Archive for the ‘security’ Category.

Patch Tuesday – Microsoft Rolling Them Like There’s No Tomorrow

We already kicked off one heck of a security-minded year with a miasma of bad security in January. Now Microsoft is keeping that tradition alive just in time for Valentine’s Day with a Patch Tuesday chock full o’ love.

That’s right, this Patch Tuesday covers a lucky 13 security bulletins that close up a whopping 57 security holes. If you weren’t feeling insecure before, just think of how all of those vulnerabilities compromised your PCs. On the one hand it’s good that Microsoft is fixing these things. On the other hand, WTF?! 57?

From Internet Explorer (of course) to ActiveX DLLs (again, rather expected) to Windows kernel win32k.sys (doh!) this Patch Tuesday is a whopper that you really shouldn’t miss. Of course if you have automatic updates turned on, then you’re not going to miss it. Then again, if you find that sometimes the patch is worse than the bug, this is one you’ll want to keep apprised of.

Meanwhile Adobe Flash also recently released a patch and Java, well, those Java patches have been pretty half-baked and that mess is still trying to be sorted out while Oracle tries to convince the world to not just drop Java entirely from the web browser.

Security, gotta love it!

Insecurity: 2013

So the year has only just kicked off, and yet we’re already being scared shirtless by vulnerabilities, holes, and hacks in the wild.  Normally I’d have covered all of these in separate blogs, but because I’m playing catch-up after having eye problems, I get to mash them all up into one super-security warning. Let’s get down to utter chip-chilling tales of terror:

Microsoft

When it comes to security, Microsoft is always down in the dumps. This year starts off no differently. Not only has Microsoft’s Patch Tuesday nuked 12 vulns for us, which is quite a lot for a Patch Tuesday these days, but on top of that it doesn’t include one whopper of a security hole found this Holiday season in older versions of Internet Explorer that allows malware to be installed on a PC just by visiting a malicious (or hijacked) website. Microsoft released a temporary workaround for the vulnerability to IE6, IE7, and IE8, but that workaround has already been … worked around.  Oh the irony.  In the wild I might add.  So take it with a grain of useless rocks. Maybe it’ll be fixed next month, but not this one.

nVidia

While it shouldn’t really be a surprise to anyone that something as common as a graphics driver used by probably at least half of computers out there is a point of attack, it was something of a shocker to hear that you should immediately update to nVidia GeForce display driver version 310.90 right now to close the mother of all security holes allowing network attacks to gain super-user level access to your PC and to elevate privileges to lower-level access. Why would a graphics driver have that kind of a network bug in it? And why would a graphics driver allow you to elevate your access level? Goodness only knows. But if you’ve got nVidia graphics under the hood and you don’t update your graphics drivers this second, you’re sitting on a huge security hole.

EDIT: But be prepared for other problems with this driver update!

Adobe

Of course a lot of people choose not to use Adobe’s Acrobat Reader. Plenty have switched to third-party alternatives, such as Foxit. And now, they’re suddenly wishing that they hadn’t. Why? Well, as if Adobe software wasn’t bad enough when it comes to security, it turns out that Foxit has its own buffer overflow bug worse than anything from Adobe. It can’t handle very long query strings after a filename and can be used to overwrite the program’s memory to execute arbitrary code. Yes, that’s right, just opening a file with a maliciously crafted filename will allow Foxit to execute whatever code a malware author wants to. Oops. This is one time when Foxit is definitely not better than Adobe.

But fear not. Firefox is coming to the rescue. Usually when the words “Adobe” and “security” are used in the same sentence, it means trouble, but here’s one time when it doesn’t: Firefox is now including a PDF reader straight into their web browser using some fancy HTML 5 footwork. No more plug-in is needed to view a PDF file in Firefox, so you can kiss your Adobe plug-in (or even more dangerous Foxit plugin) goodbye and say hello to improved speed and security. Huzzah! I guess.  If you don’t actually use Firefox, well then, sucks to be you.  :p  Just kidding.  I’m sure everyone will be doing it before too long.  Except, perhaps, for Internet Explorer that is.

Java

Well, next up on the list of lowest common denominators in the security world is … Oracle.  Who doesn’t want some Java lovin’? Or perhaps in this case hatin’. A new Java zero-day exploit can compromise PCs, allowing a hacker to, you guessed it, execute arbitrary code, escalate privileges, etc. Basically any hacker can own your PC just by you visiting any malicious (or hijacked) website. At least assuming that you have Java enabled. It affects the latest and greatest Java 7 update 10 and prior versions and is being widely used in the wild. Hopefully Oracle will fix that up for us some day. In the meantime, time to turn off Java.  How many times have you heard that?  Why does anyone even have it enabled?

