Archive for the ‘Security and Privacy’ Category

Facebook – An admirable start but not nearly enough

Facebook Adds Two Privacy Tools – InformationWorld:

Both tools have to do with stopping unknown devices from logging in to a user’s Facebook account.

Definitely a first step, and an important one to be sure, especially since many hacks apparently were coming from mobile devices — but this is not nearly enough.

This does not even begin to address the privacy related issues brought on by changing the default from privacy by default to public by default which is why Facebook won over from MySpace in the first place.

My account will remain deactivated for the time being.

Facebook account deactivated today

Well, today is the day.

As much as I love Facebook, and enjoy the ability to keep in contact with family and friends easily, I have deactivated my account today in protest of their stance on privacy and the apparent lack of concern for their users by changing to the opposite stance on user privacy. It has been one step, after another over the last year or so. Desensitizing users to the changes they have made by doing it slowly.

Facebook sees dollar signs where we users are concerned. They have deluded themselves into thinking that with all the family and/friends connectios, and simplicity of keeping in contact with our Facebook friends, that we won’t be able to stop, that we are now hooked…”we have you now” in Darth Vader’s voice.

Is it true?

Not in my case at least. I let my friends and family know what I was doing. They support and understand. Will any of them do the same thing? I hope so…

We need to stand together to disallow Facebook a pass on the changes from supposed concern for users and user’s security and privacy to what it is today … where they are saying we don’t care about privacy by default. That we only see the connections we can make to other sites?!?! Facebook is saying proudly that they are the next MySpace … “now we control all these users and connections, and you as users have no privacy. Privacy is dead.”

Can we prove them wrong?

===

Edit: added some links to help make your decision:

With Facebook’s security and privacy standards under fire from all sides, suffice it to say that this is not a good time for one of the company’s investors to fall for a Facebook phishing scam. (Facebook phishing scam snares company board member – CNET – May 10, 2010 8:42 AM PDT )

Comparing Facebook’s latest product modifications to deadly natural disasters is probably a little bit inappropriate, but the psychological reaction doesn’t seem all that different. The social network modified its policies for handling user data once again as part of its F8 conference and release of the Open Graph API, and ever since it became clear that more information is being set as public by default and more is being shared with third parties, concerned Facebook users have been on jittery alert, perhaps prone to overreaction, concerned that something even bigger may be about to change. (Understanding Facebook’s privacy aftershocks – CNET May 6, 2010 3:51 PM PDT)

Criticism of Facebook (Wikipedia.com)

Four senators are adding their voices to criticism that Facebook Inc. doesn’t do enough to give its 400 million users easier ways to protect their privacy online. (Senators turn up the heat on Facebook privacy issues – SFGATE.com – April 28, 2010)

More links on my blog post, Bye, Bye, Facebook, Bye, Bye… AND ALL OVER THE WEB! Just do a search on facebook privacy issues on any search engine and read it and weep.

Mac OS X 10.4.11 Tiger Java Security Update Missing

What the heck is going on?

Is the Java Update that was put out last month for Windows and this past week for Leopard and Snow Leopard not a security issue for Tiger users, or did Apple decide to not bother making sure those who still are stuck using Tiger wouldn’t be safe??!??

This is one of two reasons why I hate that Apple does the Java updates for Mac OS X instead of letting Java do it like it does for Windows.

First reason is they are always late. Second reason, when Apple doesn’t want to update Java for Tiger, like they did for Panther, etc., they just stop updating it.

If it were left up to SUN Java to update it we would have gotten it when they released the Windows versions instead of getting this when you go to Apple site with Mac OS:

Apple and Java

Apple and Java

Or is Tiger (and earlier versions) the only OSes on the planet that don’t need this security update?! Tiger hasn’t had a security update for Java since June 2009: Java for Mac OS X 10.4, Release 9

Data breach at Heartland may be bigger than TJX’s

And you thought the TJX’s data breach was bad? Well…

Data breach at Heartland may be bigger than TJX’s

A data breach disclosed last week by Heartland Payment Systems Inc. may displace the one revealed by The TJX Companies Inc. in January 2007 as the largest compromise of payment card information to date.

Heartland, a Princeton, N.J.-based payment processor, said intruders broke into its systems sometime last year and planted malware that they used to steal credit and debit card data.

