The VAR Guy’s Security Round-Up: Week Ending April 15
No big security story dominated the headlines this week, but that doesn’t mean there wasn’t plenty of action on this front from technology leaders to startups. A new company out of San Francisco revealed an ambitious plan to encrypt the entire Web, rival Internet giants teamed up to secure a longstanding and vulnerable e-mail protocol and Microsoft forced PC makers to provide better security. These and other moves were some of the latest in security news to hit the headlines this week.
Startup Reveals Plan to Encrypt the Entire Web
San Francisco-based Internet Security Research Group revealed an ambitious and so far successful plan to encrypt the entire global Web. The company announced that the initiative it calls Let’s Encrypt is coming out of beta, along with progress toward helping tens of millions of unencrypted sites around the world switch from the insecure web standard HTTP to HTTPS. The latter encrypts someone’s Web browsing to protect it from surveillance, straddling the line between privacy and law-enforcement interests. The way Let’s Encrypt makes it easier for websites to switch from HTTP to HTTPS is to flatten one of the biggest hurdles in the process: certificates. The service itself acts as a certificate authority, verifying that servers running HTTPS Web sites are who they claim to be.
Google, Microsoft, Yahoo Team Up to Enhance Vulnerable SMTP with Better Security
Google (GOOG), Microsoft (MSFT) and Yahoo (YHOO) may be longtime business and technology rivals, but they’ve teamed up once again to make the protocol that’s powered most of the world’s e-mail communications since the early 1980s more secure. That protocol is Simple Mail Transfer Protocol (SMTP), and along with three other participants, the three companies have formed a new effort to protect e-mail users by updating the security of the protocol, which has evolved over the years but still isn’t on par with today’s threat landscape. The new mechanism that Google and its partners are proposing, called SMTP STS, prevents messages from being transmitted if an encrypted connection cannot be established, and requires the server on the receiving end to verify its legitimacy. It also lets the user know exactly why their e-mail is blocked in the event of a problem.
Microsoft Mandates Stronger Security Adoption for PC Makers
Microsoft is upping the ante for Windows security by requiring all PC makers supporting Windows 10 devices to upgrade to a stronger security platform, one designed specifically to provide hardware-based security functions on Windows machines. The company confirmed this week it plans to force its hardware OEMs to use stronger TPM 2.0 (Trusted Platform Module) security on all Windows 10 devices, which will make the latest computers, tablets and smartphones more secure. The enterprise has already widely adopted TPM 2.0 to protect sensitive data, and this year the technology will be compulsory for all PC makers from July 28, Microsoft said. Tablets and smartphones running Windows also must begin supporting the module.
IBM, Box Team Up So Cloud Customers in Europe, Asia Can Store Data Locally
European and Asian IBM Cloud customers who are worried about the safety of their assets will soon have the ability to store them on infrastructure local to their regions thanks to a partnership between IBM (IBM) and Box. The two companies this week unveiled a plan to offer IBM Cloud customers in France, Germany, Italy, Japan, the Netherlands and the United Kingdom the option to store data in their local regions through an offering called Box Zones. The hybrid cloud service allows clients to store data in their own data centers as well as in IBM Cloud data centers. The move comes just after Europe and the United States reached the EU-US Privacy Shield Agreement in February, which replaces the Safe Harbor agreement as a framework designed to ensure that European data transferred to the US gets handled in accordance with EU regulations.
DHS, Trend Micro to Windows Users: Uninstall QuickTime ASAP
The Department of Homeland Security is advising Windows users to uninstall QuickTime if they have it on their machines, echoing advice of security firm Trend Micro. The reason? Apple no longer plans to release security updates for the Windows version of the software, which currently contains two new critical vulnerabilities that could allow remote attackers to take over a user’s system. So far there have been no active attacks exploiting those vulnerabilities, according to Trend Micro—whose researchers also discovered the flaws—but a “better safe than sorry” approach is advice both the firm and the DHS are stressing just in case one occurs. It shouldn’t be a tough decision for Windows users to dump the software, as there are a number of safer alternatives available to them.