Information Security all in one place!

Home User

Kaspersky Labs: New Generation of Ultimate PC Protection; for Home


Kaspersky Lab, a leading developer of secure content and threat management solutions today announced a new version of its flagship product for at-home PC protection — Kaspersky PURE 2.0 Total Security. Using Kaspersky Lab’s award-winning anti-malware protection and an array of additional security tools, Kaspersky PURE 2.0 Total Security is the easiest way to keep multiple PCs secure, irreplaceable digital assets protected, and children safe and responsible online.

Central Home PC Management

Ideal for households with multiple computers, including families with children, Kaspersky PURE uses Home Network Management to easily protect, manage and monitor every PC in the household from a single machine.

From one PC, you can:

— Run all scans, updates, and backup tasks on every PC in the house automatically or on-demand

— Fix security issues without getting up from your desk

— Manage parental controls from anywhere in the house, so your kids are protected even when they’re out of view

— Conveniently update the Kaspersky PURE licenses throughout your home

Total Package of Security Tools

Kaspersky PURE also includes everything you need to secure your online identity and protect your irreplaceable digital property. When you install Kaspersky PURE, our extra layers of security mean you can say good-bye to overpriced and inefficient niche products.

This is great work. I am demoing the product now and will post my review shortly. Very excited about how this will shape the home and small business central management landscape. Will vendors pile on?

 

More on this breaking news can be found here: http://www.marketwatch.com/story/kaspersky-lab-announces-new-generation-of-ultimate-pc-protection-for-your-home-2012-03-26

Advertisements

Apple: Aims to Flick the Privacy Flea


Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data

US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users’ contacts. The inquiry follows close behind news that the Path app downloaded users’ address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.

apps

*More on this story here:

*More on this story here:

[Editor’s Comment  (SANs.org):

“I wonder if they will be in time to avoid a major disaster. I was surprised to read on slashdot that your data was safer on unapproved apps for jailbroken iPhones than on approved apps from Apple’s store”:

http://apple.slashdot.org/story/12/02/15/0036242/unauthorized-ios-apps-leak-private-data-less-than-approved-ones]

 

***Back story on NetsecurityIT.com:

  1. https://netsecurityit.wordpress.com/2012/02/09/path-ios-app-stores-address-books-on-its-servers/
  2. https://netsecurityit.wordpress.com/2012/02/09/update-path-apologizes-for-storing-address-books-on-its-servers/

Yahoo! Messenger v11.5 – Buffer Overflow Vulnerability


Yahoo! Messenger v11.5 – Buffer Overflow Vulnerability

Severity: High         Risk: High

Area of Impact: Drag & Drop – Message Box

Details of the Vulnerability:

Yahoo! Messenger Icon

Image via Wikipedia

A Buffer Overflow vulnerability has been detected on Yahoo Instant Messenger v11.5 client software.
The bug is located on the drag & drop message box function of the software when processing special crafted file transfers.
The vulnerability allows an local attacker to crash the software & all bound yahoo components.

Thus creating the buffer overflow

Proof of Concept: Testing purposes only!!

This vulnerability can be exploited by security enthusiasts. More details can be found here:

http://www.vulnerability-lab.com/get_content.php?id=432  
****The information provided in this advisory is provided as it is without any warranty.

Hack in Progress: Watch the vulnerability in action

No report from Yahoo as of yet. We will keep you posted on all the details.


Microsoft Showing it’s Love – in Advance


Microsoft Security Bulletin Advance Notification for February 2012:

Microsoft has blessed us again with another Patch Tuesday. Here is advanced notification of 9 Bulletins for Valentine’s Day.

IE update likely the one users will want to apply ASAP, say researchers


9 Security related bulletins have been issued to close 21 Vulnerabilities

  • 4 Critical – Microsoft Windows (2) – Remote Code Execution,  Microsoft Windows – Internet Explorer (1) – Remote Code Execution, Microsoft .NET Framework (1) – Remote Code Execution, Microsoft Silverlight (1) – Remote Code Execution
    English: M in blue square (similar to seen on )
  • 5 Important –  Microsoft Windows (2) – Remote Code Execution,  Microsoft Windows (1) – Elevation of Privilege, Microsoft Office – Windows Server Software (1) – Elevation of Privilege,  Microsoft Office  (1) – Elevation of Privilege

The full version of the Microsoft Security Bulletin Advance
Notification for February 2012 can be found at: http://technet.microsoft.com/security/bulletin/ms12-feb.

This bulletin advance notification will be replaced with the February bulletin summary on February 14, 2012. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification


Advisory: Backdoor in TRENDnet IP cameras


**Trendnet Responds: Comment left below from Trendnet in response to the most recent vulnerability.

TRENDnet has posted the resolution to the security breach on their IP cameras: You can check information on affected TRENDnet IP cameras at:http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras athttp://www.trendnet.com/downloads/.

Consolecowboys.org blogger “someLuser” (yes that is his tag)has identified a security vulnerability in some TRENDnetIP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability whilst exploring the firmware on his TV-IP110w camera using a tool called binwalk.

English: A candidate icon for Portal:Computer ...

Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by most testers found that most of the cameras were indeed freely accessible, providing views of offices, living rooms and children’s bedrooms. For demonstration purposes, someLuser has put together a Python script which uses server search engine Shodan to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera – this occurs whether or not a password has been set.

TRENDnet has already responded by providing a firmware update promising “improved security”, which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.

You can find the firmware for your device herehttp://www.trendnet.com/langge/downloads/category.asp?iType=32


Mozilla – Critical holes fixed in their three big players


Mozilla closes critical holes in Firefox, Thunderbird and SeaMonkey:

Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla has detailed the security fixes included in each of the updates. According to the project’s Security Center page for Firefox, version 10.0 closes a total of 8 security holes in the browser, 5 of which are rated as “Critical” by Mozilla.

English: Firefox word mark. Correct clear spac...

Image via Wikipedia

The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks being bypassed by frame scripts, a use after free error in child nodes from nsDOMAttribute and various memory safety hazards. These vulnerabilities could be exploited remotely by an attacker to, for example, execute arbitrary code on a victim’s system.

Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or an attacker violating the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. A moderate severity bug when exporting a user’s Firefox Sync key to a “Firefox Recovery Key.html” file that caused it to be saved with incorrect permissions was also fixed.

Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one internet application suite” fixes all of the same vulnerabilities, while Thunderbird 10 addresses all but one as it is not affected by the moderate incorrect permissions bug because it does not use Firefox Sync.

An update to the 3.6.x legacy branch of Firefox, version 3.6.23, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax which was previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding that the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.

All users are advised to upgrade to the current stable versions.


Massachusetts Data Protection Law to Include Third Parties as of March 1


As of March 1, 2012, all companies that retain and store data about
Massachusetts residents must be able to demonstrate that they and all

English: Seal of the Commonwealth of Massachusetts

their contractors and other third party partners comply with the state’s data breach law. The law took effect on March 1, 2010, but the portions of compliance requirements were phased in. The last part, third-party
compliance, is what is taking effect just over a month from now. There

will need to be language in the contracts with third parties requiring
them to take reasonable steps to protect the information. Companies will
not be required to audit third-party partners for compliance, but it is
recommended that their contracts specify they reserve the right to
conduct an audit if they choose. The contract language also needs to
specify that the third-party will notify the companies immediately in
the event of a breach and destroy or return data when the contract is
terminated. The law applies to all companies that store data of
Massachusetts residents, whether or not that company is based in the
state. The law was scheduled to take effect in January 2009, but the
deadline has been extended twice.

 

Read More: http://tinyurl.com/DataProtectionLaw-MA