Computerworld Security
Chrome vs. Edge vs. Firefox: Which is the best browser for business?
Tue, 19 Jan 2021 03:00:00 -0800

What’s the most important piece of productivity software in the business world? Some might say the office suite. But if you look at the time spent actually using software, the answer may well be the web browser. It’s where people do most of their fact-finding and research.


To read this article in full, please click here

For Microsoft’s January patches, no all-clear (yet)
Mon, 18 Jan 2021 05:11:00 -0800

I’m not ready to give an all-clear to the security patches released Jan. 12, and I want to warn you about one specific update that is affecting HyperV servers and some consumer level workstations.  

KB4535680, also known as Security update for Secure Boot DBX: January 12, 2021, makes improvements to Secure Boot DBX for a number of supported Windows versions. These include Windows Server 2012 x64-bit; Windows Server 2012 R2 x64-bit; Windows 8.1 x64-bit; Windows Server 2016 x64-bit; Windows Server 2019 x64-bit; Windows 10, version 1607 x64-bit; Windows 10; version 1803 x64-bit; Windows 10, version 1809 x64-bit; and Windows 10, version 1909 x64-bit. Key changes affect “Windows devices that [have] Unified Extensible Firmware Interface (UEFI) based firmware that can run with Secure Boot enabled.” The Secure Boot Forbidden Signature Database (DBX) prevents malicious UEFI modules from loading; this update adds additional modules to block malicious attackers who could successfully exploit the vulnerability, bypass secure boot, and load untrusted software.

To read this article in full, please click here

Easing into the new year with a modest January Patch Tuesday
Fri, 15 Jan 2021 12:47:00 -0800

Microsoft rolled into 2021 with a fairly benign update cycle for Windows and Microsoft Office systems, delivering 83 updates for January.

Yes, there is an update to Windows defender (CVE-2021-1647) that has been reported as exploited. Yes, there has been a publicly disclosed issue (CVE-2021-1648) in the Windows printing subsystem. But there are no Zero-days and no “Patch Now” recommendations for this month. There are, however, a large number of feature and functionality groups “touched” by these updates; we recommend a comprehensive test of printing and key graphics areas before general Windows update deployment.

To read this article in full, please click here

Apple makes welcome change to 'Big Sur' security for Macs
Thu, 14 Jan 2021 07:41:00 -0800

When Apple shipped macOS Big Sur in November, researchers quickly spotted a strange anomaly in the system’s security protection that could have left Macs insecure. Apple now seems to be dealing with this problem, introducing a fix in the latest public beta release.

What was wrong?

For some strange reason, Big Sur introduced a controversial and potentially insecure change that meant Apple’s own apps could still access the internet even when a user blocked all access from that Mac using a firewall. This wasn’t in tune with Apple’s traditional security stance. What made this worse is that when those apps (and there were 56 in all) did access the ‘Net, user and network traffic monitoring applications were unable to monitor this use.

To read this article in full, please click here

Apple’s mythical AirTags shimmer slowly to release
Tue, 12 Jan 2021 08:03:00 -0800

Stop me if you’ve heard this before: Apple seems to be closer to actually introducing the near-mythical AirTags, which you’ll no doubt use to track hardware, devices, and the vehicles that make up your transit fleet.

What we think we know

This is a long-running story. We first began to anticipate introduction of these products after WWDC 2019. Later, we thought they might show up even before the iPhone 12, or even as part of the company’s holiday season launches.

To read this article in full, please click here

The first Patch Tuesday of '21; time to delay updates
Mon, 11 Jan 2021 04:30:00 -0800

It’s Patch Tuesday time — that exciting second Tuesday of each month when we turn towards Redmond, WA, hoping for quality updates — and my advice is to not install updates tomorrow. To be fair, the vast majority of Microsoft users should be fine with whatever patches and fixes arrive. But, personally, I push off updates and delay installations on the systems I care about; you should do the same.

With that piece of advice out of the way, I have some suggestions for 2021 for a healthy patching year.

Susan’s first recommendation of ‘21: Use Windows 10 Pro, not Home.

I recommend several things when dealing with updates: First and foremost, make sure you are on Windows 10 professional, not Windows 10 Home. 

To read this article in full, please click here

6 smart steps to get your Android phone in tip-top shape for 2021
Tue, 05 Jan 2021 09:17:00 -0800

Happy New Year! I don't know about you, but I find the start of a fresh voyage around this shiny ol' sun of ours to be a fine time for tidying up, optimizing, and getting good and organized for the months ahead. And while I'd love to pretend I'm the type of person who has one of those disgustingly pristine, clutter-free desks you see on the internet, let me be brutally honest: The physical space around me tends to resemble a half-abandoned hog parlor.

