The newest Windows 10 privacy freak-out involves Windows Hello, which is supposed to be a convenient security feature turned on or off by selecting Settings > Accounts > Sign-in options. Windows Hello replaces traditional passwords with biometric recognition, allowing users to unlock their PC with a swipe or glance. You’ve likely seen Microsoft’s 30-second Windows 10 commercial, which shows a toddler who “won’t have to obsess over security” as she will be able to unlock Windows 10 with a smile.
Even before Microsoft’s updated Privacy Statement and Services Agreement kicked in on August 1, privacy advocates from the European Digital Rights group warned the new privacy policy was “bad news for privacy.” Then Windows 10 default settings proved to be skewed toward spying on users by default. The fact that users are opted in unless they take steps to opt out is so bad for privacy that people who do not normally bother to read Microsoft’s Services EULA (end-user license agreement) started doing so.
Microsoft issued an emergency out-of-band security update on Tuesday to address a zero-day vulnerability in Internet Explorer. All supported versions of Internet Explorer need to be patched as the remote code execution vulnerability is actively being exploited in the wild. While some publications have reported the hole is not being exploited, Microsoft listed "yes" under "exploited." MS15-093 is rated critical for Internet Explorer 7 to 11, which happen to be all supported versions of IE on Windows clients; it's rated moderate for Windows servers. The patch addresses the vulnerability by modifying how IE handles objects in memory.
Wireless carriers worldwide are still tracking users via "supercookies" or "perma-cookies," yet Americans are tracked by U.S. wireless carriers more than any other carrier in any other country, according to a new report by the digital rights group Access. "Injecting tracking headers out of the control of users, without their informed consent, may abuse the privileged position that telcos occupy." Those tracking headers "leak private information about users and make them vulnerable to criminal attacks or even government surveillance." It came to light in 2014 that Verizon Wireless and AT&T were injecting special tracking headers, aka "supercookies," to secretly monitor users' web browsing habits. So Access set up the "Am I being tracked?" website for users to find out if their mobile carriers were tracking the websites they visited on their phone. More than 200,000 people from 164 different countries tried out the Amibeingtracked tool; 15.3% were being tracked by tracking headers deployed by their wireless carriers. Of those, the most monitoring occurred in the U.S.
It would be a heck of a time to be shopping for a new set of wheels. The theme of digitally beating up cars continued with two teams of security researchers at the 24th USENIX Security Symposium. After two years of having their research suppressed by Volkswagen and a UK court, Flavio Garcia, Roel Verdult, and Baris Ege were finally able to present their research (pdf) at USENIX. The research paper details "how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles."
Well, well, Patch Tuesday is not yet dead as Microsoft released 14 security bulletins, four of which are rated critical for remote code execution vulnerabilities; the August 2015 security updates are aimed at Windows, Microsoft Office, Internet Explorer, Edge, Microsoft Lync, Microsoft Silverlight and .Net Framework. One of the patches rated critical (MS15-081) and one rated important (MS15-085) are fixes for exploits detected in the wild.
If you have an Internet of Things device, then it’s highly likely that you are using ZigBee whether you know it or not. There are other possibilities, including that your IoT devices use the Z-Wave protocol, which was beat up a couple ago by security researchers who used it to attack automated homes. ZigBee is a wireless standard used for connectivity to control IoT devices. It’s used in “tens of millions of smart meters” and there are 1,088 items listed as ZigBee Certified products. It depends who you listen to, I suppose, as to whether you believe ZigBee is great or if ZigBee is a great threat to the Internet of Things due to critical wireless security flaws that can be exploited to compromise smart lights, door locks, motion sensors, smart switches, temperature sensors, HVAC systems and other “smart” home devices.
When it comes to hacking chemical plants, for an attacker to go hackedity-hack-hack and then the plant goes boom fortunately only happens in the movies. But “if you plan to improve your financial posture” now and at least in the five years is a good time for security researchers to jump into cyber-physical systems security where you will be most concerned about attacks that cause physical damage. Granted, you and attackers may know a lot about the IT world, and even Industrial Control Systems (ICS) aka SCADA, but hacking a chemical plant means also needing to know some physics, chemistry and engineering. The Damn Vulnerable Chemical Process was developed to help you master new skills; it’s the “first open source framework for cyber-physical experimentation based on two realistic models of chemical plants.”
