<h1><a href="http://www.maximumpc.com/taxonomy/term/206/">Security</a></h1>

<h2><a href="http://www.maximumpc.com/effort_transition_chrome_boringssl_underway897">Effort to Transition Chrome to BoringSSL Underway</a></h2>
<h3><img src="http://www.maximumpc.com/files/chrome_1.jpg" alt="Chrome" title="Chrome" width="228" height="228" style="float: right;" /></h3>
<h3>BoringSSL is a fork of OpenSSL</h3>
<p>An effort is currently underway to switch Google Chrome over to <strong>BoringSSL, an OpenSSL fork the search engine giant announced last month</strong>. Weaning the world’s most popular browser off the two cryptographic software libraries it currently uses (OpenSSL on Android and Mozilla NSS on all other platforms) is proving somewhat difficult at this early stage, though.</p>
<p>There have been a number of issues ever since developers first began adding <a href="https://www.imperialviolet.org/2014/06/20/boringssl.html" target="_blank">BoringSSL</a> code to Chromium earlier this month. Just take a look at this recent <a href="https://codereview.chromium.org/401153002" target="_blank">revision note by Google engineer David Benjamin</a>: “This is a reland of r284079 which was reverted in r284248 for components build issues. That, in turn, was a reland of r283813 which was reverted in r283845 because it broke WebRTC tests on Android. That, in turn, was a reland of r283542 which was reverted in r283591 because it broke the WebView build.”</p>
<p>“This [the switch to BoringSSL] is a much larger change than its diff suggests,” Benjamin wrote further.
“If it breaks something, please revert first and ask questions later.”</p>
<p><em>News | Mon, 28 Jul 2014 05:33:49 +0000 | Pulkit Chandna</em></p>

<h2><a href="http://www.maximumpc.com/russia_offering_111000_tor_de-anonymization_know-how111">Russia Offering $111,000 for Tor De-anonymization Know-how</a></h2>
<h3><img src="http://www.maximumpc.com/files/u46168/tor-logo.png" alt="TOR" title="TOR" width="228" height="138" style="float: right;" /></h3>
<h3>Country came close to outlawing anonymizing software last year</h3>
<p>The Russian Ministry of Internal Affairs (MVD) recently <strong>floated a tender inviting bids for help with “obtaining technical information” about users of Tor</strong>, the increasingly popular anonymizing network. Bidding ends on August 13, 2014, and the ministry hopes to announce the winner of the 3.9 million ruble contract ($111,000) a week later, on August 20.</p>
<p>The MVD is but the latest government entity around the world to have shown such keen interest in denying users of this global network of over 5,000 volunteer-hosted relay servers the anonymity they currently enjoy.
Documents leaked by whistleblower Edward Snowden suggest that the National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ), have at times <a href="http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption" target="_blank">been able to target Tor with some degree of success</a>, although it’s believed that they mostly rely on indirect methods of attack, having failed to compromise the Tor network itself.</p>
<p>The <a href="http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-info.html?regNumber=0373100088714000008" target="_blank">tender notice</a>, which was posted on the government’s official procurement portal on July 11, makes it clear that only citizens of the mighty Russian Federation are eligible for the contract.</p>
<p>Interestingly, the FSB, Russia’s premier intelligence agency, tried convincing the country’s lawmakers to outlaw anonymizing software like Tor, but eventually nothing came of the effort.</p>
<p><em>News | Mon, 28 Jul 2014 05:12:54 +0000 | Pulkit Chandna</em></p>

<h2><a href="http://www.maximumpc.com/device_authentication_could_make_passwords_obsolete_2014">Device Authentication Could Make Passwords Obsolete</a></h2>
<h3><img src="/files/u69/keys_keyboard.jpg" alt="Keys on Keyboard" title="Keys on Keyboard" width="228" height="153" style="float: right;" />Perhaps one day you won't need a password to log into your accounts</h3>
<p>Everyone knows you're not supposed to use the same password for multiple websites and services.
If you follow that advice right down to the letter, then you're juggling numerous passwords, depending on how many banking sites, forums, auction portals, and everything else you're signed up for. It's a pain, and perhaps an unnecessary one -- <strong>device-based authentication could render passwords a thing of the past</strong>.</p>
<p>At least that's what Christopher Mims over at <em>The Wall Street Journal</em> believes. In fact, he's so confident about the irrelevance of passwords that he shared the one he set up for his Twitter account. It isn't a dummy account, either, but an active Twitter account that he's been using to post more than 51,000 tweets since 2007. His password is simply "christophermims."</p>
<p>He's willing to give it away because he uses a device-based authentication method that requires not only a password, but also verification on his iPhone.</p>
<p>"If you want to sample the early version of a post-password future, all you have to do is switch on a common security feature of every major Web service. It's available across all the web giants, including every account offered by Google, Yahoo, Microsoft, Facebook, Twitter, and dozens of others, and yet surveys suggest more than half the public hasn't heard of it. It's called two-factor authentication," <a href="http://online.wsj.com/articles/the-password-is-finally-dying-heres-mine-1405298376" target="_blank">Mims explains</a>.</p>
<p>It's not unlike an ATM, in which the first factor is your PIN (or password), and the second is your debit card, a physical thing that you keep in your wallet or purse. Without it, the PIN is useless, and so are passwords without a physical device in a two-factor authentication scheme, Mims argues.</p>
<p>What's your take on all this? Do you think device-based authentication will render standalone passwords obsolete?
Give Mims' article a read and sound off!</p>
<p><em>News | Mon, 14 Jul 2014 16:56:18 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/android_keystore_vulnerability_affects_vast_majority_devices860">Android KeyStore Vulnerability Affects Vast Majority of Devices</a></h2>
<h3><img src="http://www.maximumpc.com/files/u69/android_sick.jpg" alt="Android Keystore Vulnerability" title="Android Keystore Vulnerability" width="228" height="129" style="float: right;" /></h3>
<h3>Over 86 percent of all Android devices remain vulnerable</h3>
<p>The flagrant fragmentation that has come to be associated with Android is once again in focus, with IBM Security researchers shedding light on a <strong>major vulnerability (CVE-2014-3100) affecting the all-important Android KeyStore service</strong>, which is used for <a href="https://developer.android.com/reference/java/security/KeyStore.html" target="_blank">storing cryptographic keys</a> and other sensitive credentials.
Although the vulnerability has been fixed in the latest version of the operating system (Android KitKat 4.4), the problem is that the vast majority of Android users don’t have the latest version.</p>
<p>According to the <a href="http://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/#.U7ECJfmSxOj" target="_blank">security advisory</a> issued by the IBM security researchers, they discovered this Android KeyStore stack buffer overflow over nine months ago and, in keeping with their responsible disclosure policy, quietly reported it to the Android security team. They refrained from going public for so long mainly because of the seriousness of the vulnerability and “Android’s fragmented nature.”</p>
<p>Per the advisory, an attacker can use the vulnerability to execute malicious code under the KeyStore process on devices running Android 4.3 or lower (around 86 percent of all Android devices). Successful exploitation could expose the device’s lock credentials, leak cryptographic keys, and enable unauthorized “crypto operations (e.g., arbitrary data signing).”</p>
<p>However, the advisory notes that exploiting the flaw isn’t exactly a cakewalk, as Android has a number of built-in safeguards against such malicious code execution, including data execution prevention (DEP) and address space layout randomization (ASLR).</p>
<p><em>News | Mon, 30 Jun 2014 07:14:08 +0000 | Pulkit Chandna</em></p>

<h2><a href="http://www.maximumpc.com/kill_switch_iphone_working_microsoft_and_google_follow_suit_2014">Kill Switch in iPhone is Working, Microsoft and Google to Follow Suit</a></h2>
<h3><img src="/files/u69/activate_iphone.jpg" alt="Activate iPhone" title="Activate iPhone" width="228" height="201" style="float: right;" />iPhone thefts are down as a result of kill switch technology in iOS 7</h3>
<p>One of the debates in the mobile phone industry is whether or not so-called kill switches can actually reduce smartphone theft. Well, early indications suggest that they do. <strong>Authorities in New York and San Francisco -- two locations where smartphone theft is a growing epidemic -- say they've seen a drop in iPhone robberies</strong> since Apple implemented its Activation Lock feature in iOS 7.</p>
<p>Looking at data in the six months before and after Apple implemented the feature, police said iPhone theft in San Francisco dropped 38 percent. Those in London -- another place where smartphone theft happens far too often -- fell 24 percent. As for New York, robberies involving Apple products dropped 19 percent, and those involving grand larcenies went down 29 percent in the first five months of 2014 compared with the same time frame in 2013, <a href="http://bits.blogs.nytimes.com/2014/06/19/antitheft-technology-led-to-a-dip-in-iphone-thefts-in-some-cities-police-say/?_php=true&amp;_type=blogs&amp;_r=0" target="_blank"><em>The New York Times</em> reports</a>.</p>
<p>Police have long believed that this type of antitheft technology would discourage crooks from stealing smartphones, and the data up to this point shows they're right. However, kill switch technology might not deserve all the credit. There are other factors at play, such as an increased effort on the part of law enforcement and tech companies to educate consumers on additional security measures to protect their handsets -- things like setting up passcodes.</p>
<p>Regardless of the debate, the industry is moving forward with kill switches.
As it stands, both Google and Microsoft plan to implement antitheft technology in the next version of their respective mobile operating systems. Between the three platforms -- iOS, Android, and Windows Phone -- almost every new device will have a kill switch.</p>
<p><em>News | Thu, 19 Jun 2014 15:20:23 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/f-secure_points_angry_finger_microsoft_wants_windows_xp_die_already_2014">F-Secure Points Angry Finger at Microsoft, Wants Windows XP to Die Already</a></h2>
<h3><img src="/files/u69/f-secure_window.jpg" alt="F-Secure" title="F-Secure" width="228" height="171" style="float: right;" />"[Microsoft] should try and kill this beast!" - F-Secure on Windows XP</h3>
<p>It's not cockroaches that would survive a nuclear war, but Windows XP, the legacy operating system that simply refuses to give up the ghost. Officially, Microsoft ended support for XP back in April, but companies still have the option of paying for continued security updates. Security firm <strong>F-Secure isn't really pleased with Microsoft's handling of XP</strong>, or with the fact that so many businesses and users are still running the OS.</p>
<p>F-Secure's chief security researcher Mikko Hypponen lashed out at Microsoft and Windows XP during a roundtable event at the company's labs in Finland.</p>
<p>"I can't wait for Windows XP to die. I'm glad Microsoft stopped shipping updates. I'm mad at Microsoft for shipping updates after end of support, it should try and kill this beast.
But it's not dead yet," Hypponen said, <a href="http://www.theinquirer.net/inquirer/news/2350525/f-secure-malware-riddled-windows-xp-needs-to-hurry-up-and-die" target="_blank">according to <em>The Inquirer</em></a>.</p>
<p>Hypponen is peeved that around 20 percent of the PC market still runs Windows XP. His issue is with its lack of security compared to newer operating systems.</p>
<p>"We should be getting rid of these old systems," Hypponen said. "Why didn't [businesses] take up to this two years ago? It's surprising how slow governments are and also large companies everywhere. [It's] going to take a while to get rid of this headache and I can't wait."</p>
<p>Hypponen also talked about Android, noting that F-Secure handles 100,000 malware samples every day, many of which target the mobile OS.</p>
<p><em>News | Wed, 18 Jun 2014 16:28:32 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/avg_warns_popular_websites_still_suffering_openssl_security_issue_2014">AVG Warns Popular Websites Still Suffering an OpenSSL Security Issue</a></h2>
<h3><img src="/files/u69/caution.jpg" alt="Caution" title="Caution" width="228" height="152" style="float: right;" />Even after applying a Heartbleed patch, many websites are still vulnerable</h3>
<p><a href="http://www.maximumpc.com/heartbleed_security_flaw_catches_internet_guard_2014" target="_blank">Heartbleed</a> received a ton of media attention, and for good reason -- the security flaw in OpenSSL caught the Internet with its collective pants down, which in turn prompted website owners,
IT workers, and web admins to all go scrambling for a fix. Now that there's a patch available, are we once again safe? Not really, says AVG. <strong>According to the security firm, thousands of popular websites need to update their servers to stay protected from a new vulnerability</strong>.</p>
<p>The new vulnerability, known as CCS Injection, has left potentially tens of thousands of the web's most popular sites open to attack. <a href="http://blogs.avg.com/news-threats/webservers-still-vulnerable/" target="_blank">AVG said</a> it scanned the servers of 45,000 of the world's biggest websites, ranked by their Alexa ratings, and found that around half use OpenSSL. Of the potentially vulnerable sites, 75 percent are still not protected, leaving around 17,000 open to attack.</p>
<p>On the plus side, exploiting the vulnerability takes a complex effort on the attacker's part, AVG says. The attacker must intercept the connection between a client and a server, both of which must be running a vulnerable version, and mount a man-in-the-middle attack. Only then can the attacker decrypt and modify the traffic that flows back and forth.</p>
<p>AVG's warning is a bit self-serving: the company says it has built additional functionality into its <a href="http://www.avg.com/us-en/web-tuneup" target="_blank">Web TuneUp</a> product that will inform users with a banner when they visit a site that could be at risk from CCS Injection.
AVG Web TuneUp (beta) is free for the time being, though it doesn't support Windows 8/8.1.</p>
<p>Image Credit: <a href="https://www.flickr.com/photos/huskyte/7512877940" target="_blank">Flickr (Michael Theis)</a></p>
<p><em>News | Tue, 17 Jun 2014 18:18:45 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/teens_demonstrate_easiest_way_hack_atm_rtfm_2014">Teens Demonstrate Easiest Way to Hack an ATM is to RTFM</a></h2>
<h3><img src="/files/u69/atm.jpg" alt="ATM" title="ATM" width="228" height="171" style="float: right;" />There's no excuse for this kind of lax security</h3>
<p>You don't have to be a seasoned hacker to break into an ATM, nor do you need to play with explosives or take other extreme measures. In some cases, thwarting an ATM's security is as easy as reading the flipping manual. That's what a pair of 9th grade students in Canada did. <strong>Matthew Hewlett and Caleb Turon, both 14 years old, 'hacked' an ATM by looking up the unit's user manual online</strong>.</p>
<p>The ATM in question belongs to the Bank of Montreal. Instructions in the online manual showed how to access that model's operator mode, which the teens did. They then took a shot at guessing the ATM's six-digit password and got it right on the first try.</p>
<p>"We thought it would be fun to try, but we were not expecting it to work," <a href="http://www.winnipegsun.com/2014/06/08/code-crackers--charleswood-teens-hack-into-grant-avenue-atm" target="_blank">Hewlett told the <em>Winnipeg Sun</em></a>.
"When it did, it asked for a password."</p>
<p>The boys then went to one of BMO's branches and told staff how easy it was to get into the ATM. The person they spoke with shrugged them off at first, saying they'd never be able to get anything out of it. Faced with the challenge, the boys went back to the machine, fired up operator mode, and printed off documentation showing how much money was in the machine, information regarding withdrawals, and more. They also found a setting to change the surcharge amount, so they changed it to a penny. Finally, the boys changed the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."</p>
<p>After all this, the boys were late for school. BMO wrote them a letter on official letterhead that read, "Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during lunch hour due to assisting BMO with security."</p>
<p>What this all boils down to is an incredibly weak password. One could also argue that ATM operator manuals shouldn't be so easy to find online.</p>
<p><iframe src="//www.youtube.com/embed/a6iW-8xPw3k" width="620" height="349" frameborder="0"></iframe></p>
<p><em>News | Thu, 12 Jun 2014 18:21:48 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/microsoft_warns_against_using_registry_hack_allowing_windows_xp_receive_security_updates_2014">Microsoft Warns Against Using Registry Hack Allowing Windows XP to Receive Security Updates</a></h2>
<h3><img src="/files/u69/windows_xp_update.jpg" alt="Windows XP Update" title="Windows XP Update"
width="228" height="127" style="float: right;" />Registry hack for Windows XP catches Microsoft's attention</h3>
<p>Microsoft finally and officially ended support for Windows XP back in April, though not without throwing XP users a bone in the form of one last out-of-cycle security patch for a pretty serious vulnerability affecting most versions of Internet Explorer. However, that was a one-time thing, and now XP users are left out in the cold. Or are they? <strong>A registry hack that allows Windows XP to continue to receive security updates is making the rounds</strong>, and it's caught the attention of Microsoft.</p>
<p>It's a simple registry hack that involves creating a text file with the .reg extension and entering the following code:</p>
<pre>Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001</pre>
<p>Once you save the file, double-clicking it in Windows Explorer merges the key into the registry, after which Windows Update will offer updates on 32-bit versions of Windows XP (if you're running a 64-bit copy, there's a workaround <a href="http://www.sebijk.com/community/board15-other/board73-tutorials/2985-getting-xp-updates/" target="_blank">here</a>). <em>ZDNet</em> <a href="http://www.zdnet.com/registry-hack-enables-continued-updates-for-windows-xp-7000029851/" target="_blank">tested the hack</a> and said it appears to work as advertised. Several of the updates it pulled by running the registry hack were for Windows Server 2003, which runs the same kernel as Windows XP.</p>
<p>Microsoft is aware of the workaround, but strongly advises against using it.</p>
<p>"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers," a Microsoft spokesperson told <em>ZDNet</em>.
"Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."</p>
<p>So there you have it. While the hack appears to work (for now), Microsoft insists it's risky business to use it.</p>
<p>Image Credit: <a href="https://www.flickr.com/photos/wfryer/3977441193/sizes/o/" target="_blank">Flickr (Wesley Fryer)</a></p>
<p><em>News | Tue, 27 May 2014 17:01:39 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/security_bug_internet_explorer_8_still_roams_after_7_months_2014">Security Bug in Internet Explorer 8 Still Roams After 7 Months</a></h2>
<h3><img src="/files/u69/ie_bug.jpg" alt="IE Bug" title="IE Bug" width="228" height="193" style="float: right;" />Will Microsoft ever bother to squash this security bug?</h3>
<p><strong>There's a zero-day security flaw in Internet Explorer 8 that's been known for at least the last 7 months</strong>, yet Microsoft has yet to release a patch. Perhaps it never will -- after all, IE8 is the last version of Microsoft's browser to support Windows XP, which itself is now an <a href="http://www.maximumpc.com/microsofts_escape_windows_xp_game_caps_end_era_2014">unsupported operating system</a>.
Alternatively, Microsoft might just be having a really tough time with this one -- the Redmond outfit doesn't have a whole lot to say on the matter.</p>
<p>According to the <a href="http://zerodayinitiative.com/advisories/ZDI-14-140/" target="_blank"><em>Zero Day Initiative</em></a>, the vulnerability allows remote attackers to execute arbitrary code on vulnerable installations. Exploitation requires user interaction: the target has to first visit a malicious website or open a malicious file. In either case, it could spell bad news for the victim.</p>
<p>So, what's going on with Microsoft?</p>
<p>"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications, and different configurations," a Microsoft spokesperson <a href="http://www.cnet.com/news/zero-day-flaw-haunts-ie-8-for-7-months-and-counting/" target="_blank">told <em>CNET</em></a>.</p>
<p>Understood, though a <a href="http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer" target="_blank">recent zero-day bug</a> discovered in multiple versions of IE shortly after support for XP ended was patched by an out-of-cycle update less than a week after its discovery.</p>
<p><em>News | Thu, 22 May 2014 16:43:03 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/google_extends_chrome_os_minimum_end_life_term_5_years900">Google Extends Chrome OS Minimum End of Life Term to 5 Years</a></h2>
<h3><img
src="http://www.maximumpc.com/files/u46168/chromebook.jpg" alt="Chrome OS" title="Chromebook" width="228" height="212" style="float: right;" /></h3>
<h3>Previously, Chrome OS devices were guaranteed four years’ worth of software support</h3>
<p>Google has <strong>updated its Chrome OS End of Life (EOL) policy</strong>, <a href="https://www.google.com/intl/en/chrome/devices/eol.html" target="_blank">extending the minimum EOL term to five years</a>. Many Chrome OS device owners have already received an email from the search engine giant apprising them of the change.</p>
<p>With the new minimum EOL term applying retrospectively, each and every Chrome OS device ever released is affected by this announcement. Take, for instance, the very first Chrome OS device — the CR-48 Chromebook. Prior to this EOL policy update, the EOL date for the CR-48 was set for December 2014. Now the CR-48 is guaranteed to receive OS updates and security patches until at least December next year.</p>
<p>“We’re updating our official End of Life policy for all Chrome devices, including previous models, to extend the End of Life (EOL) minimum term,” <a href="https://plus.google.com/+BrandonTiller/posts/YYD7ETRnV3i" target="_blank">Google told Chrome OS owners in an email</a>.</p>
<p>“The new minimum EOL term is now 5 years from the date the device hardware is made available for purchase.
Some models may have a further extension based on regional releases and the length of sale.”</p>
<p><em>News | Mon, 19 May 2014 02:04:55 +0000 | Pulkit Chandna</em></p>

<h2><a href="http://www.maximumpc.com/sandisk_unveils_self_encrypting_x300s_solid_state_drive_series">SanDisk Unveils Self-Encrypting X300s Solid State Drive Series</a></h2>
<h3><img src="/files/u69/x300s.jpg" alt="SanDisk X300s" title="SanDisk X300s" width="228" height="189" style="float: right;" />SanDisk's first attempt at offering a self-encrypting SSD</h3>
<p>If you take a look at SanDisk's product portfolio, you'll find a range of memory and storage devices, including various solid state drives. However, one thing you wouldn't have found prior to today is a <strong>self-encrypting SSD line. With the introduction of the SanDisk X300s, the company now has one</strong> to offer corporate environments in need of secure storage -- healthcare and financial services are two industries that come to mind.</p>
<p>SanDisk's X300s family leverages TCG Opal 2.0 and Microsoft Encrypted Hard Drive hardware-based encryption, coupled with a new SSD administration dashboard for easier audit and compliance management, the company says. The drive line uses an AES 256-bit, FIPS 197-certified hardware crypto engine to enable full-disk encryption without the performance penalty that software-based encryption can introduce.
It also features advanced power management with DEVSLP low-power mode, enabling Microsoft InstantGo, a connected standby feature that keeps data on certified hardware in sync while the device is asleep.</p>
<p>"Businesses of all sizes want computers that are reliable, secure, built to last and are easy to support remotely," <a href="http://www.sandisk.com/about-sandisk/press-room/press-releases/2014/sandisk-introduces-security-certified-self-encrypting-solid-state-drive-for-corporate-environments/" target="_blank">said Kevin Conley</a>, senior vice president and general manager, client storage solutions at SanDisk. "For the enterprises that deploy hundreds or even thousands of laptops, it’s essential that their IT departments be able to centrally and securely manage these devices. The X300s, designed with SanDisk’s world-class flash, helps corporate IT leaders not only deliver the heightened performance and lower TCO that flash is known for, but also addresses data protection and security needs, without business disruption."</p>
<p>The X300s comes in two form factors -- 2.5-inch 7mm and M.2 2280 single-sided -- with capacities of 64GB, 128GB, 256GB, 512GB, and 1TB.
In terms of performance, the drives offer up to 520MB/s sequential reads and up to 460MB/s sequential writes, depending on the <a href="http://www.sandisk.com/assets/docs/sandisk-datasheet-X300s-OEM.pdf" target="_blank">model (PDF)</a>.</p>
<p><em>News | Tue, 13 May 2014 15:38:13 +0000 | Paul Lilly</em></p>

<h2><a href="http://www.maximumpc.com/aol_discovers_security_breach_during_spam_investigation">AOL Discovers Security Breach During Spam Investigation</a></h2>
<h3><img src="/files/u69/aol_jacket_0.jpg" alt="AOL Jacket" title="AOL Jacket" width="228" height="171" style="float: right;" />AOL says encrypted passwords and other user data were compromised in a hacker attack</h3>
<p><strong>AOL today said it's investigating a "security incident" involving unauthorized access to its network and systems</strong> that resulted in the possible theft of user data, including email addresses, postal addresses, address book contact information, encrypted passwords, encrypted answers to the security questions AOL asks when a user resets his or her password, and certain employee information.</p>
<p>External forensic experts and federal authorities are helping AOL with its investigation. AOL said it started looking into things after noticing a "significant increase" in spam appearing as spoofed emails from AOL Mail addresses.
The company believes that spammers used stolen contact information to send spoofed emails that appeared to come from about 2 percent of its email accounts.</p> <p>"Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted," <a href="http://blog.aol.com/2014/04/28/aol-security-update/" target="_blank">AOL said</a>.</p> <p>Nevertheless, AOL is strongly encouraging users and employees to reset their passwords, along with their security questions and answers.</p> <p>More information can be found on a special <a href="http://o.aolcdn.com/os/memberservices/faq.html" target="_blank">FAQ page</a> AOL posted in relation to the security breach.</p> <p>Image Credit: <a href="https://www.flickr.com/photos/lazzarello/5454431231/sizes/l" target="_blank">Flickr (lazzarello)</a></p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/aol_discovers_security_breach_during_spam_investigation#comments aol email Security spam News Mon, 28 Apr 2014 19:29:56 +0000 Paul Lilly 27710 at http://www.maximumpc.com Microsoft Warns of Zero-Day Bug in Internet Explorer http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer <!--paging_filter--><h3><img src="http://www.maximumpc.com/files/u46168/ie_0.jpg" alt="Internet Explorer Zero Day" title="Internet Explorer Zero Day" width="228" height="228" style="float: right;" /></h3> <h3>All versions affected</h3> <p>Microsoft has warned Internet Explorer users of a <strong>remote code execution vulnerability (CVE-2014-1776) 
that is present in versions 6 through 11</strong>. The company is aware of limited, targeted attacks aimed at exploiting the vulnerability, the Redmond outfit said in a <a href="https://technet.microsoft.com/en-US/library/security/2963983" target="_blank">security advisory</a> issued on Saturday.</p> <p>According to FireEye, the security firm that brought the bug to Microsoft’s notice, it is aware of an ongoing attack targeting the vulnerability in Internet Explorer 9 through Internet Explorer 11. The firm also pointed out that the targeted versions alone accounted for over a quarter of the overall browser market in 2013.</p> <p>“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye said in a <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank">blog post</a> Saturday. “However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”</p> <p>Microsoft says that it is still investigating the issue and will, upon the completion of its probe, either release a fix as part of its monthly security update release process, or issue an out-of-band security update. In the meantime, IE users can apply the workarounds Microsoft suggests to thwart the attack. 
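Two of those workarounds, unregistering and locking down VGX.DLL and turning on Enhanced Protected Mode with 64-bit tab processes, can be pushed out and rolled back with a short script. The following PowerShell is an added example written for this page; it is not code from the article or from Microsoft's advisory. It assumes the VGX.DLL paths under %CommonProgramFiles% (and %CommonProgramFiles(x86)% on 64-bit Windows), and it assumes that the registry values Isolation = "PMEM" and Isolation64Bit = 1 under HKCU\Software\Microsoft\Internet Explorer\Main are what the Internet Options dialog writes for the two Enhanced Protected Mode checkboxes; verify both on the target build before deploying. The EMET and security-zone workarounds are not scripted here.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the article or from Microsoft's advisory).
  Applies, or with -Revert undoes, two CVE-2014-1776 workarounds:
    1. unregister VGX.DLL and deny Everyone access to the file
    2. enable Enhanced Protected Mode and its 64-bit processes for IE10/11
  Assumptions: VGX.DLL lives under the CommonProgramFiles paths below, and
  the Isolation / Isolation64Bit values are the ones Internet Options writes.
#>
param([switch]$Revert)

# VGX.DLL is present once on 32-bit Windows and twice on 64-bit (native + WOW64).
$vgxPaths = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
if (${env:CommonProgramFiles(x86)}) {
    $vgxPaths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}
$regsvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Disable-Vgx {
    foreach ($dll in $vgxPaths) {
        if (-not (Test-Path $dll)) { Write-Host "skip: $dll not present"; continue }
        # Unregister the VML renderer so IE stops loading it.
        & $regsvr32 /u /s $dll
        # The file is owned by TrustedInstaller; take ownership so the ACL can be
        # edited, then deny Everyone full control so no process can map it.
        takeown /f $dll | Out-Null
        icacls $dll /deny 'everyone:(F)' | Out-Null
        Write-Host "hardened: $dll"
    }
}

function Enable-Vgx {
    foreach ($dll in $vgxPaths) {
        if (-not (Test-Path $dll)) { continue }
        # Drop the deny ACE first; regsvr32 cannot read the file while it is there.
        icacls $dll /remove:d everyone | Out-Null
        & $regsvr32 /s $dll
        Write-Host "restored: $dll"
    }
}

function Set-EnhancedProtectedMode([bool]$On) {
    if (-not (Test-Path $ieMain)) { New-Item -Path $ieMain -Force | Out-Null }
    # Assumption: "PMEM" = EPM on, "PMIL" = EPM off; Isolation64Bit toggles 64-bit tabs.
    Set-ItemProperty -Path $ieMain -Name 'Isolation' -Value $(if ($On) { 'PMEM' } else { 'PMIL' })
    Set-ItemProperty -Path $ieMain -Name 'Isolation64Bit' -Value $(if ($On) { 1 } else { 0 }) -Type DWord
}

function Test-VgxHardened {
    # True only if every VGX.DLL on the machine carries the Everyone deny ACE.
    $hardened = $true
    foreach ($dll in $vgxPaths) {
        if (-not (Test-Path $dll)) { continue }
        $deny = (Get-Acl $dll).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
        }
        if (-not $deny) { $hardened = $false }
    }
    return $hardened
}

if ($Revert) {
    Enable-Vgx
    Set-EnhancedProtectedMode $false
} else {
    Disable-Vgx
    Set-EnhancedProtectedMode $true
}
"VGX.DLL hardened: $(Test-VgxHardened)"
```

Run it from an elevated prompt; `Test-VgxHardened` gives a quick check that the deny ACE actually landed on every copy of the DLL, which is the step most likely to be missed on 64-bit machines. Keep the `-Revert` path handy: once Microsoft ships the fix, the deny ACE has to come off before the updated DLL can be registered, and the EPM change is per-user (HKCU), so it must be applied under each account that runs IE.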
These include: deploying the Enhanced Mitigation Experience Toolkit (EMET) 4.1; setting the Internet and Intranet security zone settings to “High”; unregistering VGX.DLL; modifying the Access Control List on VGX.DLL to be more restrictive; and enabling Enhanced Protected Mode for IE11 together with 64-bit processes for Enhanced Protected Mode.</p> <p>“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in the security advisory.</p> <p>“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. 
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.”</p> <p>Follow Pulkit on <a href="https://plus.google.com/107395408525066230351?rel=author" target="_blank">Google+</a></p> http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer#comments Internet Explorer microsoft Security zero day News Mon, 28 Apr 2014 05:19:27 +0000 Pulkit Chandna 27702 at http://www.maximumpc.com Buggy Microsoft Security Essentials Update Kicks XP Machines While Down http://www.maximumpc.com/buggy_microsoft_security_essentials_update_kicks_xp_machines_while_down_2014 <!--paging_filter--><h3><img src="/files/u69/mse_devil.jpg" alt="MSE Devil" title="MSE Devil" width="228" height="138" style="float: right;" />Here come the conspiracy theories</h3> <p>After more than 12 years of service, Microsoft finally pulled the plug on Windows XP by ceasing to support the operating system last week. However, Microsoft did promise to keep doling out updates for its Microsoft Security Essentials (MSE) software, including the version that runs on XP, but in doing so, the Redmond outfit only made things worse. That's because <strong>the latest MSE update is causing some XP machines to freeze up and run slow</strong>.</p> <p>Anyone with a tinfoil hat will tell you this is entirely intentional on Microsoft's part and nothing more than a thinly veiled attempt to get users to upgrade. The real explanation is likely far less insidious, though equally annoying for XP users who had hopes of holding onto the legacy OS for at least a little while longer.</p> <p>"I am a professional computer engineer and maintain many desktops and laptops for my customers on a daily basis: as of today (April 16th) I have seen about 12 computers on which Windows XP - after every boot up - throws up an error message referring to MSE, stating: 'MsMpEng.exe application error. 
The instruction at 0x5a4d684d referenced memory at 0x00000000 The memory could not be read', leaving the computer in an unusable state," <a href="http://answers.microsoft.com/en-us/windows/forum/windows_xp-winapps/bug-in-microsoft-security-essentials-lames-windows/7e105845-e4e7-4b0d-b7f8-485ba538e3b2" target="_blank">a user wrote</a> on Microsoft's Windows forum.</p> <p>He goes on to say that "the only solution is to disable MSE or uninstall it completely." Doing so will restore performance, but it comes at the expense of security protection, which is now more important than ever for XP users.</p> <p>Microsoft has yet to acknowledge the situation or issue a fix. One is likely coming, but in the meantime, there are third-party AV vendors that still support XP.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/buggy_microsoft_security_essentials_update_kicks_xp_machines_while_down_2014#comments microsoft Microsoft Security Essentials mse operating system OS Security Software Windows XP News Thu, 17 Apr 2014 18:20:08 +0000 Paul Lilly 27655 at http://www.maximumpc.com