But my Android phone? My Android phone is as orderly as can be, gosh darn it. And if you ask me, that makes far more of a difference than the state of the physical space around me.

Our mobile devices are where we do so much of our actual work and contemplation these days, after all — and yet it's all too easy to overlook the importance of maintaining an optimal arrangement for both productivity and security within 'em. So now, as we gaze ahead at the promise-filled 2021 calendar, join me in taking 10 minutes to get your own trusty Android phone fine-tuned and fully ready for the coming year.

To read this article in full, please click here

SolarWinds, Solorigate, and what it means for Windows updates
Mon, 04 Jan 2021 11:06:00 -0800

Microsoft recently announced that its Windows source code had been viewed by the SolarWinds attackers. (Normally, only key government customers and trusted partners would have this level of access to the “stuff” of which Windows is made.) The attackers were able to read – but not change – the software secret sauce, raising questions and concerns among Microsoft customers. Did it mean, perhaps, that attackers could inject backdoor processes into Microsoft’s updating processes

First, a bit of background on the SolarWinds attack, also called Solorigate: An attacker got into a remote management/monitoring tool company and was able to inject itself into the development process and build a backdoor. When the software was updated through the normal updating processes set up by SolarWinds, the backdoored software was deployed into customer systems — including numerous US government agencies. The attacker was then able to silently spy on several activities across these customers. 

To read this article in full, please click here

The end-of-the-year patching all-clear
Mon, 28 Dec 2020 05:26:00 -0800

It’s that time of the month to give the final 2020 all-clear for installing updates.

Microsoft has already fixed the issue with KB4592438 for Windows 10 20H2 and 2004, where if you were lucky, or rather, unlucky enough to perform a chkdsk c: /f on your system after installing the December updates you might have been forced to rebuild your system — not exactly the greatest holiday present from Microsoft.  As I noted last week, this issue was fixed with a cryptic behind-the-scenes update for those who get their updates from Windows update. 

To read this article in full, please click here

The patching conundrum: When is good enough good enough?
Wed, 23 Dec 2020 03:00:00 -0800

As Günter Born recently reported at Born's Tech and Windows World, KB4592438 has a bug that triggers a blue screen of death when you run the chkdsk c: /f command, leaving the hardware unable to boot. Several others confirmed the issue independently in the various venues and forums. Still others graciously decided to risk their systems and install the update and when they ran the command had zero issues. I tested it myself and also didn’t see a blue screen of death.

To read this article in full, please click here

Android security: Analysis, advice, and next-level knowledge
Mon, 21 Dec 2020 15:32:00 -0800

It's tough to talk about Android security without venturing into sensational terrain.

A large part of that is due to the simple fact that the forces driving most Android security coverage are companies that make their money by selling Android security software — and thus companies with strong interests in pushing the narrative that every Android phone is on the perpetual brink of grave, unfathomable danger. Plus, let's face it: A headline about 70 gazillion Android phones being vulnerable to the MegaMonsterSkullCrusher Virus is far more enticing than one explaining the nuanced realities of Android security.

In actuality, though, Android security is a complex beast — one with multiple layers in place to protect you and one that almost never warrants an alarmist attitude. I've been covering Android security closely since the platform's earliest days, and I've busted more myths and called out more shameless publicity stunts than I can even count at this point.

To read this article in full, please click here

Thoughts on Apple versus Facebook
Thu, 17 Dec 2020 05:21:00 -0800

War against Apple by Facebook has officially begun, with the social media giant spending some of its user data-targeted ad revenue on a series of press ads against the computer company, presumably because using its own platform to spread such claims may fall foul of anti-trust law.

You are the product

Facebook is making the usual hyperbolic arguments around “standing up for small business” and “making sure the internet stays free," though it isn’t entirely clear when Facebook became “the internet," or why we as users aren’t paid for the provision of the personal data on which the social mediam company builds its business.

To read this article in full, please click here

2020: A look back at patching and the pandemic
Wed, 16 Dec 2020 03:17:00 -0800

As we close out this extraordinary year, it’s important to remember the unusual patching experiences this year that affected many businesses and their processes.  

The pandemic effect

Not surprisingly, the pandemic impacted patching in a big way. In April, it forced Microsoft to push off the end of life for two products, Windows 10 1709 and Windows 10 1809 — by six months each. Win 10 1709 wound up with a 36-month support window for Enterprise and Education users and 1809 Home and Pro got an extra six months, to Nov. 10. Clearly, Microsoft could see the impact of the pandemic on enterprise rollout plans and understood that most of us had other things on our minds.

To read this article in full, please click here

Apple's Privacy Nutrition Labels, available now and good for business
Mon, 14 Dec 2020 10:05:00 -0800

Apple today is introducing iOS 14.3, and among a host of improvements the upgrade introduces Privacy Nutrition Labels for apps sold at the App Store. This should be good for developers, enterprises and users.

