Computerworld Security
A look at Microsoft's patches and fixes in 2021 — the year of change
Tue, 07 Dec 2021 09:58:00 -0800

As we near the end of another year, I like to look back at the past 12 months in patching from MIcrosoft. What changed (a lot), what didn’t (patch-related problems). We began 2021 thinking Windows 10 would continue to be serviced and updated as usual, for instance. We end the year knowing different. (I’ll have some predictions for 2022 next week.)

We now know that Windows 10 will not receive updates indefinitely. Earlier this year, Microsoft unveiled Windows 11 and announced it would need certain hardware and Trusted Platform Module installed before machines would receive new OS. Given that most users only have hardware that will support Windows 10, many will be running the older OS until 2025. Microsoft already announced it will be providing security updates for Windows 10 until then and will move to an annual feature release model — matching the cadence for Windows 11. (My prediction for 2025: Microsoft will offer extended security patches for even consumer versions of Windows 10 because so many of us will have still usable machines unable to update to Windows 11. Come back in 2025 and we’ll see if I’m right.)

To read this article in full, please click here

Podcast: What Apple's lawsuit against NSO Group means for digital rights
Thu, 02 Dec 2021 11:47:00 -0800

Last week, Apple filed a lawsuit against NSO Group, the technology firm behind the Pegasus spyware. In its lawsuit, Apple seeks to hold NSO Group accountable for alleged surveillance of select iPhone users, as well as ban the firm from using any Apple products. While digital rights activists commend Apple for standing up for privacy rights, they say they want to ensure that the precedent set by the case applies only to bad actors and not organizations in support of user privacy. Computerworld executive editor Ken Mingis and senior reporter Lucas Mearian join Juliet to discuss what the lawsuit means for Apple, those affected by the spyware and digital rights overall.

To read this article in full, please click here

How to use FileVault to protect business data on Macs
Thu, 02 Dec 2021 09:25:00 -0800

If you run a business on Macs (and many companies do) then you should become familiar with FileVault, the disk encryption system that's built into macOS. When used properly, it makes it extremely hard for any malicious person to access your company’s confidential data in the event your Mac is lost or stolen.

What's the problem FileVault tries to solve?

Most businesses possess various forms of sensitive data. This might include corporate  or supplier data, confidential order books, financial records, contact names and addresses, and more. That information has business value, but if compromised could also place you, your employees, or your customers at risk. In many industries, protection of such information is mandatory and legally required.

To read this article in full, please click here

Rise in employee monitoring prompts calls for new rules to protect workers
Tue, 30 Nov 2021 03:01:00 -0800

As remote work rose sharply during the COVID-19 pandemic, many businesses sought ways to keep track of workers no longer in the direct sight of managers. Now, with remote work strategies still in place — and office re-openings being pushed back —, the use of monitoring tools continues to grow.

In fact, the use of new and increasingly powerful technologies to manage and monitor workers has become so common that there are growing calls for regulators in the U.K. and U.S to update rules to protect employees.

“We have seen a significant increase of interest in employee monitoring technology through the pandemic,” said Helen Poitevin, VP analyst at Gartner focusing on human capital management technologies. “This continues as organizations plan for hybrid work environments, with employees working more flexibly from home and at the office.” 

To read this article in full, please click here

How to get more out of Edge (and bolster its security)
Mon, 29 Nov 2021 11:54:00 -0800

I use Edge, the built-in browser in Windows, though I’m very much in the minority. I even think it has the potential to be a better browser than Firefox or Chrome. Case in point: the recent “Super Duper Secure Mode” that has rolled out to the default Edge version after being in beta channels for several weeks. (Let’s call it the “SDSM” setting.)

As noted in a past Edge blog post, SDSM provides additional security features that allows you to disable just-in-time Javascript and then enable Controlflow-Enforcement Technology (CET) instead. Just-in-time Javascript has been used in many zero-day browser attacks in the past — thus, blocking it will help protect our systems and platforms going forward. In my testing so far, I have not seen any side effects running Edge in this mode, even when doing online shopping or banking.

To read this article in full, please click here

Apple’s NSO lawsuit targets illegal spying by oppressive regimes
Fri, 26 Nov 2021 03:00:00 -0800

Apple says its lawsuit against NSO Group this week is an attempt to hold the surveillance firm "accountable for ... the surveillance and targeting of Apple users." And it spared no ire in accusing the Israeli spyware company of its selling surveillance software to authoritarian governments — regardless of whether those governments use it to target dissidents, journalists, and activists.

