Category: Data security

HP to introduce virtual-hardware security for Web browsing

Article

HP Elitebook x360 G2 press picture courtesy of HP USA

HP Elitebook x360 G2 – to be equipped for Sure Click

HP hardens EliteBook protection with Sure Click, a browser secured in virtual hardware | PC World

From the horse’s mouth

HP

Press Release

Bromium

Press Release

Video explaining the Bromium micro-virtualisation approach (Click / Tap to play)

My Comments

A very common attack gateway that has been identified for endpoint computing devices, especially regular desktop or laptop computers, is the Web browser. It is because the browser is essentially the “viewport” to the Internet for most reading-based tasks.

But most recent browser versions have implemented software-based “hardening” against the various Internet-based attacks. This is in conjunction with the main desktop operating systems being “hardened” through each and every update and patch automatically applied. These updates facilitate practices like “sandboxing” where software of questionable provenance is effectively corralled in a logical quarantine area with minimal privileges so it doesn’t affect the rest of the system.

HP and Bromium have developed a “virtual hardware” approach where a browsing session can take place in a separate “logical computer”, a concept being driven by the multi-core CPUs that are the hub of today’s computer systems. This can provide improved security by using the hardware approach that is effectively with its own operating system and has the data destroyed at the end of a session. Here, it restricts the effect of malware like ransomware picked up during a “drive-by” download because the software can only run within that separate “logical computer”.

At the moment, this feature is being initially rolled out to the Elitebook x360 G2 convertible business laptop but will trickle out across the next generation of “Elite” premium manageable business computers to be launched in the second half of the year. It will work only with Microsoft’s Internet Explorer and Google’s open-source Chromium browser at the moment. What I would like to see happen is that this feature is able to be “trickled-down” to HP’s consumer, education and small-business product ranges but in a more “self-service” manner because households, small businesses and volunteer-driven community organisations could equally benefit from this feature.

Send to Kindle

Making sure your business laptop’s fingerprint reader works with Windows 10

Fujitsu Lifebook S-Series SH771 ultraportable

You may have a problem with the fingerprint readers on these business laptops after you upgrade the operating system to Windows 10

Those of you who had purchased a business laptop equipped with a fingerprint reader may find that this feature doesn’t work with Windows 10. The situation can be very difficult if you had participated in the Windows 10 free-upgrade program that happened from 2015 to 2016 and you may have foregone the use of this security feature after that upgrade.

What can you do?

Remove the existing fingerprint-authentication software from the laptop

Use the Windows 10 Add/Remove Programs option to remove the fingerprint-reader software that the manufacturer supplied with your laptop computer. It may also mean that you have to remove the password vault program that came with your laptop computer and you were using to keep your Website passwords with.

The reality is that some of the business laptops came with software installations where a third-party fingerprint-management program was part of the package. This may be due to the fingerprint reader not having driver software that could work directly with Windows at the time the machine was released or the program offering more “enterprise-friendly” features than what Windows and a baseline password vault could offer for the business laptop’s user class.

If you still value the feature set provided by the fingerprint-management program or depend on its compatibility with certain other management software, it may be a good idea to look for and download the latest versions of that software.

Update the fingerprint-reader’s driver software

HP Elitebook 2560p business notebook fingerprint reader

The fingerprint reader on this HP Elitebook may be able to run the same driver software as one installed on some Lenovo ThinkPads

You would then have to update your fingerprint reader’s driver software to the latest version that can work with Windows 10. This is because the newer driver software takes advantage of the application programming interfaces associated with Windows 10’s Hello authentication mechanism.

Some laptops may require you to update their software relating to their BIOS / firmware and chipset before you progress any further. This is a process you would have to do from your laptop manufacturer’s support Website.

One way would be to open Device Manager in Windows 10 and identify then select the fingerprint reader’s entry in the device list. This will be listed under the Biometric Devices class of devices. Right-click that device and choose “Properties”. Click the “Driver” tab and select the “Update Driver” option to make sure it is up-to-date.

Or you could visit your laptop manufacturer’s support Website and download the latest version of the fingerprint reader’s driver software. Then you install that software, whereupon you may have to reboot your computer as part on the install process.

