Image by pickinjim2006.

Lamm-Hartmann says once you’ve made up your mind, staying on in a job you’re checked out of emotionally will just stress you out even more. Her advice: Don’t let the fact we’re in a recession hold you back—the job market is more fluid than it appears as people leave jobs they’re dissatisfied with.

The ideal way to go would be to have something lined up [before quitting]. But that’s not always the case these days. If you are dissatisfied, and your company is laying off or downsizing, and you know you want to be doing something else, then go. It’s risky, it’s giving up job security, but there’s really no such thing as job security anymore anyway. And a lot of times companies are providing support, too, like outsourcing support where you can actually get some career counseling if you don’t know what you want to do next. There are lots of companies out there right now that are helping people connect with what they really want to do.

If you’re not ready to do something quite so drastic as walk out on a steady (albeit unhappy) job situation, then consider freelancing without quitting your current job. Have you walked away from your job recently to pursue another opportunity? What motivated you to jump ship? How did it work out? Let us know in the comments.

Go to Source

Mozilla, creators of the Firefox browser, say they’ve seen a significant surge in downloads of the software in Germany in the days since a Germany government agency recommended people switch to browsers that compete with Internet Explorer because of a new security flaw in the Microsoft browser. A chart prepared by Mozilla shows that German downloads of Firefox spiked in the four days following the Friday posting of the recommendation by the German agency, which is called the Federal Office for Information Security (or, using its German initials, BSI).

Mozilla says it received about 300,000 incremental downloads above its typical downloading rate over that time period. Mozilla didn’t yet have download figures for France, where the French government has also advised people to try non-Microsoft browsers because of the security flaw.

The uptick echoes a download surge for another Microsoft rival, Norway’s Opera Software, which said the number of downloads in Germany of its Opera browser doubled to 18,000 a day over the weekend.

Both countries are responding to Microsoft’s confirmation of a security hole that is believed to have been exploited by hackers in a recent cyberattack on Google and other companies in China.

Microsoft, meanwhile, on Tuesday said it plans to release a software update soon that will help protect Internet Explorer users from the security vulnerability. The company said it will provide more details about the update on Wednesday.

Go to Source

(…)
Read the rest of Stealth MXP Bio Secure USB Drive Revealed [Secure USB Drive Features 256-bit Encryption, Onboard Processor]

© TFTS – Technology, Gadgets & Curiosities, 2010. |
Permalink |
No comment |
Add to
del.icio.us

Go to Source

With world governments advising citizens to switch from Internet Explorer to alternative browsers, and an unpatched security hole in at least two major versions of Internet Explorer, Microsoft has to do something to restore faith in their browser. Easiest way to do it, apparently, is saying that other browsers are even worse than IE.

Microsoft’s UK security chief Cliff Evans told Techradar that “The net effect of switching [from IE] is that you will end up on less secure browser,” and that “the risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.”

Evans then downplays the seriousness of this problem. “The reality of the risk is minimal, even if you have IE6; you would have to go to a website running the exploit,” he says. Even if we disregard the fact that many very serious browser vulnerabilities work in that way – e.g. you have to visit a website running an exploit to be affected – there’s still the fact that this particular vulnerability isn’t just lab-tested, it’s been successfully used on unsuspecting victims in the real world. This alone makes it as serious as security holes go.

Evans continues to undermine the security record of other browsers. “There are broader risks and issues with other browsers,” he claims, at the same time admitting that the IE vulnerability that caused this entire mess probably isn’t present with other browsers. “I’m not aware that the vulnerability exists in other products, but those products may have other vulnerabilities,” he says.

While one can say that absolutely no piece of software is ever completely secure, this logic is flawed. Microsoft’s IE has a serious, unpatched security vulnerability, and pointing to possible holes that other browsers may or may not have won’t make it go away.

Tags: internet explorer, security, web browsers

Go to Source

Switching to an alternative Web browser like Firefox or Google Chrome is one possibility. For now, security companies like McAfee have only identified the latest security exploit as an Internet Explorer issue, but there’s no guarantee that they won’t find vulnerabilities in other browsers that were involved in the broad attack on Google and others.

Generally speaking, a browser switch is going to be a lot easier for an individual than it will be for corporate users, where IT policies often dictate which browser people use on their computers. Graham Cluley, a senior technology consultant and security firm Sophos, said in a blog post Monday that companies may cause “more problems than it’s worth by summarily switching browsers” because of the potential for employee confusion and Web site compatibility problems caused by the new software.

“My advice is to only switch from Internet Explorer if you really know what you are doing with the browser you’re swapping to,” Mr. Cluley said. “Otherwise it might be a case of ‘better the devil you know.’”

For people who don’t want to or can’t move to another browser from Internet Explorer, they should upgrade to the latest version of the software, Internet Explorer 8. While that version of the browser is also technically vulnerable to the security flaw it contains features that minimize the threat, Microsoft says.

And if switching to IE 8 isn’t an option, users with earlier versions of the browser, like IE 6, should adjust their security settings to “high,” which also reduces the risk of running malicious code, Microsoft says. There’s more in blog posts from Microsoft and McAfee describing the hack and precautions for users.

The Journal also posted a list of other common sense security tips on staying safe on the Internet.

Go to Source

It’s no secret that we don’t like Internet Explorer 6 (IE6), the outdated 10+ year old browser still used by 15-25% of people on the web. Last year, we called for IE6 to die so that the web could move on with new innovations such as HTML 5.

Now Internet Explorer, specifically IE6, is under fire again after a critical IE vulnerability was implicated for the attack on Google’s infrastructure by Chinese hackers. While IE6 criticism is not a new phenomenon, last week’s events give those of us who advocate for the abolition of IE6 (myself included) new ammunition.

Whether you work for a company that won’t get rid of IE6 or have parents that just don’t see the need to ugprade, here are five new reasons to upgrade or switch browsers:

1. Your security and your company’s security are at risk: There’s no other way to lay it out: if the security of Google, Yahoo, and around 20 other companies were compromised due to people still running IE6, then your security is at risk too. Upgrading after a hacker uses this exploit to steal your information is simply too late, especially if you hold sensitive customer data.

2. World governments are suggesting you switch browsers: Both Germany and France have issued warnings about Internet Explorer, asking citizens to switch to prevent the same type of breach that affected Google.

3. Even Microsoft wants you to drop IE6: The Microsoft Security Research & Defense Blog specifically addressed the flaw and the risk of attack by platform. The most important part of the post was that they “recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP.”

This isn’t the first time Microsoft has asked people to voluntarily upgrade, but it is the first time that it’s been in response to an exploit or vulnerability. Think of it like a recall: would you keep driving a car that Toyota, Ford, or GM says could malfunction? Don’t make the same mistake with your computer’s security.

4. Not wanting to upgrade from Windows XP isn’t a legitimate excuse anymore: One way to delete IE6 is to upgrade your OS — both Windows Vista and Windows 7 run upgraded versions of the IE browser.

We understood why people didn’t want to upgrade when their choice was Windows Vista, but now that a very stable, solid, and secure upgrade is on the market (Windows 7), there’s no excuse not to upgrade. Yes, it’ll cost you up front, but it’s far cheaper than having your data stolen.

