Skip to main content
Please wait...

Apple tramples on security in the name of convenience

1 month 3 weeks ago

Apple plans with iOS 14.5 to allow masked enterprise employees to access their iPhones if they are also wearing an Apple Watch (running WatchOS 7.4), that is unlocked. Heads up: This is a quintessential convenience vs. security trade-off from Apple, and if you don't insist that workers refrain from using the feature, corporate security will suffer.

In short, it will be make it much easier for corporate spies and cyberthieves to snag your company's intellectual property, which is being created, stored, and shipped within smartphones today at a far greater rate than 2019 — aka the pre-COVID-19 times.

[ Related: When work-from-home means the boss is watching ]

Apple has refused to let this convenience do anything other than opening the phone (which is bad enough). And it will not allow the feature to bypass facial ID authentication for the AppleCard, ApplePay or any third-party app (such as banks and investment firms) that have embraced Face ID. That tells you pretty much all you need to know about how much of a security corner-cutter this move is.

To read this article in full, please click here

Evan Schuman

The .NET patch failure that wasn’t

1 month 3 weeks ago

When we started this month of patching, I fully expected to come back by now with massive listings of applications that hated the February updates. That hasn't been the case, though there have been some issues related to .NET this month. 

In case you're wondering, .NET is a framework used by developers to build applications. It makes for standard coding techniques and “managed code” and can make an app more secure. Developers primarily use Visual studio to develop software that we all use on our Windows systems.

To read this article in full, please click here

Susan Bradley

Apple publishes in-depth M1, Mac, and iOS security guide

1 month 3 weeks ago

Apple has published its annual Apple Platform Security Guide, which includes updated details concerning the security of all its platforms, including the new M1 and A14 chips inside Apple Silicon Macs and current iPhones, respectively.

The first look inside M1 Mac security

The extensive 196-page report explains how Apple continues to develop its core security models along the premise of mutually distrusting security domains. The idea here is that each element in the security chain is independent, gathers little user information, and is built with a zero-trust model that helps boost security resilience.

To read this article in full, please click here

Jonny Evans

For February, a 'bumpy' Patch Tuesday ride

2 months ago

One week out from Patch Tuesday and it’s been a bumpy release for the month, especially for older versions of Windows 10 and Server 2016. (Less affected: the consumer versions of Windows 10 2004 and 20H2.)

Windows Server 2016/1607 suffered the worst of the issues: the original version of the Servicing Stack update KB4601392 caused patching to get “stuck.” Server patchers had to jump through a ton of hoops to get the monthly security update installed. Microsoft pulled the bad update and replaced it with KB5001078. If you were unlucky and installed KB4601392 before it was pulled, Microsoft has this  guidance to manually reset Windows updates components.

To read this article in full, please click here

Susan Bradley

What's not to love with this month’s Patch Tuesday?

2 months ago

With only 53 updates in the February Patch Tuesday collection released this week — and no updates for Microsoft browsers — you'd be forgiven for thinking we had another easy month (after a light December and January). Despite lower-than-average numbers for updates and patches, four vulnerabilities have been publicly disclosed and we are seeing a growing number of reports of exploits in the wild.

In short: this is a big, important update that will require immediate attention and a rapid response to testing and deployment.

For example, Microsoft has just released an out-of-band update to fix a Wi-Fi issue that is leading to Blue Screens of Death (BSODs). Somebody is going to run into trouble unless this gets fixed fast. We have included a helpful infographic that this month looks a little lopsided (again), as all of the attention should be on the Windows components

To read this article in full, please click here

Greg Lambert

Can Apple Watch boost your endpoint security?

2 months ago

Enterprises seeking tools with which to improve endpoint security for the new remote working business environment may want to spend a little time considering the Apple Watch.

Access all areas

My argument is simple: Apple’s growing place in the enterprise means its complementary ecosystems can help support your business. As deal follows deal, the number of iPhones in use across the sector is growing fast, which means millions of workers already have access to the watch.

To read this article in full, please click here

Jonny Evans

Apple wants Safari in iOS to be your private browser

2 months ago

Apple seems focused on building Safari to become the world’s leading privacy-focused web browser, continuing development of under-the-hood enhancements to protect private lives.