Sometimes a particular laptop manufacturer may not have the updated driver for the fingerprint reader that is integrated in to their business laptop. Here, you may have to do a Google search for details regarding the make and model of your business laptop and how to enable that machine’s fingerprint reader in Windows 10. This is because a particular fingerprint-reader subsystem may be used by two or more manufacturers in their product lines during a particular point in time. For example, the Lenovo website hosts the Validity Fingerprint Common Driver for Windows 10 which has been found to support most of the fingerprint scanners integrated in HP business laptops like the Elitebook 2560p.

On the other hand, you may find that the latest version of the driver software that they host is the Windows 8.1 version. Here, you can get by with this version for your Windows 10 computer thanks to the use of similar APIs.

Set your laptop up for Windows 10 Hello authentication

The next step will be to set up for Windows 10 Hello – the authentication framework that Windows 10 uses for advanced authentication methods like biometric authentication.

Here, you go to SettingsAccountSign In Options. Then you will have to create a PIN number, which is what you use when you log in to your machine. If you log in to Windows using your Microsoft Account credentials, you will need to create a PIN number, which will become a machine-specific alternative credential.

There will be an option to sign in with your fingerprint which will be enabled thanks to the newer drivers that you installed. Click on that button to sign in with the previously-mentioned PIN if you have created that or to create a new PIN number, before you enrol your fingerprints as your sign-in credentials.

If you still want to “swipe in” to your favourite Websites with your finger, you would need to acquire the latest version of the password manager that came with your computer like HP SimplePass, Softex OmniPass or a similarly-competent password vault that uses fingerprint recognition out of the box.

Conclusion

What this means now is that you don’t have to see the fingerprint scanner on your business laptop computer as being redundant just because you have upgraded your computer to Windows 10.

Send to Kindle

NETGEAR have fixed security exploits in some of their newer routers

Netgear DG834G ADSL2 wireless router

If you are running a recent NETGEAR router, make sure its firmware is up to date

Article

Netgear Patches Its Router’s Security Holes, Download Your Updated Firmware Today | Lifehacker

From the horse’s mouth

NETGEAR

Original Security Advisory

Models affected
Smart Wi-Fi Router AC1600 R6250
AC1750 Smart Wi-Fi Router – 802.11ac Dual Band Gigabit R6400
Nighthawk AC1900 Smart Wi-Fi Router R7000
Nighthawk X6 – AC3200 Tri-Band Wi-Fi Gigabit Router R8000
Nighthawk AC1750 Smart Wi-Fi Router – Dual Band Gigabit R6700 Beta firmware
Nighthawk AC1900 Smart Wi-Fi Router R6900 Beta firmware
Nighthawk 4G LTE Modem Router R7100LG Beta firmware
Nighthawk DST – AC1900 DST router
HomeNetworking01.info coverage
R7300DST Beta firmware
Nighthawk X6 – AC3000 Tri-Band Wi-Fi Gigabit Router R7900 Beta firmware
Wi-Fi VDSL2+/ADSL2+ Modem Router D6220 Beta firmware
AC1600 WiFi VDSL/ADSL Modem Router – 802.11ac Dual Band Gigabit D6400 Beta firmware

My Comments

NETGEAR had faced a serious problem with some of its recent-model routers due to a security exploit in the firmware that drives these network-Internet “edge” devices. Previous coverage about this issue had required you to use another router for your home network to stay secure.

This has had NETGEAR rush out firmware updates for each of these affected routers in order to mitigate the recently-discovered security exploit.

A problem that besets most of the commonly-available home-network bardware is that firmware updating requires you to visit the manufacturer’s site, download the firmware as a special file package for your device, then upload that package to your device via its Web-based management interface. This can daunt some computer users who haven’t much experience with these kind of hardware maintenance tasks.

Personally, I would like to see steps taken to support automatic firmware upgrades such as what AVM are doing with their Fritz!Box devices, or at least the ability to click on a button in the management interface to start the download and update process for the device’s firmware. This is a practice that is being implemented in most of the European-made modem routers, along with most consumer-electronics devices like Smart TVs and set-top video peripherals.

There is also the issue of protecting the update files so that you aren’t installing malware on your device and it may involve processes like authenticity checks for software delivered as part of a firmware update or functionality add-on.

The update procedure

The update procedure will require you to download the updated firmware package using your regular desktop or laptop computer. Here, they recommend that you connect your regular computer directly to the router using an Ethernet cable if you can do so for the download and update process to be sure that this process works reliably.

Follow the link listed in this article to the NETGEAR-hosted support page for your router’s model. You will see the link for the firmware package you need to download. Here, you download that firmware package to your “downloads” folder.

Then, once you have downloaded the firmware from the NETGEAR site, you log in to your router’s management page from that same computer using your favourite Web browser. For these routers, the URL is http://www.routerlogin.net. Subsequently, you have to visit the ADVANCED tab, then the Administration option, then the Firmware Upgrade option.

In that screen, you click the Browse button, which will pop up a file-system dialog box where you have to find the firmware file that you downloaded in your “downloads” folder. Once you have selected the firmware file, click the Upload button to transfer the firmware to your router, whereupon it will commence the updating process. Leave the router alone during this process so as not to interrupt this critical process. You will see a progress bar to indicate how the upgrade is progressing.

Once this update procedure is done, a good practice would be to regularly visit NETGEAR’s support pages for your particular router and check for newer firmware on a regular basis. Then, if there is newer firmware available for your device, update it following the instructions on their Website or the general instructions listed in this article.

Conclusion

The increased awareness by industry and computer media regarding software quality and data security for dedicated-purpose devices connected to the Internet along with consumer / small-business network-infrastructure devices is going to make companies who design these devices or the software that runs them wake up regarding these issues.

Send to Kindle

Keeping hackers away from your Webcam and microphone

Article

Creative Labs LiveCam Connect HD Webcam

Software now exists so you can gain better control over your Webcam

How To Stop Hackers From Spying With Your Webcam | Gizmodo

My Comments

A privacy issue that is being raised regarding the use of cameras and microphones connected to your computer is the fact that malware could be written to turn your computer in to a covert listening device.

Those of us who use a traditional “three-piece” desktop computer and have a physically-separate external Webcam may find this an easier issue because you cam simply disconnect the camera from your computer. But the issue of your Webcam or your computer’s microphone being hacked to spy on you would be of concern for those of us who have the camera or microphone integrated in the computer as with portable or all-in-one equipment, or the monitor which is something that could be offered as a product differentiator by display manufacturers.

The simplest technique that has been advocated to deal with this risk is to attach an opaque sticker or opaque sticky tape over the camera’s lens. Some computer and monitor manufacturers have approached this problem using a panel that slides over the Webcam as a privacy shield. But you wouldn’t be able to control the use of your computer’s integrated microphone unless it had a hardware on-off switch.

Most of the mobile computing platforms require that newly-installed software that wants to use the camera, microphone, GPS device or other phone sensors have to ask permission from the phone’s owner before the software can be installed or use these devices. The Apple iOS App Store even vets software to make sure it is doing the right thing before it is made available through that storefront and this is also becoming so for software sold through the Google Play Android storefront and the Microsoft Store Windows storefront.

Lately there have been some software solutions written for the Windows and Macintosh platforms that allow you to take back control of the camera and microphone due to the fact that these regular-computer platforms have historically made it easier for users to install software from anywhere. But I would also suggest that you scan the computer for malware and make sure that all of the software on the computer, including the operating system, is up-to-date and patched properly.

One of these solutions is Oversight which has been written for the Macintosh platforms and can detect if software is gaining access to your Mac’s Webcam or microphone. It also can detect of two or more programs are gaining access to the Webcam which is a new tactic for Webcam-based spyware because it can take advantage of people using the Webcam for business and personal videocalls and record these conversations. The user has the ability to allow or block a program’s access to the Webcam or microphone.

For the Windows platform, a similar program called “Who Stalks My Cam” detects events relating to your computer’s Webcam such as software wanting to acquire material from it.  This has the abilities for you to stop a program that is using the Webcam running or to shut down the Webcam process. But there is also the ability to track processes that are running while the computer system is idle because some spyware processes can be set up to come alive when the system isn’t being actively used. The program even allows you to “whitelist” programs that you trust like over-the-top communications programs or video-recording software so that it doesn’t get in their way.

The ability to track usage of attached / connected cameras and microphones or similar hardware like GPS units by software running on your computer will end up becoming part of a typical desktop/endpoint security program’s feature set as people become concerned about the use of these devices by spyware. This is in conjunction with operating systems also hardening access to devices that can be used to spy on their users by implementing software certification, sandboxing, privileged access and similar techniques.