Ruby on Rails

And surprisingly, our last security warning of the New Year isn’t for Adobe Flash. Nope. It’s far worse than that. Ruby on Rails has been derailed! With two critical security vulnerabilities, anyone can perform remote code execution against any Ruby on Rails application that has the XML parser enabled. (Which just so happens to be the default setting, and for good reason as it is heavily used.) Which is bad enough. But these holes also allow hackers to run system commands on the server with the same privilege level as the application. So if you were wondering about how a hacker can hijack someone’s website to serve up all of those malicious web pages that can use those security holes in Java, Internet Explorer, etc. to infect anyone’s PC just by visiting the website, there you go.

Fortunately Ruby on Rails has been patched already and if you update to the latest version, you’re safe once more. But the key there is “if”.

Conclusion

So all in all, this 2013 year has sure started out with a bang! Insecurity: 2013 reminds us once again that security is far from a given. Take it seriously and get updating!

Rant – FISA – We The People Are Still Enemies Of The State

Normally I avoid politics like the plague because opinions are like asterisk-holes, yada yada.  But this time I’m irked too much to stay quiet.

Looking forward to the expiration of the FISA Amendments Act of 2008? Well … don’t hold your breath.  “We the people” are still considered to be enemies of the state by our own government.

That’s right. The Orwellian law passed by the Bushies that makes wiretapping and other related spying on US citizens legal without a warrant and gives telecommunications companies a free pass from prosecution for any participation was supposed to expire … but it didn’t.

Yep.

O-Lame-A, just as uninterested in protecting Americans’ Fourth Amendment rights from unreasonable searches and seizures as Dubya ever was, has signed the bill extending the FISA Amendments Act of 2008 all the way out to 2017. And without even bothering to add any of that much-needed oversight, transparency, or privacy protections to spying on our own citizens. The House and Senate both having already given it the green light, that means it’s officially law now with no one bothering to oppose it in today’s world of Fear, Uncertainty, and Doubt.  To think FUD used to be a four-letter word.  Now it’s just SoP for our government.

It’s ironic that the Foreign Intelligence Surveillance Act, passed in 1978 as a response to Nixon-era spying on those darned hippies and other subversive countercultures in the US, an act instituted into law meant to protect us from Big Brother after rampant abuses of power were revealed to have taken place, has been turned right around to the exact opposite in the Bush era … and now continued in the Obama era.

It just goes to show that any rights granted by our constitution can be taken away when our own government stops caring about We The People.

After all, why bother protecting society from unreasonable searches and seizure when there are terrorists out there? Heaven forbid the Alphabet Soup or law enforcement be bothered to actually obtain a warrant so that reasonable people can prevent severe abuses of power. Naw. That takes actual effort and we can’t have little things like evidence or due process interrupting the US government’s search for “justice”.  Just throw all rational thought away. We don’t need it anyway. We have Zero Tolerance. Why bother thinking (or dare I suggest proving) when you can just abuse so much more easily? Rational thought just slows us down.

Sure, we could always have gotten wiretaps and surveillance in the past when we had those little things like compelling evidence. But who has the time for all of that reasonable stuff like, you know, police work.

Maybe next we can mandate public GPS chipping as part of our Social Security services. After all, we just signed on for another five years of our government using our own phones and webcams to spy on us in our own homes. What’s a little GPS tracking. Oh, right, they don’t need to do that since we pretty much always have a cellphone in our pockets anyway, and we already require GPS for pinpointing the locations of 911 calls from mobile phones. Which, also, happens to fall under wiretapping.

So we might as well just repeal the whole Fourth Amendment anyway. Who needs those lousy rights in the first place? They just get in the way and we’ve bypassed them all now anyway. Darn hippies and their free-thinking idealism have no place in this country. Let them move to Canada or something. The only thing the Bill of Rights is good for is wiping your behind on, right?

Apparently that’s what Obama and Bush think. As do the incredible vast majority of our elected officials in the Senate and the House of Representatives. They’re the ones signing this s__t into law after all.

And just as apparently, us, since we’re the ones who voted for them, right?

Or is it possible, just ever so slightly possible, that our electoral system no longer empowers individuals to represent We The People, and has in fact become a tool used against us?

