Tag Archive | Vulnerability management

HTTPS Enforcement Furthered in Firefox 17 – Upcoming Release

Mozilla has engineered new “rules” to enforce HTTPS for certain websites. Mozilla calls the new technology, to be included in Firefox 17 (currently in BETA), HTTP Strict Transport Security (HSTS). It is a technology mechanism that shall force certain websites to engage HTTPS connection with the browser, as long as it matches the security certificate presented.

In other words, it gives the ability to Firefox to read SSL certificates, and check to be sure they are legitimate. Once it’s verified, and matched, it will force the site loaded to be in HTTPS, even if the browser receives a HTTP request.

“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Mozilla claims.

The release of Firefox 17 should be in the next few weeks, according to the release schedule.

—————————————————————————————–

Advertisements

Firefox 16.0.1 now released, this time without vulnerability

As we reported yesterday, users were told to downgrade to Firefox 15.0.1 from version 16, because of a vulnerability. Now, that vulnerability has been fixed, and Firefox 16.0.1 is now available.

To get the newest version of Firefox now (if it hasn’t already prompted you), click the Orange Firefox button, select Help > hit About Firefox > Check for Updates.

On the same blog post pointed to yesterday, Mozilla developer(s) placed an update:

Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.

You can avoid almost all vulnerabilities by getting the proper internet security with automatic vulnerability protection:

Users told to downgrade from Firefox 16 to 15.0.1 because of vulnerability – here’s how

Issue:
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.
Impact:
The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.  At this time we have no indication that this vulnerability is currently being exploited in the wild.
Status:

Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.

Reference: Mozilla Blog

How to downgrade the easy way?

If you’re using version 16, it is highly recommended to downgrade now. If you want to downgrade the easy way for Firefox, go to http://getfirefox.com and download the installer for 15.0.1.

Once you have downloaded the installer, run or double-click it to run, and allow it to “Upgrade” the install, which technically the installer would not recognize that it’s truly downgrading Firefox.

Once that’s done, start up Firefox again, and it shall be back to 15.0.1, and vulnerability free!

The Advantages and Disadvantages of Single-Sign-On (SSO) Technology (mini-whitepaper)

Overview

Single-Sign-On (SSO) is a user-authentication process, in which the user signs in to one screen name, and it makes multiple applications or websites unlocked or logged-in. Usually, the system will have conditional measures that will know what a certain user has access to, permissions, etc., and be able to provide the services. Now, the question brought to attention is, what are the advantages and disadvantages of single-sign-on?

Advantages

  • In the healthcare industry, it could be booming with single-sign-on. If a doctor were to need to sign-on to a database to access a patient’s files, he/she would also have to access x-rays, and other data that would be on a different application. Having a single-sign-on for all that would be life-saving and totally worth it. Not only that, but hours of saved time.
  • Apps such as OneLogin provide easy-access to tons of accounts across the board, particularly social media. It says on their site that they are supporting “identity & access management for the cloud”.
  • Could work wonders for those with disabilities. Having a disability may limit you from typing a lot of words at one time, or typing fast enough. If a single-sign-on system were in place, one login means much saved time.
  • Reduces the chance of forgetting your password. By having your one-set master password, it will be a lifesaver to not have to remember a ton of passwords.
  • Reduces IT help desk costs, by reducing the number of calls to the help desk about lost password.
  • Newer technologies are being implemented to help detect the attempt to hack a certain system, in which it would lock out the hacker from the remaining systems. But, this has more studying to prove how good it works.

Disadvantages

  • Vulnerability problems, such as with authentication, privacy keys, etc.
  • The lacking of a backup stronger authentication, such as smart cards or one-time password tokens.
  • The SSO is a highly-critical tool to keep up always. If the SSO goes out, the user would lose access to all sites.
  • It would be critical to have a good password, one that is very hard to crack. With the reduction of accounts, particularly the fact that SSO is in play, it’ll be easier to find and hack accounts. Once the SSO account is hacked, all others under that authentication are hacked as well.
  • SSO is bad news for a multi-user computer, especially if the user stays logged in all the time. This is more prevalent of an issue in plant operations, business floors, etc. where multiple users can access the computer (if the original user left their desk).

Examples of current implementations

  • Log-in with Facebook
  • Log-in with Twitter
  • Log-in with Linked-In or Apply with Linked-In
  • OneLogin
  • ANGEL Learning Systems

And many more.

Worth reading: Building and implementing a SSO solution

Conclusion

Overall, the usage of SSO systems are good and bad. Based on your organization or personal life, it is your choice on whether to use it or not. Based on how potentially problematic it may be, you will have to be on your toes about a lot of it. But, I guess the time you save trying to figure out or remember your passwords, you can spend on staying guard for SSO systems.

 


Get the review of Malwarebytes’ Anti-Malware

 

If this has saved you money or your organization money, or potentially provides savings, please donate to further our cause.

Secunia Personal Software Inspector Updates – V. 3

Searching to simplify the process of vulnerability management for your Windows PC? Get Secunia PSI!

Secunia has released an upgrade to Personal Software Inspector (PSI). PSI is an automatic patch management system that keeps plugins, programs, and other components up-to-date for you!

The more configurable interface, automatic patching is enabled by default of course, it makes the software more comfortable to use. Some have complained that it gets stuck on scanning for updates, but I’m sure this will be fixed soon!

Feel free to learn more about Secunia PSI: http://secunia.com/vulnerability_scanning/personal/

See a video about PSI: http://www.youtube.com/watch?v=iUmaLmO0gx0

 

AD:

Manage vulnerabilities with Secunia PSI, and manage the performance of your PC with TuneUp!

With TuneUp Utilities 2012 improved performance, less energy consumption, a more streamlined Windows setup and PC in top shape – Try now for free!

%d bloggers like this: