After having an incredibly bad week last month, Lenovo started saying the right things, and perhaps doing some of the right things too. But some laptops with the Superfish malware preinstalled on them are still in the supply chain, which means some people are unwittingly buying them.
This isn’t terribly surprising. But there are a couple of things you can do about it, and they’re things worth doing anyway.
Continue reading Lenovo is penitent, but its customers aren’t out of the woods yet
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
Continue reading You’re telling me someone gave a stranger his password?
This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch.
Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.
Continue reading Why Google ratting on Microsoft isn’t all bad
Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!
Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet. Continue reading USB malware: What you need to know
Late last week Microsoft released a new version of EMET. I’ve written about EMET before and I still recommend it. EMET 5.0 adds a couple of new mitigations, tries to be harder to bypass, and offers improved compatibility, so there’s little reason not to upgrade.
EMET does more than anything else I can think of to protect you from the many things that get past your antivirus software and firewall’s defenses, and it’s free. I can’t think of any good reason not to run it. Of course, the people not running it at all stand to benefit the most from it, but if you’re already running EMET 4.1, upgrading to get better protection is worthwhile, too.
One myth that I hear over and over is that having a router on your Internet connection makes you invisible, and makes you somehow invincible. I even heard someone say recently that if you have a router/firewall, you don’t need to run antivirus software.
Security researcher HD Moore appeared last week on Risky Business and he talked about ways that entire classes of routers can be compromised. Give it a listen. Continue reading Listen to this if you think a router makes you invincible
C’mon. You knew I’d get around to writing a response to Rick Broida’s claim that he doesn’t use antivirus software.
Actually, he’s not nuts. But he’s also mistaken if he thinks he doesn’t use antivirus software. His editorial is kind of like saying, “I don’t use a web browser. I use Internet Explorer.”
Although he’s mistaken that he doesn’t use antivirus software, and not all of his advice is spot-on, you can do a lot worse than follow his advice.
Continue reading Rick Broida thinks he doesn’t use antivirus software
I can’t bribe my preschooler with a penny anymore, but, sadly, a consortium of Carnegie Mellon University, NIST and Penn State University found that 22% of respondents through Amazon’s Mechanical Turk were willing to run a dodgy unknown executable in return for a penny. Fifty-eight percent would do it for 50 cents, and 64 percent would do it for a dollar.
I’ve been telling people for 17 years not to take executable files from strangers. I know the percentage of people who will bend down to pick up a penny off the ground when they see one is less than 22%, so this saddens me. Continue reading Don’t run unknown executables for a dollar. And PLEASE don’t for a penny!
I did a little more digging after getting yet another fake technical support phone call last week, and I’ve done some thinking on my own. If you want to troll these criminals when they call you, here are some ideas. Continue reading Some tips for trolling fake technical support calls
On one of the podcasts I listen to, two of the hosts questioned whether the publicity around recent security vulnerabilities are a good thing.
As a security professional who once studied journalism, I think it’s a very good thing, and it’s going to get better. I liken it to the rise of computer virus awareness. Continue reading The publicity around security is a good thing