Year: 2022

  • 16 Wall Street firms fined $1.8B for using private text apps, lying about it


    The US Securities and Exchange Commission (SEC) has fined big-name banks and brokerages a collective $1.8 billion over workers’ use of private texting apps to discuss work and for not always saving those messages. The fines include $1.1 billion assessed by the SEC and a $710 million fine from the Commodity Futures Trading Commission (CFTC).

    The SEC investigation uncovered what the agency called “pervasive off-channel communications,” that were collected by the firms themselves from employee devices. The employees included senior and junior investment bankers and debt and equity traders.

    Tens of thousands of those communications were intended to keep the banks’ internal compliance functions and regulators in the dark, according to the CFTC. And because many private communications channels are encrypted end-to-end, they leave no recoverable record for the banks’ supervisors, the CFTC said in a statement.

    “Another common theme is that the CFTC found senior executives — the very people responsible for keeping a bank’s house in order — who directed employees to use unauthorized communications channels and delete messages. Some executives even lied to the CFTC and SEC,” the CFTC said.

    The use of unauthorized private apps, and failure to archive those communications, violates record-keeping and privacy rules. Both regulatory agencies called on the financial services sector to “fix internal policies and practices” to ensure US regulators and bank executives can prevent, detect, and correct unauthorized illegal communications.

    The firms fined for the violations were: Barclays Capital Inc.; BofA Securities Inc., together with Merrill Lynch, Pierce, Fenner & Smith Inc.; Citigroup Global Markets Inc.; Credit Suisse Securities (USA) LLC; Deutsche Bank Securities Inc., together with DWS Distributors Inc. and DWS Investment Management Americas, Inc.; Goldman Sachs & Co. LLC; Morgan Stanley & Co. LLC, together with Morgan Stanley Smith Barney LLC; and UBS Securities LLC, together with UBS Financial Services Inc.

    Two firms — brokerage Jefferies LLC and Nomura Securities International — agreed to pay penalties of $50 million each; brokerage Cantor Fitzgerald & Co. agreed to pay a $10 million penalty.

    “Finance, ultimately, depends on trust,” SEC Chair Gary Gensler said in a statement. “By failing to honor their record-keeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”

    In addition to significant financial penalties, each of the firms was ordered to prevent future violations of the relevant record-keeping provisions and were censured, the SEC said. The firms also agreed to retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures regarding the retention of electronic communications on personal devices and their respective frameworks for addressing non-compliance by employees.

    Rules are designed for transparency

    Thomas Shuster, a research director with IDC’s Capital Markets Digital Transformation Strategies business who in the past was a registered agent of two broker-dealers and a registered advisor with a self-regulatory organization (SRO) under the SEC, said there was never any doubt about being subject to stringent record-keeping requirements.

    “We weren’t even allowed to text and if we received texts, we had to create an image and maintain a record,” Shuster said. “That said, I don’t know if there’s momentum behind this action. My instinct is that the SEC made an example with these highly visible and deep-pocketed firms and will let the action speak for itself as a cautionary tale. Those appear to be significant fines for the given offense.”

    Reports of impending fines first surfaced in July.

    Bring your own device (BYOD) policies have long been the norm among financial services firms, but data privacy laws such as SEC Rule 17a-3 & 17a-4, the Dodd-Frank Act, Sarbanes-Oxley, FINRA rules, MiFID II, CCPA and GDPR all require regulated industries to archive business-related communications in a secure and reliable server or face significant penalties and fines — or even class action lawsuits.

    The problem was less pervasive when only email was being used; corporate email servers could automatically store communications and archival software could provide regulators with specific messages using search tools.

    But data privacy regulations make the use of consumer messaging apps in regulated industries challenging for IT, HR, corporate governance and compliance teams. And the use of “shadow communications” can risk massive damage to a firm’s finances and reputation.

    “It’s the proliferation of these other channels of communication that’s causing the problem,” said John Lukanski, a partner in the law firm of Reed Smith LLP. He said the problem with avoiding instant messaging apps is that clients often prefer them, so financial service employees have to make a decision: please the client or follow the rules.

    Many financial services firms decided long ago to create pre-approved communications channels through which messaging could be archived, and employees had to attest they’d comply with those rules.

    “The problem is if you have those rules in place, you have to ensure compliance. And, even supervisors are using unapproved channels to communicate,” Lukanski said. “What really infuriates regulators is when they’re performing an investigation and they’ve gone into firms and asked for communications… and a certain percentage of communications has been done off channel. In other words, they can’t produce all the records, which impede the regulators’ investigations.”

    The banking, financial services and insurance (BFSI) sector is one of the most heavily regulated because it has so much influence over the broader economy.

    “It invites corruption, market manipulation, securities fraud, and other unscrupulous behavior that ultimately leads to financial crises, recessions, etc.,” said Michela Menting, a research director with ABI Research. “So, regulatory bodies like the SEC and CFTC must impose very stringent regulations and compliance requirements to maintain market integrity.”

    Menting believes the issue goes beyond just private messaging apps; it’s about the ability to hold the financial services industry accountable at a time when many firms are undergoing digital transformation.

    Why messaging apps are popular

    Secure messaging apps on private phones provide a fast and simple way to connect bankers and traders, supervisors and personnel, anywhere, anytime. And the technology is ubiquitous, cheap and always available.

    While WhatsApp is the most popular consumer messaging app, more than a half dozen others are regularly used, including iMessage, Facebook Messenger, WeChat, Telegram, and Signal. All made their way into the workplace as smartphones have proliferated and corporate BYOD schemes matured.

    “It makes [the apps] massively popular tools, and practically necessary in a post-pandemic world where the workforce is increasingly distributed,” Menting said via email. “But the problem is that such tools too often sit outside of a company’s purview, in that shadow IT realm, because they are on private phones. One could view it as laziness on the part of financial organizations (at least those that have been sanctioned); they have very specific compliance requirements, which they chose to disregard in favor of convenience.”

    But laziness may be only half the story; the tools can also be used to obfuscate practices that might be considered unethical, if not illegal, Menting said.

    Lukanski agreed, saying the risk of not archiving communications is that bankers and brokers can become involved in underhanded activities in the name of the firm they represent, and there’s no way to discover it.

    But not all of the unauthorized messaging was for nefarious purposes. Much of the activity took place during the height of the COVID-19 pandemic, when employees were mostly working from home. It was simply easier to use a private, off-server messaging app, Lukanski said.

    “I’ve always felt…you can always do better,” he said. “If you’re a firm not among those 16 fined, I don’t think you can say, ‘We dodged the bullet.’ You have every reason in the world to pay attention to the issue now.”

    Financial institutions have two things they can do, according to Nader Henein, research vice president with Gartner’s Privacy and Data Protection practice. They can train their employees, and they can monitor corporate owned devices.

    “They can also monitor personal devices with the employees’ consent, but that is messy,” Henein said. “The weak link is sometimes the employee, but it is also the eternally strained relationship between the business and the governance teams.”

    The feds have been cracking down

    The SEC has been turning up the heat under US President Joe Biden to stop financial services firms from using unsecured apps for business. In December, JPMorgan was hit with a combined $200 million in fines from the SEC and the CFTC for failure to monitor and store electronic communications between 2018 and 2020. The SEC cited the use of WhatsApp, text messages, and personal email accounts for business matters.

    Before that, in 2020, a senior credit trader at JPMorgan was suspended for communicating with colleagues at Jefferies, KPMG, and VTB Capital using WhatsApp. The latter were then also the subject of investigations after employees were found to be using messaging apps as unauthorized channels for communications.

    That same year, Deutsche Bank took steps to ban all text messaging and communication apps to improve compliance standards, with many others, including HSBC, Citi, and Wells Fargo, moving to more secure communications platforms. Some firms, however, appear to be ignoring the implications of not having thorough policies against such practices.

    “By bringing these cases at the same time, and in parallel with the SEC, the Commission is sending a strong message … that we will not tolerate efforts to evade our regulatory oversight — oversight that these entities signed up for when they registered with the Commission,” CFTC Commissioner Christy Goldsmith Romero said in a statement. “Those choosing to participate in US financial markets are on notice — the era of evasive communications practices is over. The CFTC will hold you accountable.”

    Copyright © 2022 IDG Communications, Inc.


  • Jamf Pro now lets IT admins manage AWS Mac instances


    Jamf has teamed up with Amazon Web Services (AWS) to introduce new tools that let IT admins using Jamf Pro enroll virtual EC2 Macs when they are provisioned via the AWS portal.

    It means even virtual Macs can have all the security, policy, and access controls you’d expect from the Mac on your home or office desk when enrolled.

    This is news because?

    We know AWS is one of the world’s biggest cloud services firms — it has such a major presence that it is seen as a “hypervisor.” Amazon began offering Mac instances in the cloud in 2020 and ramped this offer up with the later addition of M1 Mac minis as a service through AWS.

    That already means developers can hire both Intel-based and M1-powered Macs, which many use to build, test, package, and sign off apps built for different Apple platforms. The problem was that when it came to enterprise-specific apps or data, those cloud-based machines lived in a strange gray zone outside of traditional MDM/security policy.

    That’s fine for some AWS users, but as the value of personal data and business intelligence continues to grow in a highly digital age, many business leaders needed something more.

    What Jamf said

    I caught up with Jamf CEO Dean Hager, who shared a few insights into the new deal with AWS. He explained that Jamf and Amazon got together because Amazon found its customers needed this kind of integration. They wanted to be able to apply profiles and install software and keep their virtual Macs as updated and managed as their physical ones — but delivering this wasn’t easy due to the way virtual Mac instances worked.

    “We have a long history of solving problems,” said Hager. “So we came up with an ability to manage the virtual instances that are not dependent on MDM but rather dependent on our own innovations, and now customers are going to be able to … procure and manage virtual Macs.”


    The partnership with Jamf provides this as it lets IT admins manage these AWS servers just as they can any other Mac in their fleet. It means organizations can provide managed, trusted access to their macOS workloads on AWS, allowing more enterprises to use these solutions.

    “We’re excited to continue to push the envelope on what’s possible with cloud-first technologies centered around the Apple platform,” said Hager.

    Why AWS?

    AWS customers already run on-demand workloads in the cloud. These solutions let developers scale up their available Mac fleet to handle tasks when building apps; they can simply bring on a new virtual Mac in seconds, dynamically, as required.

    Customers can also consolidate development of cross-platform Apple, Windows, and Android apps on AWS, leading to increased developer productivity and accelerated time to market. In very basic terms, that means developing complex projects across multiple platforms can benefit from a huge fleet of Macs without the TCO or purchasing costs. It also means they get the horsepower they need to get their work done fast.

    In a statement, dataJAR founder James Ridsdale said: “As a service provider managing tens of thousands of Macs across our enterprise customers, we understand the value that Jamf provides. It enables us to ensure the security, management, and seamless onboarding of Apple devices into our platform of services….

    “We are excited to see Jamf’s work with AWS to continue to provide more options for organizations who are looking to adopt a range of computing options for their employees, contractors, and engineering workflows through the management of Amazon EC2 Mac virtualized instances. We think this will be a compelling solution for many types of customers.”

    Get ready for Apple-in-the-enterprise week

    The news comes as we prepare for one of the busiest weeks on the Apple-in-the-enterprise calendar, with Jamf hosting its own vibrant Apple admins event, JNUC, in San Diego September 27-29.

    I also anticipate others in the enterprise-focused Apple services space will have more news in the coming weeks.

    As I’ve remarked before, this intensifying competition in this side of the Apple industry means enterprise users have never had it so good when considering platform diversification. Not to mention that the wave of Apple deployments can only grow even taller once Apple introduces new Macs, perhaps as soon as next month.

    Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.


  • Podcast: iPhone 14 Pro: Buy or nah?


    Macworld Executive Editor Michael Simon and Ken Mingis, executive editor at Computerworld, go over the high points of the new iPhone 14 Pro Max. Standouts include the "Dynamic Island" and always-on display.

  • Windows 11 2022 Update is the version enterprises can move to


    Microsoft today announced the rollout of the first major feature upgrade to Windows 11. Many of the changes are incremental and focus on user interface and productivity enhancements, but there are some useful additions — including a new password security feature.

    Mostly, Windows 11 version 22H2, known as the Windows 11 2022 Update, is about polishing up the user experience introduced with Windows 11, while rounding out the feature set with some additional enterprise-targeted capabilities, according to Stephen Kleynhans, a vice president analyst at research firm Gartner.

    “On its own, it isn’t a huge update, and for anyone already using Windows 11, it doesn’t represent a major change,” Kleynhans said in an email reply to Computerworld. “Rather, it removes some of the rough spots and inconsistencies in the initial Windows 11 release and makes it a little nicer to use.”

    A few new features, such as the system-wide live captioning and improvements in screen reader will be really impactful for some users, Kleynhans noted, but most importantly, “this is the version of Windows 11 that is ready for enterprises to move to.

    “I expect to see most enterprises make the move from Windows 10 to Windows 11 during 2023,” he said.

    Released to original equipment manufacturers on Oct. 5, 2021, Windows 11 faced strong adoption headwinds from the start. While Microsoft allows anyone to manually install Windows 11 regardless of the CPU, an automatic upgrade is possible only if three critical components of the computer meet requirements — the CPU, the RAM, and the Trusted Platform Module (TPM), a secure cryptoprocessor.

    Microsoft updated its support page with instructions on how to install the Windows 11 upgrades, as well as the minimum hardware requirements for that to happen. The free upgrade offer for Windows 11 does not have a specific end date for eligible systems.

    Windows 11 was “officially” released on Oct. 5, 2021, but that release only applied to original equipment manufacturers (OEMs), who were then able to include the latest platform on their new hardware. The general availability to the existing “in-market devices” for upgrades was phased in after that, according to a Microsoft blog in January 2021.

    What’s missing from Microsoft’s first Windows 11 feature update, according to Kleynhans, are some user experiences that could use further improvements. “Things like a resizable start menu and repositionable taskbar are still missing and will disappoint some users,” he said.

    With the latest update, Microsoft is touting an expansion to its Amazon App Store, which now offers more than 20,000 Android apps available for use on Windows 11. Android app functionality will mirror that of Microsoft apps, with the ability to resize and use Snap to arrange open apps.

    Security upgrades

    Microsoft is pitching Windows 11 22H2 as a platform aimed squarely at the hybrid worker and workplace. Security upgrades are a big part of adopting the platform for a hybrid environment, where remote workers are more often targets of malware and cyberhacking efforts.

    With the Windows 2022 Update, Microsoft spent a significant amount of time boasting about its better security. Many of those improvements, however, rely on system hardware and TPM 2.0 rather than anything specifically new in Windows 11.

    One example of a hardware-based security upgrade: Devices running Intel 8th-generation chipsets and higher will have virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI) enabled by default, according to Wangui McKelvey, general manager for Microsoft 365.

    “The two technologies protect you from both common malware and ransomware, as well as more sophisticated attacks,” McKelvey said in a blog post.

    With the Windows 11 2022 Update, Microsoft also enabled Windows Credential Guard by default with devices running Windows 11 Enterprise.

    “Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, making it harder for attackers to compromise your network,” McKelvey said.
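    The defaults described above only matter if the protections are actually running on a given device, so here is an added verification script (not Microsoft's code and not from the article) that reads the Win32_DeviceGuard CIM class Windows exposes for this purpose and reports whether VBS, HVCI and Credential Guard are configured and running. The numeric codes in the comments are the documented values for that class; the property names on the output object are this example's own.

```powershell
# Added example (not Microsoft's code): confirm that VBS, HVCI and Credential Guard
# are actually running on a device, using the Win32_DeviceGuard class that Windows
# exposes for exactly this purpose. Works without elevation.
function Get-VbsProtectionState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection.
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    $available  = @($dg.AvailableSecurityProperties)

    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running -contains 1)
        HvciConfigured            = ($configured -contains 2)
        HvciRunning               = ($running -contains 2)
        HypervisorSupport         = ($available -contains 1)
        SecureBootAvailable       = ($available -contains 2)
    }
}

# Usage: a service that is configured but not running means the policy is set but the
# platform (hypervisor support, Secure Boot, firmware) is not delivering it; flag that gap.
$state = Get-VbsProtectionState
$state | Format-List
foreach ($svc in 'CredentialGuard', 'Hvci') {
    if ($state."${svc}Configured" -and -not $state."${svc}Running") {
        Write-Warning "$svc is configured but not running; check the VBS prerequisites (hypervisor, Secure Boot)."
    }
}
if (-not $state.VbsRunning) { Write-Warning 'Virtualization-based security is not running on this device.' }
```

    The configured-versus-running distinction is the one worth alerting on: a Group Policy or MDM setting can be in place while the device silently runs without the protection because a firmware prerequisite is missing.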

    The Windows 11 2022 Update also adds a new password protection feature to Defender SmartScreen. When Windows detects a user typing their Microsoft password, Defender SmartScreen analyzes where that password is being entered. It checks the application’s integrity, what websites that application is connected to, what network connections are open, what certificates they’re signed with, and more.

    “This allows Defender to help ensure the user is securely entering their Microsoft password into an appropriate location. And more importantly, [it] allows Defender to detect when that’s not the case. For example, when the user is being credential phished, using a compromised network, and even reusing their password across services,” said Jason Weber, Microsoft’s vice president of Web Defense. “These underlying protections are built into the Windows kernel, which allows Defender to help protect applications running on Windows.”

    Another feature, Smart App Control, prevents employees from running malicious applications by blocking untrusted or unsigned applications. Using artificial intelligence, Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily.

    “This is great for smaller organizations who don’t manage their devices or have unsigned line of business applications and have clean installations of the 2022 Update. For enterprise organizations who do have these needs, we recommend using Windows Defender Application Control,” McKelvey said.

    Other upgrades to productivity and user interfaces

    Another upgrade in the Windows 11 2022 release includes a drag-and-drop function for the taskbar, allowing users to right-click and pull applications and documents in and out of the bar.

    For touch-first or touch-only devices, the Windows 11 2022 Update will include new Snap Layouts. The feature addresses users who tend to have too many Edge tabs open at one time to use them productively. Edge tabs can now be snapped side by side, and the Snap feature can also be used by touch to arrange windows more easily.


    The Windows 11 2022 Update allows touchscreen users to arrange open pages with a mouse or finger.

    Microsoft also added improvements to a user’s ability to control applications and functions using finger swipes. Users of touchscreen devices can now open the Start menu  by swiping up with their finger and close it by swiping down. Additionally, users can switch between pinned apps and a full app list by swiping left to right, and they can access Quick Actions by swiping up.

    Microsoft also added meeting features to Windows Studio Effects to help with video and audio calls. Effects like Voice Focus are aimed at filtering out background noise, and Automatic Framing helps the camera frame a user and follow them if they move during meetings. Another feature, called Eye Contact, makes a user appear to be looking into the camera even while looking at the monitor or notes below it.


    Microsoft’s Windows Studio Effects will now include features such as Voice Focus, Eye Contact and Auto Framing to improve the quality of video conferencing.

    Microsoft also added Live Captions, a function that can transcribe audio content from places like Teams conference calls and web videos. The feature is aimed at helping hearing impaired employees comprehend audio better when it’s presented visually rather than audibly, the company said in a post.

    Windows 11 will also offer a “Do Not Disturb” feature through the “Settings” menu, which will turn off all notifications while you’re attempting to focus on a project or while you’re using your PC during off-work hours.

    The Do Not Disturb function will also have additional controls, such as choosing the types of notifications you want to receive, such as emails or a phone call.

    Notifications not issued while the Do Not Disturb function was activated can then be found in the Windows Notifications Center.

    While Windows 11 will also offer users the ability to represent files as tabs, that feature won’t be available until next month (October).

    Microsoft will stick with one major update per year

    There was also speculation that Microsoft would revert to the 3-year schedule for major Windows releases, something it had done prior to the release of Windows 10. Microsoft officials, however, dismissed that notion, saying updates will occur on an annual basis each fall, with monthly “Windows quality” updates that include bug fixes, feature improvements, and security issue resolutions. The first of those incremental updates, known as “Moment” updates, is planned for October. They also said there are no current plans to roll out a Windows 12 operating system.

    There’s a temptation to think about Windows 10 and Windows 11 “as if this was back in the day of big blockbuster version upgrades like Windows XP or Windows 7,” Kleynhans said.

    “In those days, we mounted a major project with lots of effort and evaluation (and great expense) to examine and deploy each major OS iteration,” Kleynhans said. “Windows is now a more continually evolving OS that gets updates on a regular cadence. Installing updates is part of staying secure and current and happens every month.

    “Some years the new features Microsoft rolls out will be more impactful than others, but there isn’t really a decision to be made about whether a specific annual update is worth the trouble of deploying or not,” Kleynhans pointed out.

    “They are all mandatory. Companies need to focus on establishing an ongoing process to roll out the next annual update each year as part of the overall maintenance and operations associated with running Windows,” he said.

    Adoption of Windows 11 is fairly consistent with past versions

    One of the problems early on with Windows 11 adoption among enterprises is that it significantly elevated the hardware requirements to run it over its predecessor, Windows 10.

    An upgrade to Windows 11 requires a system with 64-bit processors, 4GB of memory, 64GB of storage, UEFI secure boot, and the Trusted Platform Module (TPM) v2.0.
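    Those requirements are simple enough to verify per machine before an upgrade is scheduled. The script below is an added example, not Microsoft's PC Health Check and not from the article: it reads the CPU address width, installed RAM, the size of the disk holding the system drive, the Secure Boot state and the TPM specification version through standard Windows cmdlets and CIM classes, and returns one object with a pass/fail per requirement. The supported-CPU model list is not on the page and is not checked; the function and property names are this example's own.

```powershell
# Added example, not Microsoft's tool: a readiness check for the Windows 11
# requirements listed in the article. Run from an elevated session, because
# Confirm-SecureBootUEFI and the Win32_Tpm class require administrator rights.
function Test-Windows11Readiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Measure the physical disk behind the system drive; the C: partition alone loses
    # space to the EFI and recovery partitions and would under-report a 64 GB disk.
    $disk = Get-Partition -DriveLetter $env:SystemDrive[0] | Get-Disk

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware reserves some RAM, so a nominal 4 GB module reports slightly under 4 GiB; round first.
    $checks = [ordered]@{
        'CPU is 64-bit'         = ($cpu.AddressWidth -eq 64)
        'RAM >= 4 GB'           = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4)
        'System disk >= 64 GB'  = ([math]::Round($disk.Size / 1GB) -ge 64)
        'UEFI Secure Boot on'   = $secureBoot
        'TPM 2.0 enabled'       = ($tpmVersion -eq '2.0' -and [bool]$tpm.IsEnabled_InitialValue)
    }
    # The supported-CPU model list is not part of this check.
    $result = [pscustomobject]$checks
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue (-not ($checks.Values -contains $false))
    return $result
}

# Usage: print the per-requirement results and set an exit code for fleet scripting.
$readiness = Test-Windows11Readiness
$readiness | Format-List
if ($readiness.Ready) { Write-Host 'Eligible for the automatic Windows 11 upgrade.' }
else { Write-Warning 'One or more hardware requirements are not met.'; exit 1 }
```

    Returning an object rather than printing text is deliberate: the same function can be run through a management agent across a fleet and the `Ready` flag and the individual checks aggregated, which is the "readiness check" the Lansweeper quote later in the article asks for.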

    For IT executives, the question remains whether they can move to Windows 11 or should they wait for all the bugs to be worked out and their organization’s normal hardware upgrade cycle. When Windows 11 came out in October 2021, few organizations jumped to deploy it because it changed little from Windows 10, and it had stiff hardware requirements. As with any new platform version, IT shops also didn’t know if it was ready for prime time.

    Windows 11 currently accounts for just under 25% of current installations, according to several organizations that track the platform, including AdDuplex, a cross-promotion network for Windows Store apps and games, and IT asset management platform provider Lansweeper.

    The primary reasons Windows 11 isn’t seeing higher adoption rates “are likely due to the harsh requirements in place to upgrade to Windows 11 and a lack of urgency, since Windows 10 is still supported until 2025,” Esben Dochy, technical product evangelist for Lansweeper, said in an earlier interview with Computerworld.

    According to an April 2022 report from Lansweeper, only 44.4% of workstations were eligible to receive the automatic Windows 11 upgrade, while the rest would be ineligible due to necessary hardware requirements.

    “To roll out the new OS, they’ll need a quick and cost-effective Windows 11 readiness check to identify machines that are eligible — and ineligible — for the upgrade. Our research shows that over 55% of workstations are not capable of being upgraded,” Lansweeper wrote in a blog.

    AdDuplex showed Windows 11 adoption in August had reached 23.1% of devices. “Less than 3.5% of modern Windows PCs upgraded to Windows 11 in the last two months. Approximately the same number was added to the latest version of Windows 10,” AdDuplex stated on its site.

    Steam, a digital game distribution service, publishes a  It showed that in August, Windows 11 accounted for just over 24.71% of all devices. Windows 10 continues to dominate, with 71.76% of market share.

    Microsoft claimed early on that it had seen strong demand and preference for Windows 11, with people accepting the upgrade offer at twice the rate it saw for Windows 10, but Windows 10 remains popular with organizations as hardware challenges remain. 

    “The adoption challenges for Windows 11 still very much exist, and are arguably more relevant than ever,” said Roel Decneut, Chief Strategy Officer at Lansweeper. “The latest data clearly shows many organizations are choosing to focus on Windows 10 for now, with Windows 11 still very much in the testing phase.”

    In addition, a lot of the benefits of Windows 11, such as its Smart App Control and better malware protection, are only available on brand new systems, Decneut said.

    “In the current climate, businesses clearly don’t feel that the costs of purchasing new devices and upgrading from [Windows] 10 to 11 are worth it just yet. This remains the biggest obstacle to widespread adoption, and with Windows 10 continuing to be supported until 2025, it may be a while before we see that particular needle move,” Decneut said.


  • Critical zero-days make September’s Patch Tuesday a ‘Patch Now’ release


    With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday release gets a “Patch Now” priority. Key testing areas include printing, Microsoft Word, and in general application un-installations. (The Microsoft Office, .NET and browser updates can be added to your standard release schedules.)

    You can find more information on the risk of deploying these Patch Tuesday updates with this helpful infographic.

    Key testing scenarios

    Given the large number of changes included in the September patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:

    High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require the creation of new testing plans:

    • Test these newly-released functionality updates. Please attach a camera or phone to your PC and use the Photos import function to import images and videos.
    • Basic printing tests are required this month due to functionality changes in the Windows spooler controller.

    The following updates are not documented as functional changes, but still require a full test cycle:

    • Microsoft Office: Conduct basic testing on Word, PowerPoint, and Excel with a focus on SmartArt, diagrams, and legacy files.
    • Test your Windows error logs, as the Windows Common Log File system has been updated.
    • Validate domain controller authentication and domain-related services such as Group Managed Service Accounts. Include on-premises and off-premises testing as well.
    • High-duration VPN testing is required, with VPN testing cycles that need to exceed eight hours on both servers and desktops. Note: you will need to ensure that IKE fragmentation is enabled (the value below is the server-side setting, so it belongs on the RRAS VPN server). We suggest the following PowerShell command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force; Restart-Service remoteaccess

    In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios for this update:

    • Test any application using the OLE DB interface and sqloledb.dll to make database connections. This process will require an assessment of your application portfolio, looking for dependencies on the SQL OLE libraries and components and focused testing on application functionality that uses these updated features.
    • Application un-installations will require testing due to changes in the Enterprise Application Management Windows component. The big challenge here is to test that an application package has been fully uninstalled from a machine, meaning all the files, registry entries, services and shortcuts have been removed. This includes all the first-run settings and configuration data related to the application. This is a tough, time-consuming task that will require some automation to ensure consistent results.

    Testing these important and often updated features is now a fact of life for most IT departments, requiring dedicated time, personnel and specialised processes to ensure repeatable, consistent results.

    Known issues

    Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.

    • Microsoft SharePoint Server: Nintex Workflow customers must take additional action after this security update is installed to make sure workflows can be published and run. For more information, please refer to this Microsoft support document. 
    • After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found. For more information about the specific errors, cause, and workaround, see KB5003571.
    • Some enterprise users may still be experiencing issues with XPS Viewers. A manual re-install will likely resolve the issue.

    Starting at 12 a.m. Saturday, Sept.10, the official time in Chile advanced 60 minutes in accordance with the Aug. 9 announcement by the Chilean government of a daylight-saving time (DST) time zone change. This moved the DST shift from Sept. 4 to Sept. 10; the time change will affect Windows apps, timestamps, automation, workflows, and scheduled tasks. (Authentication processes that rely on Kerberos may also be affected.)

    Major revisions

    As of Sept. 16, Microsoft has not published any major revisions to its security advisories.

    Mitigations and workarounds

    There are four mitigations and workarounds included in this Patch Tuesday release, including:

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    • Browsers (Microsoft IE and Edge);
    • Microsoft Windows (both desktop and server);
    • Microsoft Office;
    • Microsoft Exchange;
    • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    • Adobe (retired???, maybe next year).

    Browsers

    Microsoft has released a single update to the Edge browser (CVE-2022-38012) that has been rated low, even though it could lead to a remote code execution scenario, because of its difficult exploitation chain. In addition, there are 15 updates to the Chromium project. Slightly out of sync with Patch Tuesday, Microsoft released the latest version of the Edge Stable channel on Sept. 15 that contains a fix for CVE-2022-3075. You can read more about this update’s release notes and can find out more about Chromium updates. Add these low-profile browser updates to your standard release schedule.

    Note: you will have to deploy a separate application update to Edge — this may require additional application packaging, testing, and deployment.

    Windows

    Microsoft addressed three critical issues (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 issues rated important this month. This is another broad update that covers the following key Windows features:

    • Windows Networking (DNS, TLS and the TCP/IP stack);
    • Cryptography (IKE extensions and Kerberos);
    • Printing (again);
    • Microsoft OLE;
    • Remote Desktop (Connection Manager and APIs).

    For Windows 11 users, here is this month’s Windows 11 video update. The three critical updates all have NIST ratings of 9.8 (out of 10). Coupled with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) these make this month’s Windows update a “Patch Now” release.

    Microsoft Office

    Microsoft released seven security patches to the Office platform affecting Visio, PowerPoint, SharePoint and SharePoint Server. The Microsoft Visio and PowerPoint updates are low-profile deployments that should be added to your standard Office update schedules. The SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) are not rated critical, but they could lead to a remote code execution scenario (though difficult to exploit). We recommend adding these two updates to your server update schedule, noting that all patched SharePoint Servers will require a restart.

    Microsoft Exchange Server

    Fortunately for us (and all IT admins) Microsoft has not published any security advisories for Microsoft Exchange products this month.

    Microsoft Development Platforms

    Microsoft published three updates rated important for their developer tools platform (CVE-2022-26929, CVE-2022-38013 and CVE-2022-38020) affecting Microsoft .NET and the Visual Studio platform. These three updates are relatively low risk to deploy and should be added to your standard developer release schedule.

    Adobe (really just Reader)

    Adobe published six security bulletins affecting: Animate, Bridge, Illustrator, InCopy, InDesign and RoboHelp. However, there were no updates to Adobe Reader or other related PDF products. This may be the result of Adobe being otherwise engaged with the $20 billion purchase of Figma.

    Copyright © 2022 IDG Communications, Inc.


  • Sadly, IT can no longer trust geolocation for much of anything


    Geolocation was once a glorious way to know who your company is dealing with (and sometimes what they are doing). Then VPNs started to undermine that. And now, things have gotten so bad that the Apple App Store and Google Play both offer apps that unashamedly declare they can spoof locations — and neither mobile OS vendor does anything to stop it.

    Why? It seems both Apple and Google created the holes these developers are using.

    In a nutshell, Apple and Google — to test their apps across various geographies — needed to be able to trick the system into thinking that their developers are wherever they wanted to say that they are. What’s good for the mobile goose, as they say.

    Food delivery services use geolocation to track delivery people and to see if they have indeed delivered to a customer’s address. Banks use location to see whether a bank account applicant is really where the applicant claims — or to see whether multiple bogus applications are coming from the same area. And AirBNB uses geolocation to try and detect fake listings and fake reviews, according to André Ferraz, the CEO of mobile location security firm Incognia.

    “For fraudsters, besides exploiting developer mode to change GPS coordinates, many other tools enable location spoofing, both for IP-based geolocation and GPS-based geolocation,” Ferraz said. “For IP-based geolocation, there are VPNs, proxies, tor, tunneling. For GPS, the most accessible are the fake GPS applications. Still, there are also tampering and instrumentation tools, rooted or jailbroken devices, emulators, tampering with the location data in motion and many others.”

    Ferraz is regrettably right. Regardless of which one of these many options a fraudster opts to use, the bottom line is that IT simply can no longer trust geolocation for much of anything. There are some applications where the risk of meaningful damage from location fraud is so low that it’s probably fine to use location — say, a gaming application where someone pretends to be in Central Park when they aren’t. If all they get are points or access to a special visual treat, it’s likely harmless.

    Trust, here, is the key word. If your business needs to trust location data, then an alternative is needed. 

    Can this location fraud be detected? It gets tricky. Certain fraudulent methods can be detected, but not all — and certainly not all of the time. More importantly, merely detecting a geolocation anomaly should not on its own positively determine fraud. 

    VPN is a wonderful example. Many users have gotten so used to surfing the Internet in VPN mode that they do so all the time. That means they may not even think about it when they try, for example, to open a bank account. Instead of assuming fraud and blocking access and declining the application, banks could offer up a simple pop-up warning: “It appears that you are using a VPN. Although we applaud your security and privacy intent, what appears to be a VPN is interfering with our location-detection. Please turn off your VPN, shut down your browser, relaunch your browser and come back.”

    The problem with spoof detection is that some companies will overreact and assume intentional fraud. It’s not that simple.

    Ferraz chooses not to fault either Google or Apple, since they truly do need to mimic locations across the globe. 

    “This feature to enable developers to test their apps as if they were elsewhere was purposefully built by the OS providers, Android and iOS. Therefore, it is not a security vulnerability from the operating system. Otherwise, developers would not be able to work remotely, for example, because they would need to go in-person to places where the App offers some location-based service for testing purposes,” Ferraz said. “The OS even provides APIs for developers to identify if the device is in developer mode and has activated the tool that enables them to change the GPS coordinates. Unfortunately, many developers don’t use this and other device signals to identify location spoofing.”

    Ferraz cites the food-delivery service as a classic example of how some companies try to use location tracking — but can get burned. There are multiple ways fraudsters try to rip off food-delivery services; some will accept a delivery and simply not go anywhere. Instead, they trick the food delivery system into thinking they picked up the order and then delivered it. 

    The problem with some of these services is that they pay instantly once the system thinks the food’s been delivered. If they chose to wait, let’s say an hour or so, they could avoid the fraud. That hour leaves plenty of time for the customer to phone in and complain that the food was never delivered. (Sometimes, the food delivery company will “verify” whether the food was delivered by looking at the geolocation tracking. Oops! They fail to deliver and may call a customer a liar.)

    Sometimes, food delivery fraud is not about money — it’s about the food itself. Ferraz said some drivers will actually pick up the order and eat it themselves — while tricking the app into “seeing” the driver deliver to the customer. 

    This raises the question of what IT should do about the issue. There’s a big difference between “don’t use geolocation” and “don’t trust geolocation.” It’s similar to how a journalist deals with an unreliable source; you don’t necessarily ignore what they are saying, but you triple verify everything.

    Take cybersecurity authentication, for example. If you’re doing everything properly — especially in a zero-trust environment — you’re likely relying on dozens or more datapoints. In that scenario, it’s fine to use geolocation data. After all, most of that data is probably fine. Just as with the bank example, don’t reject someone solely based on a mismatched location. But it’s perfectly appropriate to use any mismatch to trigger further questions.

    There’s no reason you can’t have different processes; in some cases, geolocation accuracy is relied upon; in others, it’s merely supplemental; in still others, it doesn’t matter that much (possibly gaming). In short, use geolocation but no longer even think about trusting it.


  • How to Check if You are Using Wayland or Xorg?


    There’s a technical transition going on within the desktop Linux world.

    Most mainstream distros have begun to move to the Wayland display server by default.

    But not all legacy components are compatible with the newer Wayland. They work only with the good old X or Xorg display server.

    So, when you find yourself having trouble with your Linux system, it would be wise to check whether the problem is caused by the display server.

    Let me show you how to check which display server you are using.

    Check whether Wayland or Xorg is in use

    The easiest and perhaps the most reliable way is to use the following command in a terminal:

    echo $XDG_SESSION_TYPE

    If you are using Wayland, you should get ‘wayland’ in the output:


    $ echo $XDG_SESSION_TYPE
    wayland

    If you use Xorg (X display server), you should get x11 in the output.

    $ echo $XDG_SESSION_TYPE
    x11

    To summarize:

    • Check the value of the $XDG_SESSION_TYPE variable in the terminal
    • For Wayland, you get wayland and for Xorg you get x11 in the output.
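As an added example (not from the original article), the following POSIX shell helper performs the same check but also covers the case where $XDG_SESSION_TYPE is empty, which happens in a TTY login, over ssh, or in a shell started with sudo -i; it falls back to the WAYLAND_DISPLAY and DISPLAY variables and, because Xwayland also sets DISPLAY under Wayland, checks WAYLAND_DISPLAY first.

```shell
#!/bin/sh
# Added example, not from the original article: report the display-server
# session type. XDG_SESSION_TYPE is authoritative when the login manager set
# it; when it is empty (TTY, ssh, a shell started with `sudo -i`) fall back
# to the display sockets. Under Wayland, Xwayland also sets DISPLAY, so
# WAYLAND_DISPLAY is checked first.

# detect_session_type XDG_SESSION_TYPE WAYLAND_DISPLAY DISPLAY
# Prints one of: wayland, x11, tty, unknown. The hints are passed as
# arguments so the logic can be exercised without a graphical session.
detect_session_type() {
    session_type=$1
    wayland_display=$2
    x_display=$3

    case $session_type in
        wayland|x11|tty)
            printf '%s\n' "$session_type"
            return 0
            ;;
    esac

    # XDG_SESSION_TYPE is empty or holds an unrecognised value: infer the
    # answer from which display sockets are advertised.
    if [ -n "$wayland_display" ]; then
        printf 'wayland\n'
    elif [ -n "$x_display" ]; then
        printf 'x11\n'
    else
        printf 'unknown\n'
    fi
}

# current_session_type: the same check against the real environment.
current_session_type() {
    detect_session_type "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}"
}

# When run as a script, print the result together with the article's advice.
case $(current_session_type) in
    wayland) echo "wayland: if a screen recorder or screenshot tool misbehaves, try an Xorg session" ;;
    x11)     echo "x11: legacy components should work; Wayland is not in use" ;;
    tty)     echo "tty: no display server in this session" ;;
    *)       echo "unknown: no session hints found (not a graphical session?)" ;;
esac
```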

    A ridiculous but fun way to know if you are using Wayland on GNOME

    I found it on the Fedora subreddit. If you are using GNOME, press Alt+F2, type r in the dialogue box and press Enter. Normally it restarts the GNOME shell. But it won’t work in Wayland. It will display ‘Restart is not available on Wayland’.


    To Wayland or not?

    GNOME has put a lot of emphasis on Wayland to provide a modern desktop experience. Ubuntu, Fedora and many other distros have switched to Wayland by default, but many applications are lagging behind in Wayland support.

    Many screen recorders and screenshot tools don’t work with Wayland. Switching back to Xorg is the only option at times. Thankfully, it’s quite easy to switch between Xorg and Wayland. Just log out, click the user profile and then click the gear icon at the bottom to choose the session you want.

    Personally, I recommend sticking with what your distribution provides. Only switch to the other when it’s required.

  • The quick and easy guide to eSIM on Apple’s iPhone 14


    Apple’s move to eliminate the SIM tray in US models of its new iPhone 14 could be a bigger move than its decision to abandon the old headphone port with iPhone 7. The obvious questions: what does eSIM offer and how do you provision devices?

    Apple’s journey to eSIM

    Apple first introduced electronic Subscriber Identity Module (eSIM) support in the iPhone XS, but it was optional — the handset also had a SIM tray for use with physical SIM cards. But Apple’s newly introduced iPhone 14 line-up has no SIM tray in the US, which means carriers must provision the device exclusively using an eSIM. (The new iPhones arrive on Friday.)

    It’s likely the company is trying to accelerate eSIM adoption with the move even though Apple smartphones sold outside the US will continue to host SIM trays.

    What is an eSIM?

    An eSIM is a built-in programmable identity module placed inside the iPhone itself. It’s like a hard-wired SIM, but must be provisioned by the networks, who must also upgrade their own systems to accommodate their use.

    Just like a physical SIM card, an eSIM carries a 17-digit code that shows your country of origin, carrier, and unique user ID.

    Apple’s decision to move to the eSIM is fine if your carrier supports the technology, but the decision to make it mandatory could prove challenging for a small number of US customers whose carriers don’t. I received several messages apparently from readers in the US on smaller carriers complaining about Apple’s decision when it was announced. Hopefully, the carriers will play ball.

    The pros and cons of eSIM use

    Apple’s move to eSIM will probably have little impact on most people’s experience. But there are pros and cons to its use.

    One pro is that you no longer need to use a physical SIM, which means moving between handsets might become a little easier when your carrier supports eSIM. There is likely also a positive impact in terms of ensuring iPhones remain water resistant, as the removal of the tray also means the removal of an opening in the case.

    Another advantage: you can have multiple lines installed. Apple says you can store at least eight different eSIMs on the device and have any two active at any time. When you have multiple eSIMs installed, the two “active” numbers can make and receive voice and FaceTime calls and send and receive messages using iMessage, SMS, and MMS. Your iPhone will still only use one mobile data network at a time.

    One con is that use of eSIM makes it much harder for international travellers to simply pick up a Pay As You Go (PAYG) SIM to use with their device once they reach their destination. Given hefty roaming charges, this might be a big negative for frequent travellers, particularly those travelling to nations in which eSIMs are not available, though providers such as GigSky may be able to help some travellers plug this gap.

    Another potential negative would arise if carriers then decide to begin levying hefty fees against users attempting to provision an eSIM, or use the tech to make it even harder to migrate devices between networks.


    How to set up an iPhone eSIM

    There are several ways to set up an eSIM on an iPhone. These include eSIM Carrier Activation, eSIM Quick Transfer, and other activation methods. Here’s a list of carriers and how they support eSIM.

    1. How to use eSIM Network Provider Activation

    This means your network provider assigns an eSIM to your iPhone on purchase. If an eSIM was assigned to your iPhone when you bought it, turn on your iPhone and follow the instructions to activate your eSIM.

    If you are moving to a new device the line is frequently provided via a QR code which must be scanned by your device. It may also be provided within your network provider’s iPhone app. Alternatively, you might receive a notification that says Provider Mobile Data Plan Ready to Be Installed, which you should approve.

    2. How to use eSIM Quick Transfer to convert a physical SIM

    If your carrier supports eSIM Quick Transfer, you can convert your physical SIM to an eSIM when you set up your iPhone (you won’t need to contact your network provider). To do so, open Settings>Cellular and tap the Convert to eSIM button, if it is available. If that button is not available, you will need to contact your carrier. If the button does exist, tap Convert Cellular Plan, and then choose Convert to eSIM. Once the eSIM is activated, your SIM card will be deactivated, at which point you should remove the physical SIM and reboot your iPhone. You will see an option that enables you to transfer the eSIM to another device once the process is complete.

    3. How to use eSIM Quick Transfer to transfer your line

    First, ensure both the old and new iPhones are running iOS 16. Then open Settings>Mobile Data>Add Data Plan. You should see one or more mobile data plans to “transfer from another device,” or tap Transfer From Another Device. You’ll be provided with instructions on your older device that you must follow to transfer the line, and may be asked for a verification code. Then wait until the transfer takes place. You may receive a message asking you to Finish Setting Up Your Network Provider’s Data Plan. Follow this to be redirected to your network provider’s web page to transfer your eSIM to your new device.

    It is important to note that not every carrier supports all the different ways in which to transfer your line.

    4. You may need to enter details manually

    It is possible your carrier will choose to supply you with details you must enter into your device manually in order to activate an eSIM. You’ll enter these in Settings>Cellular or Mobile Data>Add Mobile Data Plan and then select Enter Details Manually.

    Preparing your device for sale

    You may need to erase your eSIM, particularly if you choose to assign it to another device or are preparing to trade or sell on your existing iPhone. This is easy to achieve, just open up Settings>Cellular or Mobile Data where you should select the plan you want to get rid of and then choose Delete SIM.

    How is it for you?

    I’m particularly interested in learning if the process is more or less complicated for large device deployments and the process (if any) of remote provisioning of eSIM for IT admins. Drop me a line if you have insight into this.

    Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.


  • How I troubleshoot swappiness and startup time on Linux


    I recently experienced another interesting problem in the Linux startup sequence that has a circumvention, not a solution. It started quite unexpectedly.

    I was writing a few articles while making some updates to my personal copy of my series of books, “Using and Administering Linux: Zero to SysAdmin.” I had four instances of LibreOffice Writer open to do all that. I had three VMs running with VirtualBox to test some of the things I was writing about. I also had LibreOffice Impress open to work on an unrelated presentation. I like to listen to music, so I had one of several tabs in Firefox open to Pandora, my music streaming service of choice. I had several Bash shells open using Konsole with numerous tabs and the Alpine text-mode email client in one. Then there were the various tabs in the Thunar file manager.

    So I had a lot going on. Just like I do now as I write this article.

    The symptoms

    As I used these open sessions, I noticed that things slowed down considerably while waiting for the system to write a document to the M.3 SSD, a process that should have been really fast. I also noticed that the music was choppy and dropped out completely every few minutes. Overall performance was generally poor. I began to think that Fedora had a serious problem.

    My primary workstation, the one I was working on at the time, has 64GB of RAM and an Intel Core i9 Extreme with 16 cores and Hyperthreading (32 CPUs) that can run as fast as 4.1 GHz using my configured overclocking. So I shouldn’t have experienced any slowdowns, or so I thought at the time.

    Determine the problem

    It didn’t take long to find the problem because I’ve experienced similar symptoms before on systems with far less memory. The issue looked like delays due to page swapping. But why?

    I started with one of my go-to tools for problem determination, htop. It showed that the system was using 13.6GB of memory for programs, and most of the rest of the RAM was in cache and buffers. It also showed that swapping was actively occurring and that about 253MB of data was stored in the swap partitions.

    Date & Time: 2022-08-12 10:53:08
    Uptime: 2 days, 23:47:15
    Tasks: 200, 1559 thr, 371 kthr; 4 running
    Load average: 3.97 3.05 2.08

    Disk IO: 202.6% read: 687M write: 188K
    Network: rx: 0KiB/s tx: 0KiB/s (0/0 packets)
    Systemd: running (0/662 failed) (0/7912 jobs)
    Mem[|||||||##*@@@@@@@@@@@@@@@@@@@@@@@@@@    13.6G/62.5G]
    Swp[||#                                      253M/18.0G]

    
    

    But that meant I still had plenty of memory left that the system could use directly for programs and data, and more that it could recover from cache and buffers. So why was this system even swapping at all?

    I remembered hearing about the “swappiness” factor in one of my Red Hat training classes. But that was a long time ago. I did some searches on “swappiness” to learn about the kernel setting vm.swappiness.

    The default value for this kernel parameter is 60. That represents the percent of free memory not yet in use. When the system reaches that 60% trigger point, it begins to swap, no matter how much free memory is available. My system started swapping when about 0.6 * 62.5GB = 37.5GB of unused memory remained.

    Based on my online reading, I found that 10% is a better setting for many Linux systems. With that setting, swapping begins when only 10% of RAM is free.

    I checked the current swappiness setting on my system, and it was set to the default.

    # sysctl vm.swappiness
    vm.swappiness = 60

    
    

    Time to change this kernel setting.

    Fix the problem

    I won’t dive into the gory details, but the bottom line is that either of the following commands, run as root, will immediately do the job on a running Linux computer without a reboot.

    # sysctl -w vm.swappiness=10

    You could also use this next command to do the same thing.

    # echo 10 > /proc/sys/vm/swappiness

    Tecmint has a good article about setting kernel parameters.

    Both commands change the live kernel setting in the /proc filesystem. After running either of these commands, you should run the sysctl vm.swappiness command to verify that the kernel setting has changed.

    But these commands only change the swappiness value for the currently running system. A reboot returns the value to its default. I needed to ensure that this change is made persistent across reboots.

    But first, the failure

    To permanently change the kernel vm.swappiness variable, I used the procedure described in my earlier article, How I disabled IPv6 on Linux, to add the following line to the end of the /etc/default/grub file:

    GRUB_CMDLINE_LINUX="vm.swappiness=1"

    I then ran the grub2-mkconfig command as root to rebuild the /boot/grub2/grub.cfg file. However, testing with VMs and real hardware showed that it didn’t work, and the swappiness value didn’t change. So I tried another approach.

    And the success

    Between this failure at startup time, the one I describe in the How I disabled IPv6 on Linux article, and other startup issues I explored as a result of encountering these two, I decided that this was a Linux startup timing problem. In other words, some required services, one of which might be the network itself, weren’t up and running, which prevented these kernel option changes from being committed to the /proc filesystem, or they were committed and then overwritten when the service started.

    I could make all of these work as they should by adding them to a new file, /etc/sysctl.d/local-sysctl.conf, with the following content, which includes all of my local kernel option changes:

    ###############################################
    #            local-sysctl.conf                #
    #                                             #
    # Local kernel option settings.               #
    # Install this file in the /etc/sysctl.d      #
    # directory.                                  #
    #                                             #
    # Use the command:                            #
    # sysctl -p /etc/sysctl.d/local-sysctl.conf   #
    # to activate.                                #
    #                                             #
    ###############################################
    ###############################################
    # Local Network settings                      #
    # Specifically to disable IPV6                #
    ###############################################
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

    ###############################################
    # Virtual Memory                              #
    ###############################################
    # Set swappiness
    vm.swappiness = 1

    
    

    I then ran the following command, which activated only the kernel options in the specified file:

    # sysctl -p /etc/sysctl.d/local-sysctl.conf
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    vm.swappiness = 13

    
    

    This is a more targeted approach to setting kernel options than I used in my article about disabling IPv6.
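The verification step above (re-reading the live value after sysctl -p) is what tells you whether a sysctl.d file actually took effect, and the whole startup problem in this article is that the live values did not match the file after a reboot. As an added example (not from the original article), the POSIX shell script below compares every key in a sysctl.d-style file against the matching /proc/sys file and reports OK, MISMATCH or MISSING per key; the /proc/sys root is a parameter, and the demo runs against a constructed directory tree holding the defaults the article started from, so it needs no root privileges.

```shell
#!/bin/sh
# Added example, not from the original article: verify that every setting in a
# sysctl.d-style file is actually in effect in the running kernel. This is the
# check the article's "did my local settings survive startup?" problem calls
# for. The kernel exposes each sysctl key as a file under /proc/sys with the
# dots replaced by slashes (vm.swappiness is /proc/sys/vm/swappiness). The
# /proc/sys root is a parameter so the logic can be exercised against a
# constructed directory tree without root privileges.

# sysctl_key_to_path ROOT KEY: print the /proc/sys file that backs KEY.
sysctl_key_to_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# trim: strip leading and trailing whitespace from stdin.
trim() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_sysctl_conf CONF [ROOT]
# Prints one line per setting: "OK key = value", "MISMATCH key: want X, have Y"
# or "MISSING key" (no such sysctl). Returns 0 only when every setting matches.
check_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    # sysctl.conf(5): comments start with '#' or ';'; blank lines are ignored.
    # A here-document keeps the loop in the current shell so rc survives it.
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | trim)
        [ -n "$key" ] || continue
        value=$(printf '%s' "$value" | trim)
        path=$(sysctl_key_to_path "$root" "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$key"
            rc=1
            continue
        fi
        # Collapse internal whitespace so multi-valued sysctls compare predictably.
        live=$(tr -s '[:space:]' ' ' < "$path" | trim)
        if [ "$live" = "$value" ]; then
            printf 'OK %s = %s\n' "$key" "$value"
        else
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$value" "$live"
            rc=1
        fi
    done <<EOF
$(sed -e 's/[#;].*$//' "$conf")
EOF
    return $rc
}

# build_demo_root DIR: a constructed stand-in for /proc/sys holding the kernel
# defaults the article started from (swappiness 60, IPv6 enabled).
build_demo_root() {
    mkdir -p "$1/vm" "$1/net/ipv6/conf/all" "$1/net/ipv6/conf/default"
    echo 60 > "$1/vm/swappiness"
    echo 0 > "$1/net/ipv6/conf/all/disable_ipv6"
    echo 0 > "$1/net/ipv6/conf/default/disable_ipv6"
}

# write_demo_conf FILE: the three settings from the article's local-sysctl.conf.
write_demo_conf() {
    cat > "$1" <<'EOF'
# Local kernel option settings (constructed copy of the article's file)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

; Virtual memory
vm.swappiness = 1
EOF
}

# demo: check the constructed tree before and after the settings are applied
# (writing the /proc/sys files is what `sysctl -p` does under the hood).
demo() {
    tmp=$(mktemp -d)
    build_demo_root "$tmp/sys"
    write_demo_conf "$tmp/local-sysctl.conf"
    echo "Before applying (expect three MISMATCH lines):"
    check_sysctl_conf "$tmp/local-sysctl.conf" "$tmp/sys" || true
    for f in vm/swappiness net/ipv6/conf/all/disable_ipv6 net/ipv6/conf/default/disable_ipv6; do
        echo 1 > "$tmp/sys/$f"
    done
    echo "After applying (expect three OK lines):"
    if check_sysctl_conf "$tmp/local-sysctl.conf" "$tmp/sys"; then status=0; else status=1; fi
    rm -rf "$tmp"
    return $status
}

demo
```

Run against the real kernel with `check_sysctl_conf /etc/sysctl.d/local-sysctl.conf` (no second argument) from a late-startup systemd unit or a cron job, and a non-zero exit tells you the file was not applied or was overwritten.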

    Reporting the bug

    At the time of this writing, there is no true fix for the root cause of this problem, whatever the cause. There is a way to temporarily circumvent the issue until a fix is provided. I used the /etc/sysctl.d/local-sysctl.conf file that I had created for testing and added a systemd service to run at the end of the startup sequence, wait for a few seconds, and run sysctl on that new file. The details of how to do this are in the How I disabled IPv6 on Linux article.

    I had already reported this as bug 2103517 using Red Hat’s Bugzilla when trying to disable IPv6. I added this new information to that bug to ensure that my latest findings were available to the kernel developers.

    You can follow the link to view the bug report. You do not need an account to view bug reports.

    Final thoughts

    After experimenting to see how well I could reproduce the symptoms, along with many others, I’ve determined that the vm.swappiness setting of 60% is far too aggressive for many large-memory Linux systems. Without many more data points than those of my own computers, all I can tentatively conclude is that systems with huge amounts of RAM that get used only occasionally are the primary victims of this problem.

    The quick solution to the problem of local kernel option settings not working is to set them after startup. The automation I implemented is a good example of how to use systemd to replace the old SystemV startup file rc.local.

    This bug had not been previously reported. It took several days of experimenting to verify that the general problem in which locally-set kernel options weren’t being set or retained at startup time was easily repeatable on several physical and virtual systems. At that point, I felt it important to report the bug to ensure it gets fixed. Reporting it is another way I can give back to the Linux community.

  • How I recovered my Linux system using a Live USB device


    I have a dozen or so physical computers in my home lab and even more VMs. I use most of these systems for testing and experimentation. I frequently write about using automation to make sysadmin tasks easier. I have also written in several places that I learn more from my own mistakes than I do in almost any other way.

    I have learned a lot over the past couple of weeks.

    I created a major problem for myself. Having been a sysadmin for years and written hundreds of articles and five books about Linux, I really should have known better. Then again, we all make mistakes, which is an important lesson: You are never too experienced to make a mistake.

    I am not going to discuss the details of my error. It is enough to tell you that it was a mistake and that I should have put a lot more thought into what I was doing before I did it. Besides, the details are not really the point. Experience cannot save you from every mistake you are going to make, but it can help you in recovery. And that is really what this article is about: Using a Live USB distribution to boot and enter a recovery mode.

    The problem

    First, I created the problem, which was essentially a bad configuration for the /etc/default/grub file. Next, I used Ansible to distribute the misconfigured file to all my physical computers and run grub2-mkconfig. All 12 of them. Really, really fast.

    All but two failed to boot. They crashed during the very early stages of Linux startup with various errors indicating that the /root filesystem could not be located.

    I could use the root password to get into "maintenance" mode, but without /root mounted, it was impossible to access even the simplest tools. Booting directly to the recovery kernel did not work either. The systems were truly broken.

    Recovery mode with Fedora

    The only way to resolve this problem was to find a way to get into recovery mode. When all else fails, Fedora provides a really cool tool: The same Live USB thumb drive used to install new instances of Fedora.

    After setting the BIOS to boot from the Live USB device, I booted into the Fedora 36 Xfce live user desktop. I opened two terminal sessions next to each other on the desktop and switched to root privilege in both.

    I ran lsblk in one for reference. I used the results to identify the / root partition and the boot and efi partitions. I used one of my VMs, as seen below. There is no efi partition in this case because this VM does not use UEFI.

    # lsblk
    NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
    loop0             7:0    0  1.5G  1 loop
    loop1             7:1    0    6G  1 loop
    ├─live-rw       253:0    0    6G  0 dm   /
    └─live-base     253:1    0    6G  1 dm
    loop2             7:2    0   32G  0 loop
    └─live-rw       253:0    0    6G  0 dm   /
    sda               8:0    0  120G  0 disk
    ├─sda1            8:1    0    1G  0 part
    └─sda2            8:2    0  119G  0 part
      ├─vg01-swap   253:2    0    4G  0 lvm
      ├─vg01-tmp    253:3    0   10G  0 lvm
      ├─vg01-var    253:4    0   20G  0 lvm
      ├─vg01-home   253:5    0    5G  0 lvm
      ├─vg01-usr    253:6    0   20G  0 lvm
      └─vg01-root   253:7    0    5G  0 lvm
    sr0              11:0    1  1.6G  0 rom  /run/initramfs/live
    zram0           252:0    0    8G  0 disk [SWAP]

    The /dev/sda1 partition is easily identifiable as /boot, and the root partition is fairly obvious as well.

    In the other terminal session, I performed a series of steps to recover my systems. The exact volume group names and device partitions such as /dev/sda1 will differ on your systems. The commands shown here are specific to my situation.

    The objective is to boot and get through startup using the Live USB, then mount only the necessary filesystems in an image directory and run the chroot command to run Linux in the chrooted image directory. This approach bypasses the damaged GRUB (or other) configuration files. However, it provides a complete running system with all the original filesystems mounted for recovery, both as the source of the tools required and as the target of the changes to be made.

    Here are the steps and related commands:

    1. Create the directory /mnt/sysimage to provide a location for the chroot directory.

    2. Mount the root partition on /mnt/sysimage:

    # mount /dev/mapper/vg01-root /mnt/sysimage

    3. Make /mnt/sysimage your working directory:

    # cd /mnt/sysimage

    4. Mount the /boot and /boot/efi filesystems.

    5. Mount the other main filesystems. Filesystems like /home and /tmp are not needed for this procedure:

    # mount /dev/mapper/vg01-usr usr

    # mount /dev/mapper/vg01-var var


    6. Mount important but already mounted filesystems that must be shared between the chrooted system and the original Live system, which is still out there and running:

    # mount --bind /sys sys

    # mount --bind /proc proc

    7. Be sure to do the /dev directory last, or the other filesystems will not mount:

    # mount --bind /dev dev

    8. Chroot the system image:

    # chroot /mnt/sysimage
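    The eight steps above, wrapped into one shell function as an added example (not code from the original article). It assumes the device names from the lsblk output (vg01-root, /dev/sda1, vg01-usr, vg01-var) and a default image directory of /mnt/sysimage; with DRY_RUN=1 it only prints the commands it would run, which is a cheap way to check the mount order before touching any disk.

```shell
#!/bin/sh
# Added example, not from the original article: the recovery steps in one
# function so the mount order (root first, then boot/efi and the other LVs,
# then /sys and /proc, and /dev last) is fixed in one place.
# Assumed device names follow the article's lsblk output (vg01-root, /dev/sda1);
# on a UEFI host an extra "boot/efi=/dev/sdaN" entry would follow the boot entry.

SYSIMAGE=${SYSIMAGE:-/mnt/sysimage}

# Print the command instead of running it when DRY_RUN=1, so the whole
# sequence can be reviewed before any disk is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mount_recovery ROOT_DEV [TARGET=DEV ...]
# TARGET is relative to $SYSIMAGE (boot, boot/efi, usr, var); list parents
# before children, e.g. boot before boot/efi.
mount_recovery() {
    root_dev=$1
    shift
    run mkdir -p "$SYSIMAGE"
    run mount "$root_dev" "$SYSIMAGE"
    for spec in "$@"; do
        target=${spec%%=*}
        dev=${spec#*=}
        # The mount point must already exist in the repaired root filesystem;
        # a missing one usually means the wrong LV was mounted as root.
        if [ "${DRY_RUN:-0}" != 1 ] && [ ! -d "$SYSIMAGE/$target" ]; then
            echo "mount_recovery: $SYSIMAGE/$target does not exist" >&2
            return 1
        fi
        run mount "$dev" "$SYSIMAGE/$target"
    done
    # Kernel filesystems shared with the still-running Live system.
    run mount --bind /sys "$SYSIMAGE/sys"
    run mount --bind /proc "$SYSIMAGE/proc"
    # /dev must be the last bind mount (step 7 above).
    run mount --bind /dev "$SYSIMAGE/dev"
}

# Typical use on the VM from the article, from a root shell on the Live USB:
#   mount_recovery /dev/mapper/vg01-root boot=/dev/sda1 \
#       usr=/dev/mapper/vg01-usr var=/dev/mapper/vg01-var && chroot "$SYSIMAGE"
```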

    The system is now ready for whatever you need to do to recover it to a working state. However, one time I was able to run my server for several days in this state until I could research and test real fixes. I do not really recommend that, but it can be an option in a dire emergency when things just need to get up and running, now!

    The solution

    The fix was easy once I got each system into recovery mode. Because my systems now worked just as if they had booted successfully, I simply made the necessary changes to /etc/default/grub and /etc/fstab and ran the grub2-mkconfig > boot/grub2/grub.cfg command. I used the exit command to exit from chroot and then rebooted the host.

    Of course, I could not automate the recovery from my mishap. I had to perform this entire process manually on each host, a fitting bit of karmic retribution for using automation to quickly and easily propagate my own errors.

    Lessons learned

    Despite their usefulness, I used to hate the "Lessons Learned" sessions we would have at some of my sysadmin jobs, but it does appear that I need to remind myself of some things. So here are my "Lessons Learned" from this self-inflicted fiasco.

    First, the ten systems that failed to boot used a different volume group naming scheme, and my new GRUB configuration failed to take that into account. I simply ignored the fact that they might possibly be different.

    • Think it through completely.
    • Not all systems are alike.
    • Test everything.
    • Verify everything.
    • Never make assumptions.

    Everything now works fine. Hopefully, I am a little bit smarter, too.