Better privacy by proxy

Beginning with (currently in beta) iOS 14.5, Apple is improving privacy by changing how Safari accesses Google’s Safe Browsing service. The latter warns users when they visit a fraudulent website. (Apple uses the service to drive the "Fraudulent Website Warning" in Settings>Safari on iOS or iPadOS devices.)

The Safe Browsing service works by identifying potentially compromised sites from Google’s web index. If it suspects a site is compromised, virtual machines are despatched to see whether the site attempts to compromise them.

To read this article in full, please click here

Jonny Evans

Ahead of Patch Tuesday, a cautionary tale

2 months 1 week ago

Microsoft has officially deemed Windows 10 version 2004 as “ready for business,” but I’d argue it still needs a bit more help to be fully ready for consumers. With this month’s Patch Tuesday upon us, here’s an example of what I mean. It involves mysterious NAS issues, some sleuthing, and a workaround — all of which show how troublesome updates can be sometimes.

This case involves one AskWoody subscriber who told me recently that each time he upgraded to Windows 10 2004 the installation would break his computer. Like any good geek who refuses to let technology get the best of me, I emailed him back and asked for more information about what was getting broken when he upgraded. Turns out, he would lose access to mapped drives on his NAS (network attached storage) devices. Though he tried to remap the drives, they would fail, forcing him to roll back to  Windows 10 1909 — where everything would work.

To read this article in full, please click here

Susan Bradley

Jamf, TRUCE bring Apple to the deskless enterprise

2 months 2 weeks ago

A new partnership between Jamf and TRUCE Software will deliver significant benefits to Apple-based enterprises with remote, deskless workforces in such industries as manufacturing or construction.

The remote remote workers

The idea sems pretty solid. Think how a move to adopt Apple kit and management solutions such as Jamf has enabled remote working to flourish during the pandemic.

To read this article in full, please click here

Jonny Evans

Is it time to install Microsoft’s January updates? (Yes.)

2 months 2 weeks ago

Some people can’t wait for a new version of Windows 10. They sign up for insider editions and eagerly watch for the next release.

I’m exactly the opposite of that.

I wait and make sure the version of Windows 10 that I’m using is fully compatible with my applications and I have time to deal with any side effects. My philosophy with security updates is the same; I don’t install them right away. (Though I do install them every month without fail.) If you haven’t yet installed the January updates, do so as soon as possible.

The major update that I warned about last month was KB4535680, which was offered up to Windows Server 2012 x64-bit; Windows Server 2012 R2 x64-bit; Windows 8.1 x64-bit; Windows Server 2016 x64-bit; Windows Server 2019 x64-bit; Windows 10, version 1607 x64-bit; Windows 10; version 1803 x64-bit; Windows 10, version 1809 x64-bit; and Windows 10, version 1909 x64-bit systems.

To read this article in full, please click here

Susan Bradley

When cryptographers looked at iOS and Android security, they weren’t happy

2 months 2 weeks ago

For years, the US government begged Apple executives to create a backdoor for law enforcement. Apple publicly resisted, arguing that any such move for law enforcement would quickly become a backdoor for cyberthieves and cyberterrorists.

Good security protects us all, the argument went.

More recently, though, the feds have stopped asking for a workaround to get through Apple security. Why? It turns out that they were able to break through on their own. iOS security, along with Android security, is simply not as strong as Apple and Google suggested.

To read this article in full, please click here

Evan Schuman

Online privacy: Best browsers, settings, and tips

2 months 2 weeks ago

“You have zero privacy anyway. Get over it,” Scott McNealy said of online privacy back in 1999, a view the former CEO of the now-defunct Sun Microsystems reiterated in 2015. Despite the hue and cry his initial remarks caused, he’s been proven largely correct.

Other ways to protect yourself on the web: GDPR, CCPA, and AdChoices

To read this article in full, please click here

(Insider Story)
Galen Gruman

Microsoft releases Application Guard for Office to M365 customers

2 months 2 weeks ago

Microsoft this week released Application Guard for Office, a defensive technology that quarantines untrusted Office documents so attack code embedded in malicious files can't reach the operating system or its applications.

The announcement of Application Guard's general availability came five months after Microsoft kicked off a public preview of the technology. At that time, Microsoft's roadmap indicated a December 2020 debut for Application Guard for Office.

