Security patches not being rolled out to Windows 7 & 8

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creator’s Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

This is all according to researchers on Google’s crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven’t realized this, they will now: Google staffers have publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software’s performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.

“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” Google Project Zero researcher Mateusz Jurczyk said on Thursday.

“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”

As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.

When the kernel is told by an application, via the NtGdiGetGlyphOutline system call, to fill an area of memory with information and copy it into the app’s memory space, the OS doesn’t fully overwrite the area using memset() prior to the copy operation. This means the kernel ends up copying leftover private kernel data into the application’s memory space, thus leaking information it really shouldn’t. This can be useful to snoop on the OS and other programs, or to gain enough know-how of the system’s internal operations to pull off more damaging exploits.
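The pattern described above, reduced to a user-space simulation in C. This is an added example, not code from Windows or from Project Zero; the pool, the function names and the 0xAA marker are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel pool: freed memory is reused as-is. */
#define POOL_SIZE 256
static unsigned char pool[POOL_SIZE];

/* Hypothetical allocator: always hands back the start of the pool, the way
 * a real allocator can return a recently freed chunk without clearing it. */
static unsigned char *pool_alloc(size_t n)
{
    return n <= POOL_SIZE ? pool : NULL;
}

/* Simulates an earlier kernel operation that left private data behind.
 * 0xAA is a constructed marker standing in for that data. */
static void earlier_kernel_work(void)
{
    memset(pool, 0xAA, POOL_SIZE);
}

/* Produces the real payload; it needs fewer bytes than the caller may ask for. */
static size_t render_outline(unsigned char *dst, size_t cap)
{
    static const unsigned char glyph[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    size_t n = sizeof glyph < cap ? sizeof glyph : cap;
    memcpy(dst, glyph, n);
    return n;
}

/* Before: the scratch buffer is never cleared, yet all `len` bytes are copied out. */
int get_outline_vulnerable(unsigned char *user_buf, size_t len)
{
    unsigned char *scratch = pool_alloc(len);
    if (!scratch)
        return -1;
    render_outline(scratch, len);
    memcpy(user_buf, scratch, len);   /* bytes past the payload are stale */
    return 0;
}

/* After: memset() covers the whole buffer before it is filled and copied. */
int get_outline_fixed(unsigned char *user_buf, size_t len)
{
    unsigned char *scratch = pool_alloc(len);
    if (!scratch)
        return -1;
    memset(scratch, 0, len);
    render_outline(scratch, len);
    memcpy(user_buf, scratch, len);
    return 0;
}

/* Counts marker bytes that crossed the boundary into the caller's buffer. */
size_t leaked_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0xAA)
            n++;
    return n;
}

/* Runs one call of either variant and reports how many stale bytes came back. */
size_t run_case(int fixed, size_t len)
{
    unsigned char user_buf[POOL_SIZE];
    if (len > sizeof user_buf)
        return (size_t)-1;
    memset(user_buf, 0, sizeof user_buf);
    earlier_kernel_work();
    int rc = fixed ? get_outline_fixed(user_buf, len)
                   : get_outline_vulnerable(user_buf, len);
    return rc == 0 ? leaked_bytes(user_buf, len) : (size_t)-1;
}

int main(void)
{
    printf("vulnerable, 64-byte request: %zu stale bytes returned\n", run_case(0, 64));
    printf("fixed,      64-byte request: %zu stale bytes returned\n", run_case(1, 64));
    return 0;
}
```

The one-line difference between the two functions is what makes this bug class easy to spot when comparing builds: the fix is a single added memset() call.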

This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.

This months-long lag in deploying patches to previous flavours of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defences in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.

“Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk explained.

“This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.”

While it’s not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10’s security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told The Register.

“Additionally, we continually invest in defence-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Translation: please, please stop using Windows 7 and 8. ®

Why You Should Be Using a Password Manager

Every few weeks, we hear the news that another major corporation and its website have been hacked. Just last week we heard about Equifax being hacked and data on millions of users being compromised. We of course only hear about the major newsworthy hacks which have been discovered or disclosed, but the scary truth is that around 30,000 websites are hacked every single day.

Often these hacks mean your personal information has also been compromised, most likely without your knowledge, as website owners often either do not know they have been hacked or choose to keep it quiet. In this post, I cover the important reasons why you should use a password manager to protect your online identity, and how to get started with LastPass, a free password manager.

Passwords & Online Security Best Practices

Most websites rely on a simple login process for a user to gain access to their account: a username and password.

As an online security best practice, you need to have a long, complex and unique password for every web account you use.

Strong passwords need to be:

  • Long – The more characters in a password, the longer it would take a hacker to guess your password.
  • Complex – By adding additional characters to your password you add complexity or password entropy. Password entropy is a measurement of how unpredictable a password is, based on the character set used (a combination of lowercase, uppercase, numbers and symbols) as well as password length. Basically, your password needs to be something you could never pronounce.
  • Unique – You need a different password for every web account you use. Yep, that’s right. Every login on every website needs to be unique and never reused.

Unfortunately, in the real world, meeting all three criteria for strong passwords is basically impossible without the use of a password manager.

Why Use a Password Manager? The Nightmare Scenario

So why is having a long, complex, unique password important?

If you use the same email address and passwords for multiple websites that you log into (as a lot of people do), what happens when one of those websites gets hacked?

The hackers now have your username and password on a list that will be used to try to log into thousands of other websites around the internet. If you use the same email address and password for all your websites, now the hacker will be able to log into all your accounts at once and get access to all your personal data and details.

If those same login details are used for your email account as well, they can now access pretty much anything. Any site they cannot get into, they can simply issue a password reset, which will come to your email, which they now have access to. Identity theft at this point is a high possibility.

Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.

Don’t Use Common Passwords

Here’s Keeper Security’s list of the most common passwords of 2016. Do you recognize any of them?
These are all lazy passwords, achieved by just pressing keys which are next to each other on the keyboard, and are easily hackable in seconds by automated hacking tools.

 1. 123456         10. 987654321     19. 555555
 2. 123456789      11. qwertyuiop    20. 3rjs1la7qe
 3. qwerty         12. mynoob        21. google
 4. 12345678       13. 123321        22. 1q2w3e4r5t
 5. 111111         14. 666666        23. 123qwe
 6. 1234567890     15. 18atcskd2w    24. zxcvbnm
 7. 1234567        16. 7777777       25. 1q2w3e
 8. password       17. 1q2w3e4r
 9. 123123         18. 654321
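A sketch of the entropy measure described earlier, checked against this list. It is an added example, not part of the original post. It assumes the usual character-class estimate (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and caps any password found on the list at log2(25) bits, since trying the whole list takes at most 25 guesses.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 25 passwords from the list above. */
static const char *const COMMON[] = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e"
};
#define N_COMMON (sizeof COMMON / sizeof COMMON[0])

/* Base-2 logarithm by repeated squaring, so the example needs no libm. */
static double log2_of(double x)
{
    double result = 0.0, bit = 0.5;
    if (x <= 0.0)
        return 0.0;
    while (x >= 2.0) { x /= 2.0; result += 1.0; }
    while (x < 1.0)  { x *= 2.0; result -= 1.0; }
    for (int i = 0; i < 32; i++) {      /* x stays in [1, 2) between steps */
        x *= x;
        if (x >= 2.0) { x /= 2.0; result += bit; }
        bit /= 2.0;
    }
    return result;
}

/* Size of the alphabet the password appears to draw from (assumed class sizes). */
int charset_size(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, symbol = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      lower = 26;
        else if (isupper(c)) upper = 26;
        else if (isdigit(c)) digit = 10;
        else                 symbol = 33;
    }
    return lower + upper + digit + symbol;
}

/* Naive estimate: length * log2(alphabet size). */
double naive_entropy_bits(const char *pw)
{
    int cs = charset_size(pw);
    return cs ? (double)strlen(pw) * log2_of((double)cs) : 0.0;
}

/* Exact match against the list above. */
int is_common(const char *pw)
{
    for (size_t i = 0; i < N_COMMON; i++)
        if (strcmp(pw, COMMON[i]) == 0)
            return 1;
    return 0;
}

/* A listed password is worth no more than log2(list length) bits,
 * whatever its length and character mix suggest. */
double effective_bits(const char *pw)
{
    double naive = naive_entropy_bits(pw);
    double cap = log2_of((double)N_COMMON);
    return (is_common(pw) && naive > cap) ? cap : naive;
}

int main(void)
{
    /* Constructed sample inputs: two from the list, one random-looking. */
    const char *samples[] = { "123456", "1q2w3e4r5t", "x7#Kp2!vQz9@Lm4$" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s naive %6.1f bits, effective %6.1f bits\n", samples[i],
               naive_entropy_bits(samples[i]), effective_bits(samples[i]));
    return 0;
}
```

The keyboard-walk entry 1q2w3e4r5t scores about 52 bits on the naive measure but under 5 once the list is taken into account, which is why length and character mix alone do not make a password strong.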

Password Managers vs. Browser Password Storage

Note: While most major web browsers today will offer to remember your passwords and fill them in automatically for you, this is for convenience and not security. 

A Password Manager such as LastPass not only remembers your login information but also helps you generate long, complex passwords and stores them and other useful information securely.

You may have noticed that your browser prompts you to save login details, but be warned that the password storage built into your browser is a solution of convenience and is not secure. Anyone using your computer can access those saved details and log in to websites, plus you will not have access to those details from other devices. Also bear in mind that if you lose your device or it is stolen, or your hard drive dies, or any other disaster strikes, you have lost all those details.

LastPass vs. Other Password Managers

There are numerous excellent options for Password Managers available:

It is also worth mentioning that if you use BitDefender Anti-Virus then this includes a simple password manager called BitDefender Wallet.

Ultimately, using any one of these password managers is a good choice, but I personally recommend LastPass, especially for business users, because it offers the most value in free vs. paid features and is the most configurable, with additional security options.

As well as passwords, it is great for storing bank details, licences, card details etc., and it makes it very easy to share passwords with other people. It is also very secure: you can set your LastPass to auto lock after xx minutes so that anyone else using your computer cannot access your passwords without your master password. You also have the option of 2-factor authentication.

However, it can be overcomplicated for the same reason if you are not very competent with computers, in which case one of the simpler solutions might be better for you for personal use.

Here is a review of the top password managers for 2017

LastPass Free vs. Premium

LastPass Free has everything you need to securely store and fill passwords on a single kind of device (for example, a Mac computer, a PC computer, an iPhone, an Android phone).

But if you want to access LastPass on different kinds of devices, you will need to upgrade to LastPass Premium for $24/yr. LastPass also offers Business and Enterprise versions that focus on sharing data among multiple users and creating rules and policies for your staff/users.

If you need help to get LastPass configured or require some training, then please contact me.

Cyber Security: How to protect your kids online

To be blunt (no insult intended), most parents are not very computer literate and as a result are also oblivious to the dangers of letting their kids loose on the Internet. This is not specifically because you are parents but simply a statistic based on research that shows that 69% of the population are not very computer literate and 26% cannot use a computer at all. In most cases, your kids are probably more computer literate than you are.

But while your kids might be better with technology, they have ZERO knowledge or experience of staying safe online, and will happily look at much of the inappropriate stuff you would rather they didn’t and of course the more you tell them not to, the more they want to.

Are you aware of the most common dangers that the Internet and social media (Facebook, Twitter etc.) present? Children are regularly bullied online, your little darling could even be the one doing the bullying, and this cyber-bullying has led to many children committing suicide. They can be easily manipulated into performing any number of dangerous or perverted acts, or groomed into meeting a sexual predator.

Using the internet without protection can also cause you a lot of damage, and if you are allowing your child to use your computer or tablet, then you could end up being the target of cyber-crime: everything from malware and ransomware attacks, and trojans and bots using your computer to attack other people, to identity theft and the emptying of your bank account.

Just as you do in the real world, you need to offer guidance, set boundaries, and, depending on your child’s age and maturity level, carry out some safeguards.

You also need to be aware of where the threats are coming from, so it is your responsibility as a parent to educate yourself about online security and take action not just for your kids, but for yourself and other people’s children too, who can be indirectly affected by your lack of knowledge or action.

I do of course lock down my home internet connection and my kids’ phones, tablets and PCs, but the problem is that the majority of their friends’ parents have not done this. This means that all the content I have blocked can easily be viewed on their friends’ phones, computers and consoles. This includes looking at porn and whatever else unencumbered, thus bypassing my efforts. So these are practices you need to put into place not only yourself but ideally with your friends as well; encourage your school to promote them, and post them on social media for other parents to see.

If you need help in getting your home network and devices secure, then I can provide this as a service, which in most cases I can do remotely, but can also offer on site support if you are based in Thanet.

 

Things you can do right now to protect your kids


1.  Install anti-virus and parental controls on all your computers and mobile devices

Children are just as vulnerable as the rest of us, if not more so, to clicking on bad links and downloading malicious software. Every device that is connected to the internet needs to be protected from malware. You also need the ability to block them from viewing inappropriate websites.

Some anti-virus software has parental controls built in, but generally, it is not very good and you are better off using separate products.

Anti-Virus

Windows computers do have Windows Defender built in, which is better than nothing, and may well be sufficient for the savvy or safe user who never clicks on dodgy links, never visits porn sites or downloads pirate software etc. But for anyone else, you need something better.

There are some of the most popular free products available from trustworthy brands. Bear in mind that the FREE versions are limited, and may not be much better than Windows Defender, so for the best protection you do need to use a premium product.

For your mobile devices, just search for the names in the Apple or Android store.

If you are happy to pay for your protection and security product, then there are so many choices out there, from excellent to terrible. I personally recommend the premium edition of BitDefender, which is a full cyber-security suite, has consistently been the #1 in the industry and is what I use on all my devices. Previous to that I used Kaspersky, which is also a good product. If you have multiple devices in your household, then the BitDefender family pack is a great deal to protect them all; there is also a mobile version. The other very handy thing with BitDefender is that you can monitor and manage all your devices from the website, and apply new rules and filters etc.

I suggest avoiding random brands you have never heard of or which you get spam emails about, as these are quite likely malware themselves or next to useless products.

Parental Controls

According to the Pew Research Institute, 50 percent of parents have used parental control tools to block, monitor, or filter their child’s online activities.

Here is a review of some of the top FREE parental control software of 2017
http://www.techradar.com/news/the-best-free-parental-control-software

The ScreenTime app is available for Apple, Android and Amazon devices. The app is free for one child and includes the ability to monitor the device remotely and to see your child’s web and search history. A $4-per-month premium version adds daily time limits, the ability to block apps, and block the use of the device during school hours or after bedtime.

Other apps:

Some of these apps (such as mmguardian) will let you track your child’s location, monitor their text messages, and generally spy on their activities. Which one you use depends on your requirements.

When dealing with older children, explain to them why you are using these parental control apps, that you are only protecting them, and tracking them in case something happens to them so you can find them. Remember that you would not be happy with this level of control, especially if it was forced on you with no explanations.
The last thing you want to do is lose your child’s trust and have them go out of their way to bypass your parental controls, which they will no doubt figure out how to do given enough time, or get themselves a burner phone which you cannot track.

I use MMGuardian and also kid-control on my boys’ phones, and they fully understand why, and they do not mind. The only time they moan is when I lock their phones at bed time or when they have been naughty. The kid-control also allows them to see where everyone else is too, so they can find each other or me if required.

2.  YouTube

YouTube is the new children’s TV. It is one of the most popular sites out there, but a massive number of videos are not suitable for young children. One minute they will be watching someone playing Minecraft, the next they will be bombarded with swearing and sexual references, even from children’s characters like Elmo.

My best advice is “Do not give your kids unrestricted access to YouTube”. Ideally, you want to limit YouTube to use on a TV or PC where you can monitor what they are watching; if this is not possible, then I suggest you block YouTube altogether. This can be done in your parental control software.

The YouTube site does have a “restricted mode” safety feature, and if you are going to let your kids loose on YouTube then you should take advantage of this. Be warned, though, that there is absolutely no way to block the majority of explicit content, because it has not been flagged as explicit by the maker and is thus regarded as safe by YouTube. There is also nothing to stop a savvy child from turning this setting off again.

On the desktop site, if you scroll down to the bottom of the screen, there’s a “Restricted Mode” setting that hides videos that have been flagged as containing inappropriate content.

In the mobile apps, click on the three dots at the top right and click on Settings > General and scroll down until you see the “Restricted Mode” option.

If your children have phones or tablets, then you can remove the YouTube app and install YouTube Kids instead, which is a kid-friendly version with filtered content. Don’t forget that you will also need to install some parental controls to stop them undoing your changes.
If you are thinking of buying a tablet, then I recommend the Amazon Fire tablet for kids, which is completely locked down by default, only allows child-friendly apps and content, has child-friendly videos, and also has a 2 year guarantee, during which time they will replace the tablet for FREE if your kids break it for any reason.

3.  Help your kids set the privacy controls on their social media accounts

Most social media sites have an age limit of 13, but kids sign up regardless and lie about their age, and frankly, if they have the ability to do this behind your back anyway, then you are better off at least letting them do it so you can monitor their activity.

If your children share messages, pictures or videos on Facebook, Instagram and other social media platforms, they might not be aware of who can see their posts. In fact, many adults do not realise that everything they post/share is public by default.

Most apps do have privacy settings. However, letting your children control who they let into their lives is not really the responsible or safe thing to do, so you should take a hands-on approach to this too.

Here are the links to information about the privacy settings on the most popular apps:

 

4.  Set up separate accounts for your kids on your computers

If you share a device with your children, then you need to set up a separate account/user for them. Each account would have its own home screen and, depending on the device and platform, a different choice of features, apps, and permissions.

Not only does this help you protect your own data — or video recommendations — but you can also set up customized security and privacy settings for each child.

On Windows computers, you can set up a new user account for your children. Go to Settings > Accounts > Add a family member > Add a child.

You can block specific apps, games, or websites, or set screen time limits. Visit https://account.microsoft.com/family for more information. I would not rely on this alone, though, as Microsoft family safety has been notoriously unreliable and randomly breaks.

On Apple computers, you can set up Parental Controls for some user accounts, where you can, for example, restrict access to adult websites. Learn more here: https://support.apple.com/en-us/HT201813

5.  Set up separate accounts for your kids on your mobile devices

Tablets and smartphones also allow multiple user accounts on the same device.

On Android tablets, you can create a restricted account for your child, with limits on which apps they can use.

On Android phones, you can create a new user account for your child, but the only account restriction now available is to turn off the ability to make phone calls and send text messages. However, you can restrict their Google Play account. Go to Settings > Parental controls and turn them on. You will be able to set specific content restrictions on apps and games, movies, TV, books, and music.

On the Apple side, iPhones and iPads have controls for apps and features, content, and private settings. Launch the Settings app and go to General > Restrictions and tap on “Enable Restrictions.”

6.  Secure your gaming systems

Don’t forget that your gaming console is also an Internet device these days. Children can download games and make in-game purchases, and even surf the Web.

Most devices have parental control features that allow you to restrict the kind of content your children can get, limit their purchases, and restrict or turn off their Web browsing. You should take some time to use your kids’ games consoles, find out what they can do, and set up the parental controls accordingly.

The best console for parental control is the Xbox, which, because it runs on Windows 10, has quite granular controls that allow you to set age limits and the actions which can be performed, down to allowing and blocking individual games.

More info here on Xbox parental controls

The PlayStation is not so good: you must set up a parent account and then create sub-accounts for your kids, which is an all or nothing solution, with no granular control. This is fine for the little ones, but for your older kids who want to play online with their friends and use game sharing mode, I find it far too restrictive. The only workaround is for them to set up a full adult PlayStation account.

More info here on Playstation parental controls

7.  Consider using kid-safe browsers and search engines

For added control, you can install a kid-safe web browser for your children to use.

Zoodles, for example, offers a child-safe environment, and there’s a free version for Windows PCs and Macs, and for Android and iOS tablets and smartphones. The premium version, which costs $8 a month, includes ad blocking, time limits, and other features.

Another alternative kid-safe browser is Maxthon.

There are also some built-in tools in the browsers you’re already using.

If you use the Chrome browser, you can set up a “supervised profile” that will block explicit search results, show you what websites your children visited, and even restrict what websites they can go to. The way the restrictions work is that you can either have a list of approved websites, where your children can only visit the sites on this list, or a list of restricted websites where they can visit any website except for the ones you’ve banned.

More information here: https://support.google.com/chrome/answer/3463947/?hl=en

Also check out these kid-safe search engines:

 

8.  Lock in apps for youngest children

If you want to be able to hand your phone to your child to play with in the back seat of the car without worrying about them messing up your phone or surfing the web for creepy content, what you can do is open up an app for the child and then set it up so that they can’t exit the app.

On phones running Android 5 and higher, it’s called “screen pinning.” First, go to Settings > Security > Screen pinning and turn it on and also enable “Ask for PIN before unpinning.” Then load your app, hit the overview button — the little square on the bottom right — and swipe up until you see a pin icon come up in the lower right corner. Now your child will need your PIN in order to switch apps.

On iPhones and iPads, this is called “Guided Access.” First, go to Settings > General > Accessibility > Guided Access to set up Guided Access. Then when you’re in the app you want to lock in, triple-click the home button to bring up the Guided Access settings. You can turn off Guided Access either with a PIN or by setting it up to work with your Touch ID through Settings > General > Accessibility > Guided Access > Passcode Settings.

10.  Make sure your kids are only using safe chat rooms

Some kid-friendly platforms offer chat rooms where kids can talk to other kids. Vet the sites first, to make sure that the chat rooms are monitored.

In addition, teach your kids not to share their real identities on such platforms, and use anonymous screen names, instead.

Teach, Educate and Talk with Your Children


11.  Teach your children not to respond to messages from strangers

If they get a text message, instant message, email or social media message from someone they don’t know — they should just delete it.

Make sure they know not to open it, not to respond to it, and, of course, not to click on any links or attachments.

If those girls from Pretty Little Liars followed that advice, the show would have been over after one episode.

12.  Educate your children about the risks of “sexting”

Last year, in a report to the U.S. Congress, the Justice Department revealed that the most significantly growing threat to children was something called “sextortion.”

It’s bad enough when minors send nude images of themselves to boyfriends or girlfriends, and those images then get distributed to others.

In addition to the psychological damage, children who both send and receive the “sexts” are breaking the law, which could result in prosecution and even registration as a sex offender.

And it gets worse.

According to the FBI, the “sextortionists” have gone pro, with individual criminals targeting hundreds of children each. They pretend to be the same age as their victims, trick or coerce them into producing child pornography for them — and even get them to recruit friends and siblings.

In a review of 43 such cases, the FBI found that two victims committed suicide, and ten others attempted to kill themselves. Victims also have their grades decline, drop out of school, get depressed, and engage in cutting or other types of self harm.

According to the National Center for Missing and Exploited Children, reports of sextortion were up 150 percent during the first several months of 2016 compared to the same time period in 2014. 

In 4 percent of the sextortion reports, the children engaged in self-harm, threatened suicide or attempted suicide as a result of the victimization, the Center said.

13.  Warn your kids about file sharing

Uploading illegal files is, of course, illegal.

And so is downloading, though fewer media companies seem to be prosecuting kids these days.

But downloading illegal files also carries other risks, such as viruses.

Fortunately, there are now many free and low-cost services out there where kids and teens can get videos and music.

14.  Warn your kids about online polls and surveys

There are a lot of fun, harmless polls out there, like the one that tells you what kind of poodle you are.

Others ask for too much personal information, and could land your kids on spammers’ email lists, or open them up to identity theft.

Many adults have a separate, throw-away email account for when they need to provide an email address in order to register for something. If your child has a legitimate reason to fill in questionnaires that require an email address, consider helping them set up a throw-away email account of their own.

15.  Warn your kids about getting too close to strangers

When you’re meeting someone for the first time after, say, communicating with them via an online dating app, you know to set the meeting in a public location, such as a coffee house, and to let friends know where you are.

This is common sense.

But children and teenagers often lack that basic common sense — or might be tricked into keeping their online relationships secret.

Of course, predators can also communicate with potential targets via traditional mail, or meet them at bus stops. But the Internet allows them to scale up their activities dramatically.

Attackers can use online relationships to lure children to meet them in person. Or, more frequently, they will try to trick children into making unnecessary purchases, or sharing information, photos, or videos.

Know your children’s online friends. And, just as with regular friends, confirm their identities, and talk to those kids’ parents. If those “kids” are, in fact, kids.

16.  Help your children deal with cyberbullying

Cyberbullying affects up to 15 percent of children, according to a report released last year by the National Academies of Sciences, Engineering, and Medicine.

And the rates are even higher for children who are overweight, disabled, or LGBT, or members of a minority group.

Victims have physical problems such as trouble sleeping, upset stomachs, and headaches, and also suffer psychological effects, such as depression, anxiety and alcohol and drug use.

Let your kids know that they can turn to you for help, and find out what resources are available from your local schools.

You should save messages and other evidence of the cyberbullying and report the bully to the social media platform, telephone or Internet service provider, school, or local law enforcement authorities. In addition, you should block the bully from your child’s social media, telephone, or email accounts.

More information here:

17.  Set a good example

How many baby pictures and vacation photos have you posted online? Before lecturing your kids about staying safe, make sure that you yourself are a good model. Learn about the privacy settings in the social media apps you use most, then check that you aren’t sharing private, personal moments with the whole Internet.

Also, don’t drive while texting or talking on the phone.

Wait until we all have those self-driving cars, and do your texting then.

18.  Set rules about what your kids can share online

As an adult, you know to be careful about what information you post online. You know not to share your financial information or social security numbers with strangers.

Make sure your kids know the rules and understand the reasons behind them. Even seemingly innocuous information, like vacation pictures, can let criminals know when your house is empty.

Some information, like a funny picture of your cat in the snow, can be shared with everyone. Some information, like vacation plans, can be shared with family and close friends. And some things should never be shared online at all.

In addition, the recommended age for children to have their own social media accounts is 13.

The Family Online Safety Institute has a sample family online safety contract here: https://www.fosi.org/good-digital-parenting/family-online-safety-contract/

19.  Add your kids as “Friend”

If your children have their own accounts on Twitter, Facebook, Google Plus, Instagram, Snapchat or other social media sites, follow or friend them.

Don’t let your kids tell you that other parents don’t do this. According to the Pew Research Center, 83 percent of parents are friends with their teenage child on Facebook.

You’ll be able to see if they are posting inappropriate things online and can step in before problems escalate.

It’s not foolproof — there are ways that children can keep their communications hidden from you. And if you are too heavy-handed in your monitoring, it may cause your children to be more secretive.

20.  Set limits on how much time your children can spend online

According to a recent national survey, tweens spend an average of six hours a day with their devices, and that’s not including the time spent on school or homework. And teens spend an amazing nine hours a day staring at their screens.

Sure, some of that is listening to Spotify while exercising. But the bulk of the time is spent watching videos, playing games, and using social media.

The American Academy of Pediatrics used to recommend that children under two should not have any screen time at all, and had very conservative limits for screen time for older children. In late 2016, the organization re-evaluated current research and loosened its recommendations.

Some screen time, such as video chats with relatives, or educational applications, can be very valuable, even for the youngest children.

Now, the organization suggests that families create a Family Media Plan.

However, the organization recommends that parents limit the use of screens during meals, and for an hour before bedtime. Also, phones and tablets shouldn’t be charged overnight in the child’s bedroom, to limit the temptation to check the devices at all hours of the night.

21.  Additional resources

Internet Matters: Resources for parents looking to keep children safe online, with age-specific how-to guides, free apps, and device safety checklists. https://www.internetmatters.org/

Family Online Safety Institute: Parenting guides and news and reports about online safety issues. https://www.fosi.org/

Safe, Smart & Social: Social media training guides and safety tips for parents and educators. https://safesmartsocial.com/

Thanks go to John Mason for most of this content, who conveniently emailed me which reminded me I had this article in draft, so saved me a lot of typing.

Linux can be hacked using only the backspace key

As any I.T. person will know, Linux geeks consider Linux to be the most secure OS on the planet, and many will even claim it is so secure and un-hackable that they do not need any malware protection or such. So it is ironic that a Linux hack has now been discovered which is probably the worst and simplest hack ever discovered, far worse than any hack or vulnerability ever discovered for Windows. If you press the backspace key 28 times on a locked-down Linux machine you want to access, a Grub2 bootloader flaw will allow you to break through password protection and wreak havoc in the system.

Researchers Hector Marco and Ismael Ripoll from the Cybersecurity Group at Universitat Politècnica de València recently discovered the vulnerability within GRUB, the bootloader used by most Linux distros.

As reported by PC World, the bootloader is used to initialize a Linux system at start and uses a password management system to protect boot entries — which not only prevents tampering but also can be used to disable peripherals such as CD-ROMs and USB ports.

Without GRUB password protection, an attacker could also boot a system from a live USB key, switching the operating system in order to access files stored on the machine’s hard drives.

The researchers discovered the flaw within GRUB2, of which versions 1.98 to 2.02 are affected. These versions were released between 2009 and today, which makes the vulnerability a long-standing and serious problem.

In a security advisory, Marco and Ripoll said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.”

Exploiting the flaw — and checking if you are vulnerable — is simple. When the bootloader asks for a username, simply press the backspace button 28 times. If vulnerable, the machine will reboot or you will encounter a Grub rescue shell.

The shell grants a user a full set of admin privileges — within the rescue function only — to load customised kernels and operating systems, install rootkits, download the full disc or destroy all data on a machine.

The researchers say the fault lies within two functions, grub_username_get() and grub_password_get(), which suffer integer overflow problems. Exploiting the flaw causes out-of-bounds memory overwrite errors. When a user presses backspace, the bootloader is erasing characters which do not exist — damaging its memory enough to trigger an exception in authentication protocols.
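The class of bug described above, as an added example (a simplified model written for this page, not GRUB's source): a prompt loop whose unsigned length counter wraps when backspace is pressed on an empty field, next to the same loop with a guard that ignores backspace when nothing has been typed. The names `read_field`, `replay_backspaces`, `field_result` and `FIELD_SIZE` are hypothetical, the key sequences are constructed, and out-of-bounds accesses are counted rather than performed.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_SIZE 16u  /* hypothetical buffer size for this model */
/* cur_len: counter after the last key; oob_events: accesses outside buf (skipped) */
struct field_result { unsigned cur_len; unsigned oob_events; };

/* Replays a NUL-terminated key sequence through a prompt loop.
   guard != 0 applies the fix: ignore backspace when the field is empty. */
static struct field_result read_field(const char *keys, int guard)
{
    char buf[FIELD_SIZE];
    struct field_result r = {0, 0};
    for (; *keys; keys++) {
        if (*keys == '\b') {
            if (guard && r.cur_len == 0)
                continue;              /* hardened: nothing to erase */
            r.cur_len--;               /* unguarded: 0 - 1 wraps to UINT_MAX */
            continue;
        }
        if (r.cur_len + 2 < FIELD_SIZE) {  /* this sum can wrap as well */
            if (r.cur_len < FIELD_SIZE)
                buf[r.cur_len] = *keys;
            else
                r.oob_events++;        /* model only: record, do not write */
            r.cur_len++;
        }
    }
    /* Last step clears the unused tail: memset(buf + len, 0, size - len). */
    if (r.cur_len <= FIELD_SIZE)
        memset(buf + r.cur_len, 0, FIELD_SIZE - r.cur_len);
    else
        r.oob_events++;                /* start pointer is outside buf */
    return r;
}

/* Constructed input: n backspaces (n <= 63) typed into an empty field. */
static struct field_result replay_backspaces(unsigned n, int guard)
{
    char keys[64] = {0};
    memset(keys, '\b', n < 63 ? n : 63);
    return read_field(keys, guard);
}

int main(void)
{
    struct field_result bad = replay_backspaces(28, 0), ok = replay_backspaces(28, 1);
    printf("unguarded: cur_len=%u oob=%u\n", bad.cur_len, bad.oob_events);
    printf("guarded:   cur_len=%u oob=%u\n", ok.cur_len, ok.oob_events);
    return 0;
}
```

The mixed sequence `"ab\b\b\bc"` shows a second effect of the wrap: the `cur_len + 2 < FIELD_SIZE` bounds check itself passes again once the counter sits at `UINT_MAX`, so the length check alone does not contain the damage.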

Not only does the vulnerability give attackers the chance to steal data and tamper with peripherals and passwords, but Linux entries can be modified to deploy malware.

While there is an emergency patch available on GitHub for Linux users, the main vendors have been made aware of this security flaw. It is recommended that users update their machines as soon as patches have been deployed, but it is worth noting an attacker needs physical access to the machine to exploit the flaw.