If you've purchased a digital photo frame from Amazon recently, it's in your best interest to pay attention to any emails originating from Amazon Customer Service. That's because the online e-tailer has been warning its customers that one of Samsung's digital frames, specifically its SPF-85H 8-inch unit, ships with a little something extra.
"We have recently learned that Samsung has issued an alert affecting its SPF-85H 8-Inch Digital Photo Frame," Amazon writes. "The alert concerns discovery of the W32.Sality.AE worm on the installation disc SAMSUNG FRAME MANAGER XP VERSION 1.08, which is needed for using the SPF-85H as a USB monitor."
Vista owners and those running a different Frame Manager version aren't affected by the worm, Samsung says. For those that are affected, Samsung advises removing the worm using Norton Internet Security 2009, uninstalling Frame Manager 1.08, and then updating to Frame Manager XP 1.082.
This isn't the first time malware has made its way onto digital picture frames. Earlier in the year, some Insignia units sold at Best Buy were found to contain a Trojan Horse payload, with reports claiming several other vendors, such as Sam's Club, Target, and Costco, were also selling infected digital frames.
Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,
The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.
So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.
"In our world of customized online services, responsible use of data is critical to establishing and maintaining user trust," said Anne Toth, Yahoo!'s Vice President of Policy and Head of Privacy. "We know that our users expect relevant and compelling content and advertising when they visit Yahoo!, but they also want assurances that we are focused on protecting their privacy."
The new limit puts Yahoo well ahead of its competition. Earlier this year, Google reduced its data retention time frame from 18 months to nine months, and Microsoft vowed to cut its data retention policy to six months if its rivals did the same.
Yahoo will begin implementing the new policy next month and says it will be effective across all of the company's services by the middle of 2010.
Could it be possible that legitimate email messages only account for 10 percent of all email? According to the Cisco 2008 Annual Security Report, the answer is 'yes.' The report claims that nearly 200 billion pieces of spam are sent and received every day, accounting for 90 percent of the world's email. Making the influx of spam messages possible are armies of hijacked computers, Cisco says.
"Every year we see threats evolve as criminals discover new ways to exploit people, networks, and the internet," said Cisco chief security researcher Patrick Peterson. "The botnet is, in many cases, ground-zero for online criminal threats."
Cisco points to the United States as by far the biggest source of spam, accounting for 17.2 percent of the messages. Turkey came in second at 9.2 percent, and Russia ranked third accounting for 8 percent.
What's most striking is that spam volumes have nearly doubled in 2008 compared to 2007. This despite a handful of recent busts by the FTC on various spam rings, which appear to have done nothing when looking at the overall picture. And because spammers "rarely use computers in their physical possession, instead renting or building botnets," the FTC will continue to fight an uphill battle until security improves across the board. Don't hold your breath.
Once again, Internet Explorer (aka "Internet Exploder") has been attacked through a "zero-day" remote code execution vulnerability. That might not seem like MaximumPC.com-worthy news, except for two factors: the flaw is affecting thousands of websites, and this time, it isn't just Firefox fans who are saying "time to switch browsers, already!" - security experts at Trend Micro, the Spamhaus Project, and the UK's PC Pro magazine are all recommending making a switch, according to the BBC. And here's why:
The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.
Switching Browsers? Choices Abound!
Attacks against IE7 have been verified, but all versions of IE (including IE 8 Beta 2) have the same underlying vulnerability; a vulnerability not present in IE's competitors (Firefox, Opera, Chrome, and Safari). Switching browsers makes sense for most web surfing, but, alas, some websites and (of course) Windows Update and Microsoft Update for Windows XP won't work with anything but IE.
Redmond Readies Security Update
Since the vulnerability was detected on December 10th, Microsoft code jockeys have been working hard to patch the flaw (Redmond doesn't want you to switch, naturally, and given the way that IE and Windows work together, a broken IE isn't good for anybody), and a patch will be available tomorrow (December 17th) for all versions of IE from 5.01 up, applying to all versions of Windows and Windows Server from Windows 2000 on up. It's rare for Microsoft to perform a security update between Patch Tuesdays, but when a "Critical" vulnerability (the most dangerous category of vulnerability) is discovered, there's no time to waste.
If you must use IE and you're looking for workarounds until you can get the update, join us after the jump for details.
