Business executives will soon be able to view porn without fear of mucking up their system with malware, and they'll have HP, Mozilla, and Symantec to thank for it. The three-pronged team has set out to create what HP calls the Firefox Virtual Browser, which will appear on the upcoming HP Compaq dc7900 business desktop.
If the concept of a virtual browser sounds familiar, it's because these solutions already exist outside of the OEM realm, some of which have been covered in your favorite computer magazine (assuming Maximum PC is your favorite rag). Like Trustware's BufferZone, the Firefox Virtual Browser consists of a virtual layer independent from the operating system. This sandbox approach means that any downloaded cruft that manages to spread its contaminants stays contained and can easily be undone by simply emptying the virtual environment.
"What we have created is a virtual layer where your browser runs and all the downloads, all the clicks, all the cookies and everything is placed within...a virtualized run-time environment," explains Kirk Godkin, HP senior product manager for business PCs. "With the browser, the user only has to click the mouse and it will reset the browser to its original state and all their favorites will remain the same."
Godkin went on to say that the virtual browser will eventually spread to all of HP's corporate desktops by the end of November, but didn't say whether or not HP is also working with Microsoft on a similar option for Internet Explorer.
Two researchers, Alex Pilosov and Anton Kapela, have concocted a technique to exploit the Border Gateway Protocol (BGP), the internet’s core routing protocol. They demonstrated their technique at the DefCon hacker conference in Las Vegas. The threat emanates from the innate credulity of the routing protocol: BGP apparently is designed to trust all nodes and can be exploited to redirect insane volumes of internet traffic to malevolent networks.
It can be used for spying at a truly unprecedented scale. No, we are not talking about stalking someone on Facebook but nation-state espionage. Millions of users can be exposed within moments of such an attack. A few solutions have already been propounded, but ISPs seem to be watching quietly from the sidelines.
The past few months we've watched SSDs gain momentum and attract the focus of both manufacturers and consumers. From larger capacities to faster performance, traditional hard drives suddenly find themselves on the verge of obsolescence. Or do they?
One of the biggest concerns surrounding SSDs continues to be long-term reliability, but there might even be a bigger stumbling block. Because many SSDs use industry-standard NAND flash chips designed for handheld gadgets, physical security becomes a potential issue. Jim Handy, director of semiconductor research and consulting firm Objective Analysis, points out there's nothing to prevent a hacker from unsoldering NAND chips from an SSD and extracting the data using a flash chip programmer. "There's really nothing sophisticated about this process," Handy said.
But that's not the only method. A hacker could use an ultraviolet laser to wipe out lock bits (encryption locks) from the on-chip fuses that secure SSDs. The data can then be read without any special software.
Is Jim Handy right to be concerned? Hit the jump to post your thoughts.
Some Linux users are getting a feel for what it's like to be one of the Windows faithful, as the open source community looks to be under siege. The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for "active attacks" against Linux-based infrastructures using compromised SSH keys.
Specifics remain scarce, but the attacks appear to use stolen SSH keys to gain access to a system, after which time the attacker uses local kernel exploits to gain root access and install a rootkit called phalanx2.
"Phalanx2 appears to be a derivative of an older rootkit named 'phalanx'. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site."
The US-CERT has outlined ways Linux users can reduce the risk of attack, as well as what steps should be taken if a compromise is already confirmed.
With the exception of a Celine Dion concert, nothing sucks more than having your laptop stolen. Not only is there the physical cost of the notebook to consider, but there goes all your saved and private data into the hands of a crook. To help deal with this type of harrowing situation, LoJack offers a service for laptops that, once installed, will track your notebook anytime it's able to detect an internet connection. Even better, the software comes pre-installed in most BIOSes, so once activated, it will still be able to dial home even if the hard drive is reformatted or swapped out altogether.
That's well and fine, but according to a team of computer scientists at the University of Washington, your privacy could still be at risk by relying on a third party to handle your security. To alleviate this concern, the team has come up with an open-source alternative called Adeona, named after the Roman goddess of safe returns. With Adeona, the developers say users can install the software themselves without the help of a corporate intermediary. The service is said to work much like LoJack does (minus the BIOS integration), except that it's up to the user to track their stolen notebook. And best of all, it's free.
Which would you prefer - taking security into your hands, or ponying up a fee for professional assistance? Sound off below.
It's a super-sized Patch Tuesday this month, and here's what to expect Windows Update to be sending you in the next day or so (if not already). Follow the links if you prefer to install the updates immediately.
Critical updates include:
A fix for a remote code execution vulnerability in Windows Image Color Management affects users running Windows XP, Windows Server 2003, and Windows 2000 SP4 (Windows Vista users can breathe easy on this one).
