Archive | August 2012

Java releases Update 7 for Java 7, and Update 35 for Java 6

Oracle did what all of us were hoping they would do – release an out-of-band patch for the latest Java zero-day vulnerability. The new version of Java, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities mentioned in CVE-2012-4681.

If you need Java we recommend that you install this update immediately. If you have no need for Java we recommend that you uninstall Java all together instead if you haven’t already done so. More information from Oracle about the vulnerability and patch is available in their security alert.

Information obtained from Websense and other communities.

Advertisements

Firefox 15 Fixes over 2,200 bugs

After a little over a month since the release since Firefox 14, version 15 got released yesterday fixing about 2,200 bugs. Other than that, 16 critical security vulnerabilities have been addressed. Of course, the normal memory management tweaks were made to make the user experience smoother and more responsive. It continues to utilize the hidden update features, making the updates for it silent. Then, afterward prompts you to restart Firefox to finish updating. This version is most recommended, and you should update now to protect against security threats and exploits.

You can update now at: https://www.mozilla.com

 

Alleged LulzSec Member Arrested by FBI for Sony Hack

LulzSec

A man alleged to hacking in to Sony Pictures Entertainment computer systems has been arrested. A man named Raynaldo Rivera has been arrested, not only for hacking, but also for stealing personal information, passwords, and other personal data from thousands of users. Most of the information leaked was about innocent users whom entered contests held by Sony Pictures Entertainment.

Because of this “simple SQL injection“, it costed Sony over $600,000 apparently, which is not cheap change by any means.

Rivera used the HideMyAss proxy service, illegally according to their Terms, to investigate potential vulnerabilities on Sony servers. The alleged hacker is known by the online handles, “neuron”, “wildicv”, or “royal”. He could face up to 15 years in prison, if convicted.

 

Protect your computer:

Facebook Given Short Notice to Stop Breaching Privacy

A consumer group in Germany has alleged over Facebook App Center about violating privacy laws.

According to the Washington Post, the Federation of German Consumer Organisations has given Facebook one week to stop automatically giving user information to third-party applications without explicit consent.

Legal action is possibly to Facebook, if these solutions are not met to fix privacy flaws, by September 4, 2012.

According to the New York Times about two week ago, “The company’s use of analytic software to compile photographic archives of human faces, based on photos uploaded by Facebook’s members, has been problematic in Europe, where data protection laws require people to give their explicit consent to the practice.”

Officials say this investigation and alleged charges are related to the Google Street View investigation, and similar actions can be taken, if necessary, to resolve the problem.

For the App Center, it’s put in place, some speculate, to help the Facebook mobile market and increase revenue for the company. With its competition against Apple or Android stores, it’s trying to gain attention quickly as an app store itself.

What makes governments and privacy experts nervous, is when Facebook developers make users opt-out, instead of opt-in. This means that new, potentially problematic, features are turned on by default. This requires too much work on the user, and an unfair advantage for Facebook.

Advantages and Disadvantages of Bring-Your-Own-Device (BYOD) in Education (mini-whitepaper)

BYOD is the technology philosphy and business/education policy of bringing your own device (mobile) or technology (shortened BYOT for laptops, iPads, etc.), and using it while at work or school. Therefore, the use in education can be very beneficial as well as troublesome. Of course, monitored by teachers, it can prove those benefits.

In the past, schools provide the technology that the students would need, but as economic troubles emerge and technology is more pricey, it is better established for a student to BYOD. Basically, the schools are asking the parents of these students (except for college-age students) to purchase the devices so the student can use the technology at school.

These are some of the reasons for the set list below of advantages and disadvantages of BYOD in education, and how you can decide what’s best.

(Awesome guide by Cisco [PDF]: http://www.cisco.com/web/strategy/docs/education/46096_byod_ed_aag.pdf )

Advantages

  • Frees up tons of expenditure in educational costs.
  • Provides a big teaching arsenal for teachers, allowing students to view e-textbooks, videos, educational apps, online research, digital learning apps, etc. This type of provision allows reinforced ideas and teachings, and blends the learning. Thus, it has been named as Blended Learning.
  • Less confusion, since the student can use the device at school or at home. This will provide a major way for students to understand the apps much better, make better use of projects (and actually accomplish a good grade), and make learning more fun.
  • Filtering software becoming available (which would be armed on wireless networks and have an acceptable-use-policy in place) to break some disadvantages, which are listed next.
  • Makes learning more efficient. Students are more wired in to technology, so the efficiency of learning would be better for students of all types.
  • Repair costs for educators? Phewey! Students/parents are responsible for repairs, no problem.
  • Digitized classrooms, which brings back instant results in points systems and other apps. The teacher can have their own subscription to the service, while the students utilize their subscription. The students enter the answers or project data, and it can be automatically graded and sent to the teacher. Makes it easier for scoring, saves a lot of time grading, and boosts efficiency even more.
  • Gamification, which brings educational games can be developed which correspond to the learning program and make it more fun for those student gamers talked about above.
  • Ability to instantly send results from government checking units, which may see the quality of education through these digitized classrooms. This could provide the way for even better apps to be developed, more schools to take on the philosophy, and improvement of technology in the classroom.

