Fresh Off The Block


Apr
11
2017

Privacy Conscious? Don’t Be Too Hasty To Download Windows 10 Creator’s Update

A white Windows 10 Logo on a blue background

The wait is nearly over for Windows users. On April 11th, the long-awaited "Creators Update" will launch for Windows 10, bringing with it such useful features as a new "night light" mode that reduces the amount of blue light emitted by your screen so that you an sleep better; a new Windows Defender Security Centre, where users can tweak their security options in one place; and a Game Mode for better performance while gaming among lots of other tweaks. People who do not want to wait for the update to be offered to them through Windows Update can get ahead of the game by downloading Microsoft's upgrade tool to apply the update right now – but a recent report suggests privacy-conscious users may want to hold off from jumping on the bandwagon early.

According to an article by Tom's Hardware, which has been backed up by numerous less patient users, Microsoft's Windows 10 Update Assistant may not honour your Privacy Settings if you use it to upgrade to the Creators Update yourself. Instead, the Assistant tries to use default settings – whether or not you choose to upgrade or clean install the new version – meaning that if you changed your privacy settings when you installed Windows 10 and subsequently use the Assistant, you may need to keep a close eye on just what is being set, or you may find Windows suddenly gathering more data about you than you originally intended.

Those default settings encourage you to share your location and provide full diagnostic data to Microsoft to fix issues and improve future iterations of Windows 10. The default options also encourage enabling Cortana and receiving targeted ads rather than generic ones. The good news here is that Microsoft is being much more transparent about the data it collects – and when applying the Creators Update, the privacy options offer up clearer descriptions of what they do and the effects enabling or disabling them will have.

If you're not looking forward to going back through all those checkboxes, however, Microsoft state that when the upgrade is made available through Windows Update some time during April 11th, existing privacy settings WILL be honoured. We'll know for sure if this is the case soon enough – but as always, it's wise to look before you leap.

This article first appeared on Sanitarium.FM under the title Windows 10 Creators Edition Available Now – But Keep An Eye On Your Privacy Settings.

Digiprove sealThis informative article has been Digiproved © 2017
Acknowledgements: Windows 10 Logo Courtesy Microsoft / more...
Some Rights Reserved

What Our Visitors are Talking About


Latest CommentsOn Twitter Right Now
  • “Unlock” Dialogue for Clone System tool in Aomei Backupper 2.5 by William Sims
  • Microsoft gets 561 million euro fine for missing browser ballot “oversight” by Gamer Repulic's Dorthea
  • Microsoft gets 561 million euro fine for missing browser ballot “oversight” by Sherman Moya
  • Microsoft gets 561 million euro fine for missing browser ballot “oversight” by Microsoft gets 561 million euro fine for missing browser ballot “oversight” | The Sanitarium.FM
  • Valve’s Steam Gaming Computer: What we know so far by Valve's Steam Gaming Computer: What we know so far | The Sanitarium.FM
  • Tweet to @TMWeb to have your comments appear here!

    Previous Articles


    Apr
    19
    2016

    Ditch QuickTime on Windows – Apple Drop Support for Vulnerable Plugin

    A recent version of the Quicktime logo.

    A recent version of the Quicktime logo.

    Apple are dropping support for Quicktime, a plugin for viewing and streaming video, on Windows on account of no longer being useful.

    The Wall Street Journal reports that Apple has confirmed it'll no longer update or support Quicktime 7 for Windows.

    Way back when, QuickTime was a requirement to run iTunes, as the Quicktime code was used in part to provide the music streaming capabilities of the software, which resulted in many people who had iPods – and later, the iPhone – installing the plugin to their Windows PCs when they wanted them to properly work with their computers. As Apple notes on its support page, however, this situation changed in later versions of iTunes, and Quicktime has not been a requirement to run iTunes since October 2011.

    Despite not being relevant for iTunes any more, Quicktime continued to be useful to serve up video on the web. However, with HTML5 encouraging browsers to support video directly as part of the standard language of the internet, having a separate plugin for the ability now appears redundant. The combination of these two factors appears to have encouraged Apple to have made the decision to no longer support the plugin on Windows.

    The announcement comes a week after the Department of Homeland Security recommended Windows users uninstall Quicktime because of potential security holes, making Quicktime potentially vulnerable and use of it on Windows PCs a major security risk (these flaws do not affect the Mac OS version, which remains in support). Given its status as a potential security threat and the lack of any updates coming from Apple, many sources, including us at Technically Motivated, now recommend that Quicktime is removed from all Windows PCs as soon as possible.

    For those who are unsure how to, Apple's official support pages offer a guide for how to remove Quicktime from Windows PCs. Apple have been reached for comment to confirm the Wall Street Journal's report.

