This is the first minor point release in the 3.5 series of Firefox. The main reason for this patch is a security flaw in the TraceMonkey JavaScript engine of the browser. We have “zbyte” to thank for the discovery of this flaw. This Firefox user reported that his browser kept on crashing each time he tried to type text in an input box on the site apport.ru. Zbyte sent this bug report in on July 9, and less than a month later, Firefox developers were able to find the reason for the bug AND send out a fix as well.

Anyhow, the TraceMonkey JavaScript engine is a huge development on Mozilla’s part. With the bug concerning the engine, however, Firefox users are left vulnerable to exploits. In fact, a malicious web site can take advantage of this bug and execute arbitrary code. The developers reacted quickly, though, with Firefox 3.5.1 as the result.

By the way, soon after the bug was fixed, news circulated that there is another bug. This is utterly believable – bugs abound anyway. In fact, researchers Berry-Byrne and Andrew Hayes discovered this bug in the “escape” function. The good news is that they strongly believe that this bug is not exploitable. That means that while those who encounter this bug just might be bugged about it (no pun intended), we are not in danger – security wise.

In any case, you might want to get the latest patch for Firefox, if you have not already.

Categories: Firefox

Leave a Comment

The world of cyber-crime has grown so much in these past few years due to the explosion of growth with respect to the number of internet users the world over. It has not only expanded on the side of normal people but on the side of cyber-criminals who now operate on their own networks, spanning the globe and ready to spread their products, malicious code that first scans the globe for weak points in the security net that we all put up to somewhat give us a sense of security from the ever-growing threat which is actually futile to some extent. Read the rest of this entry »

Categories: General, IT Security Basics, Malware, Network Security, News, Real-World Issues, Security Policies

Leave a Comment

You’d think that men, who are supposed to be better at maths and similar subjects, would be better at online security as well. According to an online survey, though, the opposite is true. Carrie Anne Skinner reports:

When it comes to online security, men are less savvy than women, according to PC Tools.

Research by the security firm revealed that 47 percent of men use the same passwords when signing up to online banking and shopping facilities, compared to just 26 percent of women.

I can think of several reasons for this. One, men are notorious for forgetting details, and passwords are one of them. If you think about it, it is only understandable that the men would tend to use one password for most of their accounts. Two, men tend to have this feeling of invincibility. It’s that machismo factor that gets them into fights. They think that they’re not going to get hurt. Yes, it happens to others, but not to them. The same article confirms this:

Men have a more cavalier attitude to email attachments, with 60 percent admitting to opening them immediately without checking to see if they are legitimate, but only 48 percent of women do the same thing.

This is not to say that they are not AWARE of the potential threats. In fact, the same study showed that men knew more about the threats than women did. It really is just the attitude that makes a big difference. Well, maybe that’s why men have more viruses and other malware in their toys.

Categories: E-mail, General, IT Security Basics

Leave a Comment

Yup, 46! That is one heck of a lot of security flaws, don’t you think? Considering that the iPhone is being used by a lot of people to go online, it seems quite irresponsible of Apple to release a product that has so many flaws. Still, that has not stopped people from buying the iPhone. Indeed, the major reason people do not get one is the price and not the existence of security flaws. In any case, the recent iPhone 3.0 update has fixed those flaws.

Of the 46, six of the security flaws involve CoreGraphics. Without the update, if a user views a maliciously coded image, the application he is using may terminate suddenly. Alternatively, it can lead to arbitrary code execution. What that can lead to, who knows? Another flaw involves opening and viewing PDF files. Apple provides the same result: either application termination or arbitrary code execution.

There is also a flaw with regard to the mail client. Without the update, remote images in HTML messages are automatically fetched and loaded. There is no option to turn off this feature. With the update, this potential security flaw has been fixed.

Meanwhile, Safari can now be totally wiped clean – history of visited web pages and searches together – by accessing the option in the Setting menu. Previously, only the history of web sites was removed, and the searches remained. Now, iPhone users can rest easy knowing that they’ve left no traces behind.

Of course, there are other features to the updates, many of them not solely related to security.

Categories: E-mail, News, Operating Systems, Privacy & Anonymity, Web browsers

Leave a Comment

Cool! But wait – Microsoft is giving away something for FREE? Am I dreaming? You better believe it, though. The software giant is jumping into the freeware fray with their latest security product. Dubbed Microsoft Security Essentials, the program is designed to detect, find, and kill malicious software that might find its way into your computers.

The beta version will be released next week. In the meantime, the company is continuing to develop the full version of the product, which is slated to be released in the fall. The security software is not going to be bundled with Windows 7, as this may provoke anti-trust issues, which Microsoft has had more than its share of. Still, critics have not been slow to point out that the description of the product is flawed and misleading.

David Cole of Symantec has stated that it is NOT an essential security solution. He also pointed out that users still need protection such as firewalls, spam fighters, and other features that are included in subscription products.

So what does Microsoft Security Essentials really offer? According to Theresa Burch, the program will try to spot malicious software, even if it is not part of the database of known threats. Once the suspicion of the software is aroused, it will first check with online servers before allowing the program to run. Users do not have to worry about the program interfering with trusted sources, however, as there will be a list of those, such as Google Toolbar.

I think I’ll see what it has to offer next week.

Categories: General, Malware, News, Spyware

Leave a Comment

So you’re convinced that you have to secure your WiFi. Good, now we can make some progress. In the previous post, I mentioned using a password. This is the first step is making sure that unauthorized users will not be able to connect easily.

