Thursday, January 31, 2013


HEADLINES...

VLC PLAYER

It's been reported that versions 2.0.5 and earlier of the VLC media player software contain a critical vulnerability that can potentially be exploited by attackers to execute malicious code on computers dealing with .asf-coded videos. Catch the article HERE.


NY TIMES NETWORK BREACHED BY CHINESE

Hackers from China breached the security defense system for the network of The New York Times and stole passwords that allowed them to gain access to computers and email accounts for a period of four months, and you can read all of the gory details HERE.

UPnP flaws expose tens of millions of networked devices to remote attacks

Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard, security researchers from Rapid7 said Tuesday in a research paper. Many home wireless routers give you the option to enable UPnP or leave it disabled. In some particular situations you have to enable it. Read about it HERE.


YA GOTTA LOVE THIS HEADLINE: Oracle will continue to bundle 'crapware' with Java

Story HERE. And don't forget my new Photography Blog!


'Nuff Said,
Brian

Monday, January 28, 2013

HEADLINES

Nothing like Monday morning Headlines to wake you up, although this first one will seem repetitive:

"Bug makes Java's latest anti-exploit defenses moot, claims researcher..."

Another fix, another fault, another crack in the wall. The story can be found HERE.

"After discovering the vulnerability and creating a proof-of-concept exploit that worked on Java 7 Update 11 -- the version released two weeks ago -- running on Windows 7, Gowdiak reported the bug to Oracle."

Someone should grind this JAVA bean and be done with it...

'Nuff Said
Brian

Monday, January 21, 2013

WASN'T IT JUST THE OTHER DAY...

When we were told about a new exploit of JAVA code? Oh, I guess that was today. Oops! It was last week as well. I could probably take 2 or 3 of last year's blog posts and never have to change them because the news will always be the same.

I could narrow the field and stick to security issues with Adobe Flash, JAVA, Android-based phones, and Microsoft, then take the year off by writing the same post and having it re-post itself periodically, while vacationing in Arizona or Colorado.

The saddest part would be that the post would still be relevant all year long -

'Nuff Said,
Brian

Sunday, January 20, 2013

LIKE A BROKEN RECORD

Did you ever have a record, or CD for that matter, that would always reach a certain point that would "BLIP" you backwards by a minute or two only to have it happen over and over and over and over and - well, have you?

You knew that if you could just jump ahead, past the glitch, everything would be just fine but nine out of ten times you couldn't do a darn thing to fix it, and I mean REALLY fix it.


Remember seeing the image above on a recent blog post of mine? Well, if it were music, it would be skipping in so many places, due to so many flaws in the master pressing, that the master would have been thrown out. Why the analogy? I like analogies; they seem to get technical points across to folks without talking over their heads or making them feel dumb [ed. - like a certain "Squad" I've heard about].


"Java's latest desperate attempt at putting a band-aid on an almost severed limb"


This morning, while digesting the weekend security news, I ran across an article (actually several, but I'm picking only one of them out to link to) regarding Java's latest desperate attempt at putting a band-aid on an almost severed limb.

The article was about JAVA 7, update 11, which recently came out after the US Government suggested users disable JAVA. Like a broken record, I read the same lines I've read before: "Researchers discover security holes in latest JAVA patch". No, now you've got to be kidding me? Is it April 1st? Am I secretly being recorded for a new reality show? Okay Charles, you can come out from behind the fake HTML screen now....

You can read it and weep, HERE. I'm going downstairs to start brewing some real java -

'Nuff Said,
Brian

Friday, January 18, 2013

AS THE JAVA TURNS

Okay, a lame attempt at adapting a soap opera title to Java, but that's what it's been - a soap opera! Sometimes, in the middle of the night, I'll wake up and sneak into the computer room to see if the next episode has been posted. Beyond a mere soap opera, on the scale of a movie I can hear the announcer's voice -

  • IT has chills - (i.e. - Zero Day exploits)
  • IT has spills - (i.e. - Oracle's botched patch around August/September)
  • IT has thrills - (i.e. - US Government suggests users disable Java on their computers)
  • IT is "Action Packed" - (Oracle responds to US government's suggestion a week later with 87 patches)
  • IT will always have a sequel
Seriously though, these holes in JAVA cost you time and money getting your computer disinfected and back in operation. Only 3 hours ago I received an email alert with the heading:

"Malware impersonates Java patch..."

