Google Chrome Even More Secure

Written by Saran on August 27, 2009

From Internet Explorer to Mozilla Firefox to Google Chrome – that’s the path that many computer users have followed in the past years. Personally, I have stuck to Mozilla but I do use Chrome every now and then when I want things to go much faster. But did you know that Google’s streamlined browser has its share of security issues as well?

This is not really that surprising. After all, most any product you see in the market will be exploited by those who want to do so. In any case, Google has come out with updates to their browser, making it more secure for us users.

The most recent update for Google Chrome fixes some issues in how the browser handles JavaScript and XML. For the JavaScript engine, the fix makes sure that malicious JavaScript on an infected web site cannot run arbitrary code. You and I know very well that the phrase “run arbitrary code” simply translates to “install malware.” With this problem supposedly fixed, Chrome is definitely safer.

Another fix deals with the possibility of a web page using XML to, again, run arbitrary code. This happens when the malicious XML crashes a Chrome tab.

Last, the updated Chrome will not allow you to connect to “HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms.” The reason for this is that these hashing algorithms are weak, which makes it relatively easy to set up a fake HTTPS site that poses as the real one.

For more detailed info, read it from Google’s own blog.

Photo courtesy of Ivan Zlatev

Categories: General, Google Chrome, Malware, News


Mozilla E-Store Hacked

Written by Saran on August 6, 2009

This piece of news is not so good for Mozilla. It had to shut down the operations of its online store late on Tuesday because of an alarming finding. The fact is that the firm that Mozilla had hired to deal with their backend operations has suffered a security breach. Mozilla immediately issued a statement about the issue:

Today, Mozilla discovered that GatewayCDI, the third-party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach. Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised.

And just to be sure, the company immediately shut down the international version of their online store. While this was not really necessary since the international edition is being maintained by a separate company, Mozilla still shut it down as a precaution. As of this writing, there is no news yet as to whether the security breach has been fixed. Indeed, Mozilla did not even really divulge details as to the nature and extent of the breach. I guess it is enough that they owned up to the issue and that they took immediate steps to stop the problem before it became serious.

And in case you were not aware of what Mozilla offers in its online store, this is where you can get T-shirts, coffee mugs, backpacks, mouse pads, and all sorts of other things that you can buy with the popular Mozilla logo prominently printed on them.

Moral of the story? Even one of the best IT companies in existence today is prone to hacking. We “mortals” should learn from this.

Categories: Firefox, General, News


One Out Of Six: Yes To Spam

Written by Saran on July 23, 2009

Last week, I found myself craving for Spam – the kind that you put in between two slices of nice white bread. The moment I checked my Inbox, though, my feeling towards spam – in general; food or e-mail related – changed drastically. For some reason, I keep getting these e-mails about Viagra and winning the lotto. And I am talking about my WORK e-mail here, not my personal e-mail! Seriously, I don’t understand why these people keep sending out these e-mails when everyone knows they’re SPAM and that they amount to NOTHING! No one pays attention to these e-mails, right?

Well, apparently, some people do! According to a survey conducted by the Messaging Anti-Abuse Working Group, 1 out of 6 people in the United States and Canada respond to spam e-mails. I know, this is simply unbelievable, isn’t it?

In this day and age, why would anyone still fall for these scams? Haven’t we learned anything at all? No wonder that these scammers continue to send out their e-mails! I mean, just one or two people who respond to their bait might give them the profit that they are out for.

To be fair, the scammers are getting more and more creative. They also take advantage of the hottest things happening. For example, around the time of Michael Jackson’s death, there was an astronomical increase in e-mails about him – a lot of these were spam. Even those who are normally careful were lured into opening these e-mails and clicking away.

Bottom line: spam might be here for a while. Make sure you are careful and don’t be cocky (like me) – you never know what might hit you!

Categories: E-mail, Malware, News


46 Security Flaws Fixed By iPhone 3.0

Written by Saran on June 23, 2009

Yup, 46! That is one heck of a lot of security flaws, don’t you think? Considering that the iPhone is being used by a lot of people to go online, it seems quite irresponsible of Apple to release a product that has so many flaws. Still, that has not stopped people from buying the iPhone. Indeed, the major reason people do not get one is the price and not the existence of security flaws. In any case, the recent iPhone 3.0 update has fixed those flaws.

