
The Weekly Rundown: w/b 13 September 2021

The segment that quickly overviews the top technology and cybersecurity stories of the last week or so.

A Passwordless Future

Microsoft made various news headlines this week, but one of the most talked-about announcements was that consumers will now be able to ditch passwords on their Microsoft account in favour of Microsoft Authenticator, Windows Hello, a physical security key or an email/SMS verification code.

Consumers can now use this previously Enterprise-only feature

In a blog post, Vasu Jakkal, Microsoft CVP of Security, Compliance and Identity, said that “nobody likes passwords”. The post argues that users either create secure passwords that they cannot remember or easy-to-remember passwords that can easily be broken.

You can try the feature by visiting your Microsoft account security settings.

ProtonMail removes no-IP logging claim after controversy

ProtonMail, an email provider generally respected globally for its high security and encryption standards, came under fire recently after it complied with a Swiss legal request for user data as part of a criminal investigation. Users felt that the company’s privacy claims had not been upheld.

The Swiss-based company previously stated in their Privacy Policy:

IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities.

Old ProtonMail Privacy Policy (Archived)

However, the claims have since been toned-down in an updated Policy, in effect as of September 6 2021:

By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation. This obligation however does not extend to ProtonVPN (see VPN privacy policy here). Additional details can be found in our transparency report.

Current ProtonMail Privacy Policy (Source)

The new additions have been underlined for ease of comparison, and make clear that ProtonMail will log IP addresses if legally compelled to do so by the Swiss authorities. ProtonMail clarified in a blog post that data will never be provided to foreign governments, as doing so is illegal under Swiss law.

Kali Linux 2021.3 released

A new release of the popular Linux-based, security-centric operating system was announced in a blog post and released on September 14. The feature highlights are:

  • OpenSSL compatibility improvements
  • New Kali-Tools site
  • Live Image support improved for virtual machines
  • New ethical hacking tools
  • Smartwatch support (TicHunter Pro)
  • Plasma version sees KDE 5.21

Kali 2021.3 is available now from the Kali website, or you can upgrade an existing system using the following commands:

echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" | sudo tee /etc/apt/sources.list
sudo apt update && sudo apt -y full-upgrade
[ -f /var/run/reboot-required ] && sudo reboot -f

Several zero-days patched: Patch Tuesday September 2021

Apple has issued an important security update for iPhones with the release of iOS 14.8, and has also updated iPadOS, watchOS and macOS. The focus may be on the recently revealed iOS 15, but the current OS has received an update to patch ForcedEntry, a vulnerability exploited by NSO Group that allows them to control a device. NSO Group is a private company based in Israel that “creates technology that helps government agencies prevent and investigate terrorism and crime”, according to its website. DemocracyNow reports that 1.65 billion devices have been vulnerable since March. The exploit uses a maliciously crafted PDF file that users do not need to open; it only needs to be present on the device.

In Microsoft’s updates, an actively exploited MSHTML vulnerability that is triggered via malicious Microsoft Office files has been patched. The vulnerability is tracked as CVE-2021-40444 and is reported to be exploited by ransomware gangs (Source: BleepingComputer). The Windows 10 update is assigned KB5005565 for versions 2004-21H1 and KB5005566 for Windows 10 version 1909.

Multiple security holes have also been addressed in the latest Google Chrome update, the official details of which you can read here. Due to the severity of the security issues, Google is withholding details from the public until “a majority of users are updated with a fix”.