Latest Security News
Apple confirmed today it will close a security hole that has allowed law enforcement officials, working with forensic companies, to break into iPhones to retrieve data related to criminal investigations.
In the upcoming release of iOS 12, Apple will change default settings on iPhones to shutter access to the USB port when the phone has not been unlocked for one hour. In its beta release of iOS 11.3, Apple introduced the feature – known as USB Restricted Mode – but cut it from iOS 11.3 before that version was released publicly.
Here in the land o' Android, wrapping your noggin around the subject of software updates isn't always easy to do.
We've got regular OS updates, sure — and info on the various phone-makers' performance in that domain is readily available, if you (a) know where to find it and (b) are even aware that you should be looking for such data in the first place. But still, that's only one piece of the puzzle.
Mobile tech, and especially mobile brought into companies through BYOD, has unique challenges for companies that need to comply with General Data Protection Regulations (GDPR) — and that’s virtually all companies, not just the ones in Europe. The regulations compel companies to manage personal data and protect privacy, and they give individuals a say in what data about them is used and how.
GDPR has several disclosure and control requirements, such as providing notice of any personally identifiable data collection, notifying of any data breaches, obtaining consent of any person for whom data is being collected, recording what and how data is being used, and providing a right for people whose data is being collected to see, modify, and/or delete any information about them from corporate systems.
Using an iPad or iPhone to mine bitcoin or other cryptocurrencies would be hard to do, as the CPU power available to complete the task would be a drop in the bucket compared to what's needed.
But using a portion of the CPU power from thousands of iPads or iPhones to mine cryptocurrency makes more sense – and that's exactly what some malware has been doing.
Apple is now moving to stop the practice.
In May, we saw a host of bugs introduced by the Patch Tuesday “security” patches. By the end of the month, patches for those patches killed almost all of the bugs – even the inability of Win10 version 1803 to run on certain kinds of solid-state drives, including the one in some Surface Pros.
We also saw Microsoft push Win10 version 1803 onto machines that were specifically set to avoid it. I haven’t seen any official response to Microsoft’s inquiry into the reports, but we now have a sighting of a Win7 machine being pushed onto Win10, in spite of its settings.
Apple at its Worldwide Developers Conference this week released an API that allows developers and researchers to create applications that connect to Health Records, a feature released with iOS 11.3 that allows patients to port their electronic health info to mobile devices and share data between care providers.
While the move promises to streamline the sharing of healthcare data, it also could open the door to that highly sensitive data falling into the wrong hands.
At least the really bad bugs, introduced by “security” patches earlier this month, have been fixed. The problems that remain reside in the dregs — not likely to bite, but worth knowing about in case something suddenly goes bump in the night.
And if you’re using Win10 1803, you should definitely ask Microsoft for an increase in combat-duty pay.
The ongoing Win7/Server 2008 R2 patching threat
Remember when Win7 was relatively stable? OK, OK; “stable” is a relative term that’s unlikely to apply to any version of Windows, but you know what I mean. Win7 and Server 2008 R2 have gone through months of problems with networking in general, and apoplectic network interface cards in particular.
If you did you’ll have been disappointed.
Apple hasn’t disclosed details concerning the security content of the new software. It hasn’t revealed anything concerning USB Restricted Mode, which apparently makes it harder for people to hack into your device.
Along with key HomePod improvements, Apple also introduced Messages in iCloud with iOS 11.4. It’s a useful feature designed to store your Messages and attachments in iCloud, but enterprise users should think twice before enabling it.
Security is everything
I’m not saying iCloud is not secure – so long as you use a six-or-more-digit passcode or (better, but more awkward) an alphanumeric passcode, it’s highly secure. I’m reasonably confident a strong password, Apple’s own systems and its insistence you use two-factor authentication are enough for most of us.
Once more we have a monthly Windows/Office patch scorecard that needs a guidebook. Or two. And we just got a handful of buried warnings about problems in old patches, plus a brand new way to fry your network interface card.
Thus continues the tradition of two cumulative updates per month for all of the supported Windows 10 versions – that’s eight cumulative updates in total – in addition to bobs and weaves and a very long list of acknowledged bugs introduced by recent security patches in Windows 7.
Conflicts with Remote Desktop
The strange behavior of the CredSSP update – where the Patch Tuesday fixes for all versions of Windows seemed to break Remote Desktop Protocol with a strange error message: “This could be due to CredSSP encryption oracle remediation” – has been resolved.
Apple will open up fresh opportunities for developers as it extends Near Field Communications (NFC) support in iOS to more uses.
NFC: Apple’s story so far
Core NFC let developers build apps that read NFC tags, but only for things like visitor attractions and museum exhibitions.
Amazon has confirmed a report that one of its Echo devices recorded a family's conversation and then messaged it to a random person on the family's contact list, who is an employee of a family member.
But Amazon, in a statement emailed to Computerworld, confirmed every privacy advocate's worst nightmare with its explanation: “Echo woke up due to a word in background conversation sounding like 'Alexa.' Then, the subsequent conversation was heard as a 'send message' request. At which point, Alexa said out loud 'To whom?' At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, '[contact name], right?' Alexa then interpreted background conversation as 'right.' As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
Looks as if we have a solution for the Avast-related blue screens in Win10 1803 upgrades that I talked about earlier this week. Avast heavyweight Ondrej Vlcek chose his words carefully but threw lots of shade at Microsoft for the upgrade installer’s bug.
Posting on the Avast forum, Vlcek says:
Google last week spelled out the schedule it will use to reverse years of advice from security experts when browsing the Web - to "look for the padlock." Starting in July, the search giant will mark insecure URLs in its market-dominant Chrome, not those that already are secure. Google's goal? Pressure all website owners to adopt digital certificates and encrypt the traffic of all their pages.
The decision to tag HTTP sites - those not locked down with a certificate and which don't encrypt server-to-browser and browser-to-server communications - rather than label the safer HTTPS websites, didn't come out of nowhere. Google has been promising as much since 2014.
Google has further fleshed out plans to upend the historical approach browsers have taken to warn users of insecure websites, spelling out more gradual steps the company will take with Chrome this year.
Starting in September, Google will stop marking plain-vanilla HTTP sites - those not secured with a digital certificate, and which don't encrypt traffic between browser and site servers - as secure in Chrome's address bar. The following month, Chrome will tag HTTP pages with a red "Not Secure" marker when users enter any kind of data.
Eventually, Google will have Chrome label every HTTP website as, in its words, "affirmatively non-secure." By doing so, Chrome will have completed a 180-degree turn from browsers' original signage - marking secure HTTPS sites, usually with a padlock icon of some shade, to indicate encryption and a digital certificate - to labeling only those pages that are insecure.