I’m not going to lie: I really am getting sick of Facebook. The site is seriously a privacy nightmare. Take, for example, Facebook’s notable announcements this week. Mark Zuckerberg, the CEO of Facebook, described his vision of the Internet as a web of human relationships with users sharing all sorts of information with one another. Part of the vision is a universal Like button, which lets users let others know that they, well, like something.
The problem stems from the fact that users do not know precisely how much they are sharing and with whom they are sharing such information. And with Zuckerberg’s new vision for Facebook, profile information could be accessible to third-party sites. Facebook’s privacy settings are unclear at best and useless at worst. When the settings were changed six months ago, 65 percent of users kept their profiles public.
Users either do not understand their own privacy settings or simply do not care, both of which are a problem. Of course other companies, such as Google, have had problems with privacy in the past. But as Dan Costa said in his article at PC Magazine, “For Google, having users share private information is a constant risk and an unfortunate side effect of its services, perhaps even a liability. For Facebook, it is a business model.” And personally, I do not want to have anything to do with a company that has such a business model.
Via PC Magazine, image via Facebook.
Microsoft released an update to the Windows operating system today but advised some Windows XP users not to install it just yet. Systems infected with a rootkit, a form of malware that buries itself deep in the operating system, should not receive the update until the rootkit has been removed.
The rootkit modifies the same part of the system that the update changes, so installing the update on an infected machine can render it unusable. That is what happened earlier this year, in February: users installed an update, and some infected systems stopped working. Microsoft wants to avoid a repeat of that incident, and it also does not want users to become wary of installing updates.
Microsoft urged users to check that they are not infected with the rootkit and, if they are, to remove it first, either with Microsoft’s Malicious Software Removal Tool or with tools from security vendors.
Via BBC News, image via BBC News.
This afternoon, Apple released updates for Mac OS X 10.6 Snow Leopard and Mac OS X 10.5 Leopard. The updates address a number of issues, including glitches on the 27-inch iMac and security problems in the OS.
The updates for the 27-inch iMac resolve an issue concerning high processor utilization and a problem with the display backlight coming on when the iMac is powered on. Both updates are relatively small (2.1 MB and 397 KB, respectively) and require Mac OS X 10.6.3 or later.
The update for Snow Leopard, Leopard Client, and Leopard Server addresses a vulnerability in the handling of documents with maliciously crafted embedded fonts. The vulnerability was discovered by Charlie Miller, working with TippingPoint’s Zero Day Initiative.
Apple also released Server Admin Tools 10.6.3, which includes the latest versions of some Apple applications like iCal Server Utility and Server Preferences. This update is recommended for the remote administration of Snow Leopard Server.
Via AppleInsider, image via Apple.
Hacker Charlie Miller has been poking at the core components of Mac OS X to see whether there are major flaws in Apple’s security net. In his attempts to remotely control OS X machines and steal files from them, he has racked up quite a list of problems: no fewer than 20 holes, which he plans to report at the upcoming CanSecWest security conference in Canada. He has appeared there several times before, demonstrating multiple flaws in Apple’s OS.
Ultimately, Miller points out that several elements of Mac OS X put it at risk: a combination of open-source components, third-party closed-source applications, and Apple’s own closed-source code. He sums it up with the sentiment, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.” Translation for Mac users: be grateful you are such a small demographic, because otherwise you would run a serious risk of being hacked.
Twitter just got a bit too personal by introducing a new feature today that allows users to automatically share their location with their tweets. Make no mistake: I’m not anti-Twitter or anything. I have Twitter and I use it. I think it’s very fun and quite useful for sharing links and the like. But location sharing on the Internet is, in my opinion, going way too far.
At least Twitter is handling the whole situation properly. When I logged in today, I was asked if I wanted to turn on the location sharing feature or not and was given the opportunity to learn more about the feature if I wanted to. Of course, I did not opt to turn it on. I do commend Twitter for handling this new feature a lot better than Google handled their new Google Buzz back when they introduced it.
Twitter is responding to the recent trend of location sharing on the Internet. Many other Internet services have adopted location-sharing features, and Facebook is expected to join them soon. Twitter’s new feature works in Chrome and Firefox 3.5; for it to work in Internet Explorer, a separate software download is required.
Via The Associated Press, image via Twitter.
Most of the time, when we fill out those annoying security questions while creating an online account, we really don’t think about what we’re doing. We don’t think about how secure our questions and answers are (or are not) and whether someone else could easily guess them and be able to hack into our accounts.
According to security researchers, this is a bad thing. Answers to security questions such as a mother’s maiden name are far too easy to guess, and a determined, persevering attacker can often find the information online. Research has shown that, given three guesses at the answers, attackers could break into one in eighty accounts.
Guessing the answers to security questions lets an attacker reset a password without knowing the old one. In most cases, the answers are not hard to guess: a study by Microsoft and Carnegie Mellon found that seventeen percent of the answers to security questions could be guessed by people who knew the owner of the targeted account.
And there is more at stake when an email account is compromised: access to a person’s email account can give access to every other online account registered to that address. Because of this weakness, some email providers are trying to make their password-reset functions more secure. For example, Google can send a password reset by text message rather than by email.
Via BBC News.
According to the organizer of the Pwn2Own hacking contest, Apple’s Safari will be the first browser to fall. However, a researcher who won at Pwn2Own the previous two years is not so sure. Aaron Portnoy, the organizer of the contest, said that Safari runs on Snow Leopard, which “isn’t on the same level as Windows 7.” But researcher Charlie Miller says Safari is not significantly easier to hack than the other browsers.
The Pwn2Own contest has made headlines for hacking Mac OS X, Safari, Microsoft Windows, and Internet Explorer. There are cash prizes and laptops for those who successfully hack the browsers and operating systems. Last year, Safari, Internet Explorer, and Firefox all fell to attack. Google Chrome did not.
There won’t only be operating systems and browsers to hack; there is a mobile component to the competition as well. Competitors will have the opportunity to attack an iPhone 3GS, a BlackBerry Bold 9700, a Nokia smartphone, and a Motorola phone that will most likely run Android. Portnoy said he expects the iPhone to be the easiest target. Miller said he does not expect any of the phones to be hacked successfully, because techniques for attacking phones are not yet widely known.
Pwn2Own runs from March 24 to March 26 in Vancouver, British Columbia. The vulnerabilities and bugs discovered are used to improve computer security.
Via Computerworld, image via Apple.
The latest security update from Microsoft will patch a bug in Windows that has existed for 17 years. It first appeared in Windows NT 3.1 and has been carried into most versions of Windows since. The security update will also fix 25 other holes, five of which are critical.
The old bug was discovered by a security researcher at Google in January 2010. It lies in a compatibility component that allows newer versions of Windows to run old programs. The researcher was able to exploit it on Windows XP, Windows Server 2003 and 2008, Windows Vista, and Windows 7. Microsoft will patch the bug in its February security update.
The security update will also fix bugs in Office XP, Office 2003, and Office 2004 (the Mac counterpart of Office 2003). This update is not the largest Microsoft has released: the October 2009 security update fixed 34 flaws, eight of which were critical. Microsoft also recently released a patch for the Internet Explorer vulnerability thought to have been used in the attacks on Google in China.
Via BBC News, image via BBC News.
Passwords are perhaps the most vulnerable element of computer security. They are the most commonly used means of protecting data, accounts, and other things you don’t want other people getting their hands on. Because of this, and because people often don’t take the time to create secure passwords, the password is usually the weak point in a system.
That is why it is very important to create secure passwords. Unfortunately, “secure” usually means “highly random” and therefore hard to remember. Still, there are five suggestions you can follow to create passwords that are both secure and memorable.
1. Don’t use personal information in a password. An attacker can easily find out your name and other personal details, so don’t build a password from them.
2. Don’t use real words. Password-cracking software can quickly break a password made of words found in a dictionary.
3. Mix types of characters. Use both uppercase and lowercase letters, and replace some letters in the password with other characters (like @ instead of a, and 0 instead of o).
4. Use a passphrase. Some cracking programs also try the character substitutions mentioned in point 3, so come up with a memorable sentence (like a quote from a movie) and use the first letter of each word in that sentence as your password.
5. Use tools. There are tools that generate complex, secure passwords (unfortunately, these are often difficult to remember) and tools that store complex passwords for you.
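The five suggestions above, turned into a small password audit. This is an added example, not code from the article or from PC World: a tiny constructed word list stands in for a real cracking dictionary, the 12-character minimum is an assumption (the article sets no length), and the leet-reversal table is the same handful of substitutions point 3 recommends, so the dictionary check catches them as point 4 warns. The acronym builder implements point 4 and the generator implements point 5 using Python’s `secrets` module.

```python
import secrets
import string

# Constructed, tiny stand-in for a cracking wordlist. A real audit would load a
# full dictionary (e.g. /usr/share/dict/words) or a leaked-password list.
WORDLIST = {"password", "letmein", "dragon", "monkey", "welcome", "qwerty", "summer"}

# Reverse the common substitutions from point 3 before the dictionary check,
# because cracking tools try exactly these (the caveat in point 4).
_UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                         "$": "s", "5": "s", "!": "i", "7": "t"})

MIN_LENGTH = 12  # assumed threshold for this example; the article sets none


def normalise(password: str) -> str:
    """Lower-case the password and undo leet substitutions."""
    return password.translate(_UNLEET).lower()


def audit_password(password: str, personal_info=(), wordlist=WORDLIST) -> list:
    """Return the rules from the article that the password breaks ([] = passes)."""
    problems = []
    lowered = password.lower()
    # Point 1: no personal details (name, birth year, pet...) as a substring.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal info: {item}")
    # Point 2: no dictionary words, even when hidden behind substitutions.
    norm = normalise(password)
    for word in sorted(wordlist):
        if word in norm:
            problems.append(f"contains dictionary word: {word}")
    # Point 3: mix character classes (lower, upper, digit, punctuation).
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def passphrase_acronym(sentence: str) -> str:
    """Point 4: the first character of each word, keeping the sentence's
    capitalisation, digits and any trailing punctuation for extra classes."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


def generate_password(length: int = 16) -> str:
    """Point 5: a random password with at least one character of each class,
    drawn from the cryptographic `secrets` module rather than `random`."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    if length < len(pools):
        raise ValueError("length must cover every character class")
    chars = [secrets.choice(p) for p in pools]
    everything = "".join(pools)
    chars += [secrets.choice(everything) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(audit_password("P@ssw0rd", personal_info=["Alice"]))
    pw = passphrase_acronym("The quick brown fox jumps over the lazy dog, 7 times a day!")
    print(pw, audit_password(pw, personal_info=["Alice"]))
    print(generate_password())
```

Run as a script it shows the point of rule 4: `P@ssw0rd` follows rule 3 to the letter and still fails, because normalising it gives back `password`, while the acronym of a long sentence passes every check without needing substitutions at all.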
The bottom line? Passwords can be annoying, but they are, for now, necessary. So do your best to make passwords that are not completely obvious to guess, or buy a fingerprint reader.
Via PC World.
As many have said, it is time to stop using Internet Explorer. It is simply too insecure. New malware is now exploiting yet another vulnerability in Microsoft’s popular browser.
This new threat is different from the one used against Google in China. The malware overwrites the code of the MessageBeep API so that Internet Explorer cannot play its warning beep, then causes the IE window to be displayed again, which results in a malicious file being downloaded. Hundreds of websites host the shellcode, which bypasses a warning dialog.
Part of the problem is the enormous number of people who persist in using Internet Explorer 6. IE6 is almost ten years old. It was designed at a time when browser security was poorly understood, so it is extremely vulnerable. Yet it remains the browser with the largest market share, even though Microsoft has released newer, more secure versions.
Via CIO Today, image via Microsoft.
On Tuesday Apple released a security update for Leopard and Snow Leopard (unfortunately, none for those still using Tiger) that patched 12 vulnerabilities, seven of them in Adobe Flash Player and one affecting encrypted Internet traffic. The update was much smaller than Apple’s previous one, released in November, which fixed close to 60 flaws.
The Flash Player patches bring it to version 10.0.42.34, the release Adobe shipped in December 2009 for Windows and Linux. Because Apple bundles Flash Player with its operating system, it distributes Adobe’s patches itself.
Nine of the 12 issues fixed were described with the phrase “may lead to arbitrary code execution,” which in Apple’s language means an attacker could have exploited the flaw to hijack a Mac.
Another notable fix was for a flaw in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) that could have allowed attackers to intercept encrypted traffic. Two security analysts at PhoneFactor discovered the flaw in August 2009.
Via Computerworld, image via Apple.
Chinese attackers who mounted attacks on Google were able to do so by exploiting a vulnerability in Microsoft’s browser, Internet Explorer, according to new information from McAfee. Microsoft was expected to release an advisory about the Internet Explorer hole but has not yet done so.
Initially, security researchers thought a vulnerability in Adobe Reader was the entry point. Adobe denied this, and it appears they were right: their software seems to have no security issue associated with this attack.
Google released information about the attacks on Tuesday. They were not the only US company to be attacked: Adobe, Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical were also targeted.
Via CNET, image via Microsoft.
One of the many additions in Apple’s new operating system, Snow Leopard, is a malware blocker. The blocker scans software downloads for malware, which is a good idea considering the recent increase in malware found in pirated Mac software. Though Apple has famously claimed that Macs are safe from the viruses that plague Windows computers, it is not taking any chances and actually recommends the use of third-party security software.
Apparently, Apple has let the malware blocker fall by the wayside. It has not released updates to detect two Trojan horse programs that target Macs, nor has it expanded the blocker’s signature base to cover the many DNS-changer threats aimed specifically at Macs. A DNS changer alters the Mac’s DNS server settings so that lookups go to attacker-controlled servers, which then serve fake web pages and steal users’ data.
The malware blocker is a great idea, but it could benefit from more attention. The currently available version only scans downloads made by certain applications, including Safari, Firefox, iChat, and Mail. Apple needs to offer more protection on its computers as security threats to Macs increase.
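Because the blocker does not catch these DNS changers, the practical check is to look at what resolvers the Mac is actually using. The following is an added example, not Apple’s code or anything from the source article: it parses the output of `scutil --dns` (a standard macOS command) and reports any nameserver that is not in an expected set. The sample output and the expected-resolver set are constructed for the example; the 203.0.113.0/24 block is reserved documentation space standing in for an attacker-controlled resolver.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output from a Mac whose resolver list has
# been altered. 203.0.113.53 plays the attacker-controlled server; it is not a
# real DNS-changer address.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)
  flags    : Request A records
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Resolvers this host is expected to use (assumption for the example). In
# practice: the router, the corporate resolver, or the DHCP-assigned servers.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

_NS_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output: str) -> list:
    """Extract every nameserver[N] address from `scutil --dns` output, in order."""
    return [ipaddress.ip_address(addr) for addr in _NS_RE.findall(scutil_output)]


def unexpected_resolvers(scutil_output: str, expected=EXPECTED_RESOLVERS) -> list:
    """Return resolvers not in the expected set: candidates for DNS-changer tampering.
    Duplicates are collapsed so each suspect address is reported once."""
    seen = []
    for ns in parse_nameservers(scutil_output):
        if ns not in expected and ns not in seen:
            seen.append(ns)
    return seen


def live_check(expected=EXPECTED_RESOLVERS) -> list:
    """Run `scutil --dns` on this Mac and return the suspect resolvers."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True)
    return unexpected_resolvers(out.stdout, expected)


if __name__ == "__main__":
    suspects = unexpected_resolvers(SAMPLE_SCUTIL_DNS)
    for ns in suspects:
        print(f"unexpected resolver: {ns}")
    if not suspects:
        print("resolver configuration matches the expected set")
```

Run against the constructed sample it flags `203.0.113.53`; on a real Mac, `live_check()` does the same against the running configuration. The expected set is deliberately an allow list rather than a list of known-bad servers, because a DNS changer only needs one resolver you have never heard of.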
Phones have become more and more advanced in recent years, which could lead to the dominance of mobile Internet within a few years. But all these advances come at a price: phones are increasingly likely to be targets of hacking.
Last month, an Australian student created an iPhone worm that affected jailbroken iPhones. The worm did no harm, unless you count the humiliation of having your wallpaper changed to a photo of Rick Astley. But it shows that malicious attacks on the iPhone are possible. Furthermore, not all such phone worms have been benign; Kaspersky Lab, a Russian antivirus company, has reported a new malicious program that steals money from users of Nokia phones.
Due to the potential security threats to phones, an entirely new industry is springing up: the mobile security industry. One company typifying the new category is Lookout, a firm that makes software allowing users to track their phones over the Internet. Users can also remotely back up data, wipe their phones, and protect against rogue programs. Impressively, Lookout claims to have worked out how to make its software run on the iPhone, which normally does not allow non-Apple applications to run in the background the way security software usually does.
While most consumers’ worries center on their laptops and Internet scams, we all might need to pay a bit more attention to our phones in the near future.
Via The New York Times.