5. This will not be the last massive IE6 security breach: This flaw was unknown before Google’s groundbreaking China announcement. And it’s not the first flaw ever found with the browser — there are at least 142 vulnerabilities in IE6, 22 of which are not yet patched. Would you use armor that had 142 weak spots?

Last week’s series of events drove home just how dangerous and idiotic it is to run the long-broken IE6 browser. It should be a wake-up call to IT departments and users around the world: if you keep running a browser from 2001, you are throwing your online security right out the window.

Tags: IE6, IE6 must die, internet explorer, microsoft, trending

Go to Source

A couple of days ago we wrote that the German Federal Office for Security in Information Technology advised German citizens to switch from Internet Explorer (regardless of the version they use) to an alternative browser for security reasons.

Now, the French government has issued a similar advisory, pointing out that Internet Explorer 6, 7 and 8 all share a similar vulnerability, which allows malicious hackers to remotely execute arbitrary code.

The fix? CERTA (Centre d’Expertise Gouvernemental de Réponse et de Traitement des Attaques informatique) proposes a switch to an alternative browser.

This is another serious hit for the world’s most dominant web browser, but also one that’s been losing its marketshare in the last couple of years. Alternative browsers — Firefox, Opera, Safari and others — may not have a perfect security record, but all of them have always been perceived as safer alternatives. This latest vulnerability, discovered after the cyber attacks on Google, does nothing to change that notion.

Tags: france, internet explorer, microsoft, software, web browser

Go to Source

Security analysts told Reuters the malicious software (malware) used in the Google attack was a modification of a Trojan called Hydraq. A Trojan is malware that, once inside a computer, allows someone unauthorized access. The sophistication in the attack was in knowing whom to attack, not the malware itself, the analysts said.

Local media, citing unnamed sources, reported that some Google China employees were denied access to internal networks after January 13, while some staff were put on leave and others transferred to different offices in Google’s Asia Pacific operations.

Regardless of whether or not insiders were involved, it’s important to note that "Operation Aurora", as the attacks have been dubbed, stem from a particular vulnerability in Micosoft’s Internet Explorer. Security giant McAfee has a page set up with information on protection. The company explains: 

McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for “Operation Aurora” to exploit Google and at least 30 other companies. Microsoft has issued a security advisory and McAfee is working closely with them on this matter. “Operation Aurora” was a coordinated attack, which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.

The company’s "Security Insights" blog has been updated continuously, and may be a good spot to keep in mind for the latest developments on Operation Aurora. 

The attack on Google has of course led to Google stopping the censoring of its search results in China, which could in turn lead to the company having to shut down its Chinese operations. Philipp Lenssen at Blogoscoped points to some other instances where Google is censoring results.

More WPN articles on the Google/China story here.

 
Related Articles:

> China Responds To Google Situation

> Baidu’s Stock Soars Following China News

> Google May Quit China

Go to Source

In a statement issued today, the German Federal Office for Security in Information Technology (known as BSI) recommends that all Internet Explorer users switch to an alternative browser. They may resume using Explorer after a fix is issued by Microsoft for a critical vulnerability that has been implicated in the Chinese cyberattack against Google.

If you missed it, yesterday McAffee released a report outlining details of the cyber assault on Google and around 20 other major technology companies. It specifically implicates a critical flaw in all versions of IE that allows hackers to “perform reconnaissance and gain complete control over the compromised system.” Microsoft has responded that it is developing an update to the vulnerability.

According to the statement from BSI, even running Internet Explorer in “protected” mode is not enough to prevent a hacker from exploiting this security flaw.

IE, while the world’s most popular browser, has been steadily losing marketshare over perceptions that it is slower and less secure than rival browsers, especially Firefox. This incident won’t help.

The full statement, translated via Google, is below:

Translated Statement from Germany

“In Internet Explorer, there is a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted Web page into a Windows computer to infiltrate and set up. The last week became known hacker attack on Google and other U.S. companies has probably exploited the vulnerability.

Affected are the versions 6, 7 to 8 Internet Explorer on Windows systems XP, Vista and Windows 7 Microsoft has released a security advisory in which it discusses ways of minimizing risk and is already working on a patch to close the security gap. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Running the Internet Explorer in ‘protected mode’ as well as disabling scripting Acitve Although more difficult to attack, but it can not completely prevented. Therefore, the BSI recommends to switch to the existence of a patch from Microsoft to an alternative browser.

Once the vulnerability has been closed, the BSI will provide information on its warning and information about public-CERT. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via e-mail.”

Tags: germany, internet explorer, software

Go to Source

There are many ways to secure your server from configuring it yourself and using open source software, to hiring an IT staff with a support team to monitor your server. Each option has its merits and flaws. If you configure it yourself, do you have the knowledge to correct issues that come up without major downtime? If you opt for the IT staff, does their cost out weigh the benefit? Do you use open source? All of these questions and more need to be answered to have a secure server.

One of the simplest ways to secure your server is to make sure it is patched and updated with the latest updates. This is a simple step and needs to be performed at least weekly. Another simple step would be to do testing on your server before you make applications live. Not just making sure that it works correctly, but making sure that it is not vulnerable to SQL injection.

Web applications have opened up an entirely new headache with security. Many times they have direct access to the database with little error checking. A way to help try to stop this is to use something like ModSecurity. ModSecurity is an open source web application firewall. It has many features that will make it more difficult for intruders to gain access to your server.

A step that many people do but do not take advantage of, is logging. Many people have log files but never look at them. An intruder may have been trying for weeks to gain access to your server before he finally got in. If you examine your logs, then you may have discovered his attempts before he compromised your server.

There is much more to running a server than just plugging it. It takes work and a lot of knowledge. Most people can connect a computer to the internet and have it run a web server, but it takes great deal more to secure it.

Go to Source

Given their recent security episode in China, and the ever-expanding realm of devices and portals users can get at Gmail from, it’s probably a smart step forward to gently goad users into using a more secure connection standard. Google notes that, although using https creates a slight latency, they believe the trade-off is worth it.

If https presents a problem in your particular IT environment, you can still switch it off in your Settings. Here’s Google’s explanation:

If you’ve previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don’t want default https turned on for performance reasons, you can turn it off at any time by choosing “Don’t always use https” from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.

Google also notes that Offline Gmail users who weren’t already using https as a default may see some issues, but they suggest a work-around.

Does a default https present problems for your own Gmail account? Happy to see the security struggle moving a step forward? Tell us your take in the comments.

Go to Source

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this U.S. government report (PDF), Nart Villeneuve’s blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China’s economic reform programs and its citizens’ entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that “we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.”

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer

Go to Source

In an effort to increase security for Gmail users, in 2008. Google has added the option to always use HTTP Secure (HTTPS) when accessing Gmail. However, this option was disabled by default; Google’s reasoning for this was the fact that HTTPS makes your email access slower.

Now, Google has decided that internet connections for most of its users are fast and stable enough to turn this option on by default.

If you like, you can stil turn the option off; simply choose “Don’t always use https” from the Settings menu. Google will still use HTTPS on the login page, but will then switch back to unsecured connection, which could make the service a tiny bit faster. Of course, you should do this only while connected to a network that you fully trust.

