Archive for the ‘Security’ Category

Security Vulnerabilities

Sunday, April 13th, 2008 | Posted in Security | No Comments »

One of the difficulties faced by IT security professionals is keeping up with the latest security vulnerabilities in operating systems, databases, and applications.

If an attacker knows a vulnerability and you don’t, you may not be able to effectively defend against the new vulnerability. This is especially true of applications which are accessible from the Internet.

Many sources of security news document vulnerabilities only in general terms. This often does not give the security administrator enough information to effectively defend their systems from attack.

As a result, most security professionals keep up-to-date by attempting to monitor the hacking community. The hacking community, however, consists of tens of thousands of different individuals and groups working in a decentralized and unorganized manner.

As such, it is difficult or impossible for any single security professional to keep up with new vulnerabilities discovered by the entire hacking community.

Milw0rm.com is an excellent resource to help with that problem. Milw0rm.com lists vulnerabilities, along with exploits and shellcode.  These are organized by platform and by type of access required.

Milw0rm.com is an excellent addition to resources such as Open Source Vulnerability Database, The National Vulnerability Database, and Exploit Tree.

GnuPG Shell

Tuesday, November 20th, 2007 | Posted in Security, Software, Uncategorized | No Comments »

Team Tech-FAQ is proud to announce a new tool for your crypto toolbox: GnuPG Shell.

GnuPG Shell is a cross-platform graphical frontend for GNU Privacy Guard.

GnuPG Shell can be used to encrypt, decrypt, and sign files, to verify signatures and to manage private and public keys.

In addition to source code, we provide pre-built installation packages for Debian Linux, RedHat Linux, and Microsoft Windows.

GnuPG Shell is built using:

  • Python - An interpreted, interactive, object-oriented, extensible programming language.
  • wxWidgets - A cross-platform GUI and tools library for GTK, MS Windows, and MacOS.
  • Code::Blocks - A cross-platform IDE built around wxWidgets, designed to be extensible and configurable.

GnuPG Shell should make it a shell of a lot easier to keep your data secure. :)

iPhone hacked

Sunday, July 29th, 2007 | Posted in Apple, Programming, Security | No Comments »

With such a big launch and so much media attention, it’s only natural that the iPhone has drawn the eye of hackers of all sorts. And it didn’t take long until the first hacks were revealed for the iPhone.

For example, if you remove the SIM preloaded into the iPhone and replace it with an older, disabled SIM, you can use the iPhone as a WiFi device, without any need to be connected to a telephone network. Or, even better, take a look at this video that shows an iPhone that can make phone calls using an Australian Telstra SIM.

Belgium copyright issues - ISPs must take action

Friday, July 6th, 2007 | Posted in Internet, Security | No Comments »

A court in Belgium has ruled that Scarlet, one of the country’s biggest ISPs, must actively filter users’ access. The ruling came after SABAM (a union that represents Belgian artists and composers) took action in court against Scarlet (formerly known as Tiscali).

SABAM hopes this will create a precedent in the matter, and although U.S. courts have constantly decided that ISPs are not responsible for actively filtering what users access, in Europe the court’s decision might have a more important meaning. And although there is no need to worry just yet, one must keep in mind that against recent privacy talk ISPs in Europe might be forced to keep information about users for longer periods of time.

Speaking of privacy, many fear that measures like these, where the ISP directly meddles with the data certain users handle, might not be such a good idea. No one likes the thought that someone else will know everything they do online. But the technical experts appointed by the court to find ways of blocking copyrighted content say only the pirated material will be watched. All other activities you do online won’t be watched. As technical solutions they came up with several proposals, one of them being the one that MySpace uses now.

“The solutions identified by the expert are ‘technical instruments’ that limit themselves to blocking or filtering certain information transmitted on the network of TISCALI (SCARLET). They do not constitute a general obligation to monitor the network.”

And if Scarlet doesn’t comply in 6 months, fines will be up to $4,300 per day. But I think they will comply, as they have no other choice. This is an important victory for copyright enforcement organizations that already see piracy eradicated.

How to recover your lost files?

Tuesday, July 3rd, 2007 | Posted in Security, Software | 1 Comment »

Have you ever needed a certain file just after you deleted it? Or have you ever accidentally deleted several important files on your hard disk? We’re human, and mistakes are unavoidable. However, there are several ways to recover files you just deleted.

Since the HDD is a magnetic storage medium, when we delete files, they’re not actually deleted. The memory zone assigned to them is only released, and other applications can then store files on that memory zone. As long as no other application stores data there, your deleted files may still be available in the short term, but you need a special application in order to recover them.

