Better Parental Controls Underway For Apple Devices

Recently, a group of investors wrote an open letter to Apple, urging the company to do more in regards to offering better and more robust parental controls on the devices the company makes. Although the group of investors control some $2 billion in Apple stock, this is a drop in the proverbial bucket, given the company’s $900 billion market cap. Nonetheless, the letter seems to have gotten Apple’s attention.

In a statement published in the Wall Street Journal, the company said: “We think deeply about how our products are used and the impact they have on users and the people around them. We take this responsibility very seriously, and we are committed to meeting and exceeding our customers’ expectations, especially when it comes to protecting kids.”

Previously, the company has touted the suite of parental controls it’s had in place on the devices it makes since 2008. For example, every iPhone sold has a settings app with a parental controls section that allows adults to control in-app purchases, install and delete apps, and restrict website access.

Those are all good things, but the group of investors is pushing for more. Although the company has not released any details about their planned enhancements, it does appear that the letter has prompted them to think even more deeply about the matter, and in that same letter, also requested that apple aid research that studies what impacts excessive smartphone use has on mental health.

To their credit, Apple has done more with parental controls than many, if not most other tech companies, and it is very good to see that they’re listening and responding to the concerns of their investors. This kind of responsiveness bodes well, and depending on the particulars of their plan, it could well cause other companies in the industry to attempt to match their moves.

Hard Drives May Double In Speed With New Technology

What’s an HDD manufacturer to do when faced with competition by faster, more efficient SSD drives?

Go big, and go faster. At least that’s the strategy that both Seagate and Western Digital are adopting.

SSDs tend to get prohibitively expensive as their size crosses the 1TB threshold, which creates an opportunity for HDD manufacturers. Seagate is currently selling drives with an impressive 14TB of capacity, and has plans on the drawing board to introduce a 40TB drive by 2023, with Western Digital not far behind, aiming for a 40TB drive by 2025.

That’s impressive, but as Seagate mentioned in a recent blog post:

“Capacity is only half of the solution. If the ability to rapidly access data doesn’t keep pace with all that capacity, the value potential of data is inhibited. Therefore, the advancement of digital storage requires both elements: increased capacity and increased performance.”

In order to address the performance side of the equation, Seagate is experimenting with a new approach called “multi-actuator technology.”

HDDS are based on platters, with an actuator arm on the top and bottom that write to the platters.

Actuators are all aligned and are designed to move in tandem, but at any given moment, only one arm is writing to the disk.

Seagate’s new solution utilizes two sets of actuator arms, each controlled independent of the other. With two heads capable of reading and writing simultaneously, HDD speeds can effectively be doubled.

It’s an idea that has been around for a while, but until recently, thanks to the prohibitive cost of the components, it was simply impractical. With component prices falling, it’s suddenly viable. The combination of massive HDDs and the new technology are making people take a second look at HDD technology.

This is a great advance that breathes new life into HDDs, and is a truly exciting innovation.

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently via remote. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Security Research Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.

2 Million Credit Cards Stolen From Popular Sandwich Shop

By now, we’ve seen enough large-scale Point of Sale (POS) credit card thefts that patterns are beginning to emerge. Some companies follow the general arc of the narrative better than others, and deserve credit for doing so, but in the end, the story is about the same.

That’s certainly the case with Jason’s Deli. Recently, they discovered RAM-scraping malware on a number of their POS terminals. This has happened at a total of 164 of their locations, scattered across 14 states.

During the seven-month period before the malware was discovered, the company estimates that the credit card payment information of some two million customers was stolen. The data included credit and debit card numbers, expiration dates, the cardholder’s service and verification codes, and the cardholder’s name.

As is the case with most of these incidents, the company immediately contacted law enforcement and hired a third-party firm to assist with the forensic investigation, which is still ongoing.

Jason’s Deli’s handling of the aftermath of the incident has been well above average. However, the bottom line is that unless companies start paying increasing attention to data security, issues like these are going to continue to occur.

As a general rule, hackers prefer to go after the low-hanging fruit. There’s simply more money in attacking soft targets than hard ones. Your company doesn’t need bullet proof security in order to be safe from most hackers, it’s just got to be better than average. Although obviously, the better and more robust your digital security is, the safer you will be.

Unfortunately, this painfully obvious lesson seems to be falling on too many deaf ears. Until and unless that changes, we’ll continue reading about incidents like these. It’s costing business billions every year. Make sure your company isn’t next on the hackers’ hit list.

