Archive | December 2012

Oracle Revises Java: Prevent Apps from Running in Browsers + How to

The latest Java release, update 10 on December 11, allows users to restrict Java from running in web browsers. The newest version of the Java Development Kit, JDK 7 update 10, provides the ability to prevent any Java application from running in the browser. Since Java has been subject to so many security vulnerabilities and other miscellaneous attacks, this was the best move by Oracle.

The release also includes a number of security enhancements, including the ability to set a specific security level for unsigned Java applets.

Some of the exploits seen in the past have made it clear that this was needed for unsigned Java applets as well. It calls for more default-deny technology, which restricts quite a few features but provides greater security.

That is the biggest problem in applications and operating systems: developers do not want to suppress features too much, but they also don’t want a flood of security threats. Finding that balance is very important.

Allowing these new enhancements for the security of Java will help prevent a slew of Java attacks and keep people from turning away from Java. Most people will try to find alternatives if a plugin keeps getting attacked, e.g. Foxit Reader or Nitro Reader replacing Adobe Reader.

“The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument,” Oracle said.

The final security feature in this release is the ability to warn the user when the Java Runtime Environment (JRE) is out of date or below the security baseline.


How to disable Java in the browser (Java 7 update 10 or later):

  • Go to the Control Panel.
  • Find the Java icon and double-click on it.
  • Click the Security tab.
  • Uncheck “enable Java content in the browser”.
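The Control Panel steps above are saved by the JRE into the user's deployment.properties file. The following checker, an added example that is not from the original post, parses such a file and reports whether browser Java is still enabled and whether the security level is VERY_HIGH; the sample file contents are constructed, and the property names deployment.webjava.enabled and deployment.security.level are the keys the Java 7u10 Control Panel writes.

```python
"""Check a Java 7u10+ deployment.properties for browser-Java settings.

Added example; the sample file contents are constructed. The keys
deployment.webjava.enabled and deployment.security.level are the ones the
Java Control Panel writes when the Security tab settings are changed.
"""
from typing import Dict, List

# Constructed sample: a user's deployment.properties before they uncheck
# "Enable Java content in the browser".
SAMPLE_BEFORE = """\
#deployment.properties
#Tue Dec 11 10:00:00 EST 2012
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

# Constructed sample after the Control Panel steps were applied.
SAMPLE_AFTER = """\
#deployment.properties
deployment.version=7.10
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=false
"""

# The four security levels of 7u10, least to most restrictive.
SECURITY_LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text into a dict; comments and blanks skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def browser_java_status(text: str) -> Dict[str, object]:
    """Report browser-Java state and any findings a defender would flag."""
    props = parse_properties(text)
    # An absent key means the user never changed the setting; treat as enabled
    # (assumption: Oracle ships browser Java switched on) and level unknown.
    enabled = props.get("deployment.webjava.enabled", "true").lower() == "true"
    level = props.get("deployment.security.level", "UNSET").upper()
    findings: List[str] = []
    if enabled:
        findings.append("Java content in the browser is enabled")
    if level != "VERY_HIGH":
        findings.append(f"security level is {level}, not VERY_HIGH")
    return {"browser_java_enabled": enabled, "security_level": level,
            "findings": findings}
```

Point it at the real file (for example the deployment.properties under the user's Java deployment directory) to audit a machine after the change.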

Android Exploit Found on Samsung Devices

Samsung Electronics is taking a much closer look at an Android kernel implementation flaw in its devices. Since Google does not have any official devices that Android solely runs on, individual device-makers have to implement the Android kernel for their own devices.

Reportedly, any app can exploit this vulnerability to gain root access to the device. Affected Samsung devices include the following:

  • Galaxy Note
  • Galaxy Note II
  • Galaxy Note 10.1
  • Galaxy Note Plus
  • S2
  • S3

Hackers have increasingly targeted the Android OS. This kernel vulnerability was found this past Saturday by user “alephzain” on XDA Developers, a forum for mobile device and OS developers. Alephzain called it a “huge mistake” and said people should be very wary of this problem. Another forum user, Chainfire, added more information, including details about the affected devices. The flaw was thoroughly tested and confirmed.

It is best to have good mobile protection against any type of threat: Buy Kaspersky Mobile Security and protect your Android smartphone for 1 Year – only $19.95 (holiday price: $9.95)!

Yahoo Flaws Potentially Found by Egyptian Hacker

Security experts are investigating an Egyptian hacker who goes by the name “Virus_Hima” and who released screenshots of potential flaws in Yahoo’s website. The hacker has done this before, and his intentions may or may not be good.

One of the flaws identified by this hacker was the ability to access a full backup of one of Yahoo’s domains. The other problems were a cross-site scripting (XSS) vulnerability and a SQL injection vulnerability, according to a PasteBin.com post titled “Yahoo data leak by Virus_Hima”.

Some of his previous work involved Adobe, where he released a batch of more than 200 email addresses obtained from one of Adobe’s databases. As a result, Adobe shut down Connectusers.com, the site for its Connect web conferencing service.

Along with his “good intentions”, it appears that he has also denied the claim that he sold a $700 XSS vulnerability on the black market. He claims to be a former blackhat and says his intentions as a vulnerability researcher are good. However, in his PasteBin.com post he was spotted taking shots at security reporter Brian Krebs, calling his site “Krebsonshitz” when it is clearly “Krebs on Security”. Krebs reported on the hacker back when the XSS vulnerability was being sold.

Five Ways to Secure a Web Browser for a Tablet

It is important to secure your tablet’s web browser before you go internet surfing. Here are five ways to do it…

  1. Use a secured wireless network for your WiFi or 3G/4G connection. Unencrypted wireless networks are very insecure and give hackers and other threats a way onto your device.
  2. Use a Virtual Private Network (VPN). VPNs are available through your mobile service provider (if you have one, e.g. 3G/4G access). They provide an extra layer of protection (sometimes multiple layers of encryption) to secure your web browsing.
  3. Keep the OS and apps up-to-date. Check for updates at least twice a week for the OS and apps. System upgrades provide multiple security and functionality updates, and keeping apps up-to-date helps avoid security exploits.
  4. Only download from trusted sources. If it looks bad, it probably is. Stick to trusted app stores such as the Apple App Store, Google Play, and the Amazon App Store.
  5. Have a good security plan. Use a PIN code or passphrase to secure access, and use adequate mobile protection, because hackers and virus makers are always crafting new threats. Monitoring the latest security threats is a great idea as well, so you know how to stay protected from them.

Google Releases Chrome 23.0.1271.97

Google released a new update for the stable version of Chrome, now at version 23.0.1271.97. All of the supported platforms have an update: Windows, Mac, Linux, and Chrome Frame.

One of the fixed issues involved the website settings popup having its text trimmed under certain conditions. Another fix addresses a Linux bug in which <input> selection rendered white text on a white background, making the string invisible. Also repaired is an issue where plugins such as Google Voice and Unity Player would stop working. This revision also includes the latest version of Adobe Flash.

Get the latest Chrome download from www.google.com/chrome, or in the Chrome browser click the settings button at the top right and select About Google Chrome. Usually, Google Chrome updates are applied automatically by Google Updater.

Security Threats to Monitor throughout the beginning of the New Year

There is a lot to look out for this holiday season, and into the New Year…and many Grinches want to steal your joy. But, as long as you keep an eye on them, there shall be nothing to worry about!


  1. Spam – as always. Have you gotten emails from “FedEx” or UPS lately? You know, those fake emails stating you have a package to be tracked, but they need another payment method to process it? Or how about some free or cheap Rolexes? All of these are scammy spam, fraudulent, or just want to distribute malware! Remember, if you didn’t order it, don’t believe it! Spam can also lead to number 2…
  2. Phishing attacks… as millions of people shop online and push online shopping revenue into the billions of dollars, there are also tons of scammers and fraudulent websites wanting your personal data, your credit card, or simply to waste your time. Remember, if it doesn’t look legitimate, or does not have a secure transaction process, it is probably not a good idea to make the purchase (no matter how attractive it looks). Trusted stores are usually the best to shop from.

    When you go to check out and enter your personal information, first look at the address bar and make sure it highlights green in some area and that the web address begins with https://. Looking for that, or for a padlock icon in the lower right or left corner of the browser, helps ensure you have a secure connection over which your personal information will be transferred privately.

  3. Social engineering attempts – you can find these on social networks. They attempt to entice you with different ads or offers, or show a shocking story in attempts to get you to click on it. Once you do, you may be asked to login to Facebook, verify personal information, or make a payment to get access to information.

    When it comes to shocking stories, safely ignore them if they didn’t come from what looks like a trusted source. Instead, stay out of trouble and don’t click. The saying “if in doubt, throw it out” is a useful way to think about what you click on. Also, be careful about charity apps. On Facebook, an application called “Causes” is the only legitimately popular app to use for charity donations. Most proper charity drives are routed through Causes because of how trusted the app is.

  4. TMI on social networks – be careful about how you tell others about the places where you’re currently staying, eating, or spending time alone (at the office or at home). Don’t bother using apps such as Foursquare or similar. They are highly insecure for your personal privacy and can result in burglary or worse.
  5. ATM skimmers – fake debit or credit card readers are popping up in random ATM machines around major retailers everywhere. Always look closely before swiping your card, or pressing any buttons. If anything seems out of place, loose, or just doesn’t feel right…Don’t swipe your card, don’t press any pin number, etc. If anything seems funky, ask the cashier to run your card under the counter, or just go to a bank.

    It’s also best to either tell the bank that owns the ATM or call the number on the ATM, and let them know the machine may have been modified for illegitimate purposes. Lastly, always tell the cashier that the ATM could be modified and that customers should not use it.

  6. Unprotected computers and tablets… here are the solutions for those matters (PC, Mac, and Android). For Android: Buy Kaspersky Mobile Security and protect your Android smartphone for 1 Year – only $19.95

How to question security at your company? (mini-whitepaper)

The following are good questions to ask and answer about security at your company (some may or may not apply):

  1. Are employees trained and appropriately monitored with how to stay safe (on the computer/online)?
  2. Are cash-handling processes, flow, etc. documented well?
  3. Are wireless communications locked down or protected?
  4. Are your cash registers, networks, and procedures kept up-to-date with the latest software updates?
  5. Do your terminals for the call center display only necessary information about customers?
  6. Are the facilities well maintained and well-lit for safety, not only for customers but also employees?
  7. Is physical access control in place and used well?
  8. Are your defenses developed and well maintained to keep pace with new developments in virtualization and private clouds?
  9. Are doors, walls, and windows properly resilient?
  10. Are there proper security measures in the parking lot, such as cameras, fencing, lighting, call boxes, patrols? (Probably best for large companies with huge parking lots)
  11. What are the hours of operation?
  12. Can the HVAC system be used as a portal to your company? (In other words, can people get in to the HVAC system and get into your building?)
  13. What are consequences of physical disruption of the HVAC system?
  14. For the loading docks, do you have a visual record of each delivery and the associated personnel? Do you know each delivery person, are they usually the ones who make the deliveries, and do they deliver similar amounts of goods each time?
  15. Is the loading dock ever left unattended, or does someone staff it at all times (with people changing shifts as needed)?
  16. Can security systems be connected to inventory systems? Does it increase efficiency?
  17. Are your employees trained to recognize and properly handle a suspicious package? Do you have common rules established for it?
  18. Are all records appropriately encrypted, locked up, or any other way protected?
  19. How does data get destroyed, if needed? Paper shredder? File deletion?
  20. How are records secured when they are transferred to you, whether physical or digital?

Thanks to CSO for inspiration!
