Popular celebrity news stories lead to increase in malware attacks

Posted by Tracy Mooney - July 3, 2009 on 4:14 pm | In Mcafee Security | No Comments

The number of celebrity deaths in the past ten days, losing icons like Farrah Fawcett, Michael Jackson and Ed McMahon, has been surprising and sad, especially if you believe in the “death comes in threes” superstition. What is even more surprising to me is how quickly cybercriminals use the deaths of celebs or the latest big news story as a way to lure you into potentially downloading malware onto your computer.

McAfee’s Avert Labs sent out an alert this week reminding everyone to be extra vigilant in light of recent events. In this blog (http://www.avertlabs.com/research/blog/index.php/2009/06/25/) they remind us to be careful of spam emails that offer links to news or photos. “When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft” the blog says.

This is a great time to remind kids about the danger lurking in their email inbox and also when they do a search. If they do not know who an email is from, they should just delete it without opening it. Many dangers on the net are financially motivated and the criminals will do anything, including spreading false emails or links boasting false information surrounding news events in order to gain access to your credit card number or personal information. Unfortunately, kids are sometimes the ones to open the “door” to criminals, letting them into your computer.

Not all sites are created equal and neither are all emails. A free product like Site Advisor can help you know the difference. Download it and teach your kids how to use it. Kids are curious and even if they don’t know who an email is from, they may want to open it anyway because it has a subject line that gets their attention. Criminals prey on our curiosity. So best arm yourself and your kids to back out of a potentially harmful mistake before your information is stolen or a virus is downloaded.

I subscribe to Google alerts and occasionally one of the links that is returned in the search is to a site that contains malware. A big McAfee Site Advisor alert shows at the top of the email warning me about the dangerous site and what the site could potentially do. Site Advisor, while it is not an antivirus product, can help make you aware when an email contains a link to a bad site or a harmful site comes up in a search. It really is nice knowing about the danger before I inadvertently click or before the kids do a search for “free lyrics”!


 



How to Use the Frame Blocking Facility (Anti-Clickjacking Defence) in Internet Explorer 8

Posted by thesitewizard.com - July 2, 2009 on 10:25 pm | In Site Wizard | No Comments

Internet Explorer 8 gives webmasters a new way to protect their site from being placed in a frame, and thus, hopefully, prevent clickjacking from taking place. This article shows you how you can configure your website so that it takes advantage of IE 8's new feature.

 



Consumer Expectations in the Netbooks Market

Posted by Rizwan Husain - July 2, 2009 on 6:20 pm | In Mcafee Security | No Comments

There is no doubt that the netbook device category has been one of the hottest and most talked about consumer product categories in recent times. There has been a massive amount of consumer interest in netbooks and industry analysts have been keeping a very close watch on whether these inexpensive devices are actually going to cannibalize sales of the more expensive PC devices. Like many other prominent hardware and software vendors, McAfee too has a vested interest in seeing how things play out in the netbooks market.

IDC expects 26.4M units of netbooks to be shipped globally in 2009, and most of the industry analysts have generally forecast strong growth for the next few years on the horizon. However, a new survey by NPD suggests that a large number of consumers who buy netbooks may be dissatisfied with their purchase. According to the survey results, 60 percent of consumers who purchase netbooks expect them to have similar functionality and performance as notebooks. The data clearly suggests that consumers’ expectations have not quite been sufficiently managed or met by the netbook vendors so far. Assuming that the results of this survey really reflect the true sentiments of netbook consumers, this data should be a major wake-up call for the netbook manufacturers and retailers.

At the end of the day, netbooks are meant to be lower-cost computing devices with scaled down features and specifications. Therefore, consumers who purchase netbooks and are expecting performance and functionality similar to notebooks are bound to be disappointed. In light of this, we could find an ever-increasing emphasis from vendors to position netbooks as companion devices (second or third PC) which cater to mobility and portability needs, rather than as replacements for traditional notebooks and desktops. Positioning and marketing netbooks in this fashion will go a long way in ensuring that consumers know what they are buying and are eventually more satisfied with their purchases.

