Security en Mozilla Moves Quickly to Plug Firefox Holes Disclosed at Pwn2Own <!--paging_filter--><h3><img src="" alt="Firefox" title="Firefox" width="228" height="219" style="float: right;" />Well, that was quick</h3> <p>The recently concluded Pwn2Own contest—a lucrative hacking competition held as part of the annual CanSecWest conference—<a href="" target="_blank">saw all four major internet browsers get their soft(ware) underbellies exposed</a>. <strong>Three of the ten browser bugs exposed at the two-day event were in Firefox</strong>, which emerged as the second-most pwned browser at the event behind Internet Explorer. But there’s one area where Mozilla has clearly left its competitors behind.</p> <p>Mozilla, it appears, scuttled to fix the bugs as soon as they came to light, with the rapidity ultimately helping it become the first vendor to fix vulnerabilities disclosed at the conference. Two days and as many minor updates is all it took for the open-source outfit to plug the said holes. </p> <p>The first point release (36.0.3) came on Friday and included a <a href="" target="_blank">fix for a bug in “Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT)</a> and its management of bounds checking for heap access.” The bug, which could have allowed an attacker to execute malicious code, was discovered by a hacker known only by their nom de guerre “ilxu1a.”</p> <p>Another minor release (36.0.4) came out a day later. It fixes what was yet another <a href="" target="_blank">critical vulnerability with the potential for arbitrary code execution</a>. 
Discovered by Mariusz Mlynski, this was a flaw in the processing of SVG (Scalable Vector Graphics) content navigation.</p> <p>This is what HP—a co-sponsor through its Zero Day Initiative (ZDI)—had to say about <a href="" target="_blank">Mlynski’s exploits</a>:&nbsp; “Mariusz Mlynski stepped up to Mozilla Firefox and knocked it out of the park through a cross-origin vulnerability followed by privilege escalation within the browser – all within .542 seconds. This allowed him to execute a logical flaw to escalate to SYSTEM in Windows and take home $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation.”</p> <p><em>Follow Pulkit on <a href="" target="_blank">Google+</a></em></p> browser firefox Mozilla pwn2own Security News Mon, 23 Mar 2015 07:34:44 +0000 Pulkit Chandna 29623 at All Four Major Browsers Hacked in Pwn2Own Contest <!--paging_filter--><h3><img src="/files/u69/hacking_0.jpg" alt="Hacking" title="Hacking" width="228" height="152" style="float: right;" />Not a single browser was left standing</h3> <p>Could the world use yet another browser? Sure, if security is at the forefront of your mind. <strong>At the annual Pwn2Own hacking contest that took place this week, Internet Explorer, Firefox, Chrome, and Safari all fell prey to remote code execution exploits</strong> by the second day. 
Not to make a mountain out of a mole hill, this isn't unusual, as every year hackers gather at CanSecWest's conference to show off their skills for prizes.</p> <p>Credit goes to JungHoon Lee (known online as lokihardt) for taking down a 64-bit build of Internet Explorer with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges, which netted him a prize bounty of $65,000.</p> <p>Lee then took out Chrome with a buffer overflow race condition, followed by an info leak and race condition in two Windows kernel drivers to get SYSTEM access, earning him the biggest payout in Pwn2Own history -- $75,000 for the Chrome bug and an extra $25,000 for the privilege escalation to SYSTEM, plus another $10,000 from Google for a total of $110,000. That worked out to $916 per second for his two-minute demonstration, <a href="" target="_blank">HP reports</a>.</p> <p>Before wrapping up work for the day, Lee hacked Apple's Safari browser using a use-after-free (UAF) vulnerability in an uninitialized stack pointer and bypassed the sandbox for code execution. His reward was $50,000, bringing his total for the day to $225,000.</p> <p>In all, researchers earned $442,500 in bounties over the course of two days.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> apple browser CanSecWest chrome firefox Google Internet Explorer microsoft Mozilla pwn2own safar Security Software News Fri, 20 Mar 2015 17:37:00 +0000 Paul Lilly 29618 at OpenSSL Readies Series of Updates to Patch Mystery Security Holes <!--paging_filter--><h3><img src="/files/u69/legos_hole.jpg" alt="Legos Hole" title="Legos Hole" width="228" height="136" style="float: right;" />Vague security bulletin is vague</h3> <p>Imagine being told that you're in danger for the next couple of days and that there's nothing you can do about it but sit tight and wait it out. 
