Windows 10 Now Installed On Over 600M Machines

When Microsoft first released Windows 10, the company boasted that it would try to get its new OS running on a billion devices by 2018.

Time and circumstance have conspired to make that lofty goal unlikely, and the company has since retreated from it. However, according to statistics released at a recent shareholders’ meeting, there are now more than 600 million devices utilizing it, including PCs, tablets, HoloLens headsets, Surface Hubs and Xbox One consoles.

It’s an impressive number, but two things contributed to dramatically slowing the overall rate of adoption.

First and foremost, the company recently ended its free Windows 10 upgrade offer, which had been the driving force behind the rapid adoption since the initial release of the OS. Secondly, Microsoft gave up on the Windows Phone, making it unlikely in the extreme that smartphones will ever contribute in any significant way to the total number of installed devices.

Earlier this year, Microsoft found itself in hot water when it was discovered that the company was quietly pushing the new OS onto Windows 7 and Windows 8 machines. This move ate up a whopping six gigabytes of hard disk space and drew a considerable amount of fire from a variety of user and industry groups.

Some of the other tactics used by the company have also been found to be overly aggressive, and in some cases, downright coercive. The worst of these have since been abandoned, but not before considerable damage had been done to the company’s image.

As things stand now, Windows 10 is the second most widely used desktop OS, behind only Windows 7, which has a market share of 52.37 percent according to the latest statistics by Netmarketshare. Even if Microsoft never quite reaches its initial 1 billion-device goal, 600 million devices is nothing to sneeze at.

2012 Disqus Hack Exposed More Than 17 Million Users

The hits just keep coming, with Disqus being the latest company to issue a breach disclosure. If you’ve never heard of it, Disqus is an incredibly popular, plugin-based comment service for blogs.

Although the breach was only just discovered, it occurred five years ago in July 2012, and impacted more than 17.5 million users.

Evidence of the breach was initially discovered by an independent security researcher named Troy Hunt. It was then reported to the company and disclosed 24 hours later by Jason Yan, the CTO of the company, who had this to say:

“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.”

Mr. Yan’s advice is excellent, but unfortunately, it highlights a persistent, ongoing problem. Far too many people are still in the habit of using the same password across multiple websites, which means that when one site is breached, it potentially gives the hackers access to all your other accounts that have passwords in common.

It should be noted that since the breach, Disqus has made several upgrades to their security, including implementing even more robust encryption than they’d formerly been using. Again, per Mr. Yan:

“Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security. Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.”

The problem is solved for now, but the damage has been done. The best thing you can do at this point is change your password immediately, stop using the same password across multiple websites and be on the alert for phishing emails designed to get you to give up even more information.

Fake Symantec Blog Post Is Spreading Mac Malware

Sometimes hackers opt for a stealthy approach. Other times, their attempts are downright brazen. That’s definitely the case with a newly launched malware campaign that seeks to spread “Proton Mac,” a strain of malware designed to steal passwords from Mac users.

The hackers registered a domain very similar to Symantec’s blog, mirrored its content and then created a fake post about a new version of CoinThief, which was moderately successful back in 2014.

After going into a bit of faux analysis about this nonexistent threat, the post recommended downloading a nonexistent piece of software called “Symantec Malware Detector” which it claimed was the best means of protecting against the new version of CoinThief. Unfortunately, “Symantec Malware Detector” is actually Proton Mac in disguise.

It’s a good scam, and it’s proven to be highly effective thus far. Its effectiveness is due in no small part to the fact that references to the post have been tweeted, initially by fake Twitter accounts, and later, by a growing number of legitimate ones.

Although the fake blog is quite good, it doesn’t stand up to intense scrutiny. For one thing, the email address used to register the domain isn’t a Symantec address. For another, their SSL certificate comes from Comodo, rather than Symantec’s own certificate authority. Unfortunately, the overwhelming majority of users don’t look that closely at websites they visit, so they are unlikely to recognize the fake for what it is.

If you have downloaded “Symantec Malware Detector,” then you’ve got Proton Mac running on your machine right now.

It’s designed to log your username and password in plain text, sending this and any other PII (Personally Identifiable Information) on your machine to a hidden file. It will also capture browser auto-fill data, keychain files and the like, and send all of this to the hackers controlling the software.

If you have been infected, you should treat all online passwords as having been compromised and change them immediately, once you have verified that the malware has been completely removed from your system. Enabling two-factor authentication will also help make you more secure.

Look And Feel May Change In Future Windows 10 Update

Microsoft is experimenting with a new feature that may change the look and feel of Windows 10 in some future update.

The new approach is referred to as “Sets,” which borrows from the playbook of modern web browsers and groups related applications into tabbed sets, with the groupings defined by project type. The applications you need to make use of on any given project will be grouped together, even if the last time you used a given app was several weeks prior.

Essentially, this approach is a combination of the Windows Explorer “Task View,” “Pick up where you left off” and “timeline.” They are wrapped into a single-window experience complete with an “application history” feature, which works a lot like a web browser’s history, so you won’t have to remember which application you were using a few weeks earlier to work on your current project.

It’s a good idea in theory, and it should streamline the user experience. If, for example, you need to use your email, Microsoft Word, Photoshop and Excel to complete a given project, all of these will be organized as tabs across a single window.

While there’s been no word from Microsoft on exactly when we can expect to see the new feature, if the past is any guide, it will first be available to Windows Insiders for an initial evaluation. In the meantime, Microsoft will be seeking support for the new concept from a wide range of third party developers.

Another clear sign that the company is committed to the new idea is that Stardock, a company which has provided some intriguing UI tweaks to Windows for several years now, has released a new product called “Groupy,” which reproduces some of the basic features planned for Sets.

So far, Microsoft hasn’t released a firm time table, so there’s no clear indication when we might be seeing the change. We’ll have more information on this topic as it becomes available.

Many Consumers Would Withdraw Business From Companies If Data Breached

You’ve probably heard the phrase “the customer is always right” a thousand times. It’s a truism in the business world, except when it isn’t. A recent survey released by Gemalto reveals a dismaying dichotomy that’s costing businesses around the world big money.

Only 27 percent of consumers surveyed feel that businesses do enough to protect customer data, and an overwhelming 70 percent of them say that they’d take their business elsewhere if a company suffered a data breach.

Unfortunately, most consumers have exceedingly poor data security habits, with 56 percent admitting to using the same password across multiple web properties and 41 percent failing to take advantage of stronger security measures like two-factor authentication, even when offered by companies.

That puts businesses, rather unfairly, in the crosshairs. They cannot make their customers take advantage of the added security offered, and given the statistics above, they are forced to spend even more money since most consumers won’t take significant action to protect themselves or their own data.

Jason Hart, Gemalto’s CTO, had this to say on the matter:

“In the face of upcoming data regulations such as GDPR, it’s now up to businesses to ensure they are forcing security protocols on their customers to keep data secure. It’s no longer enough to offer these solutions as an option. These protocols must be mandatory from the start – otherwise, businesses will face not only financial consequences, but also potentially legal action from consumers.”

Digging more deeply into the details of the survey, we find that consumers trust social media sites the least when it comes to safeguarding their data, with 58 percent of respondents citing these companies as their biggest worry in terms of data security.

Curiously, 33 percent of those surveyed say they trust banks with their personal data, in spite of the fact that banks and other financial institutions are frequent targets and have suffered a number of high profile breaches in recent years.

Regardless, no matter what industry you’re in, if you get breached, your customers are likely to punish you for it, even if you offer them means to make their data more secure.

Former Employees Pose Serious Risk To Security

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded those who deal with PHI and PII of the dangers that terminated employees can pose to system security in their monthly cybersecurity newsletter. Their advice is as timely as it is excellent, and includes the following:

“Making sure that user accounts are terminated so that former workforce members don’t have access to data is one important way Identity and Access Management can help reduce risks posed by insider threats.

IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts.”

Kate Borten, President of The Marblehead Group, agrees, citing Verizon’s 2017 Data Breach Investigations Report, which was released earlier this year and named health care as the industry with the highest number of insider breaches.

OCR has published an extensive list of recommendations, which include:

• The creation and maintenance of user access logs used to determine when a user’s access levels are increased, or new equipment is assigned. These logs can also be used to track and trace precisely who is accessing what data, when, and using what locations, creating an audit trail.
• Establishing processes designed to terminate an employee’s access as soon as employment ends. These processes should also refer back to the aforementioned access logs to ensure that all equipment has been returned.
• Changing all administrative passwords on termination of an employee with access to those accounts, so that they will be unable to access them post-employment.
• The creation of alerts that call attention to accounts that have not been utilized in some predefined number of days in order to identify accounts that may be ripe for purging from the system.
• And developing a robust auditing procedure designed to ensure that all IAM-related policies are being followed, and that the system is working as intended.

It’s an excellent piece, and if your firm is in any way involved with the handling of protected health information, you owe it to yourself to head to OCR’s website and read it in its entirety.
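An added example (not from OCR's newsletter or this post) of how the termination, password-rotation and unused-account checks in the list above could be automated. The HR roster, directory export, credential list and the 90-day threshold are all constructed assumptions.

```python
from datetime import date

TODAY = date(2017, 12, 1)   # constructed "now" for the sample data
STALE_AFTER_DAYS = 90       # assumed value for the "predefined number of days"

# Constructed HR roster: user -> termination date (None = still employed).
HR = {"asmith": None, "bjones": date(2017, 10, 15),
      "cdavis": date(2017, 11, 20), "dlee": None}

# Constructed directory export.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2017, 11, 30)},
    {"user": "bjones", "enabled": True, "last_login": date(2017, 10, 14)},
    {"user": "cdavis", "enabled": False, "last_login": date(2017, 11, 19)},
    {"user": "dlee", "enabled": True, "last_login": date(2017, 7, 1)},
    {"user": "svc-report", "enabled": True, "last_login": None},
]

# Constructed shared administrative credentials and who knew them.
ADMIN_CREDS = [
    {"name": "db-root", "holders": {"asmith", "cdavis"}, "rotated": date(2017, 9, 1)},
    {"name": "fw-admin", "holders": {"asmith", "bjones"}, "rotated": date(2017, 10, 16)},
]

def audit(hr, accounts, admin_creds, today, stale_days=STALE_AFTER_DAYS):
    """Return (finding, name) tuples for the three checks described above."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to revoke
        left = hr.get(acct["user"])
        # Access should end when employment ends.
        if left is not None and left <= today:
            findings.append(("terminated-enabled", acct["user"]))
        # Accounts never used, or unused for too long, are candidates for purging.
        last = acct["last_login"]
        if last is None or (today - last).days > stale_days:
            findings.append(("stale", acct["user"]))
    for cred in admin_creds:
        # A shared admin password must be changed after any holder leaves.
        if any(hr.get(u) is not None and cred["rotated"] <= hr[u] <= today
               for u in cred["holders"]):
            findings.append(("rotate", cred["name"]))
    return findings

if __name__ == "__main__":
    for kind, name in audit(HR, ACCOUNTS, ADMIN_CREDS, TODAY):
        print(f"{kind:20} {name}")
```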

OnePlus Mobile Phone Found To Be Collecting User Data

If you own a smartphone made by Chinese manufacturer OnePlus, you can thank security researcher Chris Moore for making a discovery that the manufacturer wasn’t going to tell you about.

It turns out that OnePlus phones running the OxygenOS are recording a disturbing amount of user data and sending it back to a company server. The data being collected on users include, but are not limited to:

• Any time the user locks or unlocks the phone
• Any time the user launches, uses or closes an app
• Which WiFi networks the device connects to
• The phone’s IMEI
• The phone number tied to the phone
• Mobile network names

All of this makes it very easy for the company to personally identify users.

When Moore was conducting his tests, he noted that the phone sent more than 16MB of data back to the server in a span of just ten hours. If you’re on a data plan with tight limits, that could max out your usage in no time.

The company issued a response to the findings, confirming that it does indeed transmit analytic data to an Amazon server in two distinct streams, one designed to help them fine-tune their software and the second for sale support, but insists that nothing nefarious is going on. They further stress that users can turn off some of the data collection by going into Settings > Advanced, and then deselecting the option to “Join The User Experience Program” which is set to active by default.

Unfortunately, this only deactivates the first of the two data streams. It is apparently impossible to deactivate the second.

The company’s official explanation seems a bit thin, but unfortunately, there’s little to be done. While you can limit the amount of data collected on you, at this time, there’s no way to stop it completely. Keep this in mind if you use a OnePlus phone.

New Hack Attempts To Access Office 365 Passwords

Companies are getting better at detecting and fending off brute force attacks. Depending on how big, and how hard-hitting the attack is, it can still get through, of course, but the main problem with such an attack is that it’s impossible to miss. The moment it starts, security professionals know what’s going on, and can immediately spring into action.

Of course, the hackers know this, and have been looking for ways around the problem. How can they launch an attack that will go unnoticed?

Now, it seems that they have a viable answer: low and slow.

It requires patience. Rather than hitting hard and all at once, this new attack vector utilizes a small number of machines and a low attack frequency in order to stay under the radar. Often, the hackers orchestrating such attacks will spread them out over weeks, or even months, and alternate between several different companies on the thinking that if it doesn’t trigger any alarms, then the security folks won’t go on high alert, and they can keep chipping away until they get lucky and break in.

While it hasn’t worked so far, the new approach did manage to go unnoticed for a number of months before the pattern was detected by SkyHigh Security.

The attack they discovered is an especially clever one. It has been going on since May, and it seeks to target email accounts not controlled by individuals, but used to fulfill other corporate functions. These are things like service automation, marketing and other system accounts.

The reason? Most of these don’t use two-factor authentication, and most people who check those types of accounts don’t expect to see malicious emails in those inboxes, and are thus more likely to click on embedded links, even if sent by accounts that are unrecognized.

Nothing is currently known about the group behind the attacks. They are focused on high-value targets in the financial services and medical fields and attempted to gain access to Office 365 accounts, which would give them access to a wealth of sensitive corporate information.

Although there’s no evidence that the attack has succeeded to this point, it is as clever as it is insidious, and definitely something to be aware of. From a practical standpoint, the strongest defensive move you can make is to be sure that all of the aforementioned types of email accounts are using two-factor authentication.
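An added detection sketch (not from SkyHigh or this post) showing why a per-minute rate rule misses the low-and-slow pattern described above, while a long-window aggregation per source catches it. The log records, field layout, thresholds and the per-source-IP grouping are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sign-in records: (timestamp, source_ip, account, success)."""
    start = datetime(2017, 5, 1, 3, 0)
    system_accounts = ["svc-backup", "marketing", "noreply", "scanner", "svc-crm"]
    events = []
    # Low and slow: one source, two failures a day for 40 days, rotating targets.
    for day in range(40):
        for n in range(2):
            when = start + timedelta(days=day, hours=7 * n)
            target = system_accounts[(2 * day + n) % len(system_accounts)]
            events.append((when, "203.0.113.7", target, False))
    # Classic brute force: 50 failures five seconds apart against one mailbox.
    for i in range(50):
        events.append((start + timedelta(days=3, seconds=5 * i), "198.51.100.9", "alice", False))
    # Ordinary user: an occasional typo followed by a successful sign-in.
    for day in (2, 9, 20):
        when = start + timedelta(days=day, hours=9)
        events.append((when, "192.0.2.44", "bob", False))
        events.append((when + timedelta(seconds=20), "192.0.2.44", "bob", True))
    return events

def burst_alerts(events, window=timedelta(minutes=10), threshold=20):
    """Rate rule: sources with at least `threshold` failures inside one window."""
    failures = defaultdict(list)
    for ts, ip, _account, ok in events:
        if not ok:
            failures[ip].append(ts)
    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def low_and_slow_alerts(events, min_days=14, min_accounts=3, max_daily=5):
    """Long-horizon rule: quiet failures on many days, several accounts, no success."""
    per_ip = defaultdict(lambda: {"days": defaultdict(int), "accounts": set(), "ok": 0})
    for ts, ip, account, ok in events:
        if ok:
            per_ip[ip]["ok"] += 1
        else:
            per_ip[ip]["days"][ts.date()] += 1
            per_ip[ip]["accounts"].add(account)
    flagged = {}
    for ip, s in per_ip.items():
        if (len(s["days"]) >= min_days and len(s["accounts"]) >= min_accounts
                and max(s["days"].values()) <= max_daily and s["ok"] == 0):
            flagged[ip] = sorted(s["accounts"])
    return flagged

def without_mfa(accounts, mfa_enabled):
    """Targeted accounts with no second factor (missing entries count as none)."""
    return [a for a in accounts if not mfa_enabled.get(a, False)]

if __name__ == "__main__":
    print(burst_alerts(build_sample_events()), low_and_slow_alerts(build_sample_events()))
```

Feeding the accounts returned by `low_and_slow_alerts` into `without_mfa` gives the short list of system mailboxes to put behind two-factor authentication first.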

New iPhone X May Be Susceptible To Burn-In

Apple’s new iPhone X is a technological marvel that boasts the best display in the industry today, featuring Super Retina OLED display technology and offering a mind boggling 1,000,000 to 1 contrast ratio.

Unfortunately, there’s a problem, as revealed by a new support document the company released on the iPhone X. In it, Apple states that users may experience shifts in hue and color, and burn-in with the new display, especially if they maximize the phone’s brightness and keep the same image displayed for long periods of time.

According to the support document itself:

“If you look at an OLED display off-angle, you might notice slight shifts in color and hue. This is a characteristic of OLED and is normal behavior. With extended long-term use, OLED displays can also show slight visual changes. This is also expected behavior and can include ‘image persistence’ or ‘burn-in,’ where the display shows a faint remnant of an image even after a new image appears on the screen. This can occur in more extreme cases such as when the same high contrast image is continuously displayed for prolonged periods of time. We’ve engineered the Super Retina display to be the best in the industry in reducing the effects of OLED ‘burn-in.’”

The company also recommends a simple workaround users can employ to minimize the chances of this occurring. If it’s something you’re concerned about, simply adjust your phone’s brightness as follows:

• Go to Settings, and then into General
• From General, tap Accessibility, and then Display Accommodations
• Adjust to taste from there

Another simple thing you can do would be to set your phone to auto-lock after a shorter period of time. To make changes to that feature:

• Go to Settings
• From there, select Display & Brightness
• Then, go to Auto Lock and set whatever time period you deem appropriate

While neither of these are perfect solutions, they will certainly get the job done for the overwhelming majority of users.

Popular Chrome Ad Blocker Faked, 30k Users Infected With Malware

“Fool me once, shame on you. Fool me twice, shame on me,” as the saying goes. Unfortunately, Google has now been fooled by the same trick twice.

For the second time in recent years, Google has allowed a malicious variant of the popular extension “AdBlock Plus” onto its Chrome Web Store. It was noticed by a security researcher going by the alias “SwiftOnSecurity.” Before Google removed it, it had been installed more than 37,000 times by unsuspecting users.

This incident underscores a serious flaw in the way that Chrome extensions are uploaded to the Web Store.

The entire process is automated, and Google only intervenes if an extension is reported as being problematic. Unfortunately, given the automated nature of the process, it’s almost frighteningly easy to abuse, and since there are no significant checks on the front end, hackers can upload extensions bearing the same or highly similar names as extensions from legitimate developers. Unless a user clicks on the “reviews” tab to read what other users are saying about the extension, at first glance, they’d have no real way of knowing that there was a problem until they started experiencing it for themselves.

As mentioned, this is actually the second time this very extension was abused, the first being back in 2015.

As malware goes, this one is annoying, but not awful. Instead of blocking ads, it has a tendency to open multiple new windows, displaying a torrent of unwanted advertising. Fortunately, there don’t seem to be any other “hooks” built into the code, so it doesn’t install more destructive malware, but it’s still annoying.

All that to say, if you’ve been experiencing a sudden flurry of advertising popups, you may have been one of the unlucky few to have grabbed a malicious variant of an otherwise excellent web extension. If you have, just uninstall it and go grab a new copy, and you should be all set.