Tighter security coming in Firefox 4 – (Including silent updates?)

A new JavaScript engine, HTML5, tabs on top, and a new add-on framework are not the only improvements that users can expect in Firefox 4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.

One of the biggest fixes that’s been implemented in the Firefox 4 beta repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS history sniffing attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevent all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox’s director of development, Jonathan Nightingale. Changing an already-visited link’s colors is one of the most-used features of the Web, and it would be catastrophic to prevent that.

Mozilla’s David Baron figured out how to solve the problem with a three-pronged approach that focuses on the user instead of the Web site. His solution limits what aspect of links can be tweaked to color, then "lies" through JavaScript so that although the page queries the link and reports back what it would look like if it was unvisited, the one that Mozilla’s engine draws is the correct one, whether it’s been visited or not. This solution also limits the amount of computation that the rendering engine needs to do, said Nightingale, which allows the focus to remain on the content and reduces the overall "heavy lifting" required to render it properly. "By limiting the link, there’s fewer options for [link exploits that look like] dancing bananas."
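The two rules described above can be modelled without a browser. The following is an added illustration written for this digest, not Mozilla’s code: plain functions over style objects that (1) let a `:visited` rule override only colour properties in what is painted and (2) report the unvisited style to script regardless of history state. The allow-list of colour properties and the sample styles are assumptions made for the example; Gecko’s real list and its implementation are not on this page.

```javascript
// Added model of the Firefox 4 :visited privacy fix (illustration, not Gecko code).
// ASSUMPTION: the allow-list reflects the "color only" limitation the article
// describes; the exact property names are ours, not taken from the page.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'outline-color',
]);

// Rule 1 (what gets painted): start from the unvisited style and let the
// :visited rule override only colour properties. Anything else (font-size,
// background-image, ...) is ignored, so a visited link can no longer trigger
// a resource load or a layout change that a script could observe.
function paintedStyle(linkStyle, visitedStyle, isVisited) {
  const painted = { ...linkStyle };
  if (!isVisited) return painted;
  for (const [prop, value] of Object.entries(visitedStyle)) {
    if (VISITED_ALLOWED.has(prop)) painted[prop] = value;
  }
  return painted;
}

// Rule 2 (what the page is told): the fixed getComputedStyle "lies" and
// always returns the unvisited style. The user sees purple; the script reads blue.
function reportedStyle(linkStyle, visitedStyle, isVisited) {
  void visitedStyle; void isVisited; // deliberately unused: history never leaks here
  return { ...linkStyle };
}

// Pre-fix behaviour, kept only for comparison: script sees exactly what was
// painted, and every visited property applied.
function legacyReportedStyle(linkStyle, visitedStyle, isVisited) {
  return isVisited ? { ...linkStyle, ...visitedStyle } : { ...linkStyle };
}

// Defender's check: does the style a page can read differ between a visited
// and an unvisited link under a given reporting policy?
function leaksHistory(reporter, linkStyle, visitedStyle) {
  const seenVisited = JSON.stringify(reporter(linkStyle, visitedStyle, true));
  const seenUnvisited = JSON.stringify(reporter(linkStyle, visitedStyle, false));
  return seenVisited !== seenUnvisited;
}

// Constructed sample styles (not from the article): the :visited rule tries
// to change colour, size and a background image.
const SAMPLE_LINK = { color: 'blue', 'font-size': '12px', 'background-image': 'none' };
const SAMPLE_VISITED = {
  color: 'purple',
  'font-size': '20px',
  'background-image': 'url(hypothetical-beacon.png)',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('painted (visited):', paintedStyle(SAMPLE_LINK, SAMPLE_VISITED, true));
  console.log('reported to script:', reportedStyle(SAMPLE_LINK, SAMPLE_VISITED, true));
  console.log('legacy leaks history:', leaksHistory(legacyReportedStyle, SAMPLE_LINK, SAMPLE_VISITED));
  console.log('fixed leaks history: ', leaksHistory(reportedStyle, SAMPLE_LINK, SAMPLE_VISITED));
}
```

Run under Node to see the painted style keep only the colour change while the reported style is identical for visited and unvisited links; `leaksHistory` is true for the legacy policy and false for the fixed one, which is the whole point of the "lie".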

Nightingale added that Wednesday’s release of Safari 5.0.1 has incorporated the fix.

Another type of bug addressed in the Firefox 4 beta is an XSS (cross-site scripting) exploit. […]

Other changes in Firefox 4 promise to be less technical. Firefox’s approach to browser updates is changing, and sounds like in some cases it will more closely resemble Google Chrome’s automatic updates. "There are updates that we want you to know about, and that you’ll have a choice to install or not, but there’s also updates that we just want to get our security patches out," said Nightingale. Those silent updates will be rolled out first to Windows users because Windows users experience the most security risks, he said, but Mac and Linux users will eventually see them, too.

CNET Download Blog

Tool will test for phone bugs – Airprobe

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other peoples’ calls, unless the target telecommunications provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the United States.

For more on this story, read "Can your calls be intercepted? This tool can tell" on CNET News.

ZDNet

AirTight defends Wi-Fi WPA2 ‘vulnerability’ claim

A "publicity stunt?" Major threat? Or easily contained?

Executives at AirTight are defending their description of a little-known "vulnerability" in the 802.11 standard in the face of criticism following their demonstration of a Wi-Fi exploit at the Black Hat security conference. One WLAN vendor called the claim a "publicity stunt."

Others are saying the attack, which can only be mounted by an internal authorized WLAN user, is so limited in scope that it would be easier for an attacker to just use the unattended computer in a neighbor’s cubicle or even bribe a fellow employee to access data.

"What those limitations really mean is that ‘YES’ there are much easier ways to get the data," says Jennifer Jabbusch, chief information security officer, Carolina Advanced Digital, a Cary, N.C. IT services company. "In a scenario like this, that data is most likely (more than 99.9% likely) to be [already] unencrypted on the wire. In addition to that, the close physical proximity [required] would mean an attacker could also just as easily walk over to the victim’s machine and load a tool to collect data while they’re at lunch or getting a soda in the break room. The wireless attack is ‘going around your butt to get to your elbow,’ as we say in the South."

She analyzed the AirTight exploit previously in her SecurityUncorked blog.

WLAN vendor Aruba Networks issued its own analysis, by Robbie Gill of the company’s engineering department, which concluded, "The attack scenario described by AirTight is well known and old news – it was, in short, a publicity stunt."

Yesterday’s detailed demonstration at Black Hat Arsenal, a demo area associated with the Black Hat info security conference, confirmed nearly all of the details that Jabbusch and others had been expecting. [See: "Wi-Fi WPA2 vulnerability FAQ".] It did little to convince observers that the exploit constituted a serious threat to enterprise wireless LAN security.

NetworkWorld

Dell Tech Swipes Nude Photos of Gullible Customer

Dell is apparently eager to compete with Best Buy and Walmart for the title of most despised retailer in the country. A few months back, a tech support rep got in trouble for turning on a woman’s webcam without her permission. Then, last month, the company got nabbed knowingly shipping faulty PCs. And, just this week, the Texas-based manufacturer was caught shipping motherboards infected with malware. Now, a woman from California is alleging that a support technician for Dell stole nude photos of her from her PC and posted them online, and then charged $800 worth of computer gear to her credit card for another woman in Tennessee.

This is not a cut-and-dried case of a misbehaving tech rep, though. This drama has actually been going on for almost a year, and only now is Tara Fitzgerald coming forward with her accusations. Try to follow the sequence of events, and make sense of Fitzgerald’s often questionable judgment.

Switched

Did Dell tech support display woman’s naked pics?

Fitzgerald wanted to send some pictures of herself to her boyfriend, but she couldn’t find them on her Dell computer.

Her urgent need to find these pictures drove her, quite naturally, to call Dell tech support. Her call was answered, she said, by a gentleman in Mumbai, India, named Riyaz Shaikh.

Shaikh, who, by the time you finish this tale, might not turn out to be a gentleman, after all, offered to remotely access her computer so that he could find the pictures for her. Fitzgerald said she watched him as he located her snapshots.

It was another fine day in the helpful history of tech support. However, this success was ruined somewhat, when Fitzgerald allegedly received an e-mail from an unidentified source telling her that her pictures were now freely available for anyone to see on the Web. They were on a site called "bitchtara." […]

When News10 contacted Dell, it received the following reply: "We investigated the issue, which involved a technical representative at one of Dell’s vendors. We contacted the vendor about the allegation and can confirm that the representative no longer handles Dell calls. We’ve been in contact with Ms. Fitzgerald regarding this issue and continue to investigate her claims to best assist in a resolution."

CNET

Sites Feed Personal Details To New Tracking Industry

The largest U.S. websites are installing new and intrusive consumer-tracking technologies on the computers of people visiting their sites—in some cases, more than 100 tracking tools at a time—a Wall Street Journal investigation has found.

The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time.

The Journal’s study shows the extent to which Web users are in effect exchanging personal data for the broad access to information and services that is a defining feature of the Internet.

In an effort to quantify the reach and sophistication of the tracking industry, the Journal examined the 50 most popular websites in the U.S. to measure the quantity and capabilities of the "cookies," "beacons" and other trackers installed on a visitor’s computer by each site. Together, the 50 sites account for roughly 40% of U.S. page-views.

The 50 sites installed a total of 3,180 tracking files on a test computer used to conduct the study. Only one site, the encyclopedia Wikipedia.org, installed none. Twelve sites, including IAC/InterActive Corp.’s Dictionary.com, Comcast Corp.’s Comcast.net and Microsoft Corp.’s MSN.com, installed more than 100 tracking tools apiece in the course of the Journal’s test.

The Journal also surveyed its own site, WSJ.com, which doesn’t rank among the top 50 by visitors. WSJ.com installed 60 tracking files, slightly below the 64 average for the top 50 sites.

The Wall Street Journal

If you use IE, enable "InPrivate Filtering"

Use the Hosts file to block ads. Use Adblock Plus for Firefox, or AdBlock IE for IE.
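Blocking trackers through the Hosts file means mapping their host names to an unroutable address so the browser never connects. The function below, an added example not from the original post, builds that section of a hosts file as text so it can be reviewed before anything is written with elevated rights. It validates host names, never overrides a mapping already present (such as an intranet host), de-duplicates, and keeps its entries between marker comments so re-running it is idempotent. The sample hosts content and the `.example.test` domains are constructed for the example, not a real block list.

```javascript
// Added example (not from the original post): merge a tracker block list into
// hosts-file text. Pure string in / object out; nothing here touches the real
// /etc/hosts or C:\Windows\System32\drivers\etc\hosts.
const BLOCK_MARK_BEGIN = '# BEGIN ad/tracker blocklist';
const BLOCK_MARK_END = '# END ad/tracker blocklist';

// Host name shape: 1-63 char labels of letters/digits/hyphens, no leading or
// trailing hyphen, at least two labels, 253 chars total. Single-label names
// (localhost) are deliberately rejected for a block list.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$/i;

function isValidHostname(name) {
  return HOSTNAME_RE.test(name);
}

// Every name already mapped in the hosts text (comments stripped), so a
// deliberate existing entry is never shadowed by 0.0.0.0.
function existingNames(hostsText) {
  const names = new Set();
  for (const raw of hostsText.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    for (const n of fields.slice(1)) names.add(n.toLowerCase());
  }
  return names;
}

// Returns { text, added, rejected }. 0.0.0.0 is used rather than 127.0.0.1
// so blocked requests fail immediately instead of probing a local web server.
function mergeHostsBlocklist(hostsText, domains) {
  // Remove any previous managed section so repeated runs give the same result.
  const kept = [];
  let skipping = false;
  for (const line of hostsText.split(/\r?\n/)) {
    const t = line.trim();
    if (t === BLOCK_MARK_BEGIN) { skipping = true; continue; }
    if (t === BLOCK_MARK_END) { skipping = false; continue; }
    if (!skipping) kept.push(line);
  }
  const taken = existingNames(kept.join('\n'));
  const entries = [];
  const rejected = [];
  for (const d of domains) {
    const name = d.trim().toLowerCase();
    if (!isValidHostname(name)) { rejected.push(d); continue; }
    if (taken.has(name)) continue; // duplicate, or an existing mapping we must not override
    taken.add(name);
    entries.push(`0.0.0.0 ${name}`);
  }
  while (kept.length && kept[kept.length - 1].trim() === '') kept.pop();
  const text = [...kept, BLOCK_MARK_BEGIN, ...entries, BLOCK_MARK_END, ''].join('\n');
  return { text, added: entries.length, rejected };
}

// Constructed sample input (not a real hosts file or block list).
const SAMPLE_HOSTS = [
  '# constructed sample hosts file',
  '127.0.0.1   localhost',
  '10.0.0.5    intranet.example.test   # deliberate mapping, must survive',
  '',
].join('\n');
const SAMPLE_BLOCKLIST = [
  'ads.example.test',
  'Tracker.Example.TEST',    // case-normalised
  'ads.example.test',        // duplicate, dropped
  'intranet.example.test',   // already mapped, never overridden
  'not a host',              // rejected: spaces
  '-bad.example.test',       // rejected: leading hyphen
];

if (typeof require !== 'undefined' && require.main === module) {
  const result = mergeHostsBlocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST);
  console.log(result.text);
  console.log(`added ${result.added}, rejected: ${result.rejected.join(', ')}`);
}
```

To apply the result, write `result.text` over the OS hosts file with administrator or root rights and flush the DNS cache; running the function a second time over its own output changes nothing, which makes it safe to schedule.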

Business ISP Star UK Finds Workers Use Office Internet for Personal Stuff

The latest independent survey of 1,000 workers from business ISP Star UK has found that 72% of British workers spend their lunch hour online and performing activities like shopping, banking, catching up with the latest sport or chatting to their friends on email or Facebook.

The research was conducted after Star noticed that the network bandwidth usage for business Internet traffic in their data centres was consistently peaking between 12:00 – 14:00hrs, which is normally when British workers should be enjoying their lunch breaks.

The most popular lunchtime habits are checking personal email accounts (63%), online shopping and banking (62%), and catching up with friends on social networking sites like Facebook (31%); unsurprisingly, this last trend was higher (40%) among younger workers aged 16 to 34.

ISPReview

Farmville Will Get You in Trouble with IT Police

Farmville is arguably the biggest social game the world has seen. Well, maybe that’s a bit much, but it is a popular game. It is so popular, in fact, that many people will play it at work. However, doing so might get you into trouble with the IT police.

According to a security report by Cisco, employees are breaking company policies by playing social networking games, and, by doing so, could be opening up networks to outside attacks.

Cisco’s 2010 Midyear Report found that 7-percent of those who admitted to using Facebook at work also fessed up to spending an average of 68 minutes each day playing ‘FarmVille.’

FarmVille isn’t the only game Facebookers play, as they are also sucked up into playing ‘Mafia Wars’ (5-percent for 52 minutes each day) and ‘Cafe World’ (4-percent for 36 minutes each day).

Technorati

Guard Dog Inc. Partners With Javacool Software LLC, Creators of Popular ‘SpywareBlaster’ Program

Guard Dog, Inc. today announces a significant advance in its mission to protect consumers with a truly complete level of security against threats of identity theft through a recent partnership with Javacool Software LLC (JCS). In keeping with the company’s commitment to provide the best protection and solutions against online identity theft threats JCS’s popular software, SpywareBlaster, will be provided to all Guard Dog members to help protect them online.

“It has always been our primary objective to provide both current and future members of our identity theft protection service with the most comprehensive protection,” states Guard Dog Inc. Chief Executive Officer James Watson. “This partnership is one of many clear strategic moves towards Guard Dog achieving that objective. This is a never-ending process of building layers of protection and it is critical to include online partners in that process. SpywareBlaster is a proven anti-spyware, anti-malware system and when combined with Guard Dog’s unique, full-featured pro-active approach; the combination provides serious protection against identity theft.”

There are many key features that make SpywareBlaster a perfect fit for the Guard Dog product line. SpywareBlaster works alongside any existing security software on a PC to help provide a strong “layered defense” against spyware, malware and other threats. It also prevents the installation of ActiveX-based spyware and other dangerous programs, blocks spying and tracking via cookies, and restricts the actions of potentially unwanted Web sites. Unlike many other security tools, the performance-friendly SpywareBlaster software does not remain running in the background to slow down your PC.

“We are extremely pleased to announce our cooperative agreement with Guard Dog ID,” said a Javacool company spokesperson. “Over the years we have been approached by numerous companies that wanted to enter into a partnership program. The only one that was clearly in the best interests of our customers and our SpywareBlaster product was Guard Dog. We have been in talks with Guard Dog over the last three months and have a good understanding of their product and how SpywareBlaster fits into the equation. We are very excited to be a part of it.”

With more than 60 million free downloads since the company’s launch in 2002, having this agreement with Javacool furthers the distance between Guard Dog ID and its competitors. The company now truly offers a full suite of comprehensive identity theft protection, including key protection against online threats.

EarthTimes

FTC Issues Final Rule to Protect Consumers in Credit Card Debt

Amendments to Telemarketing Sales Rule Prohibiting Debt Relief Companies From Collecting Advance Fees Will Take Effect in October 2010

Starting on October 27, 2010, for-profit companies that sell debt relief services over the telephone may no longer charge a fee before they settle or reduce a customer’s credit card or other unsecured debt.

“At the FTC we strive every day to make sure America’s middle class families get straight deals for their dollars,” Chairman Jon Leibowitz said. “This rule will stop companies who offer consumers false promises of reducing credit card debts by half or more in exchange for large, up-front fees. Too many of these companies pick the last dollar out of consumers’ pockets – and far from leaving them better off, push them deeper into debt, even bankruptcy.”

Three other Telemarketing Sales Rule provisions to take effect on September 27, 2010, will:

require debt relief companies to make specific disclosures to consumers;
prohibit them from making misrepresentations; and
extend the Telemarketing Sales Rule to cover calls consumers make to these firms in response to debt relief advertising.

FTC

FTC’s List of Corporate Privacy Abusers Shows Advertisers Can’t Be Trusted With Data Security

The FTC yesterday published a list of companies that used unfair, deceptive, false or misleading claims about consumer privacy that caused “substantial consumer injury,” and the names on it will surprise you. Sure, many of the companies are mortgage scammers and spam phishers. But lots of them are household and blue-chip brands such as Twitter, TJ Maxx (TJX), Microsoft (MSFT) and Dave & Busters.

The list proves that advertisers cannot be trusted to regulate themselves when it comes to tracking and targeting consumers on the web or on mobile devices. There are currently few rules controlling how advertisers can use personal information gathered from consumers electronically, and if self regulation worked the FTC would not have brought action against these companies for privacy abuses (see pages 7 and 8):

  • Twitter
  • Dave & Buster’s
  • LifeLock
  • ValueClick
  • CVS Caremark
  • The TJX Cos. (TJ Maxx)
  • Reed Elsevier
  • DSW
  • BJ’s Wholesale Club, Inc.
  • Nationwide Mortgage Group
  • Petco Animal Supplies
  • Guess?
  • Microsoft Corp.
  • Lexis Nexis

In addition, the FTC has brought:

… 15 actions charging website operators with collecting information from children without parents’ consent, as well as 15 spyware cases and dozens of actions challenging illegal spam, …

BNET