Oracle did what all of us were hoping they would do – release an out-of-band patch for the latest Java zero-day vulnerability. The new Java versions, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities described in CVE-2012-4681.
If you need Java, we recommend that you install this update immediately. If you have no need for Java, we recommend that you uninstall it altogether, if you haven’t already done so. More information from Oracle about the vulnerability and the patch is available in their security alert.
Information obtained from Websense and other communities.
A little over a month after the release of Firefox 14, version 15 was released yesterday, fixing about 2,200 bugs. Beyond that, 16 critical security vulnerabilities have been addressed. Of course, the usual memory management tweaks were made to make the user experience smoother and more responsive. It continues to use the hidden update feature, so updates are installed silently, after which it prompts you to restart Firefox to finish updating. This version is highly recommended, and you should update now to protect against security threats and exploits.
You can update now at: https://www.mozilla.com
- Firefox 15 released: Seven critical vulnerabilities patched and stealthy updates too! (nakedsecurity.sophos.com)
- Debunking A Misconception About Firefox Releases (mozilla.org)
A man alleged to have hacked into Sony Pictures Entertainment computer systems has been arrested. Raynaldo Rivera was arrested not only for hacking, but also for stealing personal information, passwords, and other personal data from thousands of users. Most of the leaked information concerned innocent users who had entered contests held by Sony Pictures Entertainment.
Because of this “simple SQL injection”, it apparently cost Sony over $600,000, which is not chump change by any means.
Rivera used the HideMyAss proxy service, in violation of its Terms of Service, to probe Sony servers for vulnerabilities. The alleged hacker is known by the online handles “neuron”, “wildicv”, and “royal”. He could face up to 15 years in prison if convicted.
A consumer group in Germany has accused Facebook’s App Center of violating privacy laws.
According to the Washington Post, the Federation of German Consumer Organisations has given Facebook one week to stop automatically handing user information to third-party applications without explicit consent.
Legal action against Facebook is possible if these privacy flaws are not fixed by September 4, 2012.
According to the New York Times about two weeks ago, “The company’s use of analytic software to compile photographic archives of human faces, based on photos uploaded by Facebook’s members, has been problematic in Europe, where data protection laws require people to give their explicit consent to the practice.”
Officials say this investigation and alleged charges are related to the Google Street View investigation, and similar actions can be taken, if necessary, to resolve the problem.
Some speculate that the App Center was put in place to help Facebook’s mobile market and increase the company’s revenue. Competing with the Apple and Android stores, it is trying to gain attention quickly as an app store in its own right.
What makes governments and privacy experts nervous is when Facebook developers make features opt-out instead of opt-in. This means that new, potentially problematic features are turned on by default, which puts too much work on the user and gives Facebook an unfair advantage.
- Facebook given one week to stop breaching privacy laws (nakedsecurity.sophos.com)
- German consumer group sets Facebook privacy ultimatum (reuters.com)
- Facebook’s new app bazaar ‘violates’ punters’ privacy – lobbyists (go.theregister.com)
BYOD is the technology philosophy and business/education policy of bringing your own (mobile) device, or your own technology (shortened to BYOT for laptops, iPads, etc.), and using it at work or school. Its use in education can be very beneficial as well as troublesome; with teacher monitoring, the benefits can be realized.
In the past, schools provided the technology that students needed, but as economic troubles emerge and technology grows more expensive, it has become more practical for students to BYOD. Basically, schools are asking the parents of these students (except for college-age students) to purchase the devices so the student can use the technology at school.
These are some of the reasons for the list below of advantages and disadvantages of BYOD in education, and for how you can decide what’s best.
(Awesome guide by Cisco [PDF]: http://www.cisco.com/web/strategy/docs/education/46096_byod_ed_aag.pdf )
Advantages
- Frees up tons of expenditure in educational costs.
- Provides a big teaching arsenal for teachers, allowing students to view e-textbooks, videos, educational apps, online research, digital learning apps, etc. This kind of provision reinforces ideas and lessons and blends the learning; hence it has been named Blended Learning.
- Less confusion, since the student can use the same device at school and at home. This helps students understand the apps much better, make better use of projects (and actually earn a good grade), and makes learning more fun.
- Filtering software is becoming available (enforced on the wireless network, with an acceptable-use policy in place) to address some of the disadvantages listed next.
- Makes learning more efficient. Students are more wired into technology, so learning would be more efficient for students of all types.
- Repair costs for educators? None: students/parents are responsible for repairs, no problem.
- Digitized classrooms, which bring instant results in points systems and other apps. The teacher has their own subscription to the service, while the students use theirs. Students enter answers or project data, which can be automatically graded and sent to the teacher. This makes scoring easier, saves a lot of grading time, and boosts efficiency even more.
- Gamification: educational games can be developed that correspond to the learning program and make it more fun for the student gamers mentioned above.
- Ability to instantly send results to government assessment units, which can gauge the quality of education through these digitized classrooms. This could pave the way for even better apps, more schools adopting the philosophy, and improved classroom technology.
Disadvantages
- The biggest concern with the BYOD philosophy is the inability to filter out inappropriate text, images, videos, etc. Teachers would still need to check on each student to make sure they stay on task, and sneaky students will surely find a way around those checks.
- Filtering out gaming is a problem. Games are so easy to open and put away on smartphones and iPads that a student could play a game, see the teacher, react, and close the game before getting caught. The reaction time is much faster than on a PC/Mac, where a taskbar reveals the apps currently open.
- With students having access to the device at home and at school, they grow used to the devices more easily and learn the faster reaction times just described.
- Inappropriate digital material brought to school. The major concern is plagiarism, cheating, etc. One example is macros, which can automate math problems.
- Forgotten, lost, damaged, or stolen devices. This is especially true for younger students: leaving it on the bus, dropping it in a puddle, leaving it on a desk, theft, etc. Confidential data could also be at risk, which could open a whole new level of privacy trouble and potential liability for schools if it gets out of hand.
- Some students come from poor or lower-income families that cannot afford such devices. There is hope that PTA organizations and the like can provide financial assistance or a more generic low-cost device to help the student get the best learning possible. While many families are prepared for the general school fee, they are not prepared for this new BYOD philosophy.
- Schools may not be prepared with the proper wireless equipment, filtering software, and other technology such as software apps.
- Cuts the need for extra teachers, teacher assistants, etc., which could lower employment levels in education. Of course, an assistant could still be helpful in monitoring students’ habits on the device.
Overall, these advantages and disadvantages are fairly standard, and hopefully they can help educators decide whether BYOD is right for their systems of learning.
- 10 BYOD Classroom Experiments (and What We’ve Learned From Them So Far) (pattidudek.typepad.com)
- BYOD Brings The Ownership of Learning to Students (classroom-aid.com)
- Schools Implementing BYOD. Still Doubt The Cloud? (erplife.com)
- Mobile Learning: How Technology is Transforming Education Around the Globe (blogs.cisco.com)
- What Teachers Need to Know about BYOD ( Bring Your Own Device ) Trend in Education (teacherlingo.com)
- BYOD: Breaking the Traditional Mold in Education (blogs.cisco.com)
- BYOD could have insurance implications (premierlinedirect.co.uk)
- 10 Real-World BYOD Classrooms (And Whether It’s Worked Or Not) (edudemic.com)
Single Sign-On (SSO) is a user-authentication process in which the user signs in once, under one screen name, and multiple applications or websites are unlocked or logged in. Usually the system has conditional measures that know what a given user has access to, their permissions, etc., and can provide the services accordingly. The question, then, is: what are the advantages and disadvantages of single sign-on?
Advantages
- In the healthcare industry, single sign-on could be booming. If a doctor needs to sign on to a database to access a patient’s files, he/she would also have to access X-rays and other data held in a different application. Having a single sign-on for all of that would be life-saving and totally worth it, not to mention the hours of saved time.
- Apps such as OneLogin provide easy access to tons of accounts across the board, particularly social media. Their site says they support “identity & access management for the cloud”.
- Could work wonders for those with disabilities. A disability may limit how many words you can type at one time, or how fast. With a single sign-on system in place, one login means a lot of saved time.
- Reduces the chance of forgetting your password. With one master password, it is a lifesaver not to have to remember a ton of passwords.
- Reduces IT help desk costs by reducing the number of calls about lost passwords.
Disadvantages
- Newer technologies are being implemented to detect an attempt to hack one system and lock the attacker out of the remaining systems, but more study is needed to prove how well this works.
- Vulnerability problems, such as with authentication, private keys, etc.
- The lack of a stronger backup authentication, such as smart cards or one-time password tokens.
- The SSO is a highly critical system that must be kept up at all times. If the SSO goes down, users lose access to all sites.
- It is critical to have a good password, one that is very hard to crack. With accounts consolidated under SSO, it is easier to find and attack the one account that matters, and once the SSO account is compromised, every account under that authentication is compromised as well.
- SSO is bad news on a multi-user computer, especially if the user stays logged in all the time. This is a more common issue in plant operations, business floors, etc., where multiple people can access the computer if the original user leaves their desk.
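To make the single sign-on flow and its trade-offs concrete, here is an added Python example that is not part of the original post or of any product it names. It models a hypothetical identity provider that checks the password once, then issues short-lived HMAC-signed tickets scoped to one application and carrying that user’s permissions for it; each application verifies the ticket with the shared signing key and never sees the password, and the provider can lock a user out of every application at once (the detection-and-lockout idea above). The user, application and permission names, the 300-second ticket lifetime and the signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TICKET_TTL = 300  # seconds a per-application ticket stays valid (constructed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the IdP never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Hypothetical IdP: the one place the user ever types a password."""

    def __init__(self, secret: bytes):
        self.secret = secret      # key shared with the applications that trust this IdP
        self.users = {}           # user -> (salt, password hash, {application: [permissions]})
        self.sessions = {}        # session id -> user
        self.locked = set()       # users locked out of every application at once

    def add_user(self, user: str, password: str, permissions: dict) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash_password(password, salt), permissions)

    def login(self, user: str, password: str):
        """Single sign-on step: returns a session id, or None on failure/lockout."""
        rec = self.users.get(user)
        if rec is None or user in self.locked:
            return None
        salt, stored, _ = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def issue_ticket(self, session_id: str, audience: str, now=None):
        """Mint a signed ticket for ONE application, with that user's permissions in it."""
        user = self.sessions.get(session_id)
        if user is None:
            return None
        perms = self.users[user][2].get(audience)
        if perms is None:
            return None  # this user has no access to that application at all
        issued = int(now if now is not None else time.time())
        payload = {"sub": user, "aud": audience, "perm": perms, "exp": issued + TICKET_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def lock_out(self, user: str) -> None:
        """One action cuts the user off everywhere: no new logins, no new tickets.
        Tickets already issued are not recalled, which is why TICKET_TTL is short."""
        self.locked.add(user)
        for sid, u in list(self.sessions.items()):
            if u == user:
                del self.sessions[sid]


def verify_ticket(ticket: str, audience: str, secret: bytes, now=None):
    """Application side: accept the ticket only if it is ours, unexpired and untampered."""
    body, _, sig = ticket.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["aud"] != audience:
        return None  # a ticket for a different application must not open this one
    if payload["exp"] <= (now if now is not None else time.time()):
        return None  # expired
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key)
    idp.add_user("drsmith", "correct horse", {"records": ["read"], "xray": ["read", "upload"]})
    sid = idp.login("drsmith", "correct horse")
    ticket = idp.issue_ticket(sid, "xray")
    print("xray app sees:", verify_ticket(ticket, "xray", key))
    print("records app rejects xray ticket:", verify_ticket(ticket, "records", key))
```

The point of the audience and expiry checks is the disadvantage list above: the SSO account is the one credential everything trusts, so each application must refuse tickets minted for another application, refuse stale ones, and refuse anything whose signature does not match, while lockout at the provider stops further tickets immediately and lets the short lifetime retire the rest.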
Examples of current implementations
- Log-in with Facebook
- Log-in with Twitter
- Log-in with LinkedIn or Apply with LinkedIn
- ANGEL Learning Systems
And many more.
Worth reading: Building and implementing a SSO solution
Overall, SSO systems have their good and bad sides. Based on your organization or personal life, it is your choice whether to use them. Given how problematic they can be, you will have to stay on your toes about a lot of it. But, I guess, the time you save trying to figure out or remember your passwords can be spent standing guard over your SSO systems.
When talking with several other IT professionals, they all knew who Anonymous was. Through hacking, activism, and other protest events, particularly online, Anonymous has become very well known in the IT world. But the question today is what all of us (in the IT and business world) can learn from Anonymous’s motives.
Here are some principles that can be learned and that apply to all of us in the IT world:
- Anonymous will never cease to function, because anonymity is a powerful principle. It requires the hacker to remain anonymous and never admit identity. Tons of people worldwide do not display their picture with their name online; ask a “private” person to put their full name online and they will cower in fear. That is why Anonymous can get away with motives carried out in secret.
- The goal in bringing down Anonymous is to get them to stop their hacking and their activism in the streets. It is not getting anywhere. The collective thinks we need a perfect world, but sadly, it won’t happen!
- Membership in Anonymous is a “free-for-all”, which means that even if your code name gets banned, you can come back under a different code name/IP address and continue contributing to hacking, software projects, etc.
- There is probably no grand master or leader, just people keeping the same old mission going year after year. It all began with a few voices on 4chan years ago and keeps on going (8 years now?).
- Time is of the essence. These people spend countless hours hacking. That means you have to work countless hours fighting back and on prevention.
What Businesses can learn
- Anyone entering your organization with ideas about anonymous identity, or who asks to be anonymous (by preference), probably has bad motives.
- It’s about time to implement better password security policies.
- It’s also time to implement better database encryption.
- Ensure a good reputation across the entire spectrum of business. Why? It attracts awesome workers, makes income rise, and makes running the company a great feeling.
- Ensure the host server has excellent firewall technology and antivirus. It should not let even the tiniest malware threat reach a client server.
What Developers can learn
- “There may be developers smarter than me in Anonymous, so I need to step up my coding skills and get better encryption.”
- Encrypting files and databases has never been more important than now. Don’t think it cannot happen to you; that is what Philips thought, and AMD too. You’d think AMD would have proper protection for its WordPress database, since it knows how to engineer root-level microprocessors. What gives?
- If the network runs one or two servers to operate a website, then it DOES need antivirus/firewall software. Don’t think that because your database administration or server management skills are very good, malware can’t trump your server; you’re wrong. Some of the best administrators/managers have trouble keeping their servers free of malware.
- If you must get an unknown application from the web, or download it from an “anonymous source”, run it in a sandbox or virtual machine. Executing malware could be the end of life for a server. Don’t be tricked; stay protected.
- Just because your programming skills are awesome doesn’t mean anything. Plenty of others think their programming skills are awesome too, but the first time you let your guard down or get prideful, expect trouble.
What IT Security can learn
- Hackers can get into nearly anything. Keep up with top standards in IT security; being one step ahead of the hackers is a good thing.
- Keep the defense-in-depth method in mind. If you can get it to work, it will carry you for miles and miles (or kilometers and kilometers).
- Don’t expect security to be a piece of cake anymore. It is now the top challenge in IT, and people are being recruited from all across the IT stage to work in security; there just aren’t enough warriors on the scene. It’s time to step it up a notch in all aspects of your work. Don’t procrastinate and don’t be pessimistic. Be optimistic about all outcomes of your work, and see the improvement before your eyes!
- As stated above for businesses: password security is extremely important! Push password security big time. It is the only chance at keeping information secure in personal, business, and enterprise settings.
- Push internet security software like there’s no tomorrow, because for some people’s computers, personal or business, there will be no tomorrow. And not just for computers now, but also for devices such as smartphones, tablets, and PDAs.
There may be no way to stop Anonymous, but at least we can be 5-10 steps ahead of them. If we do that, we’re showing them they have no future. It will also make things more challenging for hackers, and improve the best of technologies all across the IT spectrum. See for yourself, and try these principles in your own area. You won’t be sorry!
Sabu, the mole in the Anonymous subgroups Antisec and LulzSec, now faces a delay in his sentencing because of his cooperation with the FBI. The cooperation is meant to help the FBI track down hackers involved with Anonymous and attempt to put an end to the nonsense.
Since the FBI arrested Sabu, real name Hector Xavier Monsegur, last June, he has been working undercover for them. After providing information leading to the arrests of several Antisec and LulzSec members, Sabu now awaits charges/sentencing.
The reaction from fellow LulzSec/Anonymous members has been utter denial of his original involvement with the group, and of how Sabu even got the idea that spilling the details would help the groups’ plans. Activism combined with hacking is known as hacktivism: protest against governments, corporations, news media, etc., using street protest and online black-hat hacking. The hacking done by these members has usually been more black-hat in style, done for the purpose of damage and also to gain money, which makes Anonymous seem more illegitimate if you look at it that way.
Although the plea deal was not disclosed, Sabu faces a maximum sentence (after pleading guilty in March) of 124 years in prison. The charges involved 12 federal offenses, including conspiracy to commit computer hacking and conspiracy to commit bank fraud, among others. Some of the things Sabu revealed led to other charges for Anonymous hackers who were also arrested.
Since the fallout of LulzSec and Antisec, small hacking groups have appeared and then disappeared, including SpexSec and r00tbeersec. Since Sabu’s departure, Anonymous has never been the same. Who would care? Their unethical behavior must be stopped, and the only way to stop it is to continue to hold strong to our values and beliefs. The world system cannot be perfect, and they seem to have this idea that it can be. The economic difficulties around the world grow more complicated every year. There is no end to struggle; it’s part of life.
As we reported a few days ago, Shamoon is a new trojan that has the ability to take control of a computer and then infect the MBR. However, a full study shows it does not appear to be as “up to speed” as researchers thought.
ThreatPost reports on the issues: “Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.”
“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post.
Instead, researchers are seeing that the Shamoon malware only steals data from the machine before infecting the MBR. Some consider Shamoon, as we do, the work of a script kiddie.
It also seems the malware is poorly built, because it relies on a Windows service set to start automatically. If the service is stopped, half the malware doesn’t work. This peculiarity suggests Shamoon may just be a test of the hacker’s abilities, and could lead to other, more complex malware.
As usual, stay tuned here for more updates in the future on the Shamoon malware.
Adobe’s new update comes a week after its previous release, which was critical. Having subsequent updates for critical flaws begs the question of whether Flash Player is safe. It looks as if AIR was affected as well. This patch closes six vulnerabilities, helping to safeguard against hackers.
These platforms are affected, and now have a patch available for download:
- Windows (New update: 11.4.402.265)
- Mac (New update: 11.4.402.265)
- Linux (New Update)
- Android (New Update)
The customized Google Chrome version (Pepper) should be automatically updated to version 22.214.171.124 for PC and 11.4.402.265 for Mac.
For Windows and Mac users, bear in mind the new Adobe AIR 126.96.36.1990, which you should include with your Flash Player updates.
According to Adobe, this week’s update fixes the following:
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
- These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).