Security http://www.maximumpc.com/taxonomy/term/206/ en Device Authentication Could Make Passwords Obsolete http://www.maximumpc.com/device_authentication_could_make_passwords_obsolete_2014 <!--paging_filter--><h3><img src="/files/u69/keys_keyboard.jpg" alt="Keys on Keyboard" title="Keys on Keyboard" width="228" height="153" style="float: right;" />Perhaps one day you won't need a password to log into your accounts</h3> <p>Everyone knows you're not supposed to use the same password for multiple websites and services. If you follow that advice right down to the letter, then you're juggling numerous passwords, depending on how many banking sites, forums, auction portals, and everything else you're signed up for. It's a pain, and perhaps an unnecessary one -- <strong>device-based authentication could render passwords a thing of the past</strong>.</p> <p>At least that's what Christopher Mims over at <em>The Wall Street Journal</em> believes. In fact, he's so confident about the irrelevance of passwords that he shared the one he setup for his Twitter account. It isn't a dummy account, either, but an active Twitter account that he's been using to post more than 51,000 tweets since 2007. His password is simply "christophermims."</p> <p>He's willing to give it away because he uses a device-based authentication method that requires not only a password, but verification on his iPhone.</p> <p>"If you want to sample the early version of a post-password future, all you have to do is switch on a common security feature of every major Web service. It's available across all the web giants, including every account offered by Google, Yahoo, Microsoft, Facebook, Twitter, and dozens of others, and yet surveys suggest more than half the public hasn't heard of it. It's called two-factor authentication," <a href="http://online.wsj.com/articles/the-password-is-finally-dying-heres-mine-1405298376" target="_blank">Mims explains</a>.</p> <p>It's not unlike an ATM, in which the first factor is your PIN (or password), and the second is your debit card, a physical thing that you keep in your wallet or purse. Without it, the PIN is useless, and so are passwords without a physical device in a two-factor authentication scheme, Mims argues.</p> <p>What's your take on all this? Do you think device-based authentication will render standalone passwords obsolete? Give Mims' article a read and sound off!</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/device_authentication_could_make_passwords_obsolete_2014#comments authentication Password Security News Mon, 14 Jul 2014 16:56:18 +0000 Paul Lilly 28162 at http://www.maximumpc.com Android KeyStore Vulnerability Affects Vast Majority of Devices http://www.maximumpc.com/android_keystore_vulnerability_affects_vast_majority_devices860 <!--paging_filter--><h3><img src="http://www.maximumpc.com/files/u69/android_sick.jpg" alt="Android Keystore Vulnerability" title="Android Keystore Vulnerability" width="228" height="129" style="float: right;" /></h3> <h3>Over 86 percent of all Android devices remain vulnerable</h3> <p>The flagrant fragmentation that has come to be associated with Android is once again in focus, with IBM Security researchers shedding light on a <strong>major vulnerability (CVE-2014-3100) affecting the all-important Android KeyStore service</strong>, which is used for <a href="https://developer.android.com/reference/java/security/KeyStore.html" target="_blank">storing cryptographic keys</a> and other sensitive credentials. Although the said vulnerability has been fixed in the latest version of the operating system (Android Kitkat 4.4), the problem is that the vast majority of Android users don’t have the latest version.</p> <p>According to the <a href="http://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/#.U7ECJfmSxOj" target="_blank">security advisory</a> issued by the IBM security researchers, they discovered this Android KeyStore stack buffer overflow vulnerability over nine months ago, and in keeping with their responsible disclosure policy, quietly reported it to the Android security team. They refrained from going public for so long mainly due to the seriousness of the vulnerability and “Android’s fragmented nature.”</p> <p>Per the advisory, an attacker can use the vulnerability to execute malicious code under the KeyStore process on devices running Android 4.3 or lower (around 86 percent of all Android devices), with the successful exploitation having the potential to expose the device’s lock credentials, leak cryptographic keys, and enable unauthorized “crypto operations (e.g., arbitrary data signing).”