What are Privacy Nutrition Labels?

Apple announced Privacy Nutrition Labels at WWDC 2020. Under the scheme, developers selling apps on the App Store must explain the privacy practices of each one they sell. That means detailed information concerning what data they collect, why, and what they do with it must be provided to users in the form of what looks like a food nutrition label.

To read this article in full, please click here

Microsoft presents us with a light Patch Tuesday for December
Fri, 11 Dec 2020 10:40:00 -0800

With just 58 updates to deal with this month, the December Patch Tuesday should make for a welcome  light-duty patch-and-test cycle. There were no zero-days or reports of publicly exploited security issues, though there is a critical update to Microsoft Exchange Server that should be a priority. But we saw less pressure on the Windows, browser, and Office updates.

Microsoft has also released two Servicestack Updates (SSUs) for its desktop and server platforms (ADV990001) and an update to the Chromium project (ADV200002).

To read this article in full, please click here

December Patch Tuesday round-up: Winding down for the year
Wed, 09 Dec 2020 10:10:00 -0800

At last, we have the final updates for 2020 from Microsoft. For anyone keeping count, we ended up with 1,250 CVEs (Common Vulnerabilities and Exposures) for the year. That’s almost 50% more than the 800 we had to deal with in 2019. Given the way we get updates delivered in a cumulative fashion, I don’t think of it as about the number of vulnerabilities; I think more about how many times I had to deal with post-release issues in 2020. I’ll recap the year’s major patching issues later this month. For now, I’ll summarize the issues to watch out for in December.

First, a reminder if you’re running Windows 10 1903: This is the last official release for that version. You must be on Windows 10 1909 (or later) to continue to receive security updates. In the past, I have recommended setting the deferral for feature updates for 365 days. Now, I recommend using the targetreleaseversion setting to specify the exact feature release version you want. So if you set the value at 1909, you’ll receive 1909; if you set it at 2004 — even if you are on 1903 — you’ll get offered 2004, not 1909. (For Windows 10 Home users, I continue to recommend you upgrade from Home to Professional to better control updates.) 

To read this article in full, please click here

Windows hackers target COVID-19 vaccine efforts
Wed, 09 Dec 2020 04:00:00 -0800

I’ve written before about how during the coronavirus pandemic, hackers have increasingly exploited Windows vulnerabilities to trick people into downloading malware and ransomware to get fast, easy money.

To read this article in full, please click here

Apple VP Federighi wants competitors to copy Apple's privacy protection
Tue, 08 Dec 2020 03:43:00 -0800

Apple Vice President of Software Engineering, Craig Federighi, discussed his company’s thoughts on ad tracking and more at the European Data Protection and Privacy Conference today. Not surprisingly, he stressed the importance of privacy for Apple — which has made it a centerpiece — in particular and users in general.

Privacy is possible...

It is “absolutely possible to design technology that respects [customer] privacy and protects their personal information,” Federighi said during this speech. "When it comes to privacy protections, we’re very happy to see our competitors copy our work, or develop innovative privacy features of their own that we can learn from."

To read this article in full, please click here

SMS: Texting numeric strings is the best holiday gift to cyberthieves
Mon, 07 Dec 2020 03:00:00 -0800

For years, enterprise IT and security operations have been told they need to advance beyond texting short numeric strings in plain text and calling it meaningful Multi-Factor Authentication (MFA) or even just Two-Factor Authentication (2FA). It is stunning how many enterprises still cling to that entry-level security sham, even knowing how subject it is to man-in-the-middle attacks.

As for the oft-cited defense that, "it's better than having no MFA at all," I am not so sure. It provides false comfort to enterprise users that they have meaningful security. That prevents companies from quickly deploying truly robust security, such as an MFA that uses several authentication layers, including voice-recognition, facial- or finger-ID courtesy of the ubiquitous smartphone and almost any of the mobile encrypted authentication apps. (Don't forget that Signal can work well, too.)

To read this article in full, please click here

It's December patch prep time
Tue, 01 Dec 2020 03:00:00 -0800

It’s the final patching month for 2020 — and what a year it’s been. Two more Windows 10 feature releases, numerous servicing stack updates, the end of Office 2010, the pandemic — this has been a year when technology has driven us slightly crazy, and kept us sane. 

The first Tuesday of the month is the start of my Patching month and serves as a reminder to make sure my machines have all of the mandatory patches installed for November — and I’m ready to pause updates for December. We will not see any optional updates at the end of the month; Microsoft has indicated it will not be releasing the optional preview updates for Windows 10 that they would normally arrive during the third week of December.

To read this article in full, please click here