June 30, 2011
The security software company Symantec, publishers of Norton Anti-Virus and many other products, has posted an interesting report on its official blog about the recent growth in spam focused on social networks. The firm monitored and analyzed social network spam for three popular sites — Facebook, Twitter, and YouTube — from April 1 through June 15 of 2011.
During this period, Facebook-related spam made up 40% of the total sample, Twitter-related spam made up 37%, and spam related to YouTube made up 23%. The mix of attacks, however, varied through time. There was a distinct pattern of a sharp increase in attacks on a particular site, sustained for perhaps 15-20 days, then a decline, and a switch of attack target to another site. The spammers may launch an attack on, say, Facebook users, and work it hard for a short time, then switch to a different target, say Twitter, when word spreads about the Facebook attack.
The spam tends to follow a pattern that will be very familiar to anyone who has worked in this area.
Social network spam uses legitimate email notification templates from the social networking sites. The message alleges that the user has some unread messages or pending invites and a fake link is provided. The bogus link will direct users to a website that forces the download of malicious binaries, purports to be selling cheap enhancement drugs and replica products, pushes fake gambling casino sites, or advertises online adult dating sites.
The principal country of origin is the US; many of the messages appear to come from compromised machines used in “botnets”; some also come from apparently compromised individual accounts. Many of the spam E-mails purport to be notifications of pending notifications or messages on the social networking site.
Needless to say, the immense growth and popularity of these networks makes them attractive to spammers.
June 29, 2011
Apple has released new versions of the Java run-time software for Mac OS X. As Mac users probably know, Apple packages and releases its own Java updates, which means there is typically a delay between the availability of a new version (for Windows, Linux and UNIX) from Oracle, and the release of Apple’s version. This new release from Apple corresponds to Java version 6 update 26, released by Oracle on June 7. That release fixed a number of security vulnerabilities, and was designated a Critical Patch update by Oracle.
Apple has two updated versions available: Java for Mac OS X 10.6 Update 5 and Java for Mac OS X 10.5 Update 10. (Why Apple insists on assigning its own update numbers, rather than using the “official” Oracle numbering, is beyond my grasp.) Details of the security fixes are given in the “Security Content” pages for Mac OS X 10.6 and Mac OS X 10.5.
I recommend installing this update as soon as you conveniently can. As I noted in a post last fall, it’s not clear that everyone needs Java, but if you have it, you should keep it up to date; it is one of the popular attack vectors for the Bad Guys.
June 29, 2011
Opera Software has released a new version, 11.50, of its Opera web browser for Mac OS X, Windows, and Linux/UNIX. The new version incorporates an updated user interface, a new version of the Presto rendering engine, and numerous other improvements and bug fixes. The details are given in the Release Notes / Change Logs, by platform:
There is also a What’s New page summarizing recent changes.
Current Opera users can get the new version using the built-in update mechanism; alternatively, versions for all platforms are available from the download page.
June 28, 2011
The Mozilla organization has released a new major version, 5.0, of its Thunderbird E-mail client, available for Windows, Mac OS X and Linux. This version incorporates a number of new or improved features, including:
- More responsive and faster to start up and use
- Thunderbird is based on the new Mozilla Gecko 5 engine
- New Add-ons Manager
- Revised account creation wizard to improve email setup
- New Troubleshooting Information page
- Tabs can now be reordered and dragged to different windows
There are also numerous bug fixes, plus security and stability improvements. More details are available in the Release Notes.
You can get the new version via the built-in update mechanism, or you can get versions for all platforms in many languages from the download page.
June 28, 2011
Google today released a new stable version of its Chrome browser, version 12.0.742.112, for all platforms (Linux, Mac OS X, Windows, and Chrome Frame). This release fixes seven security vulnerabilities, six of which are rated High severity. Its embedded Flash player has also been updated to version 10.3.181.34; this Flash update does not appear to be security-related. Further details are in the release announcement on the Chrome Releases blog.
Windows users should get the new version via the built-in automatic update mechanism; you can verify that your system has been updated by clicking on the tools menu (the little wrench), and then on “About Google Chrome”. Linux users can get the updated package using their distros’ usual update tools.
Because of its security content, I recommend getting the new version as soon as you conveniently can.
June 28, 2011
Adobe has released a new version, 10.3.181.34, of its Flash Player for all platforms (Mac OS X, Windows, Linux, and Solaris). This does not seem to be a security update; according to the Release Notes,
Adobe Flash Player 10.3.181.34 addresses compatibility issues with some content using cross-domain policy files.
Windows and Mac users should be able to obtain the updated version via the built-in update mechanism; alternatively, versions for all platforms can be downloaded here.
June 27, 2011
I’ve written here before about the security vulnerabilities introduced by authentication “secrets” that are easy to guess, like the answers to security questions; and by bad passwords and password policies. Now, Daniel Amitay, a student, blogger, and applications developer for Apple iOS devices (such as the iPhone) has posted the results of an experiment he did to examine the four-digit “pass codes” users set to secure their iPhones. It will probably not come as a complete surprise to learn that users’ selection of these codes is just as lousy as their password selection.
The ten most common codes, which account for 15% of all passcodes in the sample, were:
Most of these are obvious patterns on the phone’s keypad. The exceptions are ‘1998’, probably a date, and ‘5683’, which, as Mr. Amitay points out, corresponds to the letters ‘L-O-V-E’. (The phrase “iloveyou” is a very common password in other contexts.) Passcodes of the form ‘199x’ (that is, a year in the 1990s) were also very common.
As Mr. Amitay points out, this means that, just by trying the 10 most common passcodes, a thief has about a 15% chance of unlocking a given iPhone, without triggering any security alarms.
A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock …
As Princeton Professor Ed Felten has pointed out, the use of passwords for security persists as a “Worst Practice”, because it is easy for the developers, who do not bear the costs of bad security.
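The pattern families described above (keypad lines, years such as ‘1998’, keypad spellings such as ‘5683’) can be rejected when a passcode is set. The following is an added example, not code from Mr. Amitay's post or from this blog; the rule set, the word list, and the function names `weakness` and `blocked_count` are assumptions made for illustration.

```python
# Added example: flags 4-digit passcodes that fall into guessable families.
# The rule set and word list are assumptions, not data from the study.

# Phone keypad as (row, column) coordinates; 0 sits under 8.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
          "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}

# Letters printed on each key, used to find codes that spell a word.
KEY_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
               "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: k for k, ls in KEY_LETTERS.items() for ch in ls}

# Constructed word list; a real blocklist would use a larger dictionary.
COMMON_WORDS = ["love", "baby", "john", "pass"]
WORD_CODES = {"".join(LETTER_TO_KEY[c] for c in w): w for w in COMMON_WORDS}


def weakness(code):
    """Return the reason a 4-digit code is guessable, or None."""
    if len(code) != 4 or not (code.isascii() and code.isdigit()):
        raise ValueError("passcode must be exactly four digits")
    if len(set(code)) == 1:
        return "repeated digit"
    if code[:2] == code[2:]:
        return "repeated pair"
    digits = [int(c) for c in code]
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        return "numeric sequence"
    pos = [KEYPAD[c] for c in code]
    moves = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pos, pos[1:])}
    if len(moves) == 1:
        return "straight line on keypad"
    if code[:2] in ("19", "20"):  # assumption: 19xx/20xx read as a year
        return "looks like a year"
    if code in WORD_CODES:
        return "spells '%s' on keypad" % WORD_CODES[code]
    return None


def blocked_count():
    """How many of the 10,000 possible codes the rules reject."""
    return sum(1 for n in range(10000) if weakness("%04d" % n))


if __name__ == "__main__":
    for sample in ["1998", "5683", "2580", "7294"]:  # constructed inputs
        print(sample, weakness(sample))
    print("blocked:", blocked_count(), "of 10000")
```

With these rules only a few percent of the 10,000 possible codes are refused, so a set-time blocklist costs little keyspace while removing the guesses an attacker would try first.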