More stories


    Is it OK to use text messages for 2-factor authentication? [Ask ZDNet]

    Welcome to the first installment of a new weekly advice column, Ask ZDNet. It’s a time-honored editorial format, like Dear Abby but with a much better grasp of modern tech. This week, we tackle three thorny questions: Are text messages too dangerous to use as a second factor for 2FA? Do you really need Windows 11 Pro edition? And why do smoke detector batteries always seem to die in the middle of the night? If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can steer you in the right direction. Questions can cover just about any topic that’s remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice … well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away. 

    Is it OK to use text messages for 2-factor authentication?

    I know I’m supposed to use 2-factor authentication for everything, but I keep reading that using text messages for 2FA is dangerous. Do I really need to worry about this? What are my alternatives?

    First things first: Yes, setting up 2FA is a crucial security step for any important online account. When this form of authentication is enabled, you need to provide a second proof of your identity when signing in to an online service for the first time on a device. If your password is stolen in an online data breach or someone fools you into giving it up, the attacker can’t access your account because they don’t have access to a second authentication factor. (For a detailed explainer, see “Multi-factor authentication: How to enable 2FA to step up your security.”)

    The most basic form of 2FA involves a text message, sent via SMS to a phone you previously registered with your account. After you type in your password, you receive a text message with a code that you enter as the final step of authenticating.

    SMS-based 2FA is absolutely better than no 2FA. But it’s vulnerable to a variety of attacks, including SIM swapping, where the bad guy is able to intercept the SMS messages and take over the account. This type of attack takes a great deal of work and is most likely to target a high-value account, like someone who works at the support desk for a big corporation. But even if you aren’t a target for a global hacking network, it’s smart to steer clear of SMS authentication whenever you can.

    There are two great alternatives to SMS-based 2FA codes. First is a free authenticator app, which generates 2FA codes or receives approval prompts directly on your phone. (For details, see “Protect yourself: How to choose the right two-factor authenticator app.”) For maximum security, consider a physical hardware key that you connect using USB or NFC. Hardware keys cost more and aren’t as easy to use, but they’re ideal for high-value accounts that need extra protection. (See “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”)

    Where are all the PCs with Windows 11 Pro?

    I’m ready to buy a new PC, but all of the computers I see for sale at my local retail outlets are running Windows 11 Home edition. Do I need to upgrade to Pro? How do I do that without spending a fortune?

    As you’ve noticed, the PC industry is extremely price-sensitive. The reason you see so many PCs running Windows Home edition is that it costs the PC makers less than the Pro edition, which in turn allows them to cut the price tag on a PC model by about $100. For most consumers, Home edition is good enough. Businesses that run on Windows enterprise networks need Pro edition, however, because it’s a requirement to join a PC to a Windows domain or Azure Active Directory account and then manage that PC with Group Policy and mobile device management software.

    Pro edition does have a few added features you might be willing to pay for, especially if you’re planning to use your PC for business. It supports full BitLocker encryption without requiring the user to sign in to a Microsoft account. It also allows the use of Windows Information Protection features for secure document sharing. You get to use the full Hyper-V virtualization platform to create and run virtual machines. You can configure Pro edition to be a remote desktop server, allowing you to connect to it remotely from another Windows PC (even one running Home edition) or from a Mac or a mobile device. Instead of installing updates on Microsoft’s schedule, you can set up custom schedules for devices, deferring updates for up to 30 days while you wait for other people to experience any update-related bugs. But that’s pretty much it.

    If you prefer a PC that comes with Windows 11 Pro (or Windows 10 Pro, for that matter), your best bet is to look online, where you can find stores that specialize in PCs built for business. You can also go to online dealers like Dell, who will happily configure a PC to your specifications. Adding the upgrade to Windows Pro typically costs $50-80.

