Archive

Category Archives for "Networking"

Third-party releases ‘nano-patch’ for Microsoft zero day bug

The delay in last month's Patch Tuesday fixes has caused considerable angst given there were several known problems, including two disclosed by Google. Microsoft is on track, as far as we know, for a patch release next week, but one company isn't waiting. It has issued its own fix for a minor bug. A U.K. security company called ACROS Security has released what they call their first "nano-patch" for CVE-2017-0038, a bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the number of pixels in the file. If image dimensions are large enough, the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed. An attacker could use this vulnerability to steal sensitive data in memory or as an aid in other exploits when ASLR needs to be defeated.

Microsoft’s Windows Server OS runs on ARM, with help from Qualcomm

Microsoft has warmed up to Qualcomm to make a Windows 10 PC based on its ARM chip, and now the companies are bringing Windows Server OS to ARM. For the first time ever, Microsoft is expected to show the Windows Server OS running on an ARM server. The server runs on Qualcomm's Centriq 2400, an ARM-based chip designed for cloud servers. The server is being shown at the Open Project Compute Summit being held in Santa Clara, California, on Wednesday and Thursday. The ARM-based Windows Server hardware is for Microsoft's internal use. The company didn't share information about when Windows Server would be available for ARM servers.

Apple, Cisco, Microsoft and Samsung react to CIA targeting their products

From the trove of CIA documents dumped by WikiLeaks, we’ve heard a lot about attacks the agency could pull off against TVs and smartphones. Some of the companies with targeted products have issued their initial responses. October 2014 notes discuss the CIA’s Embedded Devices Branch (EDB) and what it should target. For the “really non-technical,” the CIA would define “embedded systems” as “The Things in the Internet of Things.” But the fact that the CIA intended to exploit IoT should not surprise anyone, considering that in 2012, then-CIA Director David Petraeus said the CIA “cannot wait to spy on you” through your smart internet-connected devices.

An AMP validator you can cURL

Cloudflare has been a long-time supporter of AMP, an open-source markup language 1.5 billion web pages are using to accelerate their mobile web performance. Cloudflare runs Ampersand, the only alternative to Google’s AMP cache, and earlier this year we launched Accelerated Mobile Links, a way for sites on Cloudflare to open external links on their site in AMP format, as well as Firebolt, leveraging AMP to speed up ad performance.

One of the biggest challenges developers face in converting their web pages to AMP is testing their AMP pages for valid AMP syntax before deploying. It's not enough to make the templates work at dev time; you also need to validate individual pages before they’re published. Imagine, for example, a publishing company where content creators who are unfamiliar with AMP are modifying pages. Because the AMP markup language is so strict, one person adding an interactive element to a page can all of a sudden break the AMP formatting and stop the page from validating.

We wanted to make it as easy as possible to move webpages and sites to AMP so we built an AMP linter API for developers to check that their

Review: JAM Voice speaker adds Amazon Alexa support

Amazon offers several options for people who want to experience the Echo/Alexa voice-controlled assistance technology. For $180 (or $130 if you buy the Amazon Tap) you can buy the full Amazon Echo speaker system; if you already own a Bluetooth speaker system you can get the $50 Echo Dot. If you’re not down with the Amazon hardware, you have another third-party option. The JAM Voice ($50, via Amazon) from JAM Audio is a Wi-Fi and Bluetooth speaker that includes Amazon Alexa Voice Service integration. The tiny speaker offers up to four hours of play time and recharges via USB cable (power outlet adapter not included). The speaker sets up via the JAM Wi-Fi app, letting you connect the speaker to your existing Wi-Fi network (you need Internet connectivity in order to use the Alexa voice services). If you don’t want to utilize that option, you can connect via Bluetooth like every other portable Bluetooth speaker. The JAM Voice also integrates with JAM Audio’s other Wi-Fi speaker systems (the Rhythm and Symphony) to give you multi-room audio.

IDG Contributor Network: ScyllaDB another contender to the open source NoSQL database crown

The world of the database is one of those areas that sees lots of people obsessing over details that to outside observers would seem trivial. Graph, NoSQL, SQL, distributed—so many choices. So, when ScyllaDB told me about a funding round that they’d raised and their stated intention to replace Apache Cassandra, I was interested—if slightly skeptical. Not skeptical because of anything I know about ScyllaDB per se, but simply because of the busy-ness of the space. The launch only a couple of weeks ago of Google’s Cloud Spanner database, an offering developed from the internal tools that Google itself uses, certainly upped the database ante. Google’s assertion that Cloud Spanner gives users all the benefits of both regular relational and NoSQL databases put all other database offerings on guard.