When car manufacturers hear Samy Kamkar’s name, they likely cringe as Kamkar has been on a car-cracking spree. About a week after he unveiled OwnStar, Kamkar was at Def Con 23 presenting “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars.” At the end of July, Kamkar revealed his $100 OwnStar device that could “locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communications between the RemoteLink mobile app and OnStar servers.” GM quickly patched the OnStar app.
For as cool as it might be to use Microsoft's virtual assistant Cortana, she is also a big reason why the Windows 10 settings are so unfriendly to privacy. Start typing in the "Search Windows" box on the taskbar and Cortana wants to help…or to be turned on. It may be a bummer to lose so many features in Windows 10, but you have to choose if you want as much privacy as possible or if you want as many Windows 10 features as possible. Sorry, but you can't have both.
Settings>Privacy>
You can set up a local account in Windows 10 during a clean installation and you can also set up a local account after installing Windows 10 using a Microsoft account. The process is a bit more straightforward than it was in Windows 8. If you wanted to create a local account in Windows 8.1, Microsoft made you jump through hoops and numerous screens before finally selecting “Sign in without a Microsoft account (not recommended).” Skip down to the second half if you want to know how to create a local account while installing Windows 10.
A few days ago, over 14 million machines had been upgraded to Windows 10, but millions of other people who used the “Get Windows 10” app are impatiently waiting for Microsoft to notify them that it is their turn to download Windows 10. The app says Microsoft is rolling out the free upgrade in waves; “Watch for your notification so that you can start your upgrade. Your notification to upgrade could come as soon as a few days or weeks.” That notification has become an exploitation opportunity for bad guys who are sending out fake Windows 10 upgrade emails along with supposedly zipped Windows 10 download attachments that ultimately install ransomware on victims’ PCs.
It’s the big Windows 10 launch day and Microsoft has reserved a huge amount of bandwidth for the massive rollout, reportedly “up to 40Tb/s per second of capacity from all of the third-party CDNs combined.” If you haven’t done so yet, then you should review Microsoft’s new privacy and service agreements as well as the privacy dashboard to consider making changes to your settings for Windows and Cortana, as well as Microsoft services such as Office 365, Xbox Live, Groove Music, Office Online, OneDrive, Skype, Outlook.com and Bing Rewards. According to Horatio Gutierrez, Microsoft’s deputy general counsel, the company’s updated Privacy Statement and Services Agreement were guided by simplicity, transparency, and privacy. Gutierrez said consumers need “clear terms and policies that both respect individual privacy and don’t require a law degree to read.” The new Privacy Statement, which kicks into effect on August 1 – mere days after Windows 10 – is supposed to have “straightforward terms and policies that people can easily understand.” Yet since the new privacy policy is 22 pages long and the service agreement is 23 pages long, the European Digital Rights (EDRi) group said, “So much for clearly understandable
Hacker News had me laughing today as a company called HeavyGifts took a joke and turned it into a real and free product by using metal band logos as CAPTCHAs. Unless there is another computer virus based on weaponizing heavy metal, such as the malware reported to F-Secure’s Mikko Hypponen by an Iranian nuclear scientist after AC/DC’s Thunderstruck was allegedly blasting from workstations in the middle of the night, when else can I write about metal music?
If you are sick of your ever-increasing cable bill, have you considered becoming a cord cutter? If you spent a bundle on your TVs but they aren't smart TVs, you likely aren't planning to abandon them. PCMag has a decent cord cutter's guide; for folks without a smart TV, TechHive's media streamer buyers' guide compared Amazon Fire TV, Apple TV, Google Chromecast, Nvidia Shield Android TV, and Roku 3 before recommending Roku 3 "as the best all-around option." TechHive explained:
At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”
Better late than never, Microsoft is cracking down on the "gross violations of privacy" that is revenge porn. Microsoft's promise to remove links to revenge porn follows similar promises from Google, Facebook, Twitter and Reddit.
A hacker duo pretty much just made the case for going old school and steering clear of “smart” and “connected” vehicles as they remotely attacked one. Charlie Miller and Chris Valasek revealed 20 of the “most hackable” vehicles last year, but this year at Black Hat they will blow people’s minds when they present “Remote Exploitation of an Unaltered Passenger Vehicle.” It’s not the first remote hack; when DARPA’s Dan Kaufman remotely hacked a car for 60 Minutes, he triggered the windshield wipers, blasted the car’s horn and then disabled the brakes. That and a report (pdf) claiming that nearly all new cars can be hacked led to a lawsuit against GM, Ford and Toyota for "dangerous defects in their hackable cars."