A Heartland spokesman said Thursday that the company still had no idea how many cards had been compromised. It wasn’t even sure how long the malware had been on its network, he noted. “All we know is that it was there for a period of time in the second half of 2008,” he said.

But given that Heartland processes more than 100 million card transactions per month, it’s conceivable that the number of compromised cards could be at least that high, said Gartner Inc. analyst Avivah Litan. In the TJX breach, 45.6 million card numbers were stolen over 18 months.

The latest news over at The Chronology of Data Breaches (PrivacyRights.org), shows on their last update for the TJX/January 17, 2007 entry, that the TJX data breach seem to have affected 100 Million accounts and they think it may have dated back as far as 2005!

The Heartland one may be worse than that since it processes at least 100 Million!?

Over time, what will they find out about the Heartland one?

Unbelievable.

Windows XP SP3 – time for an exorcism?

I am beginning to think that SP3 was Microsoft’s “killer” app for Windows XP so folks would get frustrated with XP and move to Vista … and at the same time, when they move to Vista, they wouldn’t have too high of expectations.

Looks to me like Microsoft has just proven that Apple definitely does it better! And Microsoft has no room to ever say a word about Linux, ever again!

Talk about a true dog of a Service Pack! Some folks may not be having problems, but some clients have been through h*ll this past week with their haunted XP SP3 systems after the September 2008 Windows Updates.

We had, obviously wrongly, thought we were out of the woods when we were able to get all the updates for the hardware and software in preparation for SP3 and then the SP3 update went very smoothly and worked well for about a month … until the September 2008 Windows Updates turned one client’s set of computers into possessed computers that would all of a sudden decide that their printers were no longer installed, or Outlook or Firefox or Quickbooks. Or just puke when Adobe Distiller tried to convert to PDF.

By last night they seemed to be working OK, but gawd knows what today will bring. I hope they are out of the woods, but there’s no way to be sure till they try to work with them today. I was beginning to think the computers needed an exorcist. And they still might. If so, I sure hope Microsoft made a safe reversal on SP3.

I can not believe they didn’t test these stupid updates better than this! We were so careful and waited at least a number of months before installing SP3 to make sure SP3 wasn’t creating problems after installation before we figured it was safe to install it.

I think like many, we just thought that once you finally were able to get the daggone thing installed Microsoft would do better than this on the updates. Knowing full well that many people depend on their computers for work!

I think this posting at blogcritics pretty much continues to sum up my feelings on it:

I’d like to extend a nice big F-U to Microsoft for releasing yet another product that’s screwing up my computer (pardon my French). Windows XP SP3 has been out for a few months and I haven’t heard about the world coming crashing down as a result, so I figured it might be safe to install. HA! I should have known the clowns in Redmond wouldn’t be able to get this right.

Well, Microsoft, you’ve managed to once again make people skiddish about installing security updates … Thanks for nothing Microsoft.

Malware Silent Alters Wireless router settings!

Brian Krebs at his Security Fix column at the Washington Post reported last week:

Malware Silently Alters Wireless Router Settings

A new Trojan horse masquerading as a video “codec” required to view content on certain Web sites tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous “Zlob” Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim’s domain name system (DNS) records so that all future traffic passes through the attacker’s network first. DNS can be thought of as the Internet’s phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.

Much more in the article!

We have always recommended changing your router’s default settings like username/password combination, as well as the standard wireless SSID and channel and applying the latest firmware patches for your router.

Also turn off UPNP (Universal Plug’N’Play) in the router. And use WPA security whenever possible for your wireless users to protect your network and keep nefarious users from spreading spam or other bad things through your wireless Internet connection.

And as one of the comments noted:

Besides a non-admin (limited user)* account and AV software, another effective defense against these types of malware is a blocking hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

They also have a related blog that covers a lot of these types of malware tricks using codecs.

http://msmvps.com/blogs/hostsnews/default.aspx

Thanks striker in this topic at Scot’s Newsletter Forums for the heads up on this one.

* Where possible (generally easier on Linux, Mac and Vista to run as a limited user than previous versions of Windows like WinXP, and earlier).

Unfortunately even printing can be a challenge in some versions of Windows (WinXP) depending upon the type of printer, if you are using a limited account.

However, if and when you can, either running as a limited user, or using a Linux LiveCD (LiveCD List) to surf the web would be a much safer way to surf the web in general, as well as making sure your router’s information has been updated as noted above regardless.