It is definitely another threat vector that we are being concerned about when it comes to data security and personal privacy.

Send to Kindle

Celebrity gossip sites–attractive to malware distributors

Articles

Who Weekly celebrity-gossip-magazine Web site

Be sure you stick with trusted news sites when you are after celebrity gossip

The most dangerous celebrities to look up on Google | BGR.com

Searching for celebrity news on Google can be dangerous for your computer | Panda Security

Malware parasites feed on PerezHilton.com gossip fans | BBC News

My Comments

An issue that has been raised is that searching for the latest news and gossip about a celebrity can be risky for your computer’s security. Panda Security even described it as being of risk to a business’s computer systems because office workers would do it during slow times in their workday. It is though this activity is still today’s equivalent of looking through the gossip magazines at the supermarket checkout or in the doctor’s waiting room.

This is because the Internet has made it easier to push up “fly-by-night” gossip Websites that are laden with malware and have these advertised.

Online ad - to be respected like advertising in printed media

Ads on sites like here need to be secure to obtain the same respect as magazine ads

It is also because there is a weakness that exists in the online advertising marketplace is that ad networks and publishers don’t subject the advertising that comes to these networks to thorough scrutiny on a safety perspective. This then allows online advertising to become a breeding ground for malware with such things as “malvertising” where scripted ads are used to “push” malware on to users’ systems. This is a topic I have raised because I am wanting to see the rise of a quality online ad marketplace that has the same level of respect as the advertising seen in traditional print media.

A similar situation happens whenever a new album or movie featuring a popular entertainer is released because sites and torrent files would pop up claiming to offer the material for free. To the same extent, this could include offers of “exclusive” photo, audio and video material relating to the content or its performers for free. The same thing also can happen with surveillance, personal-album or similar material that features celebrities in compromising situations and ends up being “leaked” to the public arena. Again these sites and the torrent “file-of-files” available to download would be a minefield of malware files if you aren’t careful.

The situation becomes worse during the time surrounding entertainment-industry awards events, the release of new headline content featuring the celebrities or whenever there are major personal events affecting these people such as new relationships or relationship breakups. The articles cited that people involved with the Hollywood entertainment scene are more likely to be targeted with fly-by-night malware sites, malvertising attempts and similar skulduggery. but I also would place at risk of this treatment the British Royal Family or past and present popular Presidents of the United States.

What can you do?

  • Make sure your regular or mobile computing device is running the latest version of the operating system and you are using the latest version of the Web browser(s) and other software that you surf the Web with. It may also be a good practice to run an up-to-date version of a desktop / endpoint security program which can scan for flaky links and files.
  • Most importantly, think before you click! When you are searching for information about a particular show, recording or star, get it “from the horse’s mouth” – go to the publisher’s or broadcaster’s site that relates to what you are after. Also visit the online presence of the mastheads that you know and trust when you are after the celebrity or entertainment-industry news. Examples of these would be those magazines available at the supermarket checkout
  • But be careful about anyone offering links to resources that are too good to be true, especially where words like “free” and “exclusive” are bandied around. These sites are the ones that are the malware traps.
  • You may find that using tools like search engines or browser plugins that verify Websites’ reputation may be of assistance when it comes to staying away from flaky Websites.
  • As for online advertising with sites that are suddenly popular, be careful about following through on these links or make sure you are using desktop security software to protect your computer against malware.

Conclusion

You can engage in the digital equivalent of browsing the gossip mags safely as long as you are sure of the resources that you are heading towards and don’t fall for the bait.

Send to Kindle

EU wants to establish a security baseline for Internet Of Things

Article

Netgear DG834G ADSL2 wireless router

The security of network connectivity equipment is now in question thanks to the Krebs On Security DDoS attack

The EU’s latest idea to secure the Internet of Things? Sticky labels | Naked Security Blog

My Comments

The European Commission wants to push forward with a set of minimum standards for data security especially in context with “dedicated-function” devices including the “Internet Of Things” or “Internet Of Everything”. This also includes a simplified consumer-facing product-label system along with a customer-education program very similar to what has taken place in most countries concerning the energy efficiency of the appliances or the nutritional value of the foodstuffs we purchase.

