Tag Archives: Security

Firefox 5 Beta Released

Eight weeks after rolling out Firefox 4, Mozilla launched a beta of the fifth edition of its Firefox Web browser on Monday. Firefox 5 is faster and fixes plenty of bugs left over from Firefox 4. Its new features include performance and stability enhancements, a channel switcher and support for the CSS animations standard.

The channel switcher lets users move between aurora, beta and final releases of the browser and test features at each level of development and quality.

CSS animations let users animate transitions from one CSS style configuration to another.

Firefox 5 beta also includes an opt-in location-aware browsing feature. It can tell websites where you are located so that you find information that is more relevant and useful, improving your browsing experience.

Mozilla’s first mobile release of Firefox 5 is an Android version of the browser. Both the desktop and mobile versions of Firefox 5 have a Do Not Track feature that lets users browse anonymously.

You can download the Firefox 5 beta. If you have been using Firefox 5 Aurora, you can switch the channel to continue using Firefox 5.

The final version of Firefox 5 is scheduled for roll-out on June 21.

8 Things You Need To Know About Google Chromebook

The much awaited laptop powered by Google Chrome (a cloud-based operating system) is all set for launch on June 15.

Here are a few things that you need to know about the all-new Chromebook.

How does it work?

The Chromebook should always be connected to the Internet in order to make use of its functionality. In other words, everything will be in the cloud and you will need an Internet connection to access all of your apps, documents, photos, movies and so on. Installing or updating software, backing up files, running anti-virus checks and all other PC-related tasks are eliminated, as everything is done in the cloud.

Who will release the laptops?

Google has tied up with Samsung and Acer, which will release laptops powered by Chrome OS.

The Samsung device will come with a 12.1-inch screen and an 8-hour battery life and will retail for $429 (Wi-Fi) and $499 (3G), while Acer’s device will have an 11.6-inch display and a 6.5-hour battery life. Acer’s notebook will start at $349.

No storage

Since the Chromebook is Internet based, all of your files and folders will be stored in the cloud. The laptops will be tightly integrated with cloud services and there will be no local storage space available. However, the laptop will have slots to plug in other storage devices.

Boot-up Time?

According to Google, Chromebooks will boot in less than eight seconds. Once up and running, a Chromebook checks for updates and reboots with the latest version.

Offline mode?

Yes, you can work with your Chromebook if you are not connected to the Internet. You can access Google Docs, Google Calendar and Gmail without an Internet connection (however, you will not receive new notifications or mail while you are offline).

Security

Chromebooks use the principle of “defense in depth” to provide multiple layers of protection, so if any one layer is bypassed, the others are still in effect. Your files and folders will be protected and kept safe.

Availability

Chromebooks will be available for sale from June 15.

Laptop Specs

Acer Specifications:
11.6″ HD Widescreen CineCrystal™ LED-backlit LCD
2.95 lbs | 1.34 kg
6 hours of continuous usage
Intel® Atom™ Dual-Core Processor
Built-in dual-band Wi-Fi and World-mode 3G (optional)
HD webcam with noise-cancelling microphone
High-Definition Audio support
2 USB 2.0 ports
4-in-1 memory card slot
HDMI port
Full-size Chrome keyboard

Samsung Specifications:
12.1″ (1280×800) 300 nit display
3.26 lbs | 1.48 kg
8.5 hours of continuous usage
Intel® Atom™ Dual-Core Processor
Built-in dual-band Wi-Fi and World-mode 3G (optional)
HD webcam with noise-cancelling microphone
2 USB 2.0 ports
4-in-1 memory card slot
Mini-VGA port
Full-size Chrome keyboard
Oversize fully-clickable trackpad

The Legend of Google Chrome Sandbox is No More

Google Chrome’s sandbox was assumed to be the uber security feature in any browser to date. Prize money worth a whopping $20,000 and star recognition was not motivation enough to crack Google Chrome’s sandbox. It seemed like Pwn2Own contestants were giving up on hacking Google Chrome. Now, though, they will have more hope.

Finally, VUPEN, a security research firm, seems to have gotten in and out of the Google Chrome sandbox with ease. They claim this by saying,

The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

The attack was carried out on Google Chrome v11.0.696.65 on a Windows 7 64-bit system. It bypasses the Chrome sandbox and successfully downloads a sample calculator program onto your computer. This calculator could of course be any other malicious EXE file if you are a cracker. The guys at VUPEN have refused to release any code for the hack, though they have decided to share it with the Government.

This has come up a few hours before the Google I/O conference, and last I heard, Google I/O was going to be all about Android this time.

As always, Google should release a statement on this very soon. Over the years, Google has grown extremely protective of Google Chrome, and it was only a matter of time before someone hacked the sandbox. Clearly, the sandbox is all that stands between the browser and the hacker. In the meantime, you can watch the video on YouTube to understand better what is happening there.

Check out the VUPEN research page here.

Three years of legacy come to an end. Google Chrome finally seems to have been hacked.

Get Rid Of Facebook Scams and Infectious Links From Facebook

In today’s world of social networking, Facebook is the word of the day, and so is anything that gets posted on it. Every major incident goes viral on Facebook: someone posts an update and everybody else follows suit. Sharing information has never been easier. However, people with evil intentions are not lagging behind; they misuse this addiction for all the wrong reasons.

Recently, as Osama bin Laden was shot dead in a US raid, Facebook was littered with fake links pointing to a supposedly censored video of the execution. The result was obvious: curious people ended up clicking them and falling prey to them. The more worrying news is that such links are going to appear again. So what can we do to avoid being affected? Some rational thinking helps. However, here is a great free tool that can save you the worry.

Installing Using Protection

Using Protection is a free (for personal use) browser extension for Firefox and Internet Explorer that does the job for you. Google Chrome let me install the extension, although there were no significant changes to the scam links I tested.

Three simple steps and you are done. Provide an email address to sign up. You will then be prompted to post an update letting your friends know about the installation; this is optional and you can choose to skip it. Finally, download and install the add-on.

How Does It Help?

Every time you visit any page on Facebook, the page is scanned for suspicious links. Once detected, a link is removed and replaced with a link to post an update letting your friends know about it. Yes, it is as simple as that.

The tool does its job silently without cluttering your screen, which makes it even better. Given that Facebook is not going to be clean any time soon, the tool is a definite necessity for any Facebook user.

CCAvenue Payment Gateway Hacked By SQL Injection

Reports have started pouring in that CCAvenue, India’s largest payment gateway, has been hacked and that all the administrator passwords of the various merchants using CCAvenue have been stolen in the process. The method used is said to be SQL injection. Such incidents are not at all expected from a company that is the basis of a lot of online e-commerce businesses.

The hackers have managed to lay their hands on all administrative passwords at CCAvenue, a list of various databases and some information on tables within those databases. This was revealed by a portal called Hackerregiment, which received an e-mail from a hacker with screenshots suggesting that all administrator passwords at CCAvenue may have been leaked.

However, the CEO of CCAvenue has a different story to tell. He says that netbanking and non-credit-card transactions make up more than 85-90% of the overall transactions on CCAvenue. During these transactions, CCAvenue does not store any such sensitive information on its servers and merely acts as a redirector.

Sony Public Relations Posts Grim Update On PSN Situation

HUGE ALERT TO ALL THOSE READING THIS: If you use one password on all services online, then stop reading this post and go change ALL of those passwords. Done? Okay, good. Read on.

Here is the bad news: your credit card information has probably been stolen. Here is the extremely bad news: the hackers also know where you live and your phone number, as well as the password that you use on most of your services (if you are the “one password is enough for a bajillion accounts, I am very secure!” kind of person). Here’s the gist:

What they have stolen:

  • Name
  • Address
  • Country
  • Birthday
  • Email Addresses
  • PSN ID/Password
  • Probably Your Trophies As Well

What they might have stolen:

  • Purchase History
  • Credit Card numbers used for purchase
  • Security question on your PSN account (which is usually the same across many platforms, so change this one too)

What Sony officially advises you to do:

If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

How did the hackers obtain your password in the first place?

Why, it was in plaintext, my good man!

<user2>  creditCard.paymentMethodId=VISA&creditCard.holderName=Max&
creditCard.cardNumber=**********&creditCard.expireYear=****&creditCard.
expireMonth=*&creditCard.securityCode=***&creditCard.address.address1=
example street%2024%20&creditCard.address.city=city1%20&creditCard.
address.province=abc%20&creditCard.address.postalCode=12345%20

<user2>  sent as plaintext

<user3>  uh

<user3>  did you censor that card?

<user2>  ya its fake

<user3>  good

<user1>  wow, plaintext :S

<user5>  plaintext wow

<user3>  im never putting in my details like that

<user2>  ya is all fake lol

<user2>  i never used cc on ps3

<user2>  normally you ATLEAST enccrypt the securtity code, even if its ssl

As the chat log of the hackers, recorded while they were inside the PlayStation Network, shows at one point, I really cannot believe that a network that puts so much Digital Rights Management (DRM) protection on every game manages to store passwords without any kind of encryption. Thoroughly unbelievable. It is going to take a lot of coaxing from them for me to get back to the network. Thoroughly disgusting and outrageous.
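The form body quoted in the chat above is exactly the kind of data that ends up in request logs and crash dumps if nobody scrubs it. As an added example (not code from the post, from the hackers, or from Sony), here is a small Go program that parses such a body, drops the security code outright, masks the card number down to its last four digits, and runs a Luhn-based check that a defender can apply to outbound log lines to catch a raw card number that slipped through. The field names follow the quoted body; the card number, security code and address values are made-up test data.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleBody is a constructed copy of the kind of checkout request quoted in
// the chat log; the card number and security code are made-up test values.
const sampleBody = "creditCard.paymentMethodId=VISA&creditCard.holderName=Max&" +
	"creditCard.cardNumber=4111111111111111&creditCard.expireYear=2013&" +
	"creditCard.expireMonth=4&creditCard.securityCode=123&" +
	"creditCard.address.address1=example%20street%2024%20&" +
	"creditCard.address.city=city1%20&creditCard.address.postalCode=12345%20"

// dropFields must never be written anywhere (log, database, crash dump), even encrypted.
var dropFields = map[string]bool{"creditCard.securityCode": true}

// maskFields may be kept only in masked form.
var maskFields = map[string]bool{"creditCard.cardNumber": true}

// panRun matches any run of 13 to 19 digits, the length range of real card numbers.
var panRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid reports whether a digit string passes the Luhn checksum used by card numbers.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the last four digits of a card number and replaces the rest with '*'.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Redact parses a URL-encoded form body and returns a copy that is safe to log:
// the security code is gone and the card number is masked.
func Redact(body string) (url.Values, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	out := url.Values{}
	for key, values := range vals {
		if dropFields[key] {
			continue
		}
		for _, v := range values {
			if maskFields[key] {
				v = MaskPAN(v)
			}
			out.Add(key, v)
		}
	}
	return out, nil
}

// ContainsRawPAN reports whether s still carries something that looks like an
// unmasked card number: a 13-19 digit run that passes the Luhn check.
func ContainsRawPAN(s string) bool {
	for _, run := range panRun.FindAllString(s, -1) {
		if luhnValid(run) {
			return true
		}
	}
	return false
}

func main() {
	safe, err := Redact(sampleBody)
	if err != nil {
		panic(err)
	}
	fmt.Println("raw body leaks a card number:", ContainsRawPAN(sampleBody))
	fmt.Println("redacted body leaks a card number:", ContainsRawPAN(safe.Encode()))
	fmt.Println("log-safe body:", safe.Encode())
}
```

The Luhn check is deliberately cheap so it can sit in a log shipper or a pre-commit hook; it will flag some innocent digit strings, so treat a hit as something to investigate rather than proof of a leak.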

Speculation: NSA Building Exaflop Supercomputer?

The United States Government’s National Security Agency (aka the where-privacy-goes-to-die agency) is apparently building a new supercomputer for its High Performance Computing Centre. The supercomputer will cost about $895.6 million, as revealed by unclassified documents. It is to be built at the agency’s headquarters in Fort Meade, Md. and is slated for completion by 2015.

The NSA is a surveillance organization (to use a broad generalization) that has been operating since 1952 and is responsible for the decryption of foreign intelligence and for safeguarding and encrypting the USA’s domestic signals. The agency has a history of using supercomputers, starting with the purchase of one of the first Cray supercomputers (the Cray X-MP/24), which is now decommissioned and on display at the National Cryptologic Museum.

While exactly how powerful the computer the NSA is building is unknown, it is very likely that it will be able to perform at 1 exaFLOP. FLOPS, or FLoating point Operations Per Second, is a measure of how fast a computer is: it is the number of floating point calculations the computer performs in unit time. A simple hand-held calculator manages about 10 FLOPS on average, enough to show results instantaneously.

An exaFLOP is 1 followed by 18 zeroes (10^18).

In comparison, the combined computing power of the top 500 supercomputers in the world is about 32.4 petaFLOPS (32.4 x 10^15). That is, the new supercomputer being constructed by the NSA would be about 31 times faster than the top 500 supercomputers in the world taken together.

However, all this is still speculation, derived from the new computer’s power requirement of about 60 megawatts. The calculation is based on IBM’s Sequoia BlueGene/Q supercomputer, also under construction, which performs at around 20 petaFLOPS and needs 6 megawatts of power.

Of course, the NSA needs more computing power to sift through all the emails, phone calls and messages we send each day, right?

Microsoft Safety Scanner Scans Your PC For Virus, Spyware and Malicious Software

Over the past couple of years or so, I have used Microsoft Security Essentials as my only virus and malware protection tool. The Free Antivirus tool from Microsoft is definitely worth installing on your PC.

If you are someone who does not like to install antivirus software on your PC, or you just want to check whether your current antivirus is really working well, a new tool from Microsoft will come in handy.

Microsoft Safety Scanner is free security software from Microsoft that provides on-demand scanning and lets users remove viruses, spyware, Trojans and other malicious software from their PC. Safety Scanner works alongside your current antivirus software, so you do not have to uninstall your current AV protection to use it.

One of the bad things about Microsoft Safety Scanner is that it expires every 10 days. Users have to download a new version every ten days to scan their system, which can be annoying considering that it is around 70MB in size. A simple definition update should be added so that users do not have to download new versions every 10 days.

Users must also note that, unlike traditional antivirus software, the Safety Scanner does not provide continuous protection and should not be used as a replacement for it. Microsoft Safety Scanner should only be used to additionally scan your PC. If you intend to replace your current antivirus, you might check out our Free Antivirus section to find a suitable alternative.

Download Microsoft Safety Scanner

Encrypt and Password Protect Your Notes in Evernote

I have come to love Evernote as note-taking and idea-collecting software. I have used it extensively for the past couple of years or more to store bits and pieces of information that have come in handy all through these years.

I always had a problem with storing sensitive information in Evernote because of the lack of security/password protection in the app. For example, if you log in to the Evernote app and leave it open, anyone who has access to your PC or mobile device can view the notes and get at your sensitive information.

In fact, anyone who has access to the local database file on your PC will be able to view those notes on another PC or installation. This is a scary proposition considering how much losing sensitive information could affect you.

Luckily, Evernote provides users with a very handy feature that allows them to encrypt part of their notes. Users can use it to encrypt sensitive text in their notes (It only works with text). To encrypt your notes in Evernote, follow the steps given below.

Pandora on Android and iOS Leaks Out Personal Information Back to Ad Servers

Whenever you install an app on your Android or iOS device, you are entering into an agreement to allow a certain level of control over your phone and its data. However, people hardly care about the implications and, seemingly, neither do app makers anymore.

Veracode, an independent security firm, is investigating the privacy of Android apps, and Pandora has emerged as the latest culprit for data leakage. Pandora sends a massive amount of personal information, including your GPS data, device ID, connection ID, device brand and model, birth date and gender, back to ad servers. That is a serious breach of privacy, and Pandora has declined to comment on it at all.

The folks over at Veracode have expressed their concern by saying,

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person’s life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.

Pandora might argue that the data collected through this process is used to serve personalized content, but sending it to advertisement servers is not something users opt in to.

WordPress 3.1.1 Released, Update Now; Fixes Security Bugs and XSS Flaw

The WordPress team has released a new update which contains several security fixes. WordPress 3.1.1 fixes almost thirty issues in WordPress 3.1.

The security issues were discovered by WordPress core developers. The update hardens CSRF prevention in the media uploader, adds a patch to avoid a PHP crash in certain environments caused by links in comments, and, as the third big fix, closes an XSS flaw in the code.

There are also several other performance improvements and fixes: fixes for IIS6 support, for taxonomy and PATHINFO permalinks, and for various other query and taxonomy issues caused by plugin compatibility.

I highly recommend that you update your WordPress installation to WordPress 3.1.1 to avoid being affected by these security loopholes.

Vulnerability Arbitration – Neat Idea For Responsible Vulnerability Disclosure

Vulnerability disclosure is the practice of publishing information about a problem, often related to computer security, which if left unreported can result in serious consequences. One of the contentions involving disclosure is how much information needs to be disclosed. Too little information might result in the disclosure being brushed off, and too much gives people willing to exploit the vulnerability a head start in causing serious damage with it.

Vulnerability Arbitration (Vulnarb.com) is a neat concept by Zed Shaw which aims to help security researchers, consumers and the affected companies deal with security vulnerabilities in a timely and responsible manner.

Vulnarb helps in three ways:

  • Security researchers disclose the vulnerabilities they found in a responsible way
  • Consumers get to know which products are affected, but not what the vulnerability is
  • Companies get an incentive to fix security holes

The concept behind Vulnarb is to use a site’s public SSL certificate and a generated random key to encrypt the vulnerability disclosure. The affected company can then use the private key of that SSL certificate to decrypt the message and act upon it. Once the vulnerability has been fixed, the company can publish the decrypted disclosure, indicating that it has been fixed, or indicate that the disclosure is incorrect.
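The pattern described above, a random symmetric key for the disclosure text plus the site’s public key to lock that key, is ordinary hybrid encryption. As an added example (not Vulnarb’s own code, whose exact construction is not described here), this Go program implements that pattern with AES-256-GCM for the report and RSA-OAEP for wrapping the key. It assumes an RSA key pair as a stand-in for the site’s certificate; extracting the public key from a real X.509 certificate is left out. The product name is authenticated but not hidden, which is what lets consumers see which product is affected without seeing the vulnerability itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties the wrapped key to this use; both sides must use the same label.
var oaepLabel = []byte("vulnarb-disclosure-key")

// SealedReport is what the researcher publishes. Without the private key that
// matches the site's certificate, none of it reveals the disclosure text.
type SealedReport struct {
	WrappedKey []byte // random AES-256 key, encrypted with RSA-OAEP under the site's public key
	Nonce      []byte // AES-GCM nonce, unique per report
	Ciphertext []byte // AES-GCM ciphertext and authentication tag over the disclosure
}

// Seal encrypts disclosure so that only the holder of the private key matching
// sitePub can read it. product is bound to the ciphertext as GCM additional
// data: visible to everyone, but any change to it makes decryption fail.
func Seal(sitePub *rsa.PublicKey, product string, disclosure []byte) (*SealedReport, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, disclosure, []byte(product))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedReport{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the vendor side: unwrap the AES key with the private key, then decrypt
// and verify the disclosure. Tampering with the ciphertext or the product name
// makes GCM fail, so a corrupted report cannot be mistaken for a real one.
func Open(sitePriv *rsa.PrivateKey, product string, r *SealedReport) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sitePriv, r.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(product))
}

func main() {
	// Stand-in for the site's certificate key pair (assumption for this example);
	// a real deployment would take the public key from the site's X.509 certificate.
	sitePriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	report := []byte("constructed example disclosure text (not a real finding)")
	sealed, err := Seal(&sitePriv.PublicKey, "example-product", report)
	if err != nil {
		panic(err)
	}
	fmt.Printf("published: product=%s, %d bytes of ciphertext\n", "example-product", len(sealed.Ciphertext))
	plain, err := Open(sitePriv, "example-product", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor reads: %s\n", plain)
}
```

Because the AES key is fresh per report and the nonce is random, the same disclosure sent to two vendors produces unrelated ciphertexts; anyone holding only the published SealedReport learns the product name and the ciphertext length, nothing more.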

For the time being, Zed has indicated that this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about it.

Tivo, Walgreens, Citi Amongst Others Hit By Epsilon Security Breach

Epsilon, a marketing firm acquired by Alliance Data which handles loyalty marketing for several big brands, was hit by a security breach. The breach resulted in infiltration of their email systems. Epsilon maintains that only a subset of their user data was harvested and that, as of now, only email addresses and usernames were gathered.

Security Now, which initially reported that only Kroger, the United States’ largest traditional grocer, was hit, has now confirmed that several other big brands were also affected. Some of the brands hit include:

  • Brookstone
  • Citi
  • Home Shopping Network
  • JP Morgan Chase
  • Kroger
  • Marriott Rewards
  • McKinsey & Company
  • New York & Company
  • Ritz-Carlton Rewards
  • The College Board
  • TiVo
  • US Bank
  • Walgreens

Epsilon’s assessment has determined that no other personally identifiable information is at risk, and the company is currently investigating the matter.

Citi tweeted about the breach with a link to the message on Citi’s site, calling upon users to be careful about phishing scams via email.

Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email http://citi.us/dQuCp0

TiVo has also issued a public interest message, maintaining that no credit card details or other such personally identifiable information were available to Epsilon and that such data is therefore safe.

While it might be thought that harvesting customer names and email addresses does not pose much of a threat, such data in the hands of spammers is likely to result in much more personalized phishing attempts.

To be safe from phishing, never click on links or open email attachments from unknown sources. Remember: no legitimate company will ever ask you to confirm your password or credit card details by entering them in a web page!

Serious Attack on EU Bodies and a Possible Security Breach

The European Union has faced a massive cyber-attack, of such a scale that it has asked members to change their passwords and has shut off all access to its intranet and email servers. This sounds like a breach has already taken place and the EU was unable to prevent it. Disconnecting their computers from the network was probably the only solution.

The European Union was about to discuss critical strategies on the current war in Libya, among other topics.

Antony Gravili, the spokesperson for the inter-institutional relations and administration commissioner, told BBC News,

We are already taking urgent measures to tackle this. An inquiry’s been launched. This isn’t unusual as the commission is frequently targeted.

The attacks are speculated to have a link to the attack on the French foreign ministry, where files related to the G20 summit were targeted. There is no word yet on whether any computers are affected. However, the prompt shutdown has indeed been successful in mitigating some of the risk. The EU has also taken the additional precaution of asking users to renew their login credentials.

There has been an alarming increase in attacks on governments in recent months. The EU has already launched an investigation, and its findings will reveal some interesting data.

Windows Phone 7, Android, Chrome, and Firefox Survive Pwn2Own

Earlier in the week, we reported that Internet Explorer (running on Windows 7) and Safari (running on Snow Leopard) had been hacked almost instantaneously on the first day of Pwn2Own, an annual hackfest. Google’s Chrome browser made it through, as the sole participant who had registered to take a crack at Chrome failed to turn up.

The following days of the competition saw the Firefox web browser and the Android and Windows Phone 7 mobile operating systems survive Pwn2Own 2011 in a similar manner, as contestants either failed to turn up or withdrew.

On the other hand, Apple’s poor show in the competition continued, with the legendary Charlie Miller succeeding in bypassing the iPhone’s defenses by exploiting a bug in Mobile Safari.

RIM’s BlackBerry OS, which was tested next, also fell quite easily. Once again, a flaw in its WebKit-based browser was the culprit. The team made up of Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann targeted the browser because, unlike RIM’s operating system, WebKit is well documented and well known.

Meanwhile, after examining the vulnerabilities exploited by Stephen Fewer to hack Internet Explorer 8, Microsoft has stated that it has already fixed the vulnerability concerned in Internet Explorer 9. It did not, however, explain why older versions of Internet Explorer were yet to be patched, or when, if at all, they will be. All the exploits used in the competition are the property of TippingPoint ZDI, which passes them on to the vendors concerned and gives them six months to fix the issue.