    Digiprove sealThis informative article has been Digiproved © 2016
    Acknowledgements: Quicktime and The Quicktime Logo is a more...
    Some Rights Reserved
    Jan
    27
    2016

    Lenovo Grilled By Security Researchers over poor ShareIT Security

    Computer users often make very basic mistakes that make more sensible people wonder just what they were thinking. Case in point: passwords. Splashdata recently published its fifth annual list of the most commonly-used passwords by computer users in North America and Western Europe; and many people will be hitting their heads against their desks when they learn that obvious choices like "password" and "12345678" still top the list.

    While you can expect individuals to make basic mistakes like these, you would assume actual computer manufacturers would be smarter. But if the latest headlines are to be believed, it seems Lenovo's software developers could do with reading this list themselves. As revealed in an advisory posted by Core Security, Lenovo's ShareIT file-sharing software – built in to their computers – has a very serious password-related flaw.

    How bad? The Wi-Fi Network created and used for transferring files between Windows computers "securely" uses a very predictable password: 12345678. Even worse, this password is "hardcoded" into the software, making it impossible for users to change it to something much more secure. The problem is even worse for Android users, where the ShareIT app has no password at all, leaving the network entirely open for anyone within radio range to connect to.

    The implications for the security of transferred files is serious. Merely using a web browser to connect to a ShareIT network can reveal all the files currently stored on the platform by the affected user. While the files cannot be downloaded this way, the researchers also discovered that the files are transferred insecurely, without any kind of encryption, meaning the simple use of a traffic sniffer once connected could allow anyone to obtain a copy of any transferred file.

    Luckily, the flaws may not exist much longer. Lenovo claim that since being made aware of the issues in October last year, the company has worked to bring the software up to snuff. Those running ShareIT on Windows or Android are now advised to download the latest version of the software from the ShareIT website, which was released this week and claims to resolve all the issues found by the Core Security researchers. Given that this is not the first time Lenovo have been found to engage in shady security practices, however, it may be time to think twice about that ThinkPad.

    Sep
    04
    2015

    Skype users continue to be plagued by ongoing bogus messages

    Despite first being reported over a month ago, prompting Microsoft to advise Skype users to change their passwords, Skype users remain in the dark over a security issue that has resulted in their accounts sending out spam unnoticed, with Microsoft seemingly unable to rectify the problem.

    The problem, first reported on a Skype community forum over a month ago, sees random Skype users send out messages to multiple contacts on their contact list that were not sent by the user themselves. The messages include links to spam websites, which are always disguised using goo.gl short links. The problem has been reported to affect both old and new accounts, including those that have not been logged into in some time; and reports state even accounts that have not been linked to Windows Live accounts are appearing to send spam.

    Though the cause of the issue is yet unknown, some evidence by users suggests the issue could be a vulnerability with Skype's web client. Although the spam messages do not appear in the chat history of affected users when using a Desktop or Mobile version of the Skype client, some users who have been told their accounts have sent the spam messages have been able to see them in conversation windows that appear when the web client is used. Microsoft are yet to confirm these claims, having passed the buck several times already – the company has so far blamed weak passwords; malware on the affected user's computers; and an issue with linked accounts as potential causes.

    Microsoft continue to advise users affected by this issue to change their passwords; and state that they are continuing to look into the matter.

    Jun
    16
    2015

    LastPass Hacked: Users Encouraged to Change Master Passwords

    What happens when a service designed to keep your passwords safe gets hacked itself?

    LastPass Logo

    Password-management service LastPass announced today that it “discovered and blocked suspicious activity” on its network on Friday that caused user email addresses, authentication hashes, password reminders and server per user salts to be compromised.

    While the news suggests that some user’s email addresses may now be known to criminals and that hackers may now have useful hints to passwords for other sites you may be using, LastPass says that there is no evidence that any data from any user’s vault was taken; or that any accounts were logged into illegitimately before the hack was detected. This means that any of the passwords actually stored on the server have not fallen into the wrong hands, so there should be no need to reset passwords for every site you stored data for. LastPass is confident that its encryption is strong enough to make attacking those stolen hashes with any speed difficult.

    Nevertheless, when it comes to LastPass itself, it is highly recommended you change your Master Password right now to ensure those vaults can’t potentially be accessed later. Although the company’s official recommendation is that you only need to change your master password if it’s weak or use that password on multiple sites, in any case of hacking, being paranoid is often the best approach. The company also recommends that users who don’t have two-factor authentication enabled on their accounts do so now, which sounds like sound advice.

    Join the forum discussion on this post
    Mar
    10
    2014

    How to check your Antivirus is properly working

    Some of the worst viruses to hit Windows – and even a few not-so-bad ones – make every attempt to make cleaning your computer difficult, through methods such as disabling your antivirus, interfering with opening the Security Centre or any cleaning or security tools your computer may be running, and even in some cases modifying your computer's HOSTS file so even going on the internet can either be blocked or have you redirected from real sites to illegitimate ones. This is why it's important to block viruses before they spread.