Tags: email, gmail, Google, security, web

Go to Source

In the wake of last Friday’s unsuccessful attempt to blow up a Northwest Airlines flight, the U.S. Transportation Security Administration (TSA) began to impose some temporary security screening measures, including thorough pat downs and limitations on what passengers can do during the last hour of flight. However, for two travel bloggers, posting the unclassified details about these procedures (which expired on December 30) resulted in home visits and civil subpoenas from TSA agents.

Fortunately, it looks like sanity has prevailed and the subpoenas and legal action have been withdrawn and the government agency has apologized for the strong-arm tactics that were used. Still, the entire situation sheds some light on how government agencies are able to respond to the age of real-time instantaneous communication.

Background

The TSA issued its enhanced security directive on December 25. This directive was sent to airlines and airports around the world, giving a rundown of some new temporary screening procedures and in-flight passenger restrictions.

This non-classified document was posted on a number of blogs and even some airline websites. On the 26th, we linked to the New York Times’ article on the new procedures. Although the NYT piece didn’t contain the document verbatim, it seems clear that the author of that post had access to the document or at the very least had a source with access to the document.

However, when bloggers Steven Frischling and Christopher Elliott posted this information, they were treated with home visits from TSA agents, threats and subpoenas.

The Line Between Security and Freedom of the Press

The public outcry over these actions led the agency to investigate matters and ultimately, do the right thing, but it’s still an unfortunate situation.

In countries like the United States that have laws protecting the press, how the press is defined in a world that is increasingly comprised of self-publishers and online entities becomes an important question. In this case, it seems clear that two TSA agents overreacted to the online publication of non-classified information.

Still, we have to question if more “traditional” print journalists would have been questioned or harassed.

It’s understandable that the US government wants to keep its security documents as guarded as possible — after all, national security can often depend on their plans staying private — however, we hope that government agencies will take a more level-headed approach in the future when dealing with the press, online or off.

Tags: bloggers, bloggers rights, legal, security, tsa

Go to Source

Brickhouse Security, a website that sells security and tracking equipment (like “Teen Trackers”, lock pick kits and “sex kits”) has begun selling a small ID card that actually contains a camcorder and can let you discreetly record conversations. Brickhouse claims that the Spy ID Card Camera uses the thinnest digital video recorder produced.

(…)
Read the rest of Spy ID Card Camcorder Unveiled [Goofy ID Card Has Miniture Camcorder, 4GB of Storage]

© TFTS – Technology, Gadgets & Curiosities, 2009. |
Permalink |
No comment |
Add to
del.icio.us

Go to Source

Numerous blogs discussed the possibility that electronic devices like laptops and MP3 players could be barred altogether on international flights arriving in the United States. The speculation came after various news outlets posted details of new security measures, including requiring passenger to remain seated during the final hour of flights.

Gizmodo, for example, on Monday posted what appeared to be a leaked memo from the Department of Homeland Security, in which the Transportation Security Administration’s
acting administrator Gale Rossides wrote that airplanes should “disable aircraft-integrated passenger communications systems and services (phone, internet access services, live television programming, global positioning systems) prior to boarding and during all phases of flight.” The TSA on Monday appeared to relax some of the rules detailed in the memo.

However, some passengers did report that they experienced curtailed usage of electronics on international flights landing in the United States.

For example, Altimeter Group analyst and founder Charlene Li confirmed via Twitter that the new security rules meant that passengers couldn’t use any electronics during her flight from Montreal to Chicago. She tweeted: “So no Kindle, no laptop on int’l flights into US. My kids slept and read a good book. I worked on my book–with a pen & paper.”

Various airlines like Virgin Atlantic, British Airways, and Air Canada took to their Web sites to warn passengers that they’d be facing additional screenings on international flights to the U.S., though none referred specifically to policies on electronic devices.

The blogosphere wasted little time in lamenting the possibility of withstanding international air travel without support from beloved Kindles or iPods. Conservative political strategist Patrick Ruffini tweeted: “Hey TSA, why don’t we try not letting people on terrorist watch lists on flights instead of banning iPods, OK?”. (Welcome to the terrorist watch list, Mr. Ruffini.) Twitter user unfocused wrote: “I don’t understand the ban on books & electronics for the last of hour of flights. Did the guy try to blow up the plane with a Kindle?”, while OmarShahine tweeted ominously: “A plane with no electronics is called Hell.”

On a more humorous note, Jeff Jarvis, journalist and author of the book “What Would Google Do?” wrote: “I seriously want to get together a class-action suit for people who need the bathroom and for workers who need laptops,” and later added:
tweeted: “New #TSA rule: Airlines required to publish magazines worth reading for one hour.”

And in a post titled “How to Be a Kindle Terrorist,” Sean Percival of the blog lalawag.com compiled ways in which airplane passengers could use their Kindles discreetly during the final hour of a plane flight, which included hiding the device behind a fake book cover or employing the Kindle’s text to speech functions. Or, he wrote, “it seems the air travel industry doesn’t bother checking various terrorist watch lists these days when booking passengers. So before getting on any flight you should probably download a copy of the real terrorist watch lists to your Kindle. Then if there is any protest to you using the device during a flight simply show them the list.”

Go to Source

A German software engineer and encryption expert named Karsten Nohl told a group of hackers at the Chaos Communication Congress that he and a group of enlisted contributors had broken the primary encryption code protecting GSM phone calls.

According to The New York Times, spokespeople from the GSM Association shrugged off the news, saying that actually listening in on a call is still practically complex, even with the code book now available online.

However, other security experts disagree, saying the crack now puts mobile interception of the majority of non-3G cellphone calls within reach of “any reasonable well-funded criminal organization.” Simon Bransfield-Garth, CEO of London-based Cellcrypt, said the net effect of Nohl and the company’s work would likely “reduce the time to break a GSM call from weeks to hours.”

The current GSM encryption scheme is known as the A5/1 standard, based on a 64-bit encryption scheme. A newer specification based on more modern and tougher to crack 128-bit encryption called A5/3 has been available since 2007, but few network operators have undertaken the expense to upgrade their networks.

Nohl says the project was meant to point out the vulnerability of the current 64-bit system and “push operators to adopt better security measures for mobile phone calls.” He says his team took precautions to keep the effort within legal boundaries, and “are not recommending people use this information to break the law. What we are doing is trying to goad the world’s wireless operators to use better security.”

You probably don’t have to worry about sniffers on the other end of your next wireless call just yet, but it seems like 64-bit GSM encryption might not be long for this world. Do you think Nohl’s “white hat” efforts will have the desired effect? How do you think carriers should respond to the crack?

[Img credit: soylentgreen23]

Tags: encryption, GSM, hacking, Mobile 2.0, security

Go to Source

WiFi might be getting more prevalent on planes, but the amount of time you’re actually allowed to use your laptop and take advantage of it might be about to take a significant hit.

As a result of Friday’s unsuccessful attempt to blow up a Northwest Airlines flight, the TSA is reportedly set to impose new security rules that would cut off access to personal belongings during the final hour of flight.

The TSA has not posted specific new guidelines publicly yet, writing only that they are “working closely with federal, state and local law enforcement on additional security measures, as well as our international partners on enhanced security at airports and on flights.”

