Kaspersky Lab, a leading developer of secure content and threat management solutions, today announced a new version of its flagship product for at-home PC protection — Kaspersky PURE 2.0 Total Security. Using Kaspersky Lab’s award-winning anti-malware protection and an array of additional security tools, Kaspersky PURE 2.0 Total Security is the easiest way to keep multiple PCs secure, irreplaceable digital assets protected, and children safe and responsible online.
Central Home PC Management
Ideal for households with multiple computers, including families with children, Kaspersky PURE uses Home Network Management to easily protect, manage and monitor every PC in the household from a single machine.
— Run all scans, updates, and backup tasks on every PC in the house automatically or on-demand
— Fix security issues without getting up from your desk
— Manage parental controls from anywhere in the house, so your kids are protected even when they’re out of view
— Conveniently update the Kaspersky PURE licenses throughout your home
Total Package of Security Tools
Kaspersky PURE also includes everything you need to secure your online identity and protect your irreplaceable digital property. When you install Kaspersky PURE, our extra layers of security mean you can say good-bye to overpriced and inefficient niche products.
This is great work. I am demoing the product now and will post my review shortly. Very excited about how this will shape the home and small business central management landscape. Will vendors pile on?
More on this breaking news can be found here: http://www.marketwatch.com/story/kaspersky-lab-announces-new-generation-of-ultimate-pc-protection-for-your-home-2012-03-26
Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data
US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users’ contacts. The inquiry follows close behind news that the Path app downloaded users’ address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.
[Editor’s Comment (SANS.org): “I wonder if they will be in time to avoid a major disaster. I was surprised to read on Slashdot that your data was safer on unapproved apps for jailbroken iPhones than on approved apps from Apple’s store.”]
Microsoft Security Bulletin Advance Notification for February 2012:
Microsoft has blessed us again with another Patch Tuesday. Here is the advance notification of 9 bulletins for Valentine’s Day.
IE update likely the one users will want to apply ASAP, say researchers
- 4 Critical – Microsoft Windows (2) – Remote Code Execution, Microsoft Windows – Internet Explorer (1) – Remote Code Execution, Microsoft .NET Framework (1) – Remote Code Execution, Microsoft Silverlight (1) – Remote Code Execution
- 5 Important – Microsoft Windows (2) – Remote Code Execution, Microsoft Windows (1) – Elevation of Privilege, Microsoft Office – Windows Server Software (1) – Elevation of Privilege, Microsoft Office (1) – Elevation of Privilege
The full version of the Microsoft Security Bulletin Advance Notification for February 2012 can be found at: http://technet.microsoft.com/security/bulletin/ms12-feb.
This bulletin advance notification will be replaced with the February bulletin summary on February 14, 2012. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
**Trendnet Responds: Comment left below from Trendnet in response to the most recent vulnerability.
TRENDnet has posted the resolution to the security breach on their IP cameras: You can check information on affected TRENDnet IP cameras at: http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at http://www.trendnet.com/downloads/.
Consolecowboys.org blogger “someLuser” (yes, that is his tag) has identified a security vulnerability in some TRENDnet IP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability whilst exploring the firmware on his TV-IP110w camera using a tool called binwalk.
Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by most testers found that most of the cameras were indeed freely accessible, providing views of offices, living rooms and children’s bedrooms. For demonstration purposes, someLuser has put together a Python script which uses server search engine Shodan to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera – this occurs whether or not a password has been set.
TRENDnet has already responded by providing a firmware update promising “improved security”, which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.
You can find the firmware for your device here: http://www.trendnet.com/langge/downloads/category.asp?iType=32
Mozilla closes critical holes in Firefox, Thunderbird and SeaMonkey:
Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla has detailed the security fixes included in each of the updates. According to the project’s Security Center page for Firefox, version 10.0 closes a total of 8 security holes in the browser, 5 of which are rated as “Critical” by Mozilla.
The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks being bypassed by frame scripts, a use-after-free error in child nodes from nsDOMAttribute, and various memory safety hazards. These vulnerabilities could be exploited remotely by an attacker to, for example, execute arbitrary code on a victim’s system.
Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or an attacker violating the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. A moderate severity bug when exporting a user’s Firefox Sync key to a “Firefox Recovery Key.html” file that caused it to be saved with incorrect permissions was also fixed.
Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one internet application suite” fixes all of the same vulnerabilities. Thunderbird 10 addresses all but one: it is not affected by the moderate incorrect-permissions bug because it does not use Firefox Sync.
An update to the 3.6.x legacy branch of Firefox, version 3.6.23, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax which was previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding that the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.
their contractors and other third-party partners comply with the state’s data breach law. The law took effect on March 1, 2010, but portions of the compliance requirements were phased in. The last part, third-party compliance, is what is taking effect just over a month from now. There will need to be language in the contracts with third parties requiring them to take reasonable steps to protect the information. Companies will not be required to audit third-party partners for compliance, but it is recommended that their contracts specify they reserve the right to conduct an audit if they choose. The contract language also needs to specify that the third party will notify the companies immediately in the event of a breach and destroy or return data when the contract is terminated. The law applies to all companies that store data of Massachusetts residents, whether or not that company is based in the state. The law was scheduled to take effect in January 2009, but the deadline has been extended twice.
Read More: http://tinyurl.com/DataProtectionLaw-MA