Performance Issues Plague PC’s Updated With Spectre Patch

Recently a critical flaw was found inside every Intel chip made during the last decade.  The flaw makes two different exploits possible.  These exploits have been dubbed “Meltdown” and “Spectre.”

The flaws are incredibly severe, and make it possible for a hacker to gain complete, unfettered access to the targeted PC or laptop.  Although no instances of the exploit have yet been found in the wild, now that both are commonly known, it’s only a matter of time before that happens.

Based on that, and given the severity of the flaw, Intel scrambled to release an update, but here’s the catch:  The update would hurt system performance, lowering it by as much as 23%.

In the end, it didn’t matter.  To ignore the problem was simply not an option, so the company scrambled to get a fix ready and has since released it.  Unfortunately, the fix has proved to be even more problematic than was originally estimated.  In addition to degrading machine performance, it also interferes with a variety of maintenance activities and leads to an inordinate number of system reboots.

Initially, Intel advised its customers to proceed with the download in order to protect their systems, even in light of the performance degradation.  However, as the number of complaints have grown, the company reversed course and has now advised against downloading its latest update, asking users to wait for a revision to be published.

At this point, the company has not given an ETA on when the revised firmware update will be ready, but until it is, you’re placed in an awkward position.  Waiting for the update means exposing your company to risk, should a hacker target one of the machines on your network with the exploit.  Proceeding with the current firmware update means you’ll suffer performance issues, leaving you stuck between a rock and a hard place, at least for the short term.

iPhone Throttling Issue To Be Addressed In Upcoming Update

Recently, Apple found itself in hot water with its normally adoring user base. This happened when it became known that the company was intentionally throttling (slowing down) the speed of older iPhones.

The company’s intentions were good.  They clearly meant well.  The move was designed to even out performance in older equipment.  As cellphone batteries age, they tend to lose charge more quickly.  What was happening was that people with older equipment would drop from 20% battery to 0% in the blink of an eye, causing their old phones to simply shut down at inopportune moments.  Apple’s strategy was simply designed to help keep that from happening.

Well-intentioned or not, the company didn’t formally announce the change, and it was discovered by chance by security researchers.  Needless to say, the legions of people who still use older iPhones were not amused and the company has faced backlash from an angry user base since.

Apparently, the backlash got bad enough that they listened.  Apple just announced that as of the next OS update, version 11.3, the OS will include a toggle switch that will allow users to choose whether or not to throttle their  phones to extend battery life.

This is the latest in a series of moves the company has made to get back in the good graces of its users.  Previous efforts have included a public apology and an offer to reduce its fee for battery replacement to just $29.

This has been a PR disaster for the company.  It probably won’t hurt their bottom line much, but perception matters. While the company has been trying bravely to save face, the simple truth is that this was a self-inflicted and avoidable wound.

There’s a lesson here for businesses of all shapes and sizes.  Transparency matters, and if you’re going to do something that directly impacts large segments of your user base, be upfront about it and give them a viable choice.

700,000 Potentially Malicious Apps Removed From Google Last Year

Google recently released their Play Store stats for 2017.  The results are both encouraging and disheartening.  Overall, Google caught and removed more than 700,000 malicious apps from the Play Store, minimizing their impact on the company’s massive Android user base.

That’s unquestionably good news, but it comes with a bit of a dark side.  That figure represents a staggering 70 percent increase in the number of apps removed compared with 2016 figures.  The hackers are not only relentless in their efforts, but they’re picking up the pace dramatically.

Last year, Google made a significant change, putting Play Store security under the umbrella of the Google Play Project.  This system is driven by “smart” detection software that automatically scans and provides alerts for any software that exhibits questionable behavior and gets better on its own thanks to Machine Learning protocols.

So far, that approach seems to be working pretty well.  It’s not without its flaws, of course.  Google found itself in the news a few times last year when some malicious apps managed to slip through their impressive detection mechanisms, and got downloaded by several thousand users.  Even so, it’s clear that the company is committed to the process and takes the security of its users very seriously.  Given today’s digital landscape, that’s important.  That means something.

As for Google’s plans for 2018:

More of the same.  Continued, incremental improvements in the Google Play Project, continued support for the Zero-Day initiative, and keeping a watchful eye on all things security-related.  The company is by no means perfect, but it’s nice to know that we’ve got such a large company out there, fighting back.

Of course, it still falls to each individual user to be careful what apps you install on your various devices.  No matter what Google does in the coming year, due diligence is still your last, best defense.