</p> <p>However, the advisory notes that exploiting the flaw isn’t exactly a cakewalk, as Android has a number of built-in safeguards against such malicious code execution, including data execution prevention (DEP) and address space layout randomization (ASLR).</p> <p>Follow Pulkit on <a href="https://plus.google.com/107395408525066230351?rel=author" target="_blank">Google+</a></p> http://www.maximumpc.com/android_keystore_vulnerability_affects_vast_majority_devices860#comments android keystore android kitkat flaw ibm Security vulnerability News Mon, 30 Jun 2014 07:14:08 +0000 Pulkit Chandna 28089 at http://www.maximumpc.com Kill Switch in iPhone is Working, Microsoft and Google to Follow Suit http://www.maximumpc.com/kill_switch_iphone_working_microsoft_and_google_follow_suit_2014 <!--paging_filter--><h3><img src="/files/u69/activate_iphone.jpg" alt="Activate iPhone" title="Activate iPhone" width="228" height="201" style="float: right;" />iPhone thefts are down as a result of kill switch technology in iOS 7</h3> <p>One of the debates in the mobile phone industry is whether or not so-called kill switches can actually reduce smartphone theft. Well, early indications suggest that they do. <strong>Authorities in New York and San Francisco -- two locations where smartphone theft is a growing epidemic -- say they've seen a drop in iPhone robberies</strong> since Apple implemented its Activation Lock feature in iOS 7.</p> <p>Looking at data in the six months before and after Apple implemented the feature, police said iPhone theft in San Francisco dropped 38 percent. Those in London -- another place where smartphone theft happens far too often -- fell 24 percent. As for New York, robberies involving Apple products dropped 19 percent, and those involving grand larcenies went down 29 percent in the first five months of 2014 compared with the same time frame in 2013, <a href="http://bits.blogs.nytimes.com/2014/06/19/antitheft-technology-led-to-a-dip-in-iphone-thefts-in-some-cities-police-say/?_php=true&amp;_type=blogs&amp;_r=0" target="_blank"><em>The New York Times</em> reports</a>.</p> <p>Police have long believed that this type of antitheft technology would discourage crooks from stealing smartphones, and the data up to this point shows they're right. However, kill switch technology might not deserve all the credit. There are other factors at play, such as an increased effort on the part of law enforcement and tech companies to educate consumers on additional security measures to protect their handsets -- things like setting up passcodes.</p> <p>Regardless of the debate, the industry is moving forward with kill switches. As it stands, both Google and Microsoft have plans to implement antitheft technology into the next version of their respective mobile operating systems. Between the three platforms -- iOS, Android, and Windows Phone -- almost every new device will have a kill switch.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/kill_switch_iphone_working_microsoft_and_google_follow_suit_2014#comments android Google iOS 7 iphone kill switch microsoft mobile Security smartphone windows phone News Thu, 19 Jun 2014 15:20:23 +0000 Paul Lilly 28035 at http://www.maximumpc.com F-Secure Points Angry Finger at Microsoft, Wants Windows XP to Die Already http://www.maximumpc.com/f-secure_points_angry_finger_microsoft_wants_windows_xp_die_already_2014 <!--paging_filter--><h3><img src="/files/u69/f-secure_window.jpg" alt="F-Secure" title="F-Secure" width="228" height="171" style="float: right;" />"[Microsoft] should try and kill this beast!" - F-Secure on Windows XP</h3> <p>It's not cockroaches that would survive a nuclear war, but Windows XP, the legacy operating system that simply refuses to give up the ghost. Officially, Microsoft ended support for XP back in April, but companies still have the option of paying for continued security updates. Security firm <strong>F-Secure isn't real pleased with Microsoft's handling of XP</strong> or the fact that so many businesses and users are still running the OS.</p> <p>F-Secure's chief security researcher Mikko Hypponen lashed out at Microsoft and Windows XP during a roundtable event at the company's labs in Finland.</p> <p>"I can't wait for Windows XP to die. I'm glad Microsoft stopped shipping updates. I'm mad at Microsoft for shipping updates after end of support, it should try and kill this beast. But it's not dead yet," Hypponen said, <a href="http://www.theinquirer.net/inquirer/news/2350525/f-secure-malware-riddled-windows-xp-needs-to-hurry-up-and-die" target="_blank">according to <em>The Inquirer</em></a>.