However, it appears that at least one of those measures involves no personal belongings on one’s lap in the last hour of flight, as a statement on Air Canada’s website reads:

“New rules imposed by the U.S. Transportation Security Administration also limit on-board activities by customers and crew in U.S. airspace that may adversely impact on-board service. Among other things, during the final hour of flight customers must remain seated, will not be allowed to access carry-on baggage, or have personal belongings or other items on their laps.”

Laptops aren’t specifically mentioned, but the goal of such a regulation would presumably be to allow flight staff to have full visibility of a passenger during the restricted time, so “no laptops” seems a likely outcome. Given the new restriction and the existing ones post-takeoff, it means laptops are essentially unusable during short flights (under 90 minutes), and a lot less useful unless you’re flying a significant distance.

We’ll wait and see what official guidelines the TSA issues relating to electronics, but be it seems like we should be prepared for having a bit less time to finish that project in-flight.

Tags: security, terrorism, tsa

Go to Source

A successful attack on Twitter early Friday morning is being blamed on Twitter’s own email security, as hackers were able to get access to an email account and change a password, then redirect Twitter.com traffic elsewhere.

Twitter suffered a security breach Friday morning that displayed a message from the “Iranian Cyber Army” for around an hour before Twitter.com became completely inaccessible. Early reports confirmed that Twitter itself had not been compromised: rather the DNS records (which send web users to the right place when hitting Twitter.com) had been changed to point to another location.

Now Twitter’s DNS provider, Dyn Inc., has absolved itself of blame by claiming that the DNS records were changed by an authorized user: in other words, the attacker had the password to Twitter’s Dyn Inc account, logged in and changed the settings. That points to one likely cause: a Twitter administrator had their email security compromised, and a password reset request was made.

Twitter’s email security was also the cause of previous Twitter attacks: a breach of one staff member’s email account provided access.

It’s a vulnerability that might lead some to question the security of web-based applications like Google Apps: if all your data is online, you’re only one password away from a major breach.

Tags: hack, twitter

Go to Source

Update: An update from the Twitter status blog: “Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.”

-

We’re still in shock over what has just transpired. Twitter was just hacked. A group claiming to be the “Iranian Cyber Army” took over Twitter and stuck its own text, logos, and images on the site.

Twitter’s security resume was badly damaged in July when hackers stole secret company documents depicting its operations. Yet even that didn’t take down the website. It’s also had its share of security exploits and fail whales.

Little compares to what has happened tonight. Even if it was a 3rd party DNS attack, Twitter still gets the black eye.

This is unacceptable for one of the world’s top 20 most visited websites. There needs to be accountability for this situation (no matter if it’s within Twitter or within a third paty), and a more detailed explanation is warranted. Twitter also needs to find a way to assure that this never happens again.

We’ve reached out to not only Twitter, but to the hackers themselves for comment.

Tags: twitter

Go to Source

We’re still in shock over what has just transpired. Twitter was just hacked. A group claiming to be the “Iranian Cyber Army” broke through Twitter’s defense, took over Twitter, and stuck its own text, logos, and images on the site.

Here’s what we want to know: How the hell could this have happened?

Twitter’s security resume was badly damaged in July when hackers stole secret company documents depicting its operations. Yet even that didn’t take down the website. It’s also had its share of security exploits and fail whales.

Yet nothing compares to this. Nothing compares to what has happened tonight. Twitter was summarily hacked, taken over, and taken down. It’s security protocols were clearly ineffective.

This is unacceptable for one of the world’s top 20 most visited websites. This is unacceptable for a website attempting to compete with Facebook and establish itself as a world player. This is black eye of epic proportions.

This incident cannot be taken lightly by Twitter or its users. A full explanation is needed and people need to be held accountable. Who knows if the hackers got our passwords and personal information? In fact, you should be changing your passwords now just in case.

We’ve reached out to not only Twitter, but to the hackers themselves for comment.

Tags: twitter

Go to Source

The Bunkersix Personal Security Console and Control Centre enables you to monitor multiple sources of security information in one place. New applications can be added to the console from the application store with one click and if you have a Internet capable smart phone the console is also available as a mobile edition.

From the application store the features available include: Remote Desktop, Security Cameras, Alarm Monitoring,PC & Server Monitoring, Track Lost Laptops, View Local Maps, Torrents Status, Data Usage, and Event History.

http://www.bunkersix.com

Go to Source

That didn’t take long. Just 24 hours after Facebook began rolling out a privacy announcement and settings tool to its more than 350 million users, a number of privacy experts and security firms are already out with statements advising against using the social network’s new recommended settings, which encourage users to share more data with “everyone.”

The issue, as we highlighted yesterday, is that while Facebook is spinning the changes as “setting a new standard in user control,” another goal is clearly getting users to share more information publicly, which makes its search partnerships with Google and Bing all the more valuable. And security experts are seeing right through it.

Experts Weigh In

Here’s what the ACLU of Northern California said in the comments of our post yesterday:

“As you’ve pointed out, the ‘privacy’ changes are all about encouraging [users] to share more stuff publicly.’ It’s great that Facebook is making all users think about privacy, but we are concerned that the transition tool and other changes actually discourage or eliminate some privacy protections that Facebook users currently employ.”

Here’s what the Electronic Frontier Foundation concludes in a lengthy commentary on the changes:

“The Facebook privacy transition tool is clearly designed to push users to share much more of their Facebook info with everyone, a worrisome development that will likely cause a major shift in privacy level for most of Facebook’s users, whether intentionally or inadvertently … Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.”

A spokesperson from security firm Sophos says in a statement to Mashable:

“These could be the most important clicks you ever make on Facebook. If you don’t read carefully you could find that every post you make on Facebook, and your personal information, is visible to everyone in the world who has a computer rather than just your Facebook friends.

Let’s make this clear. If you make your information available to “everyone”, it actually means “everyone, forever”. Because even if you change your mind, it’s too late – and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook,”

The company has also produced this video demonstrating the new privacy transition tool while providing some security commentary:

A spokesperson from web security firm Trend Micro adds in a statement to Mashable:

“It’s laudable that Facebook has taken continuous interest in this, but I would remind Facebook users that it is just not a private place. If you require strict privacy for your communications, photos, etc., find some other medium to share them. I would encourage all Facebook users to read and understand the privacy guidelines to be found on the site.

Second, what gets revealed in my FB page is entirely up to me. I choose the photo, I make the comments. Striking a balance between utter security (no visibility at all, and if that’s what you need may I suggest a diary) and entirely publicly visible and archived statements (as we have with Twitter) must lie the happy medium we seek. Getting there is not going to be instant because we don’t yet know what there means.”

I like that there is controversy about these settings. It shows people at least notice that there is something going on.”

A Huge Mistake?

All of these sources are essentially saying the same thing: the privacy changes at Facebook have the potential to create significant issues for those who don’t carefully review them, which, let’s be honest, is likely to be most users.

Like other controversial decisions the company has made, Facebook surely weighed the risks and rewards of this move. Their analysis likely concluded that the benefits of being more public (and search-engine friendly) far outweighed the risk of a lot more “Scandalous Facebook photos cost so and so his/her job” stories.

But really, there’s no turning back now. Millions of users have already been greeted by the new privacy tool, made changes and/or ignored it, and moved on using Facebook how they always have, unaware of the ramifications of a change they might spend 30 seconds thinking about.