    Most competent anti-malware programs contain real-time protection shields to block viruses and other malware as soon as they crop up; and a fair few even include internet shields to stop downloads and take you away from infected sites that are likely to give you a virus. But what if you're ALREADY compromised? If there's already a virus on your computer that's changing the websites you visit and disabling your antimalware shields, etc. – then you might not even know you're infected and your computer could even be open to further infections, without you knowing they're coming in. Fortunately, there's an easy way to find out if your security is working as expected.

    Most companies working in computer security are members of, or are regulated by, various institutes across the globe who want to make sure every threat is being properly dealt with and every anti-malware does a competent job in keeping users safe. In Europe, the main one of these is the European Institute for Computer Antivirus Research, or EICAR for short. EICAR do a lot of research into computer viruses; and their research is shared with the makers of anti-malware products to improve detections, identify new viruses and basically keep the security you're using in working order. One of the ways they do these is by releasing test files, which contain specific messages not found in most ordinary programs. The test files are not viruses, but antivirus and antimalware programs are asked to treat them as one; and because the messages are unique to the test file, if the product DOES warn about the test file when it sees one, it's probably a good sign you're properly protected.

    You can make one of the EICAR Test Files yourself through a simple text editor like Notepad, allowing you a quick way to test your security is in working order. Just do the following:

    • Launch Notepad on your computer
    • Copy and paste the following line into the Notepad file:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
       

    • Save the File. In the Save Dialog, change "Save As Type:" to "All Files". Then save the file with any name ending ".com" – for example eicar.com

    If your antivirus is working and capable, during or within a few seconds of the file being saved, your antivirus should block and warn about the new file. You may even be told the file has been automatically deleted or moved to the quarantine / virus chest. Any of these messages is a good sign your antivirus is working.

    If your antivirus also includes an on-demand scanner, you can also use this file to test that. First, restore the file from quarantine if your antivirus moved it earlier (check your antivirus product's documentation on how to do this). Then run a scan. If the antivirus product finds an infection in the file you saved using the steps above, you can be assured everything is in proper working order.

    If you didn't get warned about the file when you saved it; and it wasn't found in a scan – then it may be time to investigate as your computer may have been compromised and your security is under threat.

    The EICAR Test File is a great way to ensure your antivirus' protection and scanning routines are working exactly as they should be, without damaging the security of your computer. And you can easily delete the file once you're done to stop being warned about it again; and re-create it later if you want to test another time.

    Feb
    16
    2014

    Hackers steal Usernames, addresses, encrypted passwords and more details of Kickstarter users, change your password now!

    An undisclosed number of Kickstarter users have been emailed with advice to reset their passwords after the company was made aware of a data breach that may have led to the disclosure of personal information.

    Some time in the last 24 hours, Kickstarter updated their website to display a banner on the top of its site for logged-in users, advising them to change their password and providing a link to do so. The advice comes following a statement by Kickstarter – which was emailed to an undisclosed number of users – stating the company was made aware “by law enforcement officials” of hackers breaching their servers to steal account-related information. The advice also recommended users consider using tools such as 1Password or LastPass, which as well as offering storage to let you remember all your passwords, also include password generators to come up with randomised, highly-secure passwords (might I also recommend KeyPass, which does the same but also contains a meter telling you how “secure” any password you type in is likely to be?)

    The following is the full text of the email as sent out by Kickstarter – I’ll leave the explaining to them as it puts it better than I could myself:

    “On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

    No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

    While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

    As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.

    To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

    We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

    Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

    While it’s disappointing to hear of any type of hack where data is stolen – and a sad reflection of the state of the world today that not even a website that exists to give those with ideas but no money to make them real, the chance to connect with their potential market and get the funding they need, is safe from being hacked – it’s reassuring to see a company own up to the breach so quickly and waste no time in attempting to secure their service better and protect their users. I hope more companies learn from this example.

    Digiprove sealThis informative article has been Digiproved © 2014
    Acknowledgements: Quoted Portions come from a Kickstart more...
    Some Rights Reserved
    Join the forum discussion on this post
    Jan
    26
    2014

    Microsoft: “Don’t live in the US? Would you like to not store your data there?”

    That is the question Microsoft are now asking all its non-American users, after implementing a new feature that will allow users of Microsoft services who registered as outside the United States to opt to have their data stored only on non-American soil.

     

    Microsoft have become what appears to be the first United States-based company to offer those outside the US the option to store their data off of American soil; and it isn’t too surprising given how vocal they’ve been against lack of user privacy in the United States. They’ve been very unhappy with the revelations given to us thanks to Edward Snowden over the fact that the NSA have been spying on American citizens. They are also unhappy with the fact that their own networks have been used to monitor citizens in countries like Brazil and all over Europe as well. It’s also possible that the move may perhaps have an additional role as a subtle middle-finger to the Syrian Electronic Army, who have repeatedly hacked their American servers in recent months.