This data from NPD also has great relevance for McAfee. A part of consumers’ satisfaction also has to do with expectations that the applications on their netbooks will run as fast as they would on a traditional PC. Therefore, software vendors such as McAfee also have a very pivotal role to play. From a security perspective, netbooks running on a Windows OS need the same level of protection as regular notebooks running on Windows. However, the challenge is to deliver the same level of protection on these netbooks without any significant performance impact. Leveraging technologies such as McAfee’s Artemis can certainly help. However, McAfee is taking a holistic look at this, and is exploring several other avenues that will enable McAfee to lead in the security software market for netbooks. Meeting and exceeding consumer expectations in the netbooks market space is certainly going to be a challenge, but as always, McAfee is up for it.


 



Critical SMS Vulnerability Unpatched on iPhone

Posted by Security Watch - July 2, 2009 on 4:33 pm | In PCMag Security | No Comments

A weakness in the way iPhones process SMS text messages could allow a remote attacker to install and run unsigned code as root, according to a report in Computerworld. Apple is working on a fix. The bug was found by researcher Charlie Miller and announced during a presentation at the SyScan conference in Singapore on Thursday. Miller did not provide details, but plans to do so at BlackHat in Las Vegas later this month. Apple expects to have a fix by then. Because it would run as root, attack code could do just about anything, including tracking the user with the GPS receiver or monitoring conversations. In the meantime there's little you can do to mitigate the issue short of turning off SMS reception.

 



Here Come the Malware July 4th Fireworks

Posted by Security Watch - July 2, 2009 on 4:30 pm | In PCMag Security | No Comments

Eset researchers say that the Waledac botnet is gearing up for a major malware-spam campaign around July 4th themes. The organizers of the botnet, which Eset estimates at tens of thousands of infected PCs, have registered 18 domain names related to video, fireworks, and Independence Day. (Why doesn't Eset include the domain names in their reports?) The goal of the campaign appears to be to grow the botnet, which Waledac's controllers have done before around holidays, including Valentine's Day and Christmas. The e-mails will contain links to the domains, which will serve the malware to the user. Eset says that detection rates for the Waledac malware have always been bad and only a handful of products detect the new variant. Good anti-malware is essential, but for protection nothing compares to common sense. Beware of links in unsolicited e-mails.

 



Is it Time to Stop Password Masking?

Posted by Security Watch - July 2, 2009 on 4:20 pm | In PCMag Security | No Comments

From the early days of the web it has been default behavior for forms to "mask" passwords by displaying asterisks or something similar instead of the actual characters. The obvious point of this is to protect your password from the eyes of passers-by. Now famed usability expert Jakob Nielsen is calling into question the value of this practice and arguing that the usability impact of it is too great. Nielsen says forms should display passwords in clear text, at least usually and by default. Nielsen doesn't like Reset buttons either.

There has been plenty of negative reaction to this call, generally hedged with respect to Nielsen's overall body of work: Jason Montgomery analyzed Nielsen in great detail, pointing out, for example, where he's merely changing the subject rather than making a valid criticism of password masking. Rik Ferguson points out unsubstantiated assertions in the case. Julio Canto simply says "Please do NOT stop password masking". Nielsen can at least count Bruce Schneier on his side. Schneier also downplays the danger of "shoulder surfing" and argues that the usability impact is severe.

I have to say I'm unimpressed with Nielsen's (and Schneier's) arguments. Whenever I come to the rare form that doesn't mask I'm nervous about it, even if I'm home alone. Nielsen argues that a talented and determined password thief could just watch your fingers as you type. This is true sometimes, but seems like a really weak argument to me. Why make an attack that's difficult much easier to do? And the keystrokes are exposed only for as long as you're typing. The password is exposed until the screen is cleared. One of the commentators also noted that malware that captures screens is defeated by password masking. I understand the usability complaints, but almost all security features come at some cost, often in usability. It's a trade-off. Nielsen hasn't made a good case that the trade-offs fall in favor of clear-text password display.

 



Minutes and Resolutions 2009-07-01

Posted by fantasai - July 2, 2009 on 1:45 pm | In w3.org | No Comments

 



Themes are GPL, too

Posted by Matt - July 2, 2009 on 12:50 am | In Wordpress Blog | No Comments

If WordPress were a country, our Bill of Rights would be the GPL because it protects our core freedoms. We’ve always done our best to keep WordPress.org clean and only promote things that are completely compatible and legal with WordPress’s license. There have been some questions in the community about whether the GPL applies to themes like we’ve always assumed. To help clarify this point, I reached out to the Software Freedom Law Center, the world’s preeminent experts on the GPL, which spent time with WordPress’s code, community, and provided us with an official legal opinion. One sentence summary: PHP in WordPress themes must be GPL, artwork and CSS may be but are not required.