NSO Group was already facing legal problems after messenger platform provider WhatsApp filed suit in 2019 for similar reasons. Earlier this month, the US Ninth Circuit Court of Appeals rejected the spyware company’s claim that it should be protected under sovereign immunity laws. In the high-profile case, WhatsApp alleged NSO’s spyware was used to hack 1,400 users of the messaging app.

To read this article in full, please click here

Apple pulls no punches in lawsuit against 'amoral' NSO Group
Wed, 24 Nov 2021 06:51:00 -0800

Apple has punched back against the “amoral” surveillance as a service industry of smartphone snoopers, filing suit against the NSO Group and its owner, Q Cyber Technologies, and taking steps to further secure digital lives.

Why this should matter to your business

Israeli firm NSO Group is a spyware firm that provides surveillance services to governments. It effectively privatizes state-sponsored snooping and enables even the most repressive government to outsource such tasks. It has been widely reported that software from NSO Group was used to target family members of murdered Saudi journalist Jamal Khashoggi.

To read this article in full, please click here

Ransomware is a threat, even for the smallest of businesses
Tue, 23 Nov 2021 04:00:00 -0800

If I’ve heard it once, I’ve heard it a million times: “My business is too small for a cyber crook to bother with me.” Oh, my friend you are so, so wrong. No company is too big or too small for a ransomware dealer to come knocking at your virtual door.

A recent report from Webroot, The Hidden Costs of Ransomware, found the vast majority—85%—of managed service providers (MSPs) have reported attacks against small and midsized businesses (SMBs). Despite that appallingly high number, just 28% of SMBs consider ransomware a worry.

To read this article in full, please click here

A 20-second tweak for smarter, simpler Android security
Wed, 17 Nov 2021 06:18:00 -0800

Security is important. That much is obvious, right?

And despite all the over-the-top, hilariously sensational headlines suggesting the contrary, the most realistic security threats on Android aren't from the big, bad malware monster lurking in the shadows and waiting to steal your darkest secrets whilst drinking all of your cocoa.

Nope — the biggest risk to your security on Android is (drumroll, please...) you. The likelihood that you'll at some point provide personal information to an ill-intending person or fail to properly secure an account in some way is without a doubt the most realistic threat to your virtual wellbeing. Malware? Meh. That's rarely scary in anything more than a theoretical sense.

To read this article in full, please click here

Microsoft releases its Windows 10 November 2021 update
Tue, 16 Nov 2021 13:48:00 -0800

Microsoft today announced the general availability of Windows 10 November 2021, also known as version 21H2, which includes new security, management, and virtualization features.

Microsoft reiterated that Windows 10 will continue to receive support until October 2025 and said the Windows 10 release cadence will join Windows 11 in returning to just one feature update a year from here on out.

The company also posted an online comparison of the features between the latest version of Windows 10 21H2 and Windows 11.

To read this article in full, please click here

Stop looking over my shoulder!
Tue, 16 Nov 2021 04:00:00 -0800

Prospect, a 150,000-member U.K. trade union for technology professionals, recently reported that nearly one in three U.K. workers is now being monitored by their employer both at the job site and in their own homes. This is not acceptable. And it never has been.

As Prospect General Secretary Mike Clancy said, “We are used to the idea of employers checking up on workers, but when people are working in their own homes, this assumes a whole new dimension. New technology allows employers to have a constant window into their employees’ homes, and the use of the technology is largely unregulated by the government. We think that we need to upgrade the law to protect the privacy of workers and set reasonable limits on the use of this snooping technology, and the public overwhelmingly agrees with us.”

To read this article in full, please click here

Store your corporate card on an iPhone? Uh-oh
Mon, 15 Nov 2021 06:58:00 -0800

Apple and Google (and especially Visa) last week gave us yet another example of how security and convenience are often at odds with each other. And it looks like they opted for convenience.

The latest issue speaks to only a subset of iPhone and Android users — specifically, those who use their phones for mass transit payments. If you think of how subways work in a major city (I’ll use New York City as an example), they require extreme speed. Using facial recognition or entering a PIN right before paying to get on the subway would dramatically slow down the line. 

Instead of allowing authentication to happen earlier — say, perhaps within five minutes of a transaction — or by accelerating the process to a split second, Apple, Google, and Visa apparently chose to forego any meaningful authentication. (Note: I am focusing on Visa because the hole still exists for it. MasterCard and others have already patched the flaw.)

