Data Privacy Day

January 28 is the date set aside annually as Data Privacy Day.  The official Data Privacy Day theme is: Respecting Privacy, Safeguarding Data and Enabling Trust.

 Let us take a closer look at why we would want to safeguard our data and steps we can all take for keeping our data safe.

Data

What information do you store on your computer?

Home computers have rapidly become the storage place not only for personal correspondence but also for financial data, including bank records and government tax return forms.  This information in the wrong hands can, and does, result in identity theft.

What information do you share on social network sites?

Facebook is one of the largest social network sites where people connect with not only friends and family but also acquaintances.  These acquaintances may be people they "met" at other sites, forums or through friends and family.  However, they are only known virtually.

Not only is the information you share on sites like Facebook data, so is your home town, where you went to school, when you graduated, your birth date, address and telephone number as well as names and birth dates of family members.  If this information is public, it is the very information that identity thieves can use.

What about your smart phone?  Do you check in at every location as you go about your daily travels and share it on Twitter or Facebook?  Do you announce and document business or family trips?

Information stored on your computer or shared on social networking sites includes data that needs to be safeguarded to protect your privacy.

Safeguarding Data

The message about having an up-to-date antivirus software and firewall has been well received by home computer users.  When helping with malware removal, it is has been a very long time since I have seen a computer without antivirus software and a firewall.  Computer users are also getting much more conscientious about installing security updates and keeping third-party software updated.

This is all good news, but malware writers are very clever and manage to find a way to infect computers.  In addition to the standard antivirus, firewall, updating what else can you do to safeguard your data?

In addition to keeping your computer and software programs updated, following are a some general suggestions for protecting the data on your computer:

1. Protect your wireless router with a password.
2. Don't open e-mail, instant message or Facebook attachments you are not expecting.
3. Do not click anywhere on a pop-up or warning from a program you did not install.  Use the keyboard shortcut Alt + F4 to close the window.
4. Pay close attention when installing software.  Do not blindly click through the screens or you may end up with more than you expected.
5. Whenever possible, only download software programs from the vendor site.  Keep in mind that free is not always free.
6. Always scan any file you download from the Internet.
7. Have a back-up plan in place, particularly for documents, pictures and other files that cannot be replaced. 
8. Use a complex password, not a "dictionary word" or family name.

What about safeguarding the data you share on social networking sites like Facebook?  

Facebook makes it easy to connect and share information with friends and family.  However, it is critical to ensure that you are not openly sharing personal information that could make you a target of identity theft. 

See this excellent guide by Sophos, Facebook Security Best Practice, which not only covers information and setting recommendations but also explains the reasoning for the recommendations. 

Another resource that is helpful for Facebook users is Facecrooks, a source for not only privacy information but also the latest hoaxes that regularly circulate on Facebook.

A few easy steps will keep both the data on your computer as well as the information you share both secure and private.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Mozilla Firefox 18.0.1 Released

Firefox 18.0.1 was sent to the release channel today by Mozilla to solve several bugs. 

What's New

• FIXED -- 18.0.1: Problems involving HTTP Proxy Transactions (Associated bugs)
• FIXED -- 18.0.1: Unity player crashes on Mac OS X (bug 828954)
• FIXED -- 18.0.1: Disabled HIDPI support on external monitors to avoid rendering glitches (bug 814434)

The Release Notes include additional changes and fixed features in version 18.  For a complete note of all fixes, see the Bug Fixes in the link below in References.

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Mozilla Security Blog:  Revoking Trust in Two TurkTrust Certificates
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

MS13-008 Released for Security Advisory 2794220

Microsoft released an out-of-band security update to address the issue described in  Security Advisory 2794220.

The update is to address an issue that affects Internet Explorer versions 6, 7 and 8.  Internet Explorer versions 9 and 10 are not affected.  

This update is critical if you have Internet Explorer versions 6, 7 or 8 installed on your computer.  Windows XP users of IE6 or IE7 should update to IE8 as soon as possible.  Windows Vista and Windows 7 users should be using IE9.

Note:  The Advance Notice for this update to Internet Explorer versions 6-8 indicated if the Microsoft Fix it was applied, it was not necessary to uninstall it prior to updating IE. 

The advice provided now is to disable the Fix it after updating as it is no longer required.