Matt,

You asked the Software Freedom Law Center to clarify the status of themes as derivative works of WordPress, a content management software package written in PHP and licensed under version 2 of the GNU General Public License.

We examined release candidate 1 of WordPress 2.8, which you provided to us at http://wordpress.org/wordpress-2.8-RC1.tar.gz. The “classic” and “default” themes included in that release candidate comprise various PHP and CSS files along with an optional directory of images. The PHP files contain a mix of HTML markup and PHP calls to WordPress functions. There is some programmatic logic in the PHP code, including loops and conditionals.

When WordPress is started, it executes various routines that prepare information for use by themes. In normal use, control is then transferred via PHP’s include() function to HTML and PHP templates found in theme package files. The PHP code in those template files relies on the earlier-prepared information to fill the templates for serving to the client.

On the basis of that version of WordPress, and considering those themes as if they had been added to WordPress by a third party, it is our opinion that the themes presented, and any that are substantially similar, contain elements that are derivative works of the WordPress software as well as elements that are potentially separate works. Specifically, the CSS files and material contained in the images directory of the “default” theme are works separate from the WordPress code. On the other hand, the PHP and HTML code that is intermingled with and operated on by the PHP code derives from the WordPress code.

In the WordPress themes, CSS files and images exist purely as data to be served by a web server. WordPress itself ignores these files[1]. The CSS and image files are simply read by the server as data and delivered verbatim to the user, avoiding the WordPress instance altogether. The CSS and images could easily be used with a range of HTML documents and read and displayed by a variety of software having no relation to WordPress. As such, these files are separate works from the WordPress code itself.

The PHP elements, taken together, are clearly derivative of WordPress code. The template is loaded via the include() function. Its contents are combined with the WordPress code in memory to be processed by PHP along with (and completely indistinguishable from) the rest of WordPress. The PHP code consists largely of calls to WordPress functions and sparse, minimal logic to control which WordPress functions are accessed and how many times they will be called. They are derivative of WordPress because every part of them is determined by the content of the WordPress functions they call. As works of authorship, they are designed only to be combined with WordPress into a larger work.

HTML elements are intermingled with PHP in the two themes presented. These snippets of HTML interspersed with PHP throughout the theme PHP files together form a work whose form is highly dependent on the PHP and thus derivative of it.

In conclusion, the WordPress themes supplied contain elements that are derivative of WordPress’s copyrighted code. These themes, being collections of distinct works (images, CSS files, PHP files), need not be GPL-licensed as a whole. Rather, the PHP files are subject to the requirements of the GPL while the images and CSS are not. Third-party developers of such themes may apply restrictive copyrights to these elements if they wish.

Finally, we note that it might be possible to design a valid WordPress theme that avoids the factors that subject it to WordPress’s copyright, but such a theme would have to forgo almost all the WordPress functionality that makes the software useful.

Sincerely,
James Vasile
Software Freedom Law Center

[1] There is one exception. WordPress does read CSS and image files to create previews of templates for the template selection portion of the administrative interface. Even in that case, though, nothing in those files calls any WordPress functions, is treated as a command by PHP, or alters any other WordPress data structure. These files are read as data and used to create an image and display a miniaturized version of a webpage to the user.

Even though graphics and CSS aren’t required to be GPL legally, the lack thereof is pretty limiting. Can you imagine WordPress without any CSS or javascript? So as before, we will only promote and host things on WordPress.org that are 100% GPL or compatible. To celebrate a few folks creating 100% GPL themes and providing support and other services around them, we have a new page listing GPL commercially supported themes.

 



Court Rules For Kaspersky Over Dead Zango

Posted by Security Watch - July 1, 2009 on 12:57 pm | In PCMag Security | No Comments

Zango died some months ago and yet suffered another setback recently. One of Zango's distasteful actions in defense of their adware and other malicious practices was to sue anti-malware companies, and Kaspersky in particular, for designating their software as malicious and, as a result, deleting it. This suit has been making its way through the courts for years. Just recently Kaspersky announced that the U.S. Court of Appeals for the 9th Circuit found that Kaspersky acted within the safe harbor provisions of the CDA (Communications Decency Act) in designating Zango's software as "objectionable material" and is therefore entitled to "Good Samaritan immunity." The actual opinion may be found here. Theoretically an appeal to the Supreme Court is possible, but it's hard to see the holders of what assets Zango has left going through with that.