Talk about suckage. Well, that's essentially what the OpenSSL Project just did, though there's a reason behind it. <strong>The OpenSSL Project announced plans to plug up several security holes</strong>, including one that's classified as "high severity," in a series of updates scheduled for March 19.</p> <p>Those security updates will be included in several new versions of OpenSSL -- 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf. They'll address a "number of security defects," though if you're wondering what they are, the <a href="" target="_blank">OpenSSL Project isn't saying</a>. We assume that's to keep black hat hackers in the dark while the group patches whichever vulnerabilities it found.</p> <p>Nevertheless, it's a bit unnerving to know there's a high severity OpenSSL security hole that will exist for the next couple of days, especially after incidents like <a href="">Heartbleed</a> caught the Internet at large with its pants around its ankles, and more recently <a href="">FREAK</a> (Factoring attack on RSA-EXPORT Keys). To say it's been a rough year for OpenSSL is an understatement.</p> <p>The good news here is that OpenSSL's security should significantly improve over time. 
Companies like Cisco and IBM, to name just two of several, are funding the <a href="" target="_blank">Core Infrastructure Initiative</a>, a $2 million per year project dedicated to supporting and auditing open-source projects like OpenSSL.</p> <p>Image Credit: <a href="" target="_blank">Flickr (Brian Rinker)</a></p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> openssl patch Security update News Tue, 17 Mar 2015 16:19:50 +0000 Paul Lilly 29599 at IBM Announces it will Reach $40 Billion in Annual Revenue by 2018 <!--paging_filter--><h3><img src="/files/u166440/ibm_logo.jpg" alt="IBM logo" title="IBM logo" width="200" height="200" style="float: right;" />"Strategic imperatives" will help reach this goal</h3> <p>Last year, we saw some interesting sales and investments by International Business Machines Corp. IBM had announced that it was selling off its <a title="IBM selling off chip business" href="" target="_blank"><span style="color: #ff0000;">chip business</span></a>, revealed plans to invest $3 billion for <a title="IBM to invest $3 billion in R&amp;D" href="" target="_blank"><span style="color: #ff0000;">semiconductor research and development</span></a>, and selling its <a title="IBM sells server business" href="" target="_blank"><span style="color: #ff0000;">x86-based server business</span></a> to Lenovo. Now, <strong>IBM is looking to reach an annual revenue of $40 billion</strong>.</p> <p>The high target was set by IBM executives at the company’s annual investor meeting that took place on Thursday in New York where IBM CEO Ginni Rometty announced the new long-term goal. 