    Or you can buy one of those PCs with Home edition installed and upgrade it yourself. If you have a license key for a Pro or Business edition of Windows 7, Windows 8.1, or Windows 10, you can use it to upgrade. (Instructions here: “How to upgrade from Windows 10 Home to Pro for free.”) You can also buy the Pro license online. The full retail price is $200 (ouch) at the Microsoft Store. You can find legitimate discounts of $50 or so from other online retailers, but be very suspicious of any discount that’s more generous than that. If you see someone offering a “lifetime license” for Windows 11 Pro for $49, there’s a good chance that the seller is not authorized to distribute that license, and there’s a chance (small, but not zero) that Microsoft could revoke your license key in the future.

    How do I silence that chirping smoke alarm?

    The smoke alarm mounted on my bedroom ceiling started chirping again last night, waking me out of a sound sleep. I’m tempted to just disconnect it completely. Any suggestions on how to set things up so I can get an uninterrupted night’s sleep once again?

    According to the folks at Kidde, which manufactures smoke alarms, there’s actually a reason for those chirps in the night. As a smoke alarm’s battery nears the end of its life, the amount of power it produces causes an internal resistance. A drop in room temperature increases this resistance, which may impact the battery’s ability to deliver the power necessary to operate the unit in an alarm situation. This battery characteristic can cause a smoke alarm to enter the low battery chirp mode when air temperatures drop. Most homes are the coolest between 2 a.m. and 6 a.m.

    Now that we’ve settled that, please don’t disconnect your smoke detector. It can literally save your life by giving you early warning of a fire so you have time to escape. Modern alarms can also detect another potential killer: the odorless but deadly carbon monoxide.

    The simplest fix is to set a calendar reminder to change those batteries around the same time every year, using fresh, high-quality lithium batteries. Don’t use rechargeable batteries, and don’t use batteries that have been in storage for a while. For those of us in the Northern Hemisphere, Halloween is a good date, in my experience, as it leads into the winter when windows are likely to be closed most of the time and house fires (and carbon monoxide poisoning) are statistically more likely.

    If you’d prefer to skip that annual chore, get batteries specifically intended for long-term use in smoke detectors and other critical devices. The Energizer Ultimate Lithium battery, for example, is designed to last 10 years, which is also how often most smoke detectors should be replaced. Just remember to set a calendar reminder for a decade from now to replace those batteries!

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.


    Zyxel urges customers to patch critical firewall bypass vulnerability

    Zyxel is urging customers to immediately patch a critical vulnerability in the vendor’s firewall software.  

    In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines. Tracked as CVE-2022-0342 and issued a critical severity score of 9.8, the vulnerability is described as an “authentication bypass” caused by the failure of a proper access control mechanism. The bug is present in a number of CGI programs embedded in the firewall software.

    “The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel says.

    The following firmware is impacted:

    • USG/ZyWALL: versions 4.20 through 4.70
    • USG FLEX: versions 4.50 through 5.20
    • ATP: versions 4.32 through 5.20
    • VPN: versions 4.30 through 5.20
    • NSG: versions 1.20 through 1.33 (Patch 4)

    Zyxel has released patches for impacted software, and users should upgrade their builds to protected versions as soon as possible. The vendor notes that after investigating the vulnerability, patches have been made available for products in their support period. Legacy product users should be aware that they may be vulnerable.

    Alessandro Sgreccia from Tecnical Service SrL, alongside Innotec Security’s Roberto Garcia and Victor Garcia, have been credited for reporting the bug.


    Government workers rely on Microsoft. That could be a security problem, Google claims

    Google Cloud has published the results of a survey that it says shows the pervasive use of Microsoft tools in government is making workers less secure. The company, via the pollster Public Opinion Strategies, asked workers about their thoughts on the US government’s reliance on Office and Microsoft’s productivity software like Word, Teams, Outlook, and OneDrive.

    Respondents were asked: “Do you believe the federal government’s reliance on products and services from Microsoft makes it more vulnerable or less vulnerable to hacking or a cyberattack?”

    The 2,600 people surveyed by Google Cloud included 600 workers from the D.C. metro area and 338 federal, state, or local government employees from across the US.