In most cases, people use WEP, or Wired Equivalent Privacy. While this provides a certain level of protection, WEP is relatively easier to crack. If a hacker is persistent enough, WEP will give way quite easily. As such, I suggest using WPA (Wireless Protected Access) or WPA2 instead. Either way, you will need to indicate an encryption key. As with other instances wherein you have to choose a password, choose one that is hard to guess. Long encryption keys that are combinations of letters and numbers are the best kind.

Another thing that you should do is to change the default SSID (Service Set Identifier) name. This is what computers used to detect available wireless networks. Most laptops and mobile phones are set to automatically detect available SSIDs. If you change the default name, and turn of SSID broadcasting, users who want to connect will have to enter the name manually.

Last, you might want to disable DHCP, or Dynamic Host Configuration Protocol. This will require you to assign IP addresses manually. If you can do this, then you will have added security. However, if you think it’s too complicated, you can leave it. The first two tips above will already give you good enough security for everyday purposes.

Categories: IT Security Basics, Wireless Security

Leave a Comment

I didn’t realize that there are still a lot of people who do not really pay attention to securing their WiFi at home. I guess that I have always taken it for granted that once you set up any connection for home use, you install passwords and other measures to protect it. Apparently, in this day and age, not everyone has the same idea.

My colleague was telling me, just last week, that his connection at home seems to be running exceptionally slowly. First thing I asked him: are you using a wireless router? When he said yes, I asked him about a password. Just as I guessed, he said “What password?”

I moved to a new building a month or so ago and have been having problems having wired Internet hooked up. I have a mobile dongle which I can use to a certain extent but guess what? One day, I turned my WiFi on and voila, the laptop automatically connected to some fella’s wireless connection.

The fact is that this is such a common thing. Hotels, shops, and other establishments are also guilty of this neglect. I have a friend who works from home and is entirely dependent on the Internet. When her connection goes down, she simply gets in her car and drives to a nearby hotel where she can mooch.

It may seem funny or amusing, but if an unscrupulous individual gets wind of your unsecured WiFi, you just might get your bum bitten. If I were you, I’d make sure my WiFi is secure. How to do this? Let’s look at this in the next post.

Categories: Wireless Security

Leave a Comment

What in the world is an acai berry? If you are into fad diets, then you probably have heard of the acai berry. It is purported to be the next wonder drug, which is all natural by the way. It is supposed to make you lose weight like no other substance in existence. It is also supposed to make you feel better and younger because of its curative properties.

Anyhow, I have nothing against the acai berry fad per se. I mean, these fads come and do and it’s up to you if you want to try them or not. What is happening to me is another story, however. You see, I have somehow been victimized by the acai berry virus (or so I’d like to call it) on Yahoo messenger.

I didn’t have any inkling as to what was happening until I suddenly got this slew of offline messages last week. People on my contact list – even those with whom I had not spoken for months and months – suddenly started sending me offline messages. Their messages seemed to be in reply to something I had sent.

Yesterday, an old friend sent me an SMS saying that I might have a virus. He said that I kept sending him messages on Yahoo Messenger about this acai berry thing. Obviously, it was not me.

I am pretty sure that I am not alone in this thing. I have scoured the web for similar reports and have found a lot of other people complaining of the same thing! The solution? I scanned my laptop for malware using Spybot last night. I am about to scan again using Avast. Then I am changing my passwords. Let’s see if I can get rid of this thing.

Any suggestions?

Categories: IM, Instant Messaging, Malware, Real-World Issues

Leave a Comment

One reason that some people prefer to use Macs over PCs is the fact that the former is considered to be far more superior to the latter when it comes to security. However, that does not mean that Macs are not totally immune to security issues. As a matter of fact, security experts recently warned Mac OS X users of a security flaw that involves Java.

CNET tells us all about it:

Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple’s Mac OS X.

According to the man credited with discovering it, Landon Fuller, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.

The vulnerability could be used to perform what SecureMac refers to as “drive-by-downloads,” or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.

While the fact that a security flaw is certainly acceptable, the fact that it has remain unpatched to date is hard to understand. It is even more perplexing as the flaw had been discovered before the latest update to the OS was released. Is Apple not aware of the flaw (I seriously doubt it) or are they not seeing it as a serious threat?

Categories: News, Operating Systems

Leave a Comment

If there is one thing that a lot of people do but deny doing so, it is buying fake software. This is actually understandable if you think about it. Licensed software is just so expensive and with the way things are going financially right now, people are always looking for ways to save a dime here and there. And if you buy unlicensed software, you will definitely save more than a dime!

Then again, if you are talking about security software, I do not really think that it is such a good idea to buy fake software. After all, you are talking about staying safe here, and who knows where all that fake software comes from?

Microsoft has actually issued statements regarding fake security software. Naturally, many will be skeptical about the statements – it is from the largest software company in the world. Of course they will tell you to stay away from fake products, right?

But they do have a very valid point, one which we will all benefit from. Canada.com has a report on this:

Fake computer security software, created by cyber criminals as smokescreens for viruses, is the No. 1 threat to computer security in Canada, software giant Microsoft said Wednesday in its latest biannual security report.

And experts blame hackers for playing on people’s fears of infectious malicious software, such as the Conficker worm.

According to Microsoft’s report, rogue security software, also called scareware, was found in 5.9 million computers, a rise of 66 per cent in the last six months.

What should you do? Make sure you are buying 100% legit software.

“If you see a message pop up (from a website) no matter how dire it is don’t click on it because almost 100 per cent of the time that message is a fake message,” said Mohammad Akif.

“Norton, Symatec, Microsoft — none of these companies sell their software this way.”

Sounds like a plan to me!

Categories: General, IT Security Basics, Malware, Spyware, Tips

Leave a Comment