CIA false flag team repurposed Shamoon data wiper, other malware

The U.S. Central Intelligence Agency documents published by WikiLeaks Tuesday show that one of the agency's teams specializes in reusing bits of code and techniques from public malware samples. According to the leaked documents, the Umbrage team is part of the Remote Development Branch under the CIA's Center for Cyber Intelligence. It maintains a library of techniques borrowed from in-the-wild malware that could be integrated into its own projects.

IT professionals think Apple devices are easier to manage, according to new survey

A recent survey has found that your IT department thinks a Mac is more manageable than a PC or Chromebook. According to a survey of IT professionals, Macs and iOS devices are easier to manage when it comes to security, device configuration, software deployment, and support. Of those surveyed, 62 percent said the Mac is as easy or easier to deploy than PC, and 93 percent said it’s as easy or easier to deploy an iPhone or iPad over another device. While most IT professionals found Apple’s products easier to manage overall, that was not the case when it comes to Mac integration. Only 36 percent of IT professionals claimed that it was easy or easier to integrate Macs into other environments. The survey is based on responses from 300 IT professionals and was commissioned by Jamf, the software management firm that focuses solely on Apple devices.

How pay transparency and equity help employers retain workers

More than ever, companies are updating their compensation strategy and practice to build more trusting relationships with their workforce, emphasizing pay transparency and equity, according to the 2017 Compensation Best Practices Report from cloud compensation services company PayScale. The 2017 Compensation Best Practices Report (CBPR) is based on data from 7,700 executives, line of business managers, human resource leaders and compensation practitioners, and reflects current attitudes about compensation, business growth, hiring and retention. The latest annual report shows a shift is underway at many companies as key talent markets are becoming increasingly competitive.

What’s the value in attack attribution?

Those who pursue forensic analysis with the hope of identifying and prosecuting an attacker will likely find that the time spent on attack attribution is fruitless. If, however, they are looking to use what they gain through attack attribution to inform their overall security procedures from prevention to response, the effort yields valuable results. Many experts in the industry have questioned whether there is any value to attribution. SafeBreach CTO & co-founder Itzik Kotler said, "The only interesting aspect in attribution itself is to classify and put information in a box and use it over and over again." Kotler offered a hypothetical in which right now CNN gets hacked by the Chinese. "That someone can or cannot attribute it to the Chinese doesn't matter. It does matter if we can say we think this is from China," Kotler said.

Smackdown: Office 365 vs. G Suite collaboration

Ever since I can remember, Silicon Valley has been enamored with the idea of group editing of documents. Very little good writing gets done that way, of course. It’s like the joke that a camel is a horse designed by committee.

Ryzen CPUs explained: Everything you need to know about AMD’s disruptive multicore chips

After a decade of fielding ho-hum FX-series processors, AMD’s finally released its highly disruptive Ryzen chips, throwing down the gauntlet and challenging Intel’s supremacy in high-end computing. AMD’s new Ryzen chips include several CPUs (and CPU families) of various levels of potency. What’s more, Ryzen introduces a completely new motherboard platform, and the processors require different memory and coolers than their predecessors. There’s a lot to sift through—so let’s sift! Here’s everything you need to know about AMD’s Ryzen.

Here’s how Microsoft has rethought its approach to email

Two years ago, Microsoft made a massive shift in the way it approached the email market. In January 2015, the company launched Outlook for iOS and Android, free professional-grade email apps for two platforms that Microsoft previously underserved in that regard. Outlook for iOS and its Android sibling were special, because they supported Gmail, Yahoo and iCloud email, in addition to Microsoft’s Outlook.com, Office 365 and Exchange email offerings. While connecting to third party email providers isn't new for Outlook, offering one-click support for different email providers at launch sent a message that this wouldn't be locked to the Microsoft ecosystem.

Consumer Reports decision to rate cybersecurity is a huge deal

Conventional wisdom has it that most consumers simply don’t pay much attention to computer security and privacy issues. Perhaps worse, they don’t think they can do much to protect themselves without forgoing many of the benefits of our digital, connected age. Consumer Reports is trying to change both of those things. The influential publication and public-interest organization announced on Monday that it has collaborated on a digital consumer-protection standard designed to define “how companies should build these products to really be good for consumers in terms of privacy and other issues,” said Maria Rerecich, who directs electronics testing at Consumer Reports, in a statement.