 



Month of Twitter Bugs Begins

Posted by Security Watch - July 1, 2009 on 11:43 am | In PCMag Security | No Comments

Just as promised, researcher Aviv Raff has begun the Month of Twitter Bugs. Every day in July will bring a new bug in an outside service using the Twitter API. The first entry describes multiple vulnerabilities in the bit.ly service. bit.ly is a URL shortener popular on Twitter. My own main Twitter client twhirl integrates bit.ly for shortening URLs. The 4 bugs are all cross-site scripting bugs and one remains unpatched. Raff is unimpressed with the speed with which bit.ly has addressed these problems. As many have observed recently, URL shortening services such as bit.ly are trusted by users and yet they obscure not only a lot of complexity but the destination site. Building one securely is a lot more work than just redirecting the URL. [Update: Not long after the post the unpatched bug has been patched.]

 



Typography & Fonts Cheat Sheets & Quick Reference Pages

Posted by admin - July 1, 2009 on 11:26 am | In Web Graphics | No Comments

There are so many things already in your head, why clog it up with even more information? Typography, Type, and Web Fonts Cheatsheets and Quick Reference Guides should help you keep your brain unclogged. Take advantage of this collection of Typography cheat sheets.

 



More Michael Malware

Posted by Security Watch - July 1, 2009 on 9:32 am | In PCMag Security | No Comments

The first one was a simple Trojan dropper. Now Symantec has identified a mass-mailing worm that uses the death of Michael Jackson as a lure.

Symantec identifies the malware as W32.Ackantta.F@mm. It comes in a ZIP file attachment named "Michael songs and pictures.zip" which contains another file named "MichaelJackson
songsandpictures.doc.exe".

The malware spreads not only through e-mail but through the AutoRun facility on removable drives.

 



Chat with HostGator this Thursday at 5 PM CT

Posted by Douglas - June 30, 2009 on 7:13 pm | In Hostgator Blog | No Comments

Update: This took place and was a big success. HostGator employees answered a ton of questions about backups, VPS solutions, Windows hosting, affiliates, and more. We appreciate people taking the time to come by and ask questions.

This upcoming Thursday (July 2, 2009) at 5 PM CT (Houston-time), HostGator is going to be hosting an Open Session where potential and existing customers alike can come chat with HostGator employees and each other.

The Open Session is going to be pretty informal, but for some context, some things we do want to do include:

  • Question and answer session with HostGator employees
  • Tips and suggestions on how to get the most out of your HostGator account and website from our best support people
  • Suggestions from customers about how HostGator can improve (customer service, Terms of Service, procedures and policies, etc.)

This is the first time HostGator has done something like this, but we think it will serve as a great opportunity to talk to our customers and hear their questions, opinions, and suggestions. If you have any particular items you’d like us to discuss or research, feel free to leave them in the comments.

Oh, and we’re also going to be giving out some free hosting during the session for both attending and participating.

Logistics:
We’re going to try hosting this session with TalkShoe, which allows us and other folks to call in using the phone and/or chat or listen online. If it works, we’ll continue to use TalkShoe. If not, we’ll explore other options. If you live outside of the US central timezone, check out this site for a list of corresponding times around the world. When Thursday at 5 PM CT rolls around, head over to this page for instructions on how to join the session (it’s very simple).

Overview:
What: HostGator Open Session
When: Thursday, July 2, 2009 at 5 PM CT
Where: HostGator on TalkShoe

 



Firefox 3.5 Private Browsing Clumsy Compared to Competition

Posted by Security Watch - June 30, 2009 on 12:14 pm | In PCMag Security | No Comments

Firefox 3.5 is here! Our glowing review discusses the many improvements and you can download it now by clicking here (US English Windows).

It's possible that when the main Firefox 3.5 story comes out later today it will include security advisories, but for now none of these are being listed on the Mozilla Security Advisories page.

