Editor’s Dossier
More about Updates – A Necessary Evil?
Greetings VSNers,
Weather Report: Another beautiful day in paradise, the temp is in the 70s and
late nights and early mornings are the best as the air just smells so fresh and
we get that Gulf breeze. Please don’t get weather envy, remember we have to
endure the hot hot summers.
Very interesting discussion in Eyes Only regarding – you guessed it – updates,
definitely worthy of your eyes! It seems that just about everyone has an opinion
about updates. We know we have to do them because flaws and vulnerabilities have
to be patched and fixed. It does not mean we have to be happy about it.
A few issues back we discussed how the Internet works and talked about HTML.
(HTML stands for HyperText Markup Language, and is how you create web pages. A
markup language is a modern system for annotating a text. The idea and
terminology evolved from the “marking up” of manuscripts, i.e. the revision
instructions by editors, traditionally written with a blue pencil on authors’
manuscripts. Thanks, Wikipedia.) In this issue our contributing editor Deb
Shinder gives you the lowdown on the latest version – HTML 5.
This may seem a bit random and off the path of security, but bear with me, it
will be relevant. I was recently having a discussion with someone and she told
me how angry she was with someone and had dashed off an email to said person and
the response was nuclear. I have found over the years that this is not a good
way to handle an argument.
There is no way email or texting is the proper medium for controversial
subjects. In person, on the phone or even a hand-written letter is a better way
to communicate. You need some way to explain your thoughts and looking at the
person face to face is the best way. Email fails miserably if you try to patch
up an upset, so does texting. What does this have to do with security? It’s
pretty simple. Angry people do stupid things and that includes doing something
that just may hurt your security and protection of you and your family. Plus you
don’t necessarily want to anger the wrong person in these days of online
stalking, bullying and worse. My dad used to have a sign in his workshop that
said THINK BEFORE YOU SPEAK. Today you could readily change that to THINK BEFORE
YOU TEXT! It’s a good rule to teach your kids, don’t you think? Don’t send that
‘nastygram’, it will bite you in the butt.
Enjoy the latest issue of VIPRESecurityNews. And remember stay safe out there.
Best,
Larry Jaffe
Editor VIPRESecurityNews
P.S. You can write to me at any time, I want to know how you feel about Internet
security and if you have any ideas for articles or subjects you would like us to
cover. Email me at feedback@SunbeltSecurityNews.com
Eyes Only: Your Viewpoint on Security Issues
Updates Updated
Just read your last post to us all about Trip saying “keep your Adobe and Java
updated”. Well, if we must, not.
At some point, Adobe stops supporting old versions of Acrobat Reader etc. with
updates, and requires you to update to a whole new version (I’ve no idea where
Reader is now as I’ve stripped everything but Photoshop and Air out of my PC
years ago when they stopped supporting Reader 5.1) which always has different
(improved???) look and feel, incomprehensible menus full of annoying tools and
formats I don’t want – the upgrade path with Adobe is never smooth and the
(re)learning curve is always steep. I have to put up with it at work, but there
I can call on someone else if I really need to get something done in Adobe – at
home, I’ve no desire, and there are lots of other tools that do the same task
for less fuss.
Java – fine, I update every two or three months (when I allow Windows to update
as well) because I don’t want Java constantly searching for new updates every
week or day, just like I don’t want Windows interrupting my work every week to
download some patch to Silverlight if I happen to open an Excel document inside
a specially crafted web page, nah, nah, nah. For Windows, I only accept the
critical security items and other patches I definitely have the software for -
everything else goes into the ignore bin, and then log out as Administrator and
go back to working…
My wife’s Pfaff sewing program specifically mentions using only Java 1.1 as
that’s the only certified Java that will work on her software (which is now 3
years old), but between us, we’ve been able to test newer versions of Java and
they still work, so we’re OK there. But that’s not always the case. At work, we
run a “transit tube” system that delivers medications and messages to different
departments in the hospital – got a brand new software update in February,
certified to work only with Java 5.0! Thankfully, we run that machine only on
the hospital intranet so risks are minimized, but certainly not eliminated!
No, sometimes it’s simply not possible or desirable to keep up to date with
latest patches. That’s why I rely on VIPRE, and Kaspersky before that, and
probably wouldn’t hesitate to recommend Norton either. Lots of overhead, makes
the machine slow, but with safe practices, one can keep trouble-free with the
software you want to run, not what some major developer wants you to run. – AP
Editor’s Note: Back atcha! Trip’s comeback! (Trip is our System Response
Manager)
Hi Andre, Thank you for your response to my advisory. When it comes to staying
up to date, it makes no difference what software you may have that is dependent
on older versions. As long as you understand that leaving outdated versions of
these exploitable products will leave you more susceptible to infection.
When these companies release updates as regularly as they do it is because they
have identified some hole that will allow some malicious software writer the
ability to instruct the old outdated version to execute whatever code the bad
guys want. This is the very reason updates are released so often. Major
releases which are for product improvements are released a couple times a year.
Almost all of the updates that are released in between the major upgrades are
security patches.
I cannot speak to the complexity of their new versions, or to the learning
curve, but the black and white of the situation is that with outdated products
that allow remote code execution without user knowledge through exploits hackers
find in their software open users up to infection.
Java updates much more frequently than every couple months. This means that
they are finding exploit vectors that they want to protect you from all the
time. So if you are only updating every couple of months, it means that you
have two months’ worth of unlocked doors on your machine with the hope that some
malware will not find its way in. It’s like going on vacation and
leaving your front door unlocked and hoping that no neighborhood kids figure out
your mistake.
These exploits open up users to what is called 0 day attacks. These are threats
that are released and are so new that almost no AV product will be capable of
stopping it because nobody has seen it yet.
If you are using some software that requires a specific outdated version to be
installed in order to operate, my recommendation would be to not let that
machine have access to the outside world. Keeping it secluded on an internal
network is fine, but doing any kind of web surfing from that machine is just
asking for trouble. If you have any questions, please don’t hesitate to ask.
Operations: What You Need To Know
Free Malware Removal
Malicious software is tricky and sometimes, these critters get through all your
layers of protection. However, did you know that we will remove malware that has
gotten into your computer for free? All you need is a valid subscription to
VIPRE and our team of malware removal specialists will get the bad guys out. Our
team will assist any customer that becomes infected while under VIPRE’s
protection. Just go online and fill out the support form and a member of our
Malware Removal Team will get back to you right away. You don’t have to pay for
this incredible service.
VIPRE Support
Free Support
Like our Malware Removal Team above, our Support Team is also at your service.
You don’t have to call in or send emails or wait in line, just fill out our
support page and you will automatically create a support “case”. So should you
be experiencing technical issues with your GFI product please feel free to fill
out a support request and a technician will be happy to assist you.
VIPRE Support
Stay on top of all the real-time threats: GFI Malware Research Lab
Deb’s Deep Dive
HTML5: What’s it all about?
The HyperText Markup Language, or HTML, is the native language spoken on the
web. Those of us who are old enough remember when creating a web page meant
learning its nuances, and it became second nature to insert tags such as <b> for
bold type and </b> to turn the boldface off. Web browsers read those tags and
convert them into the formatting you see on web pages. Then along came WYSIWYG
(What You See Is What You Get) web editors and a whole generation of casual web
designers grew up without having to give HTML a thought.
But over the years, the language was evolving and getting more sophisticated,
morphing from a simple language for displaying text and images to a much more
complex one supporting cascading style sheets and a variation called XHTML. If
you read tech publications, you’ve probably heard rumblings about HTML5, the
latest version. It brings big changes – and some say it can potentially change
the web completely. Some folks are excited about that and some – especially web
designers who don’t want to learn something new – are afraid of it. But what
does it mean to you, a “user” of the web?
We’ve seen the web change from just another Internet application to an
application platform. The premise of Google’s Chrome operating system is that
the web is all you need, and while not everyone is buying that, there’s no
denying that it plays a bigger role in our computing lives than it did a decade
ago. Web sites do much more than just display information now – we can interact
with them in real time in a myriad of different ways. We can play games, watch
videos, chat, and much more. But all of these new capabilities are built on a
variety of different technologies, most of which require you to download
additional software or “plug-ins” for your web browser.
Some sites use Sun’s Java, some use Adobe’s Flash, some use Microsoft’s
Silverlight. You’ve probably had the experience of going to a web site that
would display on one of your computers but not on another. What HTML5 aims to do
(or at least one of the goals) is provide a way for web developers to create
sophisticated sites and web applications that will work properly and seamlessly
on all browsers and all computers.