This issue has been driven by a recent cyber attack on the Krebs On Security blog where the “Mirai” botnet was used to overload that security blog, the latest in a string of many attacks that were inflicted against data-security journalist Brian Krebs. But this botnet was hosted not on regular computers that were running malware downloaded from questionable Internet sites, nor was it hosted on Web hosts that were serving small-time Websites running a popular content management system. It was based on poorly-secured “dedicated-function” devices like network-infrastructure devices, video-surveillance devices, printers and “Internet Of Things” devices that had their firmware meddled with.

Nest Learning Thermostat courtesy of Nest Labs

… as could other Internet-Of-Things devices like these room thermostats

There will be issues that concern how we set network-enabled equipment up to operate securely along with the level of software maintenance that takes place for their firmware. A question always raised in this context is the setup or installation procedure that you perform when you first use these devices – whether this should be about a “default-for-security” procedure like requiring an administrator password of sufficient strength to be set before you can use the device.

But I also see another question concerning the “durables” class of equipment like refrigerators, televisions, building security and the like which is expected to be pushed on for a long time, typically past the time that a manufacturer would cease providing support for it. What needs to happen is an approach towards keeping the software maintained such as, perhaps, open-sourcing it or establishing a baseline software for that device.

Manufacturers could be researching ways to implement centralised simplified secure setup for consumer “Internet-Of-Things” devices along with maintaining the software that comes with these devices. This could be also about working on these issues with industry associations so that this kind of management can work industry-wide.

But the certification and distinct labelling requirement could be about enforcing secure-by-design approaches so that customers prefer hardware that has this quality. Similarly, a distinct label could be implemented to show that a device benefits from regular secure software maintenance so that it is protected against newer threats.

It usually just requires something to happen in a significant manner to be a wake-up call regarding computer and data security. But once a standard is worked out, it could answer the question of keeping “dedicated-purpose” computing devices secure.

Send to Kindle

Be careful about USB memory keys left in the letterbox

Articles USB memory keys press picture courtesy of Victoria Police

Police warn of malware-laden USB sticks dropped in letterboxes | The Register

Crims place booby-trapped USB drives in letter boxes | IT News

Don’t plug it in! Scammers post infected USB sticks through letterboxes | Naked Security (Sophos blog)

From the horse’s mouth

Victoria Police

Press Release

My Comments

An issue that is being raised concerning data security is people loading data from USB memory keys that they don’t expect.

This has been used as a way to distribute malware to businessmen at conferences because these thumbdrives, like floppy discs and optical discs, have been accepted as a way to distribute conference content or “electronic brochures” and added to participants’ “show-bags” handed out at these events. The typical method of delivering a malware-laded USB stick was to abandon it at the venue, hotel or “watering-hole” bar and it would inspire people’s curiosity to pick up this memory key, plug it in to their laptop and load up what was on the stick.

Newer iterations of the desktop operating systems i.e. Windows or MacOS have made it hard to allow one to run a program off a USB memory key by default. Similarly, most of the desktop security software would implement removable-media scanning routines to automatically check for malware on a USB stick or other removable media. But there have been some USB thumbdrive variants which have had the firmware altered to run keystroke macros or meddle with network settings.

This situation has now been found to occur in a personal-computing context in some of the outer south-eastern Melbourne suburbs like Pakenham. This was where USB memory keys were left on households’ mail boxes and these thumbdrives were full of malware including fraudulent content-streaming offers. Infact Victoria Police even encouraged Australian householders who received these thumbdrives in their mailbox to contact Crimestoppers Victoria by phoning 1-800-333-000 or using the online form.

But the common security advice to deal with USB memory keys that you didn’t expect to receive is not to insert them in your computer. If you do expect to receive one of these sticks such as them being in a show-bag from a vendor or you receiving conference material on one of them, make sure that you have your operating system and desktop security software patched and updated.

Send to Kindle

Avoiding a mess-up with your small business’s or community organisation’s IT

Lenovo ThinkPad Helix 2 connected to Wi-Fi hotspot at Bean Counter Cafe

Make sure you know where you stand with your small business’s or community organisation’s IT software and services

A very common situation that can come about with a small business that is starting out or a community organisation that is running with a handful of core volunteers is that you can end up with a messy information-technology situation.

