Microsoft Security Bulletin
Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or obtain sensitive information.
Apple Safari Vulnerabilities
Apple has released Safari 4.0 for Windows and Mac OS X to address multiple vulnerabilities in CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.
7 Practices for Computer Security
1. Protect your personal information. It’s valuable.
2. Know who you’re dealing with.
3. Use security software that updates automatically.
4. Keep your operating system and Web browser up-to-date, and learn about their security features.
5. Protect your passwords.
6. Back up important files.
7. Learn what to do in an e-mergency.
Access to information and entertainment, credit and financial services, products from every corner of the world — even to your work — is greater than ever. Thanks to the Internet, you can play a friendly game with an opponent across the ocean; review and rate videos, songs, or clothes; get expert advice in an instant; or collaborate with far-flung co-workers in a “virtual” office.
But the Internet — and the anonymity it affords — also can give online scammers, hackers, and identity thieves access to your computer, personal information, finances, and more.
With awareness as your safety net, you can minimize the chance of an Internet mishap. Being on guard online helps you protect your information, your computer, and your money. To be safer and more secure online, make these seven practices part of your online routine.
1. Protect your personal information. It’s valuable.
To an identity thief, your personal information can provide instant access to your financial accounts, your credit record, and other assets. If you think no one would be interested in YOUR personal information, think again. ANYONE can be a victim of identity theft. In fact, according to the Federal Trade Commission, millions of people become victims every year. Visit ftc.gov/idtheft to learn what to do if your identity is stolen or your personal or financial information has been compromised – online or in the “real” world.
How do criminals get your personal information online? One way is by lying about who they are, to convince you to share your account numbers, passwords, and other information so they can get your money or buy things in your name. The scam is called “phishing”: criminals send email, text, or pop-up messages that appear to come from your bank, a government agency, an online seller or another organization with which you do business. The message asks you to click to a website or call a phone number to update your account information or claim a prize or benefit. It might suggest something bad will happen if you don’t respond quickly with your personal information. In reality, legitimate businesses should never use email, pop-ups, or text messages to ask for your personal information.
To avoid phishing scams:
* Don’t reply to an email, text, or pop-up message that asks for personal or financial information, and don’t click on links in the message. If you want to go to a bank or business’s website, type the web address into your browser yourself.
* Don’t respond if you get a message – by email, text, pop-up or phone – that asks you to call a phone number to update your account or give your personal information to access a refund. If you need to reach an organization with which you do business, call the number on your financial statement, or use a telephone directory
Some identity thieves have stolen personal information from many people at once, by hacking into large databases managed by businesses or government agencies. While you can’t enjoy the benefits of the Internet without sharing some personal information, you can take steps to share only with organizations you know and trust. Don’t give out your personal information unless you first find out how it’s going to be used and how it will be protected.
If you are shopping online, don’t provide your personal or financial information through a company’s website until you have checked for indicators that the site is secure, like a lock icon on the browser’s status bar or a website URL that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some scammers have forged security icons. And some hackers have managed to breach sites that took appropriate security precautions.
Read website privacy policies. They should explain what personal information the website collects, how the information is used, and whether it is provided to third parties. The privacy policy also should tell you whether you have the right to see what information the website has about you and what security measures the company takes to protect your information. If you don’t see a privacy policy — or if you can’t understand it — consider doing business elsewhere.
2. Know who you’re dealing with.
And what you’re getting into. There are dishonest people in the bricks and mortar world and on the Internet. But online, you can’t judge an operator’s trustworthiness with a gut-affirming look in the eye. It’s remarkably simple for online scammers to impersonate a legitimate business, so you need to know who you’re dealing with. If you’re thinking about shopping on a site with which you’re not familiar, do some independent research before you buy.
* If it’s your first time on an unfamiliar site, call the seller’s phone number, so you know you can reach them if you need to. If you can’t find a working phone number, take your business elsewhere.
* Type the site’s name into a search engine: If you find unfavorable reviews posted, you may be better off doing business with a different seller.
* Consider using a software toolbar that rates websites and warns you if a site has gotten unfavorable reports from experts and other Internet users. Some reputable companies provide free tools that may alert you if a website is a known phishing site or is used to distribute spyware.
File-Sharing: Worth the hidden costs?
Every day, millions of computer users share files online. File-sharing can give people access to a wealth of information, including music, games, and software. How does it work? You download special software that connects your computer to an informal network of other computers running the same software. Millions of users could be connected to each other through this software at one time. Often, the software is free and easy to access.