</p> <p>Hyponnen is peaved that around 20 percent of the PC market still runs Windows XP. His issue is with the lack of security compared to newer operating systems.</p> <p>"We should be getting rid of these old systems," Hyponnen said. "Why didn't [businesses] take up to this two years ago? It's surprising how slow governments are and also large companies everywhere. [It's] going to take a while to get rid of this headache and I can't wait."</p> <p>Hyponnen also talked about Android, noting that F-Secure manages 100,000 malware samples every day, many of which target the mobile OS.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/f-secure_points_angry_finger_microsoft_wants_windows_xp_die_already_2014#comments f-security malware Security Software windows xp News Wed, 18 Jun 2014 16:28:32 +0000 Paul Lilly 28028 at http://www.maximumpc.com AVG Warns Popular Websites Still Suffering an OpenSSL Security Issue http://www.maximumpc.com/avg_warns_popular_websites_still_suffering_openssl_security_issue_2014 <!--paging_filter--><h3><img src="/files/u69/caution.jpg" alt="Caution" title="Caution" width="228" height="152" style="float: right;" />Even after applying a Heartbleed patch, many websites are still vulnerable</h3> <p><a href="http://www.maximumpc.com/heartbleed_security_flaw_catches_internet_guard_2014" target="_blank">Heartbleed</a> received a ton of media attention, and for good reason -- the security flaw in OpenSSL caught the Internet with its collective pants down, which in turn prompted website owners, IT workers, and web admins to all go scrambling for a fix. Now that there's a patch available, are we once again safe? Not really, says AVG, <strong>According to AVG, thousands of popular websites need to update their servers to stay protected from a new vulnerability</strong>.</p> <p>The new vulnerability, known as a CSS Injection, has left potentially tens of thousands of the web's most popular sites vulnerable to attack. <a href="http://blogs.avg.com/news-threats/webservers-still-vulnerable/" target="_blank">AVG said</a> it scanned the servers of 45,000 of the world's biggest websites based on their Alexa ratings and found that around half use OpenSSL encryption. Of the potentially vulnerable sites, 75 percent are still not protected, leaving around 17,000 open to attack.</p> <p>On the plus side, it takes a complex effort on the part of a hacker to exploit the vulnerability, AVG says. The attacker must intercept the connection between a client and a server, both of which must be using the vulnerable version, and engage a man-in-the-middle attack. Once they've done that, the attacker can decrypt and modify the traffic that flows back and forth.</p> <p>This is a bit of a self-serving warning AVG has issued, which says it built additional functionality into its <a href="http://www.avg.com/us-en/web-tuneup" target="_blank">Web TuneUp</a> product that will inform users with a banner when they vist a site that could be at risk from a CSS Injection. AVG Web TuneUp (beta) is free for the time being, though it doesn't support Windows 8/8.1.</p> <p>Image Credit: <a href="https://www.flickr.com/photos/huskyte/7512877940" target="_blank">Flickr (Michael Theis)</a></p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/avg_warns_popular_websites_still_suffering_openssl_security_issue_2014#comments AVG encryption heartbleed Internet online openssl Security web News Tue, 17 Jun 2014 18:18:45 +0000 Paul Lilly 28022 at http://www.maximumpc.com Teens Demonstrate Easiest Way to Hack an ATM is to RTFM http://www.maximumpc.com/teens_demonstrate_easiest_way_hack_atm_rtfm_2014 <!--paging_filter--><h3><img src="/files/u69/atm.jpg" alt="ATM" title="ATM" width="228" height="171" style="float: right;" />There's no excuse for this kind of lax security</h3> <p>You don't have to be a seasoned hacker to break into an ATM, nor do you need to play with explosives or take other extreme measures. In some cases, thwarting an ATM's security is as easy as reading the flipping manual. That's what a pair of 9th grade students in Canada did. <strong>Matthew Hewlett and Caleb Turon, both 14 years old, 'hacked' an ATM by looking up the unit's user manual online</strong>.</p> <p>The ATM in question belongs to the Bank of Montreal. Instructions provided in the online manual showed how to access that model's operator mode, which the teens did. They then took a shot at randomly guessing the ATM's six-digit password and got it right on the first guess.</p> <p>"We thought it would be fun to try, but we were not expecting it to work," <a href="http://www.winnipegsun.com/2014/06/08/code-crackers--charleswood-teens-hack-into-grant-avenue-atm" target="_blank">Hewlett told <em>Winnipeg Sun</em></a>. "When it did, it asked for a password."