
Monday, July 05, 2010

Critical Microsoft Fixit

Bill has announced that an unpatched critical security hole in Windows XP operating systems is a genuine threat. A temporary patch using Microsoft Fix it is available here - after the .msi file downloads double-click it and the install is self-explanatory. Users who apply this patch will not need to uninstall it before applying the official patch when it becomes available towards the middle of July.

Sunday, May 23, 2010

Facebook Privacy Widget

This is a lovely Firefox Add-on that attempts to check and then offer to fix all your rogue Facebook settings. Krebs on Security reports on a study that found most of the Firefox crashes were due to crappy Facebook applications :(
Posted by Matthew Carrick at 10:35.59 PM EDT | Permanent Link
Comment by Mahmoud Ahmadinejad - Thursday 10th June 2010 04:29:43 PM

You still use Facebook in your arrondissement?

| Categories: Firefox Extensions, Online Apps, Privacy Issues

Friday, May 07, 2010

Facebook IP Leak

It appears emails sent from Facebook contain enough info that it is possible to geo-locate a sender. The details are here.
Posted by Matthew Carrick at 9:01.44 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Thursday, May 06, 2010

Facebook f**k up

Oops. Facebook's new Open Graph API is leaking sez PC World. It's security breaches such as these that will cause problems because of the interrelationship between so many disparate applications and the general mass of users who never check settings. If people don't start taking security seriously before a problem develops the cost and effort to fix the problem could be very high indeed.

WiFi network finder - now with password cracker!

If you use a router and are still using WEP encryption then please read this.

I'll wait.

Ok.

Connect to your router and ensure you are using WPA or better yet, WPA2.

Monday, April 26, 2010

Palm Pre Security Hole

The recent Palm Pre OS has been found to have a major, glaring security gap: since the browser is embedded into the OS, it's naturally vulnerable to various exploits (JavaScript being the obvious one), making it a large target for evil-doers. A fix better come sooner rather than later to save the brand for the foreseeable future. What were they thinking?

Posted by Matthew Carrick at 11:29.02 PM EDT | Permanent Link

| Categories: Mobile, Online Apps, Privacy Issues, Security Alerts

Thursday, February 18, 2010

Adobe .PDF Reader Critical Fix

Adobe has announced a patch for its Reader that is a must have as always.

It appears Adobe's software is highly unsafe and worse, breaks quickly giving the evil-doers more time to exploit the openings. Oops.

Details at Krebs on Security. And, Aviv Raff On .NET has apparently found the horrible Adobe Download Manager will re-install the evil bits so make sure you un-install it as well. Firefox users should disable or un-install the Adobe Download Manager Extension/Add-on.

Sunday, November 01, 2009

Damn Yer Quiz, Facebook!

I thought Facebook was a means whereby one could (virtually) keep in touch with loved ones, friends and colleagues? A place to share pictures and thoughts? Now it appears cluttered with quizzes, games and virus-filled applications. Yeech. Greasemonkey to the rescue!

Greasemonkey Script: Facebook Purity

What? Never used Greasemonkey? Hmmm . . . You do use Firefox, right? Check this previous post.
Posted by Matthew Carrick at 10:13.55 AM EST | Permanent Link
Comment by test bumkam - Thursday 11th February 2010 04:53:38 PM

space is a concept I approve of.

| Categories: Firefox Extensions, Mozilla Firefox, Privacy Issues, Software Tools

Friday, October 09, 2009

Adobe Reader Critical Vulnerability

It appears the ever popular Adobe Reader (version 9.1.3 and earlier) has a gaping hole that could allow bad people to take over Windows installs. This problem has popped up before. One way to mitigate (but not eliminate) the threat is to disable JavaScript in Adobe Reader and/or change your browser's behavior to download .pdf files as opposed to viewing them. You also might want to try the free alternative called Foxit Reader which has a better record when it comes to security issues. Just sayin' . . .

Tuesday, August 25, 2009

Third-party apps create insecure Facebook

Popular social networking site Facebook has exposed users to phishing attacks that use already hacked accounts to contact friends. Links presented to users lead to look-alike pages not associated with Facebook that may hold any one of 11 rogue scripts (and counting) that do bad things. Trendmicro has details here.

Until Facebook tightens up the ship now heading for the shoals, be very careful about using third-party apps. Yes, that means a large chunk of Facebook, sorry. Do this . . . no, seriously . . . and Facebook will adapt or die. Now if Leafs fans would just do the same.