To read this article in full, please click here

Updates to Exchange and Microsoft Installer drive Patch Tuesday testing
Fri, 12 Nov 2021 12:04:00 -0800

This is a relatively light Patch Tuesday update from Microsoft, though wo significant vulnerabilities in the Windows platform (CVE-2021-38631 and CVE-2021-41371), both relating to Remote Desktop Protocol handling, have been disclosed and are lending some urgency to applying Windows updates. And we have another technically challenging update to Microsoft Exchange Server to manage as well.

To read this article in full, please click here

No, sideloading is not good for you
Thu, 11 Nov 2021 06:47:00 -0800
What’s past is prologue: When code-signing in Windows 11 goes bad
Mon, 08 Nov 2021 03:00:00 -0800

Once upon a time in technology, many years ago, Microsoft previewed server software to great fanfare at a meeting of IT pros. The company demonstrated how easy it was to use the software, which would automatically install the server, email server, and SharePoint server — all in less than 30 minutes.

There was one problem: every time Microsoft went to demonstrate the server software, it would fail with an unclear error message.

Back then, I would sometimes post and answer questions in a Microsoft newsgroup. Just before Thanksgiving, I started seeing consultants trying to install the software see the same failure. One person in the forum thread figured out the issue: a specific SharePoint dll file used during the installation had a Nov. 23 expiration date. If you installed the server software before that date, you had no issues. If you tried to do it after, the installation would fail. The workaround? Go into the BIOS of the server, set the date back to before Nov. 23, install the software, then set the clock back to the correct time.

To read this article in full, please click here

5 Android 12 features you can bring to any phone today
Fri, 05 Nov 2021 03:00:00 -0700

Google's Android 12 software is packed with interesting treasures — but unless you're using one of Google's own Pixel phones, it's still a ways off from actually landing in your hands.

The tortoise-like pace of most Android updates is another subject for another day (as is the tortoise named Rupert who I'm pretty sure is responsible — that slimy-shelled rascal). Today, I want to explore some creative solutions for bringing a small but significant smidgeon of Android 12's goodness onto any device this minute.

To read this article in full, please click here

How Apple's iCloud Private Relay creates a shadow IT nightmare
Thu, 28 Oct 2021 03:00:00 -0700

One can make the argument that Apple created the phenomenon of shadow IT when it introduced the iPhone and the App Store. Suddenly managers and individual users had the ability to source their own business software and services, bypassing IT departments completely. And they could do so with devices not connected to a corporate network, preventing IT from even realizing shadow IT was happening in their organizations.

To read this article in full, please click here

Acronis gets deeper into the Apple enterprise with Addigy partnership
Fri, 22 Oct 2021 08:48:00 -0700

The burgeoning enterprise Apple space saw thousands of IT admins virtually attend this week’s JNUC event, and the week tails off with news from Addigy and cybersecurity firm Acronis.

Securing the Apple enterprise

Addigy has confirmed that its cloud-based Apple device management tools now integrate with Acronis. This integration means IT can use Addigy to extend Acronis security tools to Mac and iOS systems via Acronis Cyber Protect Cloud. The idea is to bring all this control inside one management tool.

To read this article in full, please click here

Asana takes aim at the enterprise with new workflow features
Wed, 20 Oct 2021 06:05:00 -0700

Asana, a work management platform for teams, today announced the Enterprise Work Graph, a suite of features designed to give greater clarity and flexibility to enterprise workflows. The new capabilities aim to align teams around goals, coordinate workflows across teams and time zones, and provide visibility into where work stands in real time. 

Alongside the new Work Graph data model, Asana is introducing enterprise-grade security and controls to its platform.

To read this article in full, please click here

Just who is Windows 11 for, anyway?
Tue, 19 Oct 2021 05:00:00 -0700

Seriously, who did Microsoft develop Windows 11 for? Only people who like centered taskbars? Only people who don’t mind “unlearning” how to get into task manager?

Maybe not, but I’d argue that Windows 11 wasn’t designed for you and me. Rather, it was designed for the businesses, governments, schools, and other entities that we interact with. It’s built to ensure that sensitive information can be secured.

Baked-in security

For starters, Windows 11 has allowed Microsoft to cut the cord on the 32-bit platform. Windows 11 will be first Windows OS that is 64-bit only. This allows Microsoft to build in more virtualization and containerization security features that cannot be done in the 32-bit platform.

To read this article in full, please click here