Of the 46, six of the security flaws involve CoreGraphics. Without the update, if a user views a maliciously coded image, the application he is using may terminate suddenly. Alternatively, it can lead to arbitrary code execution. What that can lead to, who knows? Another flaw involves opening and viewing PDF files. Apple describes the same result: either application termination or arbitrary code execution.

There is also a flaw with regard to the mail client. Without the update, remote images in HTML messages are automatically fetched and loaded. There is no option to turn off this feature. With the update, this potential security flaw has been fixed.

Meanwhile, Safari can now be totally wiped clean – history of visited web pages and searches together – by accessing the option in the Settings menu. Previously, only the history of web sites was removed, and the searches remained. Now, iPhone users can rest easy knowing that they’ve left no traces behind.

Of course, there are other features to the updates, many of them not solely related to security.

Categories: E-mail, News, Operating Systems, Privacy & Anonymity, Web browsers


Microsoft To Launch Free Security Software

Written by Saran on June 20, 2009

Cool! But wait – Microsoft is giving away something for FREE? Am I dreaming? You better believe it, though. The software giant is jumping into the freeware fray with their latest security product. Dubbed Microsoft Security Essentials, the program is designed to detect, find, and kill malicious software that might find its way into your computers.

The beta version will be released next week. In the meantime, the company is continuing to develop the full version of the product, which is slated to be released in the fall. The security software is not going to be bundled with Windows 7, as this may provoke anti-trust issues, which Microsoft has had more than its share of. Still, critics have not been slow to point out that the description of the product is flawed and misleading.

David Cole of Symantec has stated that it is NOT an essential security solution. He also pointed out that users still need protection such as firewalls, spam fighters, and other features that are included in subscription products.

So what does Microsoft Security Essentials really offer? According to Theresa Burch, the program will try to spot malicious software, even if it is not part of the database of known threats. Once a piece of software arouses suspicion, the program will first check with online servers before allowing it to run. Users do not have to worry about the program interfering with trusted sources, however, as there will be a list of those, such as Google Toolbar.

I think I’ll see what it has to offer next week.

Categories: General, Malware, News, Spyware


Mac OS X Has Java Security Flaw

Written by Saran on May 20, 2009

One reason that some people prefer to use Macs over PCs is the fact that the former is considered to be far superior to the latter when it comes to security. However, that does not mean that Macs are totally immune to security issues. As a matter of fact, security experts recently warned Mac OS X users of a security flaw that involves Java.

CNET tells us all about it:

Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple’s Mac OS X.

According to the man credited with discovering it, Landon Fuller, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.

The vulnerability could be used to perform what SecureMac refers to as “drive-by-downloads,” or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.

While the existence of a security flaw is certainly acceptable, the fact that it has remained unpatched to date is hard to understand. It is even more perplexing as the flaw had been discovered before the latest update to the OS was released. Is Apple not aware of the flaw (I seriously doubt it) or are they not seeing it as a serious threat?

Categories: News, Operating Systems


RSA 2009 Impressions

Written by Saran on April 25, 2009

If you have not heard, the RSA 2009 security conference was held in San Francisco in the past week. This conference is a significant one in the industry, and even more so now since we have been facing many different and new threats cropping up here and there. This year, however, what I have been reading about the RSA is not that good. A lot of people are saying that it came off a little flat.

Jon Oltsik of CNET blames the economy for this. He also points out three other reasons:

1. The speakers. The keynote speakers really had nothing new to say. This was especially troubling because the lineup looked so strong. Unfortunately, the most disappointing speaker of all was President Obama’s cybersecurity point person, Melissa Hathaway, who read from a script and said next to nothing about her cybersecurity research effort. Hathaway underwhelmed an audience of security professionals, missing an opportunity to bond with a constituency whose support is critical to her success.

2. The topics. In the past, there was always one topic at RSA that grabbed everyone’s attention. Not this year–same old tired stuff.

3. The vendors. I’m now convinced that most security vendors have no conception of what their customers need. Vendors pitch point technology solutions while users are crying for help to secure their IT-based business processes. There are really only a few security vendors that recognize this. I can’t overstate how much this disconnect alienates the security community.

