Thursday, December 15, 2011

Tips on how to ensure network security when working from home

As many people struggle to find work-life balance, the concept of telecommuting (the ability to work from home) is gaining traction. According to the latest Statistics Canada data, 1.4 million Canadians work at home at least part of the time, and a 2010 study by Workopolis found that more than half of Canadians would like the option to work from home in order to avoid long commutes and increase productivity.

Laptops, PDAs and iPads have all made it much easier to work from any remote location. Camera-enabled tablet computers and programs like Skype make virtual face-to-face meetings simple.

Besides the obvious benefits for the employee, there are benefits for the employer as well. Studies have found that a business with 250 telecommuting employees could save about $3 million a year. The primary financial savings are derived from increased productivity, reduced real estate costs, reduced energy consumption and lower absenteeism and turnover.

There is another side to the freedom and savings. Douglas Grosfield, President and CEO of Xylotek Solutions, says "telecommuting can pose significant risk to the company’s network security." 

This becomes an issue when an employee connects to the office network from a home computer. "While security settings are generally standardized on all workplace computers, it can be more difficult to ensure that an employee's home machine and network are as secure, because the employer has less control over the security of the employee’s home computer."

Tips

Consider using a virtualized solution

A virtual desktop or application virtualization solution keeps all programs and files in a virtual environment in a secure location, which can then be accessed from a home computer or any computer in the office. If a laptop is lost or stolen, there is no client data on the device to compromise. In addition, software updates and anti-virus scans can be managed centrally to ensure all employees are covered. Products like Citrix are considered industry leading in this space. Be clear about what this does and does not protect: it removes data at rest from the endpoint, but the home machine still handles the user's keystrokes and screen, so a keylogger or screen-grabber on an infected home PC can still capture the credentials and whatever the session displays.

Create a telecommuting policy

According to Ponemon Institute’s 2010-2011 security tracking study, 91 percent of surveyed companies reported that their employees had downloaded applications containing malware. A telecommuting policy can help prevent this by outlining basic steps for network security, such as guidelines on what may be downloaded and the need for regular software updates and anti-virus scans. The policy should also identify who may use the computer and limit its use to the employee only, since other people in the household may install software, or malware, that unintentionally infects the system or captures sensitive information such as user IDs and passwords. It can also include guidelines on what types of data must not be stored on these devices and details on how to report a lost or stolen device. Ensure the policy is strictly enforced.

Secure home wireless networks

This is critical in order to protect client data and financial information that travel over the home network. Simply having a wireless password is not enough: what matters is the protocol behind it. WEP, the oldest scheme, can be cracked in minutes from captured traffic regardless of the key chosen, and the original WPA with the TKIP cipher is also weakened; use WPA2 with AES (CCMP) and a long passphrase that is not a dictionary word, and disable WEP and WPA/TKIP entirely. Hiding the SSID (the service set identifier, the public name of a wireless network) is often recommended as well, but it is not a security control: the network name is still transmitted in the clear whenever a client connects, and any wireless sniffer will see it. Treat it as a convenience setting at most, and rely on the encryption and the passphrase for protection.
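As an added example (not part of the original post), the check below audits an access point configuration for the weak settings just described. It assumes hostapd.conf syntax (wpa=, wpa_pairwise=, rsn_pairwise=, wpa_passphrase=, ignore_broadcast_ssid= and wep_* keys), which most home routers expose under other names in their web interface; the two sample configurations and the short wordlist are constructed for the example.

```python
"""Audit a hostapd-style access point configuration for weak wireless settings."""

# Constructed sample wordlist; a real audit would load a large cracking dictionary.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyui", "letmein1", "homeoffice"}


def parse_hostapd(text):
    """Parse key=value lines (hostapd.conf syntax); comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_wireless(conf):
    """Return a list of (severity, message) findings for one access point configuration."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd: bit 0 = WPA (v1), bit 1 = WPA2 (RSN)
    uses_wep = any(k.startswith("wep_") for k in conf) or conf.get("auth_algs") == "2"

    if uses_wep:
        findings.append(("critical", "WEP is configured; WEP keys are recoverable from "
                                     "captured traffic regardless of the key chosen"))
    elif wpa == 0:
        findings.append(("critical", "open network: no WPA/WPA2 protection at all"))

    if wpa & 1:
        findings.append(("high", "WPA (version 1) enabled; use WPA2 only (wpa=2)"))

    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append(("medium", "TKIP cipher enabled; use CCMP (AES) only"))

    if wpa:
        passphrase = conf.get("wpa_passphrase")
        if passphrase is None and "wpa_psk" not in conf:
            findings.append(("critical", "WPA enabled but no passphrase or PSK is set"))
        elif passphrase is not None:
            if passphrase.lower() in COMMON_PASSPHRASES:
                findings.append(("high", "passphrase appears in common wordlists"))
            elif len(passphrase) < 16:
                findings.append(("high", "passphrase shorter than 16 characters; a captured "
                                         "WPA2-PSK handshake can be cracked offline"))

    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID is not a security control: the name is sent "
                                 "in the clear in probe and association frames"))
    return findings


# Constructed sample: typical home router defaults of the time.
WEAK_CONF = """\
interface=wlan0
ssid=HomeOffice
ignore_broadcast_ssid=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed sample: WPA2 only, AES, long random passphrase, SSID broadcast left on.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeOffice
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Lq7!vT2#pXm9$wE4zR8&
"""


def severities(text):
    """Sorted set of severities found in a configuration text (handy for a pass/fail gate)."""
    return sorted({sev for sev, _ in audit_wireless(parse_hostapd(text))})


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for sev, msg in audit_wireless(parse_hostapd(text)) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The hardened configuration produces no findings; the weak one is flagged for WPA1, TKIP and a wordlist passphrase, and the hidden SSID is reported only as informational, because it changes nothing about what an attacker can do.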

Use Virtual Private Networks (VPNs) for added security

If the network connection is not properly secured, confidential corporate information can be intercepted while it is transmitted between the home and the office network. Virtual Private Networks (VPNs) encrypt that traffic and authenticate both ends, so they are the standard way to secure communications to an organization’s internal network. Require the VPN for any access to internal resources, and configure the client to verify the gateway's certificate so that a hostile network (a coffee-shop hotspot, or a compromised home router) cannot impersonate the office.

Physically secure all work laptops, mobile devices and storage media

Laptops and other mobile devices are among the greatest risks to a company because of the confidential information that would be lost should these devices be misplaced or stolen. It is therefore imperative that they are not left unattended, in a car or in plain sight at home, where they may be stolen during a break-in.

Encrypt all devices and use anti-theft technologies

Encryption is the process of scrambling information so it cannot be read by unauthorized individuals. According to a 2009 Ponemon study sponsored by Intel, the total economic impact of one lost laptop is $49,256. That same study found that on average, encryption can reduce the cost of a lost laptop by more than $20,000. In addition to encryption, there are anti-theft technologies that can remotely wipe the data on a lost mobile device, preventing thieves from accessing the information. Two caveats: full-disk encryption protects data only while the device is powered off, since once it is booted and unlocked the key is in memory, so the screen lock and the encryption work together; and a remote wipe only takes effect if the device comes back online, so encryption is the control to rely on and the wipe is a bonus.

Ask all staff to report any suspicious activity

This applies especially to employer-issued computers. If an employee notices any change in how the computer behaves (ads suddenly popping up, a slow-down in performance, new toolbars or programs that were not installed deliberately), it must be reported to the company’s IT representatives, since such changes may indicate malware.

While there are significant IT risks to telecommuting, they can be easily managed and should not discourage a company from considering this potentially cost-saving work arrangement which comes with many other benefits. By taking precautions and creating a strong telecommuting policy, companies can reduce the risk of a costly data breach and damaged reputation due to the loss of sensitive client information.

Sunday, November 13, 2011

PC-Trojans the Riskiest Cloud Security Malware

According to a newly published report by ASEC (AhnLab Security Emergency Response Center) on the most prevalent online threats of the third quarter of 2011 (Q3 2011), PC Trojans remain the most prevalent and dangerous category of malware, while hackers and other cyber criminals are increasingly targeting smartphones.

Based on a sample of Korean users, Trojans accounted for 36% of reported infections and ranked first among the 20 most prevalent malicious programs of Q3 2011, followed by scripts at 20.7% and PC worms at 10.8% of all detected infections. Other threats on the list were Textimage/Autorun with 16.2% of reported detections, JS/Agent (13.6%), adware (12%) and a new entrant, Html/Agent (9.7%).

Total malware detections fell to 6,601,705 in Q3 2011 (July to September) from 39,606,178 in the preceding quarter (April to June, Q2 2011). Nevertheless, 13 of the 20 most prevalent threats of Q3 2011 were new entrants.

The ASEC study also notes a continuing rise in bootkits, malicious software that deliberately modifies the Master Boot Record (MBR) so that it runs before the operating system and its anti-virus software. In August 2011 a malicious program that infects and modifies the Award BIOS was detected for the first time, and in September 2011 a bootkit emerged in Korea that disables a Korean anti-virus product and then downloads malware for hacking online games. Because bootkits are harder to craft than ordinary malware, their numbers grow slowly; but because they are also hard to detect and hard to remove, criminals continue to invest in them, the AhnLab center notes.
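As an added example (not from AhnLab's report), here is the kind of check an endpoint agent runs to catch the MBR modification described above: parse the 512-byte sector, verify its structure, and compare a hash of the boot code against a baseline recorded when the machine was known to be clean. The sample MBR and its tampered copy are constructed; reading the real sector needs administrator rights (on Linux, dd if=/dev/sda bs=512 count=1).

```python
"""Parse a 512-byte Master Boot Record and compare its boot code with a known-good hash."""
import hashlib
import struct

BOOT_CODE_LEN = 440          # bytes 0..439 are executable boot code; 440..443 disk signature
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(data):
    """Return the boot-code hash, disk signature, signature check and partition table."""
    if len(data) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = data[PARTITION_TABLE_OFF + 16 * i: PARTITION_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-first(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, 440)[0],
        "signature_ok": data[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(data, baseline_sha256):
    """Flag the deviations a bootkit typically introduces. A hash mismatch is the key signal;
    bootkits also stash the original MBR in the unallocated sectors before the first
    partition, which needs the rest of the disk and is not checked here."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature; sector is corrupt or not an MBR")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline "
                        "(possible bootkit or unrecognised boot loader)")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions; expected exactly one")
    for p in active:
        if p["type"] == 0x00:
            findings.append(f"partition {p['index']} is active but has type 0x00 (empty)")
    return findings


def build_sample_mbr():
    """Constructed sample: deterministic boot code plus one active NTFS (0x07) partition."""
    boot_code = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return boot_code + disk_sig + table + MBR_SIGNATURE


GOOD_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()  # recorded while clean


def tampered_mbr():
    """The same image with one patched byte in the boot code, as an infection would leave."""
    data = bytearray(GOOD_MBR)
    data[0x10] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    print("clean   :", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(tampered_mbr(), BASELINE))
```

The baseline must be taken from a known-good image (or from the installer's boot code hash), and any legitimate boot-loader update will change it, so the check is a trigger for investigation rather than a verdict on its own.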

Finally, two further items came to the security industry's notice during Q3 2011, according to AhnLab: a program that uses infected machines to generate the virtual currency Bitcoin, classified as malicious because it does so covertly on the victim's hardware, and the Morto worm, which spreads through Windows Remote Desktop by scanning for hosts with port 3389 open and trying a list of common administrator passwords.
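Morto's spreading method leaves a distinctive trail in the Windows Security log: a burst of failed RemoteInteractive logons (event 4625, logon type 10) for Administrator from one source, sometimes followed by a success (event 4624) from the same source. The detector below is an added example, not part of AhnLab's report; the log format it parses is a constructed one-line-per-event export, and the field names (LogonType, User, Src) are assumptions standing in for the real events' Logon Type, Account Name and Source Network Address fields.

```python
"""Detect RDP password guessing (the Morto pattern) in exported Windows logon events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Security-log events (one event per line).
SAMPLE_LOG = """\
2011-08-28T10:00:00Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:05Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:10Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:12Z 4625 LogonType=2 User=alice Src=-
2011-08-28T10:00:15Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:20Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:25Z 4625 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:00:30Z 4624 LogonType=10 User=Administrator Src=10.0.0.5
2011-08-28T10:01:00Z 4624 LogonType=10 User=bob Src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")


def parse_event(line):
    """One exported line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]), "ltype": int(m["ltype"]),
            "user": m["user"], "src": m["src"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed RDP logons per source address.

    Returns alert tuples: ("bruteforce", src, failures_in_window) once per source when
    the threshold is crossed, and ("success_after_bruteforce", src, user) for every
    successful RDP logon that follows such a burst, which is the compromise signal.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["ltype"] != 10:  # 10 = RemoteInteractive, i.e. RDP
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if ev["event"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(recent)))
        elif ev["event"] == 4624 and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the source 10.0.0.5 trips the threshold on its fifth failure and the later success for Administrator is reported as a likely compromise; the local failure for alice (logon type 2) and bob's clean RDP logon are ignored. Threshold and window are tuning knobs: Morto-style guessing is fast and noisy, so five failures in a minute is conservative.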

Saturday, October 8, 2011

Obama enhances computer security

Politico reports that Barack Obama will issue an executive order on Friday that outlines a whole slew of enhancements to cyber security within departments like the FBI, CIA, and the Pentagon.

Some of them are very basic, seemingly obvious measures, like preventing employees from downloading private data onto removable hard drives.

Other implementations include better tracking of what government employees are doing when they access sensitive information. The Department of Defense's chief information officer Teri Takai was quoted as saying, "It’s an additional tool to provide indicators that flag anomalous behavior, much as credit card companies monitor credit card use and a user’s profile."

There's also a set of back-end improvements on how information is encrypted and secured.

In addition, Obama will receive a report within 90 days on how the new measures are affecting data leaks.

This all comes as the result of a seven-month review of internal policies and procedures following the massive and unprecedented data fiasco from the website Wikileaks.

While the Wikileaks stories have lost a lot of their grandeur, the security holes they exposed were of the utmost importance and Obama hopes these new enhancements will prevent future leaks.

Thursday, October 6, 2011

OS X and Windows, working together

Being able to switch to a different operating system without having to sacrifice functionality and performance is a welcome rarity in the IT world.

Over the years I have attempted to run other operating systems besides Windows on my primary workstation. I have run OS/2 in the past. I’ve tried running various flavors of Linux. I’ve also tried running OS X on my MacBook Air. Every time I tried, I found that there was always something lacking in the OS, or the applications, that resulted in my returning to Windows.

I suppose one question that comes up is, “If everything you need is under Windows, then why are you trying to switch away from it?” The truth is that while I like the capabilities of the applications, I actually prefer a Unix-like environment under the hood. Ubuntu can give me that, but there’s a great deal of functionality missing that I get from Windows applications. The same situation exists under OS X.

This past month, however, fellow ZDNet columnist James Kendrick wrote an article covering the release of the latest version of Parallels Desktop for OS X. This latest version was written to support the new release of OS X, Lion, and has improved speed. Native Windows applications running in seamless mode are nearly as fast as native OS X applications.

There’s no need for me to rehash reviews of Parallels Desktop 7. If you’re familiar with the product, or with VMware Fusion 4, then you know what I’m referring to. Even VirtualBox has a seamless mode, although performance-wise it isn’t as powerful as the other two. It is free, however.

I’m sure I will be told, “These programs existed before, why didn’t you use them?” To be honest, I hadn’t been impressed with the performance or seamless capabilities of the VM applications until now. I wanted the Windows applications to run in seamless mode as if they were native OS X applications. Having access to the Windows start menu from the OS X menu bar, along with Windows system tray icons, adds to the perfect convergence of the two operating systems.

Sometimes it’s the little, inconsequential features that really impress me. For instance, you can have Windows use the native OS X user directories for documents and downloads instead of creating its own within the virtual machine. Copy and paste just works between environments, without any tricks required to get it to work. I can access the Windows control panel and other functions as if they were a native part of OS X.

My main argument against switching from Windows was always, “Why should I have to give up my applications? Why do I have to settle for reduced functionality?” Well, now the answer is that I don’t have to settle. I have all of my apps, and they work. I have replaced a few of the programs I use with their OS X counterparts because they are fully functional native applications. The ones I didn’t replace I simply installed under Windows in the Parallels VM, and added their icons to the OS X dock bar.

Convergence is a great thing when it works well. I’m not the kind of person to settle for passable, or reduced functionality. I felt the same way some years ago when I got my first smartphone that could be a phone, MP3 player and PDA, without making any sacrifices. Now I can do the same on my primary computer. I have Windows, OS X and Unix capability, all in one, without having to jump through hoops to do it.

Beyond the Password

One day five months ago, Karim Hijazi saw an unusual sight while reading his work email. A message that had been marked as "read" was suddenly marked "unread."

What the founder of Unveillance, a computer-network security firm, soon learned was that hackers had broken into his account.

The hackers gained access to his email by stealing log-in information from an insecure website, which they then matched up with a password they found on the Internet. After downloading all of his emails, the hackers sent Mr. Hijazi a message demanding he share sensitive security information with them. When he refused, the hackers released his emails on the Web.

Mr. Hijazi is one of the latest victims of computer hackers focused on getting into websites, corporate networks and email accounts by using legitimate passwords. Many break into poorly secured websites, steal databases filled with personal information and then comb through that data for log-in information for companies, government agencies and banks.

The growing frequency of these attacks has pushed companies to seek other forms of data protection than simple passwords.

Demand for additional barriers and detection programs is already large. Sales of these types of products topped $900 million world-wide last year, according to International Data Corp., and the Framingham, Mass.-based research firm expects the market to double by 2015.

Token Power

One of the fastest-growing technologies is also one of the most visible: code tokens. The technology is one form of two-factor authentication: besides something the user knows (the password), it requires something the user has, a token that derives a short number from a secret shared with the server and the current time or a counter, so the number is valid only briefly and is accepted only once. Users typically enter the code into a computer after their username and password.

Historically, code tokens have been confined to little devices, like ones that hang off many corporate employees' key chains. With the proliferation of smartphones, however, International Data Corp. analyst Sally Hudson says the technology that generates these single-use codes can easily be translated into an app, making them easier to carry around and cheaper for companies to manage.

Google Inc. is one of the more recent companies to begin offering this technology to its users. The Internet behemoth offered the additional security free to its business-services customers last year. A few months later, Google opened it up to all account holders to use with apps such as mail and calendars. The program is already popular, Google says, and thousands of users sign up for it each day.

Not all companies want to force their customers and employees to use an additional code to log in, however. Many businesses are instead turning to technologies designed to detect bad guys after they've entered a legitimate log-in and password.

These programs, known as machine or device fingerprinting, take a snapshot of a computer's characteristics when the customer first logs in: typically location, screen size, time zone and the type of browser being used. On each later login, the system compares the new snapshot against the stored profile to estimate how likely it is that the person is the legitimate user rather than an impostor using stolen credentials.

If there's too much doubt, the system might ask for another piece of information, such as a personal detail pulled from public-records databases, before letting the user finish logging in.
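An added example (not any vendor's product) of the decision logic described above: each login is scored against the devices already seen for the user, and the score decides between allowing the login, asking a step-up question and refusing. It goes slightly beyond the text by keeping several known devices per user, since most people have more than one. The attribute weights, thresholds and sample logins are constructed assumptions.

```python
"""Device-fingerprint risk scoring with step-up authentication."""
import hashlib
import json

# Weight = how suspicious a change in that attribute is. Browser upgrades happen all
# the time; a new country together with a new time zone is a different matter.
WEIGHTS = {"country": 3, "timezone": 2, "platform": 2, "browser": 1, "screen": 1}
STEP_UP_AT = 2   # score at or above this asks for a second factor / extra question
DENY_AT = 5      # score at or above this refuses the login outright


def device_id(attrs):
    """Stable identifier for a snapshot: canonical JSON of the scored attributes, hashed."""
    canon = json.dumps({k: attrs.get(k) for k in WEIGHTS}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def distance(known, observed):
    """Weighted count of attributes that differ between a stored device and this login."""
    return sum(w for k, w in WEIGHTS.items() if known.get(k) != observed.get(k))


def evaluate_login(profile, observed):
    """profile: list of device snapshots previously seen for this user.
    Returns 'enroll', 'allow', 'step_up' or 'deny'."""
    if not profile:
        return "enroll"  # first login: nothing to compare against, record the device
    best = min(distance(d, observed) for d in profile)  # closest known device wins
    if best >= DENY_AT:
        return "deny"
    if best >= STEP_UP_AT:
        return "step_up"
    return "allow"


def record_device(profile, observed):
    """Add a snapshot after a successful login (or a passed step-up challenge)."""
    if device_id(observed) not in {device_id(d) for d in profile}:
        profile.append(dict(observed))
    return profile


# Constructed sample logins for one user.
HOME_PC = {"country": "CA", "timezone": "America/Toronto", "platform": "Windows",
           "browser": "Firefox", "screen": "1920x1080"}
HOME_PC_NEW_BROWSER = dict(HOME_PC, browser="Chrome")        # score 1: allow
WORK_LAPTOP = dict(HOME_PC, platform="MacOS", screen="1440x900")  # score 3: step up
ABROAD = dict(HOME_PC, country="RO", timezone="Europe/Bucharest")  # score 5: deny

if __name__ == "__main__":
    profile = []
    for name, login in (("first login", HOME_PC), ("new browser", HOME_PC_NEW_BROWSER),
                        ("work laptop", WORK_LAPTOP), ("from abroad", ABROAD)):
        decision = evaluate_login(profile, login)
        print(f"{name:12} -> {decision}")
        if decision in ("enroll", "allow", "step_up"):  # assume the step-up was passed
            record_device(profile, login)
    print("work laptop again ->", evaluate_login(profile, WORK_LAPTOP))
```

The thresholds are deliberately asymmetric: one changed attribute passes silently, a new machine triggers a question, and a login that looks like a different person from a different continent is refused even with a correct password. As the article notes, an attacker who controls the victim's real browser, or who can answer the public-records question, still gets through.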

The technology was initially popular with banks, but has since expanded to be used by all manner of businesses, including popular social-networking websites such as Facebook. Detection programs are also among the fastest-growing products at companies like EMC Corp.'s market-leading RSA security unit, where the technology is being used to protect roughly 250 million log-in identities.

Good Alternatives

These additional security layers aren't perfect, however. Hackers could find a way past them by answering the public-records questions, for example, or by seeing the one-time codes as they're generated. But analysts say the leading products on the market are better than relying solely on passwords.

"We're putting speed bumps in front of the road of the bad guys," says Paul Henry, an analyst for Scottsdale, Ariz.-based Lumension Security Inc.

Good Hackers Can Protect Caribbean Networks

“Make no mistake about it; the threat of computer attacks in the Caribbean is real. Caribbean networks are already under constant attack from hackers from across the world.”

This statement from Gregory Richardson, CEO of US-based computer security firm Leet Networks, came from a special regional forum for computer professionals organized by the Caribbean Network Operators Group, CaribNOG in Castries, St Lucia.

According to Richardson, organisations in the region and around the world are storing an increasing amount of information on computer networks.

"There is a dangerous flipside to this explosion in electronic data. As computer networks connect to the Internet, they are susceptible to attack by modern-day digital pirates, known as computer hackers."

Wooding, a Trinidad-born technology expert, led the CaribNOG team of ethical hackers from the US and the Caribbean that shared practical measures to help protect corporate networks and data from online hackers.
Wooding explained that the objective of the CaribNOG St Lucia meeting was to bring attention to the threats governments and business face from computer attacks and to provide a forum for the free exchange of ideas and experiences between those responsible for managing our networks.

According to Wooding, “An ethical hacker is basically a computer expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. They are the good guys.”
He explained that in order to test a security system, ethical hackers use some of the same techniques as their less principled counterparts, but report problems and help resolve vulnerabilities instead of taking advantage of them.

Wooding cautioned, "Hacking presents a very real and serious risk to consumers, businesses and governments in the Caribbean and around the world. Some people mistakenly believe that smaller companies are less likely to be a target of attacks. But as large companies strengthen their network security, hackers are increasingly focusing on small and medium-sized businesses. This makes the Caribbean a very attractive location for hackers.”

The CaribNOG team stressed that it is vitally important that organisations and individuals take the necessary steps to protect their identities and to secure private and corporate data. The key, Wooding said, was to think of computer security not as a technical concern but as a business continuity issue.

"At first glance, network security might seem too complex, and tackling it might seem like too much work, particularly for small businesses. Modern organisations should view security planning as essential as accounting, sales and advertising. This is not a stretch since, for many firms, computer networks have become a basic part of doing business today, " Wooding said.

Sunday, September 25, 2011

HP unveils new security software ArcSight Express 3.0

HP has launched new computer-security software as part of its strategy to lessen the company’s dependence on its PC business, reports Bloomberg.

ArcSight Express 3.0, one of the latest computer security tools from HP, is a combined hardware and software package. It guards against cyber attacks by monitoring network activity logs and users’ actions.

The company also launched a Fortify Software Security Center product that assesses applications for vulnerabilities an attacker could exploit, and TippingPoint Web Application Digital Vaccine software that can be used to identify malicious network traffic.

HP has spent about $14 billion on acquisitions in the past year. Last year, HP acquired data-storage company 3Par Inc. and security companies ArcSight Inc. and Fortify Software Inc. Last month, it announced plans to acquire search software company Autonomy Corp. for $10.3 billion. HP wants to lessen its dependence on PCs with these acquisitions; last month, the company also announced its plan to spin off its PC business.

Now CEO Leo Apotheker has the responsibility of making the acquisitions pay off. HP also needs to expand its base in data-center equipment and software.

According to Jan Zadak, executive vice president of global sales, HP could use its computer dominance to sell the software products. “We are of course spending a lot of time with customers,” he said in an interview from Switzerland. Zadak has been traveling the world for the past few months to explain HP’s business plans to clients.

10 Hackers Who Made History

The computer world has a rich history of hackers who steered the progress of computer science and gave shape to computers, the internet and networking as we see it today — in some cases single-handedly.
And while yes, there are the Black Hat hackers behind internet mayhem, thievery, and chaos, there are also White Hat hackers who use their computer savvy for good. There’s also a different kind of hacker entirely: the tinkerer. They all played parts, big and small, in creating the computer world as it exists today. Here are 10 of the greatest:

Konrad Zuse

It all begins with Konrad Zuse, arguably the very first computer hacker. He may not have been a hacker in the modern sense of the word, but none of it would have been possible without him. You see, Zuse made the world’s very first fully programmable (Turing-complete as they say) computer, known as the Z3. It began, of course, as the Z1, and while it wasn’t built in a cave with a box of scraps, Zuse did build it himself in his parents’ apartment, completing it in 1938. Zuse eventually gained some backing by the German government, leading to the evolution from the Z1 to the Z3, which, complete in 1941, is considered the mother of modern computing.

John “Captain Crunch” Draper

John Draper was hacking long before computers were commonplace. Draper’s heyday was the early 1970s, when the largest network to which the general public had any access was the telephone system. At the time, calls were routed by automated switching equipment that took its instructions from specific audio tones sent down the same line as the voice, and anyone who could reproduce those tones could make free long-distance or even international calls. The practice was called “phreaking”, and one of its best-known tools was a toy whistle that came in a box of Cap’n Crunch cereal, which happened to produce the 2600 Hz tone that told the network a trunk line was idle. Building on that, Draper created another popular phreaking tool known as the Blue Box, a device that could produce the other tones used by the phone companies.

Steve Wozniak

A contemporary of John Draper, Wozniak was no stranger to phreaking. After reading about Draper’s Blue Box and later meeting him, Wozniak built a version of his own. Steve Jobs saw the commercial potential in the device, and selling blue boxes became the two Steves’ first joint venture. Wozniak’s hacking days weren’t all spent on projects of questionable legality, though. With the proceeds from the blue boxes, together with the sale of Wozniak’s cherished HP calculator and Jobs’ VW van, Wozniak created the Apple I, and with the other Steve’s marketing prowess their company became the industry leader it is today.

Robert Tappan Morris

As a graduate student at Cornell University, Robert Morris wrote the program that became his claim to fame: the Morris worm, the first worm to spread across the Internet on a large scale. According to Morris, he created it to gauge the size of the Internet at the time. After its release on November 2, 1988, the worm infected approximately 6,000 systems (about 10 per cent of the Internet-attached computers of the day). It was intended to be unobtrusive, but a flaw in its replication logic, which re-infected machines that were already infected, copied it excessively, causing heavy system loads and ultimately leading investigators back to Morris. He was indicted in 1989 and in 1990 became the first person convicted under the Computer Fraud and Abuse Act of 1986.

Mark “Phiber Optik” Abene

Here’s a name you may not be familiar with: Mark Abene. He never hacked into the D.O.D., nor did he steal millions of dollars in some Swordfish-style bank heist. What he did do was anger AT&T. As a member of the hacker group Masters of Deception, Abene was often poking around on AT&T’s systems. When AT&T’s telephone system crashed in January 1990, leaving 60,000 customers without phone service for over nine hours, Abene was quickly blamed. The Secret Service paid him a rather aggressive visit and confiscated his equipment, and while AT&T eventually admitted that the crash was caused by a bug in its own switching software, Abene was charged with computer tampering and computer trespassing in the first degree. Later, he would face more charges and ultimately serve a year in federal prison.

Kevin “Dark Dante” Poulsen

Poulsen holds claim to one of the more amusing hacks of all time. A radio contest held by KIIS-FM promised a shiny new Porsche 944 S2 to the 102nd person to call into the station. Rather than try his luck among the multitude of Los Angeles listeners, Poulsen took over all of the telephone lines to the station to ensure he’d be the 102nd caller. He eventually had to disappear once he became a fugitive from the FBI, which landed him a spot on the popular TV show Unsolved Mysteries; the show’s hotlines crashed when the episode aired. Coincidence? In 1991, Poulsen was arrested, and he eventually pleaded guilty to various counts of computer fraud, money laundering and obstruction of justice. Interestingly, since his incarceration Poulsen has done a complete 180, working as a journalist who helps on cyber crime cases and who even identified sexual predators on MySpace.

Kevin Mitnick

Kevin Mitnick is perhaps the most famous hacker in computer history, likely due to his being the first hacker to make the FBI’s Most Wanted list. As a master of social engineering, Mitnick didn’t just hack computers; he hacked the human mind. In 1979, at the age of 16, he hacked his way into his first computer system and copied proprietary software. He would often engage with admin personnel, such as in phone calls and email messages, and trick them into giving up passwords and other security information. After a two and a half year pursuit, Mitnick was finally arrested and served five years in prison. He now runs his own computer security consultancy, Mitnick Security Consulting.

Tsutomu Shimomura

Not all hackers fall under the Black-Hat umbrella. Tsutomu Shimomura is a White-Hat hacker credited with helping capture Kevin Mitnick. On Christmas Day 1994, Mitnick broke into Shimomura’s computers and stole some of his personal files, which were later distributed online. Motivated by revenge, Shimomura helped the FBI trace Mitnick’s sessions back through the cellular modem connections he was using, leading to an apartment in Raleigh, North Carolina, where Mitnick was arrested in February 1995.

Richard Stallman

In his early years, Stallman was a programmer at MIT’s Artificial Intelligence Laboratory, where he was immersed in MIT’s rich hacking culture. As an advocate for free software, Stallman fought back when MIT’s Laboratory for Computer Science installed a password system on its machines. He would decrypt users’ passwords (not an easy task given the processing power of the 1970s) and send them a message with their password in plaintext, suggesting they set it to the empty string in order to re-enable anonymous use. Going into the 1980s, Stallman objected to the proprietary stance many manufacturers were taking on their software. This eventually led him to start the GNU Project, a free Unix-compatible operating system, and to write the GNU General Public License under which it is distributed.

Linus Torvalds

Following Stallman’s lead, Linus Torvalds is another White-Hat hacker. His hacking days began with an old Commodore VIC-20 and eventually a Sinclair QL, both of which he modified considerably. On the QL in particular, he programmed his own text editor and even a Pac-Man clone he dubbed Cool Man. In 1991, he got an Intel 80386-powered PC and began creating Linux, at first under his own licence that forbade commercial use; in 1992 he relicensed the kernel under the GNU GPL, which allowed it to be combined with the GNU tools into a complete free operating system (Linux itself was never merged into the GNU Project). Torvalds hadn’t originally intended to keep maintaining the Linux kernel, but due to the nature of the open source project it grew into one of the most hacker-friendly (and secure) operating systems available.

Friday, September 9, 2011

GlobalSign stops issuing SSL certificates in response to Iranian hacker

Earlier today a person calling himself ComodoHacker made a submission to text posting site Pastebin.com. Similar to a previous post by ComodoHacker it is fair to call it a bit of a bragging rant.

Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.

In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.

GlobalSign, the fifth largest certificate issuer according to NetCraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.

Their response is interesting. While we don't know if they have been compromised (and arguably, neither do they) they are making a tough choice that is what we should expect from organizations whose business models rely on trust.

It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.

That's great news. Let's hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.

While I have argued for a long time that the certificate system is fragile and arguably broken, I'd rather not have two examples in one week to support my arguments.

Monday, August 22, 2011

New cyber security platform released by TIBCO

Infrastructure software provider TIBCO Software Inc (NASDAQ:TIBX) has introduced a new security offering designed to help protect digital infrastructures and critical information systems, the company revealed today.

The TIBCO CyberSecurity Platform can be used to anticipate and help prevent new threats before they jeopardise business operations, TIBCO claims.

It offers increased visibility of events to recognise perpetrators of unauthorised transactions; deeper contextual awareness to detect threats by correlating both activity and status changes; and the ability to learn, adapt and help defend itself with synchronised countermeasures.

The TIBCO CyberSecurity Platform is designed to work with existing solutions that enforce security at lower-level components and it sits on top of these components to assist in providing security at the business level.

Microsoft to pay $250,000 for hot new security defenses

Microsoft is offering more than $250,000 to researchers who develop new security defenses to protect Windows users against attacks that exploit software bugs.

Microsoft's BlueHat Prize, announced on Wednesday at the Black Hat security conference, will pay $200,000 for the best “novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.” The two runners-up will receive $50,000 and an MSDN Universal subscription valued at $10,000, respectively.

“The Microsoft BlueHat Prize contest is designed to generate new ideas for defensive approaches to support computer security,” the software maker's announcement stated. “As part of our commitment to a more secure computing experience, we hope to inspire security researchers to develop innovative solutions intended to address serious security threats.”

Microsoft over the years has added an alphabet soup of protections to its software that are designed to mitigate the damage that can be done when hackers discover buffer overflows and other bugs that inevitably afflict any complex piece of code. ASLR, or address space layout randomization; DEP, or data execution prevention; SEHOP, or structured exception handling overwrite protection; and SafeSEH are just some of the examples.

The protections aren't intended to prevent bugs, but rather to prevent attackers from exploiting them to steal data or remotely execute malicious code on vulnerable systems.

“This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology,” Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing Group, wrote. “In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations.”

Wednesday's announcement came a week after Facebook joined Mozilla and Google in paying cash bounties to researchers who privately report security vulnerabilities in their software and services. Microsoft continues to steadfastly refuse to reimburse bug discoverers for the time and expertise they provide in helping stamp out bugs on the Windows platform.

Tuesday, August 9, 2011

China victim of 500,000 cyber-attacks in 2010, says security agency

Chinese computer security agency says almost half of cyber-attacks originated overseas, including nearly 15% from US

China's computer security agency claimed nearly 15% of cyber-attacks on its organisations last year originated in the US. Photograph: Associated Press

China was hit by nearly 500,000 cyber-attacks last year, with almost half originating overseas, according to the country's computer security agency.

The National Computer Network Emergency Response Co-ordination Centre said 14.7% of the attacks came from the US and 8% from India.

The report follows suggestions that Beijing might be behind global cyber-attacks over the past five years targeting more than 70 government organisations.

A state newspaper called it "irresponsible" to link China with the hacking incidents reported by the McAfee computer security firm.

China has not officially commented on the report but has in the past denied charges of hacking.

Saturday, March 5, 2011

Ubuntu Security: Holes Found, Holes Fixed

There are security holes in Ubuntu 10.04! The sky is falling! Bill Gates is the maker of the one true operating system; forgive us Bill for we have worshiped at the feet of false Penguin idols. Oh please, give me a break!

Linux, like all other operating systems and software, has security holes. Always has, always will. No one ever said Linux was perfect. It’s not. It never will be.

What makes Ubuntu and Linux better than most of their competitors isn’t that they are flawless. It’s that when bugs are found, they’re fixed as fast as possible and the fixes are pushed out to users immediately. There is no monthly Patch Tuesday. If there’s a significant problem, it’s tracked down and fixed. Period. End of statement.

That is, after all, the whole point of open source. This specific process is called Linus’ Law by its author, Eric S. Raymond, in his seminal description of open-source software development, The Cathedral and the Bazaar. Formally, this “law” is that “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone,” but if you know it, you probably know it as: “Given enough eyeballs, all bugs are shallow.”

It also helps that Linux is inherently more secure than Windows. Linux is based on the design idea that it’s working on multi-user, networked systems. From its very start, it was built to deal with a potentially hostile world. Windows wasn’t.

Windows is, yes even now, built on a single-user, solo-machine model. In addition, Windows was designed to make it very easy for programs to trade data and instructions with each other. That’s why it’s so easy to move data from, say, Word to Excel and back again. The bad news is that these IPC (interprocess communication) mechanisms were never designed with security in mind.

Oh, Microsoft is trying to improve security while keeping program interoperability, and it’s certainly much better than it used to be. For example, Office 2010’s sandbox mode is far from perfect, but it’s a lot better than letting any document through your Internet door to possibly cause havoc on your PC. And both Windows 7 and XP SP3 are far more secure than their predecessors.

That said, let’s look at what went wrong in Ubuntu this time. First, over 30 bugs have been reported and, yes, fixed. Some of these are serious.

For example, the Common Internet File System (CIFS), which is used to share files with Windows systems, did not properly validate Internet Control Message Protocol (ICMP) response packets. An attacker could use crafted packets to cause a denial of service (DoS). Mind you, if you’re allowing your server to share files using CIFS over the Internet you’ve got more serious security problems than anything the kernel could ever do to you.

There’s also yet another security hole in the Network File System v4 (NFSv4). I say “yet another,” because NFS, which started life on Sun OS, Solaris’ predecessor, has always had security problems. And, like CIFS, no one who knows their way around a server would ever use it without some kind of tunnel encryption over the Internet.

Actually, a closer look at these so-called Ubuntu problems reveals that they aren’t uniquely Ubuntu’s troubles at all. No, these were all Linux kernel problems, and many versions of Linux are potentially vulnerable to them.

And, guess what? Just like Ubuntu, the vast majority of Linux distributions have already patched them! Seriously, if you haven’t updated your Linux distribution recently, do so, and you’ll be fine. It’s also a smart idea not to expose network services to the Internet unless they need to be on the Internet. That’s what firewalls are for, after all.
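The "don't expose it unless it needs exposing" advice is easy to act on once you can see which services are bound to every interface. The following is an added example (not part of the column): it parses text in the layout of `ss -tlnp` output (the sample below is constructed, not captured from a real host) and flags listeners on the well-known CIFS/SMB and NFS ports that are bound to a wildcard address rather than a LAN or loopback address. On a real machine, run the command and pass its output to `exposed_services()`.

```python
"""Flag file-sharing services that are listening on every interface.

Added example, not from the column: it parses text in the layout of `ss -tlnp`
(SAMPLE_SS_OUTPUT is a constructed sample, not a real capture) and reports
listeners bound to a wildcard address on the ports behind the column's two
examples, CIFS/SMB (445, 139) and NFS (2049).
"""
import re

# Well-known ports for the services the column names; the mapping is this example's own.
SENSITIVE_PORTS = {
    139: "NetBIOS session (CIFS/SMB)",
    445: "CIFS/SMB",
    2049: "NFS",
}

# Forms ss uses for "all interfaces", IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the layout of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=812,fd=35))
LISTEN  0       50      192.168.1.10:139     0.0.0.0:*          users:(("smbd",pid=812,fd=36))
LISTEN  0       64      [::]:2049            [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=400,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=500,fd=3))
"""


def split_local(local):
    """Split ss's 'addr:port' column into (addr, port); IPv6 addresses come bracketed."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def exposed_services(ss_output):
    """Return (port, service, process) for sensitive listeners bound to a wildcard address."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        if port in SENSITIVE_PORTS and addr in WILDCARD_ADDRS:
            match = re.search(r'\(\("([^"]+)"', line)  # process name when ss -p printed one
            findings.append((port, SENSITIVE_PORTS[port], match.group(1) if match else "unknown"))
    return findings


if __name__ == "__main__":
    for port, service, proc in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({service}) is open on all interfaces via {proc}")
```

In the sample, the SMB listener on port 139 is bound to a LAN address and is left alone, while the port 445 and NFS listeners are bound to every interface and get reported; those are the ones to move behind a firewall rule or bind to the internal interface.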

Or, as Gerry Carr, Head of Platform Marketing for Canonical, Ubuntu’s parent company, put it, “Zero users who installed the update are at risk first of all. Secondly, this is (more accurately was) a Linux kernel vulnerability not an Ubuntu one so not sure why we were called out. Thirdly it would have affected very few users anyhow as it was a backport kernel not the default kernel. Fourthly any reporter who wants to check out the details of an Ubuntu Security notice is welcome to check the detail with the security team. Fifthly Ubuntu continues to be an incredibly secure platform to use thanks to the efforts of the Linux security community and the openness with which we all share security notices and their details.”

I couldn’t have said it better myself. If you want a real Linux-related security problem to worry about, as opposed to business as usual, I suggest you look to Google’s failure to monitor what gets into the Android Market. Now, this is a real problem.

Android itself is relatively secure… unless you install malware on it. Android users have trusted Google to make sure that applications on the Market aren’t malware, and Google has fallen down on the job. Google does indeed need to rethink the Android Market. It’s great that Android is the leading smartphone platform, but it’s not going to stay there if Google lets junk onto people’s smartphones and tablets.

10 most common online passwords revealed

Too many people are using the same password for all the websites they access, according to new research.


Strings of consecutive numbers and the word 'Password' itself dominate the top ten, which also sees 'rockyou' and 'iloveyou' as commonly used, according to a study carried out by data security company Imperva.

Approximately half of computer users are guilty of assigning very similar details to each internet page they need passwords to access.

Martyn Saville, principal researcher at consumer watchdog Which?, said the results are "breathtaking", adding: "There are enough threats to our online security around without making it so easy for fraudsters to steal your identity and your cash."

Family names, pets, nicknames and birthdays are easy to guess, and the security expert at Which? suggests avoiding these as well.

A combination of upper- and lower-case letters and special characters such as the keyboard's pound or percentage signs is ideal and could prevent real dictionary words from being used.

However, consumers may not have realised the answers to their security questions could be displayed on their Facebook profiles.

An article by USA Today revealed one user's pets' and children's names that may have compromised his login details for websites.
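The advice in this piece (avoid the top-ten list, avoid consecutive digits, avoid family and pet names, mix character classes) turns into a straightforward checker. The following is an added example, not code from the article or from Imperva's study: `COMMON_PASSWORDS` is a small constructed list that happens to include the entries the article names, and the 12-character minimum is this example's own threshold rather than one the article states.

```python
"""Score a candidate password against the weaknesses the article describes.

Added example, not from the article or Imperva's study. COMMON_PASSWORDS is a
small constructed list (it includes the entries the article names); the
12-character minimum is this example's own threshold, not one the article states.
"""
import string

COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# The article singles out the keyboard's pound and percentage signs; pound is not ASCII.
SPECIAL_CHARS = set(string.punctuation) | {"£"}


def is_consecutive_digits(pw):
    """True for runs such as 123456 or 987654, the strings that dominate the top ten."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def weaknesses(pw, personal_words=()):
    """Return the problems found with pw; an empty list means every check passed.

    personal_words: names, pets, nicknames, birthdays the article says are easy to
    guess, i.e. the details that tend to be visible on a public profile.
    """
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if is_consecutive_digits(pw):
        problems.append("consecutive digits")
    for word in personal_words:
        if word and word.lower() in low:
            problems.append(f"contains personal word '{word}'")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if len(pw) < 12:  # example's own minimum length
        problems.append("shorter than 12 characters")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password", "Fluffy2010!", "C0rrect-h0rse%Battery"):
        print(candidate, "->", weaknesses(candidate, personal_words=("Fluffy", "2010")) or "ok")
```

Note that the personal-word check is the one a site cannot do for you: only the user (or someone reading their profile) knows that "Fluffy" is the dog, which is exactly the point the article makes about security questions.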

Thursday, February 24, 2011

Why is my computer whirring?

I have installed Norton Security and the computer is whirring away continuously like it's about to have a nervous breakdown. It's very annoying. Does it matter? Can I get rid of it?


A home PC will normally spend most of its time idling along, without using much of the processor's power or accessing the hard drive. It shouldn't "whirr away" for very long, unless it's working hard. Unexplained whirring is usually due to excessive use of the central processing unit (CPU), which creates heat and noise, and slows down or even stops any programs that you actually want to run. It's therefore a good idea to find the cause and eliminate it. To do this yourself means delving into Windows' internal processes, but it's useful to know how. You can use the same approach with any program, not just Norton. Otherwise, if this answer seems hard going, skip to the last paragraph.

Of course, you should expect Norton to make heavy demands on your system when it is checking your hard drive for malware, but it shouldn't be doing that while you're around. Recent versions of Norton Internet Security (from about 2009 onwards) are only supposed to kick into action during "system idle time", when your PC is not in use. You can adjust this value in Norton by clicking on CPU usage, so you could try setting a longer time interval, but I wouldn't expect this to solve the problem.

Before we start, however, you should get your PC up-to-date, because you may be trying to solve a problem that has already been fixed. Go to the Windows Update site (there's a link near the top of the Start menu) and make sure you have all the critical updates installed. Next, open Norton, click on Support, and select New Version Check. Install the 2011 version if you don't have it, plus any updates, then run a virus check using the latest signatures. Finally, reboot your PC to see if the whirring has gone away. If not, you'll at least be starting with a fresh system.

To find a CPU hog, download two free tools written by SysInternals: Process Explorer and Process Monitor. Microsoft liked SysInternals' tools so much it bought the company, so they are now available from Microsoft's site. Both downloads need to be unzipped but neither needs to be installed: you can run them from anywhere you like. It's a good idea to put copies of them along with HiJackThis, Malwarebytes and other useful tools on a "rescue" USB stick.

Process Explorer does the same job as the Windows Task Manager, but it's more advanced. Run it and it will list all the processes that are running on your PC. Look in the third column under CPU and it will tell you what's hogging the processor. It won't be hard to spot because almost all the other entries will be blank apart from System Idle Process. This should normally be at around 95% to 99%, which is what you want. If Norton is the culprit, it could be a process called ccsvchst.exe. Either way, each process should have an entry in the Company Name column.

In Process Explorer, click on View and then select Columns to bring up a tabbed properties sheet. You should be at the Process Image tab. Put a tick in the box next to the entry for Command Line and click OK. You will now have a column that tells you where to find the code for the malfunctioning process ("C:\Program files\" etc), so you can check its size and date stamp. If you search for the file name online, numerous websites will tell you if your file has the correct size and date, and some will hazard a guess as to whether it's likely to have a virus infection. Some virus writers like to disguise files by giving them the same names as system files, but they may be a different size or in a different directory. Either way, you can upload any file to Symantec or any other anti-virus site to get it checked.

Sometimes you may find two or more processes hogging the CPU. This can happen if two programs are operating at a low level, which is why it's not recommended to run two anti-virus programs at the same time. You might be running a child safety program or other monitoring software that Norton might reasonably suspect is doing malware-type things. You might have a program that kicks in to check mail in the background, and so on. The Microsoft Outlook Connector sometimes used to give Norton problems. See if you can update, reinstall or entirely remove whichever program appears to be causing the problem. This includes Norton.

To log any problem that you have found using Process Explorer, go to the File menu, select Save As, and save the text file (call the first one procexp.exe-01.txt) to your download directory or desktop. If you need to go to an online support forum or have any contact with Norton, it will be much easier to paste in all or part of this file than to try to remember or describe it.

Having found the process that is hogging the processor, you can now run Process Monitor to find out exactly what it's doing. I don't have a copy of Norton, but I did have a similar problem with MsMpEng.exe, which is the "engine" that drives the Microsoft Security Essentials anti-virus program. It was using 50% of my CPU, and might have used more if MSE had not been set to use a maximum of 50%. (The setting is at the bottom under the Settings tab.) I ran Process Monitor (Procmon.exe), then used the drop-down selections to create a filter where "Process Name" is "MsMpEng.exe". This told me what that process was doing.

As it turned out, MsMpEng.exe appeared to be obsessed with the entirely harmless psialog.txt file – the log kept by Secunia's free Personal Software Inspector 2.0. My quick-and-dirty solution was to open MSE, go to Settings, click "Excluded files & locations" and exclude the Secunia directory (C:\Program Files\Secunia) from "real-time protection". MsMpEng.exe's processor use promptly dropped to zero, the fan turned off, and the whirring stopped.

You might not be able to find such a simple solution to your PC's problem. However, you will have enough information to post a smart query on the Norton community support site. It's easier to answer a query that asks why ccsvchst.exe has a conflict with SpyBuddy, or whatever, than "why is my computer whirring?"
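The two checks the column walks through in Process Explorer (is anything other than System Idle Process eating the CPU, and does that process have a Company Name and live where a file of that name should live) can be run over the text file you saved with File > Save As. The following is an added example, not code from the column or from SysInternals: `SAMPLE_LISTING` is a constructed, tab-separated table in the spirit of a Process Explorer save file, the paths and company names in it are made up for the demo, and `TRUSTED_DIRS` and `SYSTEM_NAMES` are this example's own short lists.

```python
"""Triage a saved Process Explorer listing: find the CPU hog and sanity-check its image path.

Added example, not from the column. SAMPLE_LISTING is a constructed, tab-separated
table in the spirit of a Process Explorer "Save As" file (Process, CPU, Company Name,
Command Line); the paths and company names in it are made up for the demo, and
TRUSTED_DIRS / SYSTEM_NAMES are this example's own short lists.
"""
import ntpath

# Where binaries with Windows system names are expected to live (example's own list).
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")

# Names malware likes to borrow, per the column's warning about look-alike system files.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# Constructed sample rows; the last one is a look-alike living in a user-writable folder.
SAMPLE_LISTING = """\
Process\tCPU\tCompany Name\tCommand Line
System Idle Process\t96.5\t\t
ccsvchst.exe\t2.1\tSymantec Corporation\t"C:\\Program Files\\Norton Internet Security\\Engine\\ccSvcHst.exe" /s "NIS"
explorer.exe\t0.3\tMicrosoft Corporation\tC:\\Windows\\explorer.exe
svchost.exe\t48.7\t\tC:\\Users\\Public\\svchost.exe
"""


def parse_listing(text):
    """Turn the tab-separated listing into one dict per process row."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def image_path(command_line):
    """Extract the executable path from a command line, honouring a quoted first token."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl[1:cl.index('"', 1)]
    return cl.split(" ")[0]


def cpu_hogs(rows, threshold=20.0):
    """Rows (other than System Idle Process) using at least `threshold` percent CPU."""
    return [r for r in rows
            if r["Process"] != "System Idle Process" and float(r["CPU"] or 0) >= threshold]


def suspicious(row):
    """Reasons to look harder at a process, following the column's two checks:
    an empty Company Name column, and a system file name outside its expected directory."""
    reasons = []
    if not row["Company Name"]:
        reasons.append("no company name")
    path = image_path(row["Command Line"])
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    in_trusted = any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)
    if name in SYSTEM_NAMES and not in_trusted:
        reasons.append(f"system file name outside a trusted directory: {path}")
    return reasons


if __name__ == "__main__":
    for row in cpu_hogs(parse_listing(SAMPLE_LISTING)):
        print(row["Process"], row["CPU"], suspicious(row) or "looks normal")
```

Whatever this flags is a candidate for the "upload it to an anti-virus site" step, not a verdict: a legitimate but badly packaged program can also ship without a company name, and a hog with a clean path and vendor (the Norton and MsMpEng.exe cases in the column) is a job for Process Monitor rather than for deletion.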

Finally, for those who find Process Explorer and Process Monitor induce brain-freeze, there is a simple Softonic program that "does what it says on the tin": What's my computer doing? This provides a continuous read-out of the three or four processes that are actively doing something – which includes accessing the hard drive – without listing the thousands that aren't. Clicking on any process gives you a good read-out of its details, including Known Problems with links to external solutions in, for example, Microsoft support documents. Even people who don't have a PC problem may find the readout of interest.

Saturday, February 19, 2011

New computer security threats found

SAN FRANCISCO, Feb. 14 (UPI) -- More than 100 advanced evasion techniques used by hackers have been discovered and researched by Stonesoft, a California network security company.

Stonesoft, which originally reported the discovery of the 23 AETs last October, will detail its findings at this week's RSA information security conference in San Francisco.

"It seems that those who claim to have 100 percent protection against advanced evasion techniques do not really understand the magnitude of the problem nor have they done enough research around the issue," said Joona Airamo, chief information security officer at Stonesoft. "The discoveries made so far are only the tip of the iceberg."

Stonesoft said that since the discovery of AETs was first reported and confirmed by ICSA Labs, it has continued extensive research in the area and discovered 124 new threats to computer network security.

Stonesoft said that while many vendors claimed to have "fixed" product vulnerabilities disclosed in initial industry advisories, real-life testing in Stonesoft's research lab confirms that AETs are still able to penetrate many of these systems without detection.

In other cases, microscopic changes to an AET -- such as changing byte size and segmentation offset -- allow it to bypass the product's detection capabilities.

While there is no single solution to eliminate the threat of AETs, organizations can mitigate the risks and lessen their vulnerability, Stonesoft said in a news release. One such way is making sure the security devices they use do a proper multi-layer normalization process, working on all relevant protocol layers for each connection.

Centralized management is also critical as it enables constant updates and upgrades to be made deep within a network's security architecture. Unfortunately, fingerprinting and signature-based matching -- typical security responses for the actual exploits -- don't work with the constantly evolving nature of AETs.
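The "segmentation offset" remark and the call for normalization are two sides of one coin: a sensor that matches signatures against each segment as it arrives never sees a pattern that straddles a segment boundary, while a sensor that first rebuilds the byte stream does. The following is an added example (not Stonesoft's code) showing that one normalization layer, transport-level reassembly, in miniature: segments are modelled as (offset, bytes) pairs, `SIGNATURE` is a harmless constructed marker standing in for an IDS rule, and the request lines are constructed sample traffic.

```python
"""Per-segment signature matching versus matching on the reassembled stream.

Added example, not Stonesoft's code. Segments are modelled as (offset, bytes)
pairs standing in for TCP segments; SIGNATURE is a harmless constructed marker,
not a real IDS rule; WHOLE and SPLIT are constructed sample traffic.
"""
SIGNATURE = b"MARKER-STRING"


def per_segment_match(segments, signature=SIGNATURE):
    """Naive detector: look for the signature inside each segment independently."""
    return any(signature in data for _, data in segments)


def reassemble(segments):
    """Rebuild the stream from (offset, bytes) segments arriving in any order.

    Overlap policy: the first copy of a byte seen wins. Real hosts differ on this
    (some favour the later copy), which is why a sensor has to normalize to the
    policy of the host it protects; a gap that is never filled is left as NUL here.
    """
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            stream.setdefault(offset + i, byte)
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def stream_match(segments, signature=SIGNATURE):
    """Normalizing detector: reassemble first, then match."""
    return signature in reassemble(segments)


# Constructed samples: the same request sent as one segment, and split into three
# segments that each carry only a fragment of the marker.
WHOLE = [(0, b"GET /index.html MARKER-STRING HTTP/1.1\r\n")]
SPLIT = [
    (0, b"GET /index.html MARK"),
    (20, b"ER-STR"),
    (26, b"ING HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("whole:", per_segment_match(WHOLE), stream_match(WHOLE))
    print("split:", per_segment_match(SPLIT), stream_match(SPLIT))
    print("split, out of order:", stream_match(list(reversed(SPLIT))))
```

The same shape repeats at every layer the release mentions (IP fragments below this, HTTP chunking and encoding above it), which is why "multi-layer" is the operative word: fixing reassembly at one layer and matching raw bytes at the next leaves the gap open.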

Monday, February 7, 2011

Super Bowl cyber crimes: Your weekly ScamWatch

Here is a roundup of alleged cons, frauds and schemes to watch out for.


Super Bowl cyber attacks:
For many people, Super Bowl Sunday is an opportunity to get together with friends, eat some good food and knock back a few cold ones. Computer security experts say it’s also a big day for cyber criminals, who will be targeting the millions of people using their home computers to keep up with the game, visit gambling websites and chat about television advertising. Internet security company PC Tools suggested in a news release that computer users be careful when visiting file-sharing websites that offer links to game or advertisement videos because these links can contain harmful malware. Users should also be sure that they change all passwords frequently and use software to protect their computers from viruses and other threats.

Bakersfield real estate:
Ten people have been indicted on charges that they participated in a long-running mortgage fraud scheme that defrauded lenders out of more than $20 million between 2004 and 2007. The indictment focused on Bakersfield realtors David Marshall Crisp and Carlyle Lee Cole, who owned and operated Crisp & Cole Real Estate. With the help of eight other associates, Crisp and Cole allegedly obtained numerous real estate loans by making false statements about the borrowers’ income, assets, employment and intent to occupy homes they were borrowing against, prosecutors said. The case was investigated by the FBI and Department of Housing and Urban Development.

Tax preparer:
A federal judge has issued an order prohibiting the owner of an Upland tax service from preparing returns and other documents for clients. U.S. District Judge Otis D. Wright II issued the order against Guillermo B. Garcia at the request of federal prosecutors, who accused Garcia of making false statements on clients’ returns in order to obtain larger returns than they expected. The U.S. Attorney’s Office alleged that Garcia kept the extra money. Auditors with the Internal Revenue Service said Garcia filed at least 183 fraudulent returns in the past four years, understating the taxes his clients owed by $784,000.

Investment fraud:
Three brokers have pleaded guilty to charges that they defrauded investors in private placements by making false statements about how their money would be invested. Arn Wilson, Michael Passaro and Robert Grabowski had been accused of using investor money to enrich themselves, pay excessive, undisclosed fees to brokers and to repay some victims. They raised about $140 million between 1998 and 2006 through their companies, Sky Capital and the Thornwater Co., prosecutors said.

Sunday, February 6, 2011

How Digital Rights Management Could Ensure Cloud Security

Yet another survey is indicating that security is a big issue for those intending to take up cloud computing. Network equipment manufacturer Ipswitch asked 1000 of its customers if they planned to invest in cloud technology in 2011.

The good news is that over two thirds of them reportedly said yes. The bad news is that most want either a private cloud setup (29 percent) or a mix of public and private clouds (21 percent).


Nobody entirely agrees what constitutes a private cloud, but there's some agreement that it's a method of offering cloud-like services using dedicated hardware entirely owned or managed by the company itself (or dedicated hardware managed on its behalf).


The whole point of the cloud is that it's supposed to do away with the need and cost of managing hardware, so this doesn't make a lot of sense. But it might be the first step of an evolutionary process for companies that will eventually embrace cloud computing in its purest form.

Encryption is one answer to cloud security worries. If a file is encrypted with 256-bit AES protection, for example, it doesn't matter if it ends up in the wrong hands because nobody will be able to decrypt it without the correct key. However, finding a system where file encryption can be used in a way that is transparent to users is a goal that arguably hasn't yet been met.

However, there might be a solution, and it's been around for years: Digital Rights Management (DRM).

Nobody likes DRM because when applied to movies, music and games, it creates a "them and us" situation: Rights holders impose unfair restrictions on end users, and there's a lack of trust between both parties.

However, I can't see any issues with a democratic DRM system, where everybody working for a particular company automatically enforces DRM on documents, and a certificate file needs to be installed on any computer or mobile device that requests to open or edit the file. We could call this Document DRM, or "DDRM."

Something similar already exists. Microsoft has been building what it calls Rights Management Services into its operating systems and office suites for years. The problem is that this uses a client-server model to protect files--which is to say, to open a document, a computer needs to be logged into a Microsoft server. No doubt Microsoft would argue that this is the best way of enforcing DRM, but cynics might suggest a client-server model was chosen to lock people into using Microsoft's technology.

What would be better is a simpler, standalone system based on encryption certificate files. If your computer has the correct certificate, then it can open or edit a document. Certificates would expire after, say, one week, meaning that the client computers would need to phone home periodically to refresh their certificates. But they wouldn't need to phone home every single time they accessed a file.

This proposed system isn't perfect. Hackers could steal certificate files and possibly decrypt documents, although certificates would ideally be generated using a specific hardware identifier, such as the computer's CPU serial number, making this more difficult.
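The mechanism sketched in the last three paragraphs (a certificate that names the machine, expires after about a week, and is refreshed by phoning home rather than checked on every file open) is small enough to model end to end. The following is an added example, not code from the article: the "certificate" is an HMAC tag over a small JSON body (user, machine id, expiry) under a key the company's server holds, and the machine ids and key are constructed sample values standing in for the hardware identifier the article mentions. HMAC is used only because it is in the standard library; in a deployable design the server would sign with a private key so that client devices hold only a public key and nothing that lets them mint certificates themselves.

```python
"""Toy model of the expiring, device-bound access certificate the article sketches.

Added example, not from the article. The certificate is an HMAC tag over a JSON
body (user, machine id, expiry) under a key the company's server holds; machine
ids and SERVER_KEY are constructed sample values. HMAC stands in for a proper
signature here only because it is in the standard library.
"""
import hashlib
import hmac
import json
from datetime import timedelta

ONE_WEEK = int(timedelta(weeks=1).total_seconds())
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def issue(machine_id, user, issued_at, ttl=ONE_WEEK, key=SERVER_KEY):
    """Server side: bind user, machine and expiry into a certificate the client stores."""
    body = {"user": user, "machine": machine_id, "exp": issued_at + ttl}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(cert, machine_id, now, key=SERVER_KEY):
    """Client side (the file system driver in the article's design): accept the
    certificate only if it is untampered, issued for this machine, and unexpired.
    Returns (ok, reason); the reason tells the driver whether a refresh would help."""
    expected = hmac.new(key, cert["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False, "tampered or forged certificate"
    body = json.loads(cert["payload"])
    if body["machine"] != machine_id:
        return False, "certificate belongs to another machine"
    if now >= body["exp"]:
        return False, "expired; refresh from the server"
    return True, "ok"


def needs_refresh(cert, now, margin=86400):
    """Phone home a day before expiry instead of on every file open."""
    return now >= json.loads(cert["payload"])["exp"] - margin


if __name__ == "__main__":
    cert = issue("machine-A", "alice", issued_at=1_000_000)
    print(verify(cert, "machine-A", now=1_000_000 + 3600))
    print(verify(cert, "machine-B", now=1_000_000 + 3600))
    print(verify(cert, "machine-A", now=1_000_000 + ONE_WEEK))
```

The two failure paths are the interesting ones: a copied certificate is rejected on a different machine id (the binding the article proposes), and an expired one fails closed until the next refresh, which is what makes the weekly expiry a revocation mechanism rather than just housekeeping.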

But it's very unlikely there will ever be a perfect cloud security solution. Usability needs to be balanced with security, without too many trade-offs in either camp.

Ideally such a DDRM system would work at the file level within operating systems, and not at an application level. That's to say there'd be no need to build it into applications, and that would also mean old applications would be entirely compatible with DDRM. Instead, the operating system would take care of encryption, decryption and certificate management. The user would be largely unaware.

DDRM would also need to be an open standard that anybody could implement on any operating system--proprietary or open source, mobile or desktop. Both Apple and Google claim to fully support open standards, and could easily build it into their iOS and Android mobile operating systems. Microsoft might be reluctant but it wouldn't matter if they didn't play ball; a file system driver would be all that's needed to implement DDRM. Files protected with DDRM could have an extra file attribute, or perhaps even something as simple as a different file extension (.docd rather than just .doc for a Word document, for example).

Sadly, it already might be too late for such a system. Assuming a company like Google took the initiative--which would require the audacity of such a giant--it would take a year or two to outline a system everybody was happy with, and then even longer for it to be incorporated into operating systems. By that point mobile operating systems will be fully mature, and adding in DDRM would be a matter of ugly retrofitting. Ideally, such a system should have been dreamed up a few years ago, so it would have become a feature in the nascent wave of mobile operating systems.

Additionally, I wouldn't be surprised if somebody has already thought of a system such as DDRM and patented it. That could create all kinds of problems and expenses.

So for the moment DDRM will have to remain a thought exercise, although a curious one that perhaps deserves more attention.

What Security Technology Will Be Hot at RSA 2011?

The annual RSA Conference, now in its 20th year, will be rocking this month as the security industry gathers in the weeklong extravaganza of product introductions and security experts arguing cloud and mobile computing security issues.


Industry executives stepping into the limelight at the show will include Scott Charney, Microsoft's corporate vice president for trustworthy computing. Charney will be posing the idea of a "collective defense for Internet health" that might involve a new type of computer check-up to detect botnet or other malware code, and what the social and political implications might be. The Pentagon's deputy secretary of defense, William Lynn, is expected to speak about the Defense Department's cybersecurity strategy - and ask for assistance from industry to develop technologies against adversaries trying to get into sensitive networks.

Other keynote speakers will be Enrique Salem, president and CEO of Symantec; Bill Veghte, executive vice president, software and solutions, enterprise business at HP, expected to discuss what HP will be doing to innovate with its recent acquisitions of ArcSight and Fortify; and Tom Gillis, Cisco's vice president and general manager, security technology business unit, likely to discuss Cisco's security strategies in mobile and cloud computing.


But far from the hoopla, the RSA Conference - which began two decades ago as a modest gathering of cryptography experts invited to a conference of their peers organized by what was RSA Data Security (now part of EMC) - still remains a place to explore some of the latest thinking about public- and private-key encryption.

And this year a good place to start would be at the Oasis KMIP Interoperability Demonstration, where members of the industry group Organization for the Advancement of Structured Information Standards (OASIS) will be demonstrating secure communication of key-management information across vendor product boundaries using products based on the OASIS Key Management Interoperability Protocol v. 1.0.

KMIP is an industry specification developed by OASIS participants, including IBM, HP, EMC/RSA and nCipher (acquired by Thales), among others, for policy-based centralized control over "cryptographic material, public/private keys, certificates, all kinds of materials with cryptographic keys that need to be managed," says Robert Haas, manager of storage systems research at IBM's Zurich Research Lab.

Managing encryption keys, wherever used in storage and database systems, servers and hosts, or elsewhere, has always been hugely difficult - and the complexity has sometimes been called "the Achilles' heel of cryptography," Haas adds.

The KMIP v. 1.0 specification appears to be the best shot so far to create a standard for multivendor interoperability in key management, Haas points out. The demonstration at the RSA Conference will show how it's possible to do tasks such as generate keys, locate existing keys, and retrieve, register and delete keys across vendor client/server boundaries using products from SafeNet, Emulex, RSA/EMC, Cryptsoft, IBM, HP and High Density Devices.

The topic of interoperability in highly sensitive security environments will be taken up by Michael Denning, general manager, security customer solutions unit at CA Technologies, who will host a panel discussion with executive directors from Raytheon, EADS, and Northrop Grumman. The focus will be on use of data-sharing technologies developed by the Transglobal Secure Collaboration Program, the group of corporate and government participants fostering secure means to share sensitive information in the aerospace and defense organizations across international boundaries.

Meanwhile, a number of announcements related to mobile data security, next-generation firewalls and intrusion detection and prevention are expected, including what is said to be the first commercial implementation of the Suricata specification fostered by the Open Information Security Foundation, regarded as a competitor to open-source Snort, which is shepherded by Sourcefire.

Specifically under the OISF banner, the ThreatMeter 10 Gbps IDS/IPS appliance from nPulse will be showcased, based on rule-sets from company Emerging Threats as well as supporting technology from Napatech.

Other product demonstrations will include a joint demonstration of how the Tufin SecureTrack firewall-management audit and compliance product for the first time will support a next-generation firewall, in this case the NGFW line from Palo Alto Networks. This means that using the Tufin firewall-management tool could make it easier to migrate from a traditional port-based firewall to a next-generation firewall such as Palo Alto's, that can work based on application-level controls. Palo Alto and Tufin will be demonstrating how this works at both their booths at the show. CA Technologies will be showing how its SiteMinder Web-access control product gains expanded and advanced security authentication through integration with security-policy enforcement technology from Arcot, a company it acquired late last year.



Facebook HTTPS: False sense of security?

The rollout of Facebook's new Hypertext Transfer Protocol Secure encryption is about complete. (Elinor Mills described the feature in a post on her InSecurity Complex blog last week.) While encryption is a welcome addition to the social network, it is far from a Facebook security panacea.

To enable encryption in Facebook, click Account in the top-right corner and choose Account Settings. Select Change next to Account Security to view your current settings. Check the option under Secure Browsing (https). You may also want to check "Send me an email" under "When a new computer or mobile device logs into this account" to be alerted to possible unauthorized access to your account.



Enable Facebook's encryption setting via the Account Security option on your Account Settings page.
(Credit: screenshot by Dennis O'Reilly/CNET)

It's great that Facebook is taking steps to protect its customers from scammers and ID thieves, but there's only so much the company or any Web service can do to thwart snoops and malware purveyors. In Facebook's case, the weak link may be games and other applications that remain unencrypted.

Earlier this week Sophos security researcher Graham Cluley wrote in his Naked Security blog about a Facebook flaw discovered by two students. According to Cluley, malware can imitate an app that has been granted permission to access your data and publish to your wall to launch phishing attacks and propagate viruses and Trojans.

The researcher was initially unable to duplicate the attack method because his Facebook security settings were "pretty rigid," but lowering the settings allowed him to gain access to his account via the scam app.
In August 2009 I described how to change the default Facebook security settings to make the service safer. The privacy options have changed somewhat since that time, but the steps for strengthening your Facebook security are about the same. Facebook's own Controlling How You Share page goes into greater detail on the service's security options.

Cluley reports that the students notified Facebook security officials of the flaw and it has been patched. But as the Sophos researcher points out, a complex system such as Facebook is sure to contain other flaws, some of which may be exploited by bad guys.

Facebook users targeted by phishers

As you might expect, Facebook's success has made it a favorite target of Internet scammers. Security vendor Panda Security recently reported on two new malware attacks that attempt to trick Facebook users into opening a bogus e-mail attachment and clicking a link in an instant message, respectively.

The e-mail warns users that their Facebook account is being used to send spam and their password has been changed. They are instructed to open the message's attachment, which includes a Microsoft Word icon, to find their new password and then to log in and change the password. The attachment opens Word to make users think it's legitimate, but it also opens all their system's ports and connects to mail services in an attempt to send spam, according to PandaLabs researchers.

The link in the fake IM downloads a worm that takes over the person's Facebook account and locks them out, displaying a message when they try to log in stating that the account has been suspended. To reactivate the account, the message instructs them to complete a questionnaire and even promises prizes for doing so.
The questionnaire even asks for the person's cell phone number to receive "data download credits" and a new password to be used to reactivate the account. This breaks several of the cardinal rules of safe computing:

• Don't click links in e-mails or IMs, even if you think you trust the sender. Phishers may have compromised the person's account for use in their nefarious schemes.

• Don't open e-mail attachments you're not expecting without verifying them with the sender beforehand.

• Don't volunteer personal information to any site you don't trust and that doesn't use encryption. Look for "https:" at the start of the URL and the lock icon, either near the address at the top of the screen or in the status bar at the bottom of the screen, depending on your browser.

There will certainly be new, craftier attempts to trick Facebook users into giving thieves and snoops access to their accounts. Protecting against them is every Facebook user's responsibility. It starts by knowing the bad guys are out there waiting for us to drop our guard.

Thursday, February 3, 2011

Smartphones raise computer virus risk

Social networking and the explosive growth of mobile computing have created a new layer of risk for companies embracing web technology to boost the bottom line, data security experts said Tuesday.


Nick Galletto, a partner at Deloitte Security and Privacy Services in Toronto, said threats from malicious software are multiplying with the proliferation of mobile computing devices, including the iPhone and BlackBerry.


He said smartphones and tablet PCs are increasingly linked to corporate networks through unsecured connections. And users are often unaware of the need to provide password and encryption protection on phones that may store corporate as well as personal data.


The result is that deliberate breaches, along with careless behavior, are a mounting threat to business operations and individual privacy, he told a Toronto seminar on securing the mobile workforce.


Smartphones are embraced by government and individuals to conduct commerce and share information. But he said corporations, anxious to drive efficiencies and cost-savings from digital technology, “are the main source of data leakage.”


As such, Galletto said smartphones are a conduit for the spread of computer viruses and other malicious code between the mobile gadget and enterprise networks. He said the problem is made more acute by the blurring of the line between business and personal use of mobile digital technology.


“If you bring a smartphone with corporate data home, don’t be surprised if your tech savvy teenager can jailbreak the code,” he said.


And there are also new dangers from social networking sites that encourage users to link to web addresses that may not be secure, he said.


As well, there are the threats posed by the more than 250,000 applications available for mobile download from online stores operated by Apple Inc., Research In Motion Ltd. and others, said Daniel Hoffman, chief mobile security “evangelist” at data security firm Juniper Networks and a speaker at the seminar. He said a smartphone virus in Russia “stole money” by sending unauthorized texts to gain control over a bank account.


Hoffman also said that Google pulled dozens of unauthorized mobile-banking apps from its Android Market, adding that applications not vetted by store employees can secretly infect mobile gadgets with worms, Trojans, spyware, key loggers and other bugs that can disable a device, or even record users’ phone conversations.


And while Apple says it vets applications before they appear in its App Store, it has pulled hundreds of apps it said violated policies dealing with security and privacy.


As well, recent research from computer training firm SANS found that 85 per cent of users were not scanning their mobile devices for malicious programs running on the devices. Of the 15 per cent who were, 18 per cent found mobile malware, higher than the overall infection rate for PCs in North America.


Hoffman said mobile device users need to begin treating the technology like mobile desktop computers: installing anti-virus protection, securing passwords and enabling encryption. But he added that there is no substitute for common sense.


“I think the biggest threat to the enterprise is not from external sources, but from users with a false sense of security.”

Tuesday, February 1, 2011

Computer Security: ZoneAlarm (antivirus)

Over the past few years I have built and repaired computers from my house, and unfortunately I'm sorry to say that most problems begin with the user. Well, maybe with the manufacturer, which installs only a trial of an anti-virus program (usually about three months); after that you can no longer update from their download server (unless you buy their product). It is very important these days to have anti-virus and spyware-removal software installed and updated regularly, "at least twice a week."


The two most recommended anti-virus programs are Symantec (Norton AntiVirus) and McAfee.

Both are different; both can integrate Internet Security and a firewall. I tried both and had small problems and conflicts, so I can't be the only one.

I myself have always been a fan of Norton AntiVirus, apart from the way it "integrates activation" with a one-year subscription for updates from them, after which the updates stop unless you renew.

But there is an alternative to these two. I used ZoneAlarm Pro for many years, from about 1999. While I was searching for a copy of Norton AntiVirus, I came across ZoneAlarm Pro with Antivirus, and because I had trusted ZoneAlarm Pro for so long, and with a price difference of $20.00, I decided to try it: not only the firewall, which had been the main program for many years, but now with anti-virus software as well. I liked the idea because I really do not like programs in conflict, which the two are known for; two in one package from the same vendor are much less likely to choke on each other.

ZoneAlarm has offered a free version (with no expiration date) of the firewall program, although unfortunately it may display an ad, even during an update.

Features: strong anti-virus protection; network and program firewall; Operating System Firewall (OSFirewall™); SmartDefense™ service; e-mail protection; wireless PC protection.

ZoneAlarm Anti-Virus uses sophisticated logic to identify and remove viruses.
ZoneAlarm Anti-Virus system requirements: Windows 2000 Pro / XP; Pentium III 450 MHz or higher; 50 MB free hard disk space; Internet access; minimum system RAM 64 MB (2000 Pro), 128 MB (XP).

Saturday, January 29, 2011

Unblock and Block Programs Using Windows 7 Firewall

Windows Firewall in Windows 7 provides two-way firewall protection to control which programs may use the Internet connection. Find out how you can block and unblock applications using the Windows 7 firewall.

Firewall Protection in Windows 7

 

The built-in firewall in Windows is similar to third-party firewall programs in its ability to block or unblock the ports a program may need in order to use the Internet connection. A common symptom is that a program's connection to a server seems not to respond to the user's request and no data is received: the firewall is doing its job of protecting the computer. Whenever the Windows firewall blocks such a connection, the user is notified and given a choice of how the firewall should handle the program's request: keep blocking, unblock, or ask later.
In some cases the program may keep changing the ports it uses, and the firewall is not configured to allow the connection on the new port because it is blocked or not open.

Fixing Connection Problems when the Firewall is Enabled


You may have run into a problem where software cannot connect to the Internet or does not function properly. An application that requires an Internet connection may fail to connect if the Windows 7 firewall is blocking it. To resolve Windows Firewall blocking a program, follow the methods in this article:

  • Add a program exception in Windows Firewall – the first thing to do is to check whether the affected program is already in the firewall exception list and whether it has a check mark. If the program is listed but its check box is empty, simply check it and then apply the changes. If the affected program is not listed, add it by clicking the Add Program button and browsing for its executable.

  • Open the port number for the affected program – some programs require a particular port. Find the required port numbers from the software vendor or the application's documentation, and then use Windows Firewall to open them. Note that you can also identify the required port number from a command prompt by typing netstat -ano: use the affected program, then note its process identifier (PID) and the port number shown after the local address. Add that port number to the Windows Firewall exceptions to let the program connect.

How to block a program using Windows Firewall

If the firewall automatically adds an exception for a program or application, you can block it by removing the program's name from the list of exceptions or allowed programs. There is also the option to uncheck the program in the list of allowed programs; use this option if you want Windows Firewall to keep the program's entry.
Blocking an application from connecting to the Internet with Windows Firewall is effective, but if the application has an associated executable, the connection may not be blocked. An example is Google Toolbar, which uses Google Updater to connect to Google.com servers. Make sure you also block any additional software that the application installed.
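The steps above (find the program's ports with netstat -ano, add program and port exceptions, block a program together with its helper) as one PowerShell example for Windows 7, added here and not part of the original article: it parses netstat -ano output for a given PID and then issues the matching netsh advfirewall commands, the built-in command line for the same rules the Windows Firewall GUI manages. The PID, program paths, rule names and the netstat lines are constructed.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt on
# Windows 7; netsh advfirewall is the built-in command line for Windows Firewall rules.

function Get-ListeningPortsForPid {
    param(
        [Parameter(Mandatory=$true)] [int] $ProcessId,
        [Parameter(Mandatory=$true)] [string[]] $NetstatLines   # lines of: netstat -ano
    )
    # Columns: Proto, Local Address, Foreign Address, State, PID (UDP rows have
    # no State). The port is the text after the last ':' of the local address,
    # which also works for IPv6 addresses such as [::]:6881. Only TCP sockets
    # in LISTENING state and UDP sockets are kept: an ESTABLISHED row is the
    # program's own outgoing connection on an ephemeral port and needs no rule.
    $rows = foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }
        if ([int]$f[-1] -ne $ProcessId) { continue }
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $port = [int]($f[1].Substring($f[1].LastIndexOf(':') + 1))
        New-Object PSObject -Property @{ Proto = $f[0]; Port = $port }
    }
    $rows | Sort-Object Proto, Port -Unique
}

# Constructed netstat -ano output; on a real machine use: $lines = netstat -ano
$lines = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    192.168.1.10:49210     203.0.113.5:443        ESTABLISHED     4120
  TCP    [::]:6881              [::]:0                 LISTENING       4120
  UDP    0.0.0.0:6881           *:*                                    4120
'@ -split "`r?`n"

$program = 'C:\ExampleApp\app.exe'   # hypothetical path of the affected program

# 1. Program exception (the command-line equivalent of "Add Program" in the GUI).
netsh advfirewall firewall add rule name=ExampleApp-program dir=in action=allow program=$program enable=yes

# 2. Port exceptions only for what PID 4120 really listens on: TCP 6881 and UDP 6881.
foreach ($r in Get-ListeningPortsForPid -ProcessId 4120 -NetstatLines $lines) {
    netsh advfirewall firewall add rule name=ExampleApp-$($r.Proto)-$($r.Port) dir=in action=allow protocol=$($r.Proto) localport=$($r.Port)
}

# 3. To block instead: Windows 7 allows outbound traffic by default, so the block rule
#    is outbound, and a helper the program installed (an updater, say) needs its own rule.
netsh advfirewall firewall add rule name=Block-ExampleApp dir=out action=block program=$program
netsh advfirewall firewall add rule name=Block-ExampleApp-Updater dir=out action=block program=C:\ExampleApp\updater.exe
netsh advfirewall firewall show rule name=Block-ExampleApp
```

Delete a rule again with netsh advfirewall firewall delete rule name=... once the program is no longer needed, so the exception list does not grow stale.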

Final words

A computer without firewall protection is vulnerable to remote and local attackers, which is why it is recommended to always enable Windows Firewall in Windows 7 or earlier operating systems. Using a third-party firewall is also recommended for better firewall controls and options. A computer that uses firewall protection is still vulnerable to attackers if its settings are not correct. Always review the firewall policy, and ask advanced users for help in creating firewall rules for home or work computers.