Latest Security News
Microsoft has ceded a major asset of its Edge browser to rival Google by releasing an add-on that boosts Chrome's phishing detection skills.
The Redmond, Wash. company had little choice, according to one analyst. "Phishing is a huge problem, and people are going to use the browser they use," said Michael Cherry of Directions on Microsoft. "They're doing this to protect the Windows ecosystem."[ Related: How to replace Edge as the default browser in Windows 10 — and why you should ]
Dubbed "Windows Defender Browser Protection" (WDBP) the free extension can be added to Chrome on Windows or macOS, and after a post-launch fix, Chrome OS as well. Like the defenses built into Edge, the add-on relies on Microsoft's SmartScreen technology that warns users of potentially malicious websites that may try to download malware to the machine or of sites linked in email messages that lead to known phishing URLs.
States and the federal government are increasing their scrutiny of cryptocurrencies in an attempt to bring more transparency to a market where buyers and sellers are anonymous and regulatory oversight is light.
Cryptocurrencies such as Bitcoin, Ether, LiteCoin, and Ripple skyrocketed in value last year as investors sought to get in on what many see as the future of global currency – one that for trade and commerce knows no borders. Bitcoin generated massive hype among investors as its value surged more than 1,900% to nearly $20,000 last year, before tumbling back down below $11,000.
Yesterday, I talked about the weird bug that makes April’s Win7 Monthly Rollup, KB 4093118, re-install itself over and over, even when Windows Update says that it’s been installed successfully. Windows sleuth abbodi86 has discovered the source of the problem, and it should give you patching pause.
To understand how we got into this mess, you need to understand the bugs that Microsoft introduced in the March Win7 patches and their kludgey patches. Installing either the March Monthly Rollup (KB 4088875) or the March Security-only patch (KB 4088878) may knock your machine off the network. As Microsoft says:
You might not know it from all the panic-inducing headlines out there, but Android is actually packed with powerful and practical security features. Some are activated by default and protecting you whether you realize it or not, while others are more out of the way but equally deserving of your attention.
So stop wasting your time worrying about the Android malware monster du jour and which security company is using it to scare you into an unnecessary subscription, and take a moment instead to look through these far more impactful Android security settings — starting with the core elements and moving from there into some more advanced and easily overlooked options.
Last week, Microsoft quietly re-released its buggy April Win7 Monthly Rollup patch, KB 4093118. You may recall the patch as a reaction to the Carnak the Magnificent situation we had with the original version of KB 4093118.
With the re-release earlier this week of the original Carnak patch, KB 4099950, it’s not clear to me what the recommended installation sequence might be. But this much I know for sure. People all over the internet are complaining that this new version of KB 4093118 installs itself over and over again.
With police departments and federal agencies lining up to buy technology from two companies whose products can bypass iPhone security mechanisms, experts said users concerned about privacy should use a strong passcode to help prevent unwanted access to data.
That's also true for enterprise users with iPhones that access potentially sensitive coporate data.[ Further reading: What is Face ID? Apple’s facial recognition tech explained ]
Simply put, complex passcodes are always better for security, according to Phil Hochmuth, IDC's program director for enterprise mobility. Common best practices for creating a hard-to-crack passcode includes using both upper- and lower-case characters, numbers and uncommon words.
Windows Hello is a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition. The sign-in mechanism is essentially an alternative to passwords and is widely considered to be a more user friendly, secure and reliable method to access critical devices, services and data than traditional logins using passwords.
“Windows Hello solves a few problems: security and inconvenience,” said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. “Traditional passwords are unsafe as they are hard to remember, and therefore people either choose easy-to-guess passwords or write down their passwords.”
Yesterday, the third Tuesday of the month, Microsoft dumped another big bucket of patches:
- KB 4093117 brings Win10 1703 up to build 15063.1058, many miscellaneous fixes, no known issues.
- KB 4093120 brings Win10 1607 to build 14393.2214, a similarly large bunch of fixes, no known issues.
- KB 4093113 is the regular Monthly Rollup Preview for Win7.
- KB 4093121 is the similar Monthly Rollup Preview for Win 8.1.
- The Update Catalog says there’s a new version of KB 4099950, the abandoned patch for fixing the NIC/static IP bug in Win7.
There are lots of oddities in this motley collection.
Android security sure can seem like a scary subject.
And it's no wonder: Every few weeks, we see some new hair-raising headline about how our phones are almost certain to be possessed by demons that'll steal our data, eat our ice cream, and pinch our tenders when we least expect it.
This week, it's a series of Android malware monsters known as "ViperRat" and "Desert Scorpion" that has phone-holders everywhere trembling in their bootsies. (Kudos to whoever came up with those spooky-sounding names, by the way. It's an art!) Last week, it was word that Android device-makers might be skipping security updates that had our hands a-shakin'.