Rometty expects the revenue to come from areas IBM has designated as “strategic imperatives” which includes the cloud, analytics, social, mobile, and security software.</p> <p>The $40 billion amount would represent around 44 percent of $90 billion in total revenue that analysts are expecting from IBM in 2018. Last year, the businesses that IBM is relying on to reach that target generated $25 billion in revenues which was 27 percent of the company’s $93 billion in sales. To help achieve its goal, IBM will be shifting $4 billion in spending to its “strategic imperatives” this year in order to hit $40 billion annual revenue by 2018.</p> <div>Do you think this is a feasible goal for IBM? Sound off in the comments below!</div> <p><em>Follow Sean on&nbsp;<a title="SeanDKnight Google+" href="" target="_blank"><span style="color: #ff0000;">Google+</span></a>, <a title="SeanDKnight's Twitter" href="" target="_blank"><span style="color: #ff0000;">Twitter</span></a>, and <a title="SeanDKnight Facebook" href="" target="_blank"><span style="color: #ff0000;">Facebook</span></a></em></p> 4 billion 40 billion cloud Ginni Rometty ibm mobile Security News Fri, 27 Feb 2015 22:00:58 +0000 Sean D Knight 29493 at Lenovo Faces Class Action Lawsuit Over Superfish <!--paging_filter--><h3><img src="/files/u69/lenovo_0.jpg" alt="Lenovo" title="Lenovo" width="228" height="170" style="float: right;" />No big surprise</h3> <p>Lenovo's been in <a href="">damage control</a> ever since <a href="">news broke</a> that it was installing a careless piece of adware called Superfish onto consumer laptops and desktops, but the court of public opinion isn't the only one it has some explaining to do. According to reports, <strong>a class-action lawsuit against Lenovo and Superfish was filed at the end of last week</strong> claiming "fraudulent" business practices.</p> <p>Let's backtrack a moment. 
Superfish came under scrutiny for a number of reasons, the least of which is that some users complained it would install on their systems upon first boot even if they declined the software. Furthermore, attempts to uninstall the software would leave behind a dangerous root certificate, which is the real issue.</p> <h3>New Information</h3> <p><a href="" target="_blank">According to <em>Ars Technica</em></a>, a company called Komodia is behind the dubious technology that allows Superfish to do what it does, which is hijack web searches in order to serve up ads. It uses a fake SSL certificate to do that, essentially a man-in-the-middle attack, leaving users susceptible to hackers. Komodia bundles a password-protected private encryption key to prevent hackers from creating websites to spy on users, but it took Errata Security CEO Rob Graham all of three hours to discover that the password is "komodia." Try not to give yourself a nosebleed from the obligatory facepalm.</p> <p>As time goes on, the list of applications that use the same SSL-hijacking technology as Superfish is <a href="" target="_blank">rapidly growing</a>. Facebook's security team alone has identified over a dozen applications other than Superfish using the same Komodia library.</p> <p>"Initial open source research of these applications reveals a lot of adware forum posts and complaints from people. All of these applications can be found in VirusTotal and other online virus databases with their associated Komodia DLL's. We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data," <a href="" target="_blank">Facebook says</a>.</p> <h3>Back to the Lawsuit</h3> <p>While the full extent of Komodia's "redirection SDK" continues to be investigated, Lenovo and Superfish are the two high-profile companies that are bearing the brunt of criticism. 
In the lawsuit, Plaintiff Jessica Bennett claimed her laptop was damaged by Superfish, which she refers to as "spyware" in court documents, and that Lenovo and Superfish invaded her privacy, <em>PCWorld </em>reports.</p> <p>The lawsuit is seeking unspecified damages from the two companies.</p> <h3>Removal Tool</h3> <p>Lenovo last week provided instructions on how to manually remove Superfish, including the root certificate that likes to stick around. In an updated statement over the weekend, Lenovo tells us it has now released an automated tool that will completely remove Superfish. You can find the tool (along with its source code) <a href="" target="_blank">here</a>.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> adware class action lawsuit lenovo malware Privacy Security Software Superfish News Mon, 23 Feb 2015 17:19:00 +0000 Paul Lilly 29459 at Lenovo Takes Heat for Installing Superfish Adware on Consumer Laptops <!--paging_filter--><h3><img src="/files/u69/lenovo_laptop_0.jpg" alt="Lenovo Laptop" title="Lenovo Laptop" width="228" height="150" style="float: right;" />World's top PC maker installed software that left customers susceptible to man-in-the-middle attacks</h3> <p>It's not too often that Lenovo gets dinged for making a bad decision. After all, Lenovo is the top supplier of PCs in the world, and it didn't get there through a series of mishaps. Nevertheless, <strong>Lenovo has come under fire for installing hidden software on its consumer laptop and desktop PCs that injects third-party ads on Google searches and websites</strong>. Even worse, Lenovo reportedly gave Superfish permission to issue its own security certificates, which allows it to hijack SSL/TLS connections to websites, also known as a man-in-the-middle attack.</p> <p>Superfish is intended to help consumers find and discover products by analyzing images on the web. 