 



Firefox 3.5 Released

Posted by Alex - June 30, 2009 on 11:14 am | In CSS Web Design | No Comments

Mozilla Firefox 3.5 Released. New features, enhanced performance and security improvements. Go get it!

 



Webmaster Central YouTube update for June 22nd - 26th

Posted by Michael Wyszomierski - June 30, 2009 on 5:22 am | In Google Web Central | No Comments

 



The hidden danger of online videos

Posted by Yan Liang - June 29, 2009 on 8:16 pm | In Mcafee Security | No Comments

An investigation by the Swiss police uncovered that child pornography had been downloaded from a Swiss hip-hop music website to around 2,300 computers in 78 countries.

It was announced today that apparently the videos of minors engaged in sexual acts were hidden in the Swiss site where the principal content was defined as “perfectly legal.” See full article at: http://tech.yahoo.com/news/nm/20090629/wr_nm/us_swiss_pornogrpahy_1

This is yet another report of the inherent danger of viewing videos online. With YouTube being the most popular method for distributing personal videos, what’s considered inappropriate is mixed up with a lot of good content. How should parents guide their families while navigating around these sites and not prevent them from viewing appropriate videos?

McAfee’s latest offering McAfee Family Protection has a unique feature to screen out inappropriate YouTube videos. Parents can either block YouTube filtering altogether or define the keywords and phrases so the search results can be blocked as well. For parents who simply do not know where to start, McAfee Family Protection will provide its own default filtering rules to block sexually suggestive or inappropriate content from being played.

Furthermore, although many sites may have legitimate content, so that blocking rules aren’t applicable to them, they could be embedding inappropriate videos, as in the case in Switzerland. MFP will apply the same rules to filter YouTube content even if it’s embedded in other sites.


 



Is your kid a Cyberbully or being cyberbullied?

Posted by Tracy Mooney - June 29, 2009 on 7:01 pm | In Mcafee Security | No Comments

Last year my son was using the computer during his “allotted time” when I noticed something strange…he got up and walked away from the computer! I joke, but this really was strange behavior for him (because he is usually glued to it). So I asked him if he was okay. He said he was fine, but I noticed he was really agitated. He finally admitted that both he and his girlfriend were being harassed online by his girlfriend’s ex-boyfriend.

During the course of the nationwide television and radio interviews last week, with Jay Opperman, to kick off the Cyber Summer Safety Challenge, two questions came up repeatedly: What is Cyberbullying and how do we talk to our kids about it and what software is available to help protect our kids?

According to the experts that I’ve spoken with, cyberbullying is using a computer or mobile device to send hurtful or cruel messages to others. It is basically the online version of the schoolyard behavior we remember from when we were kids. Unfortunately, kids think this type of online behavior is “normal.” Without a conversation with mom or dad about how it is not normal they may participate in or worse yet, suffer in silence.

According to a McAfee/Harris Interactive poll, 20% of kids have participated in cyberbullying. Parry Aftab, McAfee’s Family Internet Safety Advisor, has done some polls with her organization Wiredsafety.org and thinks the numbers are significantly higher – nearly 80% of kids have experienced or participated in cyberbullying.

This has become such a big issue that the Ad Council has taken the subject on as a campaign. Show your kids the Ad Council commercial on cyberbullying if they haven’t seen it as an easy way to introduce the subject. Here is some advice that I have used with my children:

1. This kind of online behavior is unacceptable and if anyone is sending or posting hurtful messages or pictures about them then they are to let me know.

2. Explain that there are ways to block other people (whether friends or strangers) from sending instant messages and (with some cellphone providers) text messages.

3. Kids should Stop whatever they are doing, Block the user from sending instant messages, and go Tell an adult.

Sometimes, it is important to simply pay attention to your kids – as in the case with my son. Although he knew what to do, he felt like he provoked the teen at some time and therefore he somehow needed to “end” the fight. My husband and I had to remind him that he didn’t owe this boy anything and that he didn’t deserve to be mistreated.

In addition to having conversations with your kids about cyberbullying, you may want to consider web filtering software like McAfee Family Protection. It may put you a little more at ease as your kids interact with people on the web. It allows you to set time limits, records IM chats, and alerts you when personal information such as your home address or phone number has been posted on social networking sites such as Facebook or MySpace.

This software acts as a tool to help parents manage their kids’ Internet experience and adjust the settings so it is right for everyone in the family – even Grandma. You still should use it along with your McAfee Antivirus suite to protect your PC against viruses, adware, spyware, etc.