Typically this happens because the people who are behind the organisation typically buy the hardware, software and services out of their own pocket, assuming that the organisation is running on the “smell of an oily rag” with very minimal funds. This situation affects organisations in the religious, charitable or voluntary sector where they want to spend as little on office-related or capital expenses as possible so the money that comes in is focused on the organisation’s raison d’etre.

What can happen especially with software is that the it ends up being licensed in the name of the contributor or volunteer while a service like Web-site hosting and domain-name renewal is paid out of a member’s or volunteer’s personal funds and managed in the name of that member. In the case of operating systems or other software that are furnished with donated computer hardware, the software can also be licensed in the name of the donor rather than the beneficiary and no procedure takes place to technically and legally transfer this ownership.

Then you can end up with issues like software piracy and non-compliance or a service being paid for by someone who has left the organisation then you don’t know where that service is going or whom the computer software should be in the name of. You also have the issue of where the organisation legally stands when it come to using the service and this can also place the continuity of that service in doubt.

Do you know the organisation’s legal entity?

Here, you have to know how the business or organisation is legally referred to and represented. This includes a business, company or other legal name that represents the organisation as well as its trading or other “public-facing” name. Typically, the organisation’s legal name may be written out in any stationery associated with its bank account.

Software

Make sure that any software that the organisation uses is bought in the name of the organisation, If someone wants to donate a program to the organisation, they need to either donate the program’s value to the organisation as cash through the normal paths like a church’s offering plate or basket. Or they could buy the software as an unencumbered package using their funds and hand the software package over to the organisation.

Some “buy and download” software providers may allow you to register a copy of the software in one name while allowing you to pay using a credit card or PayPal account in a different name. This measure is typically provided to allow one to give the software as a personal gift.

Services

Increasingly business IT is being focused towards the purchasing of services like Web hosting, domain names and the like, with a an increasing amount of IT functions like software suites being sold “as a service”. Typically this involves someone having to pay for the service on a regular basis.

Payment for the services

What these organisations can do is to maintain a business debit card based on a major payment-card platform and drawing from the organisation’s funds. The organisation adopts strict usage and accounting procedures with establishing payments using this card and uses it primarily for paying for business services that can only be paid with a major payment card. On the other hand, they could make sure that the service they want to engage can accept a standing direct-debit order as the payment method. Anyone who wishes to donate the cost of a service could do so through a cash payment to the organisation in the usual payment path.

Whose name is the service under?

As for these services, make sure that they are registered or set up in the name of the organisation. For example, a domain name’s WHOIS data must reflect the name of the organisation and whoever is in executive position. For organisations who have a home as their office, it may be better to supply a mailing address like a PO box or a mail-drop; or use the shopfront’s address as a mailing address if they do operate a long-term physical shopfront.

Login details and user accounts

All login details like usernames and passwords associated with these services have to be known to authorised personnel currently in that organisation. This could be achieved through either a paper document or electronic-form document file that is on a USB memory key which has to be kept in safe storage on the organisation’s premises like a safe. Here, you could use a “secure” USB memory key which uses encryption and password security for this purpose and keep the password for that in a separate envelope. This list of passwords needs to be updated every time these passwords are changed and they should be changed regularly such as whenever people leave the organisation.

You may find that it is better to use multiple user accounts for these services so you can add and remove users easily and allow these users to determine their login parameters. The multiple-user-account setup also gives you the benefit of limiting what privileges a user’s account has, so that the privileges reflect the expected job function for the account-holder But the administrator password for these services needs to be kept on the above-mentioned organisational password list that is to be kept in safe storage.

Similarly, you may find that the multiple-user-account setup that a service uses may work with single-sign-on so that the credentials are verified with a third-party platform like Microsoft.com, Google or Facebook with the service receiving the “all-clear” in the form of a token. This may be OK to pursue if the employee or volunteer agrees to using the account associated with one of these platforms as part of single sign-on.

Conclusion

Once your small business or community organisation has their software and services properly under their own umbrella, they can make sure that they know where it stands through the life of the software and services rather than dealing with a dog’s breakfast.

Send to Kindle

August responds to its smart lock’s security weaknesses by patching its software

Article August Smart Lock press picture courtesy of August

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware focused at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices along with customers not installing new software updates for these devices.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

What is a sad reality for a lot of these devices is that the manufacturer rarely maintains the firmware that runs these devices, if not at all. Some manufacturers think that this practice is about having to “add functionality” to these devices which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product is complying with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more in the form of them disclosing the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also is something that is applying to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called out for is a feedback loop where bugs and other software deficiencies in all these devices are called out and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.

