The latest Java release, update 10 on December 11, allows users to restrict Java from running in web browsers. The newest version of the Java Development Kit, JDK 7 update 10, provides the ability to prevent any Java application from running in the browser. Since Java has been subject to so many security vulnerabilities and other miscellaneous attacks, this was the best move by Oracle.
It also includes a good number of security enhancements, among them the ability to set a specific security level for unsigned Java applets.
Some of the exploits seen in the past have made it clear that this was needed for unsigned Java applets as well. It calls for more default-deny technology, which restricts quite a few features but brings greater security.
That is the biggest problem in applications and operating systems: developers do not want to suppress features too much, but they also don’t want a slew of security threats. Finding that balance is very important.
Allowing these new enhancements for the security of Java will help prevent a slew of Java attacks and keep people from turning away from Java. Most people will try to find alternatives if a plugin keeps getting attacked, e.g. Foxit Reader or Nitro Reader replacing Adobe Reader.
“The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument,” Oracle said.
The final security feature released is the ability to warn the user when the Java Runtime Environment (JRE) is out of date or below the security baseline.
How to enable this feature:
- Go to the Control Panel.
- Find the Java icon and double-click on it.
- Click the Security tab.
- Uncheck “enable Java content in the browser”.
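As an added example that is not part of the original post, the same two settings (browser plugin off, strictest level for anything that still runs) can be applied from a script by writing them into a Java deployment.properties file instead of clicking through the Control Panel; the per-user file path used below is the Linux location and is an assumption, and the property keys are the ones the 7u10 Java Control Panel stores.

```shell
#!/bin/sh
# Added example (not from the original post): enforce the JRE 7u10 browser
# settings by editing deployment.properties instead of using the Control Panel.
# Assumptions: per-user file location below (Linux); keys
# deployment.webjava.enabled and deployment.security.level as written by 7u10.
set -e

# Default target file; override with DEPLOY_PROPS for a system-wide file.
DEPLOY_PROPS="${DEPLOY_PROPS:-$HOME/.java/deployment/deployment.properties}"

# set_prop FILE KEY VALUE : replace KEY's line if present, else append it,
# so repeated runs never duplicate a key.
set_prop() {
    file=$1 key=$2 value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^$key=" "$file"; then
        tmp=$(mktemp)
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY : print KEY's current value (empty if unset).
get_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# harden_java FILE : switch Java off in the browser and set the strictest of
# the four 7u10 security levels for unsigned content.
harden_java() {
    set_prop "$1" deployment.webjava.enabled false
    set_prop "$1" deployment.security.level VERY_HIGH
}

# web_java_disabled FILE : succeed only if the browser plugin is switched off.
web_java_disabled() {
    [ "$(get_prop "$1" deployment.webjava.enabled)" = "false" ]
}

# Stand-alone use:  sh harden_java.sh apply   (writes the real per-user file)
if [ "${1:-}" = "apply" ]; then
    harden_java "$DEPLOY_PROPS"
    web_java_disabled "$DEPLOY_PROPS" && echo "web Java disabled in $DEPLOY_PROPS"
fi
```

Re-running the script is safe: an existing key is rewritten in place rather than appended a second time, which matters when the file is pushed out by configuration management.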
Samsung Electronics is taking a much closer look at an Android kernel implementation flaw in its devices. Since Google does not produce an official device that Android runs on exclusively, specific device-makers have to implement the Android kernel for their own devices.
Apparently, any app can exploit this vulnerability to gain root access to the device. Affected devices include the following Samsung models:
- Galaxy Note
- Galaxy Note II
- Galaxy Note 10.1
- Galaxy Note Plus
Hackers have increasingly targeted the Android OS. This kernel vulnerability was found this past Saturday by user “alephzain” on XDA Developers, a forum for mobile device and OS developers. Alephzain called it a “huge mistake” and said people should be very wary of the problem. Another forum user, Chainfire, contributed more information, including the list of affected devices. The flaw was thoroughly tested and confirmed.
Security experts are investigating an Egyptian hacker who goes by the name “Virus_Hima”, who released screenshots of potential flaws in Yahoo’s website. This has been done before by the hacker, whose intentions may or may not be good.
One of the flaws identified by this hacker was the ability to access a full backup of one of Yahoo’s domains. The other problems were cross-site scripting (XSS) and SQL injection vulnerabilities, according to a PasteBin.com post titled “Yahoo data leak by Virus_Hima”.
His previous work includes Adobe, where he released a batch of more than 200 email addresses obtained from one of the company’s databases. As a result, Adobe shut down Connectusers.com, the site for its Connect Web conferencing service.
Alongside his claimed “good intentions”, he also appears to have denied the report that he sold a $700 XSS vulnerability on the black market. He claims to be a former blackhat whose intentions as a vulnerability researcher are good. However, in his PasteBin.com post he was spotted taking shots at security reporter Brian Krebs, calling his site “Krebsonshitz” when it is clearly “Krebs on Security”. Krebs reported on the hacker back when the XSS vulnerability was being sold.
It is important to secure your tablet’s web browser before you go internet surfing. Here are five ways to do it…
- Use a secured wireless network for your WiFi or 3G/4G connection. Unencrypted wireless networks are very insecure and give hackers and other threats a way onto your device.
- Use a Virtual Private Network (VPN). VPNs are available through your mobile service provider (if you have one, like 3G/4G access). They provide an extra layer of protection (sometimes multiple layers of encryption) to secure your web browsing.
- Keep the OS and apps up-to-date. Check for updates at least twice a week for the OS and apps. System upgrades provide multiple security and functionality updates. It’s good to keep apps up-to-date to avoid security exploits.
- Only download from trusted sources. If it looks bad, it probably is. Stick to trusted app stores such as the Apple App Store, Google Play, and the Amazon App Store.
- Have a good security plan. Use a PIN code or passphrase to secure access, and use adequate mobile protection, because hackers and virus makers are always crafting new threats. Monitoring the latest security threats is a good idea as well, so you know how to stay protected from them.
Google released a new update for the stable version of Chrome, now at version 23.0.1271.97. All of the supported platforms have an update: Windows, Mac, Linux, and Chrome Frame.
One of the issues fixed involved a website settings popup having its text trimmed under certain conditions. Another fix addresses a Linux bug in which an <input> selection rendered white text on a white background, making the string invisible. Also repaired is the issue with plugins such as Google Voice and Unity Player that would stop working. This revision also includes the latest version of Adobe Flash.
Check for the latest Chrome download at www.google.com/chrome, or in the Chrome browser click the settings button at the top right and select About Google Chrome. Usually, Google Chrome updates are applied automatically by Google Updater.
The following are good questions to ask and answer about security at your company (some may or may not apply):
- Are employees trained and appropriately monitored with how to stay safe (on the computer/online)?
- Are cash-handling processes, flow, etc. documented well?
- Are wireless communications locked down or protected?
- Are your cash registers, networks, and procedures correctly up-to-date with the latest software updates?
- Do your terminals for the call center display only necessary information about customers?
- Are the facilities well maintained and well-lit for safety, not only for customers but also employees?
- Is physical access control in place and used well?
- Are your defenses developed and well maintained with new updates in virtualization and private clouds?
- Are doors, walls, and windows properly resilient?
- Are there proper security measures in the parking lot, such as cameras, fencing, lighting, call boxes, patrols? (Probably best for large companies with huge parking lots)
- What are the hours of operation?
- Can the HVAC system be used as a portal to your company? (In other words, can people get in to the HVAC system and get into your building?)
- What are consequences of physical disruption of the HVAC system?
- For the loading docks, do you have a visual record of each delivery and the associated personnel? Do you know each delivery person, are they usually the one who makes the deliveries, and do they deliver similar amounts of goods each time?
- Is the loading dock ever left unattended or does someone maintain it all the time (people change shifts as needed)?
- Can security systems be connected to inventory systems? Does it increase efficiency?
- Are your employees trained to recognize and properly handle a suspicious package? Do you have common rules established for it?
- Are all records appropriately encrypted, locked up, or any other way protected?
- How does data get destroyed, if needed? Paper shredder? File deletion?
- How are records secured when they are transferred to you, whether physical or digital?
Thanks to CSO for inspiration!