Archive for March, 2013

Critical Updates for Windows, Adobe Flash, Air

March 12, 2013

Microsoft and Adobe each released patches today to plug critical security holes in their products. Microsoft issued seven update bundles to address at least 19 vulnerabilities in Windows and related software. Adobe released the fourth security update in nearly as many weeks for its Flash Player software, as well as a fix for Adobe AIR.

Microsoft today began pushing out seven security patches, four of them rated “critical,” meaning the flaws they fix could be used by malware or bad guys to break into unpatched systems with little or no help from users. The critical patches address bugs in Windows, Internet Explorer, Microsoft Silverlight, Microsoft Office and Microsoft SharePoint. Updates are available for Windows XP, Vista, Windows 7, Windows 8, and Windows Server 2003, 2008 and 2012.

More information on the Microsoft patches is available at the Microsoft security response center blog, which also discusses some changes to the way security updates are applied to apps available through the Windows Store.

The update from Adobe brings Flash Player to version 11.6.602.180 on Windows and Mac OS X systems (see the chart below for the most recent version numbers on other operating systems). This patch fixes at least four security flaws in Flash Player. Adobe says it is not aware of any exploits or attacks in the wild targeting the issues addressed in this update. But that could change soon, so if you have Flash installed (and most users do), please take a moment to update it.

This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware of potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Google Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.180 for Windows, Macintosh and Linux, although it does not appear that Google has pushed out this update yet. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, e.g.).

Finally, if you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is 3.6.0.6090 for Windows, Mac, and Android.
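The post tells readers to check that their installed Flash and AIR builds are at or above the patched releases. The script below is an added example, not code from the original post or from Adobe: it parses version strings (including the comma-separated form Flash itself reports, e.g. "WIN 11,6,602,180") and compares them numerically against the patched versions named above. The hostnames and the older version numbers in the sample inventory are constructed for the example. Numeric comparison matters here: compared as plain text, "11.6.602.98" sorts after "11.6.602.180" and would be wrongly reported as patched.

```python
"""Audit installed Flash Player / AIR versions against the patched releases.

Added example, not part of the original post. Version strings in SAMPLE are
constructed for illustration; only the PATCHED values come from the post.
"""

import re

# Minimum patched versions, as given in the post.
PATCHED = {
    "flash": "11.6.602.180",
    "air": "3.6.0.6090",
}


def parse_version(s):
    """Turn '11.6.602.180' (or 'WIN 11,6,602,180') into (11, 6, 602, 180).

    Every run of digits becomes one integer, so dots and commas both work and
    a platform prefix such as 'WIN' is ignored.
    """
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, product="flash"):
    """True if the installed build is at or above the patched release.

    Tuples compare element by element as integers, which avoids the string
    trap where '11.6.602.98' > '11.6.602.180' as text. A truncated string such
    as '11.6' compares below the full patched tuple, so it is reported as
    unpatched rather than silently passing.
    """
    return parse_version(installed) >= parse_version(PATCHED[product])


def audit(inventory):
    """inventory: iterable of (host, product, installed_version).

    Returns the entries that are still below the patched version.
    """
    return [
        (host, product, version)
        for host, product, version in inventory
        if not is_patched(version, product)
    ]


# Constructed sample inventory (hostnames and non-patched builds are made up).
SAMPLE = [
    ("ws01", "flash", "11.6.602.180"),      # current, patched
    ("ws02", "flash", "11.6.602.98"),       # constructed older build
    ("ws03", "flash", "WIN 11,6,602,180"),  # Flash's own comma notation
    ("ws04", "air", "3.5.0.1060"),          # constructed older AIR build
    ("ws05", "air", "3.6.0.6090"),          # current AIR, patched
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} is below {PATCHED[product]}")
```

Running the script prints the two constructed hosts that are still below the patched versions (ws02 and ws04); feeding it a real inventory exported from whatever asset tool you use gives the same check at scale.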

[Chart: Flash Player 11.6.602.180 version numbers by platform]

Yahoo Mail accounts still hijacked daily

March 7, 2013

Email account hijacking has been a big problem for Yahoo Mail users since the beginning of the year, as a number of vulnerabilities have been discovered, shared online and exploited by cyber scammers.

Yahoo has repeatedly claimed that the flaws were fixed, but the attacks go on and the number of hijacked accounts continues to be considerable.

The Next Web says that the spikes of Google traffic to its earlier items concerning the attacks are proof that the problem persists and that users are searching for explanations. Some of the affected users contacted the site directly, and it seems that not all of them can point to the likely method employed by the hijackers or the exact time when the hijacking occurred.

Some received booby-trapped emails (often seemingly from friends or colleagues) that contained links that directed them to a bogus news site that hijacked their Yahoo Mail account if they were logged in. Others say they never received a similar email but that, nevertheless, their accounts got taken over.

The attackers are mostly using the compromised accounts to send out spam to the users’ contacts and, indeed, to anyone from whom they ever received a message. Among this spam are also the aforementioned emails that permit cyber scammers to always access a fresh batch of accounts to continue the campaign.

But these hijacked accounts are not only a source of new potential victims. According to one of the polled users, they were offered a toll-free number that would supposedly lead to someone who could help them regain control of the account – in return for $100.

Yahoo says that it is “aggressively investigating reports of any email accounts exhibiting anomalous behavior,” so let’s hope we’ll see some results soon.

Tips to minimize the risk and impact of identity fraud

March 1, 2013

Last week, a Javelin Strategy & Research report found 12.6 million victims of identity fraud in the United States in the past year, which equates to 1 victim every 3 seconds.

They recommend that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach:

Prevention

1. Keep personal data private – Secure your personal and financial records behind a password or in a locked storage device, whether at home, at work or on your mobile device. Familiar fraud is a serious issue, with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features – When paying online, be sure you have a secure connection. Two ways you can recognize a secure connection are to look for “https” (not just http) at the start of the merchant’s web address, or for a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share – Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, ask for an alternative verification question.

Detection

4. Be Proactive – There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others – There is a wide array of services available to consumers who want extra protection and peace of mind, including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously – If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately – If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.