Have You Changed Your Facebook Privacy Settings Lately (or Ever)?

Is your social network secure? Do you even know where the account security and privacy settings are, or what the default settings are? A recent survey conducted by ESET illustrates the relative insecurity of social networks--which is alarming given the volume and sensitivity of information that is shared on them.

Social networks are fertile ground for malware attacks and scams. The very concept of the social network assumes some degree of trust and sharing, and attackers can prey on that inherent trust. You know enough to ignore that email from the Nigerian prince (please, tell me you know enough to ignore that email!), but would you have enough skepticism or common sense not to click on a link sent from your own mother?

Take the time to use the privacy controls Facebook has provided.
Privacy is subjective to some extent. Some people are comfortable sharing things that others find too sensitive or invasive. The thing is, social networks like Facebook provide you with the tools you need to customize the security and privacy to your liking...assuming you ever take the time to do so.



The Good, the Bad, and the Ugly of the Dropbox Authentication Error

Online storage service Dropbox made an embarrassing error Monday, turning off password authentication for millions of users.

The company pushed a code update to the service just before 2:00 pm Monday, but the new code contained a bug that removed the requirement to authenticate before accessing the files in a Dropbox account. That means every file in every Dropbox account could have been accessed without valid credentials. Dropbox discovered the problem just before 6:00 pm and quickly closed the hole, but for roughly four hours users' documents were accessible to anyone who tried.
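The Dropbox incident is an instance of a familiar bug class: a code change that leaves the login path working for the happy case while silently dropping the check that rejects bad credentials. The following is an added, constructed example (it is not Dropbox's code and says nothing about what their bug actually looked like): a password check that a refactor has broken so it accepts any password, beside a hardened version, and the negative tests a deploy pipeline should gate on. The user store, the `login_broken`/`login_fixed` names and the sample password are all assumptions made for the example.

```python
"""Regression-testing an authentication check.

Constructed example, not Dropbox's code: login_broken() shows the bug
class (the password hash is computed but never compared), login_fixed()
shows the hardened check, and negative_auth_tests() is the test that
would have caught the regression before it shipped.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware budget


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def login_broken(username: str, password: str) -> bool:
    """The bug class: returns True for any existing user, whatever the
    password, because the computed hash is never compared to the stored one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    _hash_password(password, salt)  # computed, then thrown away
    return True


def login_fixed(username: str, password: str) -> bool:
    """Hardened check: unknown users and wrong passwords both fail, and the
    hash comparison is constant-time."""
    record = USERS.get(username)
    if record is None:
        # Burn the same cost for unknown users so response time does not
        # reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def negative_auth_tests(login) -> dict:
    """The checks a deploy should gate on: that bad credentials are REJECTED,
    not just that good ones are accepted. Returns {test name: passed}."""
    return {
        "wrong_password_rejected": login("alice", "wrong") is False,
        "empty_password_rejected": login("alice", "") is False,
        "unknown_user_rejected": login("mallory", "anything") is False,
        "correct_password_accepted": login("alice", "correct horse battery staple") is True,
    }


if __name__ == "__main__":
    for name, fn in (("broken", login_broken), ("fixed", login_fixed)):
        results = negative_auth_tests(fn)
        failed = [t for t, ok in results.items() if not ok]
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

Run against `login_broken` the suite fails on the three rejection cases while the "correct password accepted" case still passes, which is exactly why a test suite that only exercises successful logins would have waved the regression through.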

It's the latest black eye for security in a cloud-based world, following on the likes of Sony's PlayStation Network debacle and other LulzSec shenanigans and high-profile downtime for cloud giants like Amazon.



SCADA Systems: Achilles Heel of Critical Infrastructure

Our critical infrastructure is an attractive target for hostile nations, terrorist groups, and even run-of-the-mill cyber criminals, and many security experts believe it is not remotely protected against cyber attacks. The SCADA systems that manage and control much of the critical infrastructure in the United States were not designed with security in mind and were never engineered for an Internet-connected world.

SCADA systems are uniquely enticing because a successful attack could cripple a nation. The Stuxnet worm that targeted Iran's uranium enrichment facilities contained a PLC rootkit that could alter the behavior of the Siemens programmable logic controllers (PLCs) used for plant operations and hide those changes from the operators.

SCADA systems are a prime target, and a weak link in protecting the critical infrastructure.
In a Wall Street Journal article, Richard Clarke, former White House advisor on cyber security, warns that there is evidence that China has been actively probing and hacking the United States power grid. Clarke points out, "The only point to penetrating the grid's controls is to counter American military superiority by threatening to damage the underpinning of the U.S. economy. Chinese military strategists have written about how in this way a nation like China could gain an equal footing with the militarily superior United States."



Dangerous WebGL Flaws Haunt Chrome and Firefox

Context--an independent information security consultancy--has published a new report on security flaws in WebGL. The report, "WebGL--More WebGL Security Flaws", includes a video clip demonstrating why organizations should think twice about running Web browsers with WebGL enabled.

After Context first published its findings that WebGL exposes systems to security risks, Khronos--the standards group that develops WebGL--and the browser vendors took action to address those concerns. This new report is based on Context's continued research, along with testing to determine whether the measures taken by Khronos and the browser vendors actually make WebGL safe.

Browsers that enable WebGL by default pose a security risk.
In a nutshell, the answer appears to be "no". What is the risk? To deliver hardware-accelerated 3D rendering from the Web without lag, WebGL hands shader code and buffer data supplied by a web page almost directly to the graphics driver. Until now that low-level GPU functionality was reachable only by locally installed, trusted software, and graphics drivers were not written to cope with hostile input. WebGL therefore exposes the core functions of the graphics stack, and the driver code behind them, to attack from any web page a user happens to visit.
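For an organization that decides the risk is not worth it, the practical control is to switch WebGL off in the browsers it manages. The script below is an added example, not from Context's report or from any browser vendor: it walks a Firefox profile root, finds every profile listed in `profiles.ini`, and sets Firefox's own `webgl.disabled` preference in each profile's `user.js` unless the last assignment already disables it. The `profiles.ini` layout (`[ProfileN]` sections with `IsRelative` and `Path`) is the standard Firefox one; the function names and the constructed sample profile used for the demo are assumptions made for this example.

```python
"""Disable WebGL in every Firefox profile under a given root directory.

Added example; not vendor code. Assumes the standard Firefox layout:
<root>/profiles.ini lists profiles, each profile directory may contain a
user.js, and user.js is applied top to bottom at startup so the LAST
assignment of a preference wins.
"""
import configparser
import tempfile
from pathlib import Path

PREF_NAME = "webgl.disabled"          # Firefox's own preference name
PREF_LINE = f'user_pref("{PREF_NAME}", true);'


def profile_dirs(firefox_root: Path) -> list:
    """Return the profile directories named in profiles.ini."""
    cp = configparser.ConfigParser()
    cp.read(firefox_root / "profiles.ini")
    dirs = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        raw = cp[section].get("Path")
        if raw is None:
            continue
        relative = cp[section].get("IsRelative", "1") == "1"
        dirs.append(firefox_root / raw if relative else Path(raw))
    return dirs


def webgl_disabled(profile_dir: Path) -> bool:
    """True only if the last webgl.disabled assignment in user.js is 'true'.
    A later 'false' line would override an earlier 'true', so check order."""
    user_js = profile_dir / "user.js"
    if not user_js.exists():
        return False
    state = False
    for line in user_js.read_text().splitlines():
        s = line.strip()
        if s.startswith(f'user_pref("{PREF_NAME}"'):
            state = s.endswith("true);")
    return state


def disable_webgl(firefox_root: Path) -> dict:
    """Append the pref to each profile's user.js unless it is already in force.
    Returns {profile dir: True if the file was changed}."""
    changed = {}
    for d in profile_dirs(firefox_root):
        if webgl_disabled(d):
            changed[str(d)] = False
            continue
        d.mkdir(parents=True, exist_ok=True)
        with (d / "user.js").open("a") as fh:
            fh.write("\n" + PREF_LINE + "\n")
        changed[str(d)] = True
    return changed


def build_sample_root() -> Path:
    """Constructed fixture: a throwaway Firefox root with one profile whose
    user.js does not yet mention WebGL. Used only for the demo and tests."""
    root = Path(tempfile.mkdtemp(prefix="ff-demo-"))
    (root / "profiles.ini").write_text(
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\n"
    )
    prof = root / "abcd1234.default"
    prof.mkdir()
    (prof / "user.js").write_text('user_pref("browser.startup.page", 0);\n')
    return root


if __name__ == "__main__":
    root = build_sample_root()
    print("before:", {str(d): webgl_disabled(d) for d in profile_dirs(root)})
    print("changed:", disable_webgl(root))
    print("after: ", {str(d): webgl_disabled(d) for d in profile_dirs(root)})
```

Point it at a real profile root (for example `~/.mozilla/firefox` on Linux) rather than the constructed fixture to apply it for real, and verify afterwards by loading `about:config` and confirming `webgl.disabled` reads true. Chrome has no per-profile preference for this; it is launched with the `--disable-webgl` command-line switch instead.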



Patch Tuesday Fixes Dangerous Flaws with Exploits Imminent

Today is Patch Tuesday. I don't know if it was the focus on Apple's WWDC announcements and the gaming news coming out of E3, the attention I have been devoting to the 30 Days With Ubuntu Linux project, or the headline-stealing LulzSec hacks, but Patch Tuesday caught me by surprise this month. Ironically, as low-key as Patch Tuesday seems this month, it is actually one of the biggest in recent months when it comes to critical updates.

Microsoft unleashed 16 security bulletins for June, nine of which are ranked as Critical. Even more concerning than the Critical designation is the fact that seven of the nine Critical bulletins also carry an Exploitability Index rating of 1, Microsoft's way of saying that reliable exploit code is likely to appear within the next 30 days.

Seven of the security bulletins have an exploitability index of one--indicating imminent exploit.
Paul Henry, security and forensics analyst at Lumension, explains, "With 9 critical bulletins and the vast majority directly requiring a reboot, this marks the beginning of a long summer for IT professionals with no room for slowing down."



iPhone 5 Phishing Attack Preys on WWDC Hype

Perhaps you've heard about a little event going on this week called the Worldwide Developers Conference? Attackers are preying on the frenzy of hype around the Apple WWDC to launch new phishing scams "announcing" the iPhone 5G.

Graham Cluley, a senior technology consultant with security vendor Sophos, alerts users in a blog post to watch out for iPhone 5-related phishing scams. Letting your curiosity get the best of you could lead to infecting your Windows PC with a nasty Trojan.

A new phishing attack targets the frenzy for an iPhone 5.
The phishing e-mail claims that the new iPhone is many things. "Launch and switch between applications quickly. Bigger display, transparent mode, better cloud integration. Shoot, edit, and share video like never before. Slimmer, faster and sleeker. Discover many more features that make iPhone 5G S the best iPhone yet."



Sony Hacked Again: How Not to Do Network Security

Yes. As unbelievable as it may seem, Sony was hacked again. It is not (entirely) Sony's fault that it is the target du jour for hackers everywhere. But, it is Sony's fault that its networks and servers seem to be trivial to hack and easy to pwn.

The trials and tribulations of Sony's epic struggle against hacks and data breaches over the past month or so are well-documented. You can read all about the breach of Sony Ericsson Canada, or Sony BMG Greece, or the Sony Playstation Network, or any of the other network attacks against Sony all over the Web.

LulzSec, the hacker collective responsible for the Wikileaks hacktivism attack and fake Tupac resurrection story on the PBS site last week, made it clear that Sony was the next target on its radar. Now it has made good on that threat with a hack of the Sony Pictures network, and claims to have compromised the account details of a million users.
