The PC Informant » Security

Firefox security hole

Vic Laurie — Sat, 20 Mar 2010 02:11:50 +0000

This time it’s the Firefox browser with a security vulnerability. No details have been released so I don’t know what sort of problem it is. See Gregg Keizer at Computerworld for more information.

Facebook malicious spam attack

Vic Laurie — Thu, 18 Mar 2010 17:07:34 +0000

Security software vendor McAfee says that Facebook users are being subjected to a massive malicious spam attack. InfoWorld reports:

Facebook’s 400 million users have been targeted by a spam run that could infect their computers with malicious software designed to steal passwords and other data, according to security researchers at McAfee.

Over the last two days, millions of messages have been sent, which McAfee detected through customers running the company’s security software, said Dave Marcus, McAfee’s director of security research and communication.

Adobe PDF Reader is a target

Vic Laurie — Fri, 12 Mar 2010 10:22:38 +0000

It has often been noted here that Adobe PDF Reader/Acrobat has security problems. There has been one security hole after the other reported. Unfortunately, Adobe has often been slow to patch these holes after they have been publicly disclosed. Since Adobe Reader is on a large majority of PCs, this has presented malware writers with a great target. A previous post reported that PDF files were a major carrier of malware in 2009. Now F-Secure reports that the first two months of 2010 had even more attacks targeted at Adobe Reader. Microsoft Office files were the next biggest target. The figure from F-Secure below shows how the numbers have changed over the last two years with Adobe reader attracting a larger and larger number of attacks:

Unpatched security hole in IE6 and IE7

Vic Laurie — Tue, 09 Mar 2010 23:49:37 +0000

Microsoft has warned of another as yet unpatched security problem in Internet Explorer 6 and 7 (but not IE8).

Creating strong passwords

Vic Laurie — Tue, 09 Mar 2010 10:05:49 +0000

One of the first lines of defense against hackers is the use of strong passwords for Internet logins. However, as numerous posts have noted, many continue to use really weak combinations that are no barrier whatever to hackers. The temptation to use easily remembered passwords is understandable but perilous and there are schemes to help construct stronger passwords that we can still remember. For example, MakeUseOf outlines a way to create robust passwords that can be remembered. One way or the other, be sure to use passwords that are hard to crack.

Too many patches

Vic Laurie — Fri, 05 Mar 2010 09:01:08 +0000

The present way of dealing with security on the Internet just doesn’t work. A major flaw is that the system is predicated on an assumption that the average PC user is savvy about how Windows and the Internet work and is conscientious about keeping his or her computer up to date. This is patently false. The contrary evidence is overwhelming but the tech industry keeps hiding its head in the sand. However, at least one security company, Secunia, is pointing at one broken part of the security system- the way software patches are distributed. At Computerworld, Gregg Keizer reports:

The typical home user running Windows faces the “unreasonable” task of patching software an average of every five days, a security and vulnerability research company said today.

“It’s completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching,” said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.

Federal government releases some details of cybersecurity

Vic Laurie — Wed, 03 Mar 2010 17:19:09 +0000

The Wall Street Journal reports:

The Obama administration lifted the veil Tuesday on a highly-secretive set of policies to defend the U.S. from cyber attacks.

It was an open secret that the National Security Agency was bolstering a Homeland Security program to detect and respond to cyber attacks on government systems, but a summary of that program declassified Tuesday provides more details of NSA’s role in a Homeland program known as Einstein.

The current version of the program is widely seen as providing meager protection against attack, but a new version being built will be more robust–largely because it’s rooted in NSA technology. The program is designed to look for indicators of cyber attacks by digging into all Internet communications, including the contents of emails, according to the declassified summary.

Microsoft proposes quarantine and tax to fight botnets

Vic Laurie — Wed, 03 Mar 2010 16:34:14 +0000

There’s been a big meeting on security going on in San Francisco. It’s the RSA Security Conference and Microsoft Vice-President Scott Charney gave a keynote address with some new proposals for increasing security on the Internet. CNET reports on a quarantine suggestion:

–In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft’s corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.

In a follow-up interview afterward, Charney elaborated on his vision for reducing the damage from botnets and explains how infected computers should be kept off the Internet just like doctors quarantine sick people and smokers are restricted as to where they can light up in public.

Charney also proposed an Internet tax to pay for cleaning up infected computers. Personally, I think Microsoft itself bears a lot of the responsibility for the security mess. I agree with Sebastian Rupley, who posted at GigaOM:

Microsoft Vice President for Trustworthy Computing Scott Charney today at the RSA conference in San Francisco proposed an Internet usage tax to fight malware infections and the effects of botnets. But do users at large really need to pay for one of Microsoft’s own most costly problems?

Added later: Adrian Kingsley -Hughes also thinks that Microsoft’s suggestion that we all be taxed to pay for Windows problems deserves a Bronx cheer:

Where does this idea come from that we should all have to chip in to fight this war of botnets? It’s safe to say that the majority of these botnet systems are Windows-based systems (I’m pegging this number at close to 99% of the botnet PCs). Let’s also not forget that Microsoft has gone out of its way to create a monoculture where one OS dominates, through legal and illegal methods. So the idea that we should now all pay to solve a problem that Microsoft not only wanted to create, but made billions of dollars in the process is frankly a ridiculous idea.

Right on, Adrian.

Windows MS10-015 security patch re-issued

Vic Laurie — Tue, 02 Mar 2010 20:43:41 +0000

The security patch that caused trouble in systems that had a rootkit has been updated. See the Microsoft Security Response Center post for details.

Beware fake Microsoft security software

Vic Laurie — Fri, 26 Feb 2010 18:54:22 +0000

Microsoft is warning about malware masquerading as anti-malware. It is called “Security Essentials 2010″, not to be confused with the real Microsoft Security Essentials. The Microsoft Malware Protection Center gives details.