Posts tagged software
Microsoft will no longer issue security patches for Windows XP
This month’s “Patch Tuesday” includes the final round of security fixes Microsoft will issue for Windows XP, potentially leaving millions that continue to use the OS open to attack.
XP will become an easy target for attackers now that Microsoft has stopped supporting it, said Wolfgang Kandek, CTO for IT security firm Qualys. The OS will no longer receive fixes for holes that Microsoft and others might find in the OS. Moreover, attackers will be able to reverse engineer patches issued for newer versions of Windows, giving them clues to the remaining unfixed vulnerabilities in XP, Kandek said.
Microsoft has acknowledged the problem and has been pushing hard to get users onto newer versions of Windows.
“If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses,” it said in an advisory.
Its efforts haven’t always been successful. Qualys compiled data from 6,700 companies and found that use of XP still represents a sizable portion of OSes running in the enterprise. About one-fifth of companies in finance, for instance, still use XP — a surprisingly large number for an industry handling sensitive data.
In retail, 14 percent of PCs still run XP, and in health care the figure is 3 percent.
Organizations may be holding off on updating for a number of reasons, Kandek said. Some didn’t realize support was closing and are just now putting a migration plan in place. Others may be taking a calculated risk, saving on the cost of an upgrade and trying to minimize exposure by limiting access to the Internet and through other measures.
In addition to ending support for XP, Microsoft is no longer supporting Office 2003 or Internet Explorer 8.
The company released four security updates altogether on Tuesday. They cover 11 vulnerabilities in Windows, Internet Explorer, Microsoft Office and Microsoft Publisher. Two of the updates are marked as critical. One of those, MS14-018, fixes a number of issues with Internet Explorer. The other, MS14-017, addresses critical vulnerabilities in Microsoft Word and Office Web Apps. They include a zero day in how Office 2010 handles documents encoded in the Rich Text Format.
Even after that fix is applied, organizations might want to disable Word’s ability to open RTF files, if those types of files aren’t routinely used, Kandek advised.
The two other updates in April’s round of patches were marked important. One of them, MS14-020, handles a vulnerability in the company’s Publisher program. The other, MS14-019, covers how Windows, including XP, handles files.
Kandek also advised administrators to apply the patch Adobe issued Tuesday for a serious vulnerability in its Flash multimedia software.
From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child’s smart toy into a covert surveillance device, or unlock the doors of your smart home.
Disregard for a moment why you would ever want to connect a toilet to the Internet to “record a toilet diary,” and instead ask why would a person hack a smart toilet? Because it’s there; it’s vulnerable and it helps to highlight new security risks associated with smart devices connected to the web, making up the Internet of Things.
LIXIL Satis Bluetooth smart toilet
Since the Japanese-manufactured LIXIL Satis smart toilet is extremely expensive, as much as about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the Bluetooth-controlled Satis. It has a hard-coded PIN of “0000,” according to the security advisory, and:
any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.
Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child’s toy, capture video and then upload it to a remote server.
Violet’s Karotz Smart Rabbit
The toy in question is a Karotz plastic bunny that “can connect to the Internet (to download weather forecasts, read its owner’s email, etc.),” stated the bunny security advisory. It “can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip and speakers.” In fact, an attacker could “take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.”
Hacking smart houses
At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers covered serious topics as well, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock’s PIN. They also discussed security weaknesses discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.
Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have “vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.”
“The big risk is that a compromise could give you access to hundreds of thousands of homes all at once,” Crowley stated. “I could see that as an attack someone could actually use to launch a crime spree.” He added that if someone broke into your house, but there was no sign of forced entry, then how would you get your insurance company to pay?
Granted the toilet hack is invasive but more like a prank, yet an attacker could also seriously mess with a person’s mind by simply running a web search for smart homes with Insteon and then remotely taking control of the lights as if the house were “haunted.”
The potential for hacking smart homes and the Internet of Things—from exploiting network connected toys, thermostats, wireless speakers, to automated door locks—will only continue to grow as more people adopt these technologies. There are plenty of privacy risks in addition to the security vulnerability issues as their white paper [pdf] states:
There are also privacy concerns in the compromise of these devices. Compromise of a device with a built-in microphone or camera comes with the ability to perform audio and video surveillance. Compromise of a motion sensor could be used to determine when there are people at a physical location. Reading the status of door locks and alarm systems as could be achieved by compromising the VeraLite could be used to determine when the building in which it resides is occupied.
Legally, devices that store data on third party servers also enjoy a lower level of privacy protections due to the 3rd Party Doctrine. Many of the devices in this paper fall into this category.
Mud slinging round one million: Google CEO Larry Page warned against companies being “negative,” before claiming Microsoft is “milking” Google. Microsoft zinged back about the cease and desist letter Google sent.
Last week, Microsoft incorporated Google Talk into Outlook and SkyDrive to allow users “to chat with friends stuck on Gmail.” Then Google CEO Larry Page criticized Microsoft for “taking advantage” of “interoperating” with Google, “but not doing the reverse.” That’s “really sad,” Page said at I/O, “And that’s not the way to make progress. You need to actually have interoperation, not just people milking off one company for their own benefit.”
In return, Microsoft spokesperson Frank Shaw stated, “It’s ironic that Larry is lending his voice to the discussion of interoperability considering his company’s decision — today — to file a cease and desist order to remove the YouTube app from Windows Phone, let alone the recent decision to make it more difficult for our customers to connect their Gmail accounts to their Windows experience.”
Cease and desist
Google claimed that Microsoft violated Google’s Terms of Service with the YouTube app. The Verge got its hands on a copy of that cease and desist letter that Google sent Microsoft. It demands that Microsoft “immediately withdraw this application from the Windows Phone Store and disable existing downloads of the application by Wednesday, May 22, 2013.” Google’s real gripe stems from the fact that Microsoft’s YouTube app has “features that specifically prevent ads from playing.”
