Security and spyware

Google finishes 2,048-bit security upgrade for Web privacy

Never again are you going to get a Google Web site whose security certificate is protected with comparatively weak 1,024-bit encryption.

The Net giant has secured all its certificates with 2,048-bit RSA encryption keys or better, Google security engineer Dan Dulay said in a blog post Monday. Certificates are used to set up encrypted communications between a Web server and Web browser.

That means two things. First, traffic will be harder to decrypt since 1,024-bit keys aren't in use at Google anymore. Second, retiring the 1,024-bit keys means the computing industry can retire the technology …

Google pays coders to improve open-source security

Pushed both by corporate desires for better security and less wholesome motives, the market for finding security holes is getting bigger.

In an attempt to improve security for software it and many others use on the Internet, Google said Wednesday it's offering to pay programmers $500 to $3,133.70 for changes that make widely used open-source software less vulnerable to attack.

With the Chrome reward program and the vulnerability reward program, Google already offers two mechanisms to pay people for finding specific weaknesses in its browser and its online services. The new patch rewards program goes a step …

Wells Fargo site hit by denial-of-service attack

Wells Fargo was the target of another distributed denial-of-service attack.

The bank's Web site was slowed down by the attack yesterday, affecting a certain number of customers, according to Fox Business News.

"Yesterday we saw an unusually high volume of Web site traffic which we believe was a denial of service attack," a Wells Fargo spokeswoman told CNET today. "The vast majority of customers were not impacted and customer information is safe. For customers who had difficulty accessing the site, we encouraged them to call us by phone, use ATMs or try logging on again as …

What 420,000 insecure devices reveal about Web security

A researcher used a simple, binary technique to take control of more than 420,000 insecure devices including Webcams, routers, and printers running on the Internet -- and says that's just a hint of the potential for real trouble to get started.

In a SecLists posting yesterday, the unnamed researcher describes how he was able to take control of open, embedded devices on the Internet. The researcher did so by using either empty or default credentials such as "root:root" or "admin:admin", indicating how a surprisingly large number of devices connected to the Web …

NBC Web site back up after hack attack

NBC's Web site is up and running again after being knocked offline by a cyberattack for several hours yesterday.

The NBC site was the victim of a form of malware known as the Citadel Trojan. This specific strain targets companies in an attempt to steal usernames, passwords and other sensitive data. People who visit sites infected by the trojan can find their own PCs infected as well.

In the past, Citadel typically attacked banks and financial firms but has since expanded its reach to a wider range of organizations.

NBC, which is part of cable giant Comcast, is still trying to figure out how the attack occurred, …

Oracle pushes out new Java update to patch security holes

Oracle has rushed out a new Java security patch designed to plug up a range of holes in the software.

The February Critical Patch Update for Java SE addresses 50 security vulnerabilities, 44 of which affect the use of Java as a plug-in for Web browsers, according to an Oracle blog posted Friday. If not properly patched, the plug-in could open the door for attackers to remotely execute code on a PC or Mac by directing users to malicious Web sites.

"The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is …

Firefox to block Silverlight and Java -- but not Flash

To improve security and cut crashes, Firefox will block plug-ins including Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java, Mozilla said.

Only the newest version of Adobe Systems' Flash Player will be run by default, said Michael Coates, Mozilla's director of security assurance, in a blog post yesterday.

Plug-ins extend a browser's ability to run software or handle different media and file formats, but that extra ability opens new avenues for attack. They've been a staple of Web development for years, but browser makers are working hard to reproduce their abilities directly with Web …

Microsoft to patch IE zero-day flaw today

Microsoft will fix a zero-day hole in IE today almost a week after this month's regular Patch Tuesday updates.

Discovered late last month, the vulnerability could allow attackers to gain control of a Windows computer running one of the older versions of IE by directing users to malicious Web sites. In response, Microsoft had suggested several workarounds and even offered a "one-click fix" designed to mitigate the problem, but those were considered temporary solutions.

Today's update will fully resolve the issue, according to Microsoft. Scheduled for rollout at 10 a.m. PT, the fix will be …

China tightens the screws on Internet users

The Chinese government is once again imposing new restrictions on Internet use.

A decision approved today by the Standing Committee of the National People's Congress institutes an "identity management policy," according to China's official Xinhua news agency. Such a policy requires Internet users to use their real names when registering with an online provider or mobile carrier.

Though most Chinese Internet users already use their real names to sign up for online accounts, the new policy makes it the law.

Li Fei, deputy director of the Commission for Legislative Affairs of the Standing Committee, did acknowledge …

Facebook starts pushing out new privacy settings

Facebook has started dribbling out the latest changes to its ever-changing privacy controls.

New privacy notifications and menus are now greeting members as they log in to the social network, according to The Next Web. Facebook users in New Zealand seem to be the first on the list to have received these updates.

Based on screenshots published by TNW, members receive a new message alerting them to the changes and explaining how they can block specific users.

A privacy shortcut menu is now part of the main toolbar at the top of your Facebook page. Previously, you'd have to …