Hopefully you will find these tips about cyberbullying and software useful. I would love to hear your questions and comments on the subject. Have you found a good way to discuss cyberbullying with your child? Let me know!

Tracy
cybermom@mcafee.com
www.mcafee.com/cybermom


 



Panda Cloud AV Products Emerge

Posted by Security Watch - June 29, 2009 on 3:14 pm | In PCMag Security | No Comments

Shortly after they came to us with initial test results on Kaspersky Internet Security 2010, AV-Test.org gave us similar tests on Panda Internet Security 2010. These initial results look good.

Click here for Panda's press release on the release of their 2010 products which move detection into Panda's "cloud."

 



Photo Blogging Software : Photoblogging Applications to install on your server or on your home computer

Posted by admin - June 29, 2009 on 2:18 pm | In Web Graphics | No Comments

If you are considering adding a photoblog to your website, you don't have to install Wordpress because there are many other options out there for you and your site. If you didn't realize how many photoblogging applications are out there, then this list will open your eyes.

 



Info From Microsoft on Update Notifications and Install-at-Shutdown Behavior

Posted by Security Watch - June 29, 2009 on 10:50 am | In PCMag Security | No Comments

You've all spoken up loud on the reports of Windows installing updates automatically when told not to. Microsoft has issued an acknowledgement of the reports, if not an actual response to them. They say they are investigating the reports, and with problems like this one, which appears to be sporadic at best, it can take a while to tell for sure exactly what's going on.

The Microsoft report states the problem as a vaguer one about the notification message in the tray not being accurate. First it states what should be the correct behavior: First, you only get the notification that updates are available for installation when all of the available updates are downloaded and ready to install. So if they appear to be available on Windows Update but not through Automatic Updates, that could be the explanation. Second, you may get a notification of downloaded and available, but not yet installed updates, in the shutdown dialog. You will only see updates in this case which can be installed automatically with no user intervention unlike, for example, a service pack or IE version. It seems you can turn this last feature off.

As I mentioned in the initial blog, some of the chatter about this issue casts suspicion on times when update traffic is high, as in this past month when the overall volume of updates was very large. At such times Microsoft does a lot of work to monitor and manage traffic with their servers, and perhaps it's possible that an error in this management could cause problems of the type we're seeing. This is the allegation made in the one comment to the new Microsoft blog.

 



The Michael Jackson Malware

Posted by Security Watch - June 29, 2009 on 9:47 am | In PCMag Security | No Comments

It's inevitable now, with any high-profile news event that there will be spam and malware campaigns to take advantage of them. Thus it has been with the death of Michael Jackson. F-Secure reports that there have been a couple of malware campaigns and they show an example of one of them, which they detect as Trojan.Win32.Buzus.bjyo. There is nothing technically interesting about these attacks. They are mundane, pedestrian Trojan droppers.

The one F-Secure writes up is a file named Michael-www.google.com.exe. This file has been distributed through photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Don't visit these sites. If you run Michael-www.google.com.exe it drops reptile.exe and winudp.exe, which are backdoor IRC bots, and which display a fake error message dialog box: "Picture cannot be displayed."

There have been others and there will be more and they're not all worth writing about. The important thing is that you be skeptical of links and sites that play on hot news topics, especially from search engines, since we know well how these can be manipulated to serve malicious results.

 



How to Add Images to Your Website in Serif WebPlus X2

Posted by thesitewizard.com - June 28, 2009 on 11:18 pm | In Site Wizard | No Comments

The second chapter of the Serif WebPlus X2 Tutorial is now online. This chapter deals with how you can add things like your website's logo, photos, product images, background images and so on to your web page. It also introduces the concept of a stacking order to the objects on your web page.

(For those who don't know, Serif WebPlus X2 is a point-and-click visual web editor that you can use to create a website.)