The visual search tool could allow you to look up an item you've stumbled upon but might not know the name of, or to find similar products that are perhaps more affordable.</p> <p>Unfortunately, Superfish has been found to do more than it says. After users complained about it on Lenovo's forums, Lenovo social media program manager Mark Hopkins sought to extinguish the flames by telling users that Lenovo had removed the software, at least for now.</p> <p>"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," <a href="" target="_blank">Hopkins said</a>.</p> <p>He went on to defend the software and tout its merits, though didn't address complaints that it's injecting its own self-signed certificates and intercepting web traffic, behavior that was <a href="" target="_blank">confirmed on Twitter</a> by a security engineer at Google.</p> <p><a href="" target="_blank"><em>BBC News</em></a> spoke with security expert Prof Alan Woodward who described Superfish as being "like Google on steroids." 
He also said that people have shown it can intercept pretty much anything on the web.</p> <p>"If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be Bank of America and intercept whatever you are sending back and forth," Woodward said.</p> <p>Users do have the option of declining the software when firing up their laptop or desktop for the first time, though according to <a href="" target="_blank"><em>The Guardian</em></a>, some have complained that it installs anyway, and stays installed even if the software is uninstalled.</p> <h3>Update</h3> <p>Lenovo sent us the following statement on the matter:</p> <p style="padding-left: 30px;">Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:</p> <p style="padding-left: 30px;">1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.</p> <p style="padding-left: 30px;">2) Lenovo stopped preloading the software in January.</p> <p style="padding-left: 30px;">3) We will not preload this software in the future.</p> <p style="padding-left: 30px;">We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.</p> <p style="padding-left: 30px;">To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. 
It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.</p> <p style="padding-left: 30px;">We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detail information is available at <a href="" target="_blank"></a>.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> adware Hardware laptops lenovo malware notebooks OEM rigs Security Superfish News Thu, 19 Feb 2015 14:08:44 +0000 Paul Lilly 29444 at Security Researcher Warns of Vulnerability Affecting Several Netgear Routers <!--paging_filter--><h3><img src="/files/u69/wnr2500.jpg" alt="Netgear WNR2500" title="Netgear WNR2500" width="228" height="173" style="float: right;" />Vulnerability traces back to Netgear's Genie application</h3> <p><strong>A security researcher has discovered a vulnerability in several wireless routers made by Netgear</strong> that could give an attacker unauthenticated access, both locally and remotely. 
The vulnerability relates to a service that communicates with Netgear's Genie software, an accompanying program that provides a desktop (or mobile) dashboard so you can easily manage and monitor your router's settings and activity.</p> <p>Peter Adkins, the researcher who discovered the vulnerability, says the embedded SOAP service appears at first glance to be filtered, but is easily manipulated.</p> <p>"HTTP requests with a 'SOAPAction' header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a 'SOAPAction' header is sufficient to execute certain requests and query information from the device," <a href="" target="_blank">Adkins explains</a>.</p> <p>Since the SOAP service is implemented by the built-in HTTP / CGI daemon, it's possible for unauthenticated queries to be answered over the web, though only if remote management is enabled. If so, a "well placed HTTP query" is all that's required to interrogate and hijack an affected router, Adkins says.</p> <p>When Adkins contacted Netgear about the vulnerability, he was advised to email the company's support team, which he did.&nbsp; However, Netgear downplayed the issue and ultimately closed the support ticket, adding that there are built-in security issues that should keep the network secure.</p> <p>Adkins says he's confirmed the bug exists in Netgear's WNDR3700v4 (firmware v1.0.0.4SH and v1.0.1.52), WNR2200 (v1.0.1.88), and WNR2500 (v1.0.0.24). 
