Microsoft: Upgrade from Windows XP or risk infinite “zero-days”

August 19, 2013 – 5:30 PM

Microsoft is intensifying its efforts to get users to scrap Windows XP, the 12-year-old operating system for which the software giant is ending support next April.

Tim Rains, director of Microsoft Trustworthy Computing, authored a blog post last week reminding customers of the perils that could await them should they continue running XP, which debuted in 2001, once Redmond stops patching the platform. Users should upgrade to Windows 7 or 8.

“There is a sense of urgency because after April 8[, 2014], Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates,” Rains wrote. “This means that any new vulnerabilities discovered in Windows XP after its ‘end of life’ will not be addressed by new security updates from Microsoft.”

Rains said that when a vulnerability is patched in one of Microsoft’s supported operating system versions, attackers typically reverse engineer the fix in hopes of creating an exploit that could target users who failed to apply the update.

When Microsoft ends support for XP, it is likely that such a vulnerability would affect even the outdated Windows versions. And without any possibility of a patch, attackers will essentially have free rein on XP endpoints.

Source:
http://www.scmagazine.com/microsoft-upgrade-from-windows-xp-or-risk-infinite-zero-days/article/307937/

Researchers show how to slip malware into Apple’s App Store

August 17, 2013 – 10:28 AM

Apple’s App Store can seem like Fort Knox, with Apple reviewing each and every app before making it live. This fastidious approach works, for the most part, but it isn’t a perfect process. MIT Technology Review reports that researchers from Georgia Tech recently managed to get a malware-infected app approved by Apple and placed in the App Store.

Dubbed Jekyll, but submitted to Apple as an app for Georgia Tech News, the app had the ability to transform itself over time. “The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” said Long Lu, who was part of the team that created the app.

According to Lu, they were able to tell that Apple ran that app for no more than a few seconds before approving it. This is because the app contained fragments of code, hidden beneath legitimate app operations, that pieced themselves together after running it. Apple didn’t run the app long enough for this to happen.

And Jekyll was hiding some pretty nasty malware. It could send e-mails and text messages, tweet, take photos, steal personal information and device ID numbers, and attack other apps, all without the user ever knowing. It even had a way to direct Apple’s Safari browser to a webpage filled with additional malware. Not the sort of thing you want on your phone or tablet.

Source:
http://gigaom.com/2013/08/17/researchers-show-how-to-slip-malware-into-apples-app-store/

Google Cloud Storage now provides server-side encryption

August 15, 2013 – 7:03 PM

We know that security is important to you and your customers. Our goal is to make securing your data as painless as possible. To help, Google Cloud Storage now automatically encrypts all data before it is written to disk, at no additional charge. There is no setup or configuration required, no need to modify the way you access the service and no visible performance impact. The data is automatically and transparently decrypted when read by an authorized user.

If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys. We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing. Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner. These keys are additionally encrypted by one of a regularly rotated set of master keys. Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.

Server-side encryption is already active for all new data written to Cloud Storage, whether for creating new objects or overwriting existing objects. Older objects will be migrated and encrypted in the coming months.

Source:
http://googlecloudplatform.blogspot.com/2013/08/google-cloud-storage-now-provides.html
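
The key hierarchy described in the announcement (per-object key, wrapped by a per-owner key, wrapped by a rotated master key), as an added example that is not Google's code and not part of the original post. It assumes the third-party `cryptography` package; the GCM mode, the `Store` class, its method names and the use of object and owner names as authenticated data are all assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def new_key():
    return AESGCM.generate_key(bit_length=128)  # AES-128, as in the announcement

def seal(key, plaintext, aad):
    nonce = os.urandom(12)  # fresh nonce per encryption (GCM mode is an assumption)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def unseal(key, blob, aad):
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)  # raises InvalidTag on tampering

class Store:  # hypothetical in-memory stand-in for the storage service
    def __init__(self):
        self.current = 1
        self.master = {1: new_key()}  # version -> master key
        self.owners = {}              # owner -> (master version, wrapped owner key)
        self.objects = {}             # name -> (owner, wrapped object key, ciphertext)

    def _owner_key(self, owner):
        if owner not in self.owners:
            wrapped = seal(self.master[self.current], new_key(), owner.encode())
            self.owners[owner] = (self.current, wrapped)
        version, wrapped = self.owners[owner]
        return unseal(self.master[version], wrapped, owner.encode())

    def put(self, owner, name, data):
        object_key = new_key()  # unique key per object
        wrapped = seal(self._owner_key(owner), object_key, name.encode())
        self.objects[name] = (owner, wrapped, seal(object_key, data, name.encode()))

    def get(self, name):
        owner, wrapped, ciphertext = self.objects[name]
        object_key = unseal(self._owner_key(owner), wrapped, name.encode())
        return unseal(object_key, ciphertext, name.encode())

    def rotate_master(self):
        """Re-wrap only the owner keys; object keys and data stay untouched."""
        old, new = self.current, self.current + 1
        self.master[new] = new_key()
        for owner, (version, wrapped) in list(self.owners.items()):
            owner_key = unseal(self.master[version], wrapped, owner.encode())
            self.owners[owner] = (new, seal(self.master[new], owner_key, owner.encode()))
        del self.master[old]  # retired master key can no longer unwrap anything
        self.current = new
```

Rotating the master key here rewrites one small wrapped key per owner, which is why a layered scheme can rotate its top-level keys regularly without re-encrypting stored objects.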

Adblock Plus for Internet Explorer Officially Out of Beta

August 13, 2013 – 5:48 PM

Adblock Plus, the #1 most popular browser extension for blocking annoying online advertisements, today confirmed that Adblock Plus for Internet Explorer (IE) is officially out of beta and available for download worldwide.

Adblock Plus for IE is an add-on for Microsoft’s Internet Explorer browser which adds functions that Internet Explorer’s built-in tracking protection and InPrivate filtering don’t provide.

Adblock Plus blocks annoying banner ads and pop-ups on web pages, video ads on YouTube, and ads on Facebook. In addition to blocking the ads themselves, Adblock Plus also blocks advertisers from tracking your browsing habits and lets you be on the Web anonymously. And finally, Adblock Plus can be configured to block domains known to spread malware, therefore protecting your computer against spyware, adware and other threats.

“We have been available for years on Firefox, Chrome, Android and Opera, but we could no longer ignore Internet Explorer users. If we want to change the world, we need to support one of the largest web browser communities in that world, and that’s still IE,” said Till Faida, managing director of Adblock Plus and the open-source project that supports it. “Our goal is to ‘make the Internet better for everyone’ by encouraging websites to run user-friendly, responsible advertisements instead of intrusive banners, overlays, and pop-ups. Users can still opt to white-list certain sites, but we created Adblock Plus to give every user control over which kinds of ads they are willing to accept, and then we block all the rest.”

The Adblock Plus add-on works on all current versions of Internet Explorer all the way back to version 6, and is compatible with all versions of Windows (note: like all add-ons for Windows 8, Internet Explorer must be launched from the desktop screen and not the Metro screen in order for the add-ons to function properly).

Source:
http://www.heraldonline.com/2013/08/13/5110868/adblock-plus-for-internet-explorer.html

The Pirate Bay releases censorship-thwarting browser

August 13, 2013 – 5:04 AM

The operators of The Pirate Bay, one of the most (in)famous piracy sites on the Internet, have decided to celebrate the site’s 10th anniversary by releasing a web browser that allows users to access TPB or other sites censored in their country.

“PirateBrowser is a bundle package of the Tor client (Vidalia), Firefox Portable browser (with foxyproxy addon) and some custom configs,” they explained on the browser’s official website.

“No bundled ad-ware, toolbars or other crap, just a Pre-configured Firefox browser,” they wrote on the blog post announcing the release of PirateBrowser.

They made sure to note that even though the browser uses the Tor network, it won’t allow you to surf the net anonymously.

The browser will look very familiar to Firefox users, and to others as well. It sports pre-loaded bookmarks to The Pirate Bay as well as to other torrent sites that are blocked in a number of countries.

Only the Windows version is currently available for download, but Mac and Linux versions will follow.

Source:
https://www.net-security.org/secworld.php?id=15387