</p> <p>The boys then went to one of BMO's branches and notified them how easy it was to infiltrate the ATM. The person they spoke with shrugged them off at first, saying they'd never be able to get anything out of it. Faced with the challenge, the boys went back to the machine, fired up the operating mode, and printed off documentation showing how much money was in the machine, information regarding withdrawals, and more. They also found a setting to change the surcharge amount, so they changed it to a penny. Finally, the boys changed the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."</p> <p>After all this time, the boys were late for school. BMO wrote them a letter on official letterhead that read, "Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during lunch hour due to assisting BMO with security."</p> <p>What this all boils down to is having an incredibly weak password. One could also argue that ATM operator manuals shouldn't be so easy to access online.</p> <p><iframe src="//www.youtube.com/embed/a6iW-8xPw3k" width="620" height="349" frameborder="0"></iframe></p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/teens_demonstrate_easiest_way_hack_atm_rtfm_2014#comments ATM bank of montreal caleb turon matthew hewlett Security News Thu, 12 Jun 2014 18:21:48 +0000 Paul Lilly 27996 at http://www.maximumpc.com Microsoft Warns Against Using Registry Hack Allowing Windows XP to Receive Security Updates http://www.maximumpc.com/microsoft_warns_against_using_registry_hack_allowing_windows_xp_receive_security_updates_2014 <!--paging_filter--><h3><img src="/files/u69/windows_xp_update.jpg" alt="Windows XP Update" title="Windows XP Update" width="228" height="127" style="float: right;" />Registry hack for Windows XP catches Microsoft's attention</h3> <p>Microsoft finally and officially ended support for Windows XP back in April, though not without throwing XP users a bone in the form of one last out-of-cycle security patch for a pretty serious vulnerability affecting most versions of Internet Explorer. However, that was a one-time thing, and now XP users are left out in the cold. Or are they? <strong>A registry hack that allows Windows XP to continue to receive security updates is making the rounds</strong>, and it's caught the attention of Microsoft.</p> <p>It's a simply registry hack that involves creating a text file with the .reg extension and entering the following code:</p> <p style="padding-left: 30px;">Windows Registry Editor Version 5.00<br />[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]<br /> "Installed"=dword:00000001</p> <p>Once you save the file, you can double-click it in Windows Explorer and it will proceed to run Windows Update on 32-bit versions of Windows XP (if you're running a 64-bit copy, there's a workaround <a href="http://www.sebijk.com/community/board15-other/board73-tutorials/2985-getting-xp-updates/" target="_blank">here</a>). <em>ZDNet</em> <a href="http://www.zdnet.com/registry-hack-enables-continued-updates-for-windows-xp-7000029851/" target="_blank">tested the hack</a> and said it appears to work as advertised. Several of the updates it pulled by running the registry hack were for Windows Server 2003, which runs the same kernel as Windows XP.</p> <p>Microsoft is privy to the workaround, but strongly advises against running it.</p> <p>"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers," a Microsoft spokesperson told <em>ZDNet</em>. "Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."</p> <p>So there you have it. While the hack appears to work (for now), Microsoft insists it's risky business to use it.</p> <p>Image Credit: <a href="https://www.flickr.com/photos/wfryer/3977441193/sizes/o/" target="_blank">Flickr (Wesley Fryer)</a></p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/microsoft_warns_against_using_registry_hack_allowing_windows_xp_receive_security_updates_2014#comments microsoft operating system OS registry Security Software update windows xp News Tue, 27 May 2014 17:01:39 +0000 Paul Lilly 27885 at http://www.maximumpc.com Security Bug in Internet Explorer 8 Still Roams After 7 Months http://www.maximumpc.com/security_bug_internet_explorer_8_still_roams_after_7_months_2014 <!--paging_filter--><h3><img src="/files/u69/ie_bug.jpg" alt="IE Bug" title="IE Bug" width="228" height="193" style="float: right;" />Will Microsoft ever bother to squash this security bug?