Archive for March 2008

More JAVA Updates

We just finished rolling out Java 1.5 update 14. As we’ve come to expect with all updates, that means another update is right around the corner. SUN has not disappointed.

Sun JDK and JRE 5.0 Update 15

http://java.sun.com/javase/downloads/index_jdk5.jsp

Sun JDK and JRE 6 Update 5

http://java.sun.com/javase/downloads/index.jsp

SUN SDK and JRE 1.4.2_17

http://java.sun.com/j2se/1.4.2/download.html

Multiple vulnerabilities have been disclosed:

- Two privilege-escalation vulnerabilities affect the Java Runtime Environment Virtual Machine. An untrusted application downloaded from a website may be able to elevate its privileges to read and write local files or execute local applications.
- A privilege-escalation vulnerability affects the Java Runtime Environment (JRE) when processing XSLT transformations. An applet may be able to exploit this to read unauthorized URIs, potentially execute arbitrary code, or cause denial-of-service conditions.
- Three buffer-overflow vulnerabilities affect Java Web Start. These issues may be exploited by a malicious Java Web Start application to elevate privileges and perform arbitrary actions as the currently logged-in user.
- A privilege-escalation vulnerability affects Java Web Start. An untrusted application may be able to grant read and write permission to local files, or execute local applications in the context of the currently logged-in user.
- An unauthorized-access vulnerability affects Java Web Start. A malicious Java Web Start application can exploit this issue to create files on the vulnerable system. It may then be able to execute those files to run arbitrary code in the context of the currently logged-in user.
- A same-origin bypass vulnerability affects the Java Plug-in. An applet may be able to exploit this issue to execute local applications that are accessible to the user running the plugin.
- A privilege-escalation vulnerability affects the Java Runtime Environment in the image-parsing library. A malicious applet may be able to exploit this to read and write local scripts and execute local applications in the context of the currently logged-in user.
- Two denial-of-service vulnerabilities affect the color management library that may cause the Java Runtime Environment to crash.
- An unauthorized-access vulnerability affects the Java Runtime Environment that may allow JavaScript code to make connections to network services. This may aid in further attacks.
- A buffer-overflow vulnerability affects Java Web Start. A Java Web Start application may be able to exploit this issue to elevate privileges, read/write arbitrary files, and execute arbitrary local applications in the context of the currently logged-in user.

(Symantec Deepsight Alert Service)

Cox PIN

My cable company Cox is now using a PIN to authenticate users when they contact support. Their KB article on the subject says this was required by the FCC to prevent pretexting.
To make things easy for the customer and for themselves, they print the PIN on the first page of the cable bill. How many customers do you think use one PIN for everything? For them Cox just wrote on paper their ATM PIN, building access code, and bike lock combo. That doesn’t seem like a great idea to me.

Too Creepy for Business Mail

Does your business have policies about forwarding email to external servers? You may think you have policies, but will you catch users who create their own server-side forwarding rules in Outlook/Exchange?
One of our VPs decided that he wanted to get work email onto his shiny iPhone whether it was supported/allowed or not. He created a rule to forward his email to Google Mail. With Google Mail, nothing is ever really deleted, and you really don’t have any control over what Google does with the content. That’s not the place to be sending information the customer intends that you keep private.
There is a website, Gmail is Too Creepy, that covers some of the concerns of Google Mail. Strangely enough, while googling for that URL, Google wouldn’t give me the result. They said I must have a virus on my computer if I’m trying to go to that website. Too creepy indeed!
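One way to actually catch the rules the post is worried about is to audit them from the server rather than waiting to stumble across one. The script below is an added example, not something from the original post or from Microsoft; it assumes the Exchange Management Shell on Exchange 2010 or later (or a remote PowerShell session to Exchange Online), where Get-Mailbox and Get-InboxRule are available, and it treats "example.com" as a placeholder for your own accepted domains. It reports two separate paths mail can leave by: the mailbox-level ForwardingSmtpAddress property, and user-created inbox rules whose ForwardTo, ForwardAsAttachmentTo or RedirectTo action points at an address outside those domains.

```powershell
# Added example (not from the original post): list mailbox forwarding and
# user-created inbox rules that send mail to external addresses.
# Assumes Exchange Management Shell (Exchange 2010+) or Exchange Online.
# "example.com" is a placeholder; put your own accepted domains here.
$InternalDomains = @('example.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients render as strings such as "John Doe [SMTP:john@gmail.com]"
    # and ForwardingSmtpAddress as "smtp:john@gmail.com"; pull out the SMTP part.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    # No "@" means an internal directory object (mailbox, group), not external.
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Path 1: forwarding configured on the mailbox object itself.
    if ($mbx.ForwardingSmtpAddress -and
        (Test-ExternalAddress $mbx.ForwardingSmtpAddress.ToString())) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'MailboxForwarding'
            Rule     = '(mailbox property)'
            Enabled  = $true
            Target   = $mbx.ForwardingSmtpAddress.ToString()
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # Path 2: server-side inbox rules the user created in Outlook or OWA.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress $t.ToString()) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Kind     = 'InboxRule'
                    Rule     = $rule.Name
                    Enabled  = $rule.Enabled
                    Target   = $t.ToString()
                    # Redirect leaves no copy in the mailbox; forward does.
                    KeepCopy = -not [bool]$rule.RedirectTo
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

Run it from a scheduled task and diff the CSV against the previous run so new rules show up the week they are created, not when something leaks. The script deliberately reports disabled rules too (see the Enabled column), since a rule a user "turned off" can be turned back on without any admin involvement. One path it does not cover is a mailbox whose ForwardingAddress points at a mail contact carrying an external address; check those contacts separately if your directory allows them.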

Fighting Back Against Identity Theft

In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).
The Postmaster General’s letter reported that, according to an FTC survey, only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.
So many times when dealing with users the response is “I’ve got nothing to hide” or “I won’t be a victim” or “I’ve got nothing worth protecting”. The Postmaster General’s letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized, it is not easy to clean up.
The FTC brochure has a link to the FTC’s Identity Theft Site.
The brochure has three key sections.
Deter

  • Shred financial documents and paperwork before you discard them.
  • Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don’t give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead, type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information.
  • Don’t use an obvious password like your birth date, your mother’s maiden name or the last four digits of your social security number.
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect

Be alert to signs that require immediate attention.

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.

Defend

Defend against ID theft as soon as you suspect it.

  • Place a “fraud alert” on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report.
  • Report the theft to the FTC.

Common Ways ID Theft Happens:

  1. Dumpster diving.
  2. Skimming – a skimmer is a special device that steals your credit/debit card numbers.
  3. Phishing.
  4. Changing your address.
  5. Theft of wallet/purse, mail, records.