Computer World Security
Programmer pilot fish goes online to a message board for a development system that’s used for one of his company’s applications.
But he gets a message that the site is blocked. He can either forget about it, click a link to continue, or click a link to see the company’s access policy.
He clicks to continue, gets what he needs, and then, just out of curiosity, he clicks to see the access policy to get an idea of why this site is being blocked.
But instead of seeing the access policy, fish sees this message: Content blocked. Click here to access our internet resource policy.
Sputters baffled fish, “It actually blocked the policy!”
The WebKit project - the open-source initiative that generates code for Apple's Safari browser - quietly announced last week that it would follow in Mozilla's footsteps and quash tracking technologies designed to follow users across the web.
In a short message on Aug. 14, the WebKit team pointed to its new Tracking Prevention Policy, a document that spells out its plans in detail, including what types of tracking it will create and how it will deal with any side effects.[ Related: Get serious about privacy with the Epic, Brave and Tor browsers ]
"We have implemented or intend to implement technical protections in WebKit to prevent all tracking practices included in this policy," the document read. "If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques."
No doubt you recall the warning back in February that Windows 7, Server 2008 and Server 2008 R2 patches starting in July would use the SHA-2 encryption protocol. If you want to install Win7 patches issued after July, you have to get the SHA-2 translator installed.[ Related: Windows 7 to Windows 10 migration guide ]
A few days ago, Microsoft tossed a zinger into the FAQs down at the bottom of its SHA-2 post, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. That post now says that you have to install a seemingly unrelated patch, KB 3133977, entitled, BitLocker can't encrypt drives because of service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2.
August is going to be a perilous patching month.
We’re tracking down credible reports of the Server 2012 R2 Monthly rollup breaking RDP logins, a conflict between the Win10 1903 cumulative update and last month’s version of Outlook 365, confusion about Win7 patches being branded as “IA64 only,” dealing with the lack of telemetry (!) in the August Win7 Security Only patch, much mayhem trying to install SHA-2 signed patches (including the Win7 Monthly Rollup) on systems using Symantec Endpoint Protection, even more confusion over the difference between Symantec Endpoint Protection and Norton Security Suite, and lots of the usual installation failures and rollbacks.
Alternative search engines such as DuckDuckGo are attracting growing numbers of privacy focused users, but there’s no doubt that Google dominates the industry, even on Apple products. Fortunately, there are several ways to make your Google activity more private.Do you have a Google account? (You probably do)
Do you use Gmail? Did you one use Google +? Perhaps you employ Google Drive, Google Docs or any of the company’s other products. If so, you have a Google account.
Google and Mozilla have decided to eliminate visual signals in their Chrome and Firefox desktop browsers of special digital certificates meant to assure users that they landed at a legitimate site, not a malicious copycat.
The certificates, dubbed "Extended Validation" (EV) certificates, were a subset of the usual certificates used to encrypt browser-to-server-and-back communications. Unlike run-of-the-mill certificates, EVs can be issued only by a select group of certificate authorities (CAs); to acquire one, a company must go through a complicated process that validates its legal identity as the site owner. They're also more expensive.[ Further reading: 10 must-have Safari extensions ]
The idea behind EVs was to give web users confidence that they were at their intended destination, that the site computerworld.com, for instance, was owned by its legal proprietor, IDG, and not a fishy - and phishy - URL run by It's Crooks All the Way Down LLC and chockablock with malware. Browsers quickly took to the concept, rewarding EV-secured sites with in-your-face visual cues, notably the verified legal identity in front of the domain in the address bar. The identity was often shaded in green as an additional tip-off. (Chrome dismissed the green in September 2018 as of Chrome 69.)
Public tests of blockchain-based mobile voting are growing.
Even as there's been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through "wholesale fraud" or "manipulation tactics."
The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.
Apple has announced a new iPhone for 2020, but it will only be made available to a select group of security researchers – along with huge bounties to anyone informing the company of a new OS vulnerability.Probably the world’s most exclusive iPhone
Let's get one thing out of the way right off the bat: If you're looking for recommendations about Android security suites or other malware-scanning software, you've come to the wrong place.
Why? Because, like most people who closely study Android, I don't recommend using those types of apps at all. Android malware isn't the massive real-world threat it's frequently made out to be, and Google Play Protect and other native Android features are more than enough to keep most devices safe.
I’m told Apple is at last looking into the privacy and security of free VPN apps made available across its platforms, following a report from researcher, Simon Migliano.Who owns your VPN service?
The researcher has flagged up several concerns that really should be recognized by anyone choosing a VPN service from both the Apple and Google App Stores:
- Ownership: Migliano claims that almost 60 percent of the most popular VPN apps are actually owned (sometimes opaquely) by Chinese companies.
- Data protection: Migliano claims Apple is not enforcing its third-party data-sharing ban against VPN apps, with 80 percent of the top free VPN apps “in breach of the rules”, he said. Many are sharing data with third parties, he claims.
That last allegation is particularly concerning.
One of the problems with enterprise mobile BYOD efforts is that corporate apps — and lots of corporate data, including sensitive intellectual property — must coexist on the same device with whatever employees choose to download on the personal side. That's far from ideal, but even worse is if employees choose to download a second antivirus program. Unlike doubling up on most apps (two VPNs, two word processors, two email programs, etc.), antivirus programs often conflict and fight each other, generating false positives and other bad results.
Unlike two deadbolts on a door, doubling up on security not only doesn't work with antivirus, it can actually sharply weaken security. This all assumes that both antivirus programs are professional, effective and well-intentioned. But that's often not the case. There are quite a few free antivirus programs out there, and they are disproportionately the ones employees opt to download. After all, if the company has already installed a high-level antivirus on the phone, why would an employee pay to install a second? But a free antivirus program is much more tempting.
Microsoft has quietly relaxed a rule that prevented privacy-first organizations from managing the Windows Update for Business (WUfB) service using group policies.
With Windows 10 1903, aka "Windows 10 May 2019 Update," which debuted in late May, organizations no longer are required to set the "diagnostic data level" for their devices to "Basic" or higher.[ Related: Windows 10 May 2019 Update: Key enterprise features ]
That diagnostic data level is a multi-step categorization of what Microsoft pulls from Windows devices and sends to its own servers. Also dubbed "telemetry," the data harvesting is used by Microsoft for a range of tasks, notably deciding when a specific PC receives a feature upgrade.
Slack today unveiled new security capabilities for Enterprise Grid customers, including tighter controls for admins who oversee mobile device access.
Enterprise Grid was launched in 2017 for Slack’s biggest customers, with additional features to support large-scale deployments. Among the 150 organizations now using Enterprise Grid are Capital One, IBM and Target.
There are countless hackers and threats looming on the internet, so IT departments are in high demand for cybersecurity professionals to pinpoint threats before they strike. Luckily, there’s no better way to fight fire than with fire; ethical hackers study hacking techniques so that IT infrastructures will be better prepared for attacks. If you’re interested in becoming a hacker (legally, of course), then this $39 bundle is right for you.
With one glaring exception, July was a rather benign patching month. The Win10 versions got their usual two cumulative updates (the second considered “optional”). Visual Studio had some hiccups, but they’re fixed now.
Apple has once again proved that it listens to valid criticism with the immediate global suspension of the Siri listening program that attracted so much controversy.When it comes to privacy, Siri listens
At issue was quality control.
A small number of conversational snippets were shared with third party human contractors for quality control purposes.