September 2012 - Posts
QUOTE: When Microsoft's new operating system, Windows 8, hits the market on Oct. 26, it will be chock-full of new and enhanced features aimed at giving users more security than ever before. "There are quite a few security improvements," said Roel Schouwenberg, a senior researcher in the Boston-area office of Russian anti-virus firm Kaspersky Lab. "It all starts at the boot level, with Windows 8 offering the ability to do a secure boot."
Good resource for security professionals
Trend Labs shares an informative update related to adware risks for mobile phones
QUOTE: Despite offering impressive resolutions and more advanced features, users are more concerned with their devices’ battery life. Though manufacturers are poised to offer devices with longer battery life, certain trends such as 4G/LTE potentially offset battery enhancements. Usage of certain apps and ads were also found to be power-hungry activities. In particular, ads displayed on mobile devices were also found to consume 65-75 percent of energy in free apps, as per a Purdue University and Microsoft study. In August, we saw an increase of adware in Android applications. While these apps can have malicious routines like collecting user’s personal information, they also pose risks to battery life.
MORE INFORMATION HERE The Growing Problems of Mobile Adware
While only the individual user can see this, sharing your password or hackers compromising an account could create some privacy concerns.
QUOTE: Facebook announced yesterday that they will now be adding user search history to their Activity Log. The Activity Log was released along with Timeline late last year and is a useful tool that allows you to quickly review and manage your Facebook activity. Quite a few bloggers have posted some sensational headlines about this new feature. First off, only you can see your Activity Log. Unless you let other people access your Facebook account you really don’t have anything to worry about. If your account is hacked, you probably have bigger problems than a hacker viewing your search history.
The Next Web warns on a new vulnerability that may allow unwanted posts by email:
QUOTE: Three Facebook users, Hasin Hayder, Rifat Nabi, and Abu Ashraf Masnun, have discovered a security hole in the social network that could lead to a potentially big privacy problem. The “post-by-email” feature in Facebook Groups reportedly lets an attacker post photos or plain text posts as anyone that is a member of a given group. There are a few requirements, however, if I wanted to spoof you: I would need a local SMTP server (or a server side script) and I would need to know the email address connected to your Facebook account.
Here is how it works. The attacker just has to compose a new email, change the “From:” field in the mail header and replace it with the victim’s email address, and then send the email to the group email address. The exploit works because Facebook does not employ a verification system to check who the email is coming from (according to the trio); the service simply believes the victim is sending the email and posts it as that Facebook user to the group’s Wall on the victim’s behalf. I find that unlikely, but it worked for them.
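One way a mail-ingest service can refuse the forged "From:" described above, as an added example that is not Facebook's code or its fix: accept a post only when the receiving mail server's own Authentication-Results header records a DMARC pass, or a DKIM pass aligned with the From domain. The authserv-id `mx.example.net`, the addresses and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own border MTA (hypothetical name).
TRUSTED_AUTHSERV = "mx.example.net"


def from_domain(msg) -> str:
    """Domain part of the From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_is_authenticated(raw: str) -> bool:
    """True only if our MTA recorded DMARC pass, or DKIM pass aligned with From."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    if not domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        # Ignore results stamped by anyone else: the sender controls those.
        # (The border MTA must also strip inbound headers that use its own id.)
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        if re.search(r"\bdmarc=pass\b", results, re.I):
            return True
        # Simplified alignment: From domain equals, or is a subdomain of, the signer.
        for m in re.finditer(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", results, re.I):
            signer = m.group(1).lower()
            if domain == signer or domain.endswith("." + signer):
                return True
    return False


def make_message(auth_results: str) -> str:
    """Build a constructed post-by-email message with the given auth header."""
    return "\n".join([
        "Authentication-Results: " + auth_results,
        "From: Victim <victim@example.org>",
        "To: somegroup@groups.example.com",
        "Subject: post by email",
        "",
        "Hello group",
    ])


# Constructed samples: a forged From with no valid signature, a genuine message,
# and a forged message that carries its own fake "pass" header.
SPOOFED = make_message("mx.example.net; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.org")
GENUINE = make_message("mx.example.net; dkim=pass header.d=example.org; dmarc=pass header.from=example.org")
FAKE_PASS = make_message("mail.sender.invalid; dkim=pass header.d=example.org; dmarc=pass")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("fake pass", FAKE_PASS)):
        print(name, "->", "post" if sender_is_authenticated(raw) else "reject")
```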
This recently discovered site addresses the general public with an easy-to-understand approach
Some of the following protective topics are covered:
* Alarm Price
* Security Systems
* Alarm Monitoring Options
* Security Cameras
* Computer Security
* Fire Safety Security
* Home Security Checklists
* Security Devices
Facecrooks security warns of potential dangers when combining a social networking environment with e-commerce capabilities. Folks desiring to use the new service should exercise the utmost caution and look out for fake sites, phishing scams, malware attacks, and other threats.
QUOTE: On Thursday, the social networking giant launched Facebook Gifts – a new social gifting service that allows users to purchase real gifts for their friends, have them shipped and have a preview of the gift pop up on their Timeline. Facebook will even give users the choice to send a gift in the “birthday reminders” section on the right hand side of the page. Investors are salivating over the monetization possibilities, as just a minute amount of adaptation could result in a windfall of cash for Facebook. However, this feature has already raised some serious privacy concerns.
“The amount of private data users are sharing on social networking sites already exceeds all security precautions,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, to PC World Australia. “Making it so much easier for the user to add a number of addresses they can receive parcels at (including probably work or school addresses) would make it even easier for real-life criminals to gather information about a potential victim…the new information that might be shared by users is particularly dangerous in the case of account compromise.” Experts also caution that hackers and spyware creators could take advantage of people’s natural curiosity about gifts to exploit them.
Sony released this technology in October 1982, as documented in this article. A few years later it showed up in computers, where it was later replaced by DVD drives.
QUOTE: The digital music revolution officially hit 30 years ago, on Oct. 1, 1982. While you may be surprised to learn that the heralds of the coming age were, in fact, the Bee Gees, it probably comes as less of a shock to learn that Sony was at the very heart of it. After years of research and an intense period of collaboration with Philips, Sony shipped the world's first CD player, the CDP-101. Music — and how we listen to it — would never be the same.
GPS technology is a great tool and is highly accurate in most cases. Still, one should not rely completely on this service without real maps or facilities, as noted in the article.
QUOTE: But GPS only tells you where you are in latitude and longitude — building the visual maps that need to be placed under those pinpoints is a challenging multi-billion-dollar endeavor. Even Google — which stood on the shoulders of mapmakers such as TomTom-owned Tele Atlas and Nokia-owned Navteq when building its remarkable geographical database — can get it wrong every so often.
Further confirmation received that all Android devices may be affected where carriers or vendors have not yet provided patches. An update is noted below:
QUOTE: It turns out that the "Dirty USSD" exploit demonstrated yesterday on Samsung devices affects all Android devices running anything below Android 4.1.x aka Jelly Bean. Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenos Aires) uses the Android dialer to automatically "call" a USSD code (no user permission required!); the code can be spread through a legit-looking URL, an NFC attack, or a malicious QR code. The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics's Ted Eull said they aren't so easy to find.
If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there's not much you can do since the only entity that can update your OS is your carrier, which isn't exactly known for timely patching (hello Android fragmentation). But all is not lost! Here are a few things you can do right now.
1. First, check if your Android phone is even vulnerable with a simple test Borgaonkar made. Click here from your phone's browser. If you can see your IMEI, Borgaonkar advises, tongue in cheek, to disconnect from the Internet.
2. Use an alternative Android dialer, which will stop the automatic execution of any USSD code. Dialer One and exDialer are free, easy to use, and can be found in Google Play. After you install your new dialer, go to your browser and click this link (a website with an innocuous USSD code) and you'll be prompted to complete the action with your stock Android phone, or with the dialer you just installed. Click the latter by default.
3. If you're interested in learning more about how Android fragmentation affects device security, install X-Ray, a DARPA-funded security app from Duo Security. X-Ray simply checks which version of Android you're running and lists all known privilege escalation vulnerabilities. Most of the vulnerabilities it detects can be exploited by a malicious app without asking for any special permissions. At the end, X-Ray shows you how to appeal to your carrier to release a prompt, OTA update.
A new mobile phone vulnerability is circulating. By visiting a malicious web site, some Samsung models can be reset completely (because they support advanced dialer automation). All internal data and customized user settings would be lost. OEMs and phone service carriers need to patch these vulnerabilities. PC Magazine highlights this as follows:
QUOTE: If you own a Samsung smartphone from a U.S. cell phone operator, you may want to avoid using the Internet until your carrier patches a pretty simple flaw that would let an attacker reset your phone.
On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD code for a factory reset. The problem appears to lie within both the Samsung dialer and Touchwiz's stock Android browser. Unlike most dialers, Samsung's automatically makes the call while others still require the user to hit "send." Borgaonkar noted that the code can be sent from a website or pushed to the handset by a Charlie Miller-like NFC attack, or through a malicious QR code, in which case absolutely no user interaction is necessary.
But here's the kicker. Borgaonkar told Security Watch that he'd disclosed the vulnerability to manufacturers and carriers in June, and a patch for the firmware was quickly released. But to date, only Google and certain European carriers have sent an over-the-air update to device owners. Hardware manufacturers, including Samsung, have applied the update to their phones as well. So if you buy an unlocked Samsung Galaxy S III from a Samsung store today, you're safe. "I decided to go public because everyone has the patch now, they've just been sitting on it for months," he said. "It's the duty of carriers to make sure everyone's devices are safe."
Check If Your Phone's Safe -- We've reached out to all the U.S. carriers and will update the article once they respond. Meanwhile, Borgaonkar also created a test that lets you check if your Android device is vulnerable. Click here from your phone. If you can see your IMEI (like on the Verizon GSIII pictured above), Borgaonkar advises, tongue in cheek, to disconnect from the Internet.
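A defender-side check for the behaviour described in the two posts above, as an added example that is not from PC Magazine, Borgaonkar or the original posts: it scans page markup for `tel:` URIs whose target is a USSD/MMI code rather than a phone number, which a web proxy or content filter could block or flag. The sample HTML is constructed, and `*#06#` (the standard show-IMEI code) stands in as a harmless test value.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# tel: scheme, not preceded by a letter or digit (so "hotel:" does not match).
TEL_RE = re.compile(r"(?<![A-Za-z0-9])tel:([^\s\"'<>;]*)", re.IGNORECASE)


def is_ussd(target: str) -> bool:
    """A tel: target containing * or # is a USSD/MMI code, not a phone number."""
    decoded = unquote(target)  # %2A is '*', %23 is '#'
    return "*" in decoded or "#" in decoded


class TelScanner(HTMLParser):
    """Collects (tag, attribute, decoded code) for every USSD-bearing tel: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Check every attribute: the URI may sit in href, src, content, etc.
        for name, value in attrs:
            if not value:
                continue
            for match in TEL_RE.finditer(value):
                if is_ussd(match.group(1)):
                    self.findings.append((tag, name, unquote(match.group(1))))


def scan(html: str):
    """Return all USSD-bearing tel: URIs found in the markup."""
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """
<html><body>
<a href="tel:+15551230000">Call support</a>
<a href="tel:*%2306%23">Check status</a>
<a href="TEL:*#06#">Literal form</a>
<iframe src="tel:*%2306%23"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, code in scan(SAMPLE):
        print(f"USSD code {code!r} in <{tag} {attr}=...>")
```

The ordinary phone link is ignored; the percent-encoded, upper-case and framed forms are all reported with the decoded code.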
Two articles by Intego security related to Apple's recent iOS 6 release
QUOTE: With Apple announcing the new iPhone 5 last Wednesday, we now have the release date for the next version of iOS – September 19th. There are a lot of new features (200, to be exact), some of which have some security and privacy concerns and some that have security improvements. Here’s a rundown of the most notable new iOS 6 features and their security/privacy implications:
Apple iOS 6 Security Features and Concerns
* Passbook - users should be careful in this new centralized control system
* App Installation - greater password control
* Kernel Address Space Layout Randomization
* More Granular Privacy Controls
Recent review of the new iPhone 5 by Intego security
QUOTE: So, the question at the end of the day boils down to “is it worth it?” Thinner, lighter, better battery life… these are all things we have come to expect, but they don’t tip the scales of decision when you have a perfectly good iPhone 4S in your pocket. I would argue that the iPhone 5 is absolutely worth the money (assuming you have carrier-subsidized upgrade pricing), and for a few reasons that Apple didn’t push home the way I would have liked.
They focused on the screen, which, sure, is nicer and bigger and more color-saturated, but ultimately is just a feature spec they had to introduce in order to match their competitors. I see the biggest change as more internal, and it’s the LTE chip that now powers the device’s network connection. This isn’t just faster, this is radically faster. When the iPhone evolved from EDGE to 3G, it made a huge difference in everyone’s experience of the device, from surfing the web to how apps performed and the kinds of data we could consume.
The Android and Apple iOS operating systems were hacked during the recent Mobile PWN2OWN contest. Users constantly need to be careful with links, avoid unfamiliar apps, stay updated on patches and carefully read every prompt during an install.
QUOTE: Today MWR Labs demonstrated an Android vulnerability at the EuSecWest Conference in Amsterdam. The demonstration of the 0day exploit took place at the Mobile Pwn2Own competition. The exploit was developed in a team effort between our South African and UK offices. The vulnerability was found and the exploit was developed by Tyrone and Jacques in South Africa and Jon and Nils in the UK.
MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation. The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.
Microsoft quickly responded in patching a new vulnerability that started to be exploited in the wild. Please patch expediently. Most folks using the automatic Windows Update settings have already applied this over the weekend.
QUOTE: Microsoft has released an out-of-band update fixing at least five vulnerabilities in Internet Explorer, including the recently disclosed zero-day vulnerability already being exploited in the wild. The emergency patch applies to all supported editions of Windows desktop, including XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008, and affects Internet Explorer versions 6, 7, 8, and 9, Microsoft said in its patch advisory released today. Internet Explorer 10, coming soon with Windows 8, is not vulnerable. All the vulnerabilities fixed are rated as "Critical."
Microsoft recently highlighted EMET, which monitors critical Windows system processes and can help detect and prevent new threats against them. Ed Bott published a great write-up on this tool in the past.
EMET v3.0 (most current version)
EMET v3.5 (Beta or Preview version)
QUOTE: The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system. ... Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc. Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:
Client Operating Systems
• Windows XP service pack 3 and above
• Windows Vista service pack 1 and above
• Windows 7 all service packs
MSRC provided the following update: a Fix it patch is in the works, and in-the-wild attacks are very limited so far
QUOTE: We will release a Fix it in the next few days to address an issue in Internet Explorer, as outlined in the Security Advisory 2757760 that we released yesterday. While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online. The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer.
A new unpatched IE vulnerability has been exploited in-the-wild. Currently, it is not widespread and Microsoft is developing a patch. Some prevention techniques include:
* Best practice of "Risk Avoidance" always helps (ounce of prevention for suspicious websites, emails, Facebook links, etc.)
* Antivirus protection (many products now offer exploit detection, including this new threat)
* Use a complementary browser when deviating from the most trusted sites
* EMET is a great process analysis and detection tool (corporate or advanced users might benefit)
Below is the link for the new vulnerability documented in Security Advisory (2757760)
Additional links on the new issue are noted below:
QUOTE: Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability. A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Kim Komando provides daily tips to consumers and home users. Today's newsletter featured tips related to the many free toolbars that become embedded in the browser environment. For IE, there are usually 3 types of removal approaches:
1. Control Panel and Uninstall programs
2. Remove Add-Ins in IE "Internet Options" settings
3. Antivirus or standalone removal tools for malware based toolbars
QUOTE: I'm betting you recently installed a free program. Sometimes, free software includes pesky add-on programs, like browser toolbars. Usually, you can choose not to install these extras during the program installation. However, if you just rushed through the install screens, you might have missed it. Babylon is one of the more notorious programs of this type. It's a translation program that boasts 100 million downloads on its site. I wonder how many of those come from people not paying attention when installing programs.
I've tackled removing annoying programs like this in the past. However, some programs like Babylon will change your browser's settings in bizarre ways. You didn't mention what browser you use, so I'll cover Firefox, Chrome or Internet Explorer. Safari users haven't reported Babylon being a problem, so we'll ignore it for now.
IE8 or IE9 removal: For Internet Explorer 9, go to the Gear icon >>> Internet Options (Tools >>> Internet Options in IE8). On the Programs tab, click Manage add-ons. Go through each section and remove any references to the Babylon toolbar or search engine.
From PC Magazine, below are six tips to avoid text message mobile phone scams:
QUOTE: a few tips for staying safe from these kinds of scams.
1. Never respond to unsolicited text messages: If you don't know who sent it don't respond.
2. Remember that these services are packed with hidden fees: Remind family members that responding to text messages can incur charges that may be difficult to reverse.
3. Carefully check phone bill: Are you already being charged for unwanted services?
4. Block third-party charges: Call your cell phone service provider and block all third party charges going forward.
5. Do not click on links: Never click on web links in unsolicited text messages.
6. Talk phone safety: It's important to discuss these tips with all family members