    Nationwide, 60% of government employees said the government’s reliance on Microsoft’s productivity tech does make it more vulnerable. In the D.C. metro area, 57% of government employees thought so too. Workers in general, however, were more divided on the question: 51% of all workers nationwide said it does, while 49% in D.C. thought it does.

    While the results from the survey are finely balanced, Google Cloud’s take on the results was “Government workers say Microsoft tech makes them less secure.”

    “More than half of all respondents said that the government’s reliance on these Microsoft products actually made the federal government more vulnerable to hacking or cyberattacks,” says Jeanette Manfra, Google Cloud’s senior director of global risk and compliance, in a blogpost.

    Manfra, who joined Google Cloud in 2020 after a senior role at the US Cybersecurity and Infrastructure Agency (CISA), said the US government was hobbled by legacy software and a “legacy mindset”. “Many government agencies continue to rely on the same legacy productivity software,” said Manfra.

    But Microsoft’s corporate Vice President of Communications Frank X. Shaw said it was “unhelpful” to create divisions in the security community at a time when everyone should be working together on heightened alert. “We will continue to collaborate across the industry to jointly defend our customers and government agencies, and we will continue to support the U.S. government with our best software and security services,” he said in a statement.

    The survey also asked respondents why government IT continues to rely on Microsoft, questioning them as to why their employer chooses Microsoft tools, and the responses did not suggest a huge enthusiasm for change. More than half (55%) of workers said it was because the tools are the most effective at helping them do their jobs; 45% said it was because their employer has always used those same products and services and doesn’t want to change. But Manfra says the respondents believed the choice of Microsoft had “more to do with inertia than innovation”.

    Manfra argues this trend could be leading workers to use services at work that aren’t approved by IT departments, aka “shadow IT”. Google Cloud’s survey found 35% of D.C. metro government employees have used shadow IT at work, and as many as 41% of workers aged 20 to 34 have done so. Manfra also notes the survey found that 70% of government workers use Gmail outside of work.

    Microsoft Office 365’s rival is Google Workspace, which achieved FedRAMP High authorization in November. Google also earned IL4 authorization from the Defense Information Systems Agency (DISA) in November; Microsoft points out that Office 365 is accredited to IL6.


    The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities

    The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on severe vulnerabilities impacting Rockwell Automation controllers. Rockwell Automation provides industrial digital and automation solutions, including digital twin solutions, engineering products, and factory floor optimization hardware.

    On March 31, CISA pointed customers to two recent advisories, “ICSA-22-090-05: Rockwell Automation Logix Controllers” and “ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer,” which detail severe vulnerabilities in controller products.

    The first advisory describes CVE-2022-1161, a vulnerability assigned a CVSS severity score of 10.0, the highest possible. The bug impacts a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers. According to the advisory, the vulnerability can be triggered remotely with low attack complexity. “Successful exploitation of this vulnerability may allow an attacker to modify user programs,” the US agency says. “A user could then unknowingly download those modified elements containing malicious code.”

    The second bug, tracked as CVE-2022-1159 and issued a CVSS ‘high’ severity score of 7.7, impacts Studio 5000 Logix Designer in ControlLogix, GuardLogix, and Compact GuardLogix controllers. This vulnerability requires an attacker to secure administrator access on a workstation running Studio 5000 Logix Designer first, but if they achieve this, they can inject controller code “undetectable to a user.”

    The vulnerabilities were reported by Claroty cybersecurity researchers Sharon Brizinov and Tal Keren. Claroty has compared the exploitation of these security issues to Stuxnet, as stealthy code could be operating without an engineer being aware of any tampering.

    “Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks,” the team commented. “Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered.”

    Rockwell has published two advisories on the vulnerabilities with steps toward mitigation.

    Earlier this week, the US agency added a further 66 vulnerabilities to the Known Exploited Vulnerabilities Catalog, which federal agencies are instructed to remediate. The bugs currently under active exploitation in the wild include issues in networking kits, security appliances, and browsers. In February, CISA published an online guide containing free guidance and tools on incident response. The service also includes tips for organizations looking to reduce their risk exposure.


