Care should be taken when plugging holiday gift gadgets into your personal computer and laptop, said security researchers at Sans.org, Microsoft, and Kaspersky in recent blog posts. Reports of strange files being found on USB storage devices increased over the holiday season. Reporting Monday on the SANS' Internet Storm Center blog, director Marcus Sachs said, "In years past this would have been limited to iPods and USB memory sticks, but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras."
Update at 12:10 p.m. PST: Comment from Zango has been added.
Good riddance: Facebook has banned the "Secret Crush" application due to reports of its affiliation with a notorious spyware manufacturer.
The social-networking site confirmed the breakup on Monday: "Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware," a statement from the company read. "We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."…
Verdasys CTO Dan Geer says one of the problems with data theft is that it has nothing in common with our current attitudes toward possession and loss. I recently talked with Geer about protecting your computer assets, and at one point he started quoting that famous Joni Mitchell line, "You don't know what you've got till it's gone."
(Data theft) is one place where our intuition about physical objects and our intuition about data can't be the same.
If I steal your car, you are likely to notice. Or putting it differently, if I …
On Thursday, security vendor Fortinet warned Facebook users that a popular new widget also installed Zango, software that has been labeled by some antivirus vendors as spyware. The Facebook widget, Secret Crush, promises to reveal who has a secret crush on them, and requires the user to add it to their site. Upon doing so, Fortinet says the Zango software also piggybacks in the installation without notification.
Previously, MySpace users were tricked into downloading video from a site called YooTube, which also attempted to install the Zango Cash program.
In preparation for its next Patch Tuesday, January 8, 2008, Microsoft said on Thursday that it will issue two bulletins.
One, deemed critical by Microsoft, will address remote code execution in Windows Vista, Windows Server 2003 service packs 1 and 2, Windows XP Service Pack 2, and Windows 2000 Service Pack 4.
The second, deemed important, will address local elevation of privilege in Windows Server 2003 service packs 1 and 2, Windows XP Service Pack 2, and Windows 2000 Service Pack 4, but not Windows Vista.
In addition to the two bulletins, Microsoft also plans to issue an updated version …
On December 28, an Associated Press story was making the rounds that said in part:
To help reduce the risk of fires, air travelers will no longer be able to pack loose lithium batteries in checked luggage beginning January 1, the Transportation Department said Friday.
Passengers can still check baggage with lithium batteries, if they are installed in electronic devices, such as cameras, cell phones, and laptop computers. If packed in plastic bags, batteries may be in carry-on baggage. The limit is two batteries per passenger.
This caused me to perk up at my computer. After all, I routinely travel …
Online shoppers who signed up for the "Sears Holdings Community" ("My SHC Community" or "SHC") this holiday season got a gift that keeps on giving: spyware.
Sears defends its actions by saying it clearly notified customers before they accepted the software installation. However, several antispyware researchers found the Sears notification process fails to call out that users' online activities (including logging in to bank accounts) will be recorded and that it generally falls below industry standards.
I've been writing (parent.thesis) for about six months now, and the New Year seems like a good time to reflect on the themes that have developed. I love technology, and at the same time, I am cautious when it comes to kids and tech. Here are the three issues that are really bugging me right now:
Disconnect between product design and online safety
Commercialization of kids online
Information control, privacy, and data mining
I'm in Boston for a meeting with an Alfresco customer, and happened to have a few minutes before my 9:00 meeting. I scanned for open wireless networks and found a Microsoft guest access point, and tried to log on. The response was funny on a number of different levels:
Yes, I know the legal reasons for disclaiming all responsibility. But let's just say that Microsoft's track record on security might come into play, as well. I was going to tell them that I use a Mac and so am not susceptible to all of the attacks …
Microsoft seems to finally be caving on the idea of security through obscurity. No, its software isn't being open-sourced, but it is creating a public forum in which to discuss its security research and patch management process. The Microsoft Security Vulnerability Research and Defense blog is designed to "provide more information about Microsoft vulnerabilities, mitigations and workarounds, and active attacks."
Doesn't Microsoft already do this? Well, yes. Sort of. But the blog--which is maintained by what appears to be Microsoft's top security people--is meant to give a deeper look into how it …