Blog Archives

• Patch Lady – Chrome patching impacted by “work from home”

  Posted on March 18th, 2020 at 22:23 Susan Bradley Comment on the AskWoody Lounge

  https://www.zdnet.com/article/google-pauses-chrome-and-chrome-os-releases-due-to-coronavirus-outbreak/

  Interesting side effect of this disruption, Google is pausing Chrome feature updates due to the virus outbreak

  “Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases. Our primary objectives are to ensure they continue to be stable, secure, and work reliably for anyone who depends on them. We’ll continue to prioritize any updates related to security, which will be included in Chrome 80. Please, follow this blog for updates.”

  Security updates will still come however.  Wonder if Microsoft will do likewise with the Windows 10 feature release?

  Security Patch Lady Posts

• Conference showcases a tsunami of security products

  Posted on March 16th, 2020 at 01:10 Tracey Capen Comment on the AskWoody Lounge

  SECURITY

  By Michael Lasky

  If you needed proof that Web security has become a major industry, you need only to have walked the acres of booths at the RSA Conference 2020.

  More than 36,000 attendees, 704 speakers, and 658 exhibitors gathered at San Francisco’s Moscone Center this past February to explore the “Human Element” in cyber security. The conference included hundreds of keynotes, track sessions, tutorials, seminars, and special events. Protecting the Internet has become a veritable military-industrial complex.

  Read the full story in AskWoody Plus Newsletter 17.11.0 (2020-03-16).

  Security AskWoody Plus Newsletter, RSA security conference, Two-factor authentication

• Patch Lady – bad news about those Server 2008/2008 R2 licenses

  Posted on December 27th, 2019 at 22:18 Susan Bradley Comment on the AskWoody Lounge

  So I have bad news about any extended security updates for Server 2008/2008 R2 licenses that us common folks might want or need to buy a little more time for our Servers.  Even if you have a software assurance license you would need an Enterprise agreement to get extended patches.

  Your only other option is to move to a virtual machine in Azure.

  I heard back from the vendor I use for software assurance and he said….

  Hello Susan,

  I won’t be able to provide pricing on this since you don’t have an enterprise agreement.

  Happy Holidays!

  Security Patch Lady Posts

• LastPass to be acquired, taken private

  Posted on December 18th, 2019 at 06:42 woody Comment on the AskWoody Lounge

  

  LogMeIn Inc — the maker of LogMeIn and LastPass — announced yesterday that it will be acquired by two private equity firms.

  Martin Brinkmann has the details on ghacks.

  Security LastPass

• Patch Lady – if you use a IT consultant

  Posted on December 9th, 2019 at 18:54 Susan Bradley Comment on the AskWoody Lounge

  If you use an IT consultant please please please forward them this post by Amy Babinchak on what a Managed Service Provider should do to audit their own internal processes:

  http://techgenix.com/msps-internal-security-audit/

  Hackers, attackers are targeting consultants because they know they can hit a lot of people with one targeted attack.  Just the other day Krebs on Security reported that 100 small dentist offices were impacted by ransomware after their IT consultant was targeted.

  If you don’t use an IT consultant and instead do your own IT, make sure you think about the vendors and services you use for online activities and think about ways to add two factor authentication to sensitive information.  Add two factor to your bank access.  If you use hosted email, check with your ISP or vendor if they support two factor.  Just the other day I got an alert that my Xfinity had been logged in from an Ubuntu device.  I do HAVE an ubuntu device but I sure wasn’t logging into Xfinity from it.  I quickly added two factor it that account as well.

  Need two factor for remote desktop?  Check out duo.com

  Need a third party app that supports multiple vendors?  Check out authy.com

  Bottom line make sure that you protect accounts and log ins that you can’t live without and make sure they have extra protections.

  They are out to get you.

  Security, Small Business Computing Patch Lady Posts

• Patch lady – Alexa should be on her own network

  Posted on December 7th, 2019 at 19:50 Susan Bradley Comment on the AskWoody Lounge

  As a geek I use Alexa enabled devices to turn on and control turning on and off the Christmas Tree and other lights in the house.  “Hey Alexa, turn on the Christmas tree” is all I have to do to turn on the tree rather than crawling underneath and turning on the tree.  I have Internet enabled outdoor controls that turn on the outdoor Christmas lights at exactly sunset and then turn it off at 11 p.m.  But the one thing I do is ensure that my Alexa enabled devices are on a separate router away from my computers and other devices.  My Alexa devices are on a separate IP addressing scheme and thus can’t browse or talk to the devices on my other network.  The Portland FBI office recommends in fact that you separate out the Internet of Things from the rest of your sensitive devices and laptops.

  They also recommend that you review what features your smart TV has and ensure it’s patched and set to update automatically.  Unlike Windows, most smart tvs and internet of things are based on Linux, not Windows and thus installing updates and rebooting are typically less of an issue.

  Finally, be aware of Holiday scams this time of year.  As they note, keep an eye on your credit card and bank account and always monitor the use of both.  Use a credit card, not a debit card when shopping online.  If you see any fraudulent charges, contact your bank immediately.  Sign up for and turn on fraud alerts on your bank accounts.  It may be a slight bother if they deny a large purchase that you really wanted to get, but it saves you from having fraudulent transactions posted to your account.

  Be aware this holiday season…. they are out to get us.

  Security Alexa, FBI warning, Patch Lady Posts, TV

• The web has a padlock problem

  Posted on November 30th, 2019 at 13:29 Kirsty Comment on the AskWoody Lounge

  Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.

  Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks.

  HTTPS encrypts that information, allowing the transmission of sensitive data such as logging into bank accounts, emails, or anything else involving personal information to be transferred securely. If this information is entered onto a website that is just using standard HTTP, there’s the risk that the information can become visible to outsiders, especially as the information is transferred in plain text.

  Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.
  …
  “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

  …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

  I’m sure many of us will have seen information by Troy Hunt and Scott Helme in recent months, on browser security. Changes are afoot in how browsers indicate websites’ security; e.g. Firefox’s recent changes on how padlocks work is related.

  WSJ indicate the depth of the problem here:

  The use of security certificates, once a badge of authenticity for the internet, among phishing websites has almost doubled, rising to 15% in 2019 from 8.5% in 2018

  Even CASC (Certificate Authorities Security Council) recently published, in a very interesting article:

  The padlock is putting users in danger

   
  We all need to get used to these changes, for our own safety.
   

  On Security, Security Browser security, phishing

• Microsoft is enabling Win10 version 1903 “Tamper Protection”

  Posted on October 15th, 2019 at 07:50 woody Comment on the AskWoody Lounge

  Yesterday, Microsoft program manager Shweta Jha posted an announcement on the Microsoft Tech Community blog, saying that a feature called “Tamper protection” has reached general availability for Win10 version 1903. Permit me to parse that sentence:

  • Tamper protection is a switch that prevents programs from altering Defender security settings. (You may be surprised to know that programs can alter Defender settings.)
  • General availability in this case means that Microsoft will be turning on the switch on updated Win10 version 1903 machines. The precise mechanism for turning it on isn’t described, and we don’t explicitly know which build number will be required, but “We’re currently turning on the feature gradually; some customers will start seeing the setting on their devices.”

  To me, the rollout sounds a whole lot like the remote feature enabling we’ve been warned about in Win10 version 1909, which is due next month.

  At any rate, the feature sounds worthwhile (should I say “long overdue”?) and it’s easy to set manually if you’re so inclined.

  For details, Lawrence Abrams at BleepingComputer has a good rundown.

  Security, Windows 10 Releases Tamper Protection
• « Older Entries