You probably heard about Apple’s refusal to build Flash support into its Safari
browser on the iPhone and iPad, although Adobe recently released v4.5 of its
Flash Media Server that allows broadcasters to stream Flash-based video in an
Apple format (Flash-based games and animations still won’t work).
Still, Flash has long been known for its security vulnerabilities, and there
has been much talk of HTML5 as a “replacement” for Flash. That’s really a
misnomer, since Flash, Silverlight, etc. are actually elements that are
embedded in an HTML web page so they can easily coexist. The new video
element in HTML5 will make it unnecessary to use Flash or Silverlight for basic
video, but they may still be used when certain features are needed.
Will HTML5 really change everything? It will make it easier for web designers
to make their pages more interactive, because according to one oft-quoted
pundit, “In HTML5, an ad is an app, a tweet is an app, everything is an app.”
For example, instead of having to click a link to go to Amazon to buy a book
that’s being reviewed on the web page you’re reading, you could buy the book
directly from inside that page. Some even say HTML5 could mean the end of the
popular social networking sites.
Whatever it brings with it, there’s no doubt that HTML5 is the future of the
web. Get ready for a wild and wooly ride.
‘Til next week,
Deb Shinder, Contributing Editor
Dirty Tricks
Phone scammers target PC users with phony virus reports
Note: We have been writing about this for months… glad to see ZDNet join in!
Summary: Online con artists are targeting PC users worldwide in a brazen scam.
It starts with a phone call from a “tech support specialist” who warns that your
computer is infected with a virus. To fix things, all you have to do is give the
caller remote access to your PC. Here’s what happens next.
Read More
Happy Patch Tuesday
Microsoft will issue four security bulletins on Tuesday, November 8 to address
four vulnerabilities in Windows. Just one of the flaws is rated critical; it
affects Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008
R2.
Read More
“Devilrobber” Trojan Targets Mac OS X for Bitcoins
A new Mac OS X Trojan being distributed on torrent sites like Paratypic aims to
steal Bitcoin virtual currency, security researchers are warning. The malware,
called DevilRobber, is bundled inside several Mac applications made available by
attackers on file-sharing networks, including a Mac OS X image editing app
called GraphicConverter version 7.4, Graham Cluley, senior technology consultant
at anti-virus (AV) firm Sophos, said in a blog post Saturday. Once on a machine,
the malware attempts to steal a user’s Bitcoin digital wallet.
Read More
Internet Privacy Tools Too Confusing For Most Users
Note: Obviously they did not interview our readers!
Users wishing to stop advertisers from tracking their online behaviors face
major hurdles, according to a report released this week by Carnegie Mellon
University.
Read More
Zone – Cool Products & Other Stuff
I am always looking for some hot stuff to share with our readers; maybe you are
too. Hit me back at feedback@counterspynews.com.
Koi Tower
A fish lover added an observation tower to his koi pond. The fish enter and swim
up the tower at will. Evidently they like the view:
Watch Video
Personal E-copter
The World’s first manned flight of an electric multicopter. I want one!
Watch Video
Magic Girl
Every magician likes to involve a pretty girl in his magic tricks but it’s not
often that the pretty girl is also a magician herself:
Watch Video
Pandora’s Inbox
This is a very cool cartoon. Think before you click!
Read More
Recognizing Speech
Very interesting article about speech recognition – “It is, therefore, a
tremendous feat to marry the rigid world of computers to the squishy, volatile
world of spoken language. And yet your new smartphone, $200 on contract, just
managed to accomplish it in seconds.”
Read More
Tesla Previews Sedan, Promises Speeds Faster Than a Porsche
During a preview event at Tesla Motors’ Fremont, California factory, CEO Elon
Musk offers a closer glimpse and test drives of the 4-door Model S. Find out
what makes the all-electric sedan a safer, faster, more spacious and comfortable
ride.
Read More
Reader JD Digs Text’nDrive
I’m driving right now and a voice just read me your message out loud. I’m using
an app called Text’nDrive to avoid touching my phone while driving and thought
you should install it too… It’s Free!
Read More
Your Ride Is Right around the Corner
Today, RelayRides connects people who need a car with vehicle owners whose rides
would otherwise just be sitting idle. Just need to run a few errands? Why deal
with car ownership or the hassle of traditional carsharing when RelayRides lets
you borrow your neighbors’ cars from as low as $5/hr. Or if you own a car, don’t
just let it sit around when you could be making up to $7,000/year loaning it out
safely and securely.
Read More






