Security and privacy advocates have been pushing online service providers to offer better protection for their customers, and to start offering secure HTTPS connections by default. HTTPS encrypts traffic to and from the server and, for example, protects us from having our usernames and passwords sniffed on public networks. Gmail offers users the ability to enable HTTPS as a default connection type (highly recommended), but for the average user, it probably never comes to mind. Email accounts have become a primary hub for password recovery, and many people don’t realize just how painful losing control of one can be until it happens first hand.
This could change in the near future, according to a blog post by Google software engineer Alma Whitten, which says the company is “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users”. Currently, they are conducting research into the performance impact of rolling this out across the board, but this is a promising step in the right direction. Google is also considering making secure connections the default for other services such as Docs and Calendar.
Secure connections used to be considered very processor intensive for servers, but like anything else, this has become less true as CPU speeds continue to climb. "Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," the post says.
June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by CNET, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."
Users of Windows 2000 SP4 through Windows Vista SP2 (and holdouts still running Windows 7 Beta); Microsoft Office 2000, 2003, or 2007; Microsoft Office for MacOS 2004 and 2008; Microsoft Works 8.5 and 9; and IE5.01 through IE8 have some work to do before heading off on vacation, as do users of Adobe Reader and Acrobat 7.x, 8.x and 9.x. To find out what's being changed - and why - join us after the break.
Oopsy-daisy! According to complaints on McAfee's message board, a mandatory service pack for the company's antivirus VSE 8.7 software has left some machines unbootable. The update, which was issued on May 27 and later pulled on June 2, was intended to squash minor security bugs, but also inadvertently flagged some Windows system files as malware.
"McAfee removed Patch 1 for McAfee VirusScan Enterprise 8.7i from its download servers out of precaution after a potential issue with the update was discovered," McAfee said in a statement. "A very small number of customers reported trouble with the patch on a limited number of computers."
McAfee went on to say that it's working on identifying the cause of the false positives and, once resolved, will repost the mandatory update.
Potentially bad news for G1 owners and anyone else signed up with T-Mobile (we're looking at you Dwyane Wade and Charles Barkley). According to ChannelInsider, hackers have dug their way into the wireless telecom's network and stolen everything they could get their greedy little hands on, including proprietary operating data, customer databases, and financial records.
T-Mobile initially said it was unaware of the reported incident, but has since released a statement to ChannelInsider.
"The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."
As proof of the alleged breach, hackers fired off an email to insecure.org providing an extensive list of T-Mobile servers. According to ChannelInsider, several former T-Mobile network admins came forward saying the list and server names look authentic.
Last week, the Federation of American Scientists' Secrecy News blog found a U.S. report detailing the sites and assets of the nation's nuclear power industry posted on the website of the Government Printing Office. While most of the information in the report can be found through other sources, the document is understandably considered very sensitive, Ars Technica reports.
U.S. officials maintain that no information from the accidental posting -- all 266 pages -- has compromised national security. That news comes as little consolation to Energy Secretary Steven Chu, who expressed concern regarding a uranium storage facility at the department's Y-12 facility in Oak Ridge, Tennessee.
"That's of great concern. We will be looking hard and making sure physical security of those sites is sufficient to prevent eco-terrorists and others getting hold of that material," Chu said.
The leaked document is intended as part of an agreement on nuclear material inspection under the International Atomic Energy Agency's nuclear nonproliferation effort.
We're not going to start hiding our millions under our mattress (that's right, all bloggers roll in obscene amounts of money and own private jets), but the next time we withdraw a wad of cash, it might be a good idea to skip the ATM and flirt with a real live teller instead. That's because about 20 ATMs, mostly in Eastern Europe, have recently been hacked and are thought to be a testing ground before the malware spreads to other ATMs, including those in the U.S.
"Trustwave's SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region," Trustwave said. "This malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on a compromised ATM."
According to the report, the compromised ATMs all ran Microsoft's Windows XP operating system. The malware is installed and activated through a dropper file. Once a machine is compromised, hackers have full control over it via a customized user interface, which is accessed by inserting a special controller card into the ATM.
"This malware is unlike any we have ever had experience with," Trustwave added.
President Obama on Friday announced plans to develop a cybersecurity office in the White House to combat cyber threats. As part of the plan, the President said he would himself name a "cyber czar" to head up the operation.
"A lot of the things that were discussed [Friday] morning have been said before, but it is a very big deal when the President says them," said President Larry Clinton of the Internet Security Alliance.
Citing a recent survey, President Obama said that cyber crime has cost Americans more than $8 billion over the past years, with the worldwide cost of stolen intellectual property estimated to be in the vicinity of $1 trillion. He also talked about hackers gaining access to campaign computers when he was running for President.
"It's not clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said. "We're not as prepared as we should be, as a government or as a country."
You can view the 16 minute video of what President Obama had to say right here.
First detected back in March, the 'Gumblar' attacks have been gaining steam lately, growing by as much as 188 percent in just a single week, ScanSafe warned. Gumblar refers to a Web attack that plants malicious scripts on normally legitimate websites, which then redirect Google search results on victims' PCs.
"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman said late last week in an advisory.
In Gumblar's case, the opposite has been true, a result of website administrators being affected by the attacks. According to ScanSafe, some well-known sites that have fallen prey to Gumblar include Tennis.com, Variety.com, and Coldwellbanker.com.
Keep those virus definitions up to date, and if you haven't done so already, look into installing an AV app.
Last month, David Murphy wrote that "open-source projects like OpenID are paving the way for a new generation of connectivity, one where differing Web entities come to you for information and display it in a format and location of your choosing." Taking a giant step in that direction, Facebook has officially become an OpenID relying party.
What that means is that Facebook users can now link their Facebook account to a Gmail address, OpenID URL, or any OpenID provider that supports automatic login. It's a move that has proved popular so far, according to Facebook.
"In tests we've run, we've noticed that first-time users who register on the site with OpenID are more likely to become active Facebook users," Facebook says. "They get up and running after registering even faster than before, find their friends easily, and quickly engage on the site."
The social networking site says it plans to integrate more OpenID providers as time goes on, one of which is expected to be Microsoft.
Following in Microsoft's footsteps with its monthly 'Patch Tuesday' approach to system security, Adobe said it will stick to a quarterly release schedule for security updates of its own.
"Based on feedback from our customers, who have processes and resources geared toward Microsoft’s “Patch Tuesday” security updates, we will make Adobe’s quarterly patches available on the same days. (Although our 3/10/09 and 5/12/09 security patches landed on Patch Tuesday, the timing was coincidental. In both cases, we shipped the patches as soon as we finished testing them.)," Brad Arkin, Adobe director of product security and privacy, wrote in a blog post.
In March, Adobe released a patch that fixed a critical vulnerability in Adobe Reader 9 and Acrobat 9 that would have allowed an attacker to gain complete control of a victim's PC. According to Arkin, this security hole led to the company's decision to implement scheduled security updates.