
Friday, November 04, 2011

Critical Security Fix it Released for Windows

If you run Windows XP, Vista or Windows 7 you need to install a patch immediately. Go to http://support.microsoft.com/kb/2639658, then download and right-click install the Enable Fix it link. If the fix does not install correctly you should re-visit the link and click on the Disable Fix it link.

This threat is serious so don't fail to install the patch - this “Duqu” Trojan is really nasty.

Monday, October 24, 2011

Peek-a-boo !

Remember the problem back in 2008 that resulted in an Adobe Flash upgrade? The solution for future attacks targeting users' built-in webcams was to cover them with tape, chewing gum, etc. The USB cams would be made safe by simply unplugging them. Well, keep doing something because the security flaw still exists. Read about it here.

Posted by Matthew Carrick at 2:25.55 PM EDT | Permanent Link

| Categories: Adware/Spyware, Hardware Innovations, Privacy Issues

Thursday, September 08, 2011

You're all a bunch of thieving crooks.

A report from the Business Software Alliance (BSA) appears to show that most people have illegal or pirated software on their PCs. A Google news search gives you a good overview.

Tsk-tsk-tsk - you people should be ashamed.

Be aware that you will eventually be plagued with a piece of software containing a virus, spyware, malware, trojan or some other evil bit.

Try using open source software or look into searching for well written applications whose cost is rarely above $50.00 and generally provide years of free updates. Sweet.

Posted by Matthew Carrick at 2:24.16 PM EDT | Permanent Link
Edited on: Monday, September 26, 2011 9:31.20 AM EDT
Comment by The Penguin - Saturday 26th November 2011 12:44:35 PM

Thieving crooks? Thieving crooks?! THIEVING CROOKS?!?!?!

| Categories: Adware/Spyware, Alternative Apps, Best Practices, Headlines, Openoffice.org, Open Source, Privacy Issues, Security Alerts, Viruses-Trojans-Worms

Sunday, September 04, 2011

What's on Your PC?

Do you know what software is on your PC? A woman in Vancouver now knows. A software application meant to allow a PC to be tracked via its IP address was also taking pics via its built-in webcam. This at the same time she was engaging in, ahem, risque conduct with a 'special friend' if-you-get-my-drift. The Mothercorps has the story here.

Posted by Matthew Carrick at 12:52.12 PM EDT | Permanent Link

| Categories: Best Practices, Privacy Issues, Security Alerts

Tuesday, June 21, 2011

Barn. Door. Open. Horses. Gone

Dropbox, the handy cloud storage people, seem to have left their system open to the public for some four hours. Oops. The tally of accessed accounts is said to be only 1% of the users - or 40,000+ accounts :( If you're now on the lookout for a more secure cloud try http://www.sugarsync.com or https://spideroak.com
Posted by Matthew Carrick at 1:52.47 PM EDT | Permanent Link
Edited on: Tuesday, June 21, 2011 1:53.35 PM EDT

| Categories: Privacy Issues

Sunday, June 19, 2011

Different Passwords for Each Site

The LulzSec hacker collective has likely compromised various sites (Facebook, PayPal, Xbox Live, Twitter, etc.) where they harvested user login info.

Folks still using identical credentials for multiple sites may find all of them compromised.

Posted by Matthew Carrick at 9:52.02 PM EDT | Permanent Link
Edited on: Tuesday, June 21, 2011 10:36.23 AM EDT
Comment by Matthew - Tuesday 21st June 2011 10:40:41 AM

Check for your cracked credentials at: http://dazzlepod.com/lulzsec/ So, at least use strong passwords (eight characters minimum including upper and lower case letters, symbols, numbers and never any word that can be found in a dictionary) even if your username is the same (and good luck with that).

But, never ever use the same username and password on more than one site.

| Categories: Best Practices, Privacy Issues

Thursday, June 09, 2011

Disabling Facebook facial recognition

Recent changes by Facebook have enabled facial recognition - very nice - Google Picasa also has a great facial recognition component. That Facebook would turn it on by default, however, is a bad idea. Should you wish to disable this feature do this:

Log in to Facebook and click "Account" in the upper right-hand corner of the page.

Click on "Privacy Settings."

Click on "Customize Settings."

Go to "Things others share."

Next to the option "Suggest photos of me to friends. When photos look like me, suggest my name," click "Edit Settings."

Click on "Edit Settings."

Change it to "Disabled."

Click "Okay."

Or go here http://www.sophos.com for more details and screencaps.

Posted by Matthew Carrick at 10:27.40 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Wednesday, May 18, 2011

Encrypt Your Dropbox Files

If you were mightily annoyed or even downright peeved with the recent Dropbox fiasco wherein the company all but admitted that data stored on its site can be accessed by employees then check out SecretSync. Files residing in the SecretSync folder within Dropbox are, of course, synced like any others even amongst numerous computers and are always encrypted when online. So, unless they are in your physical control they're encrypted and no one can access them. Neat, heh? Here is the FAQ for further clarification.

Posted by Matthew Carrick at 10:45.57 PM EDT | Permanent Link

| Categories: Physical Security, Privacy Issues, Software Tools

Wednesday, April 20, 2011

iPhone Tracker Revealed

A story from the Guardian reveals Apple keeps a file on the iPhone and iPad that contains the latitude and longitude of the phone's recorded positions coupled with a time stamp. When synchronised with the owner's computer this file is copied over, resulting in two copies. The file data can be accessed with minimal effort by anyone with possession of the device(s). You can access this file with this handy application called IphoneTracker. The only saving grace is that the file is apparently not uploaded to Apple. Stay tuned for the fallout from this.

Posted by Matthew Carrick at 11:39.27 AM EDT | Permanent Link
Edited on: Wednesday, April 20, 2011 11:48.09 AM EDT
Comment by Matthew - Saturday 23rd April 2011 04:48:26 AM

Google's Android phones also track you but only for the last 50 locations or 100 locations when using WiFi. It is also more difficult to access the file as you would need to 'root' the phone first. Still, unencrypted files do not make for secure phones.

| Categories: All Things Mac, Physical Security, Privacy Issues, Security Alerts

Thursday, December 23, 2010

IE Exploit for Xmas!

Microsoft's Internet Explorer is the target of a new zero day attack.
Best Practice? If you're using IE, stop.
If you must use IE then perhaps Sandbox it with Sandboxie.
Why not try Firefox (with the awesome No-Script Add-on) or Opera instead?
Safer, Better and hip . . . like the kids say.
Posted by Matthew Carrick at 10:26.44 PM EST | Permanent Link
Comment by Matthew - Wednesday 05th January 2011 08:29:54 PM

Bill has posted a 'Fix it' for this annoyance here: http://support.microsoft.com/kb/2490606

| Categories: Adware/Spyware, Best Practices, Internet Explorer, Mozilla Firefox, Opera, Privacy Issues, Security Alerts, Viruses-Trojans-Worms

Monday, November 08, 2010

Firefox BlackSheep: Anti-Networking Sniffing Tool

Not too long ago a Firefox extension called Firesheep designed to (according to the writeup at Lifehacker.com) ". . . sniff out weak security and/or hijack web site credentials on open Wi-Fi networks." was released. While useful for legitimate tasks it also gave crackers a tool that could allow them obvious access to PCs at your local coffee shop.

Now BlackSheep, an anti-Firesheep tool has been released. It is designed to alert you whenever Firesheep is active on your local network.

If you frequent establishments where you use Wi-Fi you might consider using this Firefox extension. The download page is here: http://www.zscaler.com/blacksheep.html

You should also look into grabbing the HTTPS Everywhere Firefox extension which encrypts your entire session not just the login portion.

Monday, October 18, 2010

Facebook coughing up UID's

The online platform for farming, organized crime and poker . . . known in these here parts as Facebook, again finds itself on the wrong end of user privacy. It appears certain online apps (Farmville, etc) have been providing info that could allow evil-doers to reveal names, phone numbers, email addresses, photos and other personal bits.

I use Facebook but never play any games and check the privacy settings religiously to try and stay ahead of the inevitable security breach.

An excellent write up is here: http://mashable.com/2010/10/18/facebook-apps-leak-user-info/

Posted by Matthew Carrick at 9:21.41 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues, Security Alerts

Thursday, October 07, 2010

Gmail Security Checklist

The safety conscious folks at Google have a new page that explains how to check your account to ensure your privacy level is adequate.

It is here: http://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488

Even if you think you are covered give this checklist a glance - you may well be surprised.

Posted by Matthew Carrick at 10:21.40 AM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Tuesday, September 28, 2010

New Hotmail Account Recovery Tools

Microsoft has introduced two new features for use when you need to regain control of your Hotmail account(s). Good job, Bill!

First, “Trusted PC” links your Hotmail account with one or more of your physical PC's. Should you need to recover your cracked account it can be done by using one of these machines.

Second, Hotmail will send a secret code via SMS to your cell phone that can be used to reset the password of your cracked account.

So, if you still use Hotmail, log in to your account(s) and ensure it has all the details required to allow you to recover your account in the future because you know it will happen.

Posted by Matthew Carrick at 12:30.25 PM EDT | Permanent Link

| Categories: Headlines, Mobile, Online Apps, Privacy Issues

Monday, July 05, 2010

Critical Microsoft Fixit

Bill has announced that an unpatched critical security hole in Windows XP operating systems is a genuine threat. A temporary patch using Microsoft Fix it is available here - after the .msi file downloads double-click it and the install is self-explanatory. Users who apply this patch will not need to uninstall it before applying the official patch when it becomes available towards the middle of July.

Sunday, May 23, 2010

Facebook Privacy Widget

This is a lovely Firefox Add-on that attempts to check and then offer to fix all your rogue Facebook settings. Krebs on Security reports on a study that found most of the Firefox crashes were due to crappy Facebook applications :(
Posted by Matthew Carrick at 10:35.59 PM EDT | Permanent Link

| Categories: Firefox Extensions, Online Apps, Privacy Issues

Friday, May 07, 2010

Facebook IP Leak

It appears emails sent from Facebook contain enough info that it is possible to geo-locate a sender. The details are here.
Posted by Matthew Carrick at 9:01.44 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Thursday, May 06, 2010

Facebook f**k up

Oops. Facebook's new Open Graph API is leaking sez PC World. It's security breaches such as these that will cause problems because of the interrelationship between so many disparate applications and the general mass of users who never check settings. If people don't start taking security seriously before a problem develops the cost and effort to fix the problem could be very high indeed.

WiFi network finder - now with password cracker!

If you use a router and are still using WEP encryption then please read this.

I'll wait.

Ok.

Connect to your router and ensure you are using WPA or better yet, WPA2.

Monday, April 26, 2010

Palm Pre Security Hole

The recent Palm Pre OS has been found to have a major, glaring security gap because, since the browser is embedded into the OS, it's naturally vulnerable to various exploits (Javascript being the obvious one) making it a large target for evil-doers. A fix better come sooner rather than later to save the brand for the foreseeable future. What were they thinking?

Posted by Matthew Carrick at 11:29.02 PM EDT | Permanent Link

| Categories: Mobile, Online Apps, Privacy Issues, Security Alerts

Thursday, February 18, 2010

Adobe .PDF Reader Critical Fix

Adobe has announced a patch for its Reader that is a must have as always.

It appears Adobe's software is highly unsafe and worse, breaks quickly giving the evil-doers more time to exploit the openings. Oops.

Details at Krebs on Security. And, Aviv Raff On .NET has apparently found the horrible Adobe Download Manager will re-install the evil bits so make sure you un-install it as well. Firefox users should disable or un-install the Adobe Download Manager Extension/Add-on.

Posted by Matthew Carrick at 10:50.46 PM EST | Permanent Link
Edited on: Thursday, October 28, 2010 11:59.00 PM EDT

| Categories: Adobe, Alternative Apps, Privacy Issues, Security Alerts

Sunday, November 01, 2009

Damn Yer Quiz, Facebook!

I thought Facebook was a means whereby one could (virtually) keep in touch with loved ones, friends and colleagues? A place to share pictures and thoughts? Now it appears cluttered with quizzes, games and virus-filled applications. Yeech. Greasemonkey to the rescue!

Greasemonkey Script: Facebook Purity

What? Never used Greasemonkey? Hmmm . . . You do use Firefox, right? Check this previous post.

Friday, October 09, 2009

Adobe Reader Critical Vulnerability

It appears the ever popular Adobe Reader (version 9.1.3 and earlier) has a gaping hole that could allow bad people to take over Windows installs. This problem has popped up before. One way to mitigate (but not eliminate) the threat is to disable Javascript in Adobe Reader and/or change your browser's behavior to download .pdf files as opposed to viewing them. You also might want to try the free alternative called Foxit Reader which has a better record when it comes to security issues. Just sayin' . . .

Posted by Matthew Carrick at 8:37.37 PM EDT | Permanent Link
Edited on: Thursday, October 28, 2010 11:57.49 PM EDT

| Categories: Adobe, Alternative Apps, Privacy Issues, Security Alerts, Viruses-Trojans-Worms

Tuesday, August 25, 2009

Third-party apps create insecure Facebook

Popular social networking site Facebook has exposed users to phishing attacks that use already hacked accounts to contact friends. Links presented to users lead to look-alike pages not associated with Facebook that may hold any one of 11 rogue scripts (and counting) that do bad things. Trendmicro has details here.

Until Facebook tightens up the ship now heading for the shoals be very careful about using third-party apps. Yes, that means a large chunk of Facebook, sorry. Do this . . . no, seriously . . . and Facebook will adapt or die. Now if Leafs fans would just do the same.

Sunday, May 31, 2009

Pick a Problem

So, if your Windows box is hacked the only person to suffer is you, right? Umm, wrong. Your neglect could allow for many evil happenings to occur. Check out the disturbing graphic of just what may happen here. If you need a full description of the exploits it is here.
Posted by Matthew Carrick at 10:16.28 AM EDT | Permanent Link

| Categories: Privacy Issues

Friday, February 20, 2009

Adobe Reader Vulnerability

Evil-doers are actively exploiting a security hole in Adobe Reader. Users need only open a rogue .pdf file to have their system taken over.

Since Adobe doesn't plan to patch the problem until March 11th, 2009 users should either disable Javascript within Adobe Reader (Choose "Edit", "Preferences", "Javascript", and uncheck the box beside "Enable Acrobat Javascript") or use an alternative to Adobe Reader called Foxit Reader which is available here: http://www.foxitsoftware.com

Posted by Matthew Carrick at 10:01.43 AM EST | Permanent Link
Edited on: Thursday, October 28, 2010 11:57.58 PM EDT

| Categories: Adobe, Alternative Apps, Privacy Issues, Security Alerts, Viruses-Trojans-Worms

Thursday, February 12, 2009

Facebook Privacy

Check out the handy list of 10 Privacy Settings Every Facebook User Should Know by Nick O'Neill on February 2nd, 2009 at: http://www.allfacebook.com/2009/02/facebook-privacy/
The lesson one learns is to always check through every preference, option and settings choice available for all applications, online or off. Assume the default settings leave something to be desired and if you don't check them you will eventually be bitten on the a** by one of them. Just sayin' . . .
Posted by Matthew Carrick at 11:44.54 AM EST | Permanent Link

| Categories: Best Practices, Online Apps, Privacy Issues

Tuesday, January 06, 2009

Phishing Targets Tweeter

The popular mobile service Tweeter has been hit with phishing messages. Nothing new about this. It is a good time to remind folks about the devious nature of these evil doers. Any method will be used to induce the unwary or stupid to visit sites that will attempt to upload all kinds of malware, spyware, trojans, etc. to your PC, smartphone or other device. The vector for this specific attack is the very popular 'TinyURL' online application that turns large, unwieldy URLs such as “http://www.somewhere.orf/really/long/directory/” into something such as “http://tinyurl.com/4d4a2” which can be remembered long enough to key into a browser. The problem is that the TinyURL hides its destination, so it could lead one to evil sites. Very bad. TinyURL's solution, which folks either don't know about or don't use or understand, is to use the Preview TinyURL. In our previous example one should put “preview.” in front of the TinyURL host name: “http://preview.tinyurl.com/4d4a2”. This will allow for the best practice of safely viewing the intended target before actually visiting it.
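The preview rewrite described above, as an added example that is not part of the original post: it turns TinyURL links found in a message into their preview form and leaves look-alike hosts untouched. The function names, the list of short-link hosts and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: only the bare and "www." forms count as TinyURL short-link hosts.
SHORT_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"

# Loose URL matcher for plain-text messages (tweets, e-mail bodies).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def to_preview(url):
    """Return the preview form of a TinyURL link, or the URL unchanged."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return url  # malformed URL: do not touch it
    # Compare the whole authority, so "tinyurl.com.evil.example" and
    # "tinyurl.com@evil.example" are NOT treated as TinyURL links.
    if parts.netloc.lower() not in SHORT_HOSTS:
        return url
    if not parts.path.strip("/"):
        return url  # the TinyURL home page, nothing to preview
    return urlunsplit(
        (parts.scheme, PREVIEW_HOST, parts.path, parts.query, parts.fragment)
    )


def rewrite_message(text):
    """Rewrite every TinyURL link in text; return (new_text, links_rewritten)."""
    rewritten = 0

    def repl(match):
        nonlocal rewritten
        raw = match.group(0)
        core = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the link
        tail = raw[len(core):]
        new = to_preview(core)
        if new != core:
            rewritten += 1
        return new + tail

    return URL_RE.sub(repl, text), rewritten


# Constructed sample message, modelled on the post's own example links.
SAMPLE = (
    "hey, funny blog about you: http://tinyurl.com/4d4a2. "
    "Mirror at http://tinyurl.com.evil.example/4d4a2 and the original at "
    "http://www.somewhere.orf/really/long/directory/"
)

if __name__ == "__main__":
    new_text, count = rewrite_message(SAMPLE)
    print(count, "link(s) rewritten")
    print(new_text)
```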

Sunday, December 14, 2008

Severe IE Vulnerability

An unpatched vulnerability in Internet Explorer 7 (which also affects older versions of the browser) is on the loose. Microsoft has stated that IE 5.01 with SP 4, IE 6 with or without SP 1 and IE 8 (Beta 2) on all versions of the Windows OS are affected. To complete the horror IE 7 on Windows XP SP 2 and 3 and Windows Vista with or without SP 1 are also vulnerable. Web sites are now actively exploiting the vulnerability. One has to merely view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once downloaded the evil doers can manipulate the rogue program to download other software which could perform actions such as sending spam emails or stealing data. Since Microsoft's next patch is not due until January 13, 2009 one would be wise to use an alternative browser such as Firefox or Opera. Just sayin' . . .

Wednesday, May 28, 2008

Post-it Passwords

One paragraph in a press report on the recent theft of works by artist Bill Reid astounded me:
"(Museum Director Anthony) Shelton said the heist was well organized: three Mexican Zapotec Indian gold-coloured necklaces, which were found despite being hidden in drawers, were the first items taken."
Folks . . . you just can't put your passwords on a sticky-note affixed to the underside of your keyboard! Got it?
Posted by Matthew Carrick at 2:21.48 PM EDT | Permanent Link
Edited on: Friday, May 30, 2008 9:25.35 AM EDT

| Categories: Best Practices, Physical Security, Privacy Issues