If it turns out that millions of users ultimately screw up their lives somehow thanks to Facebook’s privacy settings, the stigma that gets attached to the site could end up being a catastrophic blunder that sees the site lose its seemingly insurmountable lead, much like MySpace and Friendster before it.

Tags: facebook, privacy

Go to Source

A couple of days ago we wrote about the Black Screen of Death, a problem that caused Windows-based machines to freeze and lock out users, leaving them teary-eyed and black-screened.

The issue, however, doesn’t seem to be a common one, nor is it tied to Microsoft’s security updates, as we’d previously thought. In fact, UK security company Prevx, who pointed out the issue (and actually offered a software fix), admitted that the problem is likely caused by malware and not by Microsoft’s error.

Prevx’s CEO Mel Morris wrote a blog post, apologizing to Microsoft for the inconvenience. From the post:

“The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated ‘REG_SZ’ string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder.”

The folks at Microsoft, understandably, aren’t happy. Chief Security Advisor of Microsoft EMEA Roger Halbheer fired at Prevx on his blog, saying:

“Looking at that, you should now make your risk assessment and decide which source you want to trust. For me, the ultimate source for information you should build your assessment on is neither Twitter nor your brother’s sister in law’s father’s brother (unless he works for Microsoft’s security) but our website.”

While this particular case was a false alarm, Halbheer forgets to point out that if we had listened exclusively to what Microsoft says when it comes to security issues in the past, we would have missed quite a lot of them. As always, don’t believe everything you read, see or hear, but also don’t immediately write off any news that doesn’t come from an official source.

Tags: BSOD, microsoft

Go to Source

Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. Its rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there’s been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site and choosing View / Source and reading through the content of the <Head> section down to, and including, the <BODY> tag. The link injections I’ve seen are usually immediately after <BODY>. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you’ve been violated, and have a WordPress STD (Security Terminated Deficiency)!

This article is not about fixing security violations. Its about simple prophylactic measures most “non-technician” site owners take. This is not slick and professional security strategy, and there are some who will scoff at using  “security by obscurity” as a primary tactic. However, even on a tight budget, the following 12 zero-dollar steps can and should be taken to minimise the possibility of attack.

1 – Always Use the Current Version

Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a button click! The community of authors work extremely hard and surprisingly quickly to address known security problems.

2 – Remove Primary Target Identifier

Remove the Powered by WordPress credit details in the footer of your website’s theme – e.g.; /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it – do a search on Google for “Powered by WordPress” and you’ll get the picture… At time of writing, there are 106 million competing page opportunities out there for hackers!

By all means give WordPress the credit they deserve – but you could do it on your links page, or make it a graphic / image link instead of text…

3 – Remove Secondary Target Identifier

A lot of WordPress themes come with an giveaway WP version HTML tag in the <HEAD> section. In View / Source it displays as follows; <meta content=”WordPress 2.8.4″ />

Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you’ve just told the hackers where they are best to start their evil work…

Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that’s outputting the Meta Generator tag.

4 – Remove Tertiary Target Identifier

There is another version identifier tag in the RSS Feed output, e.g.: <generator>http://wordpress.org/? v=2.8.4</generator>

Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for “function the_generator”

The line immediately below that statement commences with: echo apply_filters(’the_generator’……

Place a # character in front of the word echo, as per: #echo apply_filters(’the_generator’ etc

5 – Remove Lesser Target Identifiers

Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to “Log In”  from the current theme’s footer. There are 3.8 million competing page opportunities for a Google search for “wp-login.php” and its probably a good thing to not be in that list either.

WordPress also adds two easily accessible files in the directory into which it is installed; licence.txt and  readme.html. Renaming or removing those is important because they also contain WP version information!

6 – Don’t Use Easy Passwords

Don’t make it easy for the hackers! Use super-difficult passwords that are impossible to guess, and not easy to crack.  That applies to the hosting account control panel, FTP access AND the WordPress administration access. Ideally, high-exposure sites should use different password for each of those areas.

Recent versions of WordPress seem to have addressed the issue of directory browsing, by keeping people out of areas they should not be looking. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy to use plugins available for this – those that do exist appear well past their WP version use-by date. Its also far too easy to end up locked out of your site while trying to make them work!

7 – Don’t Use Default Admin ID

If you recklessly use “admin” as the default user ID, you’ve given the hacker half the pieces of the puzzle and they only have one item left to crack – the password.

8 – Ensure WP File Permissions Are Adequate

File system security is important, to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit a file, or copy files into a directory. Did you reset permissions to the correct default afterwards? If not, you’ve left a door ajar… Pull it shut and lock it again!

9 – Plugin Integrity

As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There at least, they are in the spotlight, and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation!

10 – Theme Integrity

Ok, you can go anywhere and get free themes and make them work… but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I’d rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to suitability for the intended purpose.

11 – Automate Your Backups

There are backup plugins that automate the process of backing up your WordPress database and emailing the file to you daily or weekly. Install and use one of them! They can be a lifesaver, for a variety of other reasons.

12 – Server, Network and PC Vulnerabilities

Be aware of the configuration of your hosting company’s web server. Is it running old versions PHP, MySQL, cpanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up to date tools and services running.

Never access your WP installation from a non-secure networks such as internet cafes, coffee shop or hotel WiFi systems.

Another commonsense measure is to ensure your PC you post from uses current and reputable antivirus software that also detects malware, spyware and key-loggers.

Post from: SiteProNews: Webmaster News & Resources

WordPress Security – An Ounce of Prevention is Better than a Pound of Cure

Go to Source

It seems that the latest security patches from Microsoft, deployed over the last Patch Tuesday, are causing serious problems for some users of Windows, including Windows 7.

In a nutshell, the affected Windows machines simply stop working and start displaying a (mostly) black screen, in some cases showing only a “My Computer” Explorer window.

The problem was first noticed by UK security company Prevx, which already offers a software fix. The folks at Prevx claim that this is no small matter, and that this “massively debilitating” issue could potentially affect “millions of Windows users.” However, no official fix is yet available from Microsoft.

A Microsoft representative said that “Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers. Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues.”

Have you had similar issues with your Windows machine after installing the latest security patches? If you have, please let us know in the comments.

Tags: Black Screen of Death, BSOD, microsoft, Windows

Go to Source

Richard Schaeffer is the NSA official who said before the Senate’s Subcommittee on Terrorism and Homeland Security that the National Security Agency has been working closely with Microsoft to enhance Windows 7’s security guide, igniting fear that the software giant has deliberately coded a backdoor into the newly announced operating system. But given Microsoft’s announcement today, it’s all speculation, as they have “not and will not put ‘backdoors’ into Windows”.

(more…)

See: Microsoft Denies NSA Backdoor in Windows 7 [No Exploits Deliberately Coded in Win 7, Privacy Ensured]

Go to Source

Chris walks us through the history of javascript. The days of building complex systems with document.write() are over thankfully, though some people still think that’s what it’s all about. Having annoyed people with all the js bling, Ajax came around and suddenly javascript is seen as a tool for useful stuff. But…a little too much Ajax perhaps? People using it where it didn’t need to be and how it shouldn’t be used, hence the security fears.

According to a pie chart Chris presents, browser problems are responsible for only 8% of vilnerabilties; the biggest problems are SQL injection and XSS, where the server should be locking down.