If your Point Of Sale Uses Oracle, Update Now

Oracle is currently the third-largest provider of POS (Point of Sale) software on the market today, which means that there’s a fairly good chance you’re using an Oracle POS system.  If you are, there’s trouble ahead.  A recently discovered security flaw could put your system at risk.

Oracle has already identified and patched the security flaw, but there’s a problem.  Since POS systems are deemed “mission critical” by most businesses, System Administrators rarely schedule maintenance for them on fears that an unstable patch or update could cause undue downtime for the company.  Because of that, it will likely be a month or more before the new update finds its way to all 300,000 of the at-risk systems.

As security flaws go, this one is fairly nasty, too, as it allows a hacker to collect configuration files from any vulnerable Micros POS system.  This data can then be used to grant the hacker full, unrestricted access to the POS system,  as well as the database and server it feeds information to.

Most hackers attacking a POS would be content with simply collecting credit card details for resale on the Dark Web However, with this exploit, any sort of malware could be installed to use against the company later.

Even worse, a hacker need not be in close proximity to the device in question.  A carefully crafted HTTP request could trigger the security flaw and open the door.  Of course, if a hacker is in close proximity to the system, then there are many easier ways to infect it.  One only needs to distract the sales clerk long enough to attach a simple Raspberry Pi board equipped to run the exploit code and the damage is done.

The bottom line is, if you use an Oracle POS, make installing the latest security patch a priority.  You’ll be vulnerable until you do.

Malware Makers Testing Vulnerability Of Meltdown And Spectre

Security researchers from around the web are reporting finding an increasing number of instances of proof of concept (PoC) code that incorporates the recently discovered Spectre and Meltdown vulnerabilities.

If you somehow missed those earlier reports, Spectre and Meltdown are a pair of critical security flaws recently discovered in literally every Intel chip set made over the last decade.  Exploiting these vulnerabilities would give a hacker root-level access to the impacted system.

Since the discovery, the chip giant has been scrambling to fix the issue. However, their first attempt to do so caused so many system problems for people who installed the patch that the company is now recommending that users avoid it until they can come up with a better solution.

Unfortunately, that leaves you between the proverbial rock and a hard place.  Installing the patch will protect you, but cause you to experience system reboots several times a day and seriously degraded performance.  Not installing it leaves you at the mercy of the hackers.

So far, at least, it appears that most of the proof of concept code found is the result of security researchers playing with the exploits.  This includes testing them, seeing how they work, and how to prevent them.  That said, the researchers point out that it’s all but certain that some of the PoC examples were created by teams of hackers who plan to use them in their next round of attacks.

To make matters worse, Mozilla has confirmed that the Spectre flaw can be executed remotely by inserting commands into Javascript.  Given that, plus the increased appearance of PoC code fragments, it seems it’s just a matter of time before we see the first ever Spectre-based hack.  The clock is ticking.

Microsoft is Adding Much Needed Feature To Windows Defender

Microsoft is getting tough on so-called “registry cleaners”, and it’s about time.  The company recently announced a planned change to Windows Defender (the anti-malware program that comes standard with every Windows installation).  The change will see to the deletion of an increasing number of these registry cleaners.  It’s a great move, and the company deserves credit for it, but there’s a catch.  This type of software has been around for decades. So the move, as welcome as it is, comes very late in the game.

It’s overwhelmingly likely that you’ve seen these programs in action.  They’re usually free downloads (though there are a few web based services too) that scan your system to find problems with your registry that the software claims are causing performance issues and slowing your machine down.

There are two major problems with this:  First, the software tends to be light on details, refusing to provide much information about exactly why the “problems” that have been identified are impacting system performance.  Worse, the software often incorrectly identifies critical system files and registry entries as being problematic. So of course, when they are deleted, they actually create many more problems than they solve.

Second, in order to actually fix the problems that have been identified, you’ve got to buy the premium version of the package.  The result is that you’re losing money, and the software often breaks your system.  Not a pretty picture.

This latest move by Microsoft builds on action they took back in 2016, when the company started penalizing the makers of such registry cleaners if their software didn’t provide adequate information. This missing information included why the problems they found needed to be fixed in the first place, and if they utilized a high pressure up-sell technique.

Ultimately, those moves proved to be insufficient, so Microsoft decided to take things to the next level.  Now, they’re simply going to start deleting these no- or low-value programs.  Late or not, that’s one less headache for you, and a very good thing.