Category: Data security

HP to introduce virtual-hardware security for Web browsing

Article

HP Elitebook x360 G2 press picture courtesy of HP USA

HP Elitebook x360 G2 – to be equipped for Sure Click

HP hardens EliteBook protection with Sure Click, a browser secured in virtual hardware | PC World

From the horse’s mouth

HP

Press Release

Bromium

Press Release

Video explaining the Bromium micro-virtualisation approach

My Comments

A very common attack gateway that has been identified for endpoint computing devices, especially regular desktop or laptop computers, is the Web browser. It is because the browser is essentially the “viewport” to the Internet for most reading-based tasks.

But most recent browser versions have implemented software-based “hardening” against the various Internet-based attacks. This is in conjunction with the main desktop operating systems being “hardened” through each and every update and patch automatically applied. These updates facilitate practices like “sandboxing” where software of questionable provenance is effectively corralled in a logical quarantine area with minimal privileges so it doesn’t affect the rest of the system.

HP and Bromium have developed a “virtual hardware” approach where a browsing session takes place in a separate “logical computer”, a concept made practical by the multi-core CPUs that are the hub of today’s computer systems. This provides improved security because that “logical computer” is effectively a hardware-isolated environment with its own operating system, and its data is destroyed at the end of the session. It restricts the effect of malware like ransomware picked up during a “drive-by” download because the software can only run within that separate “logical computer”.

At the moment, this feature is being initially rolled out to the Elitebook x360 G2 convertible business laptop but will trickle out across the next generation of “Elite” premium manageable business computers to be launched in the second half of the year. It will work only with Microsoft’s Internet Explorer and Google’s open-source Chromium browser at the moment. What I would like to see happen is that this feature is able to be “trickled-down” to HP’s consumer, education and small-business product ranges but in a more “self-service” manner because households, small businesses and volunteer-driven community organisations could equally benefit from this feature.

Making sure your business laptop’s fingerprint reader works with Windows 10

Fujitsu Lifebook S-Series SH771 ultraportable

You may have a problem with the fingerprint readers on these business laptops after you upgrade the operating system to Windows 10

Those of you who had purchased a business laptop equipped with a fingerprint reader may find that this feature doesn’t work with Windows 10. The situation can be very difficult if you had participated in the Windows 10 free-upgrade program that happened from 2015 to 2016 and you may have foregone the use of this security feature after that upgrade.

What can you do?

Remove the existing fingerprint-authentication software from the laptop

Use the Windows 10 Add/Remove Programs option to remove the fingerprint-reader software that the manufacturer supplied with your laptop computer. It may also mean that you have to remove the password vault program that came with your laptop computer and that you were using to keep your Website passwords in.

The reality is that some of the business laptops came with software installations where a third-party fingerprint-management program was part of the package. This may be due to the fingerprint reader not having driver software that could work directly with Windows at the time the machine was released or the program offering more “enterprise-friendly” features than what Windows and a baseline password vault could offer for the business laptop’s user class.

If you still value the feature set provided by the fingerprint-management program or depend on its compatibility with certain other management software, it may be a good idea to look for and download the latest versions of that software.

Update the fingerprint-reader’s driver software

HP Elitebook 2560p business notebook fingerprint reader

The fingerprint reader on this HP Elitebook may be able to run the same driver software as one installed on some Lenovo ThinkPads

You would then have to update your fingerprint reader’s driver software to the latest version that can work with Windows 10. This is because the newer driver software takes advantage of the application programming interfaces associated with Windows 10’s Hello authentication mechanism.

Some laptops may require you to update their software relating to their BIOS / firmware and chipset before you progress any further. This is a process you would have to do from your laptop manufacturer’s support Website.

One way would be to open Device Manager in Windows 10 and identify and select the fingerprint reader’s entry in the device list. This will be listed under the Biometric Devices class of devices. Right-click that device and choose “Properties”. Click the “Driver” tab and select the “Update Driver” option to make sure it is up-to-date.

Or you could visit your laptop manufacturer’s support Website and download the latest version of the fingerprint reader’s driver software. Then you install that software, whereupon you may have to reboot your computer as part of the install process.

Sometimes a particular laptop manufacturer may not have the updated driver for the fingerprint reader that is integrated into their business laptop. Here, you may have to do a Google search for details regarding the make and model of your business laptop and how to enable that machine’s fingerprint reader in Windows 10. This is because a particular fingerprint-reader subsystem may be used by two or more manufacturers in their product lines at a particular point in time. For example, the Lenovo website hosts the Validity Fingerprint Common Driver for Windows 10, which has been found to support most of the fingerprint scanners integrated in HP business laptops like the Elitebook 2560p.

On the other hand, you may find that the latest version of the driver software that they host is the Windows 8.1 version. Here, you can get by with this version for your Windows 10 computer thanks to the use of similar APIs.

Set your laptop up for Windows 10 Hello authentication

The next step will be to set up for Windows 10 Hello – the authentication framework that Windows 10 uses for advanced authentication methods like biometric authentication.

Here, you go to Settings > Accounts > Sign-in options. Then you will have to create a PIN, which is what you use when you log in to your machine. If you log in to Windows using your Microsoft Account credentials, you will still need to create a PIN, which becomes a machine-specific alternative credential.

There will be an option to sign in with your fingerprint, enabled thanks to the newer drivers that you installed. Click on that button, sign in with the previously-mentioned PIN (or create one now if you haven’t already), then enrol your fingerprints as your sign-in credentials.
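As an added check that is not part of the original post, the following PowerShell inventories the fingerprint reader as Windows 10 sees it (the same Biometric class and driver details as the Device Manager steps above) and confirms that the Windows Biometric Service behind Hello is running. It assumes only the built-in PnpDevice cmdlets and the WbioSrvc service name; the function names are my own.

```powershell
# Added example (not from the original post): report the fingerprint reader's
# driver version/date/provider and the state of the Windows Biometric Service
# (WbioSrvc), which Windows Hello fingerprint sign-in depends on.
# Uses only built-in cmdlets from the PnpDevice module (Windows 10).

function Get-BiometricReaderStatus {
    [CmdletBinding()]
    param()

    # "Biometric" is the Device Manager class the post tells you to look under.
    $readers = Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue

    if (-not $readers) {
        Write-Warning 'No biometric device is present. Check that the reader is not disabled in the BIOS/firmware and that the chipset drivers are installed.'
        return
    }

    foreach ($dev in $readers) {
        # Driver metadata comes from device properties, the same data as the Driver tab.
        $props = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
            -KeyName 'DEVPKEY_Device_DriverVersion', 'DEVPKEY_Device_DriverDate', 'DEVPKEY_Device_DriverProvider'

        $info = @{}
        foreach ($p in $props) { $info[$p.KeyName] = $p.Data }

        [pscustomobject]@{
            Name           = $dev.FriendlyName
            InstanceId     = $dev.InstanceId
            Status         = $dev.Status   # 'OK' = driver loaded cleanly; 'Error' usually means no usable driver
            DriverProvider = $info['DEVPKEY_Device_DriverProvider']
            DriverVersion  = $info['DEVPKEY_Device_DriverVersion']
            DriverDate     = $info['DEVPKEY_Device_DriverDate']
        }
    }
}

function Test-BiometricService {
    # Hello fingerprint sign-in will not be offered unless WbioSrvc is running.
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Windows Biometric Service (WbioSrvc) is not installed on this system.'
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "WbioSrvc is $($svc.Status) (start type: $($svc.StartType)); start it before enrolling fingerprints."
        return $false
    }
    return $true
}

Get-BiometricReaderStatus | Format-List
Test-BiometricService
```

A reader that shows Status “Error” with an old or generic DriverProvider is the case the post describes: the Windows 10 (or 8.1) driver from the vendor’s site has not been installed yet.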

If you still want to “swipe in” to your favourite Websites with your finger, you would need to acquire the latest version of the password manager that came with your computer like HP SimplePass, Softex OmniPass or a similarly-competent password vault that uses fingerprint recognition out of the box.

Conclusion

What this means now is that you don’t have to see the fingerprint scanner on your business laptop computer as being redundant just because you have upgraded your computer to Windows 10.

NETGEAR have fixed security exploits in some of their newer routers

Netgear DG834G ADSL2 wireless router

If you are running a recent NETGEAR router, make sure its firmware is up to date

Article

Netgear Patches Its Router’s Security Holes, Download Your Updated Firmware Today | Lifehacker

From the horse’s mouth

NETGEAR

Original Security Advisory

Models affected
  • Smart Wi-Fi Router AC1600 R6250
  • AC1750 Smart Wi-Fi Router – 802.11ac Dual Band Gigabit R6400
  • Nighthawk AC1900 Smart Wi-Fi Router R7000
  • Nighthawk X6 – AC3200 Tri-Band Wi-Fi Gigabit Router R8000
  • Nighthawk AC1750 Smart Wi-Fi Router – Dual Band Gigabit R6700 (Beta firmware)
  • Nighthawk AC1900 Smart Wi-Fi Router R6900 (Beta firmware)
  • Nighthawk 4G LTE Modem Router R7100LG (Beta firmware)
  • Nighthawk DST – AC1900 DST router R7300DST (Beta firmware) – HomeNetworking01.info coverage
  • Nighthawk X6 – AC3000 Tri-Band Wi-Fi Gigabit Router R7900 (Beta firmware)
  • Wi-Fi VDSL2+/ADSL2+ Modem Router D6220 (Beta firmware)
  • AC1600 WiFi VDSL/ADSL Modem Router – 802.11ac Dual Band Gigabit D6400 (Beta firmware)

My Comments

NETGEAR had faced a serious problem with some of its recent-model routers due to a security exploit in the firmware that drives these network-Internet “edge” devices. Previous coverage about this issue had required you to use another router for your home network to stay secure.

This has had NETGEAR rush out firmware updates for each of these affected routers in order to mitigate the recently-discovered security exploit.

A problem that besets most of the commonly-available home-network hardware is that firmware updating requires you to visit the manufacturer’s site, download the firmware as a special file package for your device, then upload that package to your device via its Web-based management interface. This can daunt some computer users who haven’t much experience with these kinds of hardware maintenance tasks.

Personally, I would like to see steps taken to support automatic firmware upgrades such as what AVM are doing with their Fritz!Box devices, or at least the ability to click on a button in the management interface to start the download and update process for the device’s firmware. This is a practice that is being implemented in most of the European-made modem routers, along with most consumer-electronics devices like Smart TVs and set-top video peripherals.

There is also the issue of protecting the update files so that you aren’t installing malware on your device and it may involve processes like authenticity checks for software delivered as part of a firmware update or functionality add-on.

The update procedure

The update procedure will require you to download the updated firmware package using your regular desktop or laptop computer. Here, they recommend that you connect your regular computer directly to the router using an Ethernet cable if you can do so for the download and update process to be sure that this process works reliably.

Follow the link listed in this article to the NETGEAR-hosted support page for your router’s model. You will see the link for the firmware package you need to download. Here, you download that firmware package to your “downloads” folder.

Then, once you have downloaded the firmware from the NETGEAR site, you log in to your router’s management page from that same computer using your favourite Web browser. For these routers, the URL is http://www.routerlogin.net. Subsequently, you have to visit the ADVANCED tab, then the Administration option, then the Firmware Upgrade option.

In that screen, you click the Browse button, which will pop up a file-system dialog box where you have to find the firmware file that you downloaded in your “downloads” folder. Once you have selected the firmware file, click the Upload button to transfer the firmware to your router, whereupon it will commence the updating process. Leave the router alone during this process so as not to interrupt this critical process. You will see a progress bar to indicate how the upgrade is progressing.

Once this update procedure is done, a good practice would be to regularly visit NETGEAR’s support pages for your particular router and check for newer firmware on a regular basis. Then, if there is newer firmware available for your device, update it following the instructions on their Website or the general instructions listed in this article.

Conclusion

The increased awareness by industry and computer media regarding software quality and data security for dedicated-purpose devices connected to the Internet along with consumer / small-business network-infrastructure devices is going to make companies who design these devices or the software that runs them wake up regarding these issues.

Keeping hackers away from your Webcam and microphone

Article

Creative Labs LiveCam Connect HD Webcam

Software now exists so you can gain better control over your Webcam

How To Stop Hackers From Spying With Your Webcam | Gizmodo

My Comments

A privacy issue that is being raised regarding the use of cameras and microphones connected to your computer is the fact that malware could be written to turn your computer into a covert listening device.

Those of us who use a traditional “three-piece” desktop computer and have a physically-separate external Webcam may find this an easier issue because you can simply disconnect the camera from your computer. But the issue of your Webcam or your computer’s microphone being hacked to spy on you would be of concern for those of us who have the camera or microphone integrated in the computer, as with portable or all-in-one equipment, or in the monitor, which is something that could be offered as a product differentiator by display manufacturers.

The simplest technique that has been advocated to deal with this risk is to attach an opaque sticker or opaque sticky tape over the camera’s lens. Some computer and monitor manufacturers have approached this problem using a panel that slides over the Webcam as a privacy shield. But you wouldn’t be able to control the use of your computer’s integrated microphone unless it had a hardware on-off switch.

Most of the mobile computing platforms require that newly-installed software that wants to use the camera, microphone, GPS device or other phone sensors have to ask permission from the phone’s owner before the software can be installed or use these devices. The Apple iOS App Store even vets software to make sure it is doing the right thing before it is made available through that storefront and this is also becoming so for software sold through the Google Play Android storefront and the Microsoft Store Windows storefront.

Lately there have been some software solutions written for the Windows and Macintosh platforms that allow you to take back control of the camera and microphone due to the fact that these regular-computer platforms have historically made it easier for users to install software from anywhere. But I would also suggest that you scan the computer for malware and make sure that all of the software on the computer, including the operating system, is up-to-date and patched properly.

One of these solutions is Oversight, which has been written for the Macintosh platforms and can detect if software is gaining access to your Mac’s Webcam or microphone. It can also detect if two or more programs are gaining access to the Webcam, which is a new tactic for Webcam-based spyware because it can take advantage of people using the Webcam for business and personal videocalls and record these conversations. The user has the ability to allow or block a program’s access to the Webcam or microphone.

For the Windows platform, a similar program called “Who Stalks My Cam” detects events relating to your computer’s Webcam, such as software wanting to acquire material from it. It gives you the ability to stop a program that is using the Webcam, or to shut down the Webcam process. There is also the ability to track processes that are running while the computer system is idle, because some spyware processes can be set up to come alive when the system isn’t being actively used. The program even allows you to “whitelist” programs that you trust, like over-the-top communications programs or video-recording software, so that it doesn’t get in their way.
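As an added example that is not part of the original post or the cited tools, this PowerShell reads the per-app camera and microphone “consent store” that newer Windows 10 builds keep in the registry, so you can see which programs last used those devices and whether one appears to be using them right now. It assumes the CapabilityAccessManager\ConsentStore registry layout described in the comments; the function name is my own.

```powershell
# Added example (not from the original post): list which programs Windows 10
# has recorded as using the webcam and microphone. Newer Windows 10 builds keep
# a per-app record under HKCU:\...\CapabilityAccessManager\ConsentStore with
# LastUsedTimeStart / LastUsedTimeStop stored as FILETIME values. A non-zero
# start with a stop time of 0 normally means the device is in use right now.
# This is a read-only inventory to compare against your own whitelist.

function Get-CapabilityUsage {
    param(
        [ValidateSet('webcam', 'microphone')]
        [string]$Capability = 'webcam'
    )

    # Store (packaged) apps sit directly under the capability key;
    # classic desktop programs sit under the NonPackaged subkey.
    $base = "HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\$Capability"
    if (-not (Test-Path $base)) {
        Write-Warning "No consent store for '$Capability' found (older Windows 10 build?)"
        return
    }

    $keys = @(Get-ChildItem -Path $base -ErrorAction SilentlyContinue)
    $nonPackaged = Join-Path $base 'NonPackaged'
    if (Test-Path $nonPackaged) {
        $keys += Get-ChildItem -Path $nonPackaged -ErrorAction SilentlyContinue
    }

    foreach ($k in $keys) {
        if ($k.PSChildName -eq 'NonPackaged') { continue }   # container, not an app
        $start = $k.GetValue('LastUsedTimeStart')
        $stop  = $k.GetValue('LastUsedTimeStop')
        if (-not $start) { continue }                         # never used this device

        # NonPackaged key names are executable paths with '\' replaced by '#'.
        $app = $k.PSChildName -replace '#', '\'
        $lastStop = $null
        if ($stop) { $lastStop = [DateTime]::FromFileTime([int64]$stop) }

        [pscustomobject]@{
            Capability = $Capability
            Program    = $app
            LastStart  = [DateTime]::FromFileTime([int64]$start)
            LastStop   = $lastStop
            InUseNow   = ($stop -eq 0)
        }
    }
}

# Report webcam and microphone use, most recent first. Anything you don't
# recognise is worth checking against the running process list.
'webcam', 'microphone' | ForEach-Object { Get-CapabilityUsage -Capability $_ } |
    Sort-Object LastStart -Descending | Format-Table -AutoSize
```

An entry with InUseNow set while you are not on a call is the situation the post describes and is the program to look at first.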

The ability to track usage of attached / connected cameras and microphones or similar hardware like GPS units by software running on your computer will end up becoming part of a typical desktop/endpoint security program’s feature set as people become concerned about the use of these devices by spyware. This is in conjunction with operating systems also hardening access to devices that can be used to spy on their users by implementing software certification, sandboxing, privileged access and similar techniques.

It is definitely another threat vector that we are being concerned about when it comes to data security and personal privacy.

Celebrity gossip sites–attractive to malware distributors

Articles

Who Weekly celebrity-gossip-magazine Web site

Be sure you stick with trusted news sites when you are after celebrity gossip

The most dangerous celebrities to look up on Google | BGR.com

Searching for celebrity news on Google can be dangerous for your computer | Panda Security

Malware parasites feed on PerezHilton.com gossip fans | BBC News

My Comments

An issue that has been raised is that searching for the latest news and gossip about a celebrity can be risky for your computer’s security. Panda Security even described it as being a risk to a business’s computer systems because office workers would do it during slow times in their workday. It is as though this activity is today’s equivalent of looking through the gossip magazines at the supermarket checkout or in the doctor’s waiting room.

This is because the Internet has made it easier to push up “fly-by-night” gossip Websites that are laden with malware and have these advertised.

Online ad - to be respected like advertising in printed media

Ads on sites like here need to be secure to obtain the same respect as magazine ads

It is also because of a weakness in the online advertising marketplace: ad networks and publishers don’t subject the advertising that comes to these networks to thorough scrutiny from a safety perspective. This then allows online advertising to become a breeding ground for malware, with such things as “malvertising” where scripted ads are used to “push” malware on to users’ systems. This is a topic I have raised because I want to see the rise of a quality online ad marketplace that has the same level of respect as the advertising seen in traditional print media.

A similar situation happens whenever a new album or movie featuring a popular entertainer is released because sites and torrent files would pop up claiming to offer the material for free. To the same extent, this could include offers of “exclusive” photo, audio and video material relating to the content or its performers for free. The same thing also can happen with surveillance, personal-album or similar material that features celebrities in compromising situations and ends up being “leaked” to the public arena. Again these sites and the torrent “file-of-files” available to download would be a minefield of malware files if you aren’t careful.

The situation becomes worse during the time surrounding entertainment-industry awards events, the release of new headline content featuring the celebrities, or whenever there are major personal events affecting these people such as new relationships or relationship breakups. The articles cited that people involved with the Hollywood entertainment scene are more likely to be targeted with fly-by-night malware sites, malvertising attempts and similar skulduggery, but I would also place the British Royal Family and past and present popular Presidents of the United States at risk of this treatment.

What can you do?

  • Make sure your regular or mobile computing device is running the latest version of the operating system and you are using the latest version of the Web browser(s) and other software that you surf the Web with. It may also be a good practice to run an up-to-date version of a desktop / endpoint security program which can scan for flaky links and files.
  • Most importantly, think before you click! When you are searching for information about a particular show, recording or star, get it “from the horse’s mouth” – go to the publisher’s or broadcaster’s site that relates to what you are after. Also visit the online presence of the mastheads that you know and trust when you are after celebrity or entertainment-industry news. Examples of these would be the magazines available at the supermarket checkout.
  • But be careful about anyone offering links to resources that are too good to be true, especially where words like “free” and “exclusive” are bandied around. These sites are the ones that are the malware traps.
  • You may find that using tools like search engines or browser plugins that verify Websites’ reputation may be of assistance when it comes to staying away from flaky Websites.
  • As for online advertising with sites that are suddenly popular, be careful about following through on these links or make sure you are using desktop security software to protect your computer against malware.

Conclusion

You can engage in the digital equivalent of browsing the gossip mags safely as long as you are sure of the resources that you are heading towards and don’t fall for the bait.

EU wants to establish a security baseline for Internet Of Things

Article

Netgear DG834G ADSL2 wireless router

The security of network connectivity equipment is now in question thanks to the Krebs On Security DDoS attack

The EU’s latest idea to secure the Internet of Things? Sticky labels | Naked Security Blog

My Comments

The European Commission wants to push forward with a set of minimum standards for data security especially in context with “dedicated-function” devices including the “Internet Of Things” or “Internet Of Everything”. This also includes a simplified consumer-facing product-label system along with a customer-education program very similar to what has taken place in most countries concerning the energy efficiency of the appliances or the nutritional value of the foodstuffs we purchase.

This issue has been driven by a recent cyber attack on the Krebs On Security blog where the “Mirai” botnet was used to overload that security blog, the latest in a string of many attacks that were inflicted against data-security journalist Brian Krebs. But this botnet was hosted not on regular computers that were running malware downloaded from questionable Internet sites, nor was it hosted on Web hosts that were serving small-time Websites running a popular content management system. It was based on poorly-secured “dedicated-function” devices like network-infrastructure devices, video-surveillance devices, printers and “Internet Of Things” devices that had their firmware meddled with.

Nest Learning Thermostat courtesy of Nest Labs

… as could other Internet-Of-Things devices like these room thermostats

There will be issues that concern how we set network-enabled equipment up to operate securely along with the level of software maintenance that takes place for their firmware. A question always raised in this context is the setup or installation procedure that you perform when you first use these devices – whether this should be about a “default-for-security” procedure like requiring an administrator password of sufficient strength to be set before you can use the device.

But I also see another question concerning the “durables” class of equipment like refrigerators, televisions, building security and the like which is expected to be pushed on for a long time, typically past the time that a manufacturer would cease providing support for it. What needs to happen is an approach towards keeping the software maintained such as, perhaps, open-sourcing it or establishing a baseline software for that device.

Manufacturers could be researching ways to implement centralised simplified secure setup for consumer “Internet-Of-Things” devices along with maintaining the software that comes with these devices. This could be also about working on these issues with industry associations so that this kind of management can work industry-wide.

But the certification and distinct labelling requirement could be about enforcing secure-by-design approaches so that customers prefer hardware that has this quality. Similarly, a distinct label could be implemented to show that a device benefits from regular secure software maintenance so that it is protected against newer threats.

It usually just requires something to happen in a significant manner to be a wake-up call regarding computer and data security. But once a standard is worked out, it could answer the question of keeping “dedicated-purpose” computing devices secure.

Be careful about USB memory keys left in the letterbox

Articles

USB memory keys press picture courtesy of Victoria Police

Police warn of malware-laden USB sticks dropped in letterboxes | The Register

Crims place booby-trapped USB drives in letter boxes | IT News

Don’t plug it in! Scammers post infected USB sticks through letterboxes | Naked Security (Sophos blog)

From the horse’s mouth

Victoria Police

Press Release

My Comments

An issue that is being raised concerning data security is people loading data from USB memory keys that they don’t expect.

This has been used as a way to distribute malware to businessmen at conferences because these thumbdrives, like floppy discs and optical discs, have been accepted as a way to distribute conference content or “electronic brochures” and added to participants’ “show-bags” handed out at these events. The typical method of delivering a malware-laden USB stick was to abandon it at the venue, hotel or “watering-hole” bar, where it would inspire people’s curiosity to pick up this memory key, plug it in to their laptop and load up what was on the stick.

Newer iterations of the desktop operating systems, i.e. Windows or MacOS, have made it hard to run a program off a USB memory key by default. Similarly, most of the desktop security software implements removable-media scanning routines to automatically check for malware on a USB stick or other removable media. But there have been some USB thumbdrive variants which have had the firmware altered to run keystroke macros or meddle with network settings.

This situation has now been found to occur in a personal-computing context in some of the outer south-eastern Melbourne suburbs like Pakenham. This was where USB memory keys were left in households’ mailboxes and these thumbdrives were full of malware including fraudulent content-streaming offers. In fact Victoria Police even encouraged Australian householders who received these thumbdrives in their mailbox to contact Crimestoppers Victoria by phoning 1-800-333-000 or using the online form.

But the common security advice to deal with USB memory keys that you didn’t expect to receive is not to insert them in your computer. If you do expect to receive one of these sticks such as them being in a show-bag from a vendor or you receiving conference material on one of them, make sure that you have your operating system and desktop security software patched and updated.

Avoiding a mess-up with your small business’s or community organisation’s IT

Lenovo ThinkPad Helix 2 connected to Wi-Fi hotspot at Bean Counter Cafe

Make sure you know where you stand with your small business’s or community organisation’s IT software and services

A very common situation that can come about with a small business that is starting out or a community organisation that is running with a handful of core volunteers is that you can end up with a messy information-technology situation.

Typically this happens because the people who are behind the organisation typically buy the hardware, software and services out of their own pocket, assuming that the organisation is running on the “smell of an oily rag” with very minimal funds. This situation affects organisations in the religious, charitable or voluntary sector where they want to spend as little on office-related or capital expenses as possible so the money that comes in is focused on the organisation’s raison d’etre.

What can happen, especially with software, is that it ends up being licensed in the name of the contributor or volunteer, while a service like Web-site hosting and domain-name renewal is paid out of a member’s or volunteer’s personal funds and managed in the name of that member. In the case of operating systems or other software that are furnished with donated computer hardware, the software can also be licensed in the name of the donor rather than the beneficiary and no procedure takes place to technically and legally transfer this ownership.

Then you can end up with issues like software piracy and non-compliance, or a service being paid for by someone who has left the organisation, so you don’t know where that service is going or whose name the computer software should be in. You also have the issue of where the organisation legally stands when it comes to using the service, and this can also place the continuity of that service in doubt.

Do you know the organisation’s legal entity?

Here, you have to know how the business or organisation is legally referred to and represented. This includes a business, company or other legal name that represents the organisation as well as its trading or other “public-facing” name. Typically, the organisation’s legal name may be written out in any stationery associated with its bank account.

Software

Make sure that any software that the organisation uses is bought in the name of the organisation. If someone wants to donate a program to the organisation, they need to either donate the program’s value to the organisation as cash through the normal paths like a church’s offering plate or basket, or buy the software as an unencumbered package using their funds and hand the software package over to the organisation.

Some “buy and download” software providers may allow you to register a copy of the software in one name while allowing you to pay using a credit card or PayPal account in a different name. This measure is typically provided to allow one to give the software as a personal gift.

Services

Increasingly, business IT is being focused towards the purchasing of services like Web hosting, domain names and the like, with an increasing amount of IT functions like software suites being sold “as a service”. Typically this involves someone having to pay for the service on a regular basis.

Payment for the services

What these organisations can do is to maintain a business debit card based on a major payment-card platform and drawing from the organisation’s funds. The organisation adopts strict usage and accounting procedures with establishing payments using this card and uses it primarily for paying for business services that can only be paid with a major payment card. On the other hand, they could make sure that the service they want to engage can accept a standing direct-debit order as the payment method. Anyone who wishes to donate the cost of a service could do so through a cash payment to the organisation in the usual payment path.

Whose name is the service under?

As for these services, make sure that they are registered or set up in the name of the organisation. For example, a domain name’s WHOIS data must reflect the name of the organisation and whoever is in executive position. For organisations who have a home as their office, it may be better to supply a mailing address like a PO box or a mail-drop; or use the shopfront’s address as a mailing address if they do operate a long-term physical shopfront.

Login details and user accounts

All login details like usernames and passwords associated with these services have to be known to authorised personnel currently in that organisation. This could be achieved through either a paper document or electronic-form document file that is on a USB memory key which has to be kept in safe storage on the organisation’s premises like a safe. Here, you could use a “secure” USB memory key which uses encryption and password security for this purpose and keep the password for that in a separate envelope. This list of passwords needs to be updated every time these passwords are changed and they should be changed regularly such as whenever people leave the organisation.

You may find that it is better to use multiple user accounts for these services so you can add and remove users easily and allow these users to determine their own login parameters. The multiple-user-account setup also gives you the benefit of limiting what privileges a user’s account has, so that the privileges reflect the expected job function of the account-holder. But the administrator password for these services needs to be kept on the above-mentioned organisational password list that is to be kept in safe storage.

Similarly, you may find that the multiple-user-account setup that a service uses may work with single-sign-on so that the credentials are verified with a third-party platform like Microsoft.com, Google or Facebook with the service receiving the “all-clear” in the form of a token. This may be OK to pursue if the employee or volunteer agrees to using the account associated with one of these platforms as part of single sign-on.

Conclusion

Once your small business or community organisation has their software and services properly under their own umbrella, they can make sure that they know where it stands through the life of the software and services rather than dealing with a dog’s breakfast.

August responds to its smart lock’s security weaknesses by patching its software

Article

August Smart Lock press picture courtesy of August

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware focused at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices along with customers not installing new software updates for these devices.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

What is a sad reality for a lot of these devices is that the manufacturer rarely, if ever, maintains the firmware that runs them. Some manufacturers think that this practice is about having to “add functionality” to these devices, which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product complies with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update, with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more, namely for August to disclose the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also applies to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called for is a feedback loop where bugs and other software deficiencies in all these devices are reported and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.

More malware being discovered for the Macintosh platform

Article

Apple MacBook Pro running MacOS X Mavericks - press picture courtesy of Apple

Even Apple Macintosh users need to keep secure computing habits

Mac Malware Opens OS X Backdoor to Attackers | Tom’s Guide

My Comments

A lot of Apple Macintosh users have jumped to this platform on the basis that there was very little malware written for it. But now, as more people are using Macs, they are becoming a target for malware, including some “backdoor” software which weakens the MacOS’s defences against other malware.

This time, what was being called out was a Trojan-horse program that pretends to be a file-conversion program, the kind of program that is easily downloaded in a hurry.

Keep your Mac’s operating system and software patched and updated

A good practice regarding keeping your Mac secure, as with other computing platforms, is to make sure that the MacOS operating system is up-to-date with all the patches that Apple releases. This is because Apple may have released bug-fixes or remedied exploits that have been discovered in your version of the MacOS operating system.

Preferably, I would recommend you have this set up to work automatically so that when you are connected to the Internet via Wi-Fi or Ethernet, your Mac is kept updated and patched.

You can set this up to be performed automatically by going to [Apple] – [System Preferences]. Then, if you have one of the newer versions of MacOS (Yosemite onwards), go to the App Store panel and check the boxes for “Automatically check for updates” and “Download newly available updates in the background”. This will then make the “Install OS X Updates” option available, which you should also check.

For Macs that run prior versions, you would still go via [Apple]-[Software Update] and set the appropriate options to automatically patch your version of MacOS X.

You can manually update and patch your Mac by visiting the App Store if you are in Yosemite or newer versions and tick off all of the software that needs updating in the Updates panel. For prior operating systems, you would need to visit the [Apple]-[Software Update] menu and click the option to download and install the latest patches for your Mac.

You can still visit the Updates panel in the App Store and go through all the apps that need updating so you can be sure they are up-to-date. If you have software that isn’t delivered via the App Store, use its interface or the software developer’s Website to keep it up-to-date. This is also important because older versions of application and other software can carry bugs or exploits.

This is something you should do when you switch your Mac on if you haven’t used your Mac or haven’t connected it to the Internet for a significant amount of time, such as with a secondary-use MacBook or a Mac that you use as part of multi-platform computing.
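As an added example that is not part of the original article, the shell script below audits the preference keys behind the App Store checkboxes described above, so an administrator can verify a Mac’s update settings without clicking through System Preferences. The domain/key mapping is my assumption for Yosemite-era MacOS and should be confirmed on the version you manage.

```shell
#!/bin/sh
# Added example: audit the automatic-update checkboxes on a Mac by reading the
# preference keys they write. The label|domain|key mapping below is an assumption
# for Yosemite-era macOS; verify it against the version you manage.

SETTINGS='Automatically check for updates|/Library/Preferences/com.apple.SoftwareUpdate|AutomaticCheckEnabled
Download newly available updates in the background|/Library/Preferences/com.apple.SoftwareUpdate|AutomaticDownload
Install app updates|/Library/Preferences/com.apple.commerce|AutoUpdate
Install OS X updates|/Library/Preferences/com.apple.commerce|AutoUpdateRestartRequired
Install system data files and security updates|/Library/Preferences/com.apple.SoftwareUpdate|CriticalUpdateInstall'

# read_pref DOMAIN KEY: print the stored value, or 0 when the key is unset.
read_pref() {
  defaults read "$1" "$2" 2>/dev/null || echo 0
}

# report_disabled: read "label|value" lines from stdin, print every label whose
# value is not enabled (defaults prints booleans as 1/0), and return 1 if any.
report_disabled() {
  bad=0
  while IFS='|' read -r label value; do
    case "$value" in
      1|true|YES) ;;
      *) printf 'NOT ENABLED: %s\n' "$label"; bad=1 ;;
    esac
  done
  return $bad
}

# collect_prefs: on a Mac, emit "label|value" for every checkbox in SETTINGS.
collect_prefs() {
  printf '%s\n' "$SETTINGS" | while IFS='|' read -r label domain key; do
    printf '%s|%s\n' "$label" "$(read_pref "$domain" "$key")"
  done
}

# Only run the live audit where the macOS "defaults" tool exists.
if command -v defaults >/dev/null 2>&1; then
  collect_prefs | report_disabled && echo "All automatic-update options are enabled"
fi
```

Run it with sudo on the Mac being checked; a non-zero exit means at least one checkbox is still off.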

Upgrade your Mac’s operating system if you can

It may be worth upgrading your Mac’s operating system to a newer version if your computer can handle it. In most cases, you can update the system for either pennies’ worth or for free. Here, you could check the App Store or Apple’s website regarding newer operating systems for your Mac.

The main advantages that these new operating systems offer encompass system-wide hardening including the availability of the Mac App Store where the software is verified before it is made available.

Make sure you download software from reputable sources

For all computing platforms, one requirement for safe and secure computing is to obtain computer software from known reputable sources.

In the case of the Macintosh, either download new software from the Mac App Store, where the software is verified, or from the website of a trusted and known developer. Even when you obtain software from the Mac App Store, check the quality of the software by looking through the reviews that are posted about it and also checking the reviews of other software offered by the same developer. I have written an article about obtaining software from app stores because there has been a risk of them turning into the equivalent of bulletin boards and download sites that host poor-quality software.

When it comes to software delivered in a packaged form, avoid the temptation to install from anything unless you have bought it yourself from a reputable dealer.

Consider desktop-security software for the Mac

This may sound foreign to Apple Macintosh users, but you may also find that it is worth considering the installation of a desktop-security / endpoint-security program on your Mac. This applies even more if you or others who use your Mac are not astute when it comes to downloading software or handling the Internet.

Most of the developers who have written these kinds of programs for Windows-based computers have now written versions of them for the Macintosh platform because of the rise of threats against this platform. As with Windows, the better desktop-security programs also offer protection against Internet-borne threats through site-reputation checking, content filtering, and spam filtering. Similarly, better-quality software runs in a manner that doesn’t impinge on your Mac’s performance.

Conclusion

Like other computer platforms such as DOS / Windows, the Apple Macintosh needs its users to be careful about keeping their computer and data secure. This includes keeping the operating system up-to-date along with being sure about what software you have on your computer.