Author Archive

Facebook and More Privacy Issues…

Posted: February 8, 2013 by IntentionalPrivacy in Privacy

Read this article about a new feature that Facebook has in beta. If you value your privacy–even if you don’t have a Facebook account–it will scare you: http://slashdot.org/topic/cloud/facebooks-graph-search-kiss-your-privacy-goodbye/. As Jeff Cogswell, the author, recommends, try the three searches in the middle of the page at https://www.facebook.com/about/graphsearch/privacy.

I don’t post much on Facebook, but I still don’t like it! Not one little bit.

OK, now Adobe has released a security update for Flash, which applies to Flash versions for the Windows, Macintosh, Linux, and Android operating systems, as well as the Google Chrome and Internet Explorer browsers.

  • The version you should be running for Windows and Mac is Adobe Flash Player 11.5.502.149.
  • Linux users should update to Adobe Flash Player 11.2.202.262.
  • If you’re using Google Chrome as your browser, it should automatically update to the latest Chrome version. Chrome’s latest version runs Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
  • If you’re using Internet Explorer 10 on Windows 8, it will automatically update to the latest version of Internet Explorer, which includes the latest version of Adobe Flash Player, 11.3.379.14 for Windows.
  • Android 4.x devices should be running Adobe Flash Player 11.1.115.37.
  • Android 3.x devices should be running Adobe Flash Player 11.1.111.32.

How to keep up with all these security updates? You have several choices.

  • Sign up for US-CERT email bulletins and follow the instructions.
  • Run Secunia PSI and set it to check for updates weekly.
  • Set Adobe and Java to send you updates automatically. Java will ask you questions; make sure you check for any obnoxious add-ons before you click OK.

In the Adobe security bulletin about this Flash vulnerability that you can read at http://www.adobe.com/support/security/bulletins/apsb13-04.html, Adobe recommends that you verify the version of Flash running on your device.

  • To verify the version of Adobe Flash Player installed on your system, access the About Adobe Flash at http://www.adobe.com/software/flash/about/, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
  • To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions, as well as a link to a more in-depth, technical explanation if you’re interested.
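The Rapid7 page checks whether your router answers UPnP requests from the internet. To see which devices on your own home network advertise UPnP at all (so you know what to turn off), you can send the standard SSDP discovery request yourself. The script below is an added example, not Rapid7’s tool or anything from the original post; the sample reply is constructed, and the multicast address and port are the ones the UPnP specification defines.

```python
import socket
from typing import Dict, List

# Address and port that the UPnP specification reserves for SSDP discovery.
SSDP_ADDR = ("239.255.255.250", 1900)

def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the HTTP-over-UDP M-SEARCH request that UPnP devices answer."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",       # seconds a device may wait before replying
        f"ST: {st}",       # search target; ssdp:all asks every device to answer
        "", "",            # blank line terminates the request
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Turn a unicast 'HTTP/1.1 200 OK' reply into a lowercase header -> value map.
    Anything that is not a 200 reply yields an empty dict."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH on the local network and collect every reply.
    Needs a real LAN; the SERVER header names each device's UPnP stack and
    LOCATION points at its description document."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found: List[Dict[str, str]] = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                headers["from"] = addr[0]
                found.append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply in the shape a home router's UPnP stack sends back.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 ExampleStack/1.0\r\n"
                b"ST: upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    for dev in discover():
        print(dev["from"], dev.get("server", "?"), dev.get("location", "?"))
```

Every device this prints is one whose UPnP setting you should look at; a router that answers here may still be closed to the internet, which is what the Rapid7 page checks.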

If you have Java running on your computer, you may have noticed that Oracle–maker of Java–has recently put out a security update for Java. This is a good thing, and Oracle got the update out earlier than they had anticipated.

However, what you may not have noticed when you installed the update is that they include what Ed Bott calls “foistware.” This is because Java includes the Browser Add-on from Ask.com when you update Java unless you specifically UNCHECK the box that gives your permission to install it. If you’re not paying attention, you can accidentally install this lousy toolbar. I’m not a big fan of toolbars anyway, and this one is really bad. You can try it out [don’t click on any sites unless you are absolutely sure you know the site] by going to http://www.ask.com/ and searching for something. You will see a lot of ads–a lot of dubious ads.

For more information, read Ed Bott’s column, http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/.

The important thing: uninstall the Ask.com toolbar if you installed it.

A new vulnerability reported at bugtraq on December 11, 2012, has just come to my notice. The compromise occurs if you visit a website displaying an ad containing the exploit, even so-called safe sites like YouTube or the New York Times. If you have any version of Internet Explorer open on a compromised website–even if the page is minimized or you’re not on the page–your mouse cursor movements can be tracked.

Microsoft’s position as stated in this article http://www.securityweek.com/microsoft-ie-mouse-tracking-exploit-poses-little-risk is that this vulnerability would be very difficult to exploit.

There is a demo of this issue in Internet Explorer at http://iedataleak.spider.io/demo. All I could see displayed was when the CTRL, SHIFT, or ALT keys were pressed; no other keys displayed. I could, however, tell when the browser window was dragged to my other screen. Note: Spider.io has a demo game set up. In order to play the game, they want you to log in with your Twitter account. I do not recommend signing into any site with credentials from Facebook, Twitter, LinkedIn, or any other social media site.

As stated in the article, the demo does not work if the URL is entered into a Firefox web browser.

My suggestion is to only use Internet Explorer if necessary, and to close any browser–IE, Firefox, Chrome, whatever–when you are done using it, especially if it has ads on it.

A data broker is someone who collects information on people. Exactly where does a data broker get that information, and what do they do with the information once they have it? The easy answer is they get this information from a variety of sources—both public and nonpublic—and resell it to other companies.

The FTC is requiring nine data brokerage companies to explain how they get this information and what they do with it. The nine companies that the FTC is requiring answers from are:

  1.  Acxiom,
  2.  Corelogic,
  3.  Datalogix,
  4.  eBureau,
  5.  ID Analytics,
  6.  Intelius,
  7.  Peekyou,
  8.  Rapleaf, and
  9.  Recorded Future

In the US, information that is collected and used for credit, employment, insurance, or housing is protected by the Fair Credit Reporting Act (also known as FCRA). Medical information is protected by the Health Information Portability and Accountability Act (HIPAA). There are no laws that govern the privacy of other types of data that can be gleaned from public records and purchased from other companies. The FTC states that the collected information is used to benefit consumers in many ways, such as fraud protection, and that this collected information also enables companies to better market their products and services.

But what about privacy?

The FTC wants data brokers to give consumers more transparency, in other words:

  1. What information do data brokers collect?
  2. Where do data brokers collect it from?
  3. Who has access to the information collected? Where is the information stored and how is it protected?
  4. How can consumers see what information has been collected on themselves?
  5. If the information the data broker has collected is incorrect, how does a consumer fix it?
  6. Can consumers opt out of having their personal information sold by a data broker?
  7. What tools exist to help consumers?

You can find more information about this topic at the FTC website: http://ftc.gov/opa/2012/12/databrokers.shtm

In March, 2012, the FTC published a guide for businesses and policymakers entitled “Protecting Consumer Privacy in an Era of Rapid Change.” To access this guide, click this link: http://ftc.gov/os/2012/03/120326privacyreport.pdf

Oracle, maker of Java, does not have a good track record for fixing holes in Java. A new Java security hole that apparently targets Java 7 (however, some researchers think it also apparently targets some versions of Java 6) was discovered recently. What options do you have for fixing the problem?

  1. The safest thing to do is to uninstall Java from your computer. If that’s too extreme, then uninstall Java plugins. KrebsOnSecurity has an article listing how to disable Java in Firefox, Internet Explorer, and Google Chrome, which you can access here https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
  2. If you need to use Java for some sites, then the safest thing to do is to use two browsers and disable the Java plugin for the browser you use most often. For example, disable Java in Firefox and use Internet Explorer for the sites that absolutely must use Java. If you decide on this solution, make sure you keep Java up to date.
  3. Another viable option is to use Firefox with the NoScript plugin, available at http://noscript.net/getit. NoScript allows you to choose when to allow JavaScript to run. NoScript can also block Flash Player, which is another problematic plugin.
  4. If you have a PC, make sure you run Secunia’s Personal Software Inspector available here http://secunia.com/products/consumer/psi/ at least weekly to keep up with any updates available for all of your programs.

This vulnerability affects Macs as well as PCs. Only visiting “safe” sites will not help you avoid this issue.

Oracle released an update to fix this issue last night.

Don’t wait! Save your computer, save your information.

Peter G. Neumann, an 80-year-old computer scientist working at SRI International, and Robert N. Watson, a computer security researcher based at Cambridge University’s Computer Laboratory, are heading a team who are working on a five-year project for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) CRASH program to redesign computers and networks to make them secure. CRASH stands for Clean-slate design of Resilient, Adaptive, Survivable Hosts. The project is called CTSRD (CRASH-worthy Trustworthy Systems R&D).

Dr. Neumann quotes Albert Einstein when talking about computer security, “Everything should be made as simple as possible, but no simpler.”

The NY Times has a great article on Dr. Neumann and his project at http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?pagewanted=all&_r=0. You can read the first paper that Dr. Neumann and Dr. Watson published about CTSRD at http://www.csl.sri.com/users/neumann/law10.pdf.

Traveling with electronics

Posted: November 4, 2012 by IntentionalPrivacy in Issues, Traveling

This article in the NY Times talks about why TSA treats laptops differently than smartphones, tablets, and netbooks when you’re going through airport security lines. http://travel.nytimes.com/2012/04/08/travel/the-mystery-of-the-flying-laptop.html?pagewanted=1&ref=travel

Seattle “Creepy Cameraman”

Posted: November 4, 2012 by IntentionalPrivacy in Issues, Privacy, Uncategorized

Several online blogs have written about Seattle’s “Creepy Cameraman.” He takes videos of people in public places without asking their permission first. You can read about him and watch some of his videos here: http://www.geekwire.com/2012/seattles-creepy-cameraman-pushes-limits-public-surveillance/

The guy taking the videos reminds people who object that surveillance cameras are everywhere, as if that makes his videotaping without asking permission perfectly all right.

Would you allow someone to videotape you in public? What would you do to stop him or her? The people in the video who objected didn’t seem to make any difference to the cameraman. Should someone using a camera have to ask permission before filming a person going about their ordinary life in public–eating in restaurants, walking in malls, sitting in their cars?

What if the person is doing something–not illegal–but that they don’t want publicized? Possibilities include having an affair, getting medical treatment, going into a building of an employer’s competitor, gambling, drinking …

You might also want to check out these articles on Google’s Project Glass, also known as Google Goggles: http://www.technologyreview.com/review/428212/you-will-want-google-goggles/ and http://venturebeat.com/2012/04/04/google-glass-augmented-reality/. The NY Times describes the project here: http://bits.blogs.nytimes.com/2012/04/04/google-begins-testing-its-augmented-reality-glasses/. These glasses–as well as many other current electronic devices–would allow someone using them to photograph or videotape someone or something unobtrusively.

As technology changes so rapidly around us, the lines blur more around our personal privacy and security.