More stories

  • Qualcomm chip vulnerability found in millions of Google, Samsung, and LG phones

    Millions of phones across the globe were affected by a vulnerability found within a ubiquitous Qualcomm chipset, according to researchers with Israeli cybersecurity firm Check Point.


    Check Point’s Slava Makkaveev published a blog post on Thursday highlighting a security flaw in Qualcomm’s Mobile Station Modem Interface “that can be used to control the modem and dynamically patch it from the application processor.”

    “An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations,” Makkaveev wrote. “A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device,” he added, explaining that the Qualcomm Mobile Station Modem Interface enables the chip to communicate with the operating system found within the smartphone.

    The Check Point report noted that the Qualcomm Mobile Station Modem Interface can be found in an estimated 30% of all smartphones out in the world today. Thankfully, Check Point notified Qualcomm of the vulnerability in October; Qualcomm tracked it as CVE-2020-11292 and labeled it a “high rated vulnerability.” Patches were sent to smartphone makers in the fall of 2020, according to a Qualcomm statement sent to multiple outlets including The Record and Bleeping Computer.

    The chip has been in cellphones and smartphones since the 1990s and has been continuously updated over the years to support the transitions from 2G to 3G, 4G, and now 5G. Samsung, Xiaomi, Google, and OnePlus are just a few of the smartphone brands leveraging the chip.

    Setu Kulkarni, vice president of strategy at WhiteHat Security, said this was one of many examples of the “supply chain” nature of the problem plaguing mobile phone vendors, Qualcomm, the Android OS, and the apps on the Play Store. “Making it all work together requires careful synchronization in terms of versions and supported capabilities between the mobile phones, the chipset, the OS, and the apps — and that’s where the cracks are for vulnerabilities to slip through,” Kulkarni said. “Especially since there is no one throat to choke in these kinds of issues.”

    Even though Qualcomm has patched the issue, Kulkarni questioned who is holding the other parties in the ecosystem to account for the issue. The proliferation of Android-based devices presents a scalability challenge to deploy the fix, and at the same time the end users are completely unable to understand the issue, Kulkarni added. “Which customer will understand the issue in the chipset? One may wonder, is that why Apple is increasingly becoming a closed ecosystem? With control over the device, the chipset, the OS, and the highly regulated App Store — does Apple stand a better chance to protect its customers in such events? Time will tell,” Kulkarni explained.

  • Cisco publishes solutions to SD-WAN and HyperFlex software security vulnerabilities

    Cisco released software updates this week addressing multiple vulnerabilities the company says “could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.”

    A variety of security lapses were found in Cisco’s SD-WAN vManage Software and in the web-based management interface of HyperFlex HX, all of which required software updates. Cisco said in a statement that there were no workarounds that address these vulnerabilities.

    The company published detailed breakdowns of each vulnerability, highlighting specific issues revolving around SD-WAN vManage Cluster Mode Unauthorized Message Processing, Privilege Escalation, Unauthorized Access, vManage Denial of Service, and Unauthorized Services Access. The vulnerabilities allow authorized and unauthorized users to send unauthorized messages to the vulnerable application, gain elevated privileges, make application modifications, or cause a DoS condition on affected systems. Software updates were also released to address security gaps with Cisco’s HyperFlex HX Installer Virtual Machine Command Injection and the Data Platform Command Injection.

    Cisco’s Product Security Incident Response Team said it was not aware of any “malicious use of the vulnerabilities” yet for either product. Many of the vulnerabilities listed only affect Cisco SD-WAN vManage Software that is operating in a cluster; users can determine whether their software is operating in cluster mode by checking the Administration > Cluster Management view in the Cisco SD-WAN vManage web-based management interface.

    The company has sent out multiple updates to address new vulnerabilities over the past few months. Oliver Tavakoli, CTO at cybersecurity firm Vectra, said the drumbeat of vulnerability disclosures against Cisco’s SD-WAN product line actually has a silver lining: most of the reported vulnerabilities are being discovered by Cisco engineers during what appears to be a period of concentrated security testing.

    “While we all want perfect software, vendors who find and fix security vulnerabilities before in-the-wild exploits against them are reported should be encouraged to continue on this journey. The key measure of success will ultimately be when high and critical vulnerabilities for this product line gradually slow to a trickle,” Tavakoli said.

    JupiterOne CMO Tyler Shields noted that there has been a recent spike in exploit disclosure for SD-WAN, VPN, and other network-based technologies. He said this is due, in part, to the impact of the pandemic and an increase in network requirements for remote offices and work-from-home scenarios. Shields added that discovery of exploits tends to cluster over time and said he expects additional network technology-based exploits to be disclosed as hackers continue to target those types of devices.

    Dirk Schrader, global vice president of security research at New Net Technologies, echoed those remarks, telling ZDNet that because of their importance to the infrastructure, networking devices are, by nature, prime targets for cyber-criminals. “Given the criticality of those vulnerabilities now patched by Cisco, it will be just a matter of time until the patch cycle race once again distinguishes between those ahead of the curve and those behind,” Schrader said. “Running a full-scale vulnerability scan on the organization’s infrastructure, both from an external point as well as from an internal one, is necessary to be ahead.”

  • NSW readies its own data breach notification scheme for state agencies

    The New South Wales government is preparing a new Bill that will require public sector and state-owned entities to report a data breach to the Privacy Commissioner as well as any affected individuals.

    The Privacy and Personal Information Protection Amendment Bill 2021 aims to strengthen privacy protection in NSW and extends the federal breach reporting requirements mandated by the Notifiable Data Breaches (NDB) Scheme, which came into effect in February 2018.

    The NDB scheme requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

    The proposed NSW mandatory notification of data breach (MNDB) scheme shares the same notification threshold as the NDB scheme, but differs in application and enforcement. Although the NDB scheme has coverage Australia-wide, the NSW scheme aims to fill the gap it leaves regarding state entities.

    “Any mandatory data breach notification scheme introduced in NSW would be designed to complement the existing Commonwealth Notifiable Data Breach (NDB) Scheme under the Privacy Act, particularly in areas of jurisdictional overlap,” the Information and Privacy Commission New South Wales said previously.

    The draft exposure Bill [PDF] proposes to establish an MNDB scheme to require public sector agencies bound by the NSW Privacy and Personal Information Protection Act 1998 (PPIP Act) to notify the Privacy Commissioner and affected individuals of data breaches of personal or health information which are likely to result in serious harm. It also applies the PPIP Act to all state-owned corporations that are not regulated by the Privacy Act.

    “The MNDB scheme will require public sector agencies to notify the Privacy Commissioner and affected individuals if a data breach affecting personal or health information that is likely to result in serious harm occurs,” the fact sheet [PDF] details. “The MNDB scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.”

    The state government said a mandatory scheme is being proposed to improve agency data management, reduce underreporting, and reduce the occurrence of data breaches that cause serious harm. “Mandatory schemes enable individuals to take action to protect themselves in the event of breaches, and can increase public trust in government,” it adds.

    As detailed in January, in 2019-20 the commission received 41 voluntary breach notifications. State government was accountable for 28, local government for 10, and public universities for three.

    The proposed MNDB scheme requires an agency to contain and assess a suspected data breach to determine whether it is an eligible breach under the scheme, and, if so, to notify the Privacy Commissioner and any affected individuals. It specifies the timeframes in which an agency must assess a data breach, notify the Privacy Commissioner, and notify affected individual/s of the breach. Agencies will also have other information handling requirements, including maintenance of an internal data breach incident register and creation of a publicly accessible data breach policy. The scheme will permit limited information sharing — such as contact details and dates of birth and death of the affected individual — between agencies for the purpose of notifying affected individual/s of an eligible data breach.

    In the notification, it is anticipated the entity will be required to provide a description of the breach, including when and how it occurred, what data was affected, how long the data was affected, and what type of breach it was, such as loss, disclosure, or unauthorised access. It will also contain detail of what the agency is doing to control or reduce the harm. Additionally, the entity will be required to provide recommendations to affected individuals about the steps they should take to minimise the impact of the breach, as well as their right to seek an internal review. The agency will not be allowed to make reports anonymously to the commissioner, and it must list any other affected agencies.

    Peripheral information the commissioner would like to receive includes whether it was a cyber incident, the estimated cost of the breach to the agency, the total number, or estimated total number, of individuals affected or likely to be affected by the breach, and whether they have been notified.

    There are exemptions to the proposed scheme, such as where notification would prejudice law enforcement activities, where the exception would prevent or reduce a serious risk to an individual’s health or safety, where the notification is likely to result in more breaches or deteriorate the agency’s cybersecurity, and where the agency has remedied the harm of the breach successfully, for example, if an email was sent to the incorrect recipient but was recalled successfully and deleted prior to the recipient opening the email. A further exception applies where notification to the commissioner would contravene a secrecy provision contained in other legislation.

    The proposed MNDB scheme would grant the commissioner new powers regarding the MNDB scheme, including to enter premises and inspect anything that may relate to compliance with the MNDB scheme. They will also be given powers to conduct audits in relation to the MNDB scheme and produce a report to the head of agency and responsible minister.

    Following public consultation, which closes 18 May 2021, it is anticipated that a Bill will be introduced in the NSW Parliament before the end of the year. If passed, the MNDB scheme will commence 12 months following the passage of legislation.

  • Android developers will need to add iOS-like privacy information soon

    Google will follow in the footsteps of Apple and is set to introduce privacy information requirements for developers that publish apps in its Play Store. The company said in a blog post that developers will need to state what data is collected and stored, such as location, contacts, name, email address, and types of files stored; how the data is used, such as whether it changes app functionality or personalisation; which security practices, such as encryption, the app uses; and whether the app follows Google’s families policy. App makers will also need to state whether apps need the data to function, whether users have a choice in sharing it, and whether users can request data deletion upon uninstalling an app. Google said it will additionally require developers to declare if the stated privacy information is verified by an independent third party.

    The company added that the onus will be on developers to be truthful, and if they are found to be telling fibs, they could be “subject to policy enforcement”. “All apps on Google Play — including Google’s own apps — will be required to share this information and provide a privacy policy,” the company said.

    Google also laid out a timeline for these requirements: the new policy is set to appear in the next quarter, and developers will be able to voluntarily disclose the privacy information in the final quarter of 2021. Users will be able to view the information in the first quarter of 2022, before the hard requirement lands in the second quarter of 2022.

    At the end of last year, Apple began to publish privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS. Google notoriously took a long time to begin publishing iOS privacy summaries.

  • Best security system in 2021: Secure your home or business


    You don’t need to spend a fortune on making your home office secure, and thanks to mobile technology, our options now go far beyond a locked door and window fastenings. Smart video doorbells that record both video and audio feeds in real time when you have a visitor; motion and sound sensors that can be used inside and outside; digital door locks; cameras with excellent night vision — the range of products that leverage mobile connectivity, apps, and Internet of Things (IoT) sensors is endless.

    That is not to say that all smart home security products are created equal, and not every home needs all the bells and whistles when it comes to security — sometimes, a few select pieces can create a home ecosystem that is enough to protect your home (and office) against intruders, as well as alert you when suspicious activity is detected.

    It is also worth noting that any device with connectivity may itself contain vulnerabilities that could be exploited — and may endanger its users’ privacy as a result — so when you pick an IoT device vendor, it should be one that maintains a frequent security program and patch cycle. ZDNet has created a list of recommendations suiting a variety of budgets and setups to help homeowners and remote workers decide how best to protect their properties, ranging from full kits to useful window sensors and cameras suitable for use both indoors and outdoors.

    Smart video doorbell

    A smart video doorbell is one of those products that you didn’t realize could be a great addition to daily life until you invest in one. It may seem like overkill to go for a doorbell with Internet connectivity, video and audio feeds, and the ability to check in remotely, but once you get used to the convenience of being able to chat to visitors and delivery staff no matter where you are, you can see their value. Convenience, however, is just one benefit, as these types of products can be a useful security addition, too: you can clearly see visitors before opening the door, and deter potentially unwanted ‘visitors’ checking out your home.

    Currently on sale at $169.99, the Ring Video Doorbell Pro is one product for consideration. The hardwired doorbell is able to record 1080p HD footage with two-way talk, and also comes with infrared night vision, sensors, and customizable ‘zones’ for motion detection alerts. Compatible with iOS, Android, Mac, and Windows 10, users can check in on their doorbell at any time. Live view is free, but continual recording requires a subscription.

    Pros:
      • Useful for security and convenience when it comes to visitors and deliveries
      • Reliable and a modern design

    Cons:
      • You need to buy a separate, traditional ‘Chime’ accessory for a traditional sound alert
      • Needs either frequent battery charging or a hardwired power source

    Full, customizable smart home security system

    If the Ring ecosystem appeals to you, Ring also offers a full smart home security system that can be customized depending on the property and the user’s wishes when it comes to security. You can create your own security system by combining elements including home alarms, motion sensors, window and door contact sensors, keypads, a smart doorbell, panic buttons, and both indoor and outdoor cameras. Ranging in price from single $19.99 window sensors to a robust security package costing hundreds of dollars, the Ring range considers every point of entry into a home, whether you live in a small condo or a large house with extensive grounds.

    Pros:
      • You can tailor your home security and tackle any areas of real concern by choosing each product separately and bringing them into one network
      • Easy installation
      • You can hand over monitoring to a professional as an optional add-on

    Cons:
      • A full package can prove to be expensive
      • Some users do not find the siren to be as loud as they would like

    Standalone security camera that plugs into an outlet

    For do-it-yourself types who want a few security gadgets but not an entire setup, Google’s Nest Cams are worth considering. Nest Cam Indoor products are standalone security cameras that plug into an outlet. Once connected to the Nest mobile app, users are sent alerts when motion is detected, and it is also possible to tap into the camera at any time to see what is going on at home. Built-in speakers and a microphone are included. Event-based or continual recording is on offer, and for free, snapshots taken over a three-hour time period are saved and viewable. A subscription option for 24/7 recording and storage is also available. Outdoor alternatives are on sale for $199.

    Pros:
      • Stylish and discreet
      • Night vision is a useful addition if you are away from home

    Cons:
      • Pets may trigger the camera by accident in the home
      • A subscription is required for premium features


    Includes Nest Guard, an alarm, keypad, and motion sensor

    If your smart home is making use of the Nest ecosystem and already includes products such as Google Home or Nest fire or CO2 alarms, the Secure package could be of interest to bolster home security. The $399 Nest Secure (currently on sale at Lowe’s) includes Nest Guard, an alarm, keypad, and motion sensor; two Nest Detect sensors suitable for monitoring doors, windows, or entire rooms; two open/close magnets for doors or windows; two Nest tags that are used to enable or disable alarms quickly; and mounting brackets.

    The Nest Detect sensors are able to detect motion and sound, and can also be set to chime when a door or window is opened — a useful feature if you have young children at home. A limited free option is available, alongside a feed monitoring and storage subscription. As Secure products are compatible with Google’s overall IoT ecosystem, users can ask their assistant to arm or disarm the Nest alarm remotely, and if the system thinks you have left home without arming, a reminder can be sent to your smartphone.

    Pros:
      • Versatile accessories in one kit that are enough to guard your average home’s entry points

    Cons:
      • Only compatible with Google Home and not Amazon Alexa or Apple’s HomeKit

    Includes motion sensor, entry sensor, panic button, and a key fob

    For hunters of a full security system without a long-term subscription, SimpliSafe’s home security system should be considered. SimpliSafe offers a $160 entry-level kit containing a motion sensor, entry sensor, panic button, and a key fob, which can be customized to include additional products such as a siren, video doorbell, glass break sensor, or smoke, water, and CO2 sensors. The Wi-Fi-connected system has a backup battery in case of a power outage, and the vendor maintains six monitoring centers to keep an eye on homes within the network — with operators alerting the police even if the devices are damaged by intruders. SimpliSafe offers a variety of subscriptions and accounts for over three million users in the United States.

    Pros:
      • No contract or long-term subscription required
      • Can be extended with sirens, water damage sensors, fire alarms

    Cons:
      • Expensive to set up beyond the entry kit


    Includes motion sensors, key fobs, and a camera

    Another popular option on the market is Honeywell’s home security kit. The bundle contains a selection of motion sensors, key fobs, and a camera able to record visual and audio footage in 1080p HD video. Night vision is also included. Honeywell’s security system can be set to automatically arm itself when you leave home, and if you forget to shut a window or door where a sensor is installed, for example, you can be sent alerts about the oversight. A key selling point of this option is versatility, as the security system can be set up to operate in existing IoT setups offered by various vendors. Amazon’s Alexa voice assistant is built in to accept commands.

    Pros:
      • 1080p night vision camera
      • Compatibility with Alexa assistant built in
      • Extendable with multiple sensors

    Cons:
      • The design won’t appeal to everyone

    Includes hub, a motion sensor, door sensor, and a keyfob

    Abode’s offering is a budget-friendly package that comes with an Abode hub, a motion sensor suitable for entryways or specific rooms, a small window or door sensor, and a keyfob for quickly arming or disarming the system. Users can install the system themselves and connect the hub to their mobile device, as well as control their kit through Amazon Alexa, Google Assistant, or Apple HomeKit. If you want to extend your security system further, additional Abode sensors and cameras can be added to the network. A basic, free plan or a more extensive subscription is available.

    Pros:
      • Smart assistant support
      • Affordable
      • Cellular backup options available in case of internet failure (subscription)

    Cons:
      • Additional accessories, such as door and window sensors, are expensive


    Monitor the lock status of a door

    An additional component you might want to consider for your home security setup is a smart lock. An alternative to a traditional deadbolt, a lock such as the August Wi-Fi Smart Lock, available in black and silver, connects to a user’s mobile device or Alexa assistant to monitor the lock status of a door. You do not need to replace your existing lock-and-key setup; instead, you attach the smart lock to a deadbolt. It is possible to set up the product to automatically detect when you come home and unlock the door, and in the same way, auto-lock when the door closes. If you want to grant others access to your home, “secure keys” can be sent to their mobile devices via the August app. However, it is worth noting that this smart lock requires a 2.4GHz Wi-Fi network. The August Wi-Fi Smart Lock is currently on sale for $202.

    Pros:
      • Useful for visitors that you want to grant access to remotely
      • Heightened security for your door

    Cons:
      • The setup process can be arduous
      • Some users have reported issues with smart assistant integration

    Why are sensors important in a home security product?

    Sensors are the key ingredient in effective, discreet home security. There are many different kinds of sensors that are utilized in Internet of Things (IoT) products, including infrared, magnetic, audio, and motion, and each use depends on the type of security product involved. For example, motion sensors are used for video doorbells and both indoor and outdoor cameras — and heat sensors may also be thrown into the mix — whereas door and window products may use a combination of motion and magnetic sensors to detect unauthorized entry.

    Do you need an internet connection?

    When it comes to today’s smart, connected, IoT home security systems, the answer is usually yes. In comparison to business security offerings that are often monitored remotely, the central focus of home systems is to give the user power and visibility — and this generally requires internet connectivity and a mobile device.

    Do you need a subscription?

    Subscriptions aren’t compulsory when you buy a home security solution. In many cases, ‘basic’ setups will ping alerts to your handset when a sensor detects activity, allowing you to check your home in real time — but will not necessarily keep any feeds or recordings for a long duration. It is worth signing up for a subscription if you want to make sure you have access to past event feeds. In addition, subscription services will usually sweeten the pot with additional layers of security such as automatic emergency calls and multiple device monitoring.

    Which security system is right for you?

    Unlike a business premises, a home does not require its owner to spend a fortune in order to adequately protect their assets. Instead, a few products that have been carefully selected and placed in weak spots or entry points — including a front porch, garden, or close to ground floor windows — can be all that is needed: a camera or two, preferably with night vision, sensors monitoring windows, and, perhaps, a video doorbell or smart lock to protect your front door. Larger properties can benefit from additional security components linked to the same network, but in either case, today’s smart home security products can give you peace of mind both inside and outside the house.

    Many of us have been working from home during the pandemic, but as things begin to unlock and we do spend more time away from our residences, now may be the time to consider a security option that is right for you.

    Our selection process

    We wanted to consider as many security angles to protecting a home and home office as possible. Entry points including windows and doors can be protected through smart door locks, sensors, and cameras, and should an intruder manage to get into a property, monitoring systems that send alerts to homeowners can make all the difference between perpetrators being caught or getting away with their actions.

  • Cloudflare surges as Q1 revenue tops expectations, outlook higher as well

    Network security and content delivery network provider Cloudflare this afternoon reported Q1 revenue that topped expectations, profit in line with Wall Street’s forecast, and an outlook for this quarter’s and the full year’s revenue that was higher as well. The report sent Cloudflare shares up by 6% in late trading.

    CEO and co-founder Matthew Prince noted the company had a “record-setting start to the year,” citing revenue growth but also the company’s retention rate among its customers of 123%. “We crossed 4 million total customers, and our large customer count was up 70% year-over-year, accounting for more than half of our total revenue,” said Prince. Added Prince, “We delivered terrific financial results while also investing in innovation, the fuel our engine runs on. Firing on all cylinders, we’ve already announced or delivered more than 100 products and capabilities this year. There’s no slowing down as we continue to deliver business-critical offerings and displace point solutions with Cloudflare’s robust global network.”

    Revenue in the three months ended in March rose 51%, year over year, to $138.1 million, yielding a net loss of 3 cents a share, excluding some costs.

    Analysts had been modeling $131 million and negative 3 cents per share.

    For the current quarter, the company sees revenue of $145.5 million to $146.5 million, and net loss per share in a range of 3 cents to 4 cents. That compares to consensus for $139 million and a 3-cent loss per share.

    For the full year, the company sees revenue in a range of $612 million to $616 million, and EPS of $TK to $TK. That compares to consensus of $593 million and a 9-cent loss per share.


  • Millions of older broadband routers have these security flaws, warn researchers

    Millions of users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for hackers.
    Millions of households in the UK are using old broadband routers that could fall prey to hackers, according to a new investigation carried out by consumer watchdog Which? in collaboration with security researchers. After surveying more than 6,000 adults, Which? identified 13 older routers that are still commonly used by consumers across the country, and sent them to security specialists from technology consultancy Red Maple Technologies. Nine of the devices, it was found, did not meet modern security standards.  Up to 7.5 million users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for malicious actors to spy on people as they browse, or to direct them to spam websites. 

    One major issue concerns the lack of upgrades that older routers receive. Some of the models that respondents reported using haven’t been updated since 2018, and even in some cases since 2016.  The devices highlighted for their lack of updates included Sky’s SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk’s HG523a, HG635, and HG533. Most of the providers, when they were contacted by Which?, said that they regularly monitor the devices for threats and update them if needed.  Virgin dismissed the research, saying that 90% of its customers are using later-generation routers. TalkTalk told ZDNet that it had nothing to add to the release. 

    The researchers also found a local network vulnerability with EE’s Brightbox 2, which could let a hacker take full control of the device.  An EE spokesperson told ZDNet: “We take the security of our products and services very seriously. As detailed in the report, this is very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. (…) We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update.” In addition, BT Group – which owns EE – told Which? that older routers still receive security patches if problems are found. Red Maple’s researchers found that old devices from BT have been recently updated, and so did routers from Plusnet. The consumer watchdog advised that consumers who are still using one of the router models that are no longer being updated ask their providers for a new device as soon as possible. This, however, is by no means a given: while Virgin Media says that it gives free upgrades for customers with older routers, the policy is not always as clear with other providers. “It doesn’t hurt to ask,” said Hollie Hennessy, senior researcher at Which?. “While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.” For consumers whose contracts are expiring soon, Hennessy suggested asking for a new router as a condition to stick with a given provider – and consider switching if the request is not met. Weak passwords remain a top concern On top of being denied regular updates, many older routers were also found to come with weak default passwords, which can be easily guessed by hackers and grant an outsider access.  This was the case of the same TalkTalk and Sky routers, as well as the Virgin Media Super Hub 2 and the Vodafone HHG2500. 
The first thing to do, for consumers who own one of these models, is to change the password to a stronger one instead of keeping the default, said Which?. The organization is in fact calling for the government to ban default passwords and to prevent manufacturers from allowing consumers to set weak passwords, as part of new legislation proposed last month. As part of an effort to make devices “secure by design”, the UK’s Department for Digital, Culture, Media and Sport has announced a new law that will stop manufacturers from using default passwords such as “password” or “admin”, to better protect consumers from cyberattacks.

The future law would also make it mandatory to tell customers for how long their new product will receive security updates. In addition, manufacturers would have to provide a public point of contact to make it easier to report security vulnerabilities in their products.

In a similar vein, Which? called for more transparency from internet service providers. The organization said that providers should be more upfront about how long routers will receive firmware and security updates, and should actively upgrade customers who are at risk. Only Sky, Virgin Media and Vodafone appear to have a web page dedicated to letting researchers submit vulnerabilities they have found in the companies’ products, according to Which?.
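The two rules the proposed law describes (no factory defaults such as “password” or “admin”, and no acceptance of weak passwords) map onto a simple device-side policy. The following is an added example written for this article; it is not code from Which?, Red Maple, the DCMS proposal or any router vendor. The default list, the length and entropy thresholds, and the device inventory it audits are all constructed assumptions, and the entropy estimate is the naive brute-force measure, which is why known defaults are checked separately rather than relying on entropy alone.

```python
"""Device-side password policy check for a router admin account.

Added illustration, not vendor code. KNOWN_DEFAULTS, MIN_LENGTH and
MIN_ENTROPY_BITS are assumed policy values, not any manufacturer's settings.
"""

import math
import re
from dataclasses import dataclass

# Constructed list of typical factory defaults (assumption, not a vendor list).
KNOWN_DEFAULTS = {"password", "admin", "root", "1234", "12345678", "letmein", "changeme"}

MIN_LENGTH = 12           # assumed minimum length for a new admin password
MIN_ENTROPY_BITS = 50.0   # assumed minimum brute-force entropy
MIN_DISTINCT_CHARS = 4    # rejects padding like "aaaaaaaaaaaa"


@dataclass
class Verdict:
    accepted: bool
    reason: str


def _charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Naive estimate: log2(charset ** length).

    Overestimates dictionary words and defaults, so those are rejected by
    the explicit checks in check_password() before entropy is consulted.
    """
    size = _charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def still_on_default(configured: str, factory_default: str) -> bool:
    """True if the device has never been moved off its factory password."""
    return configured.strip().lower() == factory_default.strip().lower()


def check_password(candidate: str, factory_default: str) -> Verdict:
    """Decide whether a candidate admin password may be set on the device."""
    if still_on_default(candidate, factory_default):
        return Verdict(False, "still set to factory default")
    if candidate.lower() in KNOWN_DEFAULTS:
        return Verdict(False, "matches a well-known default password")
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if len(set(candidate)) < MIN_DISTINCT_CHARS:
        return Verdict(False, "too few distinct characters")
    bits = estimated_entropy_bits(candidate)
    if bits < MIN_ENTROPY_BITS:
        return Verdict(False, f"estimated entropy {bits:.1f} bits below {MIN_ENTROPY_BITS}")
    return Verdict(True, "ok")


def audit_inventory(inventory) -> list:
    """Return the models in a (model, configured_pw, factory_default) list that
    are still running on their factory default. The inventory is constructed
    sample data supplied by the caller, not a real scan."""
    return [model for model, configured, default in inventory
            if still_on_default(configured, default)]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical models and passwords).
    sample = [
        ("router-A", "admin", "admin"),
        ("router-B", "Correct-Horse-Battery-42", "admin"),
        ("router-C", "PASSWORD", "password"),
    ]
    print("Still on default:", audit_inventory(sample))
    for pw in ("admin", "Password1!", "aaaaaaaaaaaa", "Correct-Horse-Battery-42"):
        v = check_password(pw, "admin")
        print(f"{pw!r}: accepted={v.accepted} ({v.reason})")
```

The order of the checks matters: `aaaaaaaaaaaa` passes the length and even the naive entropy test (twelve lowercase characters estimate to about 56 bits), so the distinct-character rule has to run before entropy is trusted.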

    Google is going to start automatically enrolling users in two-step verification

Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification — the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach. May 6 is “World Password Day”, which is largely about making people less reliant on passwords for securing online accounts. Google’s contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication. Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV), but soon it will be enrolling users automatically. “Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup),” Mark Risher, director of product management in Google’s Identity and User Security group, notes in a blogpost. “You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious,” he says. That second factor, be it a security key or a smartphone, means that someone in possession of your username and password — in most cases — can’t log into your account unless they also have physical access to your device.

Google has refined its processes over the years to make 2SV less of an obstacle, but it can still be fiddly if you change your mobile phone number. Today, after signing in with a username and password, users who have enrolled in 2SV get a code via SMS, voice call or the Google app. The other option is a security key such as Google’s Titan key. Google has also built security-key functionality into Android phones and last year delivered the same capability for iPhones via its Smart Lock app for iOS. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” notes Risher.

Passwords, unfortunately, are still rife some 17 years after Microsoft co-founder Bill Gates predicted they would one day disappear. Since then the world has only seen a proliferation of new username and password combinations, but two-factor authentication is now more widely adopted and supported in online consumer services and in the enterprise. Multi-factor authentication does work: according to Microsoft, 99.9% of the compromised accounts it tracks every month did not use multi-factor authentication.

Microsoft has also been doing its bit in tackling outdated password policies that lead to people choosing bad passwords. Two years ago it changed a Windows 10 security baseline that until then recommended enterprise users change their password every few months. “Periodic password expiration is an ancient and obsolete mitigation of very low value,” Microsoft declared at the time.

Google’s other key password assistant is the built-in password manager in Chrome. Apple offers the same feature in its Safari browser. Risher also points to an experimental feature in Chrome called “password import”, recently spotted by The Verge, which lets users import passwords from a CSV file.