Archive for 'Security'
Apple pushes insecure web browser on computers
Posted on March 31, 2008, under Current Events, Security, Web Dev/Tech.
Apple pushes Safari on Windows via iTunes updater (posted 3/21)
Apple has started offering Windows users its Safari 3.1 Web browser through the same online updater it utilizes for iTunes and the QuickTime video player.
Not just offering, but pushing. As in, you must manually uncheck the install or ignore it, or Safari will be installed the next time you run the updater to bring your iTunes up to the next release.
MacBook Air hacked in security contest (posted 3/27)
A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.
Bad decision, Apple. I don’t want that accidentally pushed out on my machines, or any of the family members I help support.
If you want to prevent this from happening on your machine when you run the Apple updater, make sure the Safari option is checked, and then in the top menu, select “Tools > Ignore selected updates”.
Hiding Wireless SSIDs
Myth vs Reality. Hi Jeff!
10 things to know before you register a domain name
Posted on June 28, 2007, under Security, Web Dev/Tech.
Sometimes I get asked what is involved in registering a domain name, and is there anything to be careful of. I just ran across this site which does a good job of listing out most of the concerns to watch for when choosing an organization to register a domain name with:
10 things you MUST know before you register a domain name with anyone
Firefox Extensions Auto-Update Vulnerability
CyberNet News has the description for how someone can attack your Firefox browser using auto-updating extensions as the attack vector:
A new Firefox vulnerability has been discovered, and this time it is quite a doozy. It affects many different extensions including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker.
Google: Total Information
Google’s goal to organise your daily life
Eric Schmidt, Google’s chief executive, said gathering more personal data was a key way for Google to expand and the company believes that is the logical extension of its stated mission to organise the world’s information.
Asked how Google might look in five years’ time, Mr Schmidt said: “We are very early in the total information we have within Google. The algorithms will get better and we will get better at personalisation.
“The goal is to enable Google users to be able to ask the question such as ‘What shall I do tomorrow?’ and ‘What job shall I take?’”
Dear Google, should I switch search engines?
Windows Activation Virus Alert
Check out this post about a Windows Activation Virus. The virus spoofs the Windows Activation screens, and asks for credit card information to activate Windows. Pretty convincing screens.
QuickTime 7.1.5
QuickTime 7.1.5 has been released, which addresses about eight security vulnerabilities, so you might want to upgrade to the new version.
Secunia Software Inspector
For the last year or so, I’ve used Secunia to keep track of the latest software vulnerabilities that have been discovered. Recently, they released a new, free web-based service called the Secunia Software Inspector. The tool will scan your computer for software that has reported vulnerabilities, and it tells you what to do to update your software or address the issue. I don’t know how comprehensive its software list is, but it seems to at least catch major browsers, plug-ins and e-mail clients.
On both my work and home computers, the scanner let me know of a vulnerability for the installed version of Apple QuickTime, as well as remnants of old, troublesome Adobe Flash installs. I did end up having to go research how to remove old versions of Flash player on my own though. It’s helpful to note Adobe provides a global Flash uninstaller.
The Software Inspector is by no means a replacement for a good anti-virus package or firewall, but it is a nice free service to help keep your machine a little more clean and secure.
Trillian Basic 3 - Fake password security
For a while now, I’ve used the Trillian Basic instant messaging client, since I have contacts on Yahoo, MSN/Live, and AIM. There have been times when entering the startup password for Trillian, I thought - “Ooops, I fat-fingered that”, only to have Trillian continue to log in. I would shrug and move on, thinking I must have typed it correctly. Yesterday, I was logging into Trillian, and knew that I fat-fingered the password - and Trillian logged in! No errors! Hrmm.. So I did a couple of tests:
- I used a completely bogus password - Trillian started right up.
- I tried no password, and yep, Trillian logged right in, no problems.
So the password prompt in Trillian is useless for security as far as I am concerned. This makes me highly question my continued use of Trillian. Does anyone else notice this with their install of Trillian? I’m using Trillian Basic 3.1 (build 121). In the meantime, I’m thankful I have Trillian and its data saved in a TrueCrypt encrypted volume. That still retains some of the security I was assuming was there in the first place.
Evil Firefox Extensions
The Symantec Security Response team writes about the existence of Firefox extension malware in the wild. I had already pruned some of my installed extensions after reading about memory leaks, slowdowns, and conflicts caused by some. (See the section entitled “Problematic Firefox Extensions”.) You may want to go through your extension list, and ask yourself if you really want/need that extension. It may not be malware, but it may be a performance drain on your browsing experience.
I’m still waiting for the first report of a ‘mainstream’ extension that will be found to have rogue code in it. It will happen.