Latest Security News
West Virginia this fall will let members of the military and their families deployed overseas vote by smartphone or tablet using a blockchain-based app developed by a Salt Lake City start-up, Voatz.
The voters using the app would otherwise have to submit paper absentee ballots via mail or vote over a land line telephone.
The move means the state will become the first in the U.S. to use blockchain in a voting system in a general election.
After being elected in January 2017, West Virginia Secretary of State Mac Warner tasked IT staff to investigate mobile voting options for 8,000 West Virginian military members overseas. Warner, a retired U.S. Army officer with four children who are also all current or former Army officers, cited his own inability to vote when deployed in Afghanistan as one reason for his efforts.
’Softie Rodney Viana has posted details and a workaround for the “System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized” bug.
Apparently, installing last Tuesday’s KB 4457916 Security Only updates for .Net Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 for Windows 8.1 and Server 2012 R2 causes a hard stop with any SharePoint Workflows. (Workflows are set up by an admin to handle the flow of documents through a series of steps.)
This pilot fish is paying his monthly bills online when he discovers one of his utilities has changed the payment part of its website -- a lot.
"I clicked on the 'Payment' button, and saw that I now had the option of paying with or without logging in," says fish.
"OK, the no-login option could be handy, but I've been paying this bill online for years, so I clicked on the login option. It asked me for my user name and eight-digit PIN. What PIN? I have a long, secure password. I tried that. It didn't work."
And after several unsuccessful attempts, fish tries the no-login version -- which just takes him to the same screen asking his PIN.
This pilot fish and his wife are planning a long-overdue vacation to an all-inclusive resort -- one of those places where you don't have to worry about things like meals or tipping.
"I log onto the resort's website in order to make some reservations ahead of our arrival," fish says, "and am presented with the standard registration page."
He enters his information on the page, which also asks "for security reasons" that he set up a password.
It's not until after he has clicked "OK" that fish looks at the icon in his web browser and realizes the page isn't encrypted. He does a quick browse of the source code for the page, and finds that there's no SSL anywhere securing the data he's just typed in.
August 2018 was a relatively innocuous patching month, although the final resolution to the August problems didn’t appear until late Friday night just as the month was coming to a close — on a three-day weekend in the US.
We’ve seen the same pattern repeat itself almost every month since the beginning of the year: The first round of Microsoft security patches (notably including Win10 patches) introduces bugs, while subsequent rounds of patches each month squash most of them. If we’re lucky.
Reports claiming numerous apps distributed through Apple’s App Store are secretly exfiltrating user data should be an alarm call to enterprise CIOs. It signals a new battlefront in the eternal enterprise security wars.
The enterprise risk of personal data
On the surface, the data being extracted is kind of… personal: Location, browser histories, information like this provides additional insight into what individual users are up to. Why should that concern an enterprise?
That’s a rhetorical question, of course. Most enterprise security professionals recognize that any form of data exfiltration poses an overall challenge.
IT contractor has a project to upgrade some software for a client -- and the project is way behind schedule, says a pilot fish on the client side.
And why is that such a problem? "The existing product goes End-of-Life soon, at which time it will no longer be an approved product for us," fish explains.
"The contractor's people come in and pitch their schedule to upper management. In the briefing, they bring up the fact that the new product is not even approved to be on our highly secured network, and they have not even started on getting it approved.
"Essentially, if they have to get it approved, they can never get it deployed on time.
New regulations go into effect requiring more physical and electronic security at this health insurance company, so the company hires a chief security officer to oversee the efforts, says a pilot fish there.
"I was involved in the original security implementation on most of the systems and offered to help, but the new CSO refused our input," fish says. "He put keycard access on the computer room and UPS room and confiscated any physical keys he could find.
"When asked what would happen if the keycard system went down, he responded that 'mechanisms are in place,'" fish recalls.
Soon, only three people have physical keys: the CSO, chief financial officer and facilities manager.
With the arrival of “Fourth Week” patches on the last working day of August, and having had a few days to vet them, it looks as if we’re ready to release the cracklin’ Kraken.
The steaming pile of Windows Intel microcode patches
Microsoft continues to unleash microcode patches for Meltdown and Spectre (versions 1, 2, 3, 3a, 4, n for n >=4). You won’t get stung by any of them, unless you specifically go looking for trouble.
Mozilla this week said that its Firefox browser will soon start to automatically block some ad tracking technologies that the company claimed impact page load performance and shadow users wherever they go.
"In the near future, Firefox will — by default — protect users by blocking tracking," wrote Nick Nguyen, Mozilla's top Firefox executive, in an August 30 post to a company blog.
Mozilla added what it dubbed "Tracking Protection" to Firefox 57, a.k.a. "Quantum," last fall. Since then, the feature has remained opt-in, meaning people must manually enable it from the browser's Preferences display if they want to use it. When switched on, Tracking Protection blocks a wide range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users from one website to another. Such trackers are the reason why an ad for underwear from a specific vendor seemingly pops up wherever one goes after one has browsed the underwear selection at the seller's website.
Apple recently told the U.S. Congress that it sees customer privacy as a “human right”, though the explanation didn’t at that time extend to how third-party developers treat data they get from iOS apps. Now it does.
Privacy for the rest of us
Time for the final August patching shoe to drop.
Late last night Microsoft released a flurry of patches, posting them on the Microsoft Update Catalog. Some are available through Windows Update, some aren't.
As of early Friday morning, the Win10 patches are not available through WSUS, the update server service. It’s not clear if that’s a mistake, a hesitation — or if somebody just went home last night and forgot.
Let’s hear it for patching predictability. And transparency.
Flashback to the early 2000s, when this non-IT pilot fish works in a building where the level of computer literacy is hovering near absolute zero.
"I was the only person in my department who had any computer skills at all," fish grumbles.
"One day we all got an email notice from management about a virus that was going around, spread by email. We were warned about clicking links and opening pages and all the other standard warnings."
Fish suspects that most people in the department will just delete the warning, since they don't use their computers for anything but the bare minimum required by company business -- and they barely understand even that.
Saint Louis University (SLU) has rolled out 2,300 Alexa-powered Echo Dot virtual assistants to all of its student living spaces to provide answers to university-related queries about events, speakers on campus and more.
The university also plans to extend use of the artificial intelligence assistant into classrooms and meeting rooms in future and aims to use the technology to support workplace productivity for its faculty staff, according to CIO, David Hakanson.
Students arriving at SLU this month can access a custom skill that answers questions relating to university services, such as “When does the library open?” or “Where is the registrar’s office?”