Monthly Archive for October, 2009
Mozilla is disabling a pair of components stealthily installed by Microsoft earlier this year for Windows users of the Firefox Web browser, warning that the software suffers from a serious security vulnerability. Firefox users may already have seen a pop-up notice about an unstable or insecure add-on being disabled. The message would look something like image below. There's a short backstory to this drama. In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove. Microsoft's initial response -- that the add-on could be removed
Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers. Moorestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com - the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll. "After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday. This week's attack appears to be
A number of games and other applications built to be used on Facebook.com have been hacked so that users are quietly sent to sites that try to install malicious programs, a security researcher has found. Roger Thompson, chief research officer for computer security firm AVG, discovered about a half-dozen Facebook games and app home pages had been compromised by attackers. While hacked Facebook profile pages are not uncommon -- thanks largely to threats like the Koobface worm -- Thompson said this was the first time he'd seen actual Facebook applications being hacked. According to Thompson, the hackers somehow slipped malicious "iframes" -- small, hidden chunks of computer code that invisibly load content from exploit sites -- into each of the Facebook.com Web pages where users would go to use the apps. The exploit sites in turn try to foist malicious software if the visitor is running outdated Adobe products, such
Mozilla is now offering Firefox users a simple way to tell whether the browser's various plug-ins are up-to-date with the latest security patches. Plug-ins are components installed by third-party software that power videos, animation and games in the browser, among other things. Outdated plug-ins can give malware an easy way into your computer, so it's important to make sure your browser has the latest, most secure versions. Even if you are normally vigilant about updating third-party software, occasionally a software update will fail to automatically patch its accompanying plug-in. Enter Mozilla's Plugin Check: Let it scan Firefox, and it will tell you which of the plug-ins you have installed needs patching. (A screen shot of the results of a scan done on my test machine is pictured above). Any outdated plug-ins for which Plugin Check can find an updated version will land at the top of the list, and when
Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys. This is precisely what happened to Kathy Dake, office manager for St. Isidore Catholic Church in Danville, Calif. Dake had infected her PC with the Zeus Trojan after opening a malicious e-mail disguised as notice from the IRS about "unreported income" (see New IRS Scam Could Be Costly). The thieves used Zeus to steal the credentials Dake uses to administer the church's bank account, and a week ago Friday she came in to work to find her computer would not
Adobe Systems Inc. on Tuesday issued a new version of both Adobe Acrobat and its free Adobe PDF Reader to fix at least 29 separate security vulnerabilities in these products. If you have either (or both) of these programs installed, take a moment to update them. Adobe warns that hackers already are exploiting at least one of the flaws to break into vulnerable systems. Users of Adobe Reader and Acrobat version 9.1.3 and earlier should update to version 9.2, available in the "solution" section at this link. Updates are available for Windows, Mac and Unix versions of the programs. Adobe has some special instructions for those who for whatever reason need to stay with older lines of the software: The company recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who
Microsoft Corp. on Tuesday issued an unprecedented number of updates to fix security problems in PCs powered by its Windows operating systems and other software: The software giant released patches to plug at least 34 security holes, the highest number of vulnerabilities it has ever addressed in a single month. October's batch of patches offer a little something for all Windows users, fixing security issues in Windows applications from the Internet Explorer (IE) browser and Microsoft Silverlight, to Microsoft's Internet Information Services (IIS) server, said Tyler Reguly, lead security research engineer at security vendor nCircle. "Again we see a month of client-side issues in almost every major Microsoft product," Reguly said. "Whether you run Office, Windows Media Player, Internet Explorer, .NET or just Windows itself, there's a vulnerability for you." Two-thirds of security holes addressed this month earned Microsoft's "critical" rating - it's most severe. Microsoft labels a security flaw
An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud. The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online. I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way. But regardless of the methods used by the bank or the crooks, all
In past Live Online chats and blog posts, I've mentioned any easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can't be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations. Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom or DVD. The beauty of Live CDs is that they can be used to turn a Windows based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are completely wiped