Don’t judge the language by its implementation. it does have intrinsic issues like global variables, but the right implementation can keep things secure. As well as poor practice, the browsers bear responsibility. And the cool kids – safari and firefox – are the most vulnerable according to this survey. And it gets a lot worse when you start playing with browser extensions.

So do we turn javascript off? No, the experience of google maps etc is just too good. We don’t have to learn just by “View Source” anymore. There are plenty of resources out there to learn how to do it and how to do it properly (not just with a magic code-gen tool). Use javascript for the right things, not all things. e.g. Slicker UI, data validation warnings, UI controls not native to HTML, visual effects not native to CSS.

What if you’re sharing content from third parties, as the yahoo homepage now allows? Caja is presently the only way to do sandboxing in the browser. It doesn’t output pretty code right now, but it does cut out many risks. Caja prohibits eval(), iframes, * and _ hacks, an many other dangerous features. The latest YUI is caja-compliant code, and Chris reports John Resig is open to the same thing for jQuery, if it turns out there is demand out there.

Chris presents various examples of Javascript outside the browser – Air, web widgets, server side, even TV sets. It’s a very useful tool here, and shows it doesn’t have to be limited to the browser and the security risks that come with browsers.

Go to Source

The report found that politically motivated cyberattacks have increased and five countries, including the United States, Russia, France, Israel and China, are now armed with cyberweapons.

"McAfee began to warn of the global cyberarms race more than two years ago, but now we’re seeing increasing evidence that it’s become real," said Dave DeWalt, McAfee president and CEO.

"Now several nations around the world are actively engaged in cyberwar-like preparations and attacks. Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats."

Attackers are building both cyberdefenses and cyberoffenses, to target infrastructure such as power grids, transportation, telecommunication, finance and water supplies, because damage can be done quickly and with little effort. In most developed countries, critical infrastructure is connected to the Internet and lacks proper security, leaving them open to attacks.

Critical infrastructure is privately-owned in many developed countries, making it a huge target for cyberwarfare. The private sector relies heavily on the government to prevent cyberattacks. If cyberwarfare breaks out, governments, corporations and private citizens may get caught in the crossfire. Without insight into the government’s cyberdefense strategy, the private sector is not able to be proactive and take proper precautions.

"Over the next 20 to 30 years, cyberattacks will increasingly become a component of war," said William Crowell, a former Deputy Director of the U.S. National Security Agency.

"What I can’t foresee is whether networks will be so pervasive and unprotected that cyber war operations will stand alone."

Related Articles: 

> Spam Is Getting More Malicious

>Stealth Phishing Attack Looks Like Internal Email

>Security A Concern For Online Holiday Shoppers

Go to Source

More than half (63%) of online shoppers said they did not complete a purchase because of security concerns. The most common reasons for not making an online purchase include:

•   41 percent said the site requested more information than necessary for the transaction
•   46 percent were worried about providing the information requested
•   32 percent said it wasn’t clear about how the site would use personal information
•   62 percent simply were not sure the site was secure

Some online retailers are concerned that adding more security measures to their sites would decrease purchases. Just over 75 percent of online shoppers said they would still make a purchases even if a website required more information than a username and password to verify their identity.

"Americans are extremely focused on protecting their personal information and their identities," said Michael Kaiser, executive director of the NCSA.

"Skepticism is a front-line defense and it is heartening to see that Americans are actively engaged in making critical decisions when shopping online. This poll should alert online retailers that there is direct relationship between security and revenue."

The NCSA recommends the following tips for secure online holiday shopping:

  Update Core Protections: Take a few minutes to update your core protections — anti-virus, anti-spyware, and firewall — before you get on the information superhighway. Also make certain they are set to automatically update against new threats.
  Shop Secure Sites: Is there a closed padlock on the browser’s status bar? Does the Web site’s address (URL) change to shttp or https when you are asked to provide payment information? If so, you know the vendor has secured their payment process.
  Check Sellers Out: Conduct independent research on a seller’s reputation before you buy from a seller you have never done business with.
  Passwords Are Key: Create long unique passwords incorporating symbols and numbers to increase your security against hackers and others trying to access online accounts.
  Always Ask WWW: When providing personal information for any purchase, always ensure that you know who is asking for the information, what information they are asking for and why the need it.
  Not All Money is Created Equal: Credit cards are generally the safest option because shoppers can seek a credit from the issuer of the card if the item isn’t delivered or not what was ordered.
Related Articles: 

> Spam Is Getting More Malicious

> Online Retailers To Have Better Holiday Season

> Beware Holiday Emails

Go to Source

Originally posted at Workers’ Edge

Go to Source

Originally posted at The Download Blog

Go to Source

FAIL toStaticHTML API

What is what I got when I pointed a Chrome dev channel build at the new security tests on BrowserScope. Collin Jackson and Adam Barth have written up the test suites.

Steve is excited to see this:

The new security tests in Browserscope were developed by Adam Barth from UC Berkeley, and Collin Jackson and Mustafa Acer from Carnegie Mellon University. It’s exciting to have these experts become Browserscope contributors. The tests cover such areas as postMessage API, JSON.parse API, httpOnly cookie attribute, and cross-origin capability leaks. See the Security about page to read about all the tests.

What tests are next?

Go to Source

Originally posted at Rafe’s Radar

Go to Source

DIRECT LINK »
Go to Source

Both Firefox and Chrome have a new version out, fixing mostly stability issues and a couple of minor security vulnerabilities.

Firefox 3.5.5 brings several stability fixes, most importantly the notorious GIF decoder bug which sometimes caused the browser to crash. You can find a complete list of changes in this version here.

Chrome has a bit more important update, bringing its (awkwardly long) version number to 3.0.195.32. The new version includes five stability fixes and several security issues. Among other things, Chrome should now behave better with Acrobat Reader 9.2, Google Maps, and AAC files. Read the details on these fixes here.

Tags: chrome, Firefox

Go to Source

Having a good Content Management Systems (CMS) doesn’t mean you will be saved from all the possible security risks your site can face. WordPress is usually the leading choice for a publishing platform because it allows you to add security plugins and edit them for fixing loop holes and more. However, for that reason hackers and phishers often choose WordPress sites for vulnerable attacks.

Hackers can gain access to your site through specific access points. In many cases just by displaying your WordPress version information and error messages your site could be left vulnerable. For instance there are “minor” attacks when hackers use site scraping tools to copy your content, allowing them to duplicate it on their own site in order to steal your traffic, as well as obtaining the possibility of diminishing your Google Ranking.

Below we will review a few steps that you can take to stop your WordPress site from being taken over or flooded with malicious attacks. Please join the discussion by leaving a comment with your own tips along with your thoughts.

AntiVirus for WordPress

AntiVirus is exclusively for use with WordPress as a smart and effective solution to preventing any hostile exploits and spam being injected onto your blog. You will be able to monitor possible platform vulnerabilities, viruses, malicious links, worms, and more. You can also set it up so that it can send you important email notifications and whitelistings.

Updating WordPress

As simple and basic as this step may seem, a large portion of WordPress users forget to update their site on a regular basis. You don’t always need to upgrade to the latest version as soon as it’s released, in fact you should wait a while, so that you’re able to download a version that has most of the bugs fixed. If you don’t update you’re definitely taking some unwanted risks that could come back to hurt you in the long run. We recommend not letting your WordPress blog go past 1-2 versions old.