Disadvantages

  • The biggest concern in doing the BYOD philosophy, is the inability to filter out inappropriate text, images, videos, etc. Teachers would still be required to check up on each student to make sure they’re staying on task. It is sure those sneaky students will still find a way around the fact the teacher checks on them.
  • Ability to filter out gaming is a problem. Games are so easy to access and put away in smart phones and iPads, that it would be easy for students to play a game, see the teacher, react, and close the game before getting caught. The reaction time is so much easier than a PC/Mac (where a taskbar reveals current apps open).
  • With students having access to the device at home and school, they can get used to the devices easier and learn better reaction times, just described above.
  • Inappropriate digital material being brought to school. The major concern is focused on plagiarism, school cheating, etc. One example would include macros (which can automate math problems).
  • Forgotten, lost, damaged, or stolen device. This is especially true for younger students. There could be problems of leaving it on the bus, dropping it in a puddle or water, leaving it on a desk, someone stealing it, etc. Also, the fact that confidential data could be at risk. This could provide a whole new level of privacy trouble and potential liability for schools, if gone out of hand.
  • Some students live in poor or lower income/budgeted families that cannot afford such devices. There is hope that PTA organizations and such can provide financial assistance or a more generic low-cost device to help the student get the best learning possible. While many families are prepared for the general school fee, they’re not so prepared for this new philosophy of BYOD.
  • Schools not prepared with the proper wireless equipment, filtering software, and other technologies such as software apps.
  • Cuts the needs of extra teachers, teacher assistants, etc. Which could drop employment levels in education. But, of course, an assistant could qualify as helpful in monitoring the student’s habits on the device.

Overall, the advantages versus disadvantages are pretty standard, and hopefully, it can help educators decide if the use of it is okay for their systems of learning.

If this has saved you money or your organization money, or potentially provides savings, please donate to further our cause of better security.

Get the review of Malwarebytes’ Anti-Malware

The Advantages and Disadvantages of Single-Sign-On (SSO) Technology (mini-whitepaper)

Overview

Single-Sign-On (SSO) is a user-authentication process, in which the user signs in to one screen name, and it makes multiple applications or websites unlocked or logged-in. Usually, the system will have conditional measures that will know what a certain user has access to, permissions, etc., and be able to provide the services. Now, the question brought to attention is, what are the advantages and disadvantages of single-sign-on?

Advantages

  • In the healthcare industry, it could be booming with single-sign-on. If a doctor were to need to sign-on to a database to access a patient’s files, he/she would also have to access x-rays, and other data that would be on a different application. Having a single-sign-on for all that would be life-saving and totally worth it. Not only that, but hours of saved time.
  • Apps such as OneLogin provide easy-access to tons of accounts across the board, particularly social media. It says on their site that they are supporting “identity & access management for the cloud”.
  • Could work wonders for those with disabilities. Having a disability may limit you from typing a lot of words at one time, or typing fast enough. If a single-sign-on system were in place, one login means much saved time.
  • Reduces the chance of forgetting your password. By having your one-set master password, it will be a lifesaver to not have to remember a ton of passwords.
  • Reduces IT help desk costs, by reducing the number of calls to the help desk about lost password.
  • Newer technologies are being implemented to help detect the attempt to hack a certain system, in which it would lock out the hacker from the remaining systems. But, this has more studying to prove how good it works.

Disadvantages

  • Vulnerability problems, such as with authentication, privacy keys, etc.
  • The lacking of a backup stronger authentication, such as smart cards or one-time password tokens.
  • The SSO is a highly-critical tool to keep up always. If the SSO goes out, the user would lose access to all sites.
  • It would be critical to have a good password, one that is very hard to crack. With the reduction of accounts, particularly the fact that SSO is in play, it’ll be easier to find and hack accounts. Once the SSO account is hacked, all others under that authentication are hacked as well.
  • SSO is bad news for a multi-user computer, especially if the user stays logged in all the time. This is more prevalent of an issue in plant operations, business floors, etc. where multiple users can access the computer (if the original user left their desk).

Examples of current implementations

  • Log-in with Facebook
  • Log-in with Twitter
  • Log-in with Linked-In or Apply with Linked-In
  • OneLogin
  • ANGEL Learning Systems

And many more.

