Data security Archive

Removing Superfish from your Lenovo computer

Article

Lenovo Yoga 2 Pro convertible notebook at Phamish St Kilda

Removing Superfish from this Lenovo laptop

Lenovo offers tool to remove hidden adware ‘Superfish’ | BBC News

From the horse’s mouth

Lenovo Support

Advisory page with list of affected laptops

Removal-tool download (Run or copy to “toolbox” USB memory key)

Removal Instructions

My Comments and Instructions

If you bought a Lenovo computer through 2014 that was positioned at consumers like the G50-70 or the Yoga 2 Pro, you may have had Superfish’s Visual Discovery software installed on it. This is part of a common practice especially with consumer and small-business computers where they become loaded with software you most likely don’t really want.

Here, this variant of Visual Discovery, which is meant to be an enhanced “machine+Internet” search tool, has been behaving like adware. It has even been jeopardising the security of your SSL-based secure-browsing sessions. It has been highlighted as a software-driven client-side “man-in-the-middle” security threat that can intercept data that passes through your computer.

But you can remove the software from your G50-70, Yoga 2 Pro or other Lenovo laptop, and it is a very similar practice to what I have done with a lot of adware that ends up on people’s computers.

Lenovo offers a single-purpose download to remove the Superfish software but if you have the patience to work through Windows to “root it out” or a computer-literate relative or friend can do this for you, here are the instructions which I have paraphrased from their Website.

Remove Superfish software

  1. In Windows 8.1, use the Search Charm in the Modern View to search “remove programs”, then select “Add Or Remove Programs”. Alternatively, right-click on the Windows icon on the Taskbar and select Programs And Features.
  2. Hunt for “Superfish Inc. Visual Discovery” and uninstall it by clicking the Uninstall option. This is a good time to go through all of your software that is on your computer and remove any questionable programs.

Remove Superfish certificates from the Windows Certificate Store

This is to remove the Superfish certificates from the main Certificate Store that Windows uses and is the “go to” certificate location for Internet Explorer, Google Chrome, Opera, Safari and co.

  1. In Windows 8.1, use the Search Charm to search “Certificates”, then select “Manage Computer Certificates”.
  2. Accept Microsoft Management Console’s request to change your computer data.
  3. Select “Trusted Root Certification Authorities” in the Certificate Manager, then select “Certificates”.
  4. Hunt for items with the “Superfish Inc.” name and delete them. When the Certificate Manager asks whether you want to delete them, click Yes.

Remove Superfish certificates from Firefox, Thunderbird and other Mozilla software

Mozilla operates a separate certificate store for Website certificates rather than using the Windows Certificate Store. Here, you would have to interact with each Mozilla program separately to remove the certificates.

  1. Open Firefox and, if the address bar and toolbar aren’t visible, click on the orange Firefox button.
  2. Select the Settings drawer with the three lines, then click on the Options gearwheel, then click on the Advanced gearwheel.
  3. Select the Certificates tab and click or touch the View Certificates button.
  4. In the Certificate Manager screen, select Authorities.
  5. Hunt for “Superfish Inc” and select that certificate.
  6. Click the Delete or Distrust button and click OK to delete the Superfish certificate from Mozilla’s certificate store.

Restart your computer

Immediately, restart your Lenovo computer as you would normally do.
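
The Windows-side checks in the steps above can also be run as a script. This is an added example, not Lenovo's removal tool or part of their instructions; the script name and its two parameters are hypothetical, and it matches on the “Superfish” name only, as the manual steps do.

```powershell
# Find-Superfish.ps1 (hypothetical name) - added example, not Lenovo's removal tool.
# Reports what the manual steps look for; deletes certificates only with -Remove.
[CmdletBinding()]
param(
    # Name fragment the manual steps tell you to hunt for.
    [string]$Pattern = 'Superfish',
    # Without this switch the script only reports.
    [switch]$Remove
)

# --- 1. Installed program -------------------------------------------------
# Programs And Features is populated from these registry keys.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern -or $_.Publisher -match $Pattern })

if ($programs.Count -gt 0) {
    Write-Warning 'Matching program still installed; uninstall it via Programs And Features first.'
    $programs | Format-Table DisplayName, Publisher, DisplayVersion -AutoSize | Out-Host
} else {
    Write-Host "No installed program matching '$Pattern'."
}

# --- 2. Certificates in the Windows stores --------------------------------
# Walk every store for the machine and the current user, not just Trusted Root,
# so a copy sitting in another store is reported as well.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern })

if ($certs.Count -eq 0) {
    Write-Host "No certificate matching '$Pattern' in the Windows certificate stores."
} else {
    $certs |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize | Out-Host
}

# --- 3. Optional removal --------------------------------------------------
if ($Remove -and $certs.Count -gt 0) {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Warning 'Not elevated: certificates in LocalMachine stores cannot be deleted.'
    }
    foreach ($cert in $certs) {
        $store = $cert.PSParentPath -replace '^.*::', ''
        try {
            # PSPath is the provider-qualified path of this one certificate.
            Remove-Item -LiteralPath $cert.PSPath -ErrorAction Stop
            Write-Host "Deleted $($cert.Thumbprint) from $store"
        } catch {
            Write-Warning "Could not delete $($cert.Thumbprint) from ${store}: $($_.Exception.Message)"
        }
    }
}
```

Run it once without `-Remove` to see what matches, then again with it from an elevated prompt. It does not touch Mozilla's separate certificate store, so the Firefox and Thunderbird steps still have to be done by hand.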

This may be a tipping point for manufacturers to be part of a feedback loop when it comes to the software they supply with computers especially those that are sold to home and small-business users. It involves a requirement to test the software for vulnerabilities before packaging it for installation.

It will also become a time to question the practice of supplying third-party-supplied trial software and demoware with computers, especially notebooks, marketed to consumers.


Windows 10 to benefit from the FIDO authentication standards

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key, and this can impair the user experience you have during the login. This is because you have to make sure that the client-side software is running properly and that you use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly, thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to be raised with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication for situations like word-processors being used to upload blog posts or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor, such as a smart lock that has just been used with your electronic key; or allow a card like a SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail?

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.


BMW delivers a security update to its ConnectedDrive cars

Articles

BMW 120d car

BMW cars with ConnectedDrive will benefit from an over-the-air software security patch

Your BMW just downloaded a security patch | Engadget

BMW patches in-car software security flaw | IT News

BMW Group ConnectedDrive increases data security | BMW Blog (BMW enthusiasts’ online magazine)

From the horse’s mouth

BMW Group

Press Release

My Comments

BMW ConnectedDrive user interface press picture courtesy of BMW Group

BMW ConnectedDrive user interface – where you can manually draw down that update

An issue that is constantly being raised regarding the Internet Of Everything is data and network security, including making sure the devices work to end-users’ expectations for proper, safe and secure operation. One of the constant mantras associated with this goal is to have a continual software-update cycle for these devices with the ability for customers to place new software in these devices in the field like you can with a regular computer or a smartphone.

BMW had brought about the ConnectedDrive online vehicle management and infotainment system to their newer BMW, MINI and Rolls Royce cars. But they discovered a flaw in the software and wrote a patch to rectify this problem. You would normally think that to have this patch delivered in to the vehicle management system, you would need to bring the car in to the dealership and this would be done as part of its regular preventative-maintenance servicing.

Here, it would typically involve you having to book the car in with the dealership including determining whether you need to use the courtesy car or not, drive it there at the appointed day and time and pick up the courtesy car if you needed it, then make a point of heading back to the dealership before they close to collect your car when it is ready.

But BMW had worked on delivering the software patch to the car via the mobile broadband link that the ConnectedDrive system depends upon for its functionality. Here, you would be advised that the update is taking place and at an appropriate time, the software patch would be applied. If you had garaged the car, you can manually “draw down” the update to your car once you drive it out of your garage.

What I see of this is the proactive way that the BMW Group have been able to use what is taken for granted with most computer operating systems to roll out critical software patches to their vehicles, which is something to be considered of importance when it comes to data security. This has to work not just through the life-cycle of a vehicle but beyond especially in markets where vehicles are likely to benefit from long service lives.


Tech support scams now affecting the Macintosh platform

Article

Mac users: Beware of increased tech support scam pop-ups | MalwareBytes Unpacked blog

My Comments

The Apple Macintosh has been seen by its users as a safe regular-computer (desktop / laptop) platform mainly because it didn’t have as much of a foothold as the MS-DOS / Windows platform. Now this platform is starting to appeal to malware authors due to the fact that more people are heading towards it as a regular-computer option along with the fact that Microsoft has been continually hardening the Windows platform.

Windows users had suffered the bane of various unsolicited “tech-support” scams ranging from Website popups through to phone calls. Now the Mac platform is under attack because these scams implement JavaScript to take over the machine in a similar way to what happens with Windows. Also the same scam targets iOS devices due to their use of Safari with the same codebase and JavaScript implementation.

Of course, don’t follow through with the prompts to call these numbers or download the software because this involves activities like malware downloads or paying exorbitant fees to dodgy overseas-based businesses. But what do you do to close these nag screens?

On the Macintosh, you would have to kill the browser session by using the Force Quit routine. The best way IMHO to do this is to press Command+Option+Shift+ESC together if the browser has the foreground. You can also press Command+Option+ESC to bring up the Force Quit menu and use the mouse or trackpad to select the application to stop. The reason I suggest using the keyboard shortcuts is because some of the nuisance dialog boxes can effectively “take over” the pointing device.

iOS users can stop the browser by double-clicking the Home button and swiping the window representing the troublesome app to kill that app.

On both platforms, you clear out the browser cache and history to stop the fake tech-support Website cropping up. This is more important for the iOS platform because if you open up Safari, it will come up with the last-opened Website. For the OS X implementation, you click the “Clear History” option in the “History” menu, which also clears the cache. For the iOS implementation, you go to the Safari option in the Settings app and then tap the Clear History button to stop it from reopening.


A timely reminder to beware of suspicious emails in your inbox

Windows Live Mail client-based email interface

Slow down when you check those emails so you are safe

Increasingly people are receiving emails that are becoming very dangerous to their personal or business security.

This happens during November and December, especially from when the American community celebrates Thanksgiving (last Thursday in November) to Epiphany / Twelfth Night (January 5), when there is a lot of Christmas-driven communication and most, if not all, of us are thinking about Christmas. This includes responding to the shopping offers that are being made available through this time. Here, these emails are being sent in a manner as to “get at” the user and take control of their computing equipment or data.

Over this past weekend, some friends of mine from church had approached me about email issues and I had found out that the husband fell victim to a phishing attack against his Outlook.com Webmail account with it ending up being used to send spam messages. Here, I visited these friends on Monday night for dinner and to help him change his account’s password and report it as being compromised. Then a close friend of his rang him about receiving the Australia Post phishing emails and I suggested to that friend to delete that email immediately.

One example is to supply malware as an attachment, typically obfuscated as a compressed “file of files” or a malformed document file, or to direct users to pick up the questionable software at a Web link. The idea is to get users to install this software of questionable provenance on their computer so that the computer becomes part of a large botnet that is intended to wreak havoc on other computer users, steal your personal or business information, or extort money from you.

Another example is a link that sends users to a forged login or other customer-interaction page for a Webmail, banking, Social Web or similar online service to steal their personal details. This is typically to steal the user’s money or identity, create a bank account or similar financial account for laundering ill-gotten gains, or use an email mailbox and contact list to send further spam to computer users.

The email is suspicious if

It is out-of-character with the sender

This may be reflecting a situation that you know the sender is not in, such as them or their business being in financial dire straits. It may also simply be an email of a kind they don’t normally send.

Contains nothing but enticing “click-bait” text

You may find some enticing text written in the Subject line or in the body of the message that gets you to either open the attachment or click on that link.

Implores you to open it or click on the link under pain of losing service continuity or something similar

Looks very official and has copy that threatens you that you will lose access to your funds or continuity of a service you use, or something similar; and requires you to click on a link in that message to take action to remedy the situation. This may also be about the pending arrival of a parcel or some funds and you have to click on a link or open an attachment to print out a “claim form”.

What to do?

Do not click on the links in that email or open the attachment

Under no circumstances should you click on any links in the suspicious email or open any attachment that is part of that email.

Check the email out

In the case of a personal email, check the email address that purports to be in the name of your contact to see if it is one that you and your contact regularly use. Here, some people may operate a business email address alongside a personal email address and you need to confirm these addresses through conversation, business collateral that they supply, amongst other things.

In the case of a business email, check to see if the email looks as though it genuinely represents that organisation. If the email is requiring you to do something to assure “continuity of service”, access to funds, etc. contact that business directly using their customer-service number or email.

One obvious red flag would be if you receive a contact from a bank or other business you don’t do any business with. Another red flag is an email that isn’t addressed to you personally but instead uses a generic “all-call” salutation like “Dear Customer”. Yet another red flag is the quality of the document. Here, you look out for whether the email represents the company’s current “trade dress” such as current logos, colour schemes and the like. As well, you look for the quality of the document to see that it reflects what is expected for a business document coming from the company’s location of business, such as spelling, grammar, punctuation, etc.

Sometimes, what may appear in the “To” list may be contacts, including “virtual contacts” which represent a cluster of email addresses, whom you don’t have anything to do with. This is also a sign of a suspicious email.

Check with the sender

If you receive an email from a contact of yours which appears to be out-of-character with them, contact them about that email. You must do this not by replying to that email but by either calling them on the phone, sending an SMS or instant-messaging message to them or sending a separate email to them.

If it is business-related like correspondence from your bank or other organisation, log in to the business’s Website yourself using its commonly-published or commonly-known Web address. Here, you type the address in to your Web browser’s address bar or, if you do regular business with the site, go to the bookmark or favourite link you have created for it. As well, it may also be of value to contact the organisation on their published phone number to check the veracity of that email. Here, you may find this in the regular business correspondence that you have for them or use the common telephone directory or the organisation’s Web page to find that number.

Report the email then delete it

If you are using your Webmail provider’s Web-based user interface, you may have an option to report that email as spam, hacking, fraud or something similar. If you are using a client-based email setup, forward the email as an attachment to your ISP’s or email provider’s email address that has been set up for reporting email abuse or fraud.

Business users who work for a company that has an in-house or contracted IT team should let that IT team know about the suspicious email. This will also apply to those of us who study at a school or university which has its own IT team.

As well, if the email appeared to be in the name of the bank or other organisation, look on the organisation’s Website for a “report fraud” link or email and use that to report the fraudulent emails that you received. Here, they can engage local or national law enforcement to take further action especially if the behaviour is consistent.

Then delete the fraudulent email immediately.

Security tips

  • Keep the computer’s operating system and application software up-to-date with the latest patches
  • Make sure you are running a good anti-malware utility and that it is updated frequently and regularly. It may also be a good practice to run a full scan with this software
  • Make sure that you have strong and preferably unique passwords on your online services
  • Make sure that your home network hardware is on the latest firmware and has strong non-default passwords.
  • Consider using a password manager program or service. As well, it may be worth it to implement a two-factor authentication setup on your online services with your smartphone showing a key number as a “second factor”.
  • As well, you may find that if you have an account with a major online service like a Microsoft service or one of the popular social networks, you may have the opportunity to implement a single sign-on. This may be worth using especially with games, forums, comment functionality, online music or similar services so you don’t have to work out extra passwords.
  • Back up the data you created yourself using your computer to a NAS and/or USB hard disk and preferably make a separate copy of this backup in a separate location
  • Only visit Websites and online services that are known to be reputable

Web-page advertising needs to adopt a secure-ads strategy

Article

Beware of Risky Ads on Tumblr | MalwareBytes Unpacked

My Comments

Online ad - to be respected like advertising in printed media

Ads on sites like here need to be secure to obtain the same respect as magazine ads

Most of us who use the Web are making increased use of ad-sponsored Web sites for news, blogs, social media and the like.

In most cases, the banner advertising that appears on these Websites or on advertising-funded mobile-platform apps, when it is delivered in a tasteful manner, provides a similar experience to the display advertising we see, accept and take for granted in newspapers, magazines and other printed media. That is where pop-up or pop-under advertising isn’t used or you don’t hear noisy video commercials playing through. It could be enough to see an animated or slide-show ad appear within the confines of the banner. Here, the advertising doesn’t interrupt the reading experience unlike with TV advertising or online-video advertising where it interrupts the viewing experience.

Such advertising, like the Google AdSense ads you see on this site, is sold on a contract that is based on cost-per-click, which the advertiser pays when you click on the ad to follow through with it, or cost-per-impression, which is based simply on the ad being loaded and appearing on the site.

The malvertisement threat

But there is a security problem cropping up here in the form of “malvertisements”. These are online advertisements that are delivered to lead users to Websites that host malware. Typically they use enticing copy and graphics in the advertisements to attract users to view content on these sites and download software of questionable provenance.

Security vendors run a rhetoric that encourages us Web users to use ad-blocking software to keep our computer secure by masking all online advertising. But this can get in the way of honest advertisers and the publications that depend on them for revenue because the software works on an “all or nothing” approach.

But what can the online advertising industry do about this?

If a Website author has control over all of the advertising they admit, they can easily “fence out” malvertisements and distasteful advertising by examining what their potential advertiser is tendering at the start of and through the life of their advertising contract.

But this is not the case for most Websites where they will rely on one or more ad networks like Google AdSense to supply all or the remainder of their ad inventory. These ad networks typically source the advertising themselves and pay publishers a cut for each advertisement that appears or when someone clicks on an advertisement.

Ad networks

Malware sites advertise through these networks on a “pay-per-click-only” contract because it is a “low-risk high-return” option. But the networks could make life harder for them by, for example, vetting the creatives (advertising text, graphics, scripts and links) offered for an ad campaign before accepting them for display and through the life of the campaign. Similarly, they could make it harder for “fly-by-night” operations like those distributing malware to establish or sustain advertising contracts, such as by implementing the ability to break off ad contracts if the advertiser engages in deceptive conduct, or by not offering “very-low-risk” advertising options such as “pay-per-click-only” text ads. One way would be to require all ad contracts to be based on the requirement to pay for a particular time length or minimum number of impressions.

Ad networks can also exchange details about advertisers that engage in deceptive business practices so that the advertisers don’t go “shopping around” different ad networks to hawk their wares at the lowest risk. This is similar to a lot of proper business practices where companies are able to exchange details about known credit risks for example.

This could be part of an online advertising code of conduct to protect the validity and legitimacy of the online display advertisement as part of an advertiser’s campaign mix and as a way for Web publishers to raise some income.

Webmasters

Webmasters can work with the ad network’s control panel to reduce the kind of advertising that gets through to their ad spaces. For example, they could opt to keep the advertising that appears to tightly reflect the content and tone of their Website. The Webmaster can also exercise a tight level of control over any advertising they directly sell for their Website such as offering contracts with a minimum level of risk to the advertiser or vetting the creative material tendered by the advertisers.

As well, they can put security measures in place on the Website to stop undesirable activity from occurring with it. This could include implementing hardened login procedures such as brute-force lockout or two-factor authentication on the critical admin and editor accounts.

Conclusion

Like most online-security issues like Wi-Fi security, it isn’t just up to end-users to do the “heavy-lifting” to keep their Web experience secure. Other stakeholders like advertising networks need to join in the game to keep a secure Web with respected online advertising and avoid exposure to liability.


Business-grade data security could approach the home network

Article

Startup builds intrusion prevention system for home networks | PC World

My Comments

A device that is being used mainly in enterprise networks is the “intrusion prevention system” which is another form of firewall installed at the network’s edge. This device is typically set up between a modem and the router that serves normally as the network’s edge to protect the network from outbound and inbound Internet-based attacks.

Increasingly, as most home networks acquire more devices and more of these devices are programmed with firmware that isn’t “written for security”, these devices are being seen as necessary for home and small-business networks.

Itus Networks are working on one of these devices and optimising it for the home network, so it is as secure as a similar device used in Enterprise America but is more cost-effective and is able to be managed by most householders. The iGuardian product is intended to go between the router and the modem to analyse outgoing and incoming traffic for malicious activity and block such activity based on community or commercial “Snort-form” rulesets.

But this form factor wouldn’t work well with the modem-router which is the way to go for most DSL services, where the modem and router are in one box. Personally, I could see the “intrusion prevention system” become an included feature with high-end routers that are pitched at “enthusiast” consumers, SOHO users or small businesses rather than the low-tier routers sold to most consumers.

Similarly, a functionality gap exists where other network devices could be at danger of intrusion caused by one network device without Internet involvement.

As well, I find that they may not be accepted for most home networks because they may be difficult to operate unless you have a lot of competence with business-grade computing. This may be due to issues like lack of “task-based” or “simple-language” design.

At the moment, this device is showing that the concept of business-grade internet security for the home network in the form of an “intrusion prevention system” is at its early stages and there needs to be a lot more work done to make a mature product for this class of network and the kind of operator that it will face.


Google Chrome can now detect loaded downloads

Article

Chrome update to raise alarms over deceptive download bundles | The Register

From the horse’s mouth

Google

That’s not the download you’re looking for …. – Blog post

My Comments

I have helped a few people out with removing browser toolbars and other software from their computers that they didn’t necessarily invite in the first place. What typically happens is that a person looks for software to do a particular task such as a lightweight game, native front-end for an online service, video-codec pack, an “essential” CD-burning tool or an open-source Web browser, but they work through a very confusing install procedure that has them invite software like TubeDimmer to their computers if they aren’t careful.

A lot of this unwanted software ruins the browsing experience by “cluttering” the screen with extra advertisements and data or redirects genuine links to advertising sites hawking questionable products. As well, they are more likely to “bog” the computer down by stealing processor time and RAM memory space.

Mozilla has become aware of the problem with Firefox courtesy of their bug-reporting mechanism and found that it wasn’t about proper software bugs but improper bundling practices. They had found that these bundles were infringing their copyrights and trademarks that they had with the software, especially the open-source concept.

Google has answered this problem at the search phase of the operation by identifying whether a download site is paying to advertise courtesy of its Adwords keyword-driven advertising service and provided a way to highlight that the software is not the official software site. This is typically because a download site may bundle multiple programs in to the install package rather than just having the program you are after.

They are even going to “expose” the detection software to Mozilla and others to allow them to integrate the detection functionality in their “regular-computer” browsers or desktop-security software by virtue of their Safe Browsing application-programming interface.

This may be a step in the right direction towards dealing with “loaded downloads” but desktop security programs could work further by identifying installation packages that have more than what is bargained for.


Public-access computers now being seen as a security threat

Article

The danger of using PCs in hotel business centres | HOT For Security

Data thieves want to track what you type at hotel business centers | Engadget

My Comments

A very common part of the Internet landscape is the availability of public-access computers that are connected to the Internet. These were made available in schools, universities and libraries but then ended up as being part of cafes, bars and the like, including hotel business centres.

But there had to be a level of control over what software ended up on these computers so that they don’t become a conduit for malware. Even before the Internet, there was the issue of people bringing in software on floppy disks and these were known to be a conduit for viruses. For example, the computer systems that I used at the TAFE college where I studied my computer course were connected to a network but these were set up to boot from the network where the IT department had control over the software that was made available. In some cases, the boot sequence required the computer’s local hard disk to be “swept clean” of data and the locally-required software image to be reinstalled on that hard disk.

A common reality with public-access computers nowadays is that they operate all the time the business is open, surviving the day without being rebooted. In some cases, it becomes feasible to install software on them, thus allowing any “Tom, Dick and Harry” to install software off removable media or the Internet. As well, there is a culture amongst a lot of organisations who run these computers where no-one cares about what goes on with them, usually due to technically-inept or overworked customer-service staff or IT support staff who are distant from the venues.

This has led to situations like keylogger malware being planted on these machines because users enter personally-identifiable information into these computers to complete transactions or communicate with others.

What can we do

If you can, use your own computer equipment to perform your sensitive communications or transactions. If you have to use a public-access computer, make sure that the machine you intend to use implements a “wipe-clean-and-install” arrangement where the local hard disks are “wiped clean” and the software reinstated from a known image after every usage session.

What venues can do

Encourage the staff to keep an eye on the public-access computers and respond to issues that the users may have with the systems. As well, they should keep an eye out for any physical tampering with these systems such as installation of hardware keyloggers or similar devices.

Another issue worth considering is deploying system-management software that can either restore from a known disk image when the computer is restarted (Faronics DeepFreeze), lock down the computer (Anfibia Deskman) or provide a simple “Web kiosk” environment (Webconverger). These can limit the effect that malware can have on the public-access computers.

At least, they could keep the computers running operating systems, application software and desktop-security software that are kept updated with the latest security patches. In a lot of cases, the software could be set up with “blind updating” where the updates are downloaded and installed automatically. As well, making sure that the computers are restarted on a regular basis ensures that updates are properly installed and can increase the effectiveness of “wipe-clean” system-management software.

General comments

Personally I see the public-access computers becoming the Internet equivalent of the public pay phone – something that we are making less use of and people who use these devices regularly are seen as social pariahs. This is even though they serve as a stop-gap measure for computing tasks when, for example, our laptops or smartphones are out of battery.


AVM hardens consumer router security with latest FritzOS version

Article (German Language / Deutsche Sprache)

AVM kündigt FritzOS 6.20 mit neuen Sicherheitsfunktionen für Ende Juli an | ZDNet.de

From the horse’s mouth

AVM

Press Release (English / Deutsch)

My Comments

 

AVM FRITZ!Box 3490 - Press photo courtesy AVM

AVM Fritzbox 3490 to be able to update itself like your Windows or Mac computer

Previously I had covered AVM being the first consumer router manufacturer offering automatic firmware updates for their router products. Here, this firmware, known as FritzOS 6.20, will have this feature and be rolled out across most of their product lineup.

But it will also have the ability to notify users of newer firmware being available along with identifying ports that are open and who logged on or off the management user interface.

What AVM have done is react to an industry-wide issue with consumer and small-business routers running old unpatched firmware, typically the software that is “out-of-the-box”. This is often found to be a security risk due to software exploits or vulnerable configuration setups not being rectified, even though manufacturers do rectify this through newer firmware updates which the customer has to download and deploy.

A step in the right direction for idiot-proof home network security

As well, they are throwing enhanced Wi-Fi hotspot functionality, VPN endpoint setup functionality and Web-based access to shared storage into this firmware. It is becoming a sign that firmware integrated in an Internet gateway device is being treated by the device manufacturers as an operating system along the same lines as what you would run on a computer, tablet or smartphone. This means having a continual upgrade program to rectify any bugs or vulnerabilities, allowing for hands-off or one-touch software deployment and even adding functionality during a device’s life.
