Mozilla Releases Firefox 11, Fixes Pwn2Own Bug
Mozilla has released Firefox 11 and acknowledged that the security vulnerability that a pair of researchers used in the Pwn2Own contest last week was one that the company already was aware of and working on repairing.
The bug that researchers Willem Pinckaers and Vincenzo Iozzo used to compromise Firefox during Pwn2Own was a "memory safety" issue in the array.join function, Mozilla said. The company said on Monday that it was planning to delay the release of Firefox 11 in order to get the details of the vulnerability from TippingPoint's Zero Day Initiative, which runs Pwn2Own, and also to ensure that the patches released by Microsoft on Tuesday wouldn't cause any unforeseen issues with the new version of the browser.
But once the details of the ZDI bug came in, Mozilla officials realized it was one of the vulnerabilities that they already were planning to fix in Firefox 11 and went ahead with the release Tuesday afternoon.
"The security bug reported by ZDI is one we had already identified and fixed through our internal processes. This eliminates the need for us to delay this week's releases, and we will be shipping them later today. However, in order to understand the impacts of Microsoft's "Patch Tuesday" fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we'll push automatic updates out to all of our users," Johnathan Nightingale of Mozilla said in a blog post.
Continued: http://threatpost.com/en_us/blogs/mozilla-releases-firefox-11-fixes-pwn2own-bug-031412
Firefox related: Firefox 11 released with Style Editor and 3D DOM viewer
Dell acquires SonicWall, beefs up security software
"With the acquisition of SonicWall, Dell delves into the security software market a bit more"
Dell acquired firewall and security software company SonicWall as it moves to build out its software portfolio.
Terms of the deal, which is expected to close in the second quarter, weren't disclosed.
The acquisition - the second since Dell named former CA CEO John Swainson head of a new software unit - gives the company complementary assets to go with its SecureWorks services effort and Kace patch management. Last month, Dell bought AppAssure for backup software.
On a conference call with analysts, Dave Johnson, senior vice president of corporate strategy at Dell, said the company has been bolstering its software intellectual property and combining it with services and hardware. He added that the SonicWall acquisition will be accretive to earnings in the second half.
Swainson on the call said Dell will outline its software strategy in detail at its analyst meeting in June.
Here's how the parts will fit together with Dell's security portfolio.
Continued: http://www.zdnet.com/blog/btl/dell-acquires-sonicwall-beefs-up-security-software/71433
Dell to Acquire SonicWall to Expand Network-Security Tools
Dell acquires firewall maker SonicWALL
Dell buys network security company SonicWALL, adds nearly 1,000 employees
BBC suffers cyber-attack following Iran campaign - chief
"The BBC has suffered a sophisticated cyber-attack following a campaign by Iranian authorities against its Persian service, director-general Mark Thompson said on Wednesday."
Thompson also reported attempts to jam satellite feeds of the British Broadcasting Corporation services into Iran and to swamp its London phone lines with automated calls.
In extracts from a speech he will make later on Wednesday, Thompson stopped short of explicitly accusing Tehran of being behind the cyber-attack, but he described the coincidence of the attacks as "self-evidently suspicious".
Last month, Thompson accused Iranian authorities of arresting and threatening the families of BBC journalists to force them to quit the Persian news service.
"It now looks as if those who seek to disrupt or block BBC Persian may be widening their tactics," he said in the extracts of his speech, which the BBC released in advance.
"There was a day recently when there was a simultaneous attempt to jam two different satellite feeds of BBC Persian into Iran, to disrupt the Service's London phone-lines by the use of multiple automatic calls, and a sophisticated cyber-attack on the BBC," he said.
Continued: http://www.reuters.com/article/2012/03/14/iran-bbc-idINDEE82D00220120314
From the BBC: Cyber-attack on BBC leads to suspicion of Iran's involvement
Security experts will tip consumers to cyber fraud
Internet security experts have set up a system to alert Americans when sensitive personal information such as social security numbers and online banking log-in credentials turn up in the hands of cyber fraudsters.
AllClear ID, an Austin, Texas-based company that provides identity theft protection, is offering the free service with help from the non-profit National Cyber-Forensics and Training Alliance. The NCFTA collects information on identity theft cases from member organizations that include law enforcement agencies, big Internet retailers, banks and computer security companies.
NCFTA members will pass on information about fraud that they suspect, witness or prevent directly to potential victims who sign up for the service from AllClear ID.
Consumers can enroll in the service, which is available over the web as well as through an iPhone app, at www.AllClearID.com.
Get Notified When Hackers Get Your Data
A new iPhone app launched today will add a serious - but hopefully infrequent - note to the notifications that set your handset buzzing. AllClear ID will let you know when the FBI or other investigators have found your data in the hands of cyber criminals.
Stories like the spectacular data breach that befell Sony last year mean that most of us now understand that cyber criminals actively access and trade our personal data. A less well-known consequence is that increasing volumes of it - credit card details, social security numbers and online accounts - are also passing through the hands of investigators from organizations like the FBI.
They've traditionally used it only as evidence to help catch crooks. AllClear ID has now set up an agreement that allows the FBI and other organizations affiliated with the National Cyber-Forensics and Training Alliance (NCFTA) to inform people when their data is found in the wrong hands. The NCFTA is a group through which law enforcement, academic and private security experts work together to share information about cyber threats. You must be signed up to AllClear ID's free service, available online as well as through the company's new app, to benefit from that new agreement.
"Being able to notify people their data has been found is the piece that's been missing," AllClear ID's founder Bo Holland told me yesterday. "Let's say a researcher working for PayPal to combat a botnet," he said, "when he finds your credit card information you'll know about it."
Continued: http://www.technologyreview.com/blog/editors/27644/
Geotagging poses security risks
"Is a badge on Foursquare worth your life?"
The question was posed by Brittany Brown, social media manager of the Online and Social Media Division at the Office of the Chief of Public Affairs. It may sound outlandish, but in the age of social geotagging, it can be a reality.
There are a number of location-based social media applications and platforms, including Foursquare, Gowalla, SCVNGR, Shopkick, Loopt and Whrrl, currently on the market. They use GPS features, typically in the user's phone, to publish the person's location and offer rewards in the form of discounts, badges or points to encourage frequent check-ins.
Security risks for the military:
A deployed service member's situational awareness includes the world of social media. If a Soldier uploads a photo taken on his or her smartphone to Facebook, they could broadcast the exact location of their unit, said Steve Warren, deputy G2 for the Maneuver Center of Excellence, or MCoE.
"Today, in pretty much every single smartphone, there is built-in GPS," Warren said. "For every picture you take with that phone, it will automatically embed the latitude and longitude within the photograph."
Continued: http://www.army.mil/article/75165/Geotagging_poses_security_risks/
Related: US Army: Geotagged Facebook posts put soldiers' lives at risk
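The latitude and longitude Warren describes are written into the photo's Exif APP1 segment, in a GPS sub-IFD, which is why a check before posting is cheap. The following dependency-free Python is an added example, not code from the Army article or any site linked in this thread: it reads those GPS tags, strips the whole Exif block so a shared copy carries no coordinates, and builds a constructed sample JPEG shell (the `build_sample_jpeg` helper, its coordinates and every function name here are assumptions for the demo, not a real photo).

```python
import struct

def _segments(jpeg):  # yield (marker, start, end) for each marker segment before Start Of Scan
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length counts itself
        yield jpeg[pos + 1], pos, end
        pos = end

def find_gps(jpeg):
    """Return (lat, lon) in decimal degrees if an Exif APP1 segment holds GPS tags, else None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[start + 10:end])
    return None

def _gps_from_tiff(t):
    e = "<" if t[:2] == b"II" else ">"  # byte order from the TIFF header
    rd = lambda fmt, o: struct.unpack(e + fmt, t[o:o + struct.calcsize(e + fmt)])[0]
    ifd = lambda o: {rd("H", o + 2 + 12 * i): o + 10 + 12 * i for i in range(rd("H", o))}  # tag -> value field
    ifd0 = ifd(rd("I", 4))
    gps = ifd(rd("I", ifd0[0x8825])) if 0x8825 in ifd0 else {}  # 0x8825 = GPSInfoIFDPointer
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatitudeRef, Latitude, LongitudeRef, Longitude
        return None
    def dms(field):  # three RATIONALs (deg, min, sec) at the offset held in the value field
        n = struct.unpack(e + "6I", t[rd("I", field):rd("I", field) + 24])
        return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
    lat = dms(gps[2]) * (-1 if t[gps[1]] == ord("S") else 1)  # ASCII ref is stored inline
    lon = dms(gps[4]) * (-1 if t[gps[3]] == ord("W") else 1)
    return round(lat, 5), round(lon, 5)

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 (Exif/XMP) segment dropped, so no coordinates leave with it."""
    segs = list(_segments(jpeg))
    kept = b"".join(jpeg[s:e] for m, s, e in segs if m != 0xE1)
    return jpeg[:2] + kept + jpeg[(segs[-1][2] if segs else 2):]

def build_sample_jpeg(lat, lon):
    """Constructed sample: a JPEG shell holding only an Exif APP1 with GPS tags (no real image data)."""
    def rat3(v):  # |v| as degrees, minutes and hundredths of a second: three unsigned RATIONALs
        d, m = int(abs(v)), int((abs(v) % 1) * 60)
        return struct.pack("<6I", d, 1, m, 1, round(((abs(v) % 1) * 60 - m) * 6000), 100)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val  # one 12-byte IFD entry
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"  # GPS IFD at 26
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, (b"S" if lat < 0 else b"N") + b"\0\0\0")
           + ent(2, 5, 3, struct.pack("<I", 80)) + ent(3, 2, 2, (b"W" if lon < 0 else b"E") + b"\0\0\0")
           + ent(4, 5, 3, struct.pack("<I", 104)) + b"\0\0\0\0")  # rationals follow at 80 and 104
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat3(lat) + rat3(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

On a real camera JPEG, `find_gps(open(path, "rb").read())` returns the embedded coordinates or None, and `strip_exif` also drops the maker note and thumbnail that sit in the same segment.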
Aghast at Avast's iYogi Support
The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast's customer support.
A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.
Adam Riley, Avast's third party support manager, wrote in a post on the company's blog that "during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam. Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from 'Avast customer service' reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege."
I'd first heard about the issue when a reader wrote in to say he'd received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.
I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from Virtualbox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast's user forum that iYogi was using support requests to push expensive "maintenance and support" packages.
Continued: http://krebsonsecurity.com/2012/03/aghast-at-avasts-iyogi-support/
Microsoft adds new protection mechanisms to IE 10
At the CanSecWest conference held last week in Vancouver, a team of vulnerability researchers from French security firm VUPEN has managed to hack Microsoft's Internet Explorer 9 on a fully patched Windows 7 SP1 machine.
They managed to bypass the browser's DEP and ASLR protection with a 0-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of its Protected Mode.
As VUPEN founder Chaouki Bekrar claims, the memory corruption bug they used to do that is one of many they found, but he also admitted that the new IE 10 will be much harder to break into as Microsoft has added new protection mechanisms.
For those wondering exactly what kind of improvements IE 10 will bring, Forbes Higman, Security Program Manager for Internet Explorer, shared details about some of them on the IEBlog.
"Memory protections aim to safely terminate a browser process under attack before a vulnerability can be successfully exploited to run the attacker's code," he explains. "In many cases, protections allow vendors time to produce and distribute a fix before a vulnerability can be exploited to cause damage."
Continued: http://www.net-security.org/secworld.php?id=12595
Can Google Be Forced By the FBI to Unlock Users' Phones?
Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to "provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone".
The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit (pdf). Agents conducted surveillance on Dears and found that he was using a mobile phone to allegedly communicate with prostitutes and other associates.
Dears had denied to his parole officer that he owned a mobile phone, and in January the parole officer went to Dears's apartment and seized the phone. The FBI subsequently served a search warrant on the parole officer and took the phone, but the bureau's forensics investigators couldn't get past the swipe lock on the Android handset. Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone.
Continued: http://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412