After the cease and desist letter went public, Microsoft responded by “saying it’s happy to include advertising.” However, ZDNet speculated that the Windows Phone 8 YouTube app might have been part of Microsoft’s Scroogled campaign.
You wouldn’t know all this background cease and desist drama from what Page said at I/O.
Every story I read about Google gives off a notion of “us versus some other company” or some stupid thing. Being negative is not how we make progress. The most important things are not zero-sum. There is a lot of opportunity out there.
Opportunities on “Google Island”
Gadget Lab’s Mat Honan wrote about some of those far-out and freaky opportunities in a fictional piece about “Google Island.” It’s an interesting and trippy read. Honan talked about arriving at Google Island in a “driverless boat” to find Page’s naked “Google Being” explaining “complete openness” made possible by experimenting on an island in which no pesky government’s laws could get in the way with privacy.
At I/O, Page expressed an interest in setting aside a place “where people could experiment freely and examine the effects.” Honan joked that the place is Google Island, where Page would claim, “As soon as you hit Google’s territorial waters, you came under our jurisdiction, our terms of service. Our laws-or lack thereof-apply here. By boarding our self-driving boat you granted us the right to all feedback you provide during your journey.”
Besides Google knowing everything about a user’s health, “genetic blueprint” and even “the chemical composition of your sweat,” Honan’s fictional Page claimed that Google has “looked at everything you’ve looked at online. Everything. We know what you want, and when you want it, down to the time of day. Why wait for you to request it? And in fact, why wait for you to discover that you even want to request it? We can just serve it to you.”
OK, so that was fiction…but it harkens back to a time when then Google CEO Eric Schmidt said, “With your permission you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” Schmidt later added, “I actually think most people don’t want Google to answer their questions…They want Google to tell them what they should be doing next.”
Google is all about ad revenue and the company will never allow Microsoft to block ads on YouTube. Meanwhile, speaking of YouTube and ads, Nintendo is scanning for fan-made YouTube clips that show footage of its games, such as how to get through a level, and then “hijacks” the ad revenue. Nintendo is not blocking screencaps that feature its intellectual property; however, by using content ID match to identify game footage videos uploaded by fans, Nintendo is adding advertising “at the beginning, next to or at the end of the clips.”
Because you’re doing your research on MCTS courses, the chances are you’re in 1 of 2 situations: You might be wondering about completely changing your working life to the field of computers, and research demonstrates there’s a growing demand for people with the right qualifications. In contrast you could already be in IT – and you want to enhance your CV with the MCTS accreditation.
When looking into training providers, ensure that you steer clear of those that short-change you by failing to provide the latest Microsoft version. This will only hamper students, because they’ll have learned an old version of MCTS which doesn’t match the present exams, so they’ll probably fail. A training provider’s focus must be centred on doing the most for their students, and everyone involved should have a passion for getting things right. Studying isn’t simply about qualifications – the process should be all about helping you to decide on the best course of action for you.
It’s essential to have an accredited exam preparation programme included in your course. Because many examining boards for IT are from the USA, it’s essential to understand how exam questions will be phrased and formatted. It’s no use just answering any old technical questions – they must be in an exam format that exactly replicates the real thing. A way to build self-confidence is if you test your depth of understanding by doing tests and mock ups of exams prior to taking the actual exam.
There are colossal changes washing over technology over the next generation – and this means greater innovations all the time. We’ve barely started to see just how technology will affect our lives in the future. Computers and the web will profoundly revolutionise how we see and interrelate with the entire world over the next few years.
Let’s not ignore salaries either – the typical remuneration in the UK for a person working in IT is considerably better than remuneration packages in other sectors. Odds are you’ll make a whole lot more than you could reasonably hope to get in other industries. With the IT marketplace developing year on year, it’s predictable that the requirement for well trained and qualified IT technicians will continue actively for decades to come.
Make sure you don’t get caught up, like so many people do, on the training course itself. Your training isn’t about getting a plaque on your wall; this is about employment. Focus on the end-goal. It’s a sad fact, but a great many students begin programs that seem amazing from the syllabus guide, but which provide the end-result of a job that is of no interest. Try talking to typical university leavers for examples.
It’s a good idea to understand what expectations industry may have of you: which precise qualifications they will want you to have and how you’ll go about getting some commercial experience. Spend some time assessing how far you think you’ll want to go, as often it can control your selection of accreditations. Talk to a skilled advisor who has a commercial understanding of the realities faced in the industry, and could provide an in-depth explanation of what tasks are going to make up a typical day for you. Getting to the bottom of all this before commencement of any study program will save you both time and money.
Many trainers will provide a useful Job Placement Assistance program, to assist your search for your first position. Don’t get caught up in this feature – it’s easy for eager sales people to make too much of it. In reality, the massive skills shortage in the United Kingdom is why employers will be interested in you.
Nevertheless, don’t leave it until you have finished your training before bringing your CV up to date. As soon as your training commences, mark down what you’re doing and tell people about it! Quite frequently, you will get your first job whilst you’re still studying (occasionally right at the beginning). If your CV doesn’t say what you’re learning (and it isn’t in the hands of someone with jobs to offer) then you won’t even be considered! Actually, an independent and specialised local recruitment consultancy – who make their money when they’ve found you a job – is going to give you a better service than a recruitment division from a training organisation. They should, of course, also know local industry and the area better.
A slight frustration of many training companies is how hard people are prepared to work to get qualified, but how little effort that student will then put into getting the job they have trained for. Don’t falter at the last fence.