He also believes (but has not yet confirmed) it exists in at least four other models, including the WNDR3800, WNDRMAC, WPN824N, and WNDR4700.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> Hardware netgear networking routers Security wireless News Mon, 16 Feb 2015 13:52:45 +0000 Paul Lilly 29429 at Google Relaxes Project Zero Bug Disclosure Policy <!--paging_filter--><h3><img src="" alt="Google Project Zero" title="Google " width="228" height="95" style="float: right;" />Companies working on a fix can now apply for a 14-day grace period after 90-day disclosure deadline</h3> <p>The whole <a href="" target="_blank">fracas over Google Project Zero team’s disclosure of three Windows zero-day bugs</a> before Microsoft could fix them may now be old news, but it seems to have done enough to get the former to revisit its bug disclosure policy. Google’s bug hunters took to the official Project Zero blog on Friday to announce a <strong>number of key changes to their disclosure policy</strong>.</p> <p>While a large part of the <a href="" target="_blank">blog post</a> is dedicated to the importance of bug hunting and reporting programs having disclosure deadlines and how the outfit’s own 90-day deadline is “reasonably calibrated for the current state of the industry”, it ultimately concedes that Project Zero’s disclosure policy, as effective as it is (over 85% of bugs fixed within 90 days), could do with a few improvements. 
The outfit says it has “taken on board some great debate and external feedback around some of the corner cases for disclosure deadlines” and come up with a few policy improvements.</p> <p>The most notable of these policy updates is the provision of a 14-day grace period after the original disclosure deadline has expired: “If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” reads the blog post.</p> <p>And don’t you worry about Google having double standards (a <a href="" target="_blank">concern we raised</a> late last month): “As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.”</p> <p><em>Follow Pulkit on <a href="" target="_blank">Google+</a></em></p> apple disclosure Google microsoft OS X project zero team responsible disclosure Security Windows zero-day News Mon, 16 Feb 2015 09:31:28 +0000 Pulkit Chandna 29426 at Box EKM Gives Customers Their Own Set of Encryption Keys <!--paging_filter--><h3><img src="/files/u69/keys.jpg" alt="Keys" title="Keys" width="228" height="171" style="float: right;" />Chasing bigger customers and thwarting government requests for data</h3> <p><strong>Cloud storage provider Box is experimenting with a new security solution called Enterprise Key Management (EKM)</strong>. 
Currently available in beta, EKM adds another layer of security that it hopes will attract big businesses in regulated industries like banking and finance, healthcare, and so forth. There's also a benefit for customers who want to make it more difficult for the government to get their hands on data.</p> <p>"Industries like finance, government, legal and healthcare are facing a new set of challenges when it comes to establishing control over their content – and who can access it – without hindering collaboration and productivity," <a href="" target="_blank">said Aaron Levie</a>, co-founder and CEO, Box. "With Box EKM, we’ve removed the final barrier to cloud adoption for industries that require the highest levels of protection over their information."</p> <p>The effort is a joint collaboration with Amazon Web Services (AWS) and Gemalto. For customers who sign up for the service, Box will work with them to provision hardware security modules (HSMs) made by SafeNet and provided by Gemalto in both AWS and their own data center. The customers manage these HSMs, while Box is connected to them via a secure and dedicated connection.</p> <p>From there, files that are uploaded get encrypted with a unique encryption key for each version of the file, just as Box currently does for all customers. What's different for EKM customers is that Box sends the key to their HSM, which is then encrypted with the customer's own key.</p> <p><img src="/files/u69/box_ekm.jpg" alt="Box EKM" title="Box EKM" width="620" height="427" /></p> <p>EKM customers effectively gain complete control over who can and can't access their data. Even Box can't get to it, so if the government comes knocking with a data request, Box's hands are tied.</p> <p>To be clear, this is a play for big business, not home consumers. 