NOTE: If you adjust your settings on that LiveCD page, you can even find Linux LiveCDs for PPC Macs. I have tried and really like the Ubuntu LiveCD for the PPC Mac.

Next Mac OS X — 10.6 — at WWDC 2008? another big cat? end of PPC?

Well, it makes sense that 10.6 will be announced soon especially with Steve Jobs’ comments to the New York Times regarding major Mac OS X, but at WWDC 2008? Hard to say.

There is also the naming question brought up at Mac360 as well …some say the only big cat left is Lion. But even a cursory look at wikipedia’s big cat page would indicate that Lion isn’t the only one unless you go with strict ‘big cat’ names. A more expansive list also includes things like Cougar, Snow Leopard, Clouded Leopard and Cheetah (or Puma) (which Apple has been used already and broke the ice for the more expansive Big Cat naming for Mac OS X).

My guess would be Cougar. I would think that would be the most logical choice. Wait to use Lion till they move to an all Intel based Macs and maybe proved their dominance might be a better choice of timing to use “The King” Lion.

And if the RoughlyDrafted magazine/blog article was correct in 2007 about their thoughts on Unraveling the PPC Myth (linked in their Leopard and the History and Future of Mac OS X on PPC article noted above), then it’s not likely going to be with 10.6.

I tend to be leaning toward RoughlyDrafted being right on that score, at least after reading over the history of Apple again in those two articles.

Also, Ars Technica last year also didn’t give any real hope that ZFS would be in 10.5 — maybe have to wait for 10.6, but I don’t think so. Too soon. I think they will wait for the next one, 10.7? or whatever that will be called. Might as well wait to do ZFS when it goes to all Intel Macs makes more sense. Make the major change then.

So, I would say Cougar makes more sense at this time. No Lion King here yet…no MAJOR change to the underpinning….yet.

And really, if the truth be known about Cougars — the Cougars are nothing to sneeze at! And with this description: “This large, solitary cat has the greatest range of any wild terrestrial mammal in the Western Hemisphere,[3] extending from Yukon in Canada to the southern Andes of South America.”?? Doesn’t that sound like the desire of Apple with their next version of Mac OS X? To be the most broadly used Mac OS/computers?

Which also would indicate (to me) that they would not want to ditch PPC just yet either … like the RoughlyDrafted articles indicated.

I really think that Microsoft made that Mistake with Vista. And I really hope Apple will not make that same mistake. But who knows with the Entertainment Cartels whispering in their ears just like they did with Microsoft…

When the dust settles and if the Entertainment Cartels get their big Win (controlling when and where you can view content on every front from TV (HDTV, computers, etc.), and the Major OS makers have totally pissed off their real paying customers, we shall see what happens then. But I think we’ve already had about enough of that as evidenced by this ExtremeTech article entitled, “How the Hollywood Morons Can Beat the Pirates! (Thanks Adam for the link!!)

EDIT: Well, I guess I had a better opinion of Apple than I should have. Apparently, according to MacRumers, who was reporting on an article from Ars Technica, Apple has decided to turn PPC users away now after all. Oh, and it’s Snow Leopard, not Cougar. More like Nuclear Winter. Very unhappy Mac user here. What a crock!

Even seemingly reliable e-mail vulnerable

Even seemingly reliable e-mail vulnerable to [unethical] hackers

“The bad guys are trying billions of random combinations … and finding new ways to break in,” says Gartner tech security analyst John Pescatore.

Crooks use flaws uncovered by fuzzing to create tainted files disguised to fool targeted employees. Earlier this year, individuals at several corporations were targeted to receive e-mail carrying an attached Excel file corrupted via a previously unknown flaw. Clicking on the file opened a worksheet with data relevant to the targeted worker; it also gave the attacker a beachhead to probe deeper into the company’s network. “The victims never really knew,” says VeriSign iDefense researcher Matt Richard, who discovered the attack.

In another attack, crooks installed a tainted QuickTime video file at several porn websites crafted to steal data from eBay and PayPal accounts, according to security firm Intego.

“It’s not just Microsoft,” says Secunia Chief Technical Officer Thomas Kristensen. “Crooks now use many different ways to gain control of computers.”