</h3> <p><strong>There's a zero-day security flaw in Internet Explorer that's been known for at least the last 7 months</strong>, yet Microsoft has yet to release a patch. Perhaps it never will -- after all, IE8 is the last version of Microsoft's browser to support Windows XP, which itself is now an <a href="http://www.maximumpc.com/microsofts_escape_windows_xp_game_caps_end_era_2014">unsupported operating system</a>. Alternately, Microsoft might just be having a really tough time with this one -- the Redmond outfit doesn't have a whole lot to say on the matter.</p> <p>According to <a href="http://zerodayinitiative.com/advisories/ZDI-14-140/" target="_blank"><em>Zero Day Initiative</em></a>, the vulnerability allows remote hackers to execute arbitrary code on vulnerable installations. The exploit requires user interaction, in that the target has to first visit a malicious website or open up a malicious file. In either case, it could spell bad news for the victim.</p> <p>So, what's going on with Microsoft?</p> <p>"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications, and different configurations," a Microsoft spokesperson <a href="http://www.cnet.com/news/zero-day-flaw-haunts-ie-8-for-7-months-and-counting/" target="_blank">told <em>CNET</em></a>.</p> <p>Understood, though a <a href="http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer" target="_blank">recent zero-day bug</a> discovered in multiple versions of IE shortly after support for XP ended was patched by an out-of-cycle update in less than a week after its discovery.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/security_bug_internet_explorer_8_still_roams_after_7_months_2014#comments browser IE8 Internet Internet Explorer 8 microsoft online Security Software zero-day News Thu, 22 May 2014 16:43:03 +0000 Paul Lilly 27857 at http://www.maximumpc.com Google Extends Chrome OS Minimum End of Life Term to 5 Years http://www.maximumpc.com/google_extends_chrome_os_minimum_end_life_term_5_years900 <!--paging_filter--><h3><img src="http://www.maximumpc.com/files/u46168/chromebook.jpg" alt="Chrome OS " title="Chromebook" width="228" height="212" style="float: right;" /></h3> <h3>Previously, Chrome OS devices were guaranteed four years’ worth of software support</h3> <p>Google has <strong>updated its Chrome OS End of Life (EOL) policy</strong>, <a href="https://www.google.com/intl/en/chrome/devices/eol.html" target="_blank"> extending the minimum EOL term to five years</a>. Many Chrome OS device owners have already received an email apprising them of the change from the search engine giant.</p> <p>With the new minimum EOL term applying retrospectively, each and every Chrome OS device ever released is affected by this announcement. Take for instance, the very first Chrome OS device — the CR-48 Chromebook. Prior to this EOL policy update, the EOL date for CR-48 was set for December 2014. But now the CR-48 is guaranteed to receive OS updates and security patches until at least December next year.</p> <p>“We’re updating our official End of Life policy for all Chrome devices, including previous models, to extend the End of Life (EOL) minimum term,” <a href="https://plus.google.com/+BrandonTiller/posts/YYD7ETRnV3i" target="_blank">Google told Chrome OS owners in an email.</a></p> <p>“The new minimum EOL term is now 5 years from the date the device hardware is made available for purchase. Some models may have a further extension based on regional releases and the length of sale.”</p> <p>Follow Pulkit on <a href="https://plus.google.com/107395408525066230351?rel=author" target="_blank">Google+</a></p> http://www.maximumpc.com/google_extends_chrome_os_minimum_end_life_term_5_years900#comments chrome os chromebook chromebox eol Google OS Security Software update News Mon, 19 May 2014 02:04:55 +0000 Pulkit Chandna 27825 at http://www.maximumpc.com SanDisk Unveils Self Encrypting X300s Solid State Drive Series http://www.maximumpc.com/sandisk_unveils_self_encrypting_x300s_solid_state_drive_series <!--paging_filter--><h3><img src="/files/u69/x300s.jpg" alt="SanDisk X300s" title="SanDisk X300s" width="228" height="189" style="float: right;" />SanDisk's first attempt at offering a self encrypting SSD</h3> <p>If you take a look at SanDisk's product portfolio, you'll find a range of memory and storage devices, including various solid state drives. However, one thing you wouldn't have found prior to today is a <strong>self-encrypting SSD line. With the introduction of the SanDisk X300s, the company now has one</strong> to offer corporate environments in need of secure storage -- healthcare and financial services are two industries that come to mind.