	Disable
	Fix this problem       Microsoft Fix it 50972

References:

• MSRC Blog:  MS13-008 Released for Security Advisory 2794220
• Microsoft Security Bulletin MS13-008 - Critical : Security Update for Internet Explorer (2799329)]

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Advance Notification for Update to Address Security Advisory 2794220

On Monday, January 14, 2013, Microsoft is planning to release an out-of-band critical security update for the issue described in  Security Advisory 2794220.

The update is to address an issue that affects Internet Explorer versions 6, 7 and 8.  Internet Explorer versions 9 and 10 are not affected. 

Although Microsoft has seen only a limited number of customers affected by the issue, the potential exists that more could be affected.  Thus, it is advised that the update be installed as soon as possible. 

Even with the update, if your operating system is Windows Vista or Windows 7, update to Internet Explorer 9.  For Windows XP, your system will be more secure if you update to Internet Explorer 8.

If you applied the Fix it released in Security Advisory 2794220, it will not need to be uninstalled before applying the security update.

References

• MSRC Blog:  Advance Notification for Update to Address Security Advisory 2794220
• Tech Net Advisory: Microsoft Security Advisory (2794220) Vulnerability in Internet Explorer Could Allow Remote Code Execution

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Out-of-Band Oracle Java Critical Security Update Released

 The advice of the U.S. Department of Homeland Security, US-CERT, security software vendors and others advising that Java be uninstalled appears to have spurred the early release of an out-of-band security update for Java SE.

Ahead of the Critical Patch Update Pre-Release Announcement which had the update scheduled for Tuesday, January 15, 2013, the update for Java version 7 update 11 has been released.

Edit Note:  Additional vulnerabilities have been found in the latest Java update, which did little other than adjust the settings to the Java Control Panel.  See Java, The Never-Ending Saga for additional information on removing or disabling Java.

If you uninstalled Java, consider that you really may not need it on your computer.  On the other hand, if there are programs you use or websites that you visit that require Java, it is strongly advised that the update be applied as soon as possible.  

Java Security Recommendations

1)  In the Java Control Panel, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:  Java Version 7 Update 11

Verify your version:  http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are:

• 19 February 2013
• 18 June 2013
• 15 October 2013

References

• Java SE 7 Update Release Notes
• Critical Patch Updates, Security Alerts and Third Party Bulletin 
• Oracle Critical Patch Update Pre-Release Announcement - January 2013
• Oracle Security Alert CVE-2013-0422

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Java Zero-Day (Again), Time To Disable/Remove Java

Once again there are reports of a Java zero-day vulnerability being actively exploited in the wild.  All versions of Java are impacted, including the most recent release, JRE 7, Update 10.

With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection.  Significantly, the exploit is not operating system and, although currently targeting Windows systems, can also run the same code on Mac OS X or Linux.

Edit Note:  The recent Java update 11 did little other than adjust the settings to the Java Control Panel.  Additional vulnerabilities have been found in that latest Java update.  See Java, The Never-Ending Saga for additional information on removing or disabling Java. 

Recommendations

1.  Uninstall Java. 

First and foremost, most home computer users do not need Java installed on their computer.  In the past, Java was needed for websites to be properly displayed. However, that is generally not the case now.  I uninstalled Java several years ago and have not had a need for it.

To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:

Java 7 Update 10 (or earlier)
Java Auto Updater
JavaFX 2.2.4 (or earlier)

Confirm that the folders shown below have also been removed.  If not, delete the folders manually.

C:\Program Files\Java
C:\Users\%UserName%\AppData\LocalLow\Sun

2.  Disable Java

The update to Java JDK 7u10 includes the option to disable Java in the browser.  Thus, if you have a business need to use Java, play online games or use OpenOffice, disable Java.  All you need to do is uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

In the event Java is needed for software installed on your computer, there should be a prompt for it.  In that situation, launch the Java Control Panel and re-check the option to enable Java.  Then, remove the check again when finished.

