"The vulnerability allows for RCE (remote code execution) which potentially allows bad actors to install, modify, or run software without authorisation and could also be used to disclose files on the host system. Translation: VLC’s security hole could allow hackers to hijack your computer and see your files."
Read more at Gizmodo
Story from itnews. Read the story here
Full story on: AppleInsider
Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities.
Story Source: Wired
You must always use strong passwords that cannot be guessed by anyone, and a password should never be reused anywhere else.
This obviously makes sense for maximum security but:
- What is a strong password?
- How do you come up with a strong password?
- How do you remember the strong password?
A strong password is obviously one that cannot be guessed or derived through some automated process. An example of a strong password is: Jg4uyG3B87dTg%x. It is 15 randomly chosen characters, including 4 numbers, 1 symbol and a mix of upper and lowercase letters.
Another example is using words which may be easier to remember. An example is: musty-eject-thing-quackery using 4 words and hyphens.
So, how do you come up with these strong passwords? The simplest answer is to use software such as 1Password by AgileBits (https://1password.com). On the Mac there is also a built-in program called Keychain Access: when you create an account in the browser or change your password, it will suggest a strong password for you and store it in the Keychain.
Once you have created these strong passwords, then you never have to remember them again as they will be available to you when you need them. In the case of 1Password, you only ever have to remember the password to 1Password to access all your other passwords.
In the latest versions of macOS and iOS, the passwords created and stored by Keychain carry across your devices, and if you also have 1Password, you can open that if the password is stored in it.
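To show why the two styles above are strong, here is an added example (not from the original post or from 1Password) that generates both kinds of password with Python's cryptographic random source and works out how many bits of guessing effort each represents. The eight-word list is a constructed stand-in for a real list of thousands of words, and the 10 billion guesses per second rate is an assumed attacker speed.

```python
import math
import secrets
import string

# Character set for the random style: upper, lower, digits and a few symbols (70 options)
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed mini word list; a real list (e.g. 7776 diceware words) would be far larger
WORDS = ["musty", "eject", "thing", "quackery", "harbor", "violin", "cactus", "lantern"]


def random_password(length=15):
    """Random-character style, like the page's Jg4uyG3B87dTg%x example."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def passphrase(words=4, wordlist=WORDS):
    """Word style joined with hyphens, like musty-eject-thing-quackery."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` symbols is drawn uniformly from `choices` options."""
    return picks * math.log2(choices)


def guess_time_years(bits, guesses_per_second=1e10):
    """Expected years to find the password by brute force (half the keyspace on average)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("random 15 chars:", random_password(),
          f"{entropy_bits(len(CHARSET), 15):.1f} bits,",
          f"{guess_time_years(entropy_bits(len(CHARSET), 15)):.2e} years to brute force")
    # With only 8 words the passphrase is weak; strength comes from the list size, not the hyphens
    print("4 words from 8:", passphrase(), f"{entropy_bits(len(WORDS), 4):.1f} bits")
    print("4 words from 7776:", f"{entropy_bits(7776, 4):.1f} bits")
```

The point the output makes is that a hyphenated word password is only as strong as the list it is drawn from; four words from a large list are comparable to a long random string, four words from a tiny list are not.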
Two Factor Authentication
Use it for your Apple ID, Google, Facebook, Microsoft and everywhere it is available. It ensures that a stolen password alone is not enough to gain unauthorised access to your accounts.
Microsoft uses its Authenticator app on your mobile device, and Google has its own Authenticator app, which a number of third parties such as Square, Amazon, Airtable and Synology also use.
Disable Automatic Login
Do not allow your computer to log in without an account and a password. Require passwords for each account on the computer, or in the case of a mobile device, ensure that it is protected by some form of authentication at all times, whether that is Face ID, fingerprint, passcode or whatever method your device uses.
Don’t Trust Emails or Text Messages
If you receive an email or a text from an unknown source that is unsolicited, do not click on any links or in fact on anything in the email or message.
Banks do not send you links for you to click nor do any sensible organisations. If you think it may be legitimate, go to the site you know and check it out, not via a link in the email or message.
Phone Call Scams
There are many scams out there which include ones where they pretend to have detected an issue with your computer. Just hang up.
More recently, you may receive phone calls from unknown locations and numbers where the caller hangs up before you have a chance to answer. They want you to phone back, because the number is a premium-rate one that will cost you a great deal of money, and they will keep you on the line as long as possible.
Don’t phone back any of these numbers!
Be aware of any scams involving buying, selling and job offers.
Do not trust any public WiFi hotspots. Do not do anything such as banking, or anything where you need to use account details, unless it is an HTTPS site (secure) or you use a VPN service.
Install the latest security updates and OS updates and third party software updates.
Read news sources and keep up with the latest threats.
Scamwatch (https://www.scamwatch.gov.au) has information on the latest scams.
Within five minutes of a smart device going online, hackers will try to gain access by using well-known factory setting passwords and usernames. Even devices that have been updated, where a buyer sets up new credentials immediately, may be hacked because of security vulnerabilities built into the security camera, virtual assistant, thermostat or other product.
Read the full article at gearbrain.com
Apple offers what are known as certificates that let businesses have deep controls over iPhones, with the potential to remotely install apps, monitor app usage and access, and delete data owned by a business on an iPhone. Apple designed the program for organizations whose staff use iPhones for official duties, when privacy needs are different from phones for personal use.
Source: Reuters. (Click the link to read the full story)
“Houzz recently learned that a file containing some of our user data was obtained by an unauthorised third party. The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities.
Out of an abundance of caution, we have notified all Houzz users who may have been affected.”
If you have a Houzz account, it would be worth reading the following information on their site: Houzz Security Update - FAQ
"There have been a host of Facebook virus attacks in the little over a decade it’s been in existence. Some are fairly easy to spot and avoid, others look fairly innocuous until it’s too late. Here, we’ve listed the most common Facebook virus attacks and how to protect yourself from them."
Click on the link above to read their full story or here.
The United States Department of Homeland Security has issued an emergency directive in response to a serious, global campaign of domain name system (DNS) infrastructure tampering, believed to originate in Iran.
Earlier in January, security vendors Cisco Talos and Mandiant FireEye outlined a spate of DNS hijacks against multiple government, telcos and internet infrastructure organisations in Europe, North America and the Middle East/Africa.
Attackers have successfully redirected web and email traffic by altering DNS records, making them point to servers on addresses that they control.
They've been able to do so by capturing the credentials of administrative accounts that can make changes to DNS records. FireEye and Talos said they have received reports that sophisticated phishing attacks were used to gain access for DNS record manipulation, as well as compromising a victim's domain registrar account.
Sourced from: itnews.com
The foundation said in a submission to the government that being forced to secretly create vulnerabilities in an open source product would be extremely difficult.
Mozilla expresses a number of concerns, including:
The limitation on systemic vulnerabilities is inadequate.
The key provision seeking to limit the widespread security risks of this bill is a prohibition on forcing companies to build a “systemic vulnerability” into their systems or to prevent them from rectifying a systemic vulnerability. However, the term “systemic” is not defined in the bill, leaving dangerous ambiguity that could be exploited by the government. The accompanying Explanatory Document provides some additional clarity but not confidence in stating that systemic vulnerabilities exclude “actions that weaken methods of encryption or authentication on a particular device.”
The Government goes on to say that this legislation would permit “requir[ing] a provider to enable access to a particular service, particular device or particular item of software.”
For a company to enable this capability would effectively be to create a systemic vulnerability, whether the capability is provided by “one-off” upgrades sent to specific devices or by inserting a remote access capability to all versions of their products. In either case, the company will be left with a fast-path method to compromising their user’s data, thus creating a high risk of compromise by malicious actors.
You can download the PDF here: Mozilla Submission
The bill “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well", Apple said in a parliamentary submission.
In the submission, Apple said, "The encryption technology built into today’s iPhone represents the best data security available to consumers. And cryptographic protections on the device don't just help prevent unauthorized access to your personal data — they're a critical line of defense against a criminal who seeks to implant malware or spyware, and use the device of an unsuspecting person to gain access to a business, public utility or government agency."
They go on to say "While the bill presents many questions and opportunities for clarification, we focus our comments on several overarching themes: (1) overly broad powers that could weaken cybersecurity and encryption; (2) a lack of appropriate independent judicial oversight, (3) technical requirements based only on the government’s subjective view of reasonableness and practicability, (4) unprecedented interception requirements, (5) unnecessarily stifling secrecy mandates, and (6) extraterritoriality and global impact."
“The bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability," Dutton said in the bill's first reading.
The government has said this will invariably involve some weakening of security, but denies that it will lead to systemic weaknesses or vulnerabilities like backdoors in products or services. Read More…
It plans to present the legislation – dubbed the Telecommunication and Other Legislation Amendment (Assistance and Access) Bill – before December 7 this year.
I have heard the arguments from ordinary users stating that they have nothing to hide so why should they care? There are a number of aspects to this.
1. Whilst the government is not a corrupt totalitarian regime, you may have little to fear from it, but history has shown that this is not guaranteed and can change very quickly.
2. Your communications which expose personal information such as your banking information, your username and password for the various services you access etc. should always be secure and encrypted. If the government has a backdoor, then what stops criminals from exploiting this backdoor? It's a valid argument, because trusting the custodians of the backdoor key has been proven to be folly as it will always be exploited. Just look at the leaks from supposedly secure government organisations such as the NSA, CIA and FBI in the US.
3. On another level, if your data can be decrypted in transit by third parties, what is there to stop this information from being mined and used for marketing or to profile individuals for other purposes?
4. If you are not convinced that it is a bad idea, just think about the countless millions of accounts that have been hacked due to the custodians of your personal data being hacked. This information has been used to steal money, create false identities for other criminal activities etc.
It's interesting that governments that were formerly conservative in their thinking are now on the bandwagon of trying to impose these types of laws. Historically it was always more likely to come from the left of politics that would push such ideas.
Article published on itnews site.
Although the article refers to US carriers, it is likely that it applies to most carriers.
Read the full article at Wired.com
Cryptographer Adi Shamir is worried that billions of microprocessors could be irreversibly bricked in future by a microcode update gone wrong.
Security Research Labs analysed a large number of devices running Google's Android operating system, and found that some vendors fail to apply critical and high severity security patches.
Best to always check.
Source: ITNews Android vendors fail to install security patches
In the past, it was very difficult to work out what your privacy settings actually were, and they would change, often without users being aware. This has improved, but it is still very difficult to work out some of the settings. For example, deleting your Facebook account can be problematic because even if you do find where to do it, should you inadvertently connect to Facebook again from some device, it negates your deletion.
Source article: Wired- Facebook Privacy Issues
Another article on the same subject: What the F*** Was Facebook Thinking, and yet another one on how to delete your Facebook account at https://vpnandgo.com/delete-facebook-account/
The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals.
The total stood at 145 million in the US and hundreds of thousands in the UK and Canada – but it's now found a few more people that previously escaped its "forensic" testings.
The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the attackers.
This is a world-wide trend: governments seek access to encrypted data on the premise that it is to keep society safer.
In Australia, there is a movement to have decryption legislation which will allow access to users' data.
The argument is always that this access is to assist in fighting crime and to protect society. Individuals may say "I have nothing to hide, so why not?", but this is potentially very dangerous if governments are able to spy on everyone at any time. Past experience has shown that this sort of power has been abused by governments to silence or eliminate opposition groups.
Reuters article: https://goo.gl/SeozfG
ZDNet article: https://goo.gl/L584Ew
Source story: https://goo.gl/GfkcTA
The problem relates to rendering certain Indian characters which could cause the device to crash.
Apparently some mischievous people have intentionally inserted these characters to cause problems for those unfortunate to have encountered them.
It's always a good idea to keep devices up-to-date, especially relating to security issues.