Forbidding Users Access to your Server

No one should have access to search your entire server. This could cause severe problems such as the pirating of content. Use this code:

<?php bloginfo ('home'); ?>

You can also Block WP- folders from being indexed by search engines by blocking them in your robots.txt file. Make sure you add the following in your code:

Disallow: /wp-* 

Securing Your wp-admin Folder

Individuals who intend on attacking can easily use bots for a forced attack that can guess the admin password until they eventually aquire the correct one and login. Here, in this section, you will find a few solutions to this possible issue.

You can prevent a security break-down within the wp-admin folder by limiting the IP addresses that can access it through an .htaccess file. To do this you’ll need to create a new text file and add the following:

order deny, allow
allow from 123.456.78 #Your IP Address
deny from all

Save this file and place inside your wp-admin folder for a stronger combat against unauthorized access to your site.

Turning Off Visitor Registrations

Once you install a new blog with WordPress it allows visitors to register for a guest account on your site, unless you choose not to. If you wish to build a community around your site then I could see how advantageous it would be, however, it’s best to keep registration turned off if possible, due to a majority of the latest exploits being done from within a WordPress account.

Mysterious Passwords

Your WordPress site can easily be hijacked if you use a password that’s too simple, very easy to remember, and repeats numbers or letters. Many users are so busy installing several security plugins, that they pay little or no attention to the importance of choosing a complex password. You can use a variety of tools that can test the strength of your password online. The most recommended would have to be Microsoft’s Password checker.

Backing-Up Your Database

Remember to always back up your site files and database because you never know what the next few moments may hold. It would be ideal if you could regularly back-up your MySQL database. You can do this by exporting your MySQL data in the form of a .sql file that you can store in an easy to access location. You can also download a plugin called WordPress Database Backup to automatically have your site back-up the neccessarry info to keep your site running in case of an emergency.

Further Reading

• Hardening WordPress
• 9 Best WordPress Security Plugins
• 16 Excellent WordPress Security Plugins To Secure Your Blog
• 20 WordPress Security Plug-ins And Tips To keep Hackers Away

Go to Source

Mozilla released Firefox 3.5.4 for Windows, Mac, and Linux on Tuesday to patch six critical security holes and some other problems.

The new browser version also improves stability and fixes a problem with clearing browser history, according to the release notes. Mozilla updated the corresponding version of its earlier browser to fix some of the same security problems by issuing Firefox 3.0.15.

The six vulnerabilities potentially could let remote attackers take over the computer by running their own software on the machine. For details, check the Firefox security site.

Meanwhile, Mozilla is on the brink of releasing the first beta of Firefox 3.6, a version that will add the Personas feature for a customizable look. Mozilla, trying to move to a faster Firefox release cycle, is debating whether to issue 3.6 as a minor release that arrives automatically or a major release that people must actively download.

Also Tuesday, Mozilla released SeaMonkey 2.0, which combines the Firefox browser and Thunderbird e-mail software into an all-in-one package. It uses Firefox 3.5.4.

Originally posted at Deep Tech

Go to Source

It looks like those Going Google billboards are actually good for something, as the Los Angeles’ city council has just unanimously approved a Google Apps deal worth $7.2 million.

According to CNET, LA would become one of the largest government agencies, outside the District of Columbia, to make the switch to using hosted Google email and application services.

However, security concerns over storing information in the cloud did factor into the process and have yet to be 100% aleviated. Apparently the deal hinges around an agreement with Computer Sciences Corp, a contractor who would need to agree to pay a penalty should there be a security breach.

If the deal does go through it would be quite the coup for Google and their Going Google campaign. With both the US Government supporting the initiative and the city of Los Angeles joining the Google team, Google is building up an arsenal of large and impressive customers that should make it easier to attract more top dollar enterprise clients.

Image from Peter Kaminski on Flickr

Tags: going google, Los Angeles

Go to Source

A new variant of the Bredolab Trojan horse is attached to a fake “Facebook Password Reset Confirmation” e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from “The Facebook Team,” according to the security firm. The sender’s e-mail address displays “service@facebook.com.” In reality, the address and sender were spoofed.

MX Labs found that the e-mail was accompanied by an attachment named, “Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe” that, the e-mail claims, contains the user’s new Facebook password. The security firm said that the element between the underscore and .zip are randomly chosen letters and numbers for each recipient.

When a user downloads the file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab “executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).” In other words, it’s nasty.

Once it makes its way to the user’s PC, Bredolab creates “%AppData%\wiaservg.log” and “%Programs%\Startup\isqsys32.exe” in the user’s system files. MX Labs said that it also creates two new processes, called “isqsys32.exe” and “svchost.exe.”

For its part, Facebook was quick to point out that the e-mail containing the virus wasn’t coming from the social network.

“This virus is being distributed through email, not on Facebook,” a Facebook spokesperson wrote. “The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We’re educating users on how to detect this through the Facebook Security Page.”

Facebook said that users should be “suspicious of unexpected emails claiming to be from Facebook.” The company also said that it will never send users a new password as an attachment.

Those users that have downloaded the file should use anti-malware software to remove it. Click here for a list of security software available from CNET’s Download database.

Go to Source

To convince users to install rogue software, cybercriminals place ads on websites that prey on users’ fears of security threats.  The ads generally include false claims such as "If this ad is flashing, your computer may be at risk or infected," instructing the user to follow a link to scan their computer or get software to remove the threat.

The study found 93 percent of the software installed for the top 50 rogue security software scams were intentionally downloaded by the user. As of June 2009, Symantec has detected more than 250 different rogue security software programs.

Stephen Trilling,
Senior Vice President,
Symantec Security

The initial loss to people who download the rogue software ranges from $30 to $100. The personal details and credit card information provided during the purchase can be used for additional fraud or sold on black market forums leading to identity theft.

There are a number of ways used to trick people into downloading rogue security software. The software can be advertised through both malicious and legitimate websites such as blogs, forums, and social networking sites. Legitimate websites are not part of these scams, but  they can be compromised to advertise these rogue applications.

To increase the likelihood of fooling users, rogue security software creators design their programs so that they appear as credible as possible, mimicking the look and feel of legitimate security software programs.
In addition, these programs are often distributed on Web sites that appear credible and allow the user to easily download the illegitimate software.

Some malicious sites actually use legitimate online payment services to process credit card transactions and others return an e-mail message to the victim with a receipt for purchase – complete with serial number and customer service number.

"The findings of our Report on Rogue Security Software make it clear that cybercriminals are willing, eager, and well-equipped to prey on today’s Internet user," said Stephen Trilling, Senior Vice President, Symantec Security Technology and Response.

"To avoid becoming a victim of such predatory practices, Symantec strongly urges Internet users to make sure they are using the latest security protection and always obtain their security software directly from trusted vendors’ websites."

Go to Source

If you’re one of the about 10% of Twitter users that protect your tweets, watch out, because anybody can read them with a simple Google search.

The security hole, first reported by The L.A. Times, reveals that, by just typing “site:twitter.com/*username*” (replacing *username* with the Twitter name of a protected account), you can see most or all of the tweets of an account. And it’s already being used to see the tweets of Bill Clinton, and others.

