Security trends for 2012

Here is my collection of security trends for 2012 from different sources:

Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”

F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.

Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.

Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that such scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), has the platform failed and missed the whole point of being a mobile operating system?


Cyber criminals are developing more sophisticated attacks and the police will counterattack.

Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In the USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

The article Geo-location tagging in smartphones to potentially cause major security risks says that geo-location tagging security issues are likely to be a major issue in 2012, and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones upload images to the Internet (to portals such as Facebook or Flickr) there’s a strong chance they will also upload the GPS location data as well. This information could be subsequently misused by third parties.
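As an added example (not part of the original post), the following Python reads the GPS coordinates a photo carries in its Exif block and removes that block before the image is shared. The sample image bytes are constructed inline, and all function names are this example's own.

```python
import struct
from typing import Iterator, Optional, Tuple

GPS_IFD_TAG = 0x8825          # IFD0 entry whose value is the offset of the GPS IFD
EXIF_MAGIC = b"Exif\x00\x00"  # prefix of an APP1 segment that carries Exif data

def iter_segments(jpeg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:    # start of scan: compressed pixels follow
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """Map tag -> raw 4-byte value field for one TIFF image file directory."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, _type, _n, value = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = value
    return entries

def to_degrees(tiff: bytes, bo: str, value: bytes) -> float:
    """Decode three RATIONALs (degrees, minutes, seconds) stored at an offset."""
    (offset,) = struct.unpack(bo + "I", value)
    d = struct.unpack_from(bo + "6I", tiff, offset)
    return d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600

def gps_position(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) from the Exif GPS IFD, or None if absent."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_MAGIC):
            continue
        tiff = payload[len(EXIF_MAGIC):]
        bo = "<" if tiff[:2] == b"II" else ">"   # TIFF byte-order mark
        try:
            (ifd0_offset,) = struct.unpack_from(bo + "I", tiff, 4)
            ifd0 = read_ifd(tiff, ifd0_offset, bo)
            (gps_offset,) = struct.unpack(bo + "I", ifd0[GPS_IFD_TAG])
            gps = read_ifd(tiff, gps_offset, bo)
            lat = to_degrees(tiff, bo, gps[2])   # tag 2: GPSLatitude
            lon = to_degrees(tiff, bo, gps[4])   # tag 4: GPSLongitude
        except (KeyError, struct.error, ZeroDivisionError):
            continue                             # no GPS data, or malformed Exif
        if gps.get(1, b"N")[:1] == b"S":         # tag 1: GPSLatitudeRef
            lat = -lat
        if gps.get(3, b"E")[:1] == b"W":         # tag 3: GPSLongitudeRef
            lon = -lon
        return lat, lon
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC:
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

def build_sample_jpeg() -> bytes:
    """Constructed sample: JPEG header with Exif GPS 60.5 N, 24.75 E (no real photo)."""
    bo = "<"
    header = b"II" + struct.pack(bo + "HI", 42, 8)                  # IFD0 at offset 8
    ifd0 = struct.pack(bo + "HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)  # GPS IFD at offset 26
    gps = struct.pack(bo + "H", 4)
    gps += struct.pack(bo + "HHI4s", 1, 2, 2, b"N\x00\x00\x00")
    gps += struct.pack(bo + "HHII", 2, 5, 3, 80)                    # latitude rationals at 80
    gps += struct.pack(bo + "HHI4s", 3, 2, 2, b"E\x00\x00\x00")
    gps += struct.pack(bo + "HHII", 4, 5, 3, 104)                   # longitude rationals at 104
    gps += struct.pack(bo + "I", 0)
    rationals = struct.pack(bo + "12I", 60, 1, 30, 1, 0, 1, 24, 1, 45, 1, 0, 1)
    payload = EXIF_MAGIC + header + ifd0 + gps + rationals
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before upload:", gps_position(photo))
    print("after strip_exif:", gps_position(strip_exif(photo)))
```
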

You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino). Usernames are poured out for all to see, and passwords and personal identification numbers are published. Knowledge of access management is even more important: who has the right to know, when and where, and in which role? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.

When designing networked services, security should be taken into account in the planning stage, rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.


Reliability of server certificates will face more and more problems. We may see more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have focused on PC web browsers have now proven to be effective against mobile browsers.

Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when used in certain combinations) they could sneak common exploits past many IDS/IPS systems (including their own at the time, last summer). Using the right tool set (including a custom TCP/IP stack), attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.

The rise of printer malware is real. The article Printer malware: print a malicious document, expose your whole LAN says that sending a printer a document that contains a malicious version of the OS can send your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.

Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.

According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which we lose lives because of security offenses. According to the company, whether this happens remains to be seen, but the risk comes from attacks on industrial SCADA systems against targets such as hospitals or automated drug delivery systems. I already posted around a month ago about SCADA systems security issues.

849 Comments

  1. Lucien Cominotti says:

    Super-Duper site! I am enjoying it!! Will come back again – taking your feeds also, Thanks.

    Reply
  2. Bitcoin Man says:

    Bitcoin can solve problems of this sort. Hopefully it will take over eventually.

    Reply
  3. Tomi Engdahl says:

    Is Your Data At Risk? Why physical security is insufficient for laptop computers
    http://whitepaper.talentum.com/whitepaper/document.do?id=24060

    The meaning of computer security continues to evolve. Physical security used to be the main concern. Through the 1980s, expensive mainframe computers were locked in special climate-controlled rooms within secure buildings. Security costs, when they were considered at all, were a very small percentage of the overall system costs. Today, such systems are called “Server Systems”, and while important in their own right, make up a small part of the total computers shipped each year. According to market researcher IDC, 7 million server systems shipped worldwide in 2005, compared to 207.7 million PCs that shipped in the same period.

    Reply
  4. Tomi Engdahl says:

    Real-Time Cyber-Attack Map
    In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen.
    http://map.honeynet.org/

    Reply
  5. Tomi says:

    Is Google about to start scanning your Android for malware?
    http://nakedsecurity.sophos.com/2012/10/12/google-scanning-android-malware/

    Do you still think that there’s no need for an anti-virus on your Android smartphone? Soon you might not have any choice.

    Judging by a report on the Android Police website, a new edition of the Google Play app (Android’s equivalent to the iOS App Store) has put in place the foundations for some kind of anti-virus functionality.

    Looking at the code seen inside the app, it appears that Google could soon have the capability to perform anti-malware scans on your smartphone.

    Reply
  6. Tomi says:

    Sophos has a free anti-virus for Android which you can download (naturally enough) from the Google Play store.
    https://play.google.com/store/apps/details?id=com.sophos.smsec&hl=en

    Reply
  7. Tomi says:

    Threats and technology from Iran
    http://blogs.computerworld.com/cyberwarfare/21178/threats-and-technology-iran

    Iran’s police chief, Brig. Gen. Esmail Ahmadi-Moqadam
    “Now it’s all about cyber-attacks, which only shows their desperation but Iran is doing just fine with cyber defense. It’s true that the U.S. made Stuxnet virus did some damage to our facilities but we were able to get them all up and running in no time. However, those who attack should expect retaliation and we haven’t gone there just yet.”

    Iran has been getting blame recently for some attacks on financial services firms.

    Reply
  8. Tomi says:

    Panetta Spells Out DOD Roles in Cyberdefense
    http://www.defense.gov/news/newsarticle.aspx?id=118187

    WASHINGTON, Oct. 11, 2012 – Defense Secretary Leon E. Panetta spelled out in detail the Defense Department’s responsibility in cybersecurity during a speech to the Business Executives for National Security meeting in New York, today.

    “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks. “Such a destructive cyber terrorist attack could paralyze the nation.”

    The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO.

    “Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced.”

    There was a similar attack later in Qatar. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.

    Enemies target computer control systems that operate chemical, electricity and water plants, and guide transportation networks.

    “We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” he said.

    DOD has improved its capability of tracking attacks to point of origin. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,” he said.

    All U.S. leaders have discussed cyber security with foreign leaders.

    But businesses have the greatest interest in cybersecurity. Businesses depend on a safe, secure, and resilient global digital infrastructure, and businesses own and run many of the critical networks the nation depends on. “To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace,” the secretary said.

    Reply
  9. Tomi says:

    HSBC Websites Knocked Offline After Hack
    http://www.pcmag.com/article2/0,2817,2411180,00.asp

    HSBC on Thursday confirmed that it had suffered a cyber attack that took down several of the bank’s websites around the world.

    The company was hit by a denial of service attack, which limited access to its websites and online banking services.

    HSBC did not provide any information about who might be responsible, but a group with links to Anonymous took credit for the attack on Pastebin and Twitter.

    Many customers were annoyed that they were unable to access their accounts and tweeted at FawkesSecurity

    The hack, meanwhile, comes amidst what is known as Operation Ababil, or attacks on U.S. banks over the fact that the controversial film Innocence of Muslims is available online here. As Betabeat noted, the campaign recently entered its fourth week by targeting Regions Bank, but has also affected Capital One and SunTrust.

    Reply
  10. Tomi says:

    ZAP – Zscaler Application Profiler
    How safe is your mobile application?
    http://zap.zscaler.com/

    Input the name of an iOS or Android application in order to view historical scan results.
    For searching an iOS application enter the search term as “App name iOS”. Similarly, when searching for an Android application, enter the search term as “App name Android”.

    Reply
  11. Tomi Engdahl says:

    New app from Finland takes crime fighting to phone screen
    http://www.reuters.com/article/2012/10/18/us-app-police-idUSBRE89H01J20121018

    Noisy neighbors and parking violators: beware. A new smartphone app being used in Finland allows reporting of nuisance crimes with a few clicks, and its developer has started to pitch its service to police services around Europe.

    The company, Grafetee, on Thursday globally launched its free location-based tagging application for Apple and Google Android devices. The app allows users to bookmark locations and link data from services like Foursquare, Yelp, Flickr and Instagram to the sites.

    So far, the police reports feature is available only in Finland where local police now monitor reports from the app.

    Reply
  12. Tomi Engdahl says:

    Megaupload Is Dead. Long Live Mega!
    http://www.wired.com/threatlevel/2012/10/megaupload-mega/

    What Mega and Megaupload do have in common is that they are both one-click, subscriber-based cloud platforms that allow customers to upload, store, access, and share large files. Dotcom, and his Mega partner Mathias Ortmann say the difference is that now those files will first be one-click-encrypted right in a client’s browser, using the so-called Advanced Encryption Standard algorithm. The user is then provided with a second unique key for that file’s decryption.

    Internet libertarians will surely embrace this new capability.

    And because the decryption key is not stored with Mega, the company would have no means to view the uploaded file on its server. It would, Ortmann explains, be impossible for Mega to know, or be responsible for, its users’ uploaded content — a state of affairs engineered to create an ironclad “safe harbor” from liability for Mega, and added peace of mind for the user.

    “Whatever is uploaded to the site, it is going to remain closed and private without the key.”

    Dotcom’s belief is that even the broad interpretation of internet law that brought down Megaupload would be insufficient to thwart the new Mega

    “You have the right to protect your private information and communication against spying.”

    Reply
  13. Tomi Engdahl says:

    IBM claims first with Hadoop data security suite
    Big Data tools bonanza from Big Blue
    http://www.theregister.co.uk/2012/10/18/ibm_hadoop_security/

    IBM is launching what it claims is the first data security system for Hadoop, as part of its biggest product rollout of security software and services yet seen from the company.

    The Hadoop system, dubbed InfoSphere Guardium v9 for Hadoop, stems from technology bought out by Big Blue in 2009 from Guardium, and covers real time security and vulnerability monitoring. The software works with both structured and unstructured databases and includes an automatic compliance and data privacy reporting system.

    Also for Hadoop systems, IBM has upgraded its Optim Data Masking system for Big Data users, which obfuscates sensitive data, limiting direct access, and also supports application-specific masking from Oracle and SAP.

    IBM’s looking to become a one-stop shop for security tools and service, capitalizing on IT managers’ desire to simplify their security around a few key providers.

    Reply
  14. Tomi Engdahl says:

    Android apps get SSL wrong, expose personal data
    Researchers find 1,000 insecure apps, pinch credit card and other data
    http://www.theregister.co.uk/2012/10/21/android_app_ssl_vulnerability/

    More than 1,000 out of a sample of 13,000 Android applications analysed by German researchers contained serious flaws in their SSL implementations.

    17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.

    They state that they were “able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

    In addition, since virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

    The problems arise because of developers misusing the SSL settings the Android API offers.

    The researchers say the tool they developed for scanning apps’ SSL implementations, MalloDroid, will be available as a Web app and as part of the Androguard security scanner.

    androguard
    Reverse engineering, Malware and goodware analysis of Android applications … and more (ninja !)
    http://code.google.com/p/androguard/

    Reply
  15. Tomi says:

    Kaspersky Lab and Facebook Partner to Make Social Networking Safer
    http://www.kaspersky.com/about/news/business/2012/Kaspersky_Lab_and_Facebook_Partner_to_Make_Social_Networking_Safer

    People are more likely to click on a link shared by a friend, and this inherent trust is something cyber-criminals prey upon. Malicious URLs can automatically share themselves with a victim’s personal contacts without the user’s knowledge, making the links appear legitimate.

    Now, when Facebook users share or click a link shared by their friends, the link will instantly be compared against Kaspersky Lab’s database of malicious web pages. If the link matches Facebook’s list of “known-bad” URLs – which are supplied to Facebook by Kaspersky Lab and other security vendors – the user will be immediately notified and blocked from visiting the web page. This not only prevents the user’s personal information and computer from being put at risk, but stops the malicious links from spreading further.

    Kaspersky Lab believes that informed computer users are the first line of defense against cyber-crime. In addition to supplying Facebook with threat information, Kaspersky Lab will also contribute expert advice, tips and informative articles to the Facebook Security page.

    For more information on this Facebook service, please visit http://www.facebook.com/security

    Reply
  16. Coralee Sarley says:

    I just wanted to chime in on this comment section. I know many people have difficulty when installing ssl certs for openssl, so I looked around and found a ssl tool that makes installing ssl certificates on cpanel a snap. You can use it at http://tools.ssl.com. Happy trails with your ssl installs!

    Reply
  17. Tomi Engdahl says:

    McAfee launches data center security platforms for physical, virtual environments
    http://www.cablinginstall.com/articles/2012/10/mcafee-data-center-security.html

    McAfee has announced four new Data Center Security Suites to help secure servers and databases in the data center.

    According to the company, the new platforms offer a combination of whitelisting, blacklisting and virtualization technologies for protecting servers and virtual desktops.

    “The combination of whitelisting, blacklisting and virtualization in a single solution, offers an optimal security posture for protecting servers in the data centers,” comments Candace Worley, senior vice president and general manager of endpoint security at McAfee.

    Reply
  18. Tomi Engdahl says:

    How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole
    http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread

    “You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

    Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.

    So he wondered if the e-mail might have been spoofed

    Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.

    The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails.

    For security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help.

    Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game.

    Harris never got a response from the Google founders. Instead, two days later, he noticed that Google’s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

    Oops, Harris thought, it was a real vulnerability he’d found.

    Harris started exploring other sites and noticed the same problem with the DKIM keys used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.

    Spoofing e-mail is one of the methods that attackers use in phishing attacks that trick users into opening malicious e-mails

    Finding the vulnerability in Google’s own domain was ironic, since Google makes concerted efforts to block e-mails sent to Gmail users from other spoofed domains.

    The fix is an easy one – companies simply need to generate a new key at the stronger length and place it in their DNS records. But they also need to remember to revoke their old key, Harris says.

    Harris isn’t a security researcher,

    “The fact that I went into this not knowing what a DKIM header was illustrates that somebody with enough technical background can figure this out as they go along,” he says.

    Reply
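An added example, not part of the quoted article or the comment above: a check that reads the public key from a DKIM DNS TXT record and compares its RSA modulus size with the 1,024-bit minimum the article cites. The records are constructed with placeholder moduli, the selector names in the demo are made up, and all function names are this example's own; an empty `p=` tag is how a DKIM key is published as revoked.

```python
import base64
from typing import Optional, Tuple

# DER encoding of AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; return (tag, content, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits give the size of the length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf: bytes, pos: int, want: int) -> Tuple[bytes, int]:
    """Read a TLV and insist on its tag."""
    tag, content, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"unexpected DER tag 0x{tag:02x}")
    return content, nxt

def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    body, _ = expect(spki, 0, 0x30)        # SubjectPublicKeyInfo SEQUENCE
    _alg, nxt = expect(body, 0, 0x30)      # AlgorithmIdentifier (skipped)
    bit_string, _ = expect(body, nxt, 0x03)
    rsa_key, _ = expect(bit_string, 1, 0x30)   # byte 0 is the unused-bits count
    modulus, _ = expect(rsa_key, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt: str, minimum_bits: int = 1024) -> Tuple[str, Optional[int]]:
    """Classify a DKIM TXT record as ok, weak, revoked, not-rsa or invalid."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop wrapping whitespace
    if tags.get("k", "rsa") != "rsa":
        return "not-rsa", None
    if "p" not in tags:
        return "invalid", None
    if tags["p"] == "":
        return "revoked", None             # empty p= marks a revoked key
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "invalid", None
    return ("weak" if bits < minimum_bits else "ok"), bits

# --- constructed sample data below: placeholder moduli, not real keys ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER with a leading zero byte where needed."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def sample_record(bits: int) -> str:
    """Build a DKIM record whose modulus has the requested bit length."""
    modulus = (1 << (bits - 1)) | 1        # right size only, not a usable key
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")

if __name__ == "__main__":
    records = {                            # made-up selector names
        "old._domainkey.example.com": sample_record(512),
        "new._domainkey.example.com": sample_record(2048),
        "retired._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    }
    for name, txt in records.items():
        print(name, audit_dkim_record(txt))
```
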
  19. Tomi Engdahl says:

    A look inside the cabling for federal government data centers
    http://www.cablinginstall.com/articles/print/volume-20/issue-10/features/a-look-inside-the-cabling-for-federal-government-data-centers.html

    While both businesses and government share many of the same data center concerns, federal government standards are many times more rigorous to achieve. Especially as the federal government is undergoing data center consolidation, planning to close 1,200 data centers by 2015, it is necessary that new facilities meet the highest standards for cost effectiveness, security, scalability, availability of information and environmental responsibility.

    High-security government data centers benefit from secret, Top Secret (TS) and Top Secret/Sensitive Compartmented Information (TS/SCI) cleared personnel working on the facilities. While the beginning of the project may not require secured personnel, as the project reaches completion and installation begins, the need increases. Therefore, many of the telecommunications technicians must possess security clearances.

    From the very start of the planning process, a security-cleared designer of record will allow the data center end user to more-freely discuss full requirements and goals of the center. For instance, if the data pertains to national security, a cleared designer has a full picture of the agency’s mission and can determine the best way to keep the data safe. Once the building is complete, it is necessary for cabling infrastructure and physical access to the center to be secure. These physical protections are commonly referred to as protective distribution systems (PDS). There are various PDS that may be installed to protect data centers. Alarm systems, which alert necessary individuals if a cabling system is being tampered with, are a common form of protection. Hardened carrier PDS can allow for the use of interlocking connectors rather than welded conduit joints to provide easy access for future data center growth.

    Reply
  20. Tomi Engdahl says:

    Securing the sensitive data housed in racks and enclosures
    http://www.cablinginstall.com/articles/print/volume-20/issue-10/features/securing-the-sensitive-data-housed-in-racks-and-enclosures.html

    Security ranks highly on any data center manager’s list of priorities and it’s not difficult to understand why, especially when considering the devastating impact that downtime or data theft can have on a business.

    For companies that have to comply with legislation such as Sarbanes-Oxley, Basel II, Payment Card Industry Data Security Standard (PCI-DSS) or the Financial Services Authority, their data centers must adhere to strict asset documentation, configuration and change management, as well as rigorous audit-trail documentation policies.

    In colocation facilities, high levels of security are also required in order to comply with service level agreements (SLAs), as any data breach can prove costly both financially and in terms of reputation.

    In the financial sector, data protection and corporate responsibility legislation is extremely stringent and even states that a company’s head office and corporate data center must be sited in separate locations.

    When it comes to restricting access to data, securing the cabinets and racks that house servers and other active equipment is crucial. There are a number of ways that this can be achieved, and perhaps the most obvious is the use of reliable and intelligent locking systems.

    The locking system will usually be used in conjunction with a personal identification number (PIN) or radio frequency identification (RFID) device.

    An increasingly popular way of ensuring that only authorized personnel have access to cabinets is by using biometric technologies.

    One measure of enhancing the security of a cabinet locking system is to add an electronic keypad that mounts onto the existing handle,

    Cabinets can have a video recording system installed that can either record constantly or be activated in the event of an access attempt. The system will send the data center manager an email containing a still image of the person trying to gain access. That person can then remotely access the video system and watch events unfold

    Reply
  21. Tomi Engdahl says:

    Experts warn about security flaws in airline boarding passes
    http://www.washingtonpost.com/national/experts-warn-about-security-flaws-in-airline-boarding-passes/2012/10/23/ed408c80-1d3c-11e2-b647-bb1668e64058_story.html

    Security flaws in airline boarding passes could allow would-be terrorists or smugglers to know in advance whether they will be subject to certain security measures, and perhaps even permit them to modify the designated measures, security researchers have warned.

    The vulnerabilities center on the Transportation Security Administration’s pre-screening system, a paid-for program in which the screening process is expedited for travelers at the airport: Laptop computers can remain in hand baggage, as can approved containers of liquid, and belts and shoes can be kept on.

    Under the program, passengers can still be subject at random to conventional security screening.

    Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive.

    Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process.

    “TSA does not comment on specifics of the screening process, which contain measures both seen and unseen,” spokesman Sterling Payne said. “TSA Pre Check is only one part of our intelligence-driven, risk-based approach.”

    Sen. Charles E. Schumer (D-N.Y.), who has been critical of TSA security measures on several previous occasions, said the new findings were a cause for concern.

    “The pre-check system is extremely valuable for making airport screening more efficient, but it is imperative that security not be compromised,”

    Reply
  22. Tomi Engdahl says:

    Young people do not realize that sexy images sent to a small group can easily end up circulating around the network, says The Guardian.

    According to the newspaper up to 88 per cent of sexual photos and videos taken by children and young people of themselves end up in circulation. Photos are stolen without the knowledge of the victims to web sites whose goal is to share young people’s sex pictures.

    Information is based on the non-profit Internet Watch Foundation (IWF) research.

    IWF tries to reduce the spread of child pornography and other illegal material on the Internet.

    - Young people need to understand that when the image is sent to the network, it becomes public property, and in practice it is virtually impossible to remove

    - The image could jeopardize any future career or reputation, if my family or my friends find it

    Source: http://www.iltalehti.fi/digi/2012102516248539_du.shtml

    Reply
  23. Tomi Engdahl says:

    A serious safety risk for industry and utilities: CoDeSys programming environment leaks

    More than 200 manufacturers use the CoDeSys programming environment to build programmable automation equipment. The platform can be found in a number of power plants, factories and military equipment.

    Now a security hole has been detected that makes it possible to hack into computer systems and run malicious code on a CoDeSys-enabled device. The security hole allows access to the command interface without permission. In practice, the intruder can even launch programs or copy the information and reset the memory.

    CoDeSys swing cannot be exploited without access to the company’s internal network. The CoDeSys manufacturer is working to fix the problem.

    Source: http://m.tietoviikko.fi/Uutiset/Vakava+turvariski+teollisuudessa+ja+voimalaitoksissa%3A+ohjelmointiymp%C3%A4rist%C3%B6+vuotaa

    Reply
  24. Tomi Engdahl says:

    This is the world’s most popular password: password

    Next comes 123456

    SplashData’s Top 25 list also includes the following passwords: 12345678, abc123, qwerty, monkey, letmein, dragon, 111111, baseball, iloveyou and TrustNo1.

    Source: http://m.tietoviikko.fi/Uutiset/T%C3%A4m%C3%A4+on+maailman+suosituin+salasana

    Reply
  25. Tomi Engdahl says:

    Cybersecurity bill likely dead
    http://thehill.com/blogs/hillicon-valley/technology/264417-cybersecurity-bill-likely-dead-in-congress

    Cybersecurity legislation faces long odds of passing Congress this year despite forceful calls for action from the White House and Defense Secretary Leon Panetta.

    But there are several roadblocks that could prevent a bill from even reaching the Senate floor, and observers say Congress will likely punt the issue to next year.

    “It’s so hard. The timing is bad [and] the amount of work that has to be done in the lame duck is so substantial,”

    Even Lieberman, the bill’s lead author, isn’t enthusiastic about the prospects for passing cybersecurity legislation before the end of the year. He is set to retire at the end of the session.

    Reply
  26. Tomi Engdahl says:

    Clearwire to use Huawei equipment in network upgrade
    http://www.reuters.com/article/2012/10/26/us-clearwire-huawei-idUSBRE89P15420121026

    Clearwire said it reviewed its plans “with the technical arms of multiple federal agencies” and that it has “great respect for the U.S. government and their oversight role over the nation’s infrastructure.”

    The decision follows a U.S. congressional report earlier this month that said Huawei network equipment should be kept out of the U.S. market as potential Chinese state influence could pose a security threat.

    Reply
  27. Tomi Engdahl says:

    U.S. looks to replace human surveillance with computers
    http://news.cnet.com/8301-1009_3-57540826-83/u.s-looks-to-replace-human-surveillance-with-computers/

    Security cameras that watch you, and predict what you’ll do next, sound like science fiction. But a team from Carnegie Mellon University says their computerized surveillance software will be capable of “eventually predicting” what you’re going to do.

    Computer software programmed to detect and report illicit behavior could eventually replace the fallible humans who monitor surveillance cameras.

    The U.S. government has funded the development of so-called automatic video surveillance technology by a pair of Carnegie Mellon University researchers who disclosed details about their work this week — including that it has an ultimate goal of predicting what people will do in the future.

    “The main applications are in video surveillance, both civil and military,” Alessandro Oltramari, a postdoctoral researcher at Carnegie Mellon who has a Ph.D. from Italy’s University of Trento, told CNET yesterday.

    Think of it as a much, much smarter version of a red light camera: the unblinking eye of computer software that monitors dozens or even thousands of security camera feeds could catch illicit activities that human operators — who are expensive and can be distracted or sleepy — would miss. It could also, depending on how it’s implemented, raise similar privacy and civil liberty concerns.

    Reply
  28. Tomi Engdahl says:

    I just bought more than 1 million …Facebook data entries. OMG! /updated/
    http://talkweb.eu/openweb/1819

    I have the bloody habit to look for cheap deals on some websites and today I’ve got the featured offer to buy more than 1 million Facebook entries containing Full Name, e-mail and Facebook profile URL.

    “The information in this list has been collected through our Facebook apps”

    “the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.”

    Do you still feel secure?

    Oh yes, the deal price was 5$ – five u.s dollars.

    Reply
  29. Tomi Engdahl says:

    Ernst & Young Global Information Security Survey 2012:

    More than three quarters of respondents consider that external attacks have increased, and at the same time almost half also see that internal security risks have increased.

    63 percent of companies do not have a comprehensive framework of information security management and a basis for development.

    The growth of cloud services also creates new risks, which more than a third are not prepared for.

    According to the results of the Ernst & Young Global Information Security Survey 2012, companies have to make fundamental changes in computer security so that they are able to meet the risks posed by new technology.

    The biggest problem in organizations is too few measures that will help in the short term.

    “The uncertain global economy, technological advances and the constantly growing number of regulations will bring additional challenges to an already complex security management. Rapid response to issues is no longer enough,”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/onko+teidan+firmassa+tama+tietoturvaasia+kunnossa/a851529?s=r&wtm=tietoviikko/-30102012&

    Reply
  30. Tomi Engdahl says:

    FBI Says They’re Now Working 24/7 To Investigate Hackers and Network Attacks:

    As of today, the FBI is working 24/7 to investigate hackers and network attacks
    26th October 2012 by Emil Protalinski
    http://thenextweb.com/us/2012/10/26/as-of-today-the-fbi-is-working-247-to-investigate-hackers-and-network-attacks/

    The Federal Bureau of Investigation (FBI) is finally stepping up its game when it comes to hackers.

    FBI is now hunting hackers 24/7.

    Its goal is to “uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code.”

    The FBI is forming relationships with the technical leads at financial, business, transportation, and other critical infrastructures, plus it has hired specialists to work at its Cyber Division’s Cyber Watch command. Starting today, investigators in the field can send their findings to the centre, which will be operating 24/7, looking for patterns or similarities in reported cases.

    The division’s main focus is now cyber intrusions, working closely with the Bureau’s Counterterrorism and Counterintelligence divisions.

    Reply
  31. Tomi Engdahl says:

    Extracting data with keyboard emulation
    http://hackaday.com/2012/10/30/extracting-data-with-keyboard-emulation/

    A common challenge for computer security specialists is getting data out of a very locked-down system.

    [András] figured out how to extract data from a computer by emulating a keyboard.

    Of course, [András] first needs an app to transmit data through these keyboard status LEDs.

    It’s not very fast – just over one byte per second – but [András] did manage to extract data from a computer, circumventing just about every anti-leaking solution.

    Reply
  32. Tomi Engdahl says:

    Give us €7 billion and we’ll give you a digital Europe, says EU commissioner
    http://news.techworld.com/networking/3407406/give-us-7-billion-well-give-you-digital-europe-says-eu-commissioner/

    The European Investment Bank funds a Dutch Project as Neelie Kroes pushes for similar funding elsewhere

    The European Investment Bank announced yesterday that it would provide a €125 million (£100 million) loan to fund high-speed broadband roll outs in 50 Dutch municipalities, while the European Digital Agenda commissioner pushed for more money for similar projects throughout the European Union.

    Digital Agenda Commissioner Neelie Kroes called for the European Parliament and member states to give their backing to the Connecting Europe Facility (CEF), a plan to use around €50 billion from the EU budget to be leveraged by the European Investment Bank (EIB) for investment in energy, transport and communications projects. Around €7 billion of that would go to next-generation networks, like the one in the Netherlands.

    Negotiations on the Connecting Europe Facility are at a crucial stage as member states are due to decide on the EU’s budget for 2014-2020 in the next few weeks.

    “Fibre broadband can transform the digital life of a business or school or family.”

    Reply
  33. Tomi Engdahl says:

    Dutch DigiNotar Servers Were Fully Hacked
    http://tech.slashdot.org/story/12/10/31/207212/dutch-diginotar-servers-were-fully-hacked

    “The final report that was handed to the Dutch government today indicates that all 8 certificate servers of the Dutch company DigiNotar were fully hacked.”

    “Because the access log files were stored on the same servers, they cannot be used to find any evidence for or against intrusion.”

    Reply
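The problem with logs kept on the compromised servers themselves, as an added example that is not taken from the report or from the comment above: a hash-chained log still verifies after someone with full control of the server rewrites it, and the rewrite only shows up when the digests were also forwarded to a separate host. The record fields, the sample records and every function name are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # digest that precedes the first entry


def entry_digest(prev_digest, record):
    """Digest of one record, bound to the digest of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + b"\n" + payload).hexdigest()


def build_log(records):
    """Append records to a chained log. Returns (entries, checkpoints), where
    checkpoints are the digests forwarded to a separate log host as written."""
    entries, checkpoints, prev = [], {}, GENESIS
    for index, record in enumerate(records):
        prev = entry_digest(prev, record)
        entries.append({"record": record, "digest": prev})
        checkpoints[index] = prev  # assumption: held off the server
    return entries, checkpoints


def chain_is_consistent(entries):
    """Check the chain using only what is stored on the server itself."""
    prev = GENESIS
    for entry in entries:
        if entry_digest(prev, entry["record"]) != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


def audit(entries, checkpoints):
    """Compare the server's log with the off-host checkpoints.
    Returns a list of findings; an empty list means they agree."""
    findings = []
    if not chain_is_consistent(entries):
        findings.append("chain broken on the server copy")
    for index, digest in sorted(checkpoints.items()):
        if index >= len(entries):
            findings.append(f"entry {index} missing (log truncated)")
        elif not hmac.compare_digest(entries[index]["digest"], digest):
            findings.append(f"entry {index} differs from checkpoint")
    return findings


def rewrite_history(entries, index, new_record):
    """Simulate the failure case for testing: one record is replaced and every
    later digest is recomputed, so the server copy still looks intact."""
    forged = [dict(e) for e in entries[:index]]
    prev = forged[-1]["digest"] if forged else GENESIS
    for i, entry in enumerate(entries[index:], start=index):
        record = new_record if i == index else entry["record"]
        prev = entry_digest(prev, record)
        forged.append({"record": record, "digest": prev})
    return forged


# Constructed access-log records, not real data.
SAMPLE_RECORDS = [
    {"ts": "2012-01-01T09:14:02Z", "user": "operator1", "action": "login"},
    {"ts": "2012-01-01T09:15:40Z", "user": "operator1", "action": "issue-cert"},
    {"ts": "2012-01-01T23:02:11Z", "user": "unknown", "action": "login"},
    {"ts": "2012-01-01T23:05:57Z", "user": "unknown", "action": "issue-cert"},
    {"ts": "2012-01-02T08:00:00Z", "user": "operator2", "action": "login"},
]

if __name__ == "__main__":
    log, witness = build_log(SAMPLE_RECORDS)
    forged = rewrite_history(log, 2, {"ts": "2012-01-01T23:02:11Z",
                                      "user": "operator1", "action": "login"})
    print("server-only check passes:", chain_is_consistent(forged))
    print("off-host audit findings:", audit(forged, witness))
```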
  34. Tomi Engdahl says:

    Medical Pumps Recall: Bug Causes Inaccurate Readings on Touchscreen
    http://securityledger.com/medical-pumps-recall-bug-causes-inaccurate-readings-on-touchscreen/

    Mobile phones aren’t the only products to benefit from nifty touch screen displays. A whole range of medical devices now sport them, also – as any trip to your local emergency department (or dentist’s office) will reveal. Unfortunately, many of those devices are just as balky and bug ridden as your average mobile phone - despite the fact that patients’ lives can rely on them.

    And this week, there’s more evidence of the lurking epidemic of shoddy, IP enabled medical devices. The medical device maker Hospira issued a voluntary, nationwide recall of its Symbiq brand infusion systems after discovering a software error that caused the touch screen interfaces on the devices to respond incorrectly to user input.

    Symbiq is a drug infusion system that delivers controlled amounts of medications to patients through intravenous, intra-arterial, epidural and other means. It is designed to prevent medical errors by offering pre-defined doses from a drug library.

    “the software-related root cause of this issue potentially impacts all Symbiq infusion systems currently in the field.”

    Software engineers and security experts have sounded warnings about the vulnerability of IP-enabled medical devices for some time now. A paper prepared jointly by researchers at the University of California, Berkeley, Carnegie Mellon University and the University of Massachusetts, Amherst in 2011 studied a popular automated external defibrillator (AED) and found serious security holes in both the embedded software on the device and a commercial software update mechanism used to service it. The researchers concluded that software security is an “afterthought in medical device design.”

    Reply
  35. Tomi says:

    Exclusive: Inside Android 4.2′s powerful new security system
    http://blogs.computerworld.com/android/21259/android-42-security

    Android 4.2 marks the launch of a powerful new security system built right into the platform. The key component is a real-time app scanning service that instantly checks apps put on your device for any malicious or potentially harmful code.

    The feature is an extension of the security technology Google introduced for the Play Store this past February. While that technology worked exclusively on the server side, analyzing apps that were uploaded to the Play Store, the new system works with your device and scans any apps you install from third-party sources (a process known as “sideloading”).

    “We view security as a universal thing,” Android VP of Engineering Hiroshi Lockheimer tells me. “Assuming the user wants this additional insurance policy, we felt like we shouldn’t exclude one source over another.”

    Following typical Google fashion, the new scanning service is completely opt-in: The first time you install an app from a source other than the Play Store — including a third-party app market like Amazon’s app store — Android pops up a box asking if you want such applications to be checked for “harmful behavior.”

    Reply
  36. Tomi says:

    Judge prods FBI over future Internet surveillance plans
    http://news.cnet.com/8301-13578_3-57544139-38/judge-prods-fbi-over-future-internet-surveillance-plans/

    A federal judge has rejected the FBI’s attempts to withhold information about its efforts to require Internet companies to build in backdoors for government surveillance.

    Federal judge tells FBI to do more to comply with open government laws when disclosing what backdoors it wants Internet companies to create for government surveillance.

    The FBI says lawful investigations are thwarted because Internet companies aren’t required to build in back doors in advance, or because technology doesn’t permit it.

    FCC never granted the FBI’s request to rewrite CALEA to cover instant messaging and VoIP programs that are not “managed” — meaning peer-to-peer programs like Apple’s FaceTime, iChat/AIM, Gmail’s video chat, and Xbox Live’s in-game chat that use the Internet, not the public telephone network.

    Reply
  37. Tomi says:

    “I use historical examples in many of my writings and in all the latest books.”
    “History can teach a lot about security.”

    Have you ever felt that the publicity-driven, product-centred hype around key security threats alienates end users from the real and tangible threats?

    Schneier: “This is true in all areas of safety, not just for security. For example, in the United States, it is true when it comes to terrorism. In information technology, vendors are trying to sell products and drive the hype surrounding the threats that their products will repel.

    This means that other hazards, such as those for which there are no products, receive much less attention. Threats from inside the organization are a good example of this. For decades, the security industry had nothing to offer for that problem, so they played down the threat.”

    Schneier: “If we have learned anything from the presence of malware, it is that all systems have vulnerabilities. Exploiting those vulnerabilities is all about the money.”

    “We see fewer fast-spreading worms, such as Code Red and Nimda, than a decade ago. Today’s malware infections are likely to be slow, targeted and can’t be detected with radar.”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/4+kysymysta+bruce+schneirille/a849218?s=r&wtm=tietoviikko/-04112012&

    Reply
  38. Tomi Engdahl says:

    Technology
    The Russian underground economy has democratised cybercrime
    http://www.wired.co.uk/news/archive/2012-11/02/russian-cybercrime

    If you want to buy a botnet, it’ll cost you somewhere in the region of $700 (£433). If you just want to hire someone else’s for an hour, though, it can cost as little as $2 (£1.20) — that’s long enough to take down, say, a call centre, if that’s what you were in the mood for. Maybe you’d like to spy on an ex — for $350 (£217) you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you’re just in the market for some good, old-fashioned spamming — it’ll only cost you $10 (£6.19) for a million emails. That’s the hourly minimum wage in the UK.

    This is the current state of Russia’s underground market in cybercrime — a vibrant community of ne’er-do-wells offering every conceivable kind of method for compromising computer security. It’s been profiled in security firm Trend Micro’s report, Russian Underground 101, and its findings are as fascinating as they are alarming.

    Reply
  39. Tomi Engdahl says:

    Microsoft’s security team is killing it: Not one product on Kaspersky’s top 10 vulnerabilities list
    http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/

    Security firm Kaspersky has released its latest IT Threat Evolution report

    Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.

    A few years ago, Microsoft would be all over the list, but starting with the release of Windows Vista, the company has seriously cleaned up its act. Windows 7 builds on that, and Windows 8 takes it yet another step forward. Windows is still highly targeted due to its market share: 0-days for Windows 8 allegedly already exist.

    this list of findings is for you:

    28 percent of all mobile devices attacked run Android OS version 2.3.6, which was released in September 2011.
    56 percent of exploits blocked in Q3 use Java vulnerabilities.
    A total of 91.9 million URLs serving malicious code were detected, a 3% increase compared to Q2 2012.

    That second one is brutal. It’s exactly why you shouldn’t have Java installed, unless you absolutely need it.

    Reply
  40. Tomi Engdahl says:

    Today is a day of attacks on the Internet – attacks have already been made

    The activist group Anonymous is encouraging its members to carry out a variety of attacks today, November 5th. Visible attacks have already been made on the Internet against NBC, the Australian Government and IT sector companies.

    The timing is because of Guy Fawkes Day, which is still remembered in the UK every November 5th. Guy Fawkes was a British man who participated in a conspiracy to blow up the Houses of Parliament in London in 1605. The project failed and Fawkes was caught.

    Source: http://www.tietokone.fi/uutiset/tanaan_netissa_on_hyokkaysten_paiva_iskuja_jo_tehty

    Reply
  41. Tomi Engdahl says:

    Coke Gets Hacked And Doesn’t Tell Anyone
    http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html

    FBI officials quietly approached executives at Coca-Cola Co. (KO) on March 15, 2009, with some startling news.

    Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

    It is unclear whether the attack played a role in the demise of the Huiyuan acquisition.

    Coca-Cola, the world’s largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees — and in some cases even from senior executives.

    Concealing Breaches

    Digital intruders are increasingly targeting information about high-stakes business deals — from mergers and acquisitions to joint ventures to long-term supply agreements — and companies routinely conceal these breaches from the public, say government officials and security companies.

    Such thefts are tilting the playing field, putting compromised companies at a disadvantage in business negotiations and, in turn, leaving investors in the dark, they say.

    “Investors have no idea what is happening today,” says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. “Companies currently provide little information about material events that occur on their networks.”

    “We don’t credit the idea that no one would care”

    Yet no company has publicly disclosed the theft of sensitive deal-related information from a computer intrusion

    “They fear that bringing this to the public will do them more harm than good,”

    Little Known

    A striking aspect of the wave of corporate hacking is how little is sometimes known about the information taken, much less who is taking it and how it’s being used, say security researchers.

    Without complete answers, it can be difficult for companies to attach a dollar figure to the losses. Most don’t deem hacks to be a material event, which would require disclosure to shareholders

    “If these attacks are left unchecked, they could have a devastating impact on the future earning potential of many major companies and the economic well-being of countries,” Hague said.

    “China is also a major victim of cyberattacks,” ministry spokesman Hong Lei said at a press briefing last week. “We hope to engage in active and practical international cooperation so as to jointly ensure Internet security.”

    Jonathan Evans, head of Britain’s MI5 domestic security service, said in a speech in June that digital intruders targeting a “major London listed company” had caused a loss of 800 million pounds ($1.3 billion), in part because of the resulting disadvantage in “contractual negotiations.”

    Investor advocates are trying to prod companies into publicly disclosing the breaches, even if they can’t estimate their cost. If information worth a few million dollars is compromised, the same security weaknesses could be exploited to steal data worth hundreds of millions of dollars, says Michael Connor, executive director of Open MIC, a New York-based non- profit that focuses on media policies and supports shareholder activists.

    To gain access to confidential deal information, hackers often target links in a chain of outside organizations that handle such information on the company’s behalf, such as banks and law firms.

    “An increasing number of companies, including ArcelorMittal, have recently experienced intrusion attempts or even breaches of their information technology security,”

    “Like most major corporations, the company’s information systems are a target of attacks,” the report states.

    “Investors have an expectation that companies are disclosing everything they should,” says Olcott. “The reality is this widespread trade-secret theft matters to investors. It has an impact on a company’s future competitiveness, which affects the bottom line.”

    Reply
  42. Tomi Engdahl says:

    Some Smart Meters Broadcast Readings in the Clear
    http://hardware.slashdot.org/story/12/11/05/235258/some-smart-meters-broadcast-readings-in-the-clear

    “University of South Carolina have discovered that some types of electricity meter are broadcasting unencrypted information that, with the right software, would enable eavesdroppers to determine whether you’re at home.”

    Smart meters not so clever about privacy, researchers find
    http://www.networkworld.com/news/2012/110512-smart-meters-not-so-clever-263977.html

    A University of South Carolina study found smart meters transmitting plain text information that could be used against home owners

    Researchers at the University of South Carolina have discovered that some types of electricity meter are broadcasting unencrypted information that, with the right software, would enable eavesdroppers to determine whether you’re at home.

    The meters, called AMR (automatic meter reading) in the utility industry, are a first-generation smart meter technology and they are installed in one third of American homes and businesses. They are intended to make it easy for utilities to collect meter readings. Instead of requiring access to your home, workers need simply drive or walk by a house with a handheld terminal and the current meter reading can be received.

    While many gas and water AMR meters continuously listen for a query signal from a meter reading terminal and only transmit a reading when requested, the researchers found at least one type of electricity meter works on the opposite principle. It continuously sends a meter reading every 30 seconds around the clock.

    It turns out, not very.

    The tools were simple: a $1,000 Universal Software Radio Peripheral software-defined radio, an amplifier, and the freeware GNU Radio software, plus of course, the team’s knowledge of wireless protocols and data processing.

    “Once we got the raw signal, we processed it, and reverse engineered it,” she said.

    Using an off-the-shelf antenna and amplifier, the researchers were able to capture packets from electricity meters at a distance of up to 300 meters. In the neighborhood where they tested, they were able to receive packets from 106 electric meters.

    Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems
    http://www.cse.sc.edu/~wyxu/papers/fp023-rouf.pdf

    Reply
  43. Tomi Engdahl says:

    7 Technologies That Will Make It Easier for the Next President to Hunt and Kill You
    http://www.wired.com/dangerroom/2012/11/president-hunt-you/

    Robotic assassination campaigns directed from the Oval Office. Cyber espionage programs launched at the president’s behest. Surveillance on an industrial scale. The White House already has an incredible amount of power to monitor and take out individuals around the globe. But a new wave of technologies, just coming online, could give those powers a substantial upgrade. No matter who wins the election on Tuesday, the next president could have an unprecedented ability to monitor and end lives from the Oval Office.

    Reply
  44. Tomi Engdahl says:

    IT Threat Evolution: Q3 2012
    http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012

    Mobile malware and operating systems

    During Q3 2012, over 9,000 new malicious .dex files were added to our malware collection. This is 5,000 files fewer than last quarter but 3,500 more than in Q1 2012.

    This is due to the fact that in Q2 files that had been detected heuristically for some time were added to our malware collection. (Note that one heuristic is used to detect a large number of different programs.) In Q3, the situation was standard and the number of new files added to our collection was in line with the trend we have seen since the beginning of the year.

    Android 2.3.6 “Gingerbread”, which accounts for 28% of all blocked attempts to install malware, was the most commonly attacked version. It is not new: it was released in September 2011. However, due to the considerable segmentation of the Android device market, it remains one of the most popular versions.

    Reply
  45. Tomi Engdahl says:

    Kaspersky’s top 10 vulnerabilities list

    Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical.
    Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical.
    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical.
    Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
    Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
    Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
    Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
    Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical.

    Source: http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/

    Reply
  46. Tomi Engdahl says:

    Boffins foul VM sandboxes with CPU-sniffing hack
    Elaborate attack watches CPU activity on co-located VM, retrieves crypto key
    http://www.theregister.co.uk/2012/11/07/vm_side_attack_extracts_crypto_key/

    So much for your sandbox US researchers at RSA, the University of Wisconsin and the University of North Carolina have used a malicious virtual machine to extract a cryptographic key from another virtual machine running on the same hardware.

    The finding will not be welcomed by virtualisation companies or cloud computing providers, as it shows that the logical isolation between virtual machines may not be as secure as promised.

    Hypervisor vendors and cloud providers alike constantly talk up security, asserting that despite virtual machines sharing physical resources there’s no extra risk associated with this mode of computing.

    The researchers’ findings seem to both support and disprove those assertions.

    “The attacker program monitors usage of a shared architectural component to learn information about the key, e.g., the data cache, instruction cache, floating-point multiplier, or branch-prediction cache.”

    The paper delves into very technical detail about how the research team found ways to observe and decipher CPU behaviour,

    The paper often goes out of its way to point out the attack it describes is unusual and required a lot of effort to achieve. Even so, it will likely make virtualisation users just a little less confident that their sandboxes will always remain free of unpleasant contaminants.

    Reply
  47. Tomi Engdahl says:

    Why Google Went Offline Today and a Bit about How the Internet Works
    http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about

    November 6, 2012

    Today, Google’s services experienced a limited outage for about 27 minutes over some portions of the Internet. The reason this happened dives into the deep, dark corners of networking. I’m a network engineer at CloudFlare and I played a small part in helping ensure Google came back online. Here’s a bit about what happened.

    The Fix

    The solution was to get Moratel to stop announcing the routes they shouldn’t be. A large part of being a network engineer, especially working at a large network like CloudFlare’s, is having relationships with other network engineers around the world. When I figured out the problem, I contacted a colleague at Moratel to let him know what was going on. He was able to fix the problem at around 2:50 UTC / 6:50pm PST. Around 3 minutes later, routing returned to normal and Google’s services came back online.

    Building a Better Internet

    This all is a reminder about how the Internet is a system built on trust. Today’s incident shows that, even if you’re as big as Google, factors outside of your direct control can impact the ability of your customers to get to your site so it’s important to have a network engineering team that is watching routes and managing your connectivity around the clock.

    Reply
  48. Tomi Engdahl says:

    The key issues in security are software updating and judicious use of security software. Even security software does not ensure security if it has vulnerabilities itself. These have been found in Sophos and Symantec products.

    According to CERT-FI, the vulnerable software is Symantec Endpoint Protection 11.
    A memory-handling error could allow arbitrary code to run on the system when the program tries to extract a CAB file to look for malware.
    Symantec will not publish a fix for version 11, so users will have to move to version 12.

    According to CERT-FI, Sophos Antivirus software has a number of vulnerabilities, some of which are associated with memory processing and some of which are design defects.
    Sophos also has problems reading Microsoft CAB files. The processing has a buffer overflow vulnerability that an attacker can take advantage of. There are similar memory problems in RAR and PDF handling as well. There is also a security problem in updating: modules are loaded from the network into a folder where any user has write access!

    Source: http://www.tietokone.fi/uutiset/tietoturvaohjelmistoista_loydettiin_haavoittuvuuksia

    Reply
  49. Tomi Engdahl says:

    Adobe, now ‘married’ to Microsoft, moves Flash updates to Patch Tuesday
    Will sync Flash security updates with partner’s monthly schedule
    http://www.computerworld.com/s/article/print/9233342/Adobe_now_married_to_Microsoft_moves_Flash_updates_to_Patch_Tuesday

    Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft’s Patch Tuesday schedule.

    At the same time, Adobe issued an update that patched seven critical Flash vulnerabilities, and Microsoft shipped fixes for Internet Explorer 10 (IE10), which includes an embedded copy of Flash.

    But the move to synchronize Flash Player updates with Microsoft’s monthly patch schedule was the bigger news. “Starting with the next Flash Player security update, we plan to release regularly-scheduled security updates for Flash Player on ‘Patch Tuesdays,’” Adobe said in a statement yesterday.

    “Microsoft and Adobe are now officially married,” cracked Andrew Storms, director of security operations at nCircle Security, in an email reply to questions. “They started dating when they decided to share the MAPP program [and] once Microsoft agreed to embed Flash in IE10, [it was] inevitable that Adobe was going to be strong-armed into following Microsoft’s patch cadence.”

    Reply
  50. Tomi Engdahl says:

    The Web Won’t Be Safe Or Secure Until We Break It
    http://it.slashdot.org/story/12/11/07/2039226/the-web-wont-be-safe-or-secure-until-we-break-it

    “Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. ‘These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.’”

    “By adopting a similar application model on the desktop using custom-configured Web browsers (let’s call them DesktopApps), we could address the Internet’s inherent security flaws”

    The Web Won’t Be Safe or Secure until We Break It
    http://queue.acm.org/detail.cfm?id=2390758

    Unless you’ve taken very particular precautions, assume every Web site you visit knows exactly who you are.

    Reply