Worth reading: Building and implementing a SSO solution

Conclusion

Overall, the usage of SSO systems are good and bad. Based on your organization or personal life, it is your choice on whether to use it or not. Based on how potentially problematic it may be, you will have to be on your toes about a lot of it. But, I guess the time you save trying to figure out or remember your passwords, you can spend on staying guard for SSO systems.

 


Get the review of Malwarebytes’ Anti-Malware

 

If this has saved you money or your organization money, or potentially provides savings, please donate to further our cause.

What We All (in IT) Can Learn from Anonymous Hacking & Activism (mini-whitepaper)

Overview

When talking with several other IT professionals, they happened to know who Anonymous was. Based on hacking, activism, and other protesting events particularly online, Anonymous has become very well known around the IT world. But, the questions today have to do with how all of us (in the IT and business world) can learn from these motives by Anonymous.

Here are some automatic principles that can be learned that applies to all of us in the IT world:

  1. Anonymous will not ever cease function, because it is an awesome principle. It requires the hacker to be anonymous, and to not admit identity. Tons of people worldwide do not display their picture with their name online. Ask a “private” person to put their full name online, and they will cower in fear. That is why Anonymous can get away with their motives that are done in secret.
  2. The target to bring down Anonymous, is to get them to stop their hacking, and to stop the activism in the streets. It’s not getting anywhere. The collective thinks that we need a perfect world, but sadly, it won’t happen!
  3. Membership in Anonymous is a “free-for-all”. Which means that even if your code name gets banned, you can come back as a different code name/IP address and continue contribution on hacking, projects (software), etc.
  4. There is probably not a grand-master or leader, just people keeping the same old mission going year after year. It all began with a few voices on 4chan years ago, and keeps on going (8 years now?).
  5. Time is of the essence. These people spend countless hours hacking. That means you have to work countless hours fighting back and on prevention.

What Businesses can learn

  1. Anyone entering your organization with anonymous identity ideas, or asks to be anonymous (by preference), has probably bad motives.
  2. It’s about time to implement better password security policies.
  3. It’s also time to implement better database encryption.
  4. Ensure good reputation across the entire spectrum of business…why? It attracts awesome workers, makes income rise, and makes the overall feeling of running the company a great type of feeling.
  5. Ensure the host server has excellent firewall technology and antivirus. It should not allow even the tiniest of malware threats onto a client server.

What Developers can learn

  1. “There may be developers smarter than me in Anonymous, so I need to step up my coding skills and get better encryption.”
  2. Encrypting files and databases has never been more important than now. Don’t think it cannot happen to you. That’s what Philips thought, or even AMD thought. You’d think AMD would have proper protection for their WordPress databasing since they know how to engineer root-level microprocessing chips. What gives?
  3. If the network is running one or two servers to operate a website, then it DOES need antivirus/firewall software. Don’t think just because your skills in database administration or server management are very good that malware can’t trump your server…you’re wrong. Some of the best administrators/managers have trouble with their server keeping free from malware.
  4. If you must get an unknown application from the web, or download it from an “anonymous source”, then run it in a sandbox or virtual machine. Execution of malware could be the end of the life for a server…don’t be tricked…stay protected.
  5. Just because your programming skills are awesome doesn’t mean anything. There are a lot of others that think their programming skills are awesome, however, the first time you let your guard down or get prideful – expect trouble.

What IT Security can learn

  1. Hackers can get in to nearly anything. Keep up on top standards in IT security. Being one step ahead of the hackers is a good thing.
  2. Keep the defense-in-depth method in mind. If you can get it to work, it will help for miles and miles (or kilometers and kilometers).
  3. Don’t expect security to be a piece of cake anymore. It’s now the top challenge in IT, and people are being recruited all across the IT stage to work in security. There just isn’t enough warriors on the scene. It’s time to step it up a notch in all aspects of your work. Don’t procrastinate and don’t be pessimistic. Be optimistic about all outcomes of your work, and see the improvement before your eyes!
  4. As stated above for businesses: password security is extremely important! Push password security big time. It’s the only chance at keep information secure in personal, business, and enterprise aspects.
  5. Push internet security software like there’s no tomorrow. Because for some people’s computers, personal or business, there will be no tomorrow. Not just for computers now, but also for devices such as smart phones, tablets, and PDAs.

Conclusion

There may be no more way to stop Anonymous, but at least we can be 5-10 steps ahead of them. If we do that, we’re showing them they have no future. It will also make it more challenging for hackers, and improve the best of technologies all across the IT spectrum. See for yourself, and try these principles on your specific spectrum. You won’t be sorry!

 

Protection

Get Kaspersky Antivirus for Server now to safeguard your Windows Server!

Please consider a donation to help our project, if we have helped you or your business save money.

%d bloggers like this: