Filed under: Security

About 10 years ago I bought an incredibly expensive Samsung X10 laptop. It was one of the first powerful Centrino 'ultra lights', and along with the Sony Vaio range it cost a stupid amount of money -- but it rocked! It was fast, it could run games, and it only weighed 2 pounds!

And it had a fingerprint scanner. 'Ooooh!'

Yeah, it was slick, it was silver and fast -- but really, I'd just paid $2500 for a damn fingerprint scanner and boy did I feel cheated. I thought I'd get all the girls with that thing: 'Hey, babe, look, I can just swipe my finger across...' But no, no cigar. I don't even know why consumer products have biometric scanners -- in the office environment maybe, but at home?

Anyway! The actual news: you can now use your face to log onto your computer with KeyLemon. Sit down in front of your computer and voila: logged in! Firefox users will be able to log into social networks using their face, too. It's not just a one-time login either: KeyLemon keeps scanning whoever's in front of the computer, and if your face changes it logs you out! Also, on the off-chance that your laptop gets stolen, KeyLemon will continue to take photos of whoever's using it.

Don't forget your password though -- what if you undergo plastic surgery and can't login?

[via CNET -- download link (30 day trial)]

Today is Safer Internet Day, an annual event coordinated by the folks at InSafe -- who are all about promoting responsible Internet use. We've covered a number of great tools in the past that have the same aim, so what better day to take another look at them?

Web Of Trust (WOT, Pictured)
WOT is a community-powered trust and ratings system. With nearly 26 million sites rated to date, it's one of the most popular safe browsing tools you can find. Their browser add-on is available for Internet Explorer, Firefox, and Google Chrome. Once installed, you'll start seeing WOT's color coded ratings rings next to links to let you know if they're safe.

I have WOT installed in my browsers, and I recommend it wholeheartedly.

It has come to light that there is a security flaw in the NTVDM (NT DOS virtual machine), which is the process that runs when you open a command prompt (DOS window) on any 32-bit version of Windows. This flaw has existed since the very first version of the service on Windows NT and could allow a specially written 16-bit application to escalate the user's rights to that of administrator -- proof-of-concept code already exists for such an attack.

Microsoft has acknowledged the flaw in the NTVDM, but does not intend to immediately fix it. Instead, they have released a One Click Fix for this issue which changes a registry setting to prevent the NTVDM from launching.

The problem with this approach is that there are still 16-bit enterprise applications out there (both on client, and on servers) that work perfectly well and need to continue doing so. The options for companies relying on such legacy applications are limited: they can either stop using their applications (not really an option for some), or they are forced to live with the possibility that users could gain administrative rights on their machines.

The question boils down to whether Microsoft has an obligation to correct this problem in what is by today's standards an ancient piece of code that's sole purpose is to allow people to run ancient software. I would argue that while it's fair for Microsoft to stop shipping the NTVDM as they have in the latest version of Windows Server 2008, until they stop providing it across all of their operating systems, they need to support it and if that means fixing a very old security hole properly, then so be it.

I know, it's the story that never ends -- and really, don't expect it to end any time soon -- but here's another angle: what about Chinese hardware?

We now know that either the Chinese government, or a very large privately-funded clandestine operation from Asia, has been hacking Western governments, intelligence agencies, and businesses for a decade. What if the hardware they produce also has secret backdoors or comes pre-infested with trojan viruses?

The story on IT World lays down some pretty chilling precedents: did you know that Chinese intelligence agents approach business men at trade fairs in the UK and offer 'gifts' of digital cameras that come with viruses on them? What if the Chinese government has gotten to hardware manufacturers -- what if your Xbox 360 comes with a backdoor in it that lets them snoop on your home network? How about a chip on your motherboard or graphics card that phones home?

It's an interesting idea, made all the more scary because it's believable. For now, as far as we know, it's just espionage, an attack on governments and businesses -- but when will be the targets?

A vast amount of technology originates from China and Taiwan, and that's not going to stop soon -- if China's grasp is inescapable, why bother worrying?

And even then, is there even a way we can combat it?

Since it's introduction last week, people have been clamoring for more information on the iPad. Apple has released a video and has posted some basic specs and pricing, but more information has been hard to come by. Scammers have started to pick up on this and have been looking for ways to exploit users searching for iPad websites.

BBCNews reports that handful of security firms have been spotting attempts to "trick" search engines into providing people with rogue links. People that click these links will be redirected to pages that scan their computer looking for holes and vulnerabilities.

So how is this happening? People have started crafting fake websites that will show up high in search results for "Apple" or "iPad", etc. Users will be redirected to sites peddling fake security software, asking them to sign up for credit cards and claiming that more information and rumors on the iPad are just a few clicks away.

The same common sense rules apply for preventing this from happening. Be careful when opening links and as always, make sure you're computer has the latest security patches and updates.

Scamming and exploitation of users is nothing new, especially around high profile "trending" events. A similar scam recently occured involving the earthquake in Haiti.

Your world is about to be rocked.

If you're not a hardened, tinfoil hat-wearing the-apocalypse-is-nigh conspiracy theorist, you soon will be. Wired has just published a stunning article detailing a really scary report from computer forensic firm Mandiant. The story brings to light some disturbing truths about the always-connected, always-on world we live in.

As an Internet nerd, I actually found the details numbly humbling. It made me think about a silent war, a cold war that is warming the ground we walk and air we breath -- but has not yet bubbled forth to be joined in the field of war. Reading Wired's story and thinking about the depth and detail and concerted effort required to pull off such a hack scares me.

You should read the full article for complete details, but here's a quick breakdown of the attacks employed against targets such as Google, U.S. oil companies, defense contractors and counter-terrorism departments:

• A new form of attack is being leveraged by hackers, called Advanced Persistent Threats (APT) -- think of APT as a 'ticking bomb', an apparently-benign piece of software that can be turned on at any time. These APTs can avoid detection and remain dormant for months or years, only turning on when the 'coast is clear'. In this most recent case, an unpatched zero-day attack on Internet Explorer 6 was the entry point.
• These attacks are theft-oriented -- the sole purpose behind these APT attacks are to get at sensitive data: email, Word documents, Powerpoint presentations, spreadsheets, etc. Corporate secrets, counter-intelligence, you name it.

In a new post on Twitter's Status blog, Twitter points out that a sudden surge in followers on a few select accounts was due to a large number of insecure passwords being used by regular Twitter users. What's happening is that users are re-using passwords that they've used on other sites, and some of those other sites turn out to have not been secure.

That's the thing; as soon as any of the sites you log in to gets compromised, the email address or username and password associated with it can be tried by the bad guy on various other services. Since most people re-use passwords, there's a high likelihood that they will gain access to your account. From there, who knows what kind of damage they might cause. If you're lucky, you'll notice something's amiss.

This should be a wake-up call for all users who use the exact same password, or a predictable variant at each site they log in to. If you haven't already, right now is as good a time as will ever be to make sure you're using unique passwords for all of your online services. You never know when one of them might get compromised.

So you like the speed of Google Chrome, but you want a browser that doesn't communicate quite so much data to the borg collective? Because Chrome is built on the open source Chromium project, there are plenty of options for you.

Third-party developers have taken steps, like removing the unique tracking ID Google slaps on each Chrome install, search suggestions, and other bits which communicate various things about you back to Google HQ. Granted these builds don't do anything about the numerous other ways Google tracks you, but they're a decent starting point.

For instance, two of the E-book readers (Google Books and Amazon Kindle) can monitor what you're reading. Google's Book Search Project takes tracking reading habits to a new level, logging what you searched for, the page you read, how long you viewed the page, and where you searched next.

All of the E-book readers, Google Books, Amazon Kindle, B&N Nook, and Sony Reader can keep track of book searches and book purchases. Most troubling is the fact that the information collected on your book selections, searches, and purchases could be shared outside the company without your consent (applies to the Kindle, Nook and Reader).

The good news is you do have options. You can laugh in the face of the commercial behemoths and get a free, open source FBReader (for Windows/Linux) which collects no data on your book selections or searches. Another option: you can go to a bookstore and purchase an old fashioned paper book, with cash preferably.

Today is International Data Privacy Day, and some of the big names in the online world are stepping up and... acknowledging issues of data privacy. Google has released a video highlighting the ways it uses some of that personal data it collects about you to make your life easier, and then explains that you can opt out of some of Google's data collection policies.

Microsoft has released the results of a study on data privacy. The study looked at how HR managers and recruiters in the US, UK, France, and Germany look at the information available about job seekers online. The results? 70% of HR professionals in the US have rejected a candidate based on information they found online. But fewer than 15% of the consumers surveyed worried that anything they posted online would affect their getting a job.

In other words: Be afraid. Be very afraid. Because it looks like you're really not worried enough.

Remember that slick new option Sebastian spotted a while back which allows you to reply to Facebook comments via your email? As it turns out, that convenience may pose a serious security risk.

When a comment is posted, Facebook generates a unique email address which then listens for replies. Therein lies the problem: F-Secure Labs have discovered that the email -- which is displayed in plain sight -- can be replied to by anyone from any email address.

They don't even have to be your friend on Facebook (depending on how your privacy settings are configured, of course). If they can see your wall, they can see your reply addresses.

Big deal? Well, the big deal is that it could turn into a juicy target for phishers, spammers, and other Internet lowlifes. There's enough crap on Facebook already, so here's hoping they sort this issue out in a hurry.

Poor Matti. F-Secure's guinea pig wall now has a few more than the one response you see in the header image...

A recent tip suggested that even when disabled the Google Toolbar sends data to Google without the user knowing. After doing some digging I've found this is only the case if, while using IE8 the user fails to restart the browser after disabling the toolbar from the "Manage Add-ons" window.

This is certainly possible, but the browser does warn the user to restart immediately after saving the changes. In fact, going to the add-ons screen is the slow way to disable the toolbar -- the easiest way is to click Tools>Toolbars then uncheck the Google toolbar. This stops it from sending the information back to Google immediately.

So, while I don't believe Google is being nefarious, after the news of their recent hacking and some of the reasons it was possible, it's a good time to talk about how to monitor what sort of information is being sent through tools like the Google Toolbar.

Microsoft has already fessed up -- admitting that a vulnerability in Internet Explorer was a key component in the Chinese attacks on companies including Google and Yahoo. Today, a post at Wired revealed some very disappointing news: Microsoft knew about the exploit as far back as September of 2009.

Microsoft's senior security officer Jerry Bryant had this to say: "Our investigation into this responsibly reported vulnerability began early September...We became aware of the recent attacks in mid January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September."

Apparently the official plan from Redmond was to patch the hole in a cumulative update this February -- a full six months after it was discovered. In the wake of the attacks, however, they were forced into action and released an out-of-band patch for IE.

What's your take on this news?

Six months seems like an extremely long time to make millions of customers wait for you to release a patch to a flaw which is considered to pose a severe risk.

Most of our users have already made the switch - maybe it's time for the rest of the world to look at an alternative browser.

There have been more than a few blog posts lately talking about how websites can use Flash cookies to keep tabs on you even if you're visiting their site using your browser's private browsing mode. It would appear, however, that the crew at Adobe thinks this is something which should change.

According to a post on NeoWin, Adobe is working to make sure that Flash 10.1 will play nice with the private browsing offered in most current browsers. Once you close your session, Flash Player will automatically clear the pertinent locally cached files. Visited a site with a Flash-powered login system? Any locally stored objects (LSOs) they create will also be purged.

On top of that, non-private instances of the Flash player won't have access to data created by those running in private sessions.

Right now, Adobe has things working with Google Chrome, Firefox 3.5 (or newer) and Internet Explorer 8. While Safari offers a private mode, support isn't quite there just yet. Expect to see it arrive before Flash 10.1 is released to the public.