Archive for August, 2012

Security Fix for Critical Java Flaw Released

August 30, 2012

Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number of other potentially unpatched Java flaws.

The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.

The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.

Today’s patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It’s not yet clear how many of those vulnerabilities were patched in this release.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” Security Explorations CEO and founder Adam Gowdiak told The Register’s Neil McAllister. “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java [updates].”

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java, click here. If you’re not sure whether your system has Java installed or which version your computer may have, visit java.com and click the “Do I have Java?” link.

Windows users can grab the update by visiting the Windows Control Panel and clicking the Java icon (or searching for “Java”). From there, select the Update tab and the Update Now button. Note that the updater may auto-select a toolbar like the “Ask Toolbar”; if you don’t want that as well, de-select it before proceeding. Mac and Linux users can get Java 7 Update 7 from this link.

If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

August 29, 2012

Two-factor authentication is one of the best things you can do to make sure your accounts don’t get hacked. We’ve talked about it a bit before, but here’s a list of all the popular services that offer it, and where you should go to turn it on right now.
What Is Two-Factor Authentication?
Passwords, unfortunately, aren’t as secure as they used to be, and if someone gets your password, they can access your account with no problem. Two-factor authentication solves that problem.

Google’s spam guru, Matt Cutts, put it best: two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone). After you enter your password, you’ll get a second code sent to your phone, and only after you enter it will you get into your account. Think of it as entering a PIN, then getting a retina scan, like you see in every spy movie ever made. It’s a lot more secure than a password that anyone can hack, and keeps unwanted snoopers out of your online accounts.
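The “code generated by your phone” that the Google Authenticator app (named for several services below) produces is an RFC 6238 time-based one-time password. The following is an added example, not code from the original post: it generates the code the way the app does and shows a server-side check that tolerates one step of clock skew but rejects a replayed code. The secret and timestamps are the RFC’s published test values; the `TotpVerifier` class is an assumed illustration of the verifying side.

```python
"""RFC 6238 TOTP, as used by Google Authenticator: HMAC-SHA1, 30 s step, 6 digits."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code (Google Authenticator default)
DIGITS = 6      # code length (Google Authenticator default)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret a service shows as a QR code or text key."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that apps and sites often strip
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at // step)


class TotpVerifier:
    """Assumed server-side check: accept a code within +/- skew_steps of the
    current step, and never accept a step at or before the last one used,
    so a code captured by a snooper cannot be replayed within its window."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.key = decode_secret(secret_b32)
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // TIME_STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue  # already consumed (or older than a consumed code)
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_used_step = step  # consume this step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code right now:", totp(SECRET, int(time.time())))
    v = TotpVerifier(SECRET)
    t = 1111111109
    code = totp(SECRET, t)
    print(code, v.verify(code, t), v.verify(code, t + 5))  # accepted once, then refused
```

Scan the same secret into the Google Authenticator app and it will show the code that `totp` returns for the current time, which is the whole point of the “something you have” factor.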

Where Can I Use It?
Unfortunately, you can’t use two-factor authentication everywhere on the web just yet. But a lot of sites have recently implemented it, including many of our favorite services. Here are some services that support two-factor authentication, with instructions on how to enable it:

Google/Gmail: Most of us store a lot of information in our Google accounts, and you’ll definitely want to protect it by turning on two-factor authentication. You can learn how to do it here, or check out Google’s official documentation for more info.
LastPass: If you use LastPass to create, manage, and store your passwords for other sites (which we recommend you do), this is one of the most important services you should enable two-factor authentication for, since it stores your passwords for every other site on the net. It uses the Google Authenticator app for Android, iOS, and BlackBerry, and you can read up on how to enable it here. Alternatively, you can use one of these password management apps that sync them between computers with Dropbox (which also supports two-factor authentication, as described below).

Facebook: Getting your Facebook account hijacked could be more than a little annoying, and their two-factor authentication is super easy to use. You can find instructions on how to do it here.

Dropbox: Dropbox is useful for all sorts of things, not the least of which is storing your data and sending sensitive info across the internet. Do yourself a favor and enable two-factor authentication using these instructions. If you want another layer of extra security, you can do so by encrypting the contents of your Dropbox with TrueCrypt.

Some Microsoft Products: Microsoft hasn’t enabled two-factor authentication for Outlook yet, but some of its services—including Xbox Live, its Billing pages, and SkyDrive when you remote to another computer—require it by default. You can read more about it here. And, if you want better security for Outlook, know that Microsoft is currently working on a secure, easy way to strengthen your login.
Yahoo! Mail: If you’re a Yahoo user, you can enable their two-factor authentication for your mailbox.

Amazon Web Services: If you use any of Amazon’s web services, like Amazon S3 or Glacier storage, you can get the extra security of two-factor authentication via the Google Authenticator app for Android, iOS, and BlackBerry. It also supports Windows phone via the Authenticator app.

WordPress: If you don’t want anyone getting unauthorized access to your blog, WordPress also supports the Google Authenticator app for Android, iOS, and BlackBerry.

If you use any of these services, you should head over and enable two-factor authentication right now—it’s one of the best ways to keep your data (and, in many cases, your money) safe. Of course, you should also make sure you use a unique, secure password for each of your accounts, so if you don’t do that, now’s a good time to change that.

Firefox 15 Released

August 29, 2012

August 28, 2012: Mozilla today launched Firefox 15, boasting that users will see “drastic improvements in performance” because of new code that stops add-ons from leaking memory.

Download a Firefox that speaks your language:
http://www.mozilla.org/en-US/firefox/all.html

How to Unplug Java from the Browser

August 29, 2012

Below are instructions for unplugging Java from whatever Web browser you may use to surf the Web. These instructions were originally posted as a how-to in response to the constant news of Java exploits.

For Windows users:

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser.

Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type “Java”. A box labeled “Content settings” should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the “Disable individual plug-ins” link, find Java in the list, and click the disable link next to it.

Internet Explorer:

Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Response Team (US-CERT) lists the following steps, which may or may not completely remove Java from IE:

In the Windows Control panel, open the Java item. Select the “Java” tab and click the “View” button. Uncheck “enabled” for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:

Click the start key and type “regedit” in the search box. Double-click the regedit program file when it appears.

– Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example).

If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0 instead.

– Run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.

US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.

For Mac users:

Safari: Click Preferences, and then the Security tab (uncheck “Enable Java”).

Google Chrome: Open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing.

Firefox: Click Tools, Add-ons, and disable the Java plugin(s).

Critical Java 0-day flaw exploited in the wild

August 27, 2012

Researchers from security firm FireEye have discovered targeted attacks exploiting a zero-day Java vulnerability to deliver the Poison Ivy RAT onto the unsuspecting victims’ machines.

The vulnerability allows computers to be infected by simply visiting a specially crafted web page, and the malware served in the current attacks contacts a C&C server in Singapore.

The attacks are limited, but it’s only a matter of time until other cyber criminals create their own pages exploiting the flaw.

In the meantime, a module that takes advantage of it has already been added to the Metasploit Framework, and it works against a fully patched Windows 7 SP1 with Java 7 Update 6, Mozilla Firefox on Ubuntu Linux 10.04, Internet Explorer / Mozilla Firefox / Chrome on Windows XP, Internet Explorer / Mozilla Firefox on Windows Vista and Windows 7, and Safari on OS X 10.7.4.

Researchers from heise Security have also created a PoC page using information that is publicly available.

Oracle is yet to comment on the news, and to say whether it will break its scheduled quarterly patch cycle to issue a patch for the flaw.

In the meantime, users are advised either to disable or remove Java for the time being – or for good.

If you’re a Windows user and you have decided to disable Java, go to your Control Panel, select “Java”, and once the “Java Runtime Environment Settings” dialog box appears, select “Java” once again and uncheck the “Enabled” check box. Needless to say, if in the future you need to use Java again, go through the same steps and check the aforementioned check box.

To completely remove Java from your system, go to the Control Panel > Programs > Programs and Features, find Java, select it and press the “Uninstall” button.

New Adobe Flash Player Update Fixes 6 Flaws

August 21, 2012

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.3.31.230 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 3.4.0.2540. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.

If You Do One Thing Today To Improve Your Online Security, Do This

August 17, 2012

The week is winding down and we’re sure you’re getting excited for the weekend, so here’s just one, simple step you can take today to increase your online security:

Update the password for your email address, and make it a secure one.

It may be old advice for some of you, but if you’ve been putting off the process of strengthening your passwords, don’t delay any longer in making your email account’s password as strong as it can be. Do. It. Now.

Why? It’s a known tactic that hackers target sites with weaker security, then harvest email addresses and passwords that they can test against other, more popular (and important) sites. With rampant password reuse, this gives easy access to critical accounts where you’ve used the same login details. There has been an unending stream of database breaches in the last several months, and the login information for tens of millions of people has been posted on the web.

For most people, their email account is a window to their personal, financial, and even work life, so it’s critical to (1) use a unique password and (2) use as long and strong a password as you can manage, which means it can’t be guessed and isn’t dictionary-based.

LastPass can obviously help there, by generating a long, secure password for you, then remembering it so you don’t have to – it’s as easy as a few clicks. Now you really don’t have an excuse!

There are many more elements that go into being proactive about protecting your data, but it’s a good starting step. If you’re looking for even more ways to increase your online security, check out our round-up of security tips & tricks from the past week:

11 Ways to Make Your LastPass Account Even More Secure via How-To Geek
10 Online Security Tips for Gen Y via Mashable
Turn on Two-Factor Authentication via Lifehacker

And now you can relax just a little bit more this weekend!

Best,
The LastPass Team

Tips to keep kids safe online

August 16, 2012

Malware is just a step away when children click on games, free shoes, Justin Bieber videos or gift cards offered on social networks. Hackers use social engineering techniques to exploit kids’ curiosity and easily convince them to click on appealing surveys and videos. These may expose computers to malware, which grabs sensitive information and sends it to a remote machine controlled by cyber criminals.
Kids could also be lured to click on a malware-infected link if they try to install applications to check out their profile or photo visitors. With children keeping in touch with friends they rarely see over the school holidays, activity on Facebook, Twitter and other social networks increases. So does the danger of clicking on a malicious link unwittingly distributed by a friend.

Animated toolbars, free games, free movies, and free music that children search out on the internet can also lead to spyware, a type of malware that collects personal information from the device without the users’ knowledge. This could have serious consequences, particularly if it’s a shared device where parents store important data.

Android malware is another danger for children this summer and usually spreads in rogue applications that pose as legitimate. Depending on their age, children are most tempted to click on free or cracked malicious editions of the most popular Android games.

Identity Theft is another danger for kids on the Internet this summer. With an increasing number of kids shopping online and paying with their parents’ credit cards, phishing websites can easily persuade kids to send credentials directly into attackers’ hands. With the stolen data, phishers can empty bank accounts in seconds.

Though they only represent two per cent of all phishing websites, the sites most capable of tempting children are those that host games. The most targeted brands are Habbo, Blizzard, World of Warcraft, and Runescape, according to Bitdefender Labs.

Here are a few tips to keep kids safe online:

  • Talk to them about the main risks and consequences of using webcams, sharing personal information on chat rooms, social networks, and Instant Messenger, clicking on junk e-mails, unknown links or attachments.
  • Establish a regular, security-themed family gathering to learn together about malware, identity theft, cyber-bullying, cyber-baiting (when children provoke teachers to the breaking point, record the incident, then post it online), online sex predators, and social networking dangers.
  • Block inappropriate content with filtering software before kids see it. Monitor the websites children visit by checking the history feature on your browser or installing parental control software.
  • To keep track of your children and protect your computer, use antivirus software that includes parental control features. The software allows parents to receive extensive reports on their children’s Facebook activity, restrict web access to certain hours, protect them from real-world threats with GPS tracking, and more.
  • Do not let the child use the home PC with administrative privileges. This way, they can’t install applications on the machine, minimizing the risk of running infected or pirated applications.
  • Keep your Flash and Java installations up to date, as children’s favorite destinations, casual online games, make intensive use of these technologies, which are easy to exploit.

How to Ensure the Apple and Amazon Exploit Never Happens to You

August 8, 2012

Strong Passwords Aren’t Enough:

This weekend, former Gizmodo writer Mat Honan lived every tech geek’s worst nightmare: he got hacked, with all his accounts compromised and his computers wiped with no backup. The scary part: No “real” hacking was involved—all it took was a few support calls to Apple and Amazon and nearly all his most important accounts were compromised. Here’s everything you need to do now to keep this from happening to you.

What Happened

The person who hacked Mat’s accounts didn’t need to crack any passwords to get in. Instead, he used social engineering, manipulating both Apple tech support and Amazon into believing they were Mat (something that’s easier than you might imagine). Apple and Amazon only require limited, easily accessible information, including billing address, email, and the last four digits of a credit card (which sounds more difficult to access than it was) before allowing anyone to change or reset user accounts. Once the hacker had access to Mat’s iCloud account, he was able to get into Mat’s Gmail and other accounts, not to mention wipe his iPhone, iPad, and Mac, setting a PIN that kept Mat from recovering any of that data.

What happened to Mat was awful, but we should all take this as a cautionary tale to not only set up good security and backups, but to take heed of security flaws in services like iCloud. Here’s what you should do right now to protect yourself from a similar incident.

Audit Your Insecure Services (Like iCloud)

The biggest problem in Mat’s breach was that there were some serious security flaws in Apple and Amazon that let the intruder right into his accounts. In his Wired piece on the hack, Mat details some of the things you can do to avoid a similar issue with iCloud. Namely, you should create a separate Apple ID for your iCloud account, turn off remote wipe for your computers, and don’t attach your home address to anything public, like your personal domain name.

Takeaway lesson: Some services, like iCloud, don’t have the security features they should have. As such, make sure you don’t give them too much power, and don’t connect them with your secure accounts like Gmail—one weak link in the chain can bring everything crashing down.

Use Strong, Separate Passwords for Every Account

While it may not have helped Mat, everyone should still have a good password system set up. We’ve shown you how easy it is to hack a weak password, and if you use the same one everywhere—or even easy-to-crack variations—you’re screwed. Remembering 100 different passwords can seem tough, but it’s okay if you don’t know them off the top of your head—in fact, it’s more secure. Use a tool like LastPass (or one of these alternatives) to keep your passwords easily accessible from any of your machines, no matter how long or complex they are (but remember, multi-word phrases are actually the best password you can have).

Takeaway lesson: If you haven’t updated your passwords in awhile, take some time to audit and update your passwords now to get it all done in one fell swoop.

Enable Two-Factor Authentication to Ensure No One Gets In

Mat didn’t have his passwords “hacked” in the traditional sense of the word, so even with strong passwords, his accounts still would have been compromised. However, two-factor authentication could have stopped the whole thing from happening. Two-factor auth requires something you know (your password) and something you have (your phone), so when an intruder types in your password, she won’t be let in unless she also types in a code sent to or generated by your phone, which only you have.

Takeaway lesson: Set up two-factor authentication on every account you can, like Google, Facebook, and other high-profile services. It’s one of the best ways to protect yourself against any kind of breach.

Strengthen Your Password Recovery Options

Even if your passwords are different across all services, you’re done for if a hacker gets into your email. With access to your email, they can reset your password on any other service they want, which is why you should consider using a non-primary email address for password resets and other recovery options. Setting up a Gmail or Outlook account is free, and you can have as many as you want, so set up a new email address and change all your recovery options to go to that mailbox instead—if someone ever gets into your email, you’ll be glad you did.

You should also make sure your security questions aren’t easy for someone to answer. Anyone can figure out your pet’s name or high school mascot, so those won’t keep you safe. Instead, strengthen your security questions by adding extra words, picking out key words in the question, or shifting your hand on the keyboard. That way, they’ll truly become questions only you know how to answer.

Takeaway lesson: One of your biggest security flaws is probably in your password recovery method. Make sure your security questions aren’t easily answerable, and that your password resets go to a separate account designed for resets only.

Back Up Your Data

By far the worst factor in Mat’s breach was that he didn’t have any of his data backed up. He lost a year and a half’s worth of photos, emails, and documents when his computer was wiped, with no way to get it back. You’ve heard us say it a billion times, but if you haven’t started backing up your data, let this be a wake-up call: data loss can happen at any time for any reason, and you don’t want to be kicking yourself down the road. Take 30 minutes and set up a program like Crashplan, our favorite backup app for Windows, Mac, and Linux. When you’re done, you can just set it and forget it, and you’ll have that backup in case anything ever goes wrong.

If you don’t back up to the cloud (or you want a local backup as well), check out these recommendations from our friends at the Wirecutter. They have picks for external drives, cheap network drives, and full NAS solutions for all your home backup needs.

Takeaway lesson: Seriously, guys, back up your data. It only takes a few minutes to set up, and it’ll make sure you never lose your most important files.

Every major event is exploited by cybercriminals to deliver malware

August 8, 2012

The more people feel concerned with the event, the bigger the game and the easier the hoax.

You can group these past years’ major events into 3 categories:

1. Disaster relief (earthquakes in New Zealand and Japan, nuclear disaster in Fukushima, famine in Somalia…) – Cybercriminals will prey on the sympathy for the victims, using legitimate charity credentials to collect donations into accounts they control. These guys are looking for money, credit card numbers and personal details. So, if you want to donate, use the official Web site, or send your donation to the official offices; heck, you can even go to the offices. Just don’t reply to unsolicited emails.

2. Sporting events (FIFA EuroCup, 2012 Olympics) – Before, during and after the event come a flurry of scams ranging from fake game tickets, fake hotel rooms, betting scams, fake lotteries… cybercriminals are hunting for money and personal details. So, if you want the real deal, buy the real tickets, from the real official seller.

3. Celebrities (especially death) – Cybercriminals try to arouse base instincts by luring people in with gory and shocking video footage or pictures. The idea behind the scam is to steal credentials (especially on social networking sites such as Facebook), and/or install malware on your computer, thereby giving cybercriminals access to sensitive data and computer resources. So, if you want shocking images, rent a horror movie or just watch the news.

This year’s novelty is actually scammers using their own fake shortened URL services. Shortened URLs are increasing in popularity with micro-blogging and social networks. Unfortunately, they also turn out to be a very convenient tool for abuse. These URL shortening services don’t work like legitimate ones.

The spam emails contain a shortened URL created with a legitimate URL-shortening service. The link actually points to another shortened URL, but this time created using the spammer’s fake shortening service, which, in turn, redirects to the malicious website.

Spammers use this to better disguise their spam by giving it the appearance and functionality of a legitimate URL-shortening service: to better evade anti-spam filters and to better avoid disruption.