Sunday, May 31, 2009

Pick a Problem

So, if your Windows box is hacked the only person to suffer is you, right? Umm, wrong. Your neglect could allow for many evil happenings to occur. Check out the disturbing graphic of just what may happen here. If you need a full description of the exploits it is here.
Posted by Matthew Carrick at 10:16.28 AM EDT | Permanent Link

| Categories: Privacy Issues

Friday, February 20, 2009

Adobe Reader Vulnerability

Evil-doers are actively exploiting a security hole in Adobe Reader. Users need only open a rogue .pdf file to have their system taken over.

Since Adobe doesn't plan to patch the problem until March 11th, 2009, users should either disable JavaScript within Adobe Reader (Choose "Edit", "Preferences", "Javascript", and uncheck the box beside "Enable Acrobat Javascript") or use an alternative to Adobe Reader called Foxit Reader which is available here: http://www.foxitsoftware.com

Thursday, February 12, 2009

Facebook Privacy

Check out the handy list of 10 Privacy Settings Every Facebook User Should Know by Nick O'Neill on February 2nd, 2009 at: http://www.allfacebook.com/2009/02/facebook-privacy/
The lesson one learns is to always check through every preference, option and settings choice available for all applications, online or off. Assume the default settings leave something to be desired and if you don't check them you will eventually be bitten on the a** by one of them. Just sayin' . . .
Posted by Matthew Carrick at 11:44.54 AM EST | Permanent Link

| Categories: Best Practices, Online Apps, Privacy Issues

Tuesday, January 06, 2009

Phishing Targets Tweeter

The popular mobile service Tweeter has been hit with phishing messages. Nothing new about this. It is a good time to remind folks about the devious nature of these evil doers. Any method will be used to induce the unwary or stupid to visit sites that will attempt to upload all kinds of malware, spyware, trojans, etc. to your PC, smartphone or other device. The vector for this specific attack is the very popular 'TinyURL' online application that turns large, unwieldy URLs such as “http://www.somewhere.orf/really/long/directory/” into something such as “http://tinyurl.com/4d4a2” which can be remembered long enough to key into a browser. The problem is that the TinyURL could lead one to evil sites. Very bad. TinyURL's solution, which folks either don't know about or don't use or understand, is to use the Preview TinyURL. In our previous example one should put “preview.” in front of the TinyURL host name: “http://preview.tinyurl.com/4d4a2”. This will allow for the best practice of safely viewing a rendering of the intended target before actually visiting it.

Sunday, December 14, 2008

Severe IE Vulnerability

An unpatched vulnerability in Internet Explorer 7 (which also affects older versions of the browser) is on the loose. Microsoft has stated that IE 5.01 with SP 4, IE 6 with or without SP 1 and IE 8 (Beta 2) on all versions of the Windows OS are affected. To complete the horror, IE 7 on Windows XP SP 2 and 3 and Windows Vista with or without SP 1 are also vulnerable. Web sites are now actively exploiting the vulnerability. One has to merely view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once downloaded, the evil doers can manipulate the rogue program to download other software which could perform actions such as sending spam emails or stealing data. Since Microsoft's next patch is not due until January 13, 2009, one would be wise to use an alternative browser such as Firefox or Opera. Just sayin' . . .

Wednesday, May 28, 2008

Post-it Passwords

One paragraph in a press report on the recent theft of works by artist Bill Reid astounded me:
"(Museum Director Anthony) Shelton said the heist was well organized: three Mexican Zapotec Indian gold-coloured necklaces, which were found despite being hidden in drawers, were the first items taken."
Folks . . . you just can't put your passwords on a sticky-note affixed to the underside of your keyboard! Got it?
Posted by Matthew Carrick at 2:21.48 PM EDT | Permanent Link
Edited on: Friday, May 30, 2008 9:25.35 AM EDT

| Categories: Best Practices, Physical Security, Privacy Issues

Patch your Flash NOW

Time to patch your Adobe Flash. Numerous evil sites are exploiting Flash vulnerabilities to install password stealing software Trojans when users visit them with unpatched Web browsers. The latest version is available here.
Of course, if you use Mozilla Firefox you will already have installed "NoScript" which goes a long way to protect you from this particular exploit.

Thursday, May 15, 2008

US Bound? Secure Your Electronics!

Famed security guru Bruce Schneier has a very informative article in the UK's Guardian newspaper online. In it he reminds potential visitors to the United States that border agents can and will search through all of your electronic devices. Laptops, cell phones, PDAs, iPods, etc. are all likely targets. Read the whole article here.
Posted by Matthew Carrick at 12:58.55 PM EDT | Permanent Link

| Categories: Best Practices, Headlines, Privacy Issues, Software Tools

Wednesday, March 12, 2008

Lessons Learned

It seems G-Archiver, a third-party tool for backing up Google's Gmail, was/is sending usernames and passwords back to evildoers. The lessons here are simple: Always check online to see if the software you are thinking of using is safe. A simple search should confirm if others have any concerns regarding security, privacy, function or usefulness. Secondly, consider trying open-source software when possible. Since these applications are constantly examined by users for problems you tend to be protected in part from hassles that affect proprietary applications.

