurityFeeds

Tim Weil is a Security Architect/IT Security Manager with over twenty-five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry. Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.