• CNET
  • All Security posts

Security

Ten simple, common-sense security tips

A friend took me to task last week for a post I wrote back in January on preventing Google from tracking you when you search. His alternative solution: "Just use Bing."

That got me thinking about other no-brainer approaches to security that thumb their noses at the conventional (and often convoluted and time-consuming) advice of the experts.

Search without footprints via the 'other' search engines Truly anonymous Web surfing requires the use of a VPN service that blocks your IP address as well as other personal information. (For more on VPN, see the tip below.) If you simply … Read more

Lookout fires off Signal Flare in big update

Staying ahead of the curve has been a hallmark of Lookout Mobile Security (download), one of the few Android-only security companies to gain a loyal fanbase on Google's mobile platform, and today they've released a major update.

The key feature improvements in the refreshed Android app are a new feature for tracking lost phones with low battery and a dialer-scanner to prevent Dialer app attacks like the one that reared its head in September. The threat was no mere digital crank call. Had you tapped the link and dialed the malicious number, it could remotely wipe your phone. … Read more

Symantec: Russian criminals sell Web 'proxy' with backdoors

A black hat Russian operation has served malware to hundreds of thousands of users a year who thought they were signing up for a paid proxy service, Symantec said today.

The security company said in a blog post that it has linked the malware to a cluster of Russian Web sites -- including one called Proxybox.name -- that claim to provide proxy access, VPN services, and antivirus scanning. Proxybox.name requires users to download what it calls "functional, simple, and convenient" proxy software.

Vikram Thakur, principal manager at Symantec Security Response, told CNET this afternoon that:

What … Read more

Microsoft acquires security authentication provider

Microsoft announced today that it has bought PhoneFactor, a provider of multi-factor authentication.

PhoneFactor offers organizations different ways for their employees to access key software and services without relying just on passwords or security tokens. The company's specialty is phone authentication, but it also provides authentication through text messages.

Timothy Sutton, PhoneFactor CEO, described the concept in a blog, saying that "when we initially launched PhoneFactor, we had a vision to deliver strong authentication as a seamless part of almost every process where an individual needs to access confidential or proprietary data." He added that "phones … Read more

Middle East cyberattacks on Google users increasing

Here we go again.

Three months after it first began warning users of state-sponsored cyber attacks, Google is saying that the assault has only intensified.

The New York Times reports that since it began warning users of state-sponsored attacks, "it has picked up thousands more instances of cyberattacks than it anticipated." Many of the attacks appear to be originating in the Middle East.

Starting on Tuesday, the company began inserting a message at the top of affected users' Gmail inboxes: "Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.

The attacks affect … Read more

Regulators shut down global PC 'tech support' scam

Regulators from five countries joined together in an operation to crack down on a series of companies they say orchestrated one of the most widespread Internet scams of the decade.

The U.S. Federal Trade Commission (FTC) and other international regulatory authorities today said they shut down a global criminal network that allegedly bilked tens of thousands of consumers by pretending to be tech support providers.

FTC Chairman Jon Leibowitz, speaking during a press conference with a Microsoft executive and regulators from Australia and Canada, said 14 companies and 17 individuals were targeted in the investigation. In the course of … Read more

Microsoft settles botnet case against Chinese site

Microsoft reached a settlement in its legal case against a Web site that has been linked to malicious activity, with the Chinese company agreeing to block malware tied to its domain.

The software giant, which originally filed the suit about two weeks ago, said today that the operator of 3322.org, Peng Yong, has agreed to work with Microsoft and the Chinese Computer Emergency Response Team to block all malicious connections to the 3322.org domain and prevent malware infections associated with the site.

The 3322.org owner will direct all subdomains identified in a "block-list" to a … Read more

How to disable Java in IE, Firefox, Chrome, and Safari

Last week's notice by researchers at Security Explorations of an unpatched hole in the Java runtime environment may have left you wondering whether to disable Java until Oracle releases a patch. CNET's Topher Kessler noted in his report on the Java flaw that no malware exploiting the vulnerability has yet been documented.

Which leads to the question, "Do I need Java?"

The best way to find out is to disable Java in your browser and re-enable it only if you encounter a site that prompts you to download Java before it will open. Then you can … Read more

Security hole exposes Twitter accounts to hacking, victim claims

Twitter users -- especially those with desirable handles -- risk having their accounts stolen, according to one recently hacked user who says there's a fundamental vulnerability in the service's security system.

According to Daniel Dennis Jones, whose account, @blanket, was recently hijacked, Twitter's password reset process allows hackers to attempt a more wide-ranging brute force approach to breaking into accounts than other services with more restrictive systems.

In a lengthy write-up of his recent experience, Jones says he discovered that the security system Twitter employs limits log-in attempts by IP address, rather than by account, meaning that … Read more

White House confirms 'spearphishing' intrusion

The White House has confirmed that one of its internal computer networks -- reportedly a military office in charge of the president's communications -- has been targeted in a successful "spearphishing" attack.

An article yesterday published by the conservative FreeBeacon.com Web site said that hackers with ties to China's government had recently breached an unclassified "system used by the White House Military Office for nuclear commands," including the so-called nuclear football.

Spearphishing means an attacker is targeting a specific person or group, typically by sending fake e-mail that masquerades as legitimate correspondence.

The … Read more