Category Archives: Latest Warnings

Blocking JavaScript in the Browser

May 25, 2011

Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Krebs’s 3 Basic Rules for Online Safety

May 20, 2011

56 Comments

Yes, I realize that’s an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that — if followed religiously — can blunt the majority of malicious threats out there today.

Critical Flash Player Update Plugs 11 Holes

May 13, 2011

48 Comments

Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks. In the advisory that accompanies this… Read More »

Security Fixes for Microsoft Windows, Office

May 10, 2011

19 Comments

Microsoft issued just two updates today to fix at least three security flaws in its Windows and Microsoft Office products, a merciful respite following last month’s record-setting patch push. One of the patches issued today earned a critical rating, the company’s most serious.

Breach at Michaels Stores Extends Nationwide

May 10, 2011

59 Comments

Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with point-of-sale devices at store registers as part of a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that stores all across the country have since discovered compromised payment terminals.

Security Group Claims to Have Subverted Google Chrome’s Sandbox

May 9, 2011

48 Comments

A French security research firm boasted on Monday that it had discovered a two-step process for defeating Google Chrome’s sandbox, the security technology designed to protect the browser from being compromised by previously unknown security flaws. Experts say the discovery, if true, marks the first time hackers have figured out a way around the vaunted security layer, and almost certainly will encourage attackers to devise similar methods of subverting this technology in Chrome and other widely used software.

In an advisory released today, VUPEN Security said “We are (un)happy to announce that we have official Pwnd Google Chrome and its sandbox.” The post includes a video showing the exploitation of what VUPEN claims is a previously undocumented security hole in Chrome v.11.0.696.65 on Microsoft Windows 7 SP1 (x64).

Scammers Swap Google Images for Malware

May 6, 2011

84 Comments

A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are abusing weaknesses in Google’s Image Search service to foist malicious software.

For several weeks, a number of readers have complained that clicking on Google Images search results redirected them to Web pages that pushed rogue anti-virus or “scareware” through misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create garbage Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content.

LastPass Forces Users to Pick Another Password

May 5, 2011

35 Comments

LastPass.com, a free password management service that lets users unlock access to all of their password protected sites with a single master password, is forcing all of its approximately 1.25 million users to change their master passwords after discovering that… Read More »

‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

May 2, 2011

51 Comments

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network

April 26, 2011

59 Comments

Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information on more than 70 million customers.

In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.