</p> <p>SanDisk's X300s family leverages TCG Opal 2.0 and Microsoft Encrypted Hard Drive hardware-based encryption, coupled with a new SSD administration dashboard for easier audit and compliance management, the company says. The drive line utilizes AES 256-bit FIPS 197 certified hardware crypto engine to enable full-disk encryption without the performance penalty that software-based encryption can introduce. It also features advanced power management with DEVSLP low-power mode, enabling Microsoft InstantGo, a connected standby feature that keeps data on certified hardware in sync while the device is asleep.</p> <p>"Businesses of all sizes want computers that are reliable, secure, built to last and are easy to support remotely," <a href="http://www.sandisk.com/about-sandisk/press-room/press-releases/2014/sandisk-introduces-security-certified-self-encrypting-solid-state-drive-for-corporate-environments/" target="_blank">said Kevin Conley</a>, senior vice president and general manager, client storage solutions at SanDisk. "For the enterprises that deploy hundreds or even thousands of laptops, it’s essential that their IT departments be able to centrally and securely manage these devices. The X300s, designed with SanDisk’s world-class flash, helps corporate IT leaders not only deliver the heightened performance and lower TCO that flash is known for, but also addresses data protection and security needs, without business disruption. "</p> <p>The X300s comes in two form factors -- 2.5-inch 7mm and M.2 2280 single-sided, with capacities of 64GB, 128GB, 256GB, 512GB, and 1TB. In terms of performance, the drives offer up to 520MB/s sequential reads and up to 460 sequential writes, depending on the <a href="http://www.sandisk.com/assets/docs/sandisk-datasheet-X300s-OEM.pdf" target="_blank">model (PDF)</a>.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/sandisk_unveils_self_encrypting_x300s_solid_state_drive_series#comments Build a PC encryption Hardware Sandisk Security solid state drive ssd storage x300s News Tue, 13 May 2014 15:38:13 +0000 Paul Lilly 27802 at http://www.maximumpc.com AOL Discovers Security Breach During Spam Investigation http://www.maximumpc.com/aol_discovers_security_breach_during_spam_investigation <!--paging_filter--><h3><img src="/files/u69/aol_jacket_0.jpg" alt="AOL Jacket" title="AOL Jacket" width="228" height="171" style="float: right;" />AOL says encrypted passwords and other user data compromised hacker attack</h3> <p><strong>AOL today said it's investigating a "security incident" involving unauthorized access to its network and systems</strong> that resulted in the possible theft of user data, including email addresses, postal addresses, address book contact information, encrypted passwords, encrypted answers to security questions that AOL asks when a user resets his or her password, and certain employee information.</p> <p>External forensic experts and federal authorities are helping AOL in its investigation. AOL said it started looking into things after noticing a "significant increase" in spam appear as spoofed emails from AOL Mail addresses. The company believes that spammers used used stolen contact information to send spoofed emails that appeared to come from about 2 percent of its email accounts.</p> <p>"Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted," <a href="http://blog.aol.com/2014/04/28/aol-security-update/" target="_blank">AOL said</a>.</p> <p>Nevertheless, AOL is strongly encouraging users and employees to reset their passwords, along with their security questions and answers.</p> <p>More information can be found on a special <a href="http://o.aolcdn.com/os/memberservices/faq.html" target="_blank">FAQ page</a> AOL posted in relation to the security breach.</p> <p>Image Credit: <a href="https://www.flickr.com/photos/lazzarello/5454431231/sizes/l" target="_blank">Flickr (lazzarello)</a></p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/aol_discovers_security_breach_during_spam_investigation#comments aol email Security spam News Mon, 28 Apr 2014 19:29:56 +0000 Paul Lilly 27710 at http://www.maximumpc.com Microsoft Warns of Zero-Day Bug in Internet Explorer http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer <!--paging_filter--><h3><img src="http://www.maximumpc.com/files/u46168/ie_0.jpg" alt="Internet Explorer Zero Day" title="Internet Explorer Zero Day" width="228" height="228" style="float: right;" /></h3> <h3>All versions affected</h3> <p>Microsoft has warned Internet Explorer users of a <strong>remote code execution vulnerability (CVE-2014-1776 ) that is present in versions 6 through 11</strong>. The company is aware of limited, targeted attacks aimed at exploiting the vulnerability, the Redmond outfit said in a <a href="https://technet.microsoft.com/en-US/library/security/2963983" target="_blank">security advisory</a> issued on Saturday.