SoftLogica presents HandyRecovery, an interesting software application that analyzes your hard drive for recently deleted files and recovers them thoroughly. At the push of a button, this application can list all of your recoverable files and can also display the percentage to which those files can be recovered.

The benefits are obvious. Accidents can be fixed if acted upon quickly, and that shouldn’t be so hard if you have the right application for the job. The trial version is limited to one recovered file per day, but you can get the full version, with unlimited recoveries, for only $39.

Unlike other applications of this kind, this one supports various file systems, including FAT12, FAT16, FAT32, NTFS and EFS. Other features, such as advanced filtering and recovery, are available too. As a plus, you can view each file’s memory access location if you feel the need to go advanced. If you’re impressed, just have a look at the product and I can guarantee that you won’t be disappointed.

Leopard - security risks already ?

Tuesday, June 26th, 2007 | Posted in Apple, Security, Software | No Comments »

With Vista seen as a secure operating system, Symantec and Kaspersky have lately started talking about possible security issues regarding Apple’s Leopard. For now OS X is relatively secure, as the bulk of spyware and virus creators concentrate on Windows. This is mainly due to the fact that Windows is much more widely used than OS X, which makes it a more desirable target to infect or crack.

In this, Safari seems to be the black sheep, even if it hadn’t sucked so bad after the launch on Windows. The fact that Safari now runs on Windows and OS X, and will run on the iPhone too, will create a major breach. And I’m sure there will be plenty of people that will try to find vulnerabilities; just remember that Safari on Windows was hacked in the first two hours after the launch.

Here’s what Marc Fossi from Symantec declares:

“On June 29th, these two platforms will converge when Apple’s iPhone is released in the US. The release will potentially make writing malicious code for both an Apple product and a mobile device irresistible to some attackers. The iPhone will represent a robust mobile device platform based on OS X that allows users to send and receive HTML email and surf the Net with the Safari Web browser. Projections made by various analysts suggest that iPhone adoption will be quite high. This allows attackers to target a larger audience with malicious code designed to run on the devices,”

So even if Apple keeps the security patches coming, I don’t know just how much user data will be lost before the holes in the security systems are filled. If I were you I’d improve on security until the 29th of this month.

Ads - there is no escape

Sunday, June 24th, 2007 | Posted in Internet, Security, Software | 5 Comments »

Companies are continuously looking for new markets in which to place their ads. So companies that formerly operated exclusively within the Internet now use new ways to reach new markets. Take Google, for example, which provides ads in newspapers and offers information about local businesses over the phone.

But there must be a limit to all this. And Redmoon, a Texas-based ISP, just crossed it. What they basically do is use the NebulaAD software, which places ads on any page you access. So if you’re in the Redmoon network you’ll see ads on every page you access, ads that are integrated within the content of the pages you see. Page creators and owners won’t even know that ads are placed on their pages, and of course they don’t receive any of the revenue made this way.

And rest assured, the profit is quite substantial. Since there is no need to share revenue with page owners, all the money obtained from advertising goes straight to Redmoon. And although there are methods to filter unwanted ads from your browsing experience, I’m sure there is little if any support for this (considering only the copyright violation of content worldwide, this is a very serious problem).

As an active web developer and content creator, it’s scary to think my work will be altered without my consent and, even worse, that others will wrongfully profit from it. Also, as a heavy-duty browser, it’s confusing not knowing what is user generated and what is placed there by others for their own profit.

Vista wins on security

Saturday, June 23rd, 2007 | Posted in Microsoft, Security, Software | 1 Comment »

180 days after its release, Vista proves to be more secure than other operating systems, such as OS X, Ubuntu 6.06 LTS or even Windows XP, were at their beginning. Here you can find a report that shows all the data regarding security issues in Vista’s first 6 months. The count only takes into consideration flaws that concern the operating system directly, and not other components that come with it by default (such as Vista Mail or Internet Explorer 7). Counted that way, there were only 12 vulnerabilities, of which only five were labeled as Critical.

That doesn’t actually mean Vista is more secure; at most it can mean the code was better written, so fewer flaws were left. Microsoft developers want to keep Vista at half the number of vulnerabilities Windows XP had. And so far they’re on the right track, as XP had 36 vulnerabilities in its first six months.

This is a plus for Vista as it can pass as being the most ‘secure’ OS to date, though that’s not exactly accurate, as I was saying above.