"When you've enabled Application Guard and a user opens a file from a potentially unsafe location, Office opens the file in Application Guard; a secured, Hyper-V-enabled container isolated from the rest of a user's data through hardware-based virtualization," Emil Karafezov, senior program manager, said in a Jan. 27 post to a company blog.

To read this article in full, please click here

Gregg Keizer

Decoding Microsoft Defender’s hidden settings

2 months 3 weeks ago

Ask someone what antivirus software they use and you’ll probably get a near-religious argument about which one they have installed. Antivirus choices are often about what we trust — or don’t — on our operating system. I’ve seen some Windows users indicate they would rather have a third-party vendor watch over and protect their systems. Others, like me, view antivirus software as less important these days; it matters more that your antivirus vendor can handle windows updating properly and won’t cause issues.

Still others rely on Microsoft Defender. It's been around in one form or another since Windows XP.

To read this article in full, please click here

Susan Bradley

The work-from-home employee’s bill of rights

2 months 3 weeks ago

Remote work became the new normal quickly as COVID-19 pandemic lockdowns came into force in spring 2020, and it’s clear that after the pandemic recedes, remote work will remain the norm for many employees — as much as half the deskbound “white collar” workforce, various research firms estimate. As a result of the sudden lockdowns, many employees had to create makeshift workspaces, buy or repurpose personal equipment, and figure out how to use new software and services to be able to keep doing their jobs.

Navigating the WFH world

Users and IT departments alike made Herculean efforts to adapt quickly and ensure business continuity, and the result was an improvement in productivity despite the pandemic. But now the pandemic has become a longer-term phenomenon, and remote work will become more commonplace, even desirable as a way to save on office expenses and commute time, even after the pandemic subsides.

To read this article in full, please click here

Galen Gruman

For Microsoft’s January patches, no all-clear (yet)

2 months 4 weeks ago

I’m not ready to give an all-clear to the security patches released Jan. 12, and I want to warn you about one specific update that is affecting HyperV servers and some consumer level workstations.  

KB4535680, also known as Security update for Secure Boot DBX: January 12, 2021, makes improvements to Secure Boot DBX for a number of supported Windows versions. These include Windows Server 2012 x64-bit; Windows Server 2012 R2 x64-bit; Windows 8.1 x64-bit; Windows Server 2016 x64-bit; Windows Server 2019 x64-bit; Windows 10, version 1607 x64-bit; Windows 10; version 1803 x64-bit; Windows 10, version 1809 x64-bit; and Windows 10, version 1909 x64-bit. Key changes affect “Windows devices that [have] Unified Extensible Firmware Interface (UEFI) based firmware that can run with Secure Boot enabled.” The Secure Boot Forbidden Signature Database (DBX) prevents malicious UEFI modules from loading; this update adds additional modules to block malicious attackers who could successfully exploit the vulnerability, bypass secure boot, and load untrusted software.

To read this article in full, please click here

Susan Bradley

Easing into the new year with a modest January Patch Tuesday

3 months ago

Microsoft rolled into 2021 with a fairly benign update cycle for Windows and Microsoft Office systems, delivering 83 updates for January.

Yes, there is an update to Windows defender (CVE-2021-1647) that has been reported as exploited. Yes, there has been a publicly disclosed issue (CVE-2021-1648) in the Windows printing subsystem. But there are no Zero-days and no “Patch Now” recommendations for this month. There are, however, a large number of feature and functionality groups “touched” by these updates; we recommend a comprehensive test of printing and key graphics areas before general Windows update deployment.

To read this article in full, please click here

Greg Lambert

Apple makes welcome change to 'Big Sur' security for Macs

3 months ago

When Apple shipped macOS Big Sur in November, researchers quickly spotted a strange anomaly in the system’s security protection that could have left Macs insecure. Apple now seems to be dealing with this problem, introducing a fix in the latest public beta release.

What was wrong?

For some strange reason, Big Sur introduced a controversial and potentially insecure change that meant Apple’s own apps could still access the internet even when a user blocked all access from that Mac using a firewall. This wasn’t in tune with Apple’s traditional security stance. What made this worse is that when those apps (and there were 56 in all) did access the ‘Net, user and network traffic monitoring applications were unable to monitor this use.

To read this article in full, please click here

Jonny Evans
Checked
42 minutes 11 seconds ago
Computer World Security
Subscribe to Computer World Security feed

About SecurityFeeds

SecurityFeeds Logo

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.