    Australia's SkyGuardian drones shot down by spicy cybers

    The Australian government has cancelled the SkyGuardian armed drone program for the Royal Australian Air Force. The funding is being redirected to the newly announced REDSPICE cybersecurity and intelligence program.

    REDSPICE, the Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers program, is a flagship component of the federal Budget announced on Tuesday. The program aims to double the staffing levels of the Australian Signals Directorate (ASD) over the next four years, creating some 1,900 new jobs. The total program budget is AU$9.9 billion over the next decade, boosting both offensive and defensive cyber capabilities. “This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenberg.

    However, in Senate Estimates on Friday, defence officials confirmed that little of this is new money. Of the AU$9.9 billion total, only AU$4.2 billion is budgeted to be spent over the four-year forward estimates period through to 2025–2026. And of that amount, only around AU$588.5 million is new funding.

    A big chunk of the existing funding will come from the now-cancelled project AIR 7003, a planned AU$1.3 billion program to develop an armed remotely piloted aircraft system. In November 2019, the government had confirmed that defence’s preferred platform was the General Atomics MQ-9B SkyGuardian, a variant of the Predator B drone known in the UK as the Protector. AIR 7003 had been scheduled for government consideration in the current 2021-22 financial year.

    According to Asia Pacific Defence Reporter, General Atomics had proposed developing a multi-national service hub in Adelaide. “The company has probably spent around $30 million on the project over a decade and is unlikely to recover a single cent,” wrote editor Kym Bergmann. “The scant information available indicates that Defence Minister Peter Dutton has asked the Department to identify projects that need to be cancelled to free up funds to hire more personnel, particularly in support of the cyber security announcement.” According to defence officials, around AU$10 million had been spent on AIR 7003 before its cancellation.

    The remainder of REDSPICE funding comes from other cancelled projects. This includes about AU$3 billion of “both unapproved and approved” funding which had been allocated to the now-cancelled Attack-class submarines, the SEA 1000 Future Submarine Program, and around AU$236 million for “an ICT remediation project around modernisation and mobility”. Funds also come from previously planned ASD projects which have now become part of REDSPICE.

    Witnesses before Estimates on Friday morning were unable to shed any light on where the name REDSPICE came from.


    Apple updates macOS, iOS, and iPadOS to fix possibly exploited zero-day flaws

    Apple has released updates for many of its operating systems, fixing vulnerabilities that the tech giant says may be under active exploitation.

    Affecting macOS, iOS, and iPadOS is CVE-2022-22675, a bug in the audio and video decoder which allows an application to run arbitrary code with kernel privileges. The fix is contained in iOS 15.4.1 and iPadOS 15.4.1, which are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and 7th gen iPod touch. The iOS release also fixed a battery drain issue.

    The second fix, released only for macOS Monterey, was CVE-2022-22674, which allows an application to read kernel memory. “An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation,” Apple said in a typically small advisory. “Apple is aware of a report that this issue may have been actively exploited.”

    Earlier this year, Apple also released iOS 15.3.1 due to the threat of an actively exploited remote flaw. In that instance, simply visiting a web page could lead to arbitrary code execution.


    'Marvel superpower': Home Affairs wants industry to rely on its cyber powers more often

    Home Affairs Secretary Mike Pezzullo has called on the private sector to work more closely with the federal government when it comes to cybersecurity, as there is certain information that only government agencies are capable of uncovering.

    “We’ve got a superpower over here — like a Marvel superpower — that you could really use. We want to gift this to you,” said Pezzullo, who appeared before Senate estimates on Thursday night. “Sometimes we can see things they can’t see. They might see the attack coming in across their wire. We might be able to see the attacker.”

    When explaining how government cybersecurity capabilities differ from those of the private sector, such as those possessed by the Australian Signals Directorate (ASD), Pezzullo said the federal government ideally wants the private sector to receive this assistance on a partnership basis rather than on a “last resort” one.

    “It’s really about building those relationships, which are not in any way going to denigrate the professional expertise of the private sector teams. It just accepts the reality that we have access to more sensitive information,” Pezzullo said. “Once you get through some of the initial distance and you build the partnership, we want to move from a point where direct regulatory consequences are not only a last resort but almost, to an extent, a failure of the relationship.”

    During Pezzullo’s appearance before Senate Estimates, he also shared department advice regarding how organisations should approach building cybersecurity on older mainframe systems as well as what smaller businesses could do to improve their cybersecurity postures.

    “The ASD advice is very particular. It says to patch at least on — from memory — a 28-day cycle. If you can’t, mitigate it by putting sensors and cyber mousetraps around that older infrastructure,” Pezzullo told Senate estimates.

    In all instances, the Home Affairs secretary noted that the idea is to always “conform at the highest level” where possible, even if a system does not have virtualised software controls and is unable to patch quickly. Pezzullo added this is the cybersecurity protocol undertaken by Home Affairs for its older mainframe systems.

    For small to medium-sized businesses, Pezzullo said improving cybersecurity starts with the basics of investing in digital tools that integrate cybersecurity. The government has various initiatives for encouraging cybersecurity uplifts, such as allowing small businesses to deduct an additional 20% of the cost for digital business expenses like setting up cybersecurity systems, but only 25% of small businesses will likely take advantage of these initiatives offered by the federal government, according to departmental analysis.

    “As you deploy in a way that suits your company … don’t bolt on cyber as an afterthought. It’s got to be integrated,” the Home Affairs secretary said.

    Cyber is expected to be a growing focus for the Australian government, with the Coalition allocating AU$9.9 billion for bolstering cybersecurity and intelligence capabilities in its Budget earlier this week. It also appears support for bolstering the nation’s cybersecurity will be bipartisan, as Labor Party leader Anthony Albanese pledged last week to set a goal of 1.2 million tech-related jobs by 2030 if he wins the upcoming federal election.

    “Whether there is a change in government, I don’t see the cybersecurity strategies changing in the future. Both parties are committed to protecting Australia against future security risks, whether they’re physical, cyber, or space-based,” RMIT cybersecurity professor Warren said.


    Linux secure networking security bug found and fixed

    Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-27666, in IPSec’s esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.

    The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow.” Yes, yes it will. As buffer overflows always are, this is bad news.

    As Red Hat puts it in its security advisory on the bug, “This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.” This is bad enough that both Red Hat and the National Institute of Standards and Technology (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with such high scores, it’s a “Fix it now!” bug.

    Red Hat also noted that if a Linux system is already using IPsec and has IPsec Security Associations (SA) configured, then no additional privileges are needed to exploit the hole. Since almost everyone uses IPsec and SAs are essential for the network security protocol, this means pretty much everyone with the vulnerable code in their Linux distro is open to attack. Xiaochen has found that the latest Ubuntu, Fedora, and Debian Linux distros can be hacked with it. Red Hat reports that Red Hat Enterprise Linux (RHEL) 8 is vulnerable. Specifically, if your Linux kernel contains the 2017 esp6 crypto module changes from commits cac2661c53f3 and 03e2a30f6a27, it’s attackable.

    Usually, such an attack can knock a Linux system offline. Xiaochen dug into it deeper and found more. On his hunt, he found a way to get around Kernel Address-space Layout Randomization (KASLR). KASLR, as the name says, makes it harder to exploit memory vulnerabilities by placing processes at random, rather than fixed, memory addresses.

    Then, after hanging the process, an attacker can use Filesystem in Userspace (FUSE) to create his own filesystem and map memory on it. Consequently, all the reads and writes going through that memory will be handled by his own file system. Once that’s done, it’s relatively trivial to get root on the system. And, as we all know, once the attacker has root, it’s game over. The attacker’s now in charge of the computer.

    The good news is the fix is now available on Ubuntu, Debian, the Linux kernel, and most other distros. Now get patching!