It is pretty depressing, isn’t it? Do you have other perspectives that might give us more positive views?

Categories: General, News, Security Policies


What’s Up With Conficker?

Written by Saran on April 5, 2009

If you remember, everyone was up in arms about April 1. This was supposed to be the day that the third version of the Conficker worm was to be released. It’s been several days since April Fools and it seems that nothing big happened. (Knock on wood.)

So what’s up with the Conficker worm? Is its reign over? Can we sit back and relax now? According to PC World, no one really knows. They just published a story on it yesterday and here is what they have to say:

But nobody knows for sure what Conficker can accomplish. However, at the time of this writing no Conficker-related catastrophes have surfaced and some think the threat never will. So as attention shifts away from Conficker, it’s important to know where we stand against the world’s most famous piece of malware.

While nothing has happened in the last week, we should not forget that the other 2 versions of the worm are still out there. And if your computer is not protected, you are still a sitting duck.

One thing that I recently learned: you can still access the security patch for the worm even if your operating system is not the real deal (READ: pirated). Data shows that the highest densities of Conficker infections are in areas which have pirated software. And while no one is condoning the use of illegal software, “pirates” can still download the security patch directly from Microsoft. So while we don’t know what’s going on with Conficker, we should still be careful.

Categories: Malware, News, Operating Systems


Cellphone Deals Here…and there…. What’s the catch?

Written by Saran on February 27, 2009

It seems everybody is out for cheap deals on just about everything, and who wouldn’t be in this recession, where cash is hard to come by and jobs are being shed by the thousands? Now, there are truly some honest cell phone deals out there, but you have to be sure you’re getting the right stuff. Having the latest phone gadget might be one thing, but keeping that new phone secure from hacks is another. Sure, you can get it cheap from the internet, but how sure are you that you’re getting the real stuff?

Criminals are becoming craftier than ever, and they have even managed to copy branded products complete with all the security stickers and holographic security seals. These phones can also come pre-loaded with malware, for the amount of computing power they pack is enough to emulate an ultraportable, in function that is. Just how dangerous are these hacking attempts? For mobile devices using Windows, very dangerous, for there is a group bent on exacting damage on the software giant.

Ensuring you have the latest updates to your operating system is vital to maintaining your ability to fend off attacks. Having intrusion prevention systems installed is also a good thing, for, like your PC, these devices also need protection. Given the power of these gadgets and their ability to connect to the internet, they are not immune to attack. Let’s take this as an example: an unprotected PC connected to the internet for the first time will last an average of 15 minutes before it is hacked and compromised. Now you do the math for your mobile!

Categories: Cryptography, E-mail, General, IM, IT Security Basics, Malware, News, Privacy & Anonymity, Real-World Issues, Spyware, Tips, Web browsers, Wireless Security


Cyber Security In Obama’s Sights

Written by Saran on February 20, 2009

Who said that Obama does not have a techie side to him? If reports earlier this month are to be believed, the newbie President is not ignoring the importance of cyber space. Iain Thomson of Vnunet.com had this report early this month:

US president Barack Obama has ordered an immediate 60-day review of the online security of government IT systems to check for vulnerabilities.

The review will be led by Melissa Hathaway, who has served as cyber co-ordination executive to the US Office of the Director of National Intelligence. Hathaway will also serve as acting senior director for cyberspace for the National Security and Homeland Security councils during the review period.

“The national security and economic health of the US depend on the security, stability and integrity of our nation’s cyber space, both in the public and private sectors,” said John Brennan, assistant to the president for counter-terrorism and homeland security.

First thoughts… this is wonderful; coming from the head of the country, it should be a good sign. However, I was thinking about the 60-day limit – would this be enough? More so, are the intelligence arms going to be part of this review? I doubt that the CIA, the FBI, and the NSA will allow anyone to take a look into their systems. Maybe the review is just for the less sensitive government agencies. Who knows?

In any case, I was just thinking of those people who love hacking systems to get credit card numbers, bank account numbers, and the like. Those days will probably be gone pretty soon, don’t you think?

Categories: Malware, Network Security, News, Privacy & Anonymity, Real-World Issues, Security Policies
