Passwords – Another Perspective

Java: Just Another Vulnerability Announcement

On the heels of releasing a patch to address a vulnerability so serious that some users uninstalled Java, Oracle has again released a “Critical Patch Update” to address about fifty vulnerabilities, one of which is being actively exploited.

Yet, despite their horrible track record, Oracle continues to tell users that it “provides safe and secure access to the world of amazing Java content.”


Software security has few absolutes, and Java is a living (or perhaps dying) example of how poorly a lot of software is designed. It’s time for Oracle to wake up and smell the coffee.

To Java or Not to Java

This week, Java and its latest security flaw have dominated information security discussions. It’s not often that the U.S. Department of Homeland Security tells users point blank to temporarily disable Java in their web browser. As one would expect, every blogger seems to have an opinion, and they range from “the sky is falling” to “DHS is over-reacting.” Standing out from the crowd, Brian Krebs deserves kudos for his solid, well-researched article on the issue.

So what’s my take on it?

First of all, there are three reasons that DHS may have made such a strong recommendation:

  1. Their intelligence may indicate that the vulnerability is (or has the potential to be) exploited so frequently that it is a legitimate national security concern;
  2. They may be over-reacting; or,
  3. They may be frustrated with Oracle and applying pressure to fix Java.

While I don’t know what intelligence they have, I’d bet on a combination of 1 and 3.

For an exploitation to occur, a user has to visit a web site containing the malware. Those at highest risk are those who visit marginal web sites looking for porn, music, movies, and other material to download. However, malware may be left on compromised web sites and users directed to malware-laden sites through phishing-like emails. To some degree, we are all at risk.

So the question users face: To Java or not to Java?

At the risk of stating the obvious,  if you don’t really need Java uninstall it completely from your computer. Java has a poor security record. There is simply no point to having it installed if you don’t need it. If you’re unsure whether you need Java on your personal computer, uninstall it anyway. It’s easy to re-install the latest version if it turns out you really need it.

If you have a genuine need for Java applications installed on your PC, disable the java plug-in in your browser. Instructions to disable it in all browsers or selectively are here.

If you must use a web site that uses Java, the two-browser approach is likely your best bet. Note that there is no way to selectively disable Java in Microsoft Internet Explorer (one of many reasons that IE should not be your routine-use web browser), so your best bet is to install Google Chrome and disable the Java plug-in there. (For a shortcut, type “chrome://plugins/” into the URL box.)

On the topic of Chrome, if you prefer a more secure browser environment in general, try turning on Chrome’s “click to play” option for plug-ins. Instead of plug-ins running automatically, you’ll have to click on them to load. Some users might find it annoying, but it will stop web sites from automatically launching plug-ins, including Java. You can find the option at “chrome://chrome/settings/content”.
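The two settings above (Java plug-in disabled, everything else click-to-play) can be pushed to a whole fleet rather than clicked through on each machine. The following is an added example, not from the original post: a managed-policy file for the Chrome of that era (NPAPI plug-in days), using the `DefaultPluginsSetting` and `DisabledPlugins` policies. The file path assumes Linux (`/etc/opt/chrome/policies/managed/plugins.json`); on Windows the same keys are set under `HKLM\Software\Policies\Google\Chrome` via Group Policy. Verify the policy actually loaded by visiting `chrome://policy` afterwards. These plug-in policies were removed from later Chrome releases along with NPAPI itself.

```json
{
  "DefaultPluginsSetting": 3,
  "DisabledPlugins": ["Java*"],
  "DisabledPluginsExceptions": []
}
```

`DefaultPluginsSetting` 3 means “click to play” (1 would allow plug-ins automatically, 2 would block them outright). `DisabledPlugins` takes plug-in names with wildcards, so `Java*` catches the “Java(TM) Platform SE …” plug-in regardless of the update number. Users cannot re-enable a policy-disabled plug-in from `chrome://plugins/`, which is the point.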

*** UPDATED 2013-01-14 ***

Oracle has released an out-of-cycle update to Java to address this issue. Windows users who want the patch ASAP should go to Control Panel -> Java, select the Update tab, and click on “Update Now”.

Personal Privacy and Your Work Blackberry

For many of us, the line between work and our personal life isn’t nearly as clear as it used to be. We bring our work laptop home, we take our iPad to work, and some of us are issued a Blackberry by our employer. We know that our employer can — one way or another — see almost anything we do on our work computer. But how about our work Blackberry?

Before I get into specifics, there is one general rule you should always keep in mind:

If an electronic device, including a computer or Blackberry, belongs to your employer, they have the right to ask you for it at any time, and to read any information they can find on it. So, if you’re really concerned about your privacy, don’t use company assets for anything personal.

Having said that, many employers do allow, or at least tolerate, limited personal use of company assets, and many employees do make some personal use, especially in cases where the use does not increase the cost to the employer.

When it comes to the Blackberry, a frequent question is, “What can the administrator at work see?”

It’s important to understand that there are two configurations for the Blackberry, BIS and BES.

BIS is the BlackBerry Internet Service. It gives your BlackBerry access to the Internet, including for email, the web, etc. BIS is popular among consumers and some small businesses.

BES, on the other hand, stands for BlackBerry Enterprise Server. In the BES configuration, your employer runs a server through which the BlackBerry communicates. And, as you might guess, that allows the company to monitor a lot of information.

If you’re wondering about your BlackBerry, navigate to “Manage Connections” and select “Server Status” — where you will be able to see if you are connected to a BES.  While it is possible to be connected to both BIS and BES, if you are connected to a BES, you should assume that when you surf the web from the device it goes through the BES.

If you are only using BIS, you can stop reading here. Your data is flowing directly to the mobile carrier and onto the Internet.  However, if you work for a larger company or government, and they have issued you a BlackBerry, you are almost certainly using BES.

BES capability has evolved throughout the years, and there are many misconceptions. At the time of writing, BES has the capability to access an extensive amount of information:

  • Corporate email
  • Corporate calendar
  • Corporate Address book, memo pad, tasks
  • Browser bookmarks
  • Browser site history
  • PIN messages
  • Text messages (SMS)
  • MMS message text, but not currently any photo sent/received
  • Phone call data (Date/time, number called/received, length of call)
  • Blackberry Messenger data
  • The device’s GPS coordinates every 15 to 60 minutes (according to RIM the user will be prompted and must click Yes to enable location tracking)
  • What applications are installed on the device
  • The operating system version

In addition, since many use a wireless backup, in theory anything that is backed up wirelessly could be viewed by restoring the data to a new device.

To keep this in perspective, some options like PIN and SMS (text) logging are turned off by default, and administrators may choose to turn off other options like logging phone calls. But, BlackBerry enterprise users should be aware that the capability exists. When the features are activated, telephone call, PIN, and SMS information is written to a text file on the BES server, where it can be read by any administrator with access to the server.

So what is not logged?

As far as I can tell, RIM does not provide any capability to record the actual voice telephone call (only information about the call), and messages to and from third-party Instant Messenger applications like MSN, GTalk, and Yahoo are not monitored or logged by BES. In addition, email sent and received through BIS is not routed through BES. However, administrators can see that these applications are in use and block them. Third-party applications could also potentially be installed on your BlackBerry to monitor these services. Finally, don’t forget that a BlackBerry connected to BES can be backed up remotely and restored to another device, providing access to almost everything on it.

Please note that while this information is believed to be correct at the time of writing, there are no guarantees. If you want your personal information to remain personal, keep it off your employer’s devices.

Stage collapse season begins?

Last year it was a stage collapse at Ottawa Bluesfest and the Indiana State Fair.  Today the stage at Downsview Park in Toronto collapsed before the Radiohead concert.

In most Canadian cities, home owners require permits to put up fences and some types of sun decks. For example, here in Ottawa, if I want to build a deck behind my house that is more than 24 inches high, I need a permit and the deck must be inspected at three different points during construction.

We subject homeowners to these stringent requirements, even though if their deck collapses few people are likely to be affected.  Yet we apparently allow those hosting thousands at concerts to build unsafe structures.

Isn’t it about time we start taking this seriously?

Recommended Secure USB Storage

I have a love-hate relationship with portable hard drives and memory sticks. On one hand, I use them daily. It makes little sense to me to carry a whole computer when all I really need is data.  On the other hand, I encrypt my laptop hard drive, and the thought of losing a small device with a lot of personal or client data on it makes me quite uncomfortable.

There are a number of approaches to securing data on portable media. For example, the incredibly popular open source software TrueCrypt allows the creation of encrypted containers that can be stored on any type of media. However, in my experience, solutions that require users to choose to secure their data seldom work well in a corporate environment. In the end, there are three solutions I feel comfortable recommending.

LOK-IT is a secure flash drive with a built-in PIN pad. Once the PIN is set, you simply enter it and the plug the device in. The device is simple and effective, and since there is only one volume – a secured one – there is no security decision for the user to make.  Every file stored on it is protected.  I’ve tested a LOK-IT for a few months and it has quickly become my favourite pocket-size data carrier. LOK-IT is available in Canada from Solantus Inc. (sales@solantus.com) in capacities up to 16 GB.

For larger bulk storage, I have also become a fan of the Aegis Padlock Drive from Apricorn (www.apricorn.com). The Aegis is a portable USB hard drive with a built-in numeric key pad for entering a PIN. I’ve been using a 640 GB USB 2.0 version for some time, and the company has recently released a USB 3.0 version in 250 GB, 500 GB, and 1TB sizes. The product can be purchased with 128-bit AES or 256-bit AES for about $10 more. (I recommend AES 256 to my clients). Apricorn also recently released a flash drive format, but I haven’t had the opportunity to test one yet.

Finally, for corporate use, there’s the Stealth MXP line of products from Imation (www.imation.com), formerly MXI Security. The form factors have changed significantly since I tested them, but the fingerprint authentication means users have no password to lose. They also offer management software to allow corporate clients to control access to their devices. While I’m a fan of the management capability, it is more complex and not the best choice for individuals.

Guest Post: Top Free Twitter Unfollow Tools

Whether you are an individual blogger or a company trying to market itself, Twitter is undoubtedly one of the best tools to help you promote your business, product or service. It is widely known as the topmost social media marketing instrument that has been able to make a profit for a large number of businesses. However, having a Twitter account with a huge number of followers can become extremely difficult to manage efficiently, and you can end up wasting a lot of your valuable time. Not only this, it would become quite difficult for you to target your potential audience or followers who are really interested in your services or products. Therefore, to make this task easier, there are a number of Twitter unfollow tools available. Here is a list of some of the top free Twitter unfollow tools available on the Internet these days.

1. ManageFlitter

Formerly called ManageTwitter, this is one of the best tools for unfollowing unwanted Twitter followers. Even though this application may take a few minutes to load, it works quite well to help you unfollow lots of users quickly. With the help of this tool, you will be able to see the list of people you are following and separate out the ones who are not following you back. In this list, you can easily check the ones you wish to unfollow by clicking on the unfollow button next to their name. This is the only app that will allow you to unfollow the users who are inactive and haven’t been active on Twitter in a while or are too lazy to even post a picture on their profile.

2. Refollow

Another great user-friendly application for unfollowing people on Twitter is Refollow. It is a great tool for unfollowing people who aren’t following you back in bulk. It is quite simple and safe to use, and helps save a lot of time. Though it has been designed to perform one single task, it does that task perfectly.

3. Twitter Karma

Besides helping you unfollow Twitter users, Twitter Karma can be used to follow all users who follow you. It is a great program that can be used for following and unfollowing users within seconds.

4. TweetSpinner

This one is a lot more than just a single tool for unfollowing Twitter users who aren’t following you back. It is an extremely advanced tool which you can use for directing messages, followers, scheduling tweets and designs. Therefore, it is a good choice for people who are looking for an all-inclusive Twitter management tool.

5. JustUnfollow

This tool is also quite simple to use and very efficient in helping you unfollow Twitter users. Just like most other apps, JustUnfollow presents the list of users you are following and points out the ones that aren’t following you. So you can choose the ones you wish to unfollow within seconds. However, the program immediately makes the user disappear as soon as you click on unfollow, and it becomes a bit difficult to follow which users you have unfollowed.

You can try these tools for unfollowing unwanted followers on Twitter and decide for yourself which one suits your requirements the best.

About the author: Margaret is a blogger by profession. She loves writing on the environment and technology and is fond of books. She recently wrote an article on Quartz Countertops. These days she is busy in writing an article on venom gt.

How our browsing history is leaking into the cloud

This presentation (via YouTube) is worth watching!

(Or follow this link)

Guest Post: Six Risks from Not Using Internet Monitoring Software

When you start talking about Internet monitoring software, most times you see folks divide up into two camps. The first is all for it, convinced that the company must watch what users are doing at all times to catch those who violate policy. The second considers monitoring as an infringement on their privacy, and that any Internet monitoring software can only serve to make employees feel even less trusted.

The fact is that both of these camps are in the extreme, if opposite, and both are wrong. Internet monitoring software is an effective and invaluable solution for protecting users from many of the dangers associated with accessing the Internet. The protections that Internet monitoring software offers can all be deployed without having to log a single user’s web access. Sure, Internet monitoring software can be used to maintain logs and provide reports of a user’s surfing if you wish, but that is something a company would choose to do for a specific issue; not a part of the protections that they so desperately need. With all the threats present on the Internet today, let’s look at the top six risks to your company that come about from not using Internet monitoring software:

1.     Malware

Malware can cause all kinds of problems if it infects a machine, from lost productivity and downtime, to larger compromises that back door programs can provide to attackers. Malware can spread from machine to machine, and once it gains a foothold within a company, it can take down an entire site whether by infecting all the other machines, or simply because the network team takes a location down to prevent the infection from spreading to other sites. Users can be exposed to malware by downloads of files, or by accessing compromised sites. Internet monitoring software can block access to sites known to be hosting malware, and can also scan all file downloads to be sure they are safe.

2.     Time wasted

I will never advocate that you cut users off from personal access to the Internet. As long as the office can interrupt their evenings or weekends, some personal use should be tolerated in the interests of fairness and morale. But the Internet can also be a huge time sink, and many users can hit a site with the intention of no more than a quick check-in, to find 45 minutes later that they are late for a meeting. Internet monitoring software can help control access to non-business sites, and limit the time spent surfing for fun.

3.     Bandwidth consumption

Internet monitoring software can help to control access to high-bandwidth services, ensuring that there is enough bandwidth available for customers to hit your website and for email to flow. You don’t want your ecommerce site to be slow to respond because too many users are streaming movies.

4.     Data leakage

Whether it’s Wikileaks, peer-to-peer networking, personal web mail services, or your competitor’s portal, you don’t want users forwarding or posting confidential information from your business to outside sites. Internet monitoring software can block access to these services, helping to enforce policy and keeping sensitive information inside.

5.     Legal action

A user on your network downloads a pirated movie from one of those sites. The MPAA tracks the download to your network. Who do you think is going to be the target of a settlement offer, or worse, a lawsuit? What users do on their own time and with their own equipment is their business; what they do with the company’s computer on the company’s network is yours. Internet monitoring software can prevent users from stepping on the wrong side of copyright while on the clock, which protects the business from any consequences.

6.     HR issues

Again, what a user does at home is their own concern, but there are plenty of things on the web that have no reason for a user to access while at the office. Some users are more sensitive to questionable content than others, and the last thing anyone wants is for one employee to feel threatened or offended by the actions of another. Internet monitoring software can protect users from accidentally clicking the wrong link, which protects everyone from having a sit down with HR.

Remember, using Internet monitoring software doesn’t mean you have to be big brother or play the role of the Internet police officer to protect your users. Internet monitoring software can provide protections while maintaining the anonymity of your users and keeping their individual web browsing habits private. Adding these protections makes good business sense, and can be done without making users think that they are untrusted, or being spied upon. Look at Internet monitoring software as the next layer of your defense in depth strategy.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need Internet monitoring software.

All product and company names herein may be trademarks of their respective owners.

Thank you Chris Dodd

The web is buzzing with contempt over a statement by Motion Picture Association of America (MPAA) Chairman and CEO Chris Dodd to Fox last Thursday:

“Those who count on quote ‘Hollywood’ for support need to understand that this industry is watching very carefully who’s going to stand up for them when their job is at stake. Don’t ask me to write a check for you when you think your job is at risk and then don’t pay any attention to me when my job is at stake.”

As pointed out on the MPAA web site, Dodd is also a former US Senator from Connecticut. Surely he understood the implications of publicly confirming what we have always expected: that Hollywood spends a lot of money on politicians and expects a return on its investments. Rather than condemn him, perhaps we should be thanking him for putting this out in the open.

The movie industry, like many others, is facing a harsh new reality — one that, for the most part, they appear to be in denial about. Pushing for draconian, ill-informed legislation such as the Stop Online Piracy Act (SOPA) and the Protect IP Act isn’t the solution. Perhaps it’s time that Hollywood stop trying to purchase politicians and apply some creativity to their business model instead.