</p> <p>According to FireEye, the security firm that brought the bug to Microsoft’s notice, it is aware of an ongoing attack targeting the said vulnerability in Internet Explorer 9 through Internet Explorer 11. The firm also pointed out that the targeted versions alone accounted for over a quarter of the overall browser market in 2013.</p> <p>“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye said in a <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank">blog post</a> Saturday. “However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”</p> <p>Microsoft says that it is still investigating the issue and will, upon the completion of its probe, either release a fix as part of its monthly security update release process, or issue an out-of-band security update. In the meantime, IE users could use the workarounds suggested by Microsoft to thwart the attack. These include: deploying the Enhanced Mitigation Experience Toolkit (EMET) 4.1; setting Internet and Intranet security zone settings to “High”, unregistering VGX.DLL; modifying the Access Control List on VGX.DLL to be more restrictive; and enabling Enhanced Protected Mode for IE11 and enabling 64-bit processes for Enhanced Protected Mode.</p> <p>“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in the security advisory.</p> <p>“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.”</p> <p>Follow Pulkit on <a href="https://plus.google.com/107395408525066230351?rel=author" target="_blank">Google+</a></p> http://www.maximumpc.com/microsoft_warns_zero-day_bug_internet_explorer#comments Internet Explorer microsoft Security zero day News Mon, 28 Apr 2014 05:19:27 +0000 Pulkit Chandna 27702 at http://www.maximumpc.com Buggy Microsoft Security Essentials Update Kicks XP Machines While Down http://www.maximumpc.com/buggy_microsoft_security_essentials_update_kicks_xp_machines_while_down_2014 <!--paging_filter--><h3><img src="/files/u69/mse_devil.jpg" alt="MSE Devil" title="MSE Devil" width="228" height="138" style="float: right;" />Here come the conspiracy theories</h3> <p>After more than 12 years of service, Microsoft finally pulled the plug on Windows XP by ceasing to support the operating system last week. However, Microsoft did promise to keep doling out updates for its Microsoft Security Essentials (MSE) software, including the version that runs on XP, but in doing so, the Redmond outfit only made things worse. That's because <strong>the latest MSE update is causing some XP machines to freeze up and run slow</strong>.</p> <p>Anyone with a tinfoil hat will tell you this is entirely intentional on Microsoft's part and nothing more than a thinly veiled attempt to get users to upgrade. The real explanation is likely far less insidious, though equally annoying for XP users who had hopes of holding onto the legacy OS for at least a little while longer.</p> <p>"I am a professional computer engineer and maintain many desktops and laptops for my customers on a daily basis: as of today (April 16th) I have seen about 12 computers on which Windows XP - after every boot up - throws up an error message referring to MSE, stating: 'MsMpEng.exe application error. The instruction at 0x5a4d684d referenced memory at 0x00000000 The memory could not be read', leaving the computer in an unusable state," <a href="http://answers.microsoft.com/en-us/windows/forum/windows_xp-winapps/bug-in-microsoft-security-essentials-lames-windows/7e105845-e4e7-4b0d-b7f8-485ba538e3b2" target="_blank">a user wrote</a> on Microsoft's Windows forum.</p> <p>He goes on to say that "the only solution is to disable MSE or uninstall it completely." Doing so will restore performance, but it comes at the expense of security protection, which is now more important than ever for XP users.</p> <p>Microsoft has yet to acknowledge the situation or issue a fix. One is likely coming, but in the meantime, there are third-party AV vendors that still support XP.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/buggy_microsoft_security_essentials_update_kicks_xp_machines_while_down_2014#comments microsoft Microsoft Security Essentials mse operating system OS Security Software Windows XP News Thu, 17 Apr 2014 18:20:08 +0000 Paul Lilly 27655 at http://www.maximumpc.com Google Beefs Up Android Security, Watches for Misbehaving Apps http://www.maximumpc.com/google_beefs_android_security_watches_misbehaving_apps_2014 <!