
NEWS - February 24, 2015

Feb 23, 2015 10:38PM PST

Included in the first post listed (under Related) in yesterday's News Thread:

Superfish spyware not limited to Lenovo laptops

"In the last 24 hours, researchers have also discovered that the Komodia technology, which allowed the Superfish application to monitor what were meant to be private conversations online, is being used much more widely and is present on millions more PCs.

According to security researcher Marc Rogers, Komodia uses the same framework for many products including parental control software made by Qustodio and Komodia's own Keep My Family Secure parental control software which promises to protect children when surfing online."

So what does this actually mean?

It means that the problem is not limited to the Lenovo laptops sold between October and December 2014 which had Superfish pre-installed. "It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected," Rogers said.

If you think you might be affected, there is an easy way to check if your system is vulnerable. Just visit this website and if you see a Yes, then it might be time to consider removing the offending piece of software.

Continued : http://www.ibtimes.co.uk/superfish-spyware-not-limited-lenovo-laptops-1488859

Note Filippo Valsorda's online "Superfish, Komodia, PrivDog Vulnerability Test" included in the last sentence.


Give us a week to GUT Superfish, begs Lenovo CTO
Feb 24, 2015 2:38AM PST

"Don't Panic, says malware-pusher, Superfish never swam on ThinkPads, servers or arrays"

Lenovo's chief technology officer Peter Hortensius has issued another statement on how the company plans to handle Superfish.

The missive explains that Lenovo has worked with anti-virus vendors to get their products flattening Superfish whenever a PC starts up and issued a removal tool.

Hortensius says Lenovo is now "in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."

He can't say what those actions will be for now, but says the company is "exploring a wide range of options that include":

Continued : http://www.theregister.co.uk/2015/02/24/give_us_a_week_to_clean_the_superfish_begs_lenovo_cto/

Related: Still smarting from HTTPS-busting Superfish debacle, Lenovo says sorry

Critical Samba flaw allows unauthorized remote code execution
Feb 24, 2015 2:38AM PST

Samba, the popular free software that allows file and print sharing between computers running Windows and those running Unix or Linux, has been found sporting a critical flaw that can be exploited by an attacker to run programs as an administrator.

"CVE-2015-0240 is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root," the Red Hat Product Security team explained in a blog post that also offers more technical details about the flaw.

Continued : http://www.net-security.org/secworld.php?id=17997

Related : Samb-AAAHH! Scary remote execution vuln spotted in Windows-Linux interop code

Google looks to scrape away scumware, as only it can
Feb 24, 2015 2:39AM PST

Google is looking to cut down on the risk of attacks from web pages serving up unwanted downloads.

The company said on Monday that it will add security protections into Chrome, Ads and Google Search in an effort to keep users away from sites believed to be installing adware, browser toolbars and other nuisance programs.

For Chrome, Google will begin giving users warnings when they view sites known to serve up not only exploits but also potentially unwanted software downloads. The site will show an alert to users warning that a site could install adware or browser plug-ins.

Continued : http://www.theregister.co.uk/2015/02/24/google_looks_to_scrape_away_scumwear/

Related:
Google ups efforts to protect users against unwanted software
Google Broadens Scope of Unwanted Software Warnings

AT&T Charging Customers to Not Spy on Them
Feb 24, 2015 2:39AM PST

Bruce Schneier @ his "Schneier on Security" blog:

AT&T is charging a premium for gigabit Internet service without surveillance:

The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which internet service providers, by virtue of their privileged position, monitor all the internet traffic of their subscribers and collect data on the content of those communications.

What if customers do not want to be spied on by their internet service providers? AT&T allows gigabit service subscribers to opt out -- for a $29 fee per month.


Continued : https://www.schneier.com/blog/archives/2015/02/att_charging_cu.html

Avast Launches Free Security Solution for Businesses
Feb 24, 2015 2:39AM PST

Security firm Avast announced on Monday the availability of a free offering designed to help small and medium businesses (SMBs) protect their networks against malicious attacks.

Avast for Business is a cross-platform solution that includes features such as essential antivirus protection, Web threat scanning and integrated browser protection, and a cloud management console. The solution also provides a robust reporting and alerting engine, Avast said.

Businesses that want more than just these basic features can acquire premium services such as Firewall, Sandbox, Anti-spam, SafeZone, and Datashredder. For servers, organizations can also add Exchange and Sharepoint protection. Customers can protect as many devices as they want, and they can activate or deactivate licenses at any time, the company noted.

Continued : http://www.securityweek.com/avast-launches-free-security-solution-businesses

Related : Has Avast Just Launched The World's First Free Business-Grade IT Security?

Edward Snowden's big regret
Feb 24, 2015 2:43AM PST

Daniel Ellsberg and Edward Snowden have something in common - although decades separate their whistle-blowing. Both of them say "Don't do what I did".

Hot on the heels of "Citizen Four", the documentary of Edward Snowden, winning a well-deserved Oscar, director Laura Poitras, journalist Glenn Greenwald and Snowden himself participated in an "ask me anything" chat on Reddit.

One question in particular stands out for Snowden's response. The NSA whistleblower, who now lives in Moscow, was asked if he would do anything differently in retrospect. [...]

Continued : http://grahamcluley.com/2015/02/edward-snowden-regret-reddit/

Related : I wish I'd leaked sooner says Edward Snowden in post-Oscar chinwag

Amazon 'Order Details' Email Delivers Malware
Feb 24, 2015 2:43AM PST

Lately an email from Amazon has been hitting the inbox of unsuspecting users all over the world.

This email has been masqueraded as an order notification message from the famed marketplace Amazon.com.

In this email, recipients are thanked for placing an order at Amazon and they are informed that their order details can be viewed by opening the attached file.

No matter how compelled you may become to open this amazing email from Amazon.. never do so. It is a fraudulent email sent by attackers with malicious intentions and not by Amazon.

Continued : https://www.hackread.com/amazon-order-details-email-delivers-malware/

PrivDog Releases Update After Being Compared to Superfish
Feb 24, 2015 4:51AM PST

The developers of PrivDog released an update for the application on Monday after researchers discovered that it failed to validate SSL certificates.

PrivDog is designed to make surfing the Web safe and private by blocking processes that track users' activities and by replacing ads with ones that have been vetted by AdTrustMedia. It's not uncommon for advertising-related apps to put users at risk, but this shouldn't be the case with PrivDog since the software is backed by Comodo, the renowned security firm and certificate authority. PrivDog is not only promoted by the company, but it's also bundled with Comodo solutions.

The existence of the security issue came to light just days after the world learned that Lenovo had preloaded an insecure browser add-on from Superfish on new laptops. The Superfish app used a local proxy and a self-signed root certificate to intercept traffic and inject ads into webpages.

Continued : http://www.securityweek.com/privdog-releases-update-after-being-compared-superfish

Related :
PrivDog Adware Poses Bigger Risk Than Superfish
Worse than Superfish? Comodo-affiliated PrivDog compromises web security too

Wasn't the fallout more severe for PrivDog? Link follows.
Feb 24, 2015 5:09AM PST

H&R Block doesn't verify client e-mail, leaks personal info
Feb 24, 2015 4:51AM PST
Tax firm H&R Block doesn't verify client's e-mail, leaks personal info

"Failure gives man ability to hijack stranger's pending tax return."

With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders.

The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns. We created an account at H&R Block and were not asked to authenticate the e-mail address we used.

Continued : http://arstechnica.com/security/2015/02/tax-firm-hr-block-doesnt-verify-clients-e-mail-leaks-personal-info/
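The lapse above is a missing check that the person who typed an e-mail address actually controls it. As an added example (not code from H&R Block or from the Ars Technica article), here is a minimal Python sign-up flow in which an account can hold no personal data until a signed, expiring, single-use verification token has been redeemed from that mailbox; the key, addresses and profile fields are constructed.

```python
import base64, hashlib, hmac, secrets, time

SECRET = b"constructed-server-side-secret"  # constructed; use a secret store in practice
TOKEN_TTL = 24 * 3600                        # seconds a verification link stays valid
accounts = {}  # email -> {"verified": bool, "nonce": str, "profile": dict | None}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def create_account(email, now=None):
    """Register an address and return the token to send to it. The mail carries
    nothing but the token, so a stranger who gets it by mistake learns nothing."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)  # bound to this token; rotated on success
    accounts[email] = {"verified": False, "nonce": nonce, "profile": None}
    payload = f"{email}|{int(now) + TOKEN_TTL}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify(token, now=None):
    """Redeem a token; False on tampering, expiry, unknown account or reuse."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        email, expiry, nonce = payload.decode().split("|", 2)
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
        return False
    acct = accounts.get(email)
    if acct is None or acct["verified"] or nonce != acct["nonce"] or now > int(expiry):
        return False
    acct["verified"] = True
    acct["nonce"] = secrets.token_urlsafe(16)  # the redeemed token is now dead
    return True

def set_profile(email, profile):
    """Name, address, security question etc. are accepted only for a verified
    address, so an unverified account never holds anything that could leak."""
    acct = accounts.get(email)
    if acct is None or not acct["verified"]:
        return False
    acct["profile"] = dict(profile)
    return True

def get_profile(email):
    acct = accounts.get(email)
    return acct["profile"] if acct and acct["verified"] else None
```

The stranger in the Ars story would, under this flow, receive only an opaque link and could at most activate an empty account, since nothing is stored against the address before the link is redeemed.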