This is nothing new to many of us, but the fact that USA Today has even posted this article shows how pervasive the problem really is. And how easily people within companies, corporate or home office/small/mid sized businesses are being affected, as well as home users.

Social Engineering is alive and well. And although Windows computers are mainly targeted, no operating system is entirely safe.

However, to limit the problem to simply saying that email is the problem would be a disservice to the public.

With thousands of ordinarily safe websites hacked by unethical hackers, people don’t even have to open a dangerous email to have their computers infected with malicious tools that steal passwords, install keyloggers or other malware in order to take over the computer or spew spam, or open backdoors to pretty much do whatever they want. All behind the scenes. Often going unnoticed unless the computer becomes inordinately slowed to the point that it interferes with what the legitimate user wants to do on their computer.

There is an old saying, curiosity killed the cat … for many today, curiosity killed security, thoroughly.

On the other hand, it is also wisely reported at ImformIT in the article entitled, “Crime, War, and B.S. in the Electronic Universe“,

Unlike Chicken Little (and plenty of people in the media), Michael Kemp doesn’t believe that the sky is falling and our electronic connections will soon evaporate under attack by terrorists, criminals, and [unethical] hackers. But he does warn of a more insidious threat: By pandering to these fears, industry professionals may drive themselves right out of business.

And later in the article,

The U.S. Patriot Act has become a stick with which to beat security researchers and invade personal privacy alike. Also in the U.S., the Digital Millennium Copyright Act (DMCA) has been employed to criminalize even legitimate reverse-engineering (thanks to supposed copyright infringement), making a criminal out of Dmitry Sklyarov, and impeding research by cryptographers and security consultants alike. And what has the security industry done about these legal trends? Thus far, not a lot.

There are always AT LEAST two sides to a coin depending on which ‘dimension’ you refer to.

Overall, I think our best intelligence would dictate that we can not be naively clicking on anything that piques our fancy, or be too busy to think through before clicking or opening a file from email or on a website, or make sure that a file in an email truly is from the person we think it’s from, or assume that person has a virus-free computer, and making sure we virus check files with the latest virus definitions before opening them. Period.

We can’t assume, rightly or wrongly, that everything on a website is benign just because the organization is a good one. We have seen in the news that we can’t blindly trust every security site, bank site, sports site, news site, kid’s site, good cause site, etc.

Sometimes we seem to get caught by malware, when we were only doing what seemed reasonable — trusting a known good site.

We need a heads up on what search results appear to be safe and which ones do not appear safe or have some problems like good and bad downloads, or popups, or massive emails sent after visiting a particular site.

There are some really good security tools out there for many of the problems that we might come up against. They may not all be free, but they are available.

Fear is never a good thing. F.U.D. (Fear, Uncertainty, Doubt) is a big enemy to thinking individuals, communities and governments.

Rogue Flash ads pushing malware

Sunbelt Blog posted an article entitled Rogue ads pushing malware – how it works. Here’s the video that shows what’s happening:

At Sunbelt Blog’s website, Alex Eckelberry continues to talk about the Flash .swf ads that are being used to push all this malicious content after throwing the user back and forth all over the web utilizing techniques that are big with Web2.0 interactive and mashed up content:

This is not a trivial problem, and the most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of tricks these people use, like giving fake references), and then keep a close eye on the advertising as it’s running (and hopefully some good tools can be developed for publishers to use to check the content of ads for malicious redirects before posting).

Must read for all Web Surfers.

Legitimate sites like the Major League Baseball site that had at one time recently been unknowingly spewing this type of bad content which was infecting visitors’ computers (see the article) were just trying to keep their visitors/users interested using innovative Web 2.0 features — bringing in and displaying, aka Mashup (web application hybrid) content such as articles, news, videos, ads and more from various sources on the Internet. In the process, something occasionally happens on these legitimate sites. Bad things are being injected.

Thanks for the heads up Alex!

Beware: Facebook Widget installs Zango

Beware: Facebook Widget installs Zango:

Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a “Platform Application”) actively spreading on the social networking site which ultimately prompts users to install the infamous “Zango” adware/spyware.

Antivirus/Anti-Malware programs block the installation and state it’s Zango as shown later in the article at Fortinet’s FortiGuard Center report.

Thanks to TeMerc @ Scot’s Newsletter Forums and Sunbelt Blog.

Tag Cloud

%d bloggers like this: