Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on GitHub.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

Frequent password changes don’t necessarily improve security

Lorrie Cranor, chief technologist at the US Federal Trade Commission, recently made news by warning that frequent password changes may actually reduce security.

This does not mean that you should stop changing your passwords. Cranor is actually referring to the enforced password change policy in place at many organizations. When users are forced to change their passwords at regular intervals (e.g. every 60 days), they tend to use patterns, like incrementing a number at the end of a password.

Related research shows that once common patterns are allowed for, password cracking success rates increase markedly. You can be sure that the people writing password cracking software know about this as well.

When you change your passwords (whether enforced or not), don’t use a simple variation of the previous password. Instead, think of an entirely new one, or use one of the many excellent password database programs and services to generate one.
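The predictable-variation problem described above, as an added example (not from the original post): a small check that flags a new password that is only a tweak of the previous one, whether the trailing number was bumped, the case changed, or a character or two was appended. The edit-distance threshold is a tunable chosen for this example.

```python
import re

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and
    substitutions needed to turn `a` into `b` (iterative two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]

def stem(pw):
    """Password with any trailing run of digits removed: 'Summer07' -> 'Summer'."""
    return re.sub(r"\d+$", "", pw)

def is_trivial_variation(old, new, max_edits=2):
    """True when `new` is the kind of predictable tweak of `old` that the
    research warns about: identical ignoring case, the same stem with a
    different trailing number (Summer07 -> Summer08), or within `max_edits`
    single-character changes (Summer2016 -> summer2016!).
    `max_edits` is an assumed policy value, not from the article."""
    o, n = old.casefold(), new.casefold()
    if o == n:
        return True
    # An all-digit password has an empty stem; skip the stem rule then.
    if stem(o) and stem(o) == stem(n):
        return True
    return edit_distance(o, n) <= max_edits

if __name__ == "__main__":
    # Constructed sample rotations, as a user might submit them.
    for old, new in [("Summer07", "Summer08"),
                     ("Summer2016", "summer2016!"),
                     ("Summer07", "correct horse battery staple")]:
        verdict = "rejected" if is_trivial_variation(old, new) else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The comparison is only possible at the moment of change, when the user supplies both the old and the new password; it never requires storing old passwords in a recoverable form.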

Firefox 48

There’s a lot to talk about with the release of Firefox 48. Of course, this being Mozilla, nothing is straightforward.

Process separation

One of the most important new features in Firefox 48 is process separation (aka Electrolysis, aka e10s), whereby Firefox is split into separate processes, instead of running as a single process. The idea is to improve stability, responsiveness, and security. According to Mozilla: “Users should experience a Firefox that is less susceptible to freezing and is generally more responsive to input, while retaining the experience and features that users love.”

Here’s what the release notes have to say about it: “Process separation (e10s) is enabled for some of you. Like it? Let us know and we’ll roll it out to more.” What does this even mean? How do I know if process separation is enabled in my copy? What’s the difference between Firefox 48 with process separation enabled and with it disabled? How can I provide feedback on something if I don’t even know for sure I’m seeing it? If it’s not enabled in my copy, how will Mozilla ‘roll it out’ to me?

A separate Mozilla blog post answers some of these questions. Process separation will be enabled gradually in a series of Firefox releases, starting with 48 and continuing with 49. You can determine whether e10s is enabled in your copy of Firefox by entering “about:support” into the URL bar, and looking at the ‘Multiprocess Windows’ line.

A post on Asa Dotzler’s blog provides a few more answers, including this: “The groups that will have to wait a bit for E10S account for about half of our release users and include Windows XP users, users with screen readers, RTL users, and the largest group, extension users.” In case you were wondering, Asa Dotzler is the Participation Director for Firefox OS, Mozilla Corp.

Improved download security

With version 48, Firefox has beefed up security related to downloads. Actually, it’s more accurate to say that Google added features to its Safe Browsing service, which Firefox uses. Those new features include checking for ‘Potentially Unwanted Software’ and ‘Uncommon Downloads’. The changes are described in another Mozilla post. Unfortunately, this post is poorly worded, making the new features sound as if they watch what a downloaded software installer is doing. In fact, Firefox just checks downloads against a list of known bad or ‘uncommon’ installers (provided by Google) and warns the user if one is encountered. The new features can be disabled in Firefox’s options.

New restrictions for add-ons

Firefox add-ons that have not been approved by Mozilla will no longer work with Firefox 48. Add-ons are a major source of instability and security issues in Firefox, and while this change will be inconvenient for people who use add-ons that have not been verified and signed by Mozilla, it’s definitely a step in the right direction.

Security vulnerabilities fixed

At least twenty-three security issues were fixed in Firefox 48. That means this is an important update; if you use Firefox, you should upgrade to version 48 as soon as possible. If the new features in Firefox 48 are a problem for you, then it’s time to look at alternatives like Opera and Chrome.

Other notable changes

The address (URL) bar now expands to the width of the screen when you’re typing in it. More matches are shown when you enter text in the address bar, and any that are already bookmarked will show an icon.

Improvements to bookmarks and history: Firefox 48 merges “your Reading Lists into Bookmarks and your Synced tabs into the History Panel. This change means your reading list items will now be available across devices alongside your bookmarks, giving you easier access to your content no matter what device you’re using, which is a major upgrade for those of you using Firefox across devices.”

Opera 39 released

A new version of the Opera web browser makes improvements to the video pop-out feature, adds a news reader, and adds customizable block lists to the integrated ad blocker.

The context menu that appears when right-clicking selected page text now includes more useful options. Opera’s memory footprint has been improved with version 39.

The Opera 39 announcement doesn’t include a link to the change log, so I had to go hunting for it on the Opera web site. Eventually I found it on the Opera desktop blog. Note that while many of the entries in the change log refer to unreleased, developer or beta versions, all of the changes described apply to the newly-released version, 39.0.2256.42.

Meanwhile, other Opera web resources have disappeared (Unified change logs for Opera), and others include no mention of Opera 39 (Opera for Windows change log). That’s just sloppy.

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.

New restrictions for Windows 10 Pro version

When it became clear that Microsoft intended Windows 10 to be an advertising platform, I wondered how they would sell it to business and education customers (see my Windows 10 review). I doubted that anyone would allow Windows 10 into the workplace unless the advertising and related privacy-compromising instrumentation could be disabled.

It wasn’t long before we started seeing tools and techniques for turning off these undesirable features, and Microsoft even provided some of their own, in the form of Group Policy settings.

The Group Policy editor is included with all versions of Windows 10 except Home. It makes the job of managing Windows settings easier for system administrators, since the alternative is editing the Windows registry.

So the answer to my question about disabling unwanted Windows 10 features for business customers would be Group Policy. Which is okay, but doesn’t help anyone using the Home version. Which is one reason why I tell people to avoid Windows 10 Home. Unless you’re on a tight budget, and don’t mind seeing advertising in your O/S, Windows 10 Professional is highly recommended for personal use.

So: get Windows 10 Pro, disable all the unwanted advertising and privacy-related settings, and you’re good to go, right? Not so fast.

The folks over at GHacks recently confirmed that Microsoft will lock down Group Policy in the Pro version of Windows 10 with the upcoming anniversary update. Many of the more annoying features will still have visible settings in the Group Policy editor, but changing them will have no effect. Even changing the corresponding settings in the registry apparently won’t work.

Microsoft’s message to the world seems to be “Okay, you don’t want us to advertise and track your users in Windows 10 in the workplace, so we’ll give you some tools to turn those features off. But we’ll be damned if we’ll let anyone else (i.e. Home and Pro users) turn that stuff off.”

To which my response is: “Dear Microsoft: Screw you. I won’t buy Windows 10. I won’t use Windows 10. I will tell anyone who cares to listen that they should avoid Windows 10 like they would Ebola. I will use Windows 7 and 8.1 until you abandon them, and then switch to Linux.”

There’s more over at BetaNews.

Windows 10 Insider Preview Build 14393

According to the announcement, Windows 10 Insider Preview Build 14393 consists of bug fixes and reliability improvements. Which is a good thing, because according to several sources, build 14393 is what Microsoft will use for the Windows 10 anniversary update.

The anniversary update will become available on August 2, and will be available for free for anyone already running Windows 10 or on the Insider Preview program. If you want it for free and you’re not yet running Windows 10, you have until tomorrow (July 29) to upgrade your Windows 7 or 8.1 computer.

Ars Technica: Windows 10 Anniversary Update is ready to go and free for just a few more days

The Verge: Windows 10 Anniversary Update: the 10 best new features

Free Windows 10 upgrade offer ending soon

If you want to take advantage of Microsoft’s free Windows 10 upgrade offer for Windows 7 and 8.1, time is running out. The offer will end on July 29.

Of course, there’s nothing particularly compelling about Windows 10. Unless you’re excited by the idea of seeing advertising in Windows. Or happy that (by default) Microsoft will track your Windows 10 activity.

Both Windows 7 and Windows 8.1 are still excellent operating systems. Windows 7 will be supported by Microsoft until January 14, 2020. Windows 8.1 will be supported until January 10, 2023. That means Microsoft will continue to develop (and make publicly available) security updates until 2020 for Windows 7 and 2023 for Windows 8.1.

Ransomware update

Ransomware has been in the news a lot lately. The CryptXXX ransomware is no longer susceptible to easy decryption, and it’s been making a lot of money for its purveyors, in many cases using compromised, high-profile business web sites as its delivery mechanism. On a more positive note, the people who created the TeslaCrypt ransomware stopped production and released global decryption keys. New ransomware delivery systems are able to bypass Microsoft’s EMET security software. The Cerber ransomware was recently delivered to a large proportion of Office 365 users via a Word document in an email attachment. And an even more hideous piece of malware surfaced in the last week: posing as ransomware, Ranscam actually just deletes all your files.

Ransomware is different from other kinds of attacks because of the potential damage. It can render all your data permanently inaccessible. Even paying the ransom is no guarantee that you will get all your data back intact. Other types of attacks typically try to fly more under the radar: trojans and rootkits want to control and use your computer’s resources; and viruses want to spread and open the door for other attacks. While other types of attacks can be fixed by removing the affected files, that doesn’t work for ransomware.

Like other types of attacks, ransomware first has to get onto your computer. These days, simply visiting the wrong web site can accomplish that. More common vectors are downloaded media and software, and email attachments. Preventing malware of any kind from getting onto your computer involves the kind of caution we’ve been advising for years; ransomware doesn’t change that advice.

What CAN make a big difference with a ransomware attack is limiting its reach. Once on a computer, ransomware will encrypt all data files it can access; specifically, files to which it has write access. Ransomware typically runs with the same permissions as the user who unwittingly installed it, but more insidious variants may use various techniques to gain higher permissions. In any case, limiting access is the best safeguard. For example, set up your regular user so that it cannot install software or make changes to backup data.

Here’s a worst-case scenario: you run a small LAN with three computers. All your data is on those computers. Your backup data is on an external hard drive connected to one of those computers, and a copy exists in the cloud. For convenience, you’ve configured the computers so that you can copy files between them without having to authenticate. Once ransomware gets onto one of the computers, it will encrypt all data files on that computer, but it will also encrypt data it finds on the other computers, and on the external backup drive. Worse still, some ransomware will also figure out how to get to your cloud backup and encrypt the data there as well.

How to limit your exposure? Require full authentication to access computers on your LAN. Use strong, unique passwords for all services. Store your passwords in a secure password database. Limit access to your backup resources to a special user that isn’t used for other things. In other words, exercise caution to avoid getting infected, but in case you get infected anyway, make sure that you have walls in place that limit the reach of the ransomware.
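The “walls” idea from the scenario above, as an added example (not from the original post): an audit that walks the locations an everyday account can see (local documents, a mounted LAN share, the backup drive) and counts the files that account could overwrite, which is exactly the set ransomware running as that account would encrypt. The sample directory tree and the read-only backup file are constructed for the demo; `chmod` stands in for the backup being owned by a dedicated backup user.

```python
import os
import tempfile

def writable_files(root, can_write=lambda p: os.access(p, os.W_OK)):
    """Every regular file under `root` that `can_write` says this account may
    modify. The predicate defaults to a real permission check and is
    injectable so the walk can be exercised without chmod or root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and can_write(path):
                hits.append(path)
    return sorted(hits)

def exposure_report(roots, can_write=lambda p: os.access(p, os.W_OK)):
    """roots: {label: (path, is_backup)} -> {label: (writable_count, backup_at_risk)}.
    A backup root with even one writable file means ransomware in this
    account could reach the backup as well as the live data."""
    report = {}
    for label, (path, is_backup) in roots.items():
        n = len(writable_files(path, can_write))
        report[label] = (n, bool(is_backup and n > 0))
    return report

def build_sample_tree():
    """Constructed stand-in for the post's LAN: local documents, a share
    mounted without authentication, and the external backup drive.
    Returns (base_dir, roots) in the shape exposure_report() expects."""
    base = tempfile.mkdtemp(prefix="reach-demo-")
    roots = {}
    for label, is_backup in (("documents", False), ("lan-share", False), ("backup", True)):
        d = os.path.join(base, label)
        os.makedirs(d)
        with open(os.path.join(d, "file.txt"), "w") as f:
            f.write("sample data\n")
        roots[label] = (d, is_backup)
    # The wall: backup files belong to a dedicated backup account and are
    # read-only to the everyday user. (Run as root/admin, os.access reports
    # everything writable, which is itself the lesson: don't work as admin.)
    os.chmod(os.path.join(base, "backup", "file.txt"), 0o444)
    return base, roots

if __name__ == "__main__":
    _, roots = build_sample_tree()
    for label, (n, at_risk) in exposure_report(roots).items():
        print(f"{label:10} writable={n}{'  BACKUP AT RISK' if at_risk else ''}")
```

Point the `roots` dictionary at the real mount points (local data, each LAN share, the backup drive) and run it as the account people actually use day to day; any non-zero count on a backup root is a wall that is missing.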

Most ransomware targets Windows systems, so most of the verbiage out there is about Windows as well. This article covers the basics fairly well.