While the alert came from Computer World's notification system, I read the story on PC World's website. It's pretty scary, and I hope you remember what I've been telling you all along [ed. - download directly from website - not a pop-up]. Here's a short excerpt from the article:

"Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system," wrote Paul Pajares, a fraud analyst with Trend.

Okay, I think it's time you read the full article, and you'll find it HERE.

'Nuff Said,
Brian

Tuesday, January 15, 2013

SOMEONE LIT A FIRE UNDER ORACLE'S ARSE

After the US Government suggested that users disable JAVA until further notice, due to the high number of security breaches in the last few years, came another news headline: "ORACLE RUSHING TO PATCH SECURITY HOLE".

YES, LIKE A STONE THROWN INTO A POND, THE US HEADLINES CREATED FAR REACHING RIPPLES IN THE IT WORLD.

This morning I woke up to see another headline from the US Government recommending that users still keep JAVA disabled. Others in the security arena agree, one example being Malwarebytes, as you can see from their most recent blog post.

From Malwarebytes Post:

"Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser"


'Nuff Said,
Brian

Saturday, January 12, 2013

I GUESS SOMEONE WAS LISTENING AFTER ALL

From Reuters:

U.S. warns on Java software as security concerns escalate

"(Reuters) - The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web..."

It seems I've been clanking that bell for some time, but I realize that the Government is a tad slow at getting things done. There is more to the article, and you should read it. You can find it HERE.

'Nuff Said,
Brian

Thursday, January 10, 2013

"Hmm..."
That's about all I have to say about it at this moment.

A 2010 report on digital copiers (the big ones used at work) was broadcast again, which begs the question: "Have they not fixed this yet?". See the CBS News video below:

If you think about everything that gets copied at your workplace, and add any personal documents that you may have scanned [ed. - yearly taxes, birth certificate, driver's license, your butt, etc.], then you realize what problems could arise from the wrong person having access to the hard drive, either when it's returned at the end of its lease for a newer model, or by "Carbon Based Life Form Hacking".

Explanation: Someone shows up at the front desk of a company. He's carrying a large tool kit, and has your basic lab coat slung over one arm.

"Can I help you?" asks the receptionist.

"Yes please", he replies to the unwitting Carbon based life form, adding - "I'm here to work on the Copier on the 2nd floor again".

The receptionist gets him to sign in and gives him a badge to wear so he won't be questioned. The man isn't a copier repair man, he is (in fact) a "Human Hacker" and he knows enough about copiers to allow him to remove/replace or copy the hard drive quickly, without raising any suspicions.

If he's good at it, he probably has a thin floor sheet and a vial of toner which he pours onto the sheet (and some on himself) so that it looks like he's really working on the copier and most people won't hang around for fear of getting the toner on their clothes.

Depending on your browser you may or may not be able to see the video but you can go to the CBS webpage which has the video as well. Thanks to my friend Armando for telling me about this and supplying the link, along with a "Thank You" to CBS News for allowing people to share this video.

'Nuff Said,
Brian

Saturday, January 5, 2013

NEWS - SNOOZE - ETC.

In my last post (I believe) I reported that Microsoft had temporarily fixed the Zero Day exploit to Internet Explorer, versions 6, 7, and 8, but they haven't said much else. Does this mean it's really fixed? Does it mean there are other exploits related to this one that they didn't want to talk about? Only time will tell.

If anyone is interested in how well or poorly Windows 8 sales are going, someone got out their slide rule [ed. - if you don't know what that is; pretend you do] and found that, given the same number of days since they were released, Windows 8 sales lag behind Vista. Get yer Windows 7 computer before they can't be got no more!