References

• Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B | Naked Security
• Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost
• Kill that Java plugin now! New 0-day exploit running wild online • The Register

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Adobe Flash Player and AIR Critical Security Updates

Adobe Flash Player was updated to address critical security vulnerabilities.  These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Update Information

The newest versions are as follows:

Windows XP, Windows Vista, Windows 7:  11.5.502.146
Windows 8:  11.3.378.5
Macintosh:  11.5.502.146
Linux: 11.2.202.261

Release date: January 8, 2013
Vulnerability identifier: APSB13-01
Priority: See table below
CVE number: CVE-2013-0630
Platform: All Platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh and Linux

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

• Flash Player For Internet Explorer 7, 8 & 9:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
  
  Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801.  If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
  
  
• Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

• Adobe AIR 3.5.0.880 and earlier versions for Windows, Adobe AIR 3.5.0.890 and earlier versions for Macintosh and Adobe AIR 3.5.0.880 for Android.  See Determine version | Adobe AIR runtime. 
• Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
• If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
• Uncheck any toolbar offered with Adobe products if not wanted.
• If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
• The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• Adobe Security Advisory: Security updates available for Adobe Flash Player
• Release Notes:  Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Adobe Reader Critical Security Update

Adobe released security updates for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh.  Also released were security updates for Adobe Reader 9.5.1 and earlier 9.x versions for Linux.

These updates address critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Release Details

• Release date: January 8, 2013
• Vulnerability identifier: APSB13-02
• Priority Rating: See table below
• CVE numbers: CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
• Platform: All

Update or Complete Download

• Update
• Download Adobe Reader

References

• System Requirements
• PSIRT Blog
• Release Notes | Acrobat, Reader

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Microsoft Security Bulletin Release for January 2013

Microsoft released seven (7) bulletins addressing 17 vulnerabilities in Microsoft Windows, Office, Developer Tools and Windows Server.

Two bulletins are identified as Critical and five as Important.  

Bulletin Number	Bulletin Title	Bulletin KB
MS13-001	Vulnerability in Microsoft Windows	2769369
MS13-002	Vulnerabilities in Microsoft Windows	2756145
MS13-003	Vulnerabilities in System Center	2748552
MS13-004	Vulnerabilities in .NET Framework	2769324*
MS13-005	Vulnerability in Microsoft Windows	2778930
MS13-006	Vulnerability in Microsoft Windows	2785220
MS13-007	Vulnerability in Microsoft Windows	2769327

*If you have problems with .NET Framework updates, it is recommended that you install this update separately with an shutdown/restart.

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: Predictions and the January 2013 Bulletin Release
• TechNet: Microsoft Security Bulletin Summary for January 2013
• Security and Safety Center:  Microsoft security updates for January 2013 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Mozilla Firefox 18.0.0 Released With Critical Security Updates

Firefox 18 was sent to the release channel today by Mozilla.  Included in the update are twelve (12) critical, seven (7) high and one (1) Moderate security update.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.  Included in the update is the revocation in trust of two TURKTRUST certificates.

Security Updates Fixed in Firefox 18

MFSA 2013-20 Mis-issued TURKTRUST certificates
MFSA 2013-19 Use-after-free in Javascript Proxy objects
MFSA 2013-18 Use-after-free in Vibrate
MFSA 2013-17 Use-after-free in ListenerManager
MFSA 2013-16 Use-after-free in serializeToStream
MFSA 2013-15 Privilege escalation through plugin objects
MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG
MFSA 2013-12 Buffer overflow in Javascript string concatenation
MFSA 2013-11 Address space layout leaked in XBL objects
MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy
MFSA 2013-09 Compartment mismatch with quickstubs returned values
MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
MFSA 2013-07 Crash due to handling of SSL on threads
MFSA 2013-06 Touch events are shared across iframes
MFSA 2013-05 Use-after-free when displaying table with many columns and column groups
MFSA 2013-04 URL spoofing in addressbar during page loads
MFSA 2013-03 Buffer Overflow in Canvas
MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
MFSA 2012-98 Firefox installer DLL hijacking

What's New

• NEW -- Faster JavaScript performance via IonMonkey compiler
• NEW -- Support for Retina Display on OS X 10.7 and up
• NEW -- Preliminary support for WebRTC

The Release Notes include additional changes and fixed features in version 18.  As with previous versions, the update includes a long list of Bug Fixes, referenced below.

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Mozilla Security Blog:  Revoking Trust in Two TurkTrust Certificates
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

WinPatrol® 2013 Update, v26.1.2013

I asked and Bill did it! 

Bill Pytlovany ‏@BillP

I confess thousands have requested a WinPatrol feature that I never added until this week when @SecurityGarden asked for it. :)

Yes, WinPatrol now has a minimize option.  Although it is certainly easy enough to click on another program to change focus, too often when helping people with WinPatrol, I caught myself closing WinPatrol Explorer, only having to relaunch it again.  I asked Bill if he would consider adding a minimize button.  As shown in the above screen clip, 
Bill came through.  Thank you, Bill.

