Tech Friday

posted by Brian Thomas - 

  • No more Windows patches if your antivirus clashes with Microsoft's Meltdown fix:
    • "Patch Tuesday" refers to Microsoft's regular releases of software updates (aka "patches" or "fixes") that typically occur on the second and occasionally on the fourth Tuesday of each month
    • Microsoft (MS) has a rating system for vulnerabilities that includes the following categories:
      • Critical
      • Important
      • Moderate
      • Low
    • Critical and other updates may be released outside Patch Tuesday as necessary to address urgent vulnerabilities and flaws
    • Daily updates of anti-malware definitions are made for Windows Defender
    • For the January 2018 Patch Tuesday, Microsoft released patches covering vulnerabilities in Windows, Internet Explorer, Edge, Office, .NET Framework, SQL Server and Adobe Flash
    • Sixteen updates fixed Critical vulnerabilities, 38 are rated Important and one was rated Low
    • 20 of the flaws could lead to remote code execution, and at least one has been exploited in the wild
    • Microsoft also released out-of-band updates resolving the now infamous Meltdown and Spectre CPU flaws
    • Unfortunately, there have been issues with the Meltdown and Spectre patches for PCs running some antivirus (AV) software
    • During testing, Microsoft discovered some AV software had been making "unsupported calls into Windows kernel memory", which can cause machines to crash after the patches are installed
    • In a January security bulletin Microsoft wrote: "Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key"
    • Microsoft has since clarified that this AV-related rule applies to future security updates too
    • It is very important to determine whether your antivirus software is on the list of blocked products
    • You can see the status of most popular AV software vendors here: https://threatpost.com/anti-virus-updates-required-ahead-of-microsofts-meltdown-spectre-patches/129371/
    • It's also known that the Meltdown and Spectre patches will negatively impact CPU performance
    • It's a good idea to apply these updates as soon as possible
    • You can get more information on the patches here: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99
  • "123456", "password" and the rest of the worst passwords of 2017:
    • Despite increasing identity theft and cybercrime, a new study confirms that millions of people continue to use weak, easily crackable passwords
    • SplashData released its seventh annual report on the worst passwords of the year, one of several such reports
    • The list was compiled from more than five million passwords leaked over the course of 2017
    • For the fourth consecutive year, “123456” and “password” are number one and number two on the list, with variations of each word filling six more slots on the list
    • "Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure" said SplashData CEO Morgan Slain
    • "Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online." - Slain
    • SplashData estimates nearly 10% of people use at least 1 of the 25 worst passwords on the list and 3% have used the worst password, 123456
    • So how can you protect yourself?
      • Use a different password for each and every account
      • Use "strong" passwords. The advice on creating a strong password has recently changed:
        • Bill Burr, the man responsible for what until recently was accepted as gospel for creating strong passwords, has now said his advice is incorrect
        • Burr authored a publication that was released by the National Institute of Standards and Technology (NIST Special Publication 800-63, Appendix A)
        • Burr recently told the Wall Street Journal (WSJ) that his 2003 paper was based on a paper written in the 1980s rather than real-world password data
        • Burr told the WSJ his previous advice of using special characters, mixed-case letters and numbers is not effective in stopping hackers because the combinations chosen by most people are highly predictable
        • Burr also previously suggested that passwords be changed a minimum of every three months
        • The UK's National Cyber Security Centre has said that forcing users to change their passwords at regular intervals "imposes burdens on the user and carries no real benefits".
        • The new advice is that users should only change their password if there is evidence that it has been compromised, but users should still use a unique password on each site/platform
        • Randall Munroe exposed the flaw in this common password logic by pointing out that the password “Tr0ub4dor&3” could be cracked in about three days with standard cracking techniques
        • "correct horse battery staple" would take 550 years to crack. The Wall Street Journal wrote that security experts have confirmed Munroe’s math
        • "Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess" - Munroe
        • So, rather than a series of letters, numbers and symbols such as I10v355KRC!, users should use a long, easy-to-remember phrase of 3 or more words, for example, 55KRCIsTheBestRadi0Stati0nEver
        • Ideally, your passwords should be obscure, random phrases that will be easy to remember but nearly impossible for an automated process to crack
    • You can consider using a password manager app that will generate very strong passwords and store them in an encrypted database
    • You can view the full list of worst passwords here: https://www.teamsid.com/worst-passwords-2017-full-list/
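The "three days" versus "550 years" comparison in the notes above, worked through as an added example (this is not code from the page or from Munroe). The guess rate of 1,000 per second and the per-component bit counts are the modelling assumptions behind that comparison, adopted here and labelled as assumptions in the code.

```python
import math

# Guess rate behind the "three days" vs "550 years" comparison: a slow online
# attack on a web service (Munroe's assumption, adopted here).
ONLINE_GUESSES_PER_SEC = 1_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def tweaked_word_bits(base_word_bits=16, caps_bits=1, substitution_bits=3,
                      digit_bits=3, symbol_bits=4, order_bits=1):
    """Entropy of a 'Tr0ub4dor&3'-style password: one uncommon word plus the
    predictable tweaks people apply (capitalisation, l33t substitutions, an
    appended digit and symbol, their order). The defaults are modelling
    assumptions summing to the 28 bits behind the comparison, not data."""
    return (base_word_bits + caps_bits + substitution_bits
            + digit_bits + symbol_bits + order_bits)


def passphrase_bits(num_words, dictionary_size=2048):
    """Entropy of num_words words drawn uniformly from a dictionary_size-word
    list: log2(size) bits per word, so four from 2048 give 44 bits."""
    return num_words * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_sec=ONLINE_GUESSES_PER_SEC):
    """Time to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_sec


def describe_duration(seconds):
    """Days below a year, whole years above."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def compare(guesses_per_sec=ONLINE_GUESSES_PER_SEC):
    """{label: (bits, seconds)} for both styles; raise the rate to see how an
    offline GPU attacker shrinks both figures."""
    styles = {"Tr0ub4dor&3 style": tweaked_word_bits(),
              "four-word passphrase": passphrase_bits(4)}
    return {k: (b, seconds_to_exhaust(b, guesses_per_sec)) for k, b in styles.items()}


if __name__ == "__main__":
    for label, (bits, secs) in compare().items():
        print(f"{label}: {bits:.0f} bits, exhausted in {describe_duration(secs)}")
```

Both figures scale inversely with the guess rate, so against an offline attacker with a leaked password database the safe response is a longer passphrase (more words), not more symbol tweaks.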
  • Congress votes to allow warrantless NSA surveillance to continue:
    • The House of Representatives voted 256-164 on 1/11/2018 to extend NSA spying powers for six more years
    • This enables broad NSA surveillance giving the government unabated access to Americans’ emails, chat logs, and browsing history without a warrant
    • Many privacy and security experts as well as some politicians have loudly opposed this violation of the Fourth Amendment
    • The Electronic Frontier Foundation (EFF) wrote: "Today’s House vote concerned S. 139, a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans’ electronic communications. EFF vehemently opposed S. 139 for its failure to enact true reform of Section 702"
    • According to EFF, this bill:
      • Endorses nearly all warrantless searches of databases containing Americans’ communications collected under Section 702
      • Allows the restarting of invasive "about" collection, which is a type of surveillance that the NSA ended in 2017 after being criticized by the Foreign Intelligence Surveillance Court for privacy violations
    • The House also failed to pass an amendment in a 183-233 vote that would have replaced the text of S. 139 with the USA Rights Act, which had 40 bipartisan cosponsors. Learn more about it here: https://www.eff.org/deeplinks/2017/10/usa-rights-act-protects-us-nsa-spying
    • S. 139 will go to the Senate where it will be voted on soon, possibly by January 19th
    • The Senate has already considered stronger bills to rein in NSA surveillance and Senators Rand Paul (R) and Ron Wyden (D) have been strong opponents of unconstitutional surveillance on Americans
    • On 1/11/2018, Senator Paul tweeted "The U.S. House of Representatives failed to protect Americans’ Fourth Amendment rights and instead passed the FISA Amendments Reauthorization Act to further entrench growing surveillance state powers. Read more here: http://sen.gov/JO5Y"
    • You can read Senator Paul's full statement here: https://www.paul.senate.gov/news/dr-rand-paul-pledges-continue-fight-protect-americans’-privacy
    • The House also failed to adopt meaningful reforms on how the government sucks up massive amounts of data that often contain Americans’ data
    • I encourage you to contact your Senators and urge them to oppose S. 139
    • Additional information and resources on this topic and other privacy topics can be found at: https://www.eff.org/
Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view.