But file-sharing can have a number of risks. If you don’t check the proper settings, you could allow access not only to the files you intend to share, but also to other information on your hard drive, like your tax returns, email messages, medical records, photos, or other personal documents. In addition, you may unwittingly download malware or pornography labeled as something else. Or you may download material that is protected by the copyright laws, which would mean you could be breaking the law.
If you decide to use file-sharing software, be sure to read the End User Licensing Agreement to be sure you understand and are willing to tolerate the potential risks of free downloads.
3. Use security software that updates automatically.
Keep your security software active and current: at a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. You can buy stand-alone programs for each element or a security suite that includes these programs from a variety of sources, including commercial vendors or from your Internet Service Provider. Security software that comes pre-installed on a computer generally works for a short time unless you pay a subscription fee to keep it in effect. In any case, security software protects against the newest threats only if it is up-to-date. That’s why it is critical to set your security software to update automatically.
Some scam artists distribute malware disguised as anti-spyware software. Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That’s a tactic scammers have used to spread malware. OnGuardOnline.gov can connect you to a list of security tools from legitimate security vendors selected by GetNetWise, a project of the Internet Education Foundation.
Once you confirm that your security software is up-to-date, run it to scan your computer for viruses and spyware. If the program identifies a file as a problem, delete it.
Anti-Virus Software
Anti-virus software protects your computer from viruses that can destroy your data, slow your computer’s performance, cause a crash, or even allow spammers to send email through your account. It works by scanning your computer and your incoming email for viruses, and then deleting them.
Anti-Spyware Software
Installed on your computer without your consent, spyware software monitors or controls your computer use. It may be used to send you pop-up ads, redirect your computer to websites, monitor your Internet surfing, or record your keystrokes, which, in turn, could lead to the theft of your personal information.
A computer may be infected with spyware if it:
* Slows down, malfunctions, or displays repeated error messages
* Won’t shut down or restart
* Serves up a lot of pop-up ads, or displays them when you’re not surfing the web
* Displays web pages or programs you didn’t intend to use, or sends emails you didn’t write.
Firewalls
A firewall helps keep hackers from using your computer to send out your personal information without your permission. While anti-virus software scans incoming email and files, a firewall is like a guard, watching for outside attempts to access your system and blocking communications to and from sources you don’t permit.
Don’t Let Your Computer Become Part of a “BotNet”
Some spammers search the Internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a “botnet.” Also known as a “zombie army,” a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets.
Spammers scan the Internet to find computers that aren’t protected by security software, and then install bad software – known as “malware” – through those “open doors.” That’s one reason why up-to-date security software is critical.
Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like. But sometimes just visiting a website or downloading files may cause a “drive-by download,” which could turn your computer into a “bot.”
Another way spammers take over your computer is by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don’t open an email attachment — even if it looks like it’s from a friend or coworker — unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.
4. Keep your operating system and Web browser up-to-date, and learn about their security features.
Hackers also take advantage of Web browsers (like Firefox or Internet Explorer) and operating system software (like Windows or Mac’s OS) that don’t have the latest security updates. Operating system companies issue security patches for flaws that they find in their systems, so it’s important to set your operating system and Web browser software to download and install security patches automatically.
In addition, you can increase your online security by changing the built-in security and privacy settings in your operating system or browser. Check the “Tools” or “Options” menus to learn how to upgrade from the default settings. Use your “Help” function for more information about your choices.
If you’re not using your computer for an extended period, disconnect it from the Internet. When it’s disconnected, the computer doesn’t send or receive information from the Internet and isn’t vulnerable to hackers.
5. Protect your passwords.
Keep your passwords in a secure place, and out of plain sight. Don’t share them on the Internet, over email, or on the phone. Your Internet Service Provider (ISP) should never ask for your password.
In addition, hackers may try to figure out your passwords to gain access to your computer. To make it tougher for them:
* Use passwords that have at least eight characters and include numbers or symbols. The longer the password, the tougher it is to crack. A 12-character password is stronger than one with eight characters.
* Avoid common words: some hackers use programs that can try every word in the dictionary.
* Don’t use your personal information, your login name, or adjacent keys on the keyboard as passwords.
* Change your passwords regularly (at a minimum, every 90 days).
* Don’t use the same password for each online account you access.
6. Back up important files.
If you follow these tips, you’re more likely to be free of interference from hackers, viruses, and spammers. But no system is completely secure. If you have important files stored on your computer, copy them onto a removable disc or an external hard drive, and store it in a safe place.
7. Learn what to do in an e-mergency.
If you suspect malware is lurking on your computer, stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. Malware could be sending your personal information to identity thieves.
Confirm that your security software is up-to-date, then use it to scan your computer. Delete everything the program identifies as a problem. You may have to restart your computer for the changes to take effect.