With so much focus on staying productive, it may surprise you to realize just how many things you can do with a locked iPhone. What can you do and how can you switch these features off?Wake it up
The Raise to Wake feature available since iPhone 6S/SE means your iPhone can tell when you pick it up and will wake the display up automatically so you need not do so. Left on by default, you can disable this feature in Settings>Display & Brightness where you toggle Raise to Wake to off.Make a call, send a message, and more
You can call people from a locked iPhone. Just ask Siri to call a person in your contact book. You can also send Messages using the locked device. Just ask Siri to send a Message and name someone in the device’s Contacts book. To stop this, set Allow Siri When Locked to off in Settings>Siri & Search.
Flashback to the days when this pilot fish is managing an email system for several corporate clients, and he needs to pick good passwords from the get-go -- because these users will never bother changing them.
"I wrote a program to generate accounts and to create a password," says fish. "The system consisted of a dictionary of about 100 three-letter words, and a separate dictionary of four-letter words where I had tried to remove the bad words. Then there was a list of special symbols, and then the digits 0 through 9.
"The system chose one element from each list, and put them in a random order. It then printed the information out. I folded the piece of paper and placed it in an envelope and mailed it -- never actually looking at it.
A Windows Ink engineer has confirmed that there’s a bug in the third Win10 1709 March Cumulative Update, KB 4089848, that breaks common pen movements in Photoshop, Lightroom and CS Paint. Looks as if the same problem bedevils this month’s 1709 Cumulative Update, KB 4093112, as well. Microsoft, it seems, decided to break pen behavior in Win10 1709 without any notification or explanation.
Early this month, DavideV, on the Microsoft Answers forum, posted a rather strange observation:
Law enforcement interest in iPhone encryption-cracking hardware from two new companies is a strong indication that Apple no longer claims the mobile security high ground.
"What this means, if it's true, is that people who thought all of their communications were totally secure shouldn't feel so confident going forward," said Jack Gold, principal analyst with J. Gold Associates. "But, then security has always been a tug of war between the ones implementing it and the ones trying to break it."
In February, reports surfaced that an Israel-based technology vendor, Cellebrite, had discovered a way to unlock encrypted iPhones running iOS 11 and were marketing the product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security had been testing the technology.
Apple is updating its products and services to bring them in line with the EU’s forthcoming privacy protection rules (GDPR). Among other improvements, customers will be able to download all the information Apple keeps about them.What is GDPR?
Europe is about to introduce General Data Protection Regulations, (GDPR). These rules are designed to bring existing data protection laws into the 21stCentury, they allow individuals the right to see what information companies hold about them, oblige business to handle data more responsibly, and put a new set of fines and regulations in place. Almost any entity that handles personal data will be impacted by the rules, which you can read here. These changes may be taking place in Europe, but there is expectation most big tech firms will apply similar protections outside Europe, which will give more effective protection to most people – which is a good thing.
With all of the problems in the January, February and March patches for Windows and Office, you’d think we would catch a break in April. In one sense we did — some of the worst bugs in the earlier patches now seem to be behind us. But we’re definitely not out of the woods just yet.
Most of us expected Microsoft to drop its latest and greatest version of the last version of Windows yesterday. The highly anticipated version 1803, Redstone 4 — which many of us have been testing for weeks — looked ready to go … until it wasn’t.
Rumors are flying but, as of this writing, the actual cause for the delay isn’t public.
Microsoft, of course, has never committed to a release date. Or a build number. Or even a hokey “Spring after Fall Creators Update” style name, for that matter. (I’m still plugging for “Terry Myerson Swansong version” but doubt it’ll gain traction.)
The company this pilot fish works for is acquired by a larger outfit, and everyone gets a new login based on just the employee's family name -- which in fish's case is Root.
"That should have been a non-issue with any other name," says fish. "But when the administrators created my account, they apparently didn't think about the fact that root is the superuser account in our Unix systems.
"Following the instructions provided in an email, I logged in and changed the password on my 'root' account. The next time I logged in, the password didn't work. I called the help desk for the new company and they reset my password -- and it worked until I logged off and tried to log back in.
March Windows patches were a mess. With the revelation of Total Meltdown, we recently discovered that all of this year’s Win7 patches left gaping security holes. It’s fair to say that the initial Patch Tuesday patches for almost every version of Windows, for every month this year, have had confirmed bugs. Every one.
If you want to help test this month’s Windows and Office patches, hey, I salute you! Most folks, though, would be well advised to turn off Automatic Update and wait for the initial wave of devastation to pass.