Uh oh. And I just said all of this on a computer?! OMG! I betcha I’ve got my very own wiretap now!

Technology. It’s neat. But just because it can be used for something doesn’t mean that it should. In this era of so much being capable of being recorded on our little gizmos and gadgets with the greatest of ease, maybe it’s not exactly the best time to be handing over unreasonable power to governmental authorities to use every last recording capability of those devices against us without any supervision thereof, or for that matter shred of evidence of illegal activity or even the suspicion of whatsoever. Hmm?

Naw.

That’s crazy talk!

After all, if I’ve done nothing wrong, then I’ve nothing to hide, right?

It has nothing whatsoever to do with rights. Or due process.  Or any semblance of privacy whatsoever. Or for that matter being just plain creepy.

The next time you run around in your underwear with your laptop turned on, even if you left your webcam off; the next time that you’re talking with a friend about your secret plot to choke Bush to death with a pretzel being foiled by a simple glass of water while your cellphone sits happily in your pocket; remember: They are watching you.  They are listening to you. Every conversation, every minute, of every day, they can legally spy on you, an upstanding citizen who has done absolutely nothing wrong, using your own phones against you, whether you’ve got your phone turned on or not. Without any regulation. Without any oversight. Without any transparency. Without even so much as a simple warrant. And they just extended the law that makes it legal for them to do so for another four years of fun. Yippee!

Sleep well.

Gee, I wonder why more news agencies aren’t covering this story. Hmm…

That’s what really bugs me.  If I didn’t read European media, I never would have even known.  Warrantless wiretapping had been highly controversial under Bush, and so many had proclaimed that this kind of abuse of power under Dubya had to be stopped.  But now under Obama it has been rubber-stamped in veritable media silence.  Not just rubber-stamped.  Heck, the darned thing was supposed to expire!  But Obama, The House, Senate, they all just happily extended this rampant abuse of power to deny us rights like we’re living in a totalitarian regime.  This isn’t f___ing China!  This isn’t Cuba!  This is the United States of America!  Oh, how we have fallen.

Basic human rights?  Apparently we don’t need – nor even care about – those anymore.

I’m sorry.  You can brand me whatever dangerous free-thinking rebel synonym label you like, but this just isn’t right.  It just isn’t sane.  Not only should this not be happening now that Dubya is out of office, but this should be big news!  People should care!

Maybe the world really is coming to an end.  We all knew that the whole Mayan calendar thing was superstitious horsehockey.  But maybe the world really is about to collapse when the countries that are supposed to be standing against these kinds of abuses of governmental power are the ones passing laws like this without anyone even so much as flinching.  Something is most definitely wrong in the world.  Even if it isn’t ending, maybe it’s time that it should.

Satnav Tech – Sometimes Choices … Aren’t

Don’t Trust GPS? Try BDS! (Or … Not.)

The Global Positioning System (GPS) is, I would say, fairly well known by now, it being really the only way for us non-military folk to navigate throughout the world by satellite.

Or, at least, it was.

Now there’s a new player in town!

Yes, for those of you who don’t trust Uncle Sam (or is that Big Brother?) looking down on your every move through GPS, there’s a new player to the market: BDS.

The BeiDou Satellite System (BDS) is also officially known as Compass, a nice friendly-sounding GPS alternative. Err … that is … if you trust China’s government with your every move.

Okay, so maybe not so much of an improvement to most of the world then…

Which is okay really, as technically speaking, BDS doesn’t actually quite yet cover the whole of the world anyway. Or, really, much of anywhere outside of China.

GPS requires a minimum of 24 satellites to cover the world. There are actually somewhere around 30 GPS satellites in the sky. The number is somewhat debatable as not all of the birds are exactly 100% operational, and it being a government project, it frankly wouldn’t surprise me if there aren’t more military-only satellites supporting GPS for missile launches and such up there as well. But black ops aside, we have enough GPS satellites to get the job done for civilians the world over. Literally.

Whereas BDS, China’s official launch of Compass, the second stage of their satnav, only has a handful of birds in the sky, making coverage rather limited … if global is what you seek. Allegedly it works a right treat in China though.

Which is its purpose after all.