Apparently, while you can’t directly access a protected Twitter account, Google’s crawling bots can pass right by without any problem. By looking at the Google results, you can get a sense of what that person is tweeting about. For example, here’s what comes up when you search Bill Clinton:

Yeah, you can find some juicy stuff, and that is not good at all for the microblogging startup.

So what can you do if you have a protected Twitter account? Unfortunately, there is not much you can do until Twitter fixes this security hole. For now, don’t tweet anything sensitive if you have a protected account. We have informed Twitter of the issue and if there is any new information on this story, we’ll bring you the update.

Update: There are reports that Google bots don’t crawl private accounts, but tweets from accounts before they were privatized. We are checking with Twitter to see if this is accurate.

Tags: twitter

Go to Source

If you’re one of the about 10% of Twitter users that protect your tweets, watch out, because anybody can read them with a simple Google search.

The security hole, first reported by The L.A. Times, reveals that, by just typing “site:twitter.com/*username*” (replacing *username* with the Twitter name of a protected account), you can see most or all of the tweets of an account. And it’s already being used to see the tweets of Bill Clinton, and others.

Apparently, while you can’t directly access a protected Twitter account, Google’s crawling bots can pass right by without any problem. By looking at the Google results, you can get a sense of what that person is tweeting about. For example, here’s what comes up when you search Bill Clinton:

Yeah, you can find some juicy stuff, and that is not good at all for the microblogging startup.

So what can you do if you have a protected Twitter account? Unfortunately, there is not much you can do until Twitter fixes this security hole. For now, don’t tweet anything sensitive if you have a protected account. We have informed Twitter of the issue and if there is any new information on this story, we’ll bring you the update.

Tags: twitter

Go to Source

Perhaps in light of over 20,000 email accounts including Gmail being recently compromised, Google thought it might be a good time to remind everyone about how to create a secure password.

Half the battle is being alert for signs of phishing — a method hackers use to trick people into sharing personal information including account passwords. The other half is starting with a strong password, and changing it to another smart password regularly — particularly if you have any suspicion your account might have been compromised.

To many of you these are probably old hat by now (and some of them are plain common sense), but in light of the recent successful scams that saw as many as 30,000 account details posted online, it might be worth a periodic review:

Use different passwords on different sites — After all, if you use the same login credentials for multiple sites and one gets compromised, they all are. Since many of us use umpteen web services daily, it’s worth checking out a good password manager tool to help you keep the all straight — and safe.

Don’t use common words or sequences — Simple dictionary terms or sequential numerical sequences won’t cut it. You should make sure your passwords are a mix of letters, numbers and symbols.

Don’t base passwords on personal data — Hackers often use “social engineering” techniques to greater effect than running actual lines of code. Since we routinely share various bits of personal data with others, things like pet names, middle names, birthdays and so on don’t make a good basis for passwords.

Don’t leave your password somewhere visible — If you simply must write it down, don’t put it on a post-it attached to your monitor. Relatedly, if you keep a list of passwords on your computer, name the file something more cryptic than “password file.”

Make sure your password recovery questions are also secure — Strong passwords that lack semantic meaning are unfortunately also easier to forget. Many sites allow you to reset your password over email or after answering one or more Security Questions you set up when creating the account. Make sure these aren’t based on common-knowledge personal data either — try to make them difficult to guess, and avoid any information you’ve posted publicly online anywhere as well.

What steps do you take to ensure the security of your online logins? Do you have any password or security tips to share? Let us know in the comments.

Tags: email, gmail, Google, passwords, phishing, security

Go to Source

Yesterday, it was revealed that 10,000+ Hotmail accounts were compromised and all of the usernames and passwords of these accounts were posted online. It was a major security and scam issue, but it was thought to only affect Hotmail users.

Unfortunately, Hotmail was only the beginning. Google has now confirmed that thousands of Gmail accounts were compromised by an “industry-wide phishing scheme.” According to the BBC, the login data of over 30,000 Hotmail, Gmail, Yahoo, AOL, Comcast, and Earthlink accounts have been posted online.

Google’s already taken action on the list, forcing password resets on the affected accounts. They also stress that it’s not a breach of security, but the result of certain users falling for phishing scams. The lists of emails have been removed from the web, but many scammers have surely downloaded these compromised lists by now.

Remember to protect your email accounts: change passwords frequently, check for any odd behavior, and never use the same password on multiple web apps.

Tags: aol, email, gmail, Google, hotmail, microsoft, Yahoo

Go to Source

As time goes on, it may become helpful or perhaps even necessary to use these tools for actual e-commerce. The common thinking behind social media marketing is that you don’t want to be too sales-pitchy in your conversations, and in some ways that is still very true. However, while social media is largely about conversations, it’s not only about conversations.

As time progresses, social media becomes a lot of things to a lot of people. We’ve reached the point where social networks are simply "where we hang out" online. People are not only having conversations. They’re sharing pictures. They’re playing games. They’re looking for information. They’re using social networks to help them make purchase decisions. Sometimes this is through conversation. Sometimes it’s as simple as being a fan of a brand’s Facebook page and receiving timely updates.

Has social media ever led you to an online purchase? Tell us about it.

Facebook has virtual currency, and is starting to open up possibilities for transactions for physical goods. Facebook Connect has just been made easier for webmasters to implement on their sites. That’s huge. As people spend much of their time on Facebook, they are pretty much relinquishing a certain amount of trust to the social network, whether they realize it or not (and whether they should be or not, but that’s another issue).

If your site is plugged into Facebook via Facebook Connect, and they can log in to your site to make purchases just by being logged into Facebook, they may not find themselves as concerned with security issues. Security concerns have long hindered the true potential of e-commerce, and as a result, plenty of trustworthy e-commerce sites have likely missed out on tons of sales, just because of the distrust of the method of purchasing in general.

Now I’m not saying that Facebook Connect is a sign of security. In fact, some might even suggest that it damages security, simply based on the fact that Facebook is often associated with security issues. I’m just saying, users are always signed in to Facebook anyway, and if they see your site is connected with Facebook, they may have no problems signing in with their Facebook info.

"Facebook Connect would allow you to go to a Website like Dell.com and authenticate yourself using your Facebook profile, allow your identity to be known and access your friends so you could spark up a chat," says Paul Dunay, Global Managing Dir. of Services, Social Marketing with Avaya in an interview with eMarketer. "So I could say, ‘Hey, Jeff, I’m looking at this new fancy laptop or this netbook. I heard you bought something. Would you recommend this to me?’

"So you could almost take your friends shopping with you. That is the potential with this example," he adds. "We’re in a period now where we’re all starting to get comfortable with Twitter and get comfortable with using Facebook and LinkedIn and a lot of these other tools, and now we’re about to expand." 

You want to stay relevant in real-time searches to stay current in people’s minds as well. It’s simple branding. That doesn’t mean you have to send out excessive tweets promoting your product. It is information that Twitterers often seek, and by simply discussing information, you’re brand is still visible, even if that information isn’t directly related to your brand. Read this for ways to optimize for real-time search.

Also be sure to watch this video where Sheila Dahlgren of Adobe gives some predictions for the e-commerce industry, which include behavioral targeting and personalization tactics.

What role do you think social media will play in e-commerce in the future? Share your thoughts.

Go to Source