Referring back to my first paragraph comes a timely article titled: "Researcher sidesteps Microsoft fix for IE zero-day" -

"Microsoft's short-term fix cannot cover all the different paths a criminal can take to exploit the bug, which the exploit highlights"

Read the full article HERE.

Have fun, and as always - surf safely

'Nuff Said
Brian

Wednesday, January 2, 2013

BYE-BYE 2012

Taking a look at the hits and misses of 2012 is a lot easier than predicting the future. Someone's "HIT" might have been another's "MISS", so it's completely my opinion. I'm going to mix it up more than usual, so many items are NOT security related, but I already did a post today on another blog, so I thought I'd post one here as well. Let us start with the FLOPS.

FLOPS OF 2012

  • Google's NEXUS Q (probably something most of you have never seen)
  • Google's Inexpensive Notebooks - At $200, many people prefer to purchase a handheld tablet, and the Android operating system hasn't proven to be the most secure OS.
  • Google APPS - Available from a variety of sites, and not screened thoroughly, which let malware incidents on Android phones and tablets increase by 300% in 2012.
  • Microsoft's OFFICE 365 - An alternative to actually buying the software, Microsoft allows users to rent it and use it in the "CLOUD". This, in itself, isn't a bad idea per se, but the company continued to raise the price on the upcoming OFFICE 2003 software several times until it seemed like a better deal to rent it. They are grasping for dollars.
  • Microsoft Windows 8 - What can I say about this except that it's not really a Tablet OS, nor a Desktop OS; it's an in-between-the-two OS that is awkward to use, especially on a desktop. If you think Windows 7 was hard to get used to after years of XP, you'll think it was a cake walk when you see Windows 8. Suggestion: If you are running XP now and plan to buy a new PC, do it before the Windows 7 models disappear [ed. - most brick'n mortar stores like Best Buy, Office Depot, etc. are selling only Windows 8 computers], and your best bet is to have one custom made [ed. - Shameless plug for SUGARLANDPC ] or look online, like Amazon.com.
  • Microsoft I.E.9 - I still run into customers who STILL have problems with this version of Internet Explorer, yet Microsoft marches ahead with Internet Explorer 10.
  • Microsoft Security Essentials - Originally introduced in the first Quarter of 2011, this free anti-virus software turned out to be pretty good. So good, in fact, that many IT shops recommended it as an alternative to an Anti-Virus software you purchase. But something happened this year where MS SEC ESS fell into the depths of one of the worst Anti-Virus solutions you could pick.
  • APPLE's "iMaps" APP - Would this little piggy have gone to market if Jobs were still alive? I don't think so, Dave. Heads rolled at APPLE HQ over this one.
  • Hard Drive Quality - Perhaps it was the flooding of Thailand, the economy, or cheaper components, but many hard drive manufacturers dropped lengthy warranties down to 1 year, and if you've purchased a computer in the last 12-14 months you probably have a drive with a 1 year warranty. What does it all mean? Start backing up your data!
  • Microsoft Tablets with Windows 8 RT - This special OS is designed to run on an ARM CPU (Not Intel or AMD), which means you can't install your old programs onto it; you'll have to go online and see what sort of apps are available. Many people were not told this before purchase.
  • Anti-Virus Software - This is more of a "disappointment" for 2012 vs. a FLOP. When you plunk down $80 for Anti-Virus software you figure you're fairly immune from malware, but this year proved that wasn't necessarily true. They tried their best, but they were overwhelmed by a flood of viruses and could not keep up. Hopefully they've adjusted a few things within their respective companies to render faster updates than the previous year, because security experts are predicting 2013 to be worse.

Okay, those were my "FLOPS", and I'll try and come up with some predictions for the new year.

MICROSOFT PATCHES ZERO DAY EXPLOIT IN I.E. 6, 7, 8

Yup, they patched it. Whether or not it could be done on their end, or if it will be a critical patch download is unclear.

'Nuff Said,
Brian