Are You Smarter Than John?

How not to manage your passwords… John, and his unique approach to security, is part of an F-Secure Internet Security 2011 campaign. You can find more at besmarterthanjohn.com.

October 21, 2010 · 1 min · 28 words · Omid Farhang

Predator Software Pirated?

This isn’t good: Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the “government client” seeking assistance with Predator drones was none other than the Central Intelligence Agency. IISi is seeking an injunction that would halt the use of their two toolkits by Netezza for three years. Most importantly, IISi alleges in court papers that Netezza used a “hack” version of their software with incomplete targeting functionality in response to rushed CIA deadlines. As a result, Predator drones could be missing their targets by as much as 40 feet. ...

October 21, 2010 · 1 min · 164 words · Omid Farhang

Microsoft sees "unprecedented wave" of Java malware exploits

There has been an “unprecedented wave” of exploits against vulnerabilities in Oracle’s Java during the third quarter of this year, according to data from the Microsoft Malware Protection Center. The software giant provided the following data to back its claims, outlining three specific vulnerabilities (all of which have patches available) that are being exploited en masse:

CVE | Attacks | Computers | Description
2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353.

As you can see, the first two are particularly worrying: they’ve gone from hundreds of thousands per quarter to millions. The third one is the newest, so it’s possible that it will also do the same. ...

October 19, 2010 · 2 min · 383 words · Omid Farhang

RealPlayer Security Updates Published

RealNetworks, Inc. have published product upgrades addressing vulnerabilities in RealPlayer SP 1.1.4 and earlier. The vulnerabilities may allow an attacker to execute arbitrary code. Windows users of RealPlayer SP 1.1.4 and earlier are advised to upgrade to the latest version here. For more information, visit RealNetworks’ security advisory here.

October 18, 2010 · 1 min · 49 words · Omid Farhang

Help keep your account safe with the Gmail security checklist

Posted by Diana Phan, Gmail Support Team

October is National Cyber Security Awareness month and a good time for a reminder about why hijackers do what they do and how you can protect your account. Check out the Online Security blog to learn about common hijacking techniques and security practices that will help you stay one step ahead of the bad guys. To help ensure your Gmail account is safe, take a minute to visit the Gmail help center and complete their new security checklist. ...

October 16, 2010 · 1 min · 85 words · Omid Farhang

Facebook Introduces Disposable Passwords

Accessing Facebook from a public computer or Internet cafe can now be done more securely. Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely. “We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” said Facebook product manager Jake Brill in a blog post. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.” ...

October 15, 2010 · 2 min · 353 words · Omid Farhang

Browser cookies are becoming an issue

The New York Times is reporting a rising number of lawsuits against some major players because of their use of persistent web tracking:

- Fox Entertainment Group
- NBC Universal
- Specific Media
- Quantcast

The Times said the suits claim that the companies used Flash cookies to collect data on browsing activities even though users had privacy settings on to block them. ...

September 23, 2010 · 3 min · 483 words · Omid Farhang

Security issues on Android

One unique security feature of Android is the permission check when installing third-party apps. The system lists all permissions that an app requires and asks the user to confirm that they are acceptable. Such permissions include the ability to receive your location, send or receive text messages, access the internet, make phone calls and many more. The user can be sure that the app is not doing any of these activities without the appropriate permission. If the developer forgets to add a particular permission, the operating system will simply block the corresponding function, which leads to a “Force Close”, meaning the app will be terminated. ...

September 20, 2010 · 4 min · 670 words · Omid Farhang

Another call to avoid “admin” privileges

For the second time recently, a security researcher has pointed out that running machines without administrative privileges could significantly improve security. Mikko Hypponen, the head of research at Finnish AV company F-Secure, said in an interview with The Inquirer that a great way to stop a lot of malware would be to take administrative rights away from online users. “Most wouldn’t notice (although those who did would be incandescent with annoyance) and most malware would be stopped from functioning. It should have been done already,” he said. ...

May 3, 2010 · 1 min · 175 words · Omid Farhang

Eliminate two thirds of comp security risk!

Don’t run your PC with admin privileges

Sometimes in life you know something is a risk, but you don’t know how BIG a risk it is until somebody actually checks it out. There was a German scientist in Russia who repeated Ben Franklin’s kite-in-the-thunder-storm experiment but didn’t live to write up his results. Los Angeles security firm BeyondTrust has released an analysis of Microsoft’s 75 security bulletins last year. They came to the startling conclusion that if users had operated their computers without administrative rights they would have eliminated 64 percent of their risk from Microsoft vulnerabilities! ...

April 2, 2010 · 2 min · 261 words · Omid Farhang