If the problem persists after you exhaust your ability to diagnose and treat it, you might want to call for professional help. If your computer is covered by a warranty that offers free tech support, contact the manufacturer. Before you call, write down the model and serial number of your computer, the name of any software you’ve installed, and a short description of the problem. Your notes will help you give an accurate description to the technician.
If you need professional help, if your machine isn’t covered by a warranty, or if your security software isn’t doing the job properly, you may need to pay for technical support. Many companies — including some affiliated with retail stores — offer tech support via the phone, online, at their store, or in your home. Telephone or online help generally are the least expensive ways to access support services — especially if there’s a toll-free helpline — but you may have to do some of the work yourself. Taking your computer to a store usually is less expensive than hiring a technician or repair person to come into your home.
Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do to avoid it in the future.
Also, talk about safe computing with anyone else who uses the computer. Tell them that some online activity can put a computer at risk, and share the seven practices for safer computing.
Where to report:
Hacking or a Computer Virus
Alert the appropriate authorities by contacting:
* Your ISP and the hacker’s ISP (if you can tell what it is). You can usually find an ISP’s email address on its website. Include information on the incident from your firewall’s log file. By alerting the ISP to the problem on its system, you can help it prevent similar problems in the future.
* The FBI at www.ic3.gov. To fight computer criminals, they need to hear from you
Internet Fraud
If a scammer takes advantage of you through an Internet auction, when you’re shopping online, or in any other way, report it to the Federal Trade Commission, at ftc.gov. The FTC enters Internet, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Deceptive Spam
If you get deceptive spam, including email phishing for your information, forward it to spam@uce.gov. Be sure to include the full header of the email, including all routing information. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
Divulged Personal Information
If you believe you have mistakenly given your personal information to a fraudster, file a complaint at ftc.gov, and then visit the Federal Trade Commission’s Identity Theft website at ftc.gov/idtheft to learn how to minimize your risk of damage from a potential theft of your identity.
Parents
Parents sometimes can feel outpaced by their technologically savvy kids. Technology aside, there are lessons that parents can teach to help kids stay safer as they socialize online. Most ISPs provide parental controls, or you can buy separate software. But no software can substitute for parental supervision. Talk to your kids about safe computing practices, as well as the things they’re seeing and doing online.
Social Networking Sites
Many adults, teens, and tweens use social networking sites to exchange information about themselves, share pictures and videos, and use blogs and private messaging to communicate with friends, others who share interests, and sometimes even the world-at-large. Here are some tips for parents who want their kids to use these sites safely:
* Use privacy settings to restrict who can access and post on your child’s website. Some social networking sites have strong privacy settings. Show your child how to use these settings to limit who can view their online profile, and explain to them why this is important.
* Encourage your child to think about the language used in a blog, and to think before posting pictures and videos. Employers, college admissions officers, team coaches, and teachers may view your child’s postings. Even a kid’s screen name could make a difference. Encourage teens to think about the impression that screen names could make.
* Remind your kids that once they post information online, they can’t take it back. Even if they delete the information from a site, older versions may exist on other people’s computers and be circulated online.
* Talk to your kids about bullying. Online bullying can take many forms, from spreading rumors online and posting or forwarding private messages without the sender’s OK, to sending threatening messages. Tell your kids that the words they type and the images they post can have real-world consequences. They can make the target of the bullying feel bad, make the sender look bad — and, sometimes, can bring on punishment from the authorities. Encourage your kids to talk to you if they feel targeted by a bully.
* Talk to your kids about avoiding sex talk online. Recent research shows that teens who don’t talk about sex with strangers online are less likely to come in contact with a predator.
* Tell your kids to trust their instincts if they have suspicions. If they feel threatened by someone or uncomfortable because of something online, encourage them to tell you. You can then help them report concerns to the police and to the social networking site. Most sites have links where users can immediately report abusive, suspicious, or inappropriate online behavior.
Android: Open Source Opperating System
Android is an open source operating system that was originally developed by Google for use on cell phones and mobile devices.
Acer has announced that Android will be used on their new netbooks.
The good news is that Android is distributed for free and is improved upon by the open source community. This will give consumers a good alternative to the flawed Microsoft Windows platform.
However, there still appears to be security issues for Android. In February of 2009, security experts found a vulnerability so dangerous it was recommended owners not use their mobile phone web browsers.
Unfortunately, obtaining security information from Google is very difficult. For the flaw reported in February, a user had to first learn of the vulnerability and then figure out where and how to make the fix.
Alert: Apple iTunes
Apple Releases iTunes 8.2 and QuickTime 7.6.2
Apple has released iTunes 8.2 and QuickTime 7.6.2 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users to review Apple articles HT3592 and HT3591 and apply any necessary updates to help mitigate the risks.
