Advertisements

Month: April 2014

  • There’s a new zero-day vulnerability in many of the current versions of Internet Explorer and is being used in active attacks right now. The exploit that’s in use has the ability to bypass both DEP and ASLR and researchers say it’s being used by a known APT group. Microsoft has issued an advisory (2963983) about the CVE-2014-1776 IE vulnerability, and said it is aware of some targeted attacks using the exploit. The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website Microsoft has said that a patch will be available next patch Tuesday (May 13, 2014). In the meantime other methods can be used to protect your self from the zero-day exploit. 1. Download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows 2. You can also run IE in a more secure mode by going to Internet Option s> Security and setting the slider to High and/or Disable Active Scripting 3. Use Chrome or Firefox for surfing the web. 4. If using IE10 or higher enable Enhanced Protected Mode
  • Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties. The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
  • April 23, 2014

    AOL E-mail Hacked By Spoofers

    In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. A relic of electronic mail history, the majority of users have long since jumped ship for Gmail or Yahoo. Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weekend that a slew of old AOL Mail accounts had been hacked to send spam to their friends. While it’s unclear exactly how many users’ accounts have been compromised at this point, multiple users have complained on Twitter that their accounts  – some which naturally have not been used for years – were compromised and used to send spam to other users. AOL acknowledged the hack late yesterday and pointed out that it’s likely affected users weren’t hacked but spoofed, and that it’s doing everything in its power to correct the issue. “AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints,” AOL said in a statement Tuesday, “We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely.” As AOL notes, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers’ email account and are sent via the spammers’ server. While spoofing attacks are nothing new this particular campaign appears to have really started picking up steam over the weekend. The hashtag #AOLhacked on Twitter has seen users bemoan the service’s security and others cracking their fair share of jokes since Sunday. Since there’s a difference between being hacked and being spoofed, there’s nothing users can really do prevent the spammer from continuing to spoof their email accounts. Users can change their passwords and delete their contacts but it doesn’t really...
  • Sally Beauty supply, a retail chain that sells hair and beauty items based in Denton, was hacked earlier this month according to a release obtained by Breitbart Texas. The company hired Verizon’s forensics firm to investigate the incident and pinpoint exactly how many people may have been affected. A Sally Beauty spokeswoman confirmed to Breitbart News that fewer than 25,000 credit card records were compromised as a result of the breach. She added, however, that the number of affected individuals is not certain at this point and that “we don’t know if there has been actual abuse of that 25,000.” A statement released by Sally Beauty on Tuesday said, “As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation, As a result, we will not speculate as to the scope or nature of the data security incident.” The hair supply company also claimed the U.S. Secret Service is assisting in the early steps of the investigation. The recent breach echoes an incident late last year when Target experienced a massive data breach. http://www.breitbart.com/Breitbart-Texas/2014/03/20/Texas-Based-Sally-Beauty-Supply-Hacked-Credit-Cards-Compromised
  • April 12, 2014

    TTG 33 – WWE Network

    The Technology Geek – Episode 33 Today in this podcast we discuss this being our second live podcast and The Technology Geek Radio Network. Were talking about the WWE Network and the pay per view industry changing. We talk about the Chromecast SDK and Windows XP End Date April 8th. Schools Using iPads for students that cant read and we talk about the technology news of the week and answer your questions. Join Me Today As I Respond to Your Calls and Discuss… WWE Network and the pay per view industry Chromecast SDK Windows XP End Date April 8th Schools Using iPads for students that cant read Disabling ‘Find My iPhone’ on iOS 7 without any Password More Countries Give Hams Access to 60 Meters Comcast and Time Warner Cable Merger Windows 8.1 Update Released, With Improvements For Non-Touch Hardware Netflix begins 4K streams Weather Channel Agrees to Alter Program Lineup to Return to DirecTV Game of thrones premiere takes down HBOGO Vine Cofounder Colin Kroll Is Stepping Down OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks Samsung Galaxy S5, Gear family hits AT&T on April 11 Join Me Today As I Answer Your Questions… What do you think about Radioshack closing? Was the Mozilla CEO kicked out due to being gay? Canada freezing online income tax due to heartbleed bug? What should I do to protect myself? What is the Zues banking trojan? Is Bitcoin investable? What scanner should I get? Can I use a VPN to get around ISPs throttling Netflix? Can I run Windows on a Mac? What bluetooth should I get with my iPhone? Remember to be on a show like this one just pick up your phone and call (570) 630-0744. The best way to improve your chances of being on the air is ask your question or make...
  • April 10, 2014

    Heartbleed Bug Information

    Dire warnings about Heartbleed, a serious internet security risk affecting millions of websites, is echoing across the internet today. Described as a flaw in OpenSSL, the open source encryption technology used by the vast majority of web servers. The Heartbleed bug is a particularly nasty bug. It allows an attacker to read up to 64KB of memory, and the security researchers have said: “Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.” Alleged Yahoo user credentials visible due to Heartbleed (source: Mark Loman). The problem is fairly simple: there’s a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain long-term server private keys TLS session keys confidential data like passwords session ticket keys
  • Choosing a cloud service provider is a task that shouldn’t be taken lightly. You need to make sure the company you choose is capable of storing your data as securely as possible while providing a solution that works for your business. With that in mind, you shouldn’t be afraid to ask some serious questions: Software and Contracts Questions Can I try the software/service before making a commitment? This is a great way to see if the solution actually meets your needs before spending a lot of money. If they won’t give you access to the full product, see if they have a trial or limited version that you can try. Do you have any stories of successful similar deployments? Ask for specific case studies that deal with businesses in the same industry or with the same needs. You can also ask to talk to current and past clients. How flexible is the contract? Will the price remain constant? Is there a termination fee? Can we configure a solution to specifically meet our needs? Don’t be afraid to ask if you can tweak certain aspects of the solution to more fully meet your needs. Security Questions Where is your data center? What security measures are in place at the physical location? Different countries and locations have different laws regarding data security. Find out where the data center is and what physical measures they take to prevent data loss. What certificates do you have for data protection? How will you store my data? Find out about encryption, both on their servers and in transit. If they do encrypt data, ask that you control the decryption keys. What happens in the event of data corruption? Similarly, what is your disaster recovery process? Do they offer data duplication? Do you offer backup storage? If...
  • An image transmitted from Mars to Earth by NASA’s Curiosity rover has some alien enthusiasts seeing the (artificial) light about the possibility of life on Mars. The image, visible at the raw images database from NASA’s jet propulsion laboratory, depicts what appears to be a white speck of something in its upper left-hand portion. Curiosity snapped the image shortly after arriving at the “The Kimberley” waypoint on April 2. Over the past few days, UFO-spotting blogs have picked up the image as a sign that something … is out there. UFO Sightings Daily’s Scott C. Waring, for instance, wrote this over the weekend about the image: “An artificial light source was seen this week in this NASA photo which shows light shining upward from…the ground. This could indicate there there is intelligent life below the ground and uses light as we do. This is not a glare from the sun, nor is it an artifact of the photo process. Look closely at the bottom of the light. It has a very flat surface giving us 100% indiction it is from the surface. Sure NASA could go and investigate it, but hey, they are not on Mars to discovery life, but there to stall its discovery.” And YouTube user Thelifebeyondearth set the image to new age music. In one close up of the image, the user writes, “this close up seems to reveal a hole or shadow beneath the light…could it be an underground base.” http://news.yahoo.com/ufo-spotters-very-excited-suspicious-nasa-photo-mars-143042715.html
  • There has been a big buzz around cloud computing for a few years now, although the technology has been around for a while it is not until recently where it has advanced into a much useful tool. You may not even know that you are using a cloud computing service, if you use Google Mail for example, then you are in fact using a cloud service as your emails are handled by an external source. In certain circumstances, cloud computing can be the best thing for your businesses as it has the capacity to allow your business to grow. In addition to this, cloud computing may not be the right type of service for your company, this article shall point out the benefits of each of the main cloud computing services so that you can assess whether they are right for you – although you can contact IT specialists such as these that can outline the cloud computing services to you. The use of managed servers There are many circumstances where having a managed server will benefit your business, if your business agrees with the following points then investing in such a service can be beneficial to growing your company. It is not uncommon now for you to have offices in several different locations, and this is where managed services can help your offices to all work as if it was one big hub. This is also extremely helpful if you’re going to be constantly on the go as you can therefore access all of your applications and files when you are outside of your office. These external servers can be hosted outside of the office too in IT centres which means that you can save on space and have undisrupted maintenance. However, if you have a big office with...