 



Traffic drops and site architecture issues

Posted by Luisella Mazza - June 27, 2009 on 10:39 pm | In Google Web Central | No Comments

 



WordPress 2.8.1 Beta 2

Posted by Ryan Boren - June 26, 2009 on 3:06 pm | In Wordpress Blog | No Comments

2.8.1 Beta 2 is ready for testing.  Download it, check out the changes since beta 1, and review all tickets fixed in 2.8.1.  We especially suggest, recommend, and beg that plugin developers test their plugins against beta 2 and let us know of any issues.  Notable fixes in beta 2:

  • Translation of role names fixed
  • wp_page_menu() defaults to sorting by the user specified menu order rather than the page title
  • Upload error messages are now correctly reported
  • Autosave error experienced by some IE users is fixed
  • Styling glitch in the plugin editor fixed
  • SSH2 filesystem requirements updated
  • Switched back to curl as the default transport
  • Updated the translation library to avoid a problem with mbstring.func_overload

Thanks again for testing WordPress.

 



AV-Test.org Results in on Kaspersky Internet Security 2010

Posted by Security Watch - June 26, 2009 on 9:45 am | In PCMag Security | No Comments

AV-Test.org, a German testing organization known for thorough testing of anti-malware products, has issued their first test results of the just-released Kaspersky Internet Security 2010. The release of the 2010 products is a "staggered" release, according to a Kaspersky spokesperson, who added "..., these products won't be launched in the U.S. until mid-August." AV-Test tested the English and German versions of the 2010 products.

 



Facebook Tests Message Controls

Posted by Security Watch - June 26, 2009 on 8:59 am | In PCMag Security | No Comments

Facebook has launched a beta test of new privacy control features in Publisher that give users more control over who sees what they post to their page. The point is to allow you to grant access to content with more control, not just to your friends or to everyone. Ironically though, the beta is open to those who have set their status updates and profile privacy settings to be visible to "Everyone".

When you create content in the Publisher you can click the lock icon in the Publisher to access a menu through which you can make content visible to (this language is Facebook's from their blog):
  • Everyone: Anyone, on or off, of Facebook can see it.
  • Friends and Networks: People you have confirmed as friends and people in any school or work networks that you've joined can see it.
  • Friends of Friends: Anyone who is friends with a friend of yours can see it.
  • Friends: Only people you have confirmed as friends can see it.
  • Custom: Choose any friend or Friend List to include or exclude from seeing that piece of content.
Note that Custom means you can pick and choose individuals, which is pretty fine-grained control. This makes some interesting things possible in Facebook that were not in the past. The default setting in Publisher is Everyone, which leads Wired to conclude that the main point is, once again, to be more like Twitter, but I'm not so sure. I know that if I use the new Publisher I'll be picky with my content.

 



PDF Vulnerabilities and Attack Surface

Posted by Security Watch - June 26, 2009 on 8:14 am | In PCMag Security | No Comments

Will Dormann on the CERT site takes note of two similar, but distinct sets of vulnerabilities in Adobe Reader and Foxit Reader and the lessons they give about attack surface.

 



Spam2.0: Fake user accounts and spam profiles

Posted by Jason Morrison - June 26, 2009 on 4:06 am | In Google Web Central | No Comments

 



Time to Update our “Defense in Depth” Definition - Part One

Posted by Elan Winkler - June 25, 2009 on 7:58 pm | In Mcafee Security | No Comments

We all seem to take for granted that changes happen very quickly in the online world, yet for some reason we haven’t updated our definition of “defense in depth” in over a decade.

Originally borrowed from military lingo, in information security defense in depth represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors are usually deployed to defend different potential vectors within the network, helping prevent a shortfall in any one defense leading to a wider failure; also known as a “layered approach.”

I go out and talk to customers at various industry and guest speaking engagements, and I still hear people using this basic definition. They insist that they need multiple vendors at different points in the network. And, when “state of the art” was anti-virus (as in the Wikipedia example above), sure, that made sense. Signature .dat files came out at different times and some vendors were better with some types of malware than others. So having vendor “A” at the gateway, and vendor “B” on the desktop was the smart choice.

But now? Anti-virus is still a necessity but it is no longer the first or only line of defense. There are now multitudes of technologies that are specifically designed to protect every possible door and window into the enterprise. Some of these new technologies are deployed inside the enterprise and others are global services offered by vendors. And the attackers are smarter as well … mixing and matching attack vectors so that one type of technology is insufficient to stop a threat.

Today’s defense in depth needs to focus on deploying and managing disparate technologies that are capable of catching threats that use more than one attack vector.

In my next posting, I’ll talk more about these types of technologies and the issues involved in deploying and managing them from multiple vendors.


 


