Google’s Chrome browser isn’t secure

A word of warning when you use the Google Chrome web browser. The browser uses a misleading notification system.

When you see the “Secure” notification in the browser location bar, this means that the connection between the browser and the website you went to is encrypted. But this does not mean that you should fully trust the website. It isn’t guaranteed that the website is safe from phishing, malware, etc.

This is [as I said] because the “Secure” notification only means that there is encryption between your computer’s browser and that site. You can encrypt anything.

If the encryption certificate for the site has been revoked, the Chrome browser will still show it as “Secure”. Google knows about the issue but hasn’t corrected it.

In addition, according to year end reports [2016, 2017], Google’s Chrome browser continues to lead all browsers in vulnerabilities making it less secure.

[Note: Both links above may be technical for some. The results appear on page 20 for both reviews and the comparison of web browsers are on page 21. As well, they are external links. View at your own risk.]

Some vulnerabilities are more critical than others. But with the Chrome browser picking up users over the past few years, some vulnerabilities have been aimed at the browsers. Others are from sloppy programming.

This doesn’t mean you should stop using the Chrome web browser. Rather, you should understand that the browser isn’t 100% secure and that Google’s claim that it is, is misleading. But no web browser is secure.


FBI cracks terrorist’s cell without Apple’s help

As you may have read, the FBI used a security company called Cellebrite [if the story is true] to break into the iPhone used by the San Bernardino terrorist. So an anticipated showdown between Apple and the FBI has been put on hold.

If you recall, the FBI claimed that they needed to get into the iPhone to see if there was any evidence [but they don’t know if there was any], while Apple claimed a privacy issue – not for the dead terrorist but in future battles like this.

Because of these actions, Magistrate Sheri Pym won’t be ruling on whether a centuries-old law, known as the All Writs Act, provided legal authority for compelling Apple’s assistance.

Some in the tech industry believe that at some point the FBI will go after a smaller company that doesn’t have the legal army and money that Apple has, get a favorable ruling and then go after Apple or others.

If the case had moved forward, Apple would have had to rewrite its iPhone software in a way that would make all iPhones less secure and open the door to more demands from government authorities, both in the United States and other countries [especially some that don’t have the proper laws and “checks” that the US has].

Now there is talk that Apple, Google, Microsoft and others will make it even more difficult to hack into a smart phone the way Cellebrite did.

One does wonder about some smartphone data, as most data is either synced with the cloud or also stored on the manufacturer’s or carrier’s servers [who was called and when, search information, etc.].

The US [and other countries] also need to modernize some of their laws, such as the All Writs Act, which dates from long before any modern technology was available.

Meanwhile, federal prosecutors have appealed a court ruling that said Apple doesn’t have to help them extract data from another iPhone in a New York drug case. In at least a dozen pending cases, the government has cited the same All Writs Act as legal authority to compel Apple’s co-operation.

A slippery slope between Apple and the FBI

The US government is at odds with Apple. The FBI got a judge in the Federal District Court for the District of Central California to order Apple to bypass security functions on an iPhone 5c used by Syed Rizwan Farook, who was killed by the police along with his wife, Tashfeen Malik, after they attacked Mr. Farook’s co-workers at a holiday gathering in December 2015.

The judge ordered Apple to build special software that would essentially act as a skeleton key capable of unlocking the phone.

But Apple CEO Tim Cook announced Apple’s refusal to comply, citing the need to protect the privacy of its users – even terrorists. [You can’t cherry pick them.] First there will be this issue, then there will be others. When will it stop?

The FBI says that by withholding access to the phone’s information, it is hampering the continuing investigation. Police and prosecutors want the companies to build what would be considered a master key that can be used to get around the encryption.

The Justice Department had secured a search warrant for the phone, owned by Mr. Farook’s former employer, the San Bernardino County Department of Public Health.

BlackBerry faced the same dilemma, but with foreign countries such as Pakistan, which wanted a master key to decrypt any conversation or mail between two parties.

One needs to wonder whether Pakistan would go solely after those it would describe as terrorists, or maybe even after those the government considers subversive, such as protesters.

The same could apply in this Apple case – but hopefully at least the US government can be a bit more open.

In 2014, Apple and Google announced that they had re-engineered the software in their operating systems that encrypts devices, and as a result could no longer unlock their own products.

[I had this issue with my Android phone about a month ago. Don’t ask me why, but my boot encryption password didn’t work after 2+ years. I had to force a device wipe.]

Not surprisingly, the Republican Presidential nominee is in favor of the master key concept. [Wonder how he would like it if the FBI investigated him and asked for his phone.]

Known treason tech guy, Edward Snowden, has asked why Apple is policing something the FBI should be doing.

This is going down a slippery slope. If Apple is forced to hand the FBI the keys to the castle, when will it stop? Clearly Mr. Farook was a terrorist, but can a warrant be issued to look at the phone of a politician? A celebrity? The person across the street?

If Apple [and Google] are forced to put something in future operating systems, will consumers ignore upgrading to the operating systems that the government can access?

 

Windows 8.1 adds automatic disk encryption

One thing enabled by default on all Windows 8.1 systems [assuming the hardware can support it] is the automatic use of BitLocker encryption on the disk.

All versions of Windows 8.1 include it, whereas BitLocker is a Pro- or Enterprise-tier feature in Windows 8 and an Ultimate- and Enterprise-tier feature in Windows 7 or Vista.

To see if it is enabled, go to the PC and devices section and click on PC Info. Towards the bottom of the screen you will see the encryption status of your system.

A user with administrator access will have to log in with a Microsoft account, at which point the device will generate a recovery key and upload it to Microsoft’s servers. This recovery key can then be accessed from another computer with your Microsoft account if you’re ever locked out of your system.

Active Directory user accounts can also be used to store the key, provided your domain administrator has enabled the proper Group Policy settings.

But in order for Windows 8.1 systems to take advantage of the automatic encryption, your system will need all of the following enabled:

  • Support for the Secure Boot feature, which implies both UEFI support and 64-bit Windows.
  • A Trusted Platform Module (TPM). The feature requires TPM 2.0, and most current devices use TPM 1.2.
  • Hardware and firmware support for Windows’ Connected Standby feature. Connected Standby allows a sleeping system to wake up periodically and refresh certain data, like e-mail messages or calendar events. Your smartphone already does the same sort of thing. Note that Connected Standby is similar in concept to Intel’s Smart Connect Technology, but Smart Connect support does not imply Connected Standby support.
  • Connected Standby comes with its own set of hardware requirements, including a solid-state boot volume, NDIS 6.30 support for all network interfaces, and memory soldered to the motherboard. The system must also rely on passive cooling when in Connected Standby mode, even if it normally uses a fan.
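
The requirements listed above can also be checked from an elevated PowerShell prompt. This is an added example, not part of the original post: the helper function names are hypothetical, and the Connected Standby check assumes English-language `powercfg /a` output.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the device-encryption prerequisites listed above.

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, so an error counts as "no".
    try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
}

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM spec.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() }
    else { $null }
}

function Test-ConnectedStandby {
    # powercfg /a prints the available sleep states first, then the unavailable ones.
    # Assumption: English output, where the second list is introduced by "not available".
    $available = ((powercfg /a | Out-String) -split 'not available')[0]
    # Windows 8.1 labels the state "Standby (Connected)"; later releases say "S0 Low Power Idle".
    $available -match 'Standby \(Connected\)|S0 Low Power Idle'
}

# Encryption state of the OS volume (null properties if the BitLocker module is unavailable).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$tpmVersion = Get-TpmSpecVersion

[pscustomobject]@{
    Is64BitOS        = [Environment]::Is64BitOperatingSystem
    SecureBoot       = Test-SecureBoot
    TpmSpecVersion   = $tpmVersion
    TpmIs20          = ($tpmVersion -eq '2.0')
    ConnectedStandby = Test-ConnectedStandby
    VolumeStatus     = $os.VolumeStatus
    ProtectionStatus = $os.ProtectionStatus
    # A RecoveryPassword protector should exist once the recovery key has been generated.
    KeyProtectors    = ($os.KeyProtector.KeyProtectorType -join ', ')
} | Format-List
```

A system that reports `False` for any of the first checks will not get automatic device encryption and falls back to the BitLocker drive encryption option described below.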

For the many systems that can’t support the new device encryption features, Windows 8.1 Pro and Enterprise still include the more traditional BitLocker drive encryption feature that has been a part of Windows since Vista.