It seems that the stars might finally align to remove one of the largest security holes in the history of… well history itself. Oracle is announcing that it is finally getting rid of the Java Browser Plug-in… sometime. According to a blog post on the Oracle page they are aware that most (if not all) browsers are already blocking plug-ins like the one in the Java Runtime Environment. These are for security, stability and performance, and really should have been done a long time ago. Over the last few years the Java browser plug-in (along with Flash) has been the vector of choice for many web-based attacks.
The world lives in fear of zero-day exploits although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system and no one has a patch for it yet. When the good guys (security researchers) know about them they work with companies to patch them. When the bad guys know about these things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?
Network and application security are big deals and big business these days. It seems that a day does not pass that you hear about a new breach, exploit, hack or something. This sad state has prompted a few companies to actually look outside their organizations for help and offer bug bounties to individual researchers that find holes in applications and hardware. These bounties can be quite the incentive to get people to tear into your application looking for exploits, but even more important than rewards is having a clear method to report problems and a team that actually responds to them when they are found.
We talk a lot about security on DecryptedTech and with good reason, there are a ton of threats out there and this list just keeps getting longer. This is why we tend to get annoyed with large corporations when they either skimp on security or botch the job. This is apparently the case in with eBay owned PayPal. For a while PayPal has been highlighting their 2FA (Two Factor Authentication) as a great way to protect your financial data and it is… unless you screw up the implementation.
After last week experts from Gibson Security found security holes in the application Snapchat, on the internet appeared web page under a name SnapchatDB! where there is allegedly database with usernames of Snapchat users and their associated phone numbers.
Kaspersky Lab experts noticed a security flaw related to Apple's Safari browser, or to be more precise, its storage of passwords and user ID information.
About a month ago we reported on an statement by the FTC in regards to a security flaw in certain models of TRENDNet IP cameras. The statement was a “what he said” move considering that all of the items they talked about have already been done by TRENDNet. We also noted that the FTC was less concerned about the actual presence of flaws than they were with a product being labeled as secure when it was not. At the time of the statement we remarked that the flaws found in TREDNNet products were very common in embedded devices. In fact we recently reported that a similar flaw exists in many residential firewalls and routers. It seems that companies building products with an embedded OS just do not know how to keep things secure.
The company Appriver warned users of Dropbox service to increase caution, as false messages that ask users to change the password they use when signing up for service appeared once again. Fraudulent email messages are composed so that at first glance they look like they were really sent from Dropbox Team.
In a career that has spanned over 20 years in IT I have met a lot of people from different industries. Many of these people I have not kept in contact with and some I have. Occasionally when talking to some of them something will be said that might not hit home until a little later. This was the case with something that was said to be by an acquaintance who just happens to work as a technical manager at a security consulting company. During our talk I mentioned that it seemed like systems were getting much more insecure, and he joked saying: why would any security company want to work themselves out of business?
Indian enthusiast Arul Kumar who deals with computer security issues, reported a flaw in the social network Facebook, which allows you to delete any photo on Facebook within one minute. Failure is spotted within Support Dashboard portal that allows users to send complaints regarding violation or offensive content, and monitor whether the individual complaint is processed. Facebook employees handle complaints 24 hours a day, seven days a week.