Earlier this year, researchers for Finjan, a web security firm, said that stolen bank data had become "commoditized," with items like PIN codes and credit card information fetching only a fraction of what they used to pull in. Now Finjan warns of an impending "sharp rise [in cybercrime] in 2009 due to the current economic downturn, which makes financial gain from stealing data and selling online even more attractive."
Finjan's report (PDF) notes that cybercrime evolved into a "booming global business" in 2008, and points out an early trend of unemployed IT personnel boosting their income by using crimeware toolkits sold by professional hackers. Finjan says the trend is only the beginning, and that as layoffs rise in 2009, so too will cybercrime, both in the number of attacks and their severity.
But not everyone is convinced of Finjan's gloom and doom future. ArsTechnica points out that Finjan's sources are up for interpretation, including a November 19 Forbes article cited in the PDF report. According to ArsTechnica, the Forbes article "doesn't really provide a solid foundation for Finjan's statement. While the piece does take note of various trends, occurrences, and vibrations in the malware market, the author notes that the data 'remains largely anecdotal.'"
One of the advantages with Firefox that has helped it move up in market share is the perception of a more secure browser over Microsoft's Internet Explorer. Whether or not IE has managed to level the security playing field is a topic for another post, but there's at least one new piece of malware specifically designed to go after just Firefox users.
"Trojan.PWS.ChromeInject.A filters data sent by the user to over 100 online banking websites," BitDefender warned in a press release. "The banking websites include: bankofamerica.com, chase.com, halifax-online.co.uk, wachovia.com, paypal.com, and e-gold.com."
Once the malware identifies one of the websites, it records the user's login information and forwards it along to a server in Russia, and not for safe keeping.
Talk to any Mac-inite and he'll tell you how secure his Mac is compared to your Windows-based PC. And admittedly, he's right. But is it because Mac OS X is inherently more secure than Windows, or do virus writers simply not give a damn when there are so many Windows users to target? Justin Long doesn't say, and instead insinuates that Mac users needn't worry about malware - see for yourself.
In what might be an ironic twist, Apple's ad campaign has helped Macs increase their market share and potentially drawn attention to the platform as a viable target. For the first time ever, Apple is telling its users to install antivirus software.
"Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult," Apple posted on its support site.
But don't take that to mean that Apple suddenly thinks its operating system is fraught with security holes. As Dave Marcus, director of security research and communications at McAfee, points out, malware is targeting data and not a specific OS. Vulnerabilities in Flash and the Safari web browser, for example, have given rise to non-OS attacks.
Earlier in the week, reports of a supposed newly discovered Gmail vulnerability started making the rounds on the web. The proof of concept was first posted on GeekCondition.com and showed how a hacker, with a bit of effort and persistence, could potentially infiltrate a user's Gmail account, create a malicious filter to forward emails to the hijacker, and top it off by stealing any domains the victim may have registered. But is the proof of concept truly indicative of a security flaw in Gmail?
While it's true that there have been users affected by the scheme, Google says the root cause has more to do with phishing than it does with Gmail.
"With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information," Google wrote in a blog post. "Attackers sent customized emails encouraging web domain owners to visit fraudulent websites such as 'google-hosts.com' that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline."
As is often the case when it comes to security issues, a combination of common sense and safe computing habits remains your best defense.
Your data means a lot to you, and Lenovo is looking to add one more layer of security to it with its latest concoction – a remote disable that you activate using a text message. The system, called Lenovo Constant Secure Remote Disable, will be rolling out as early as 2009.
The remote disable allows anyone with a lost or stolen laptop to simply send a text message that will completely lock down the computer. According to Stacy Cannady, Lenovo’s Product Manager of Security, the computer waits to be turned on by the would-be thief, then locks itself down and uses this time to encrypt the hard drive. Once the machine is recovered all it takes is a “resurrection” password to completely unlock the whole thing.
According to Cannady, “The limitation here is that you have to have a WAN card in the PC and you must be paying a data plan for it. If that is true, when someone steals the PC, you can whip out your cell phone and send a message to your PC, wherever it is, and when the PC gets that message, it will shut off at that moment. The only way to get it back is to type in the resurrection code.”
Now, let’s just hope that once this technology comes full circle to the Twitter-using public, they don’t get the two mixed up!