Technically speaking, alternatives to GPS aren’t new. A lot of countries aren’t exactly kosher about Uncle Sam being able to theoretically deny GPS service to anyone at any time. It could put a serious crimp into things like smart missiles and other military operations should the US decide to not support your GPS-based weapons anymore. And goodness knows what the US government could be doing to abuse the information available to them through GPS tracking. Hence the Russian military was the first to create their own GPS-alternative. During the cold war the Soviet Global Navigational Satellite System or GLONASS was operational to Russia’s military. In modern times however it’s fallen apart from disrepair, like so many things, and even though there’s a push to bring it back to life, reports are that it’s not exactly fully operational just yet. And certainly not available to civilians. Though it does allegedly have over 20 satellites in its network. (Though how many of those are fully working is anyone’s guess.)

Likewise over in Europe certain governments in the European Union unhappy with US control of GPS have launched their own satellites into orbit in the Galileo project. There are only three so far, but the Galileo program was designed to augment GPS instead of replace it, the intent to make hybrid devices. After all, if you can’t work with your allies, who can you trust? (You hear that you Frenchies? :P )

But China’s BDS is just not as much of a team player. Or perceived to be as safe, in an already trust-challenged market.

Will the BeiDou Satellite System gain your confidence? Unless you’re Chinese, I doubt it. (Actually, possibly even less if you are Chinese, if you happen to be a dissident, or one of those darned Tibetans like the Dalai Lama who just won’t accept Chinese rule.) Though certainly with the great rise in Chinese production and consumerism lately, that may not matter. The BDS will certainly have its own supportive market in China, if not throughout other Asian markets as well. Politically and geographically, potentially the Chinese BDS and the Russian GLONASS could even become merged much like the USA’s GPS and EU’s Galileo.

But the big question is, what of the cheap little electronic gizmos imported from Asia? Will many of our cellphones, laptops, and tablets now come with BDS instead of GPS? Will we be forced to choose? (Or forced to look very closely at product specs?) Or worse, will hybrids combining GPS and BDS become a new norm now that BDS has officially become available to civilian markets? (And for the conspiracy theorists out there: will they be hybrid devices whether we know it or not, secretly spilling the beans to the Chinese government through alleged GPS-only devices?)

In a time of great mistrust and greater political shenanigans and chest-beating, goodness only knows what the future of BDS holds in the hands of civilian markets.

One thing however is for certain: whether in the sky, or the massive army of location-refining supportive posts on the ground, GPS is certainly going to be hard to beat. It’s entrenched, and it has been repeatedly refined. So don’t toss out your GPS-based satnav just yet. ;)

Android Virus Alert – Tis The Season … To Spambot

SMS text message spam has been greatly increased in the US thanks to an Android Trojan horse that infects your phone and turns it into a spam-bot. The Trojan in this case is SpamSoldier, and it’s allegedly the first such spambot for Android phones and tablets. Whilst other spam bots have infected PCs to send text messages, this is the first SMS-happy spammer to infect Android phones. Thus reiterating my previous warnings that the more a smartphone becomes like a computer, the more viruses will be problematic for smartphones. It’s just the nature of the beast.

In this particular case, SpamSoldier likes to send out SMS messages enticing people to visit web links where they can snag games like Need for Speed: Most Wanted and Angry Birds Space. But, of course, that’s not all that you’re getting, even if the installer app does often times actually give you a free version of the game. That installer also gives you a virus, turning your Android device into an SMS-spewing monster. Which, of course, includes sending other people those same SMS messages that tricked you into downloading it in the first place. And thus it spreads.

It also provides the virus writer with a means to send out other SMS spam for free, which has been used for phishing attacks and other nefarious “fun” and profit. But not profit for you, because you’re the one paying for the SMS text messages that are annoying everyone else. Hope you have an unlimited account.

Antivirus packages, such useless things as they tend to be on phones so far, have as of yet not caught a darned instance of SpamSoldier. Sometimes I wonder why anyone even tries. What good is an antivirus package that doesn’t catch viruses after all?

Admittedly, so far SpamSoldier isn’t exactly spreading like wildfire. It’s not exactly “out of control” as good viruses tend to get. Though perhaps that’s part of the problem, that it’s staying under the radar enough so that people aren’t taking it seriously.

In any event, consider yourself warned. If you want an app, get it from the proper marketplace, not from an unrequested SMS message. (Seriously people. It’s just like email. If you weren’t expecting it and the source is sketchy, don’t go all click-happy! Just delete it.) And if you own a smartphone, or plan to in the future, remember: the more it’s like a PC, the more it’ll get nasty viruses. So far security downright sucks on smartphones. Keep that in mind as you happily enter personal information into them. The more connected a gizmo is, the less secure it is. And you don’t get much more connected than a smartphone. So the next time you get a message for a deal that’s too good to be true, please, practice safe text.