--paging_filter--><h3><img src="/files/u69/nexus_verify.jpg" alt="Android Verify" title="Android Verify" width="228" height="161" style="float: right;" />New security measures keeps your installed Android apps in check</h3> <p>It's not unusual for a malicious Android app to sneak into Google Play, though they're obviously much more prevalent from third-party sources, especially from sketchy areas of the web. To help protect users from falling prey to an app's malicious intentions, <strong>Google is rolling out a new enhancement to its security scheme that will examine an app's behavior after it's been installed</strong>.</p> <p>The security scheme will continually check devices to make sure installed apps aren't misbehaving. It's part of Google's "Verify apps" security system, which also scans apps prior to installation.</p> <p>"Because potentially harmful applications are very rare, most people will never see a warning or any other indication that they have this additional layer of protection. But we do expect a small number of people to see warnings (which look similar to the existing Verify apps warnings) as a result of this new capability," Google stated in a <a href="http://officialandroid.blogspot.co.uk/2014/04/expanding-googles-security-services-for.html" target="_blank">blog post</a>. "The good news is that very few people have ever encountered this; in fact, we’ve found that fewer than 0.18 percent of installs in the last year occurred after someone received a warning that the app was potentially harmful."</p> <p>This new measure will also protect against potentially malicious apps that might have been installed prior to Google's verification system going live in 2012. Either way, it's nice to have the extra layer of protection, especially as malware writers begin to pay more attention to Android.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/google_beefs_android_security_watches_misbehaving_apps_2014#comments android apps Google Security Software News Thu, 10 Apr 2014 18:21:00 +0000 Paul Lilly 27605 at http://www.maximumpc.com Symantec: Cybercriminals Shift Behavior to Mega Breaches in Hopes of Bigger Payouts http://www.maximumpc.com/symantec_cybercriminals_shift_behavior_mega_breaches_hopes_bigger_payouts_2014 <!--paging_filter--><h3><img src="/files/u69/mega_breach_infographic.jpg" alt="Mega Breach Infographic" title="Mega Breach Infographic" width="228" height="173" style="float: right;" />A so-called "mega breach" can be worth as much as 50 smaller attacks</h3> <p><strong>Large scale cyber attacks are on the rise</strong>, says security firm Symantec, which dubbed 2013 "Year of the Mega Breach." According to Symantec, there's a significant shift taking place in how cybercriminals operate. Rather than go in for quick hits with small rewards, cybercriminals are seeing the financial benefit in plotting bigger attacks months in advance. A single mega breach, as Symantec calls these attacks, can yield the same reward as 50 small scale attacks.</p> <p>"While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better," said Sheldon Hand, regional manager for Rest of Africa, Symantec.</p> <p>Symantec says there were eight mega breaches in 2013, compared to just one mega breach the year prior. As far as the bigger picture goes, there was a 62 percent increase in the overall number of data breaches from the previous year, which resulted in 552 million exposed identities.</p> <p>"Nothing breeds success like success – especially if you’re a cybercriminal," said Hand. "The potential for huge paydays means large-scale attacks are here to stay. Companies of all sizes need to re-examine, re-think and possibly re-architect their security posture."</p> <p>Targeted attacks jumped 91 percent in 2013 compared to 2012 and lasted an average of three times longer. Interestingly, personal assistant and people working in public relations were the two most targeted professions, Symantec says.</p> <p>You can read more in Symantec's <a href="http://www.symantec.com/security_response/publications/threatreport.jsp" target="_blank">2014 Internet Security Threat Report, Volume 19</a>.</p> <p><em>Follow Paul on <a href="https://plus.google.com/+PaulLilly?rel=author" target="_blank">Google+</a>, <a href="https://twitter.com/#!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="http://www.facebook.com/Paul.B.Lilly" target="_blank">Facebook</a></em></p> http://www.maximumpc.com/symantec_cybercriminals_shift_behavior_mega_breaches_hopes_bigger_payouts_2014#comments Internet mega breach online Security symantec News Thu, 10 Apr 2014 16:06:50 +0000 Paul Lilly 27602 at http://www.maximumpc.com