But if it works as advertised, this could eventually trickle into the consumer space.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> Amazon Web Services aws box cloud ekm encryption gemalto Security storage News Thu, 12 Feb 2015 14:15:20 +0000 Paul Lilly 29417 at Let Google Check Your Account Security and Receive 2GB of Drive Storage <!--paging_filter--><h3><img src="/files/u69/stethoscope.jpg" alt="Stethoscope" title="Stethoscope" width="228" height="276" style="float: right;" />Easier than a trip to the doctor</h3> <p>Free storage is out there for the taking. Earlier today we told you about Microsoft's desire to reward you with <a href="" target="_blank">100GB of free OneDrive storage</a> simply for signing up for Bing Rewards. Well, it turns out Google is in a giving mood as well, just to a lesser extent -- <strong>in recognition of today being Safer Internet Day, Google will inflate your Drive storage by 2GB just for taking a quick security checkup</strong>.</p> <p>It's a quick and painless procedure that Google says will take you 2 minutes to complete, though when I ran it, I was finished in about 30 seconds -- I needed to verify the phone number associated with my main account. The checkup also gives you a chance to view your recent activity for anything suspicious, as well as disable access for less secure apps and double-check your account permissions.</p> <p>"While everything stored in Drive is always encrypted in transit and at rest in Google’s custom-built data centers, this checkup ensures you’re making the most of the 24/7 protection you already get from Google. 
As our way of saying thanks for completing the checkup by 17 February 2015, we’ll give you a permanent 2 gigabyte bump in your Google Drive storage plan," <a href="" target="_blank">Google says</a>.</p> <p>You can run the checkup tool at any time, something Google advises doing every so often just to make sure there's no funny business going on.</p> <p>Ready to give it a go? Just <a href="" target="_blank">click here</a>.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> cloud drive Google Security storage News Tue, 10 Feb 2015 19:42:58 +0000 Paul Lilly 29409 at Google Adds Remote Lock Feature to Chromebook for Admins <!--paging_filter--><h3><img src="/files/u69/chromebook_disabled_message.jpg" alt="Chromebook Disabled Message" title="Chromebook Disabled Message" width="228" height="181" style="float: right;" />Now admins can disable a stolen Chromebook</h3> <p>Well, this was a long time coming. As Chromebooks grow in popularity, so does the risk of one being stolen -- it's just a numbers game, really. It sucks if that happens, but on the bright side, <strong>Google has issued an update that will finally allow admins to place lost or stolen Chrome OS devices in a disabled state</strong>. They can flip the switch right from their web-based management console.</p> <p>They can also input a custom message to be displayed on the disabled device's screen. That could come in handy if you think the system's been lost rather than stolen, allowing you to put a "Reward if found" message or something to that effect. Or if it's stolen, "I know where you live -- return this laptop within 24 hours and I'll spare your pets."</p> <p>Google's François Beaufort announced the new feature on his <a href="" target="_blank">Google+ page</a>, and also linked to a related <a href="" target="_blank">support document</a>. 
Clicking through reveals some additional information, including the fact that the new feature requires the device to be running Chrome version 40 or later.</p> <p>Once you enable the feature, any user that's signed in gets signed out and taken to the device disabled page. Once that page is displayed, the user can't sign back in, and it will stay in that state until an admin re-enables or deprovisions the device. It also returns licenses associated with the device to the license pool while disabled, and removes the serial number from the default ("Provisioned") view.</p> <p><em>Follow Paul on <a href="" target="_blank">Google+</a>, <a href="!/paul_b_lilly" target="_blank">Twitter</a>, and <a href="" target="_blank">Facebook</a></em></p> chromebook Google laptop notebook remote lock Security News Fri, 06 Feb 2015 19:32:49 +0000 Paul Lilly 29386 at Researchers Warn of Zero Day Vulnerability in Internet Explorer 11 <!--paging_filter--><h3><img src="/files/u69/ie_logo_0.jpg" alt="IE Logo" title="IE Logo" width="228" height="227" style="float: right;" />Hackers have a new security hole to go phishing in</h3> <p><strong>If you use Internet Explorer 11, be aware that researchers have discovered a zero-day vulnerability</strong> that could allow attackers to change content on domains remotely. The exploit could also allow hackers to inject malicious content in browsers, steal personal data, and track your online movements. That's the bad news. And the good? You're unlikely to fall prey to such an attack, according to Microsoft.</p> <p>"To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they've created," Microsoft said in a statement sent to <a href="" target="_blank"><em>The Inquirer</em></a>. 
"SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites."</p> <p>Microsoft also said that it's not aware of the vulnerability being actively exploited at this time, and that it's working on a fix, which it will dole out in a future update. However, the Redmond outfit didn't provide a time table for the fix.</p> <p>Security firm Symantec weighed in with a statement of its own, saying that it too was unaware of the vulnerability being exploited in the wild. However, it also warned of the exploit's potential for harm, saying it "could allow an attacker to bypass the same-origin policy in order to steal from, and inject information into, other websites."</p> <p>David Leo, the researcher at Deusen who <a href="" target="_blank">discovered the flaw</a>, provided an example of how the vulnerability works. By exploiting the vulnerability, he's able to inject content that reads "Hacked by Deusen" into the <em>Daily Mail's</em> website seven seconds after opening the webpage.</p> <p>To see for yourself, fire up IE11 and click <a href="" target="_blank">here</a>. Close the popup window after three seconds, as it instructs, and then click Go. 
This will open the <em>Daily Mail</em> website, and after seven seconds, you'll see the Hacked by Deusen message.</p> <p>The zero-day vulnerability affects Windows 7 and Windows 8.1 users.</p> browser ie11 internet explorer 11 Security Software vulnerability zero-day News Fri, 06 Feb 2015 16:37:27 +0000 Paul Lilly 29385 at
Google Explains Decision to Leave 930 Million Android Handsets Unpatched <h3><img src="/files/u69/android_builds.jpg" alt="Android Builds" title="Android Builds" width="228" height="171" style="float: right;" />Don't expect a patch for WebView in pre-KitKat Android devices</h3> <p>If you own an Android handset running a version of the open source operating system that predates Android 4.3 KitKat, you won't be the recipient of a patch for WebView, a component of Android that developers use to display web content in their apps. WebView is also the backbone of Android's built-in browser in all versions up to KitKat. Nevertheless, <strong>Google won't spend time plugging up any security holes for WebView in older Android devices because it's "no longer practical."</strong></p> <p>That may seem like sour grapes to anyone who owns one of the more than 930 million pre-KitKat Android devices in the wild, especially since researchers recently discovered a new vulnerability in WebView. Regardless, once notified of the bug, Google made it clear that no patch was coming. More recently, the company offered up an explanation as to why.</p> <p>"Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier," Andrew Ludwig, Google's lead engineer for Android security, <a href="" target="_blank">said in a Google+ post</a>. 
"But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."</p> <p>In contrast, Ludwig says that one of the improvements in KitKat is that OEMs can quickly deliver updates of WebView provided by Google, and in Android 5.0 Lollipop, those updates are delivered through Google Play, so OEMs can wipe their hands of them completely.</p> <p>"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig added.</p> <p>So, what can you do if you own an older Android device to avoid being a sitting duck? Ludwig recommends using an alternative browser, one that's updated through Google Play. There are various options, including Chrome (supported on Android 4.0 and up) and Firefox (supports Android 2.3 and up).</p> <p>Image Credit: <a href="" target="_blank">Flickr (Travis Wise)</a></p> android Google mobile Security Software WebView News Mon, 26 Jan 2015 16:00:12 +0000 Paul Lilly 29311 at
Oracle Plugs 167 Critical Security Holes Pertaining to Hundreds of Products <h3><img src="/files/u69/oracle_plane.jpg" alt="Oracle Plane" title="Oracle Plane" width="228" height="163" style="float: right;" />Fixes for vulnerabilities in 48 different products</h3> <p><strong>Oracle today rolled out a Critical Patch Update for the month of January 2015,</strong> which contains fixes for 167 vulnerabilities found in hundreds of the company's products. 