Available for: Mac OS X v10.4.10 or later, Mac OS X Server v10.4.10 or later, Windows Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in iTunes when parsing “itms:” URLs. Accessing a maliciously crafted “itms:” URL may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Drewry for reporting this issue.
BlackBerry Security Advisory
Research In Motion has released security advisory KB18327 to address multiple vulnerabilities in the PDF distiller of the BlackBerry Attachment Service. By convincing a user to open a specially crafted PDF file on a BlackBerry smartphone, an attacker may be able to execute arbitrary code on the computer hosting the BlackBerry Attachment Service.
US-CERT encourages users and administrators to review BlackBerry security advisory KB18327 and apply the update or implement the workarounds provided in the document to help mitigate the risks.
Obama Creating A “Cyber Czar”
Washington, DC — President Barack Obama considers computer security a top priority. Immediately after taking office, the President ordered the National Security and Homeland Security Advisors to conduct an immediate Cyber Security Review. The creation of the positioin “Cyber Czar” is a direct result of the security review.
——————————————
President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review
Melissa Hathaway Selected to Lead the Review
President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security.
This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.
“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.
Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period.
Iran Cuts Access To Facebook
As the elections draw near in Iran, they have blocked access to Facebook.
“Every single media outlet that is seen as competition for Ahmadinejad is at risk of being closed,” said a top aide. “Placing limits on the competition is the top priority of the government.”
“Facebook is one of the only independent sources that the Iranian youth could use to communicate.”
A spokesperson for Facebook said, “We are disappointed to learn of reports that users in Iran may not have access to Facebook, especially at a time when voters are turning to the Internet as a source of information about election candidates and their positions.”
“We believe that people around the world should be able to use Facebook to communicate and share information with their friends, family and co-workers. It is always a shame when a country’s cultural and political concerns lead to limits being placed on the opportunity for sharing and expression that the Internet provides.”
Mac OS X and Java Alert
Mac OS X Includes Known Vulnerable Version of Java
Current releases of Mac OS X (version 10.5.7 and version 10.4.11 with security update 2009-002) include a version of Java Runtime Environment (JRE) containing known security vulnerabilities. US-CERT is aware of publicly available exploit code for one of these vulnerabilities. This vulnerability may allow untrusted applets to obtain read, write, and execute permissions to local files and applications with the privileges of the local user. A fix for this vulnerability has been released by Sun, but Mac OS X users cannot apply the fix directly. Mac OS X users must use Apple updates to obtain updated JRE versions. At this time, Apple has not yet released an update to address this issue.
US-CERT encourages Mac OS X users to disable Java in each web browser they use until a patch is available from Apple. Guidance for disabling Java can be found in the Securing Your Web Browser document. Please note that disabling Java may affect the functionality of websites that use Java.
US-CERT will provide additional information as it becomes available.
HP Notebook Batteries Fire Hazard
HP Recalls Notebook Computer Batteries Due to Fire Hazard
WASHINGTON, D.C. – The U.S. Consumer Product Safety Commission, in cooperation with the firm named below, today announced a voluntary recall of the following consumer product. Consumers should stop using recalled products immediately unless otherwise instructed.
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 70,000
Importer: Hewlett-Packard Co., of Palo Alto, Calif.
Hazard: The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers.
Incidents/Injuries: The firm and CPSC are aware of two reports of batteries that overheated and ruptured, resulting in flames/fire that caused minor property damage. No injuries have been reported.
Description: The recalled lithium-ion rechargeable batteries are used with various HP and Compaq notebook computers. Models that can contain a recalled battery include:
HP Pavilion Compaq Presario HP HP Compaq
The notebook model is located at the top of the service label on the bottom of the notebook. Batteries that can be subject to the recall will have one of the following bar code labels (^ in the code can be any letter or number).
Sold at: Computer and electronics stores nationwide, hp.com and hpshopping.com from August 2007 through March 2008 for between $500 and $3000. The battery packs were also sold separately for between $100 and $160.
Manufactured in: China
Remedy: Consumers should immediately remove the recalled battery from their notebook computer and contact HP to determine if their battery is included in the recall and to request a free replacement battery. After removing the recalled battery from their notebook computer, consumers may use the AC adapter to power the computer until a replacement battery arrives. Consumers should only use batteries obtained from HP or an authorized reseller.
Consumer Contact: For additional information, visit the HP Battery Replacement Program Web site at http://www.hp.com/support/BatteryReplacement or call (800) 889-2031 between 7 a.m. and 7 p.m. CT Monday through Friday.