Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.
Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creators Update. But this vital repair work is filtering back down to Windows 7 and Windows 8, in the form of monthly software updates, only slowly if at all.
This is all according to researchers on Google’s crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven’t realized this, they will now: Google staffers have publicly blogged about it.
Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software’s performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.
“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” Google Project Zero researcher Mateusz Jurczyk said on Thursday.
“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”
As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.
When the kernel is told by an application, via the NtGdiGetGlyphOutline system call, to fill an area of memory with information, and copy it into the app’s memory space, the OS doesn’t fully overwrite the area using memset() prior to the copy operation. This means the kernel ends up copying into the application’s memory space left over private kernel data, thus leaking information it really shouldn’t. This can be useful to snoop on the OS and other programs or gain enough know-how of the system’s internal operations to pull off more damaging exploits.
This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.
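Added example, not Windows or Project Zero code: a constructed model of the missing-memset pattern described above, with the leaky routine beside the scrubbed one and a check that counts how many stale bytes reach the caller. The 64-byte scratch buffer, the 0xAA marker for "private kernel data" and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the memset pattern described above; not Windows
 * code. OUT_SIZE stands in for the fixed-size structure the kernel returns. */
#define OUT_SIZE 64
#define STALE_BYTE 0xAA   /* marks "private kernel data" left from earlier use */

static uint8_t kernel_scratch[OUT_SIZE];

/* Pretend the scratch buffer was previously used for something sensitive. */
static void prime_with_stale_data(void) {
    memset(kernel_scratch, STALE_BYTE, sizeof kernel_scratch);
}

/* Vulnerable pattern: only the first `used` bytes are written, then the whole
 * buffer is copied to the caller, stale tail included. */
void glyph_outline_leaky(uint8_t *user_out, size_t used) {
    prime_with_stale_data();
    for (size_t i = 0; i < used; i++)
        kernel_scratch[i] = (uint8_t)i;            /* the real outline data */
    memcpy(user_out, kernel_scratch, OUT_SIZE);   /* leaks bytes used..63 */
}

/* Hardened pattern (the added memset Project Zero observed in Windows 10):
 * scrub the entire output region before filling it. */
void glyph_outline_fixed(uint8_t *user_out, size_t used) {
    prime_with_stale_data();
    memset(kernel_scratch, 0, sizeof kernel_scratch);
    for (size_t i = 0; i < used; i++)
        kernel_scratch[i] = (uint8_t)i;
    memcpy(user_out, kernel_scratch, OUT_SIZE);
}

/* Detection check: how many bytes beyond `used` still carry stale content? */
size_t stale_bytes_leaked(int fixed, size_t used) {
    uint8_t out[OUT_SIZE];
    if (used > OUT_SIZE) used = OUT_SIZE;         /* never write past the buffer */
    if (fixed) glyph_outline_fixed(out, used);
    else       glyph_outline_leaky(out, used);
    size_t n = 0;
    for (size_t i = used; i < OUT_SIZE; i++)
        if (out[i] == STALE_BYTE) n++;
    return n;
}

int main(void) {
    printf("leaky: %zu stale bytes copied out\n", stale_bytes_leaked(0, 16));
    printf("fixed: %zu stale bytes copied out\n", stale_bytes_leaked(1, 16));
    return 0;
}
```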
This months-long lag in deploying patches to previous flavours of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defences in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.
“Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk explained.
“This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.”
While it’s not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10’s security improvements, ironically.
Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told The Register.
“Additionally, we continually invest in defence-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Translation: please, please stop using Windows 7 and 8. ®
I am sure you are aware by now that using your mobile phone while driving is illegal.
But you may not realise that using it for sat nav directions could get you in trouble as well; I was not aware of this until today either. There is a right way and a wrong way to go about it, and improper use might lead to points on your licence and a £200 fine, and can also have serious implications for your insurance.
Here are a few tips to keep your Google/Apple maps use on the right side of the law:
1. Place the phone in a cradle or holder which fixes it in a position that’s easily viewable from the driver’s seat (but position it correctly, see point 5 below).
2. Always programme the route into the sat nav before setting off.
3. Never handle the phone to check directions or re-programme the sat nav app. Always pull over if you need to do this.
4. Pressing the screen once, such as for accepting a faster route if one is suggested, should be ok, but nothing more.
5. Beware that sticking a phone on a windscreen in its holder might not be allowed. That’s because, according to the Highway Code, “windscreens and windows MUST be kept clean and free from obstructions to vision”.
6. Holders can be bought that attach to air vents, which gets over the problem of placing the phone on the windscreen.
What using your phone for sat nav can mean for insurance
Increased cost of cover
Using your phone incorrectly for sat nav directions when you’re driving has been proven to increase the potential for accidents and speeding.
Being distracted handling and using a phone while driving is a common cause of accidents. It also often means drivers aren’t aware that they’re entering an area with slower speed restrictions, resulting in fines and bans.
Being involved in a crash or caught speeding can negatively impact what you pay when you renew your car insurance. You will almost certainly have to pay more (possibly a lot more!) as you’re seen as a higher risk and might even be denied cover.
Potential rejection of insurance claims
If it can be proved that you weren’t in proper control of your vehicle at the time of a crash or other road incident, an insurer might not pay out on any insurance claim you make.
Insurers insist on what’s often described in the Ts&Cs as ‘due care’ to be taken by the insured. This means that reckless driving would almost certainly lead to a claim being denied, potentially costing the claimant thousands to put right any damage themselves or having to pay out for a new car without any financial assistance.
Every few weeks we hear the news that another major corporation’s website has been hacked; just last week we heard about Equifax being hacked and data on millions of users being compromised. We of course only hear about the major newsworthy hacks which have been discovered or disclosed, but the scary truth is that around 30,000 websites are hacked every single day.
Often these hacks mean your personal information has also been compromised, most likely without your knowledge as often website owners either do not know they have been hacked, or choose to keep it quiet. In this post, I cover the important reasons for why you should use a password manager to protect your online identity, and how to get started with LastPass, a free password manager.
Passwords & Online Security Best Practices
Most websites rely on a simple login process for a user to gain access to their account: a username and password.
As an online security best practice, you need to have a long, complex and unique password for every web account you use.
Strong passwords need to be:
- Long – The more characters in a password, the longer it would take a hacker to guess your password.
- Complex – By adding additional characters to your password you add complexity or password entropy. Password entropy is a measurement of how unpredictable a password is, based on the character set used (a combination of lowercase, uppercase, numbers and symbols) as well as password length. Basically, your password needs to be something you could never pronounce.
- Unique – You need a different password for every web account you use. Yep, that’s right. Every login on every website needs to be unique and never reused.
Unfortunately, in the real world, meeting all three criteria for strong passwords is basically impossible without the use of a password manager.
Why Use a Password Manager? The Nightmare Scenario
So why is having a long, complex, unique password important?
If you use the same email address and passwords for multiple websites that you log into (as a lot of people do), what happens when one of those websites gets hacked?
The hackers now have your username and password on a list that will be used to try to log into thousands of other websites around the internet. If you use the same email address and password for all your websites, the hacker will now be able to log into all your accounts at once and get access to all your personal data and details.
If those same login details are used for your email account as well, they can now access pretty much anything. Any site they cannot get into, they can simply issue a password reset, which will come to your email, which they now have access to. Identity theft at this point is a high possibility.
Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.
Don’t Use Common Passwords
Here’s Keeper Security’s list of the most common passwords of 2016. Do you recognize any of them?
These are all lazy passwords, achieved by just pressing keys which are next to each other on the keyboard, and are easily cracked in seconds by automated tools.

| Rank | Password | Rank | Password | Rank | Password |
|---|---|---|---|---|---|
| 1 | 123456 | 10 | 987654321 | 19 | 555555 |
| 2 | 123456789 | 11 | qwertyuiop | 20 | 3rjs1la7qe |
| 3 | qwerty | 12 | mynoob | 21 | google |
| 4 | 12345678 | 13 | 123321 | 22 | 1q2w3e4r5t |
| 5 | 111111 | 14 | 666666 | 23 | 123qwe |
| 6 | 1234567890 | 15 | 18atcskd2w | 24 | zxcvbnm |
| 7 | 1234567 | 16 | 7777777 | 25 | 1q2w3e |
| 8 | password | 17 | 1q2w3e4r | | |
| 9 | 123123 | 18 | 654321 | | |
Password Managers vs. Browser Password Storage
A Password Manager such as LastPass not only remembers your login information but also helps you generate long, complex passwords and stores them and other useful information securely.
You may have noticed that your browser prompts you to save login details, but be warned that the password storage built into your browser is a convenience, not a secure solution. Anyone using your computer can access those saved details and log in to websites, and you will not have access to those details from other devices. Also bear in mind that if you lose your device or it is stolen, or your hard drive dies, or any other disaster strikes, you have lost all those details.
LastPass vs. Other Password Managers
There are numerous excellent options for Password Managers available:
It is also worth mentioning that if you use BitDefender Anti-Virus then this includes a simple password manager called BitDefender Wallet.
Ultimately, using any one of these password managers is a good choice, but I personally recommend LastPass, especially for business users, because it offers the most value in free vs. paid features and is the most configurable, with additional security options.
As well as passwords, it is great for storing bank details, licences, card details etc., and it is very easy to share passwords with other people. It is also very secure: you can set LastPass to auto-lock after a chosen number of minutes so that anyone else using your computer cannot access your passwords without your master password. You also have the option of two-factor authentication.
However, for the same reason it can be over-complicated if you are not very competent with computers, in which case one of the simpler solutions might be better for you for personal use.
Here is a review of the top password managers for 2017
LastPass Free vs. Premium
LastPass Free has everything you need to securely store and fill passwords on a single kind of device (for example, a Mac computer, a PC, an iPhone or an Android phone).
But if you want to access LastPass on different kinds of devices, you will need to upgrade to LastPass Premium for $24/yr. LastPass also offers Business and Enterprise versions that focus on sharing data among multiple users and creating rules and policies for your staff/users.
If you need help to get LastPass configured or require some training, then please contact me.
BT customers in the UK have been targeted by call centre scammers in India – with one person reporting they were defrauded for thousands of pounds this week.
The issue appears to have been going on for more than a year. Some customers said the fraudsters knew their personal details.
One victim reported that he got a call from someone this week asking for him by name and talking about existing broadband problems which he had reported to BT previously. This individual claimed he had malware on his computer and said he needed to access his machine via a third-party remote-access client.
“Within the hour he had over £1,000 in two payments from his bank account. Fortunately, Lloyds stepped in on the second larger payment and stopped it progressing,” said his son-in-law, who asked not to be named.
A BT customer forum thread entitled Possible Scam has hundreds of comments dating back from last year.
Another recently wrote they had already been in touch with BT about their broadband prior to receiving a call from an Indian man stating that he was calling from BT.
“He asked me to confirm the postcode and address which he gave to me over the phone and then my date of birth. At that point, I said no and he hung up. Clearly a scam call and weirdly never had to call BT until the last few weeks and all of a sudden a call.”
Another said the same thing happened to him, adding that the caller was very plausible until they wanted remote access to his PC hard drive.
“She even knew my address, phone number and both mine and my husband’s name… so had access to some of our details.”
Fraud appears to be a growing problem across the sector. Last month TalkTalk was hit with a £100,000 fine after the records of 21,000 people were exposed to fraudsters in an Indian call centre.
A BT spokesman gave the usual spiel: “BT takes the security of its customers’ accounts very seriously. We proactively warn our customers to be on their guard against scams. Fraudsters use various methods to ‘glean’ your personal or financial details with the ultimate aim of stealing from you. This can include trying to use your BT bill and account number.”
He advised customers should never share their BT account number with anyone and always shred bills. “Be wary of calls or emails you’re not expecting. Even if someone quotes your BT account number, you shouldn’t trust them with your personal information.”
He said: “We’ll never ask customers for personal information out of the blue and we’ll never call from an ‘unknown’ number. If we’re getting in touch about your bill, it will usually be from either 0800 328 9393 or 0800 028 5085.” ®