The most severe of these received a score of 10.0 on the Common Vulnerability Scoring System (CVSS), the highest score available -- they pertain to Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite, and M10-4S Servers of Oracle Sun Systems Products Suite.</p> <p>"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," Oracle stated in a <a href="" target="_blank">pre-release announcement</a>.</p> <p>Of the 19 security fixes for Java SE, 14 of the vulnerabilities may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password, Oracle said. And of the 29 security fixes for Sun Systems Products Suite, the same goes for 10 of them.</p> <p>However, it was Fusion Middleware that received the most attention. Oracle included 35 new security fixes for Fusion Middleware, 28 of which may be remotely exploitable without authentication.</p> <p>Image Credit: <a href="" target="_blank">Flickr (D. 
Miller)</a></p> Java oracle patch Security Software sun News Tue, 20 Jan 2015 17:56:55 +0000 Paul Lilly 29282 at
Batman and Superman Infiltrate List of 25 Worst Passwords <h3><img src="/files/u69/splashdata.jpg" alt="SplashData" title="SplashData" width="228" height="153" style="float: right;" />Use a super hard password to guess, not a superhero</h3> <p>Dark Helmet <a href="" target="_blank">warned viewers</a> way back in 1987 that 1-2-3-4-5 is the kind of combination only an idiot would have on his luggage, yet nearly three decades later, it ranks number three on <strong>SplashData's list of the 25 worst passwords of 2014</strong>, which takes into account the most commonly used combinations from 3.3 million leaked passwords last year. In 2013, it ranked number 20.</p> <p>It's hard to know what to make of SplashData's list. On one hand, our knee-jerk reaction is to feel depressed that so many people are using such easy-to-guess passwords to lock down their accounts, especially with how hyperactive the hacking community has become. But at the same time, we wonder how many of these passwords represent one-time use accounts, where a user is simply registering with a bogus email and password combination to access an article.</p> <p>Either way, there's reason to be somewhat optimistic.</p> <p>"The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2 percent of passwords exposed. 
While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies," <a href="" target="_blank">noted Mark Burnett</a>, online security expert and author of Perfect Passwords.</p> <p>Here's a look at the full list:</p> <ol> <li>123456 (unchanged from 2013)</li> <li>password (unchanged)</li> <li>12345 (up 17)</li> <li>12345678 (down 1)</li> <li>qwerty (down 1)</li> <li>1234567890 (unchanged)</li> <li>1234 (up 9)</li> <li>baseball (new)</li> <li>dragon (new)</li> <li>football (new)</li> <li>1234567 (down 4)</li> <li>monkey (up 5)</li> <li>letmein (up 1)</li> <li>abc123 (down 9)</li> <li>111111 (down 8)</li> <li>mustang (new)</li> <li>access (new)</li> <li>shadow (unchanged)</li> <li>master (new)</li> <li>michael (new)</li> <li>superman (new)</li> <li>696969 (new)</li> <li>123123 (down 12)</li> <li>batman (new)</li> <li>trustno1 (down 1)</li> </ol> <p>There are quite a few new entries to the list, including a pair of comic book superheroes -- Batman and Superman, both DC Comics fare.</p> <p>SplashData says many of the remaining passwords in the top 100 list include swear words and phrases, hobbies, famous athletes, car brands, and film names.</p> Password Security splashdata News Tue, 20 Jan 2015 16:43:28 +0000 Paul Lilly 29280 at