     

    So far, Microsoft is the only major company offering explicitly non-US data storage, despite evidence that the NSA has also broken into the private networks of both Google and Yahoo.

     

    While there’s no guarantee the NSA won’t be able to reach servers outside US borders, the move would offer an additional layer of protection, as local law enforcement is likely to respond more aggressively to agents of a foreign country. This of course assumes that Microsoft are serious about their commitment to protect the interests of their customers globally; and not just an act to maintain loyalty with customers outside of the US. There’s also still the unanswered question of what happens when data is transit – data may not be STORED on US servers, but could it still pass through one or more of them when the data is transit – for example, whenever you use a different Microsoft service?

     

    We shall see… soon enough.

    [Cross-posted to Sanitarium.FM]

    May
    23
    2013

    Twitter is introducing new security measures in light of recent hackings

    Micro-blogging site Twitter says it is bringing in an optional two-step login process for its users to improve the security of each account, following recent high-profile breaches within the social network.

    The news comes after a number of high-profile Twitter accounts were illegitimately accessed, including those of major news organisations such as the Financial Times and the Associated Press (AP), the latter causing widespread panic when hackers sent a fake news tweet claiming US President Barack Obama had been injured. This followed an attack against Twitter itself in February, which led to 250,000 users having their passwords stolen.

    Mr. Jim O'Leary (product security head of Twitter) explained the new two-factor authentication system thusly:

    "You'll need a confirmed email address and a verified phone number. After a quick test to confirm that your phone can receive messages from Twitter, you're ready to go."

    A message containing a verification code would then be sent to the account holder's mobile phone that can be used to log in. However, he also reminded Twitter users of the importance of strong passwords:

    "Of course, even with this new security option turned on, it's still important for you to use a strong password and follow the rest of our advice for keeping your account secure."

    However, Kim Dotcom – owner of Mega.co.nz file sharing site, itself the spiritual successor of the controversial former file upload website MegaUpload – is threatening a patent lawsuit over the Social Network's newfound use of two-factor authentication. Extending the threat to Google, Facebook, Twitter, Citibank and other companies that have implemented the system, he claims the use of mobile devices to offer a second layer of security for website logins infringes a patent describing an SMS-based two-step-authentication process he filed with the US Patent Office in 1998 and was granted in 2000; with Dotcom claiming registrations also exist in twelve other countries.

    "I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now cause of what the US did to me."

    The BBC reports that he is not alone in these claims, however:

    A New Jersey-based firm called Strikeforce is currently suing Microsoft over its use of two-factor authentication tech based on a patent it filed in 2004.

    And another British company, SecurEnvoy, recently announced it had been granted patents for a "business grade" SMS-based two-factor authentication process.

    However, let's look beyond the arguments and focus on the security. Will you be turning on two-factor authentication for your Twitter account?

    Digiprove sealThis informative article has been Digiproved © 2013
    Acknowledgements: Quoted segments: BBC, Jim O'Leary, @ more...
    Some Rights Reserved
    Dec
    30
    2012

    Beware the fake Google Play store that’s actually malware

    Malware on Android is nothing new. In fact, stories about this very subject can be found on most major news websites or tech blogs on an irregular basis, perhaps approaching once a month if not more. Usually the malware is easy to identify with the right amount of attentiveness, with the wrong developer names, low quality icons or badly written descriptions on the download page being a dead giveaway; and even if you're foolish enough to download these, the failure of the app to work; or unexpected behaviour while it's running should usually grab attention. But what if the Malware looks and acts like the official store where you buy the apps in the first place?

    This is the latest threat to Android users, discovered by effective Russian security firm Doctor Web. Known as the "Android.DDoS.1.origin" trojan, infected devices can be used for an array of malicious purposes including spamming text messages; and even DDoS attacks. Once installed, the app creates an icon that is an exact replica of the Google Play Store. Clicking it will still send you to the Store, but also activates the trojan, which runs silently in the background. The trojan will immediately try to connect to its Command and Control (C&C) server and if it does, the server operators are sent the victim's phone number. From here, the virus can receive texts from its operators, which are intercepted so the phone isn't aware of their receipt, telling it what to do next. These instructions can include a request to start DDoSing; at which point, the malware will spam a given target with quick bursts of data from the infected phone

    The DDoS attacks present a threat to the infected phone's user, who will find the data limits on their calling plans quickly used up unwittingly and criminally; and if enough phones attack the same location, it can also be bad for the receiving site, which may fail temporarily due to the sudden surge of traffic. Be careful out there!

    • You are currently browsing the archives for the Safety and Security category.