Saturday, February 02, 2008

Limewire User Exposes Data

Peer-to-Peer file sharing networks are a haven for Trojans and malware. Letting others into your PC without the proper safeguards (hell, even with the safeguards) is a hole waiting to be filled with evil. If you must use these networks then consider keeping your sharing on your personal machine and not on one used by others.
Posted by Matthew Carrick at 7:28.11 PM EST | Permanent Link

| Categories: Headlines, Privacy Issues

Tuesday, January 22, 2008

How to kill ActiveX

ActiveX is generally a gross security problem waiting to happen within Internet Explorer. Having the ability to kill certain (A few? Some? All but what you really need?) ActiveX controls is detailed by Microsoft here. Or you could use Opera or Firefox in place of Internet Explorer.

Tuesday, November 27, 2007

Unpatched QuickTime Flaw

Those using QuickTime should be aware that a flaw in the most current version could allow attackers to execute code remotely on users' machines. While there is no patch available, CERT has posted various workarounds to minimize the risk.

Saturday, October 20, 2007

RealPlayer Exploit

Users of Internet Explorer under Windows are vulnerable to drive-by downloads simply by visiting an evil Web page. As usual, it is an unknown and unpatched ActiveX component that is causing the problem. Note that both Microsoft Outlook and Outlook Express clients are also at risk. Best practices? Uninstall RealPlayer, use an alternative browser such as Firefox or Opera and use another email client such as Thunderbird or Penelope. Those who just can't part with RealPlayer should visit http://service.real.com/realplayer/security/en/ and (when available) download and install the patch. Ryan Naraine over at ZDNet.com has a great write up with info and fixes.

Sunday, September 30, 2007

AOL AIM IM BUST

Clear as mud, eh? Internet Service Provider AOL has been informed that its IM client has a flaw that makes it possible for evil attackers to remotely execute malicious code on users' computers. Those using Internet Explorer are especially vulnerable. Best practices? Try an alternative such as Pidgin (formerly GAIM).

Monday, August 06, 2007

Web 2.0 vs. Privacy Concerns

There is a growing concern that many of the more popular Web 2.0 applications such as Facebook.com or Myspace.com have more than their share of security holes. No doubt. Best practise? Don't give out data anywhere that could compromise your integrity (Nudie photos? Dope smokin' movies? Looking like a doofus?) or security (SIN, birthdate) unless you have faith in the recipient to keep it safe.
Posted by Matthew Carrick at 10:02.05 PM EDT | Permanent Link

| Categories: Best Practices, Privacy Issues

Monday, June 11, 2007

OpenOffice.org Virus Spreads

A virus written in numerous scripting languages that can affect Windows, Linux, and Mac OS X computers is slowly spreading via infected OpenOffice.org documents. Best practice is, of course, to never accept documents as attachments in email if you were not expecting them. Inform the sender that it is always best to announce attachments before sending. Having a good Anti-Virus and firewall is also an excellent idea just in case nasties end up on your system. Better safe than sorry!

Friday, June 08, 2007

Yahoo Messenger Critical Upgrade

Yahoo Messenger has released an upgrade to fix a known security hole that would allow attackers to execute code on your PC. Please upgrade to version 8.1.0.401 from here: http://messenger.yahoo.com/download.php

Monday, May 14, 2007

Google: 1 in 10 Websites Unsafe

Especially if you use Internet Explorer as opposed to Firefox or Opera. The chance of being nailed by a "drive-by download" is almost non-existent when using any browser other than Internet Explorer. Do yourself a favour and try a safer alternative.

Thursday, March 15, 2007

Phishing vulnerability in IE7

Secunia has a test page where you can determine if your browser is affected. Our tests show Mozilla Firefox 2.0.0.2 and Opera 9.10 to be safe. Internet Explorer 7.0.5730.11 is unsafe. Best practise: Do not use Internet Explorer except to obtain updates for your Windows OS.
Posted by Matthew Carrick at 4:21.34 PM EDT | Permanent Link

| Categories: Privacy Issues, Security Alerts

Monday, March 05, 2007

QuickTime Flaw Patched

Apple has patched its QuickTime application for both Mac OS X and all flavours of Windows from 2000 to Vista. Update your version NOW via the software update feature or by going to: http://www.apple.com
Posted by Matthew Carrick at 8:22.24 PM EST | Permanent Link

| Categories: Privacy Issues, Security Alerts