Safari on Windows - the aftermath

Sunday, June 17th, 2007 | Posted in Apple, Security | No Comments »


Last week was quite interesting for Apple fans with the WWDC, iPhone news, the launch of Leopard and last but not least the release of Safari on Windows. As with every major event there was a lot of debate around Safari beta 3.0, a lot of pros and cons but the matter is not settled yet.

At first it might look like a good move from Apple to release their very own Internet browser, but they have to compete with other powerful browsers that are already on the market, such as Firefox and Internet Explorer. So even if Safari is quite a powerful browser, we have to keep in mind that it’s only a newcomer and that it also has to adapt to Windows. Even if Safari was known to be more secure on OS X, the software now can’t call the same functions in the same way. Consequently, security bugs were reported only hours after the release. Apple clearly stated they want to release a secure product from day one; though it wasn’t as secure as they wanted it to be, patches were released a couple of days later to fix major leaks, showing that the developers are interested in offering a reliable product as soon as possible.

There’s certainly demand for Safari, as one million copies were downloaded in the first 48 hours. But these first figures are heavily influenced by the novelty factor, and what matters is how many of these users will actually stick with Safari rather than just try it and then switch back to Firefox or IE.

Speaking of competition, Safari is the fastest browser out there (as Apple claims) and it supports ‘modern’ standards such as HTML, JS, CSS, Java or SVG.

[Chart: Apple’s browser performance comparison]

The results above show:

Performance measured in seconds. Testing conducted by Apple in June 2007 on a 2.16GHz Intel Core 2 Duo-based iMac system running Windows XP Professional SP2, configured with 1GB of RAM and an ATI Radeon X1600 with 128MB of VRAM. HTML and JavaScript benchmarks based on VeriTest’s iBench Version 5.0 using default settings. Testing conducted with a beta version of Safari; all other browsers were shipping versions. Performance will vary based on system configuration, network connection, and other factors.

But you don’t have to own a top-notch PC to run Safari; developers say the minimum requirements are Windows XP or Windows Vista as an operating system and 256MB of RAM with at least a 500MHz Pentium processor. So in theory any decent, web-ready computer could run it, but I’m not that sure it will be as fast ;)

Steve Jobs said at WWDC that Safari now has 5% of the Internet browser market. I think that’s an optimistic figure but that’s what he said. Clearly what Apple wants to do is increase that figure; as things look now, the superior speed is somewhat counterbalanced by obvious security issues. On the other hand, Safari will be the only way third-party applications are going to get on the iPhone, so being able to use Safari on Windows might be an advantage when it comes to that.

All that being said, I think Safari had a good start, and surely it has whatever resources are necessary to compete with the big players on the browser market. There are other important factors to take into consideration, such as how fast other applications will become Safari compatible and how swift bug support will be. Considering all that, I don’t think Apple made a wrong move by introducing Safari to Windows, even more since it might have a chance if it plays its cards well.

Convinced? Download now. Already used it? Please share opinions on your experience.

Safari security risks

Friday, June 15th, 2007 | Posted in Apple, Security, Software | No Comments »

Apple’s launch of Safari on Windows was a huge success, with one million downloads in the first 48 hours (read more if you don’t believe me).

As you all know by now, Safari 3.0 beta for Windows had some severe security issues that were discovered in the first few hours after the release. Most of them were DoS (denial of service) related, and some allowed execution of unauthorized code from a remote host.

Now, only three days after the ‘faulty’ release Apple came out with a brand new 3.0.1 release that covers three major vulnerabilities (as described by Apple):

CVE-ID: CVE-2007-3186
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A command injection vulnerability exists in the Windows
version of Safari 3 Public Beta. By enticing a user to visit a
maliciously crafted web page, an attacker can trigger the issue which
may lead to arbitrary code execution. This update addresses the
issue by performing additional processing and validation of URLs.
This does not pose a security issue on Mac OS X systems, but could
lead to an unexpected termination of the Safari browser.

CVE-ID: CVE-2007-3185
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An out-of-bounds memory read issue in Safari 3 Public
Beta for Windows may lead to an unexpected application termination or
arbitrary code execution when visiting a malicious website. This
issue does not affect Mac OS X systems.

CVE-ID: CVE-2007-2391
Available for: Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site scripting
Description: A race condition in Safari 3 Public Beta for Windows
may allow cross site scripting. Visiting a maliciously crafted web
page may allow access to JavaScript objects or the execution of
arbitrary JavaScript in the context of another web page. This issue
does not affect Mac OS X systems.

You should get the bug-free (known bugs, that is) 3.0.1 version of Safari for Windows here, or via Safari’s auto-update feature.