A fix for a sextet of vulnerabilities in Internet Explorer 5.01, 6, and 7 affects users of Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003, Windows Vista, and Windows Server 2008.
A fix for a remote code execution vulnerability in the ActiveX control for Microsoft Access's snapshot viewer affects Office 2000 SP3, Office XP SP3, and Office 2003 SP2 and SP3 (Office 2007 users, you ducked this one).
As we told you last week, Microsoft rolled out two new security programs, Microsoft Active Protections Program and Microsoft Exploitability Index, during the Black Hat USA 2008 Conference. Unfortunately for Microsoft, the same conference saw a presentation by security experts Mark Dowd and Alexander Sotirov that renders these and other protections for Windows Vista, including its much-touted Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) features, effectively null and void.
How did they do it? The full presentation (available here in PDF format) is quite technical, but here's the short version, according to SC Magazine:
In explaining the problem, the researchers said that most memory protection mechanisms are based on two things: detecting corruption and stopping common exploit patterns, and attempts to reinforce these are integral to Vista. But in many cases, some of the built-in protection mechanisms in Vista are not enabled by default for compatibility reasons.
“At the desktop level, compromises had to be made because of compatibility issues. Exploiters have a lot more control over browsers,” Sotirov said.
And in many cases, third-party applications are not compiled to use the Vista memory protections. For example, Java and Flash are not compiled using the critical protection called ASLR.
What can be done? My take: Microsoft needs to rethink the balance of compatibility versus protection, do a better job of informing users of what's protected and what's not, and get third-party application vendors to take advantage of the protection features in Vista. What about ordinary users like us? Watch out for compromised legitimate websites, and, as always, as our own Will Smith says, think before you click.
What's your take on Vista and other browser security issues? See us after the jump for your chance to sound off.
Power users know how critical it is to change their passwords often and to avoid using easily guessed characters. Creating a login for your bank account based on your first born's birth date is a good way to share your financial information with anyone who cares to look, and the best passwords are the ones that contain a random mixture of letters and numbers. But is it enough?
An article in the New York Times points out that all password-based log-ons are susceptible to being compromised in any number of ways, and they're right. We're constantly warning users against falling for phishing schemes, and new forms of malware have become so adept at sneaking past common security fronts that a host of vendors have begun looking at new ways of dealing with the latest threats (see Internet Security 2.0 in Maximum PC's February 2008 issue, or download the PDF).
Hit the jump to see why security experts are now saying we should abandon passwords altogether.
Gamers have enough trouble trying to come up with a game plan to beat pesky end bosses and single-handedly defeat armies of mutant soldiers. Saving often gives gamers an endless advantage and cheat codes can help in a pinch, but neither of these tactics will do any good against an increasing number of real-life threats in the online gaming scene.
More than just an annoyance, time spent in virtual worlds like Second Life can translate into real currency, and it's attracted the attention of organized criminal gangs. According to security software vendor ESET (best known for its NOD32 Antivirus products), "high volumes of malware intended to steal passwords for online gaming and virtual worlds" have been detected since 2007, resulting in a "dramatic upsurge."
The alarming news comes courtesy of ESET's mid-yearly Global Threat Report, which focuses on broad trends in malware over the past six months. In addition to an upsurge in attacks against gamers, ESET notes that malicious software that tries to use the Windows Autorun facility to self-install from removable media continues to flourish.
On the opposite end of the spectrum, the company reports email-bound malware is in "dramatic decline," at least when it comes to dirty attachments. Malicious URLs passed through email messages have taken the place of attachments.
MAPP provides advance notification to third-party security providers of vulnerabilities that are being addressed by Microsoft security updates, such as the ones rolled out each month on "Patch Tuesday." MAPP is designed to help stop exploits that are launched between the announcement of upcoming patches and the availability of patches. MAPP starts in October, according to eWeek.
Security providers can learn more about MAPP by downloading the fact sheet (MS Word 97-2003 format). For additional insight from a former military and government security specialist who now works for Microsoft, see Steve Adegbite's blog entry about MAPP.
The Microsoft Exploitability Index will provide ratings of how likely each vulnerability is to be successfully exploited. The index will rate each vulnerability at one of three levels:
Consistent exploit code likely
Inconsistent exploit code likely
Functioning exploit code unlikely
Microsoft's fact sheet suggests (MS Word 97-2003 format) that vulnerabilities with the "Consistent" rating should be treated as the most serious threats, followed by the others. To get more insight into the need for this index, see Microsoftie Mike Reavey's blog entry (Reavey is part of the Microsoft Security Response Center). The index will be included with each new security bulletin, also starting in October.
For your chance to sound off about Microsoft's newest security initiatives, see us after the jump.