Send to Kindle

More malware being discovered for the Macintosh platform

Article

Apple MacBook Pro running MacOS X Mavericks - press picture courtesy of Apple

Even Apple Macintosh users need to keep secure computing habits

Mac Malware Opens OS X Backdoor to Attackers | Tom’s Guide

My Comments

A lot of Apple Macintosh users have jumped to this platform based on an initial fact that there was very little malware written for it. But now, as more people are using Macs, they are becoming a target for malware including some “backdoor” software which weakens the MacOS’s defences against other malware.

This time, what was being called out was a Trojan-horse program that pretends to be a file-conversion program, the kind of program that is easily downloaded in a hurry.

Keep your Mac’s operating system and software patched and updated

A good practice regarding keeping your Mac secure, as with other computing platforms, is to make sure that the MacOS operating system is up-to-date with all the patches that Apple releases. This is because Apple may have released bug-fixes or remedied exploits that have been discovered in your version of the MacOS operating system.

Preferably, I would recommend you have this set up to work automatically so that when you are connected to the Internet via Wi-Fi or Ethernet, your Mac is kept updated and patched.

You can set this up to be performed automatically by going to [Apple] – [System Preferences]. Then you go to the App Store panel if you have one of the newer versions of MacOS (Yosemite onwards) then check the boxes for “Automatically check for updates” and “Download newly available updates in the background”. This will then make the “Install OS X Updates” option available which you should check.

For Macs that run prior versions, you would still go via [Apple]-[Software Update] and set the appropriate options to automatically patch your version of MacOS X.

You can manually update and patch your Mac by visiting the App Store if you are in Yosemite or newer versions and tick off all of the software that needs updating in the Updates panel. For prior operating systems, you would need to visit the [Apple]-[Software Update] menu and click the option to download and install the latest patches for your Mac.

You can still visit the Updates panel in the App Store and go through all the apps that need updating so you can be sure they are up-to-date. If you have software that isn’t delivered via the App Store, use its interface or the software developer’s Website to keep it up-to-date. This is also important because older versions of application and other software can carry bugs or exploits.

This is something you should do when you switch your Mac on if you haven’t used your Mac or haven’t connected it to the Internet for a significant amount of time, such as with a secondary-use MacBook or a Mac that you use as part of multi-platform computing.

Upgrade your Mac’s operating system if you can

It may be worth upgrading your Mac’s operating system to a newer version if your computer can handle it. In most cases, you can update the system for either pennies’ worth or for free. Here, you could check the App Store or Apple’s website regarding newer operating systems for your Mac.

The main advantages that these new operating systems offer encompass system-wide hardening including the availability of the Mac App Store where the software is verified before it is made available.

Make sure you download software from reputable sources

For all computing platforms, one requirement for safe and secure computing is to obtain computer software from known reputable sources.

In the case of the Macintosh, either download new software from the Mac App Store where the software is verified or from the website of a trusted and known developer. Even when you obtain software from the Mac App Store, check the quality of the software by looking through the reviews that are posted about it and checking the reviews also for other software offered by the same developer. I have written an article about obtaining software from app stores because there has been a risk of them turning in to the equivalent of bulletin boards and download sites that host poor-quality software.

When it comes to software delivered in a packaged form, avoid the temptation to install from anything unless you have bought it yourself from a reputable dealer.

Consider desktop-security software for the Mac

This may sound foreign to Apple Macintosh users but you may also find that it may be worth considering the installation of a desktop-security / endpoint-security program on your Mac. It is more so if you or others who use your Mac are not astute when it comes to downloading software or handling the Internet.

Most of the developers who have written these kind of programs for the Windows-based computers have now written versions of these programs for the Macintosh platform because of the rise of threats against this platform. Like with Windows, the better desktop-security programs also offer protection against Internet-borne threats such as site-reputation checking, content filtering, and spam filtering. Similarly, better-quality software runs in a manner that doesn’t impinge on your Mac’s performance.

Conclusion

Like other computer platforms like DOS / Windows, the Apple Macintosh needs its users to be careful about keeping their computer and data secure. This includes keeping the operating system up-to-date along with being sure about what software you have on your computer.

Send to Kindle