Bug fixes include the" First Detected" Date for Active Tasks and when hiding the Scotty System Tray icon.

Additional new features include the following:

Delayed Start List Option:  

"Run As Adminstrator" for any programs launched by WinPatrol in Delayed Start list.

Restart Windows 8 to Advanced Repair/Restore mode:  

Note:  This feature is only available with WinPatrol PLUS.

Right-click on any file with WinPatrol and select "Restart Windows for Repair in Safe Mode."

Although the latest version update includes Windows 8 features, WinPatrol runs on Windows XP, Vista and Windows 7, Windows 8 including x64 versions.

Go here for additional information about the update and to download WinPatrol.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Security Advisory 2798897 Released, Certificate Trust List Updated

Microsoft released Security Advisory 2798897 to provide notification regarding a a fraudulent digital certificate issued by TURKTRUST Inc.

TURKTRUST Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was used to issue a fraudulent digital certificate to *.google.com.

Actions:

Windows Vista and newer:

With up-to-date security updates, your computer was protected with the installation of Microsoft Knowledge Base Article 2677070, released on June 12, 2012.

The update provides an automatic updater feature which includes a mechanism that allows Windows to specifically flag certificates as untrusted. With this feature, Windows checks daily for updated information about certificates that are no longer trustworthy.  In the past, movement of certificates to the untrusted store required a manual update.

If you have not installed KB 2677070, it is strongly advised that you do so as soon as possible.

Windows XP and Windows Server 2003: 

Because the automatic updater feature is not applicable to Windows XP and Windows Server 2003, it is necessary for users of these systems to manually check for updates.

References:

• MSRC: Security Advisory 2798897 released, Certificate Trust List updated
• Tech Net Advisory: Microsoft Security Advisory (2798897) Fraudulent Digital Certificates Could Allow Spoofing
• KB 2677070:  An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Security Bulletin Advance Notice for January 2013

On Tuesday, January 8, 2013, Microsoft is planning to release seven (7) bulletins addressing twelve (12) vulnerabilities.

Two bulletins are identified as Critical and address vulnerabilities in Microsoft Windows, Office, Developer Tools and Microsoft Server Software.  The five remaining bulletins are rated Important and will address issues in Microsoft Windows, .NET Framework and Microsoft Server Software.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

• MSRC Blog:  Advance Notification Service for the January 2013 Security Bulletin Release
• TechNet: Microsoft Security Bulletin Advance Notification for January 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

2013 - Microsoft MVP, Pay it Forward, #WWFD

How well I remember the January 2006 e-mail congratulating me on being presented with the Microsoft® MVP Award.  I knew that I had been nominated but, at the time, had no idea how the award cycle worked so the award came as a complete shock.

Recalling that first award, it arrived following a particularly difficult time in "real life", resulting in a sort of personal renewal to dig in and continue with renewed enthusiasm.

Once again, I have been faced with a troublesome time -- this an event that had a profound effect on our local community, the Christmas Eve shooting of four volunteer firefighters from the neighboring West Webster Fire District (#WWFD) when volunteer firefighters Mike (Chip) Chiapperini and Tomasz Kaczowka lost their lives and Theodore Scardino and Joseph Hofstetter were seriously injured.

Since the Christmas Eve tragedy, one thing aside from the coming together of the "Brotherhood" that stood out was the support of people not only in the local community but also across the U.S. and Canada.  There was a resounding repetition locally and throughout the U.S. and Canada of unselfish occurrences of "Pay it forward" as people attempted to demonstrate appreciation to local and visiting firefighters, first responders, police and others in public service.  Hundreds upon hundreds of people volunteered their time to the community during this trying time.

What I continued to reflect on as the end of 2012 approached was not only those who volunteer in our community but also how many people volunteer time and expertise to help others in both life-threatening situations and in every day life.  I couldn't help but feel that I wasn't doing my part.

When I received the e-mail this morning recognizing my volunteer efforts in Consumer Security, helping people with infected computers, it slowly dawned on me.  Perhaps I am doing some good, freely helping others.

Although I don't put my life on the line, it is an incredible honor that my volunteer contributions have again been recognized by Microsoft® with the award as 2013 Microsoft MVP:

"Dear Corrine Chorney,

Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year."

Let the heroes of West Webster and around the world, the "random acts of kindness" serve as inspiration and challenge to you to Pay it Forward in 2013, volunteering or helping others in some small way.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More