Java updated last week, still vulnerable today


Oracle’s Java platform seems to be in an endless battle with Adobe Flash to see which can take the crown as the most compromised platform on your computer. Last week Oracle rolled out 42 patches for known security holes — and this was just another day for the oft-attacked software.

Now Security Explorations of Poland has announced that it has found a new Reflection API vulnerability affecting all current Java SE 7 releases, including 7u21, which was released just last Tuesday. "It can be used to achieve a complete Java security sandbox bypass on a target system," Adam Gowdiak, the firm's CEO, wrote on the Full Disclosure mailing list on Monday.

Gowdiak says he has also sent Oracle proof-of-concept code that demonstrates the sandbox escape.

There is no telling when Oracle will patch this latest flaw. The company generally follows a Microsoft-like approach, rolling Java fixes into one big scheduled release (its quarterly Critical Patch Updates), although it has shipped out-of-band Java updates before when a bug was being exploited in the wild, as it did with 7u11 in January.

Really, the best solution is to simply uninstall Java if nothing you use needs it. Do not confuse Java with JavaScript, which is an unrelated technology and is not affected by this flaw. If you do need Java for desktop applications, at least disable Java content in your browser (in 7u10 and later that is the "Enable Java content in the browser" checkbox on the Security tab of the Java Control Panel). A sandbox bypass only matters when untrusted code, such as an applet on a web page, is running inside the sandbox in the first place, and the browser plugin is what lets that happen. I recommend you make that change today.
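An added example, not code from Oracle or Security Explorations, that does the check a practitioner would want after reading this: parse the text `java -version` prints, read the user's deployment.properties, and report whether the host is exposed (Java present and browser Java still enabled), merely outdated, or already mitigated. The `java -version` strings and the properties contents are constructed samples; the property name `deployment.webjava.enabled` and the `.locked` suffix are Oracle's documented deployment properties for 7u10 and later, and should be confirmed against the JRE you actually deploy.

```python
"""Audit a host's Java install for exposure to the unpatched Java 7 sandbox
bypass discussed above. Added example for this post (not Oracle's or Security
Explorations' code); all sample strings below are constructed."""
import re
from typing import Optional, Tuple

# Oracle's old version scheme: 1.<major>.0_<update>; the update part is
# absent on a feature release with no update yet (e.g. "1.8.0").
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

# 7u21 was current when this was written; it still carries the new bug.
LATEST_RELEASE = (7, 21)


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Turn the text `java -version` writes (to stderr) into (major, update)."""
    m = VERSION_RE.search(version_output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def browser_java_enabled(deployment_properties: str) -> bool:
    """Read the setting behind 'Enable Java content in the browser' (7u10+).
    Property name per Oracle's deployment docs; an absent key means enabled."""
    for raw in deployment_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True


def assess(version_output: str, deployment_properties: str) -> str:
    """One of: no-java, plugin-disabled, outdated-and-exposed, current-but-exposed."""
    version = parse_java_version(version_output)
    if version is None:
        return "no-java"
    if not browser_java_enabled(deployment_properties):
        return "plugin-disabled"       # applets cannot reach the sandbox at all
    if version < LATEST_RELEASE:
        return "outdated-and-exposed"  # also missing last week's 42 fixes
    return "current-but-exposed"       # fully patched and still exposed


def lockdown_properties() -> str:
    """System-wide deployment.properties lines that switch browser Java off and
    lock the choice so the Control Panel cannot re-enable it (the .locked
    suffix is Oracle's documented convention; confirm against your JRE)."""
    return ("deployment.webjava.enabled=false\n"
            "deployment.webjava.enabled.locked\n")


# Constructed samples, not captured from a real machine.
SAMPLE_7U21 = ('java version "1.7.0_21"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)\n')
SAMPLE_6U45 = 'java version "1.6.0_45"\n'
SAMPLE_NO_JAVA = "bash: java: command not found\n"
DISABLED_PROPS = "# user deployment.properties\ndeployment.webjava.enabled=false\n"

if __name__ == "__main__":
    for label, out in (("7u21", SAMPLE_7U21), ("6u45", SAMPLE_6U45),
                       ("none", SAMPLE_NO_JAVA)):
        print(label, assess(out, ""), "/ with plugin off:", assess(out, DISABLED_PROPS))
    print(lockdown_properties())
```

Run it against the captured output of `java -version 2>&1` and the contents of the user's deployment.properties on each machine you manage; anything that comes back "current-but-exposed" is exactly the case this post is about, since being fully patched does not help until Oracle ships a fix.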

VUDU had a Break-In – Informs Customers 18 Days Later

Those of you who have been using VUDU to watch movies may have received a rather scary email recently. No, the company didn't get hacked. Instead, what happened was a physical break-in at its offices. Whoever did it walked away with multiple hard drives containing customer names, encrypted passwords, addresses, and phone numbers: the kind of personal information most people would not want a random stranger to get hold of.

VUDU says the passwords on the drives were encrypted, so there's that. ("Encrypted" in a breach notice usually means hashed, and how hard those hashes are to crack depends on the algorithm used and whether each one was salted, neither of which VUDU specifies.) The company also says there were no full credit card numbers on the stolen drives. Even so, VUDU has reset customers' passwords. They posted a blog about the situation that says:

There was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives. Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While stolen drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

March 24, 2013 was, let's see, 18 days ago! That's a really long time to wait before letting customers know that their personal information may be in the hands of whoever broke into the VUDU offices and stole the hard drives. Their blog goes on to say:

We are still in the process of sending email messages.

This means there could very well be VUDU customers who have not yet been informed about the break-in. That's rather shocking. Typically, the sooner a company lets customers know that their data may be in the hands of thieves, the better. I feel bad for the people who are going to read a blog post about the break-in before VUDU contacts them. Why did they wait so long? Again, their blog has an answer:

We notified law enforcement immediately when the break-in was discovered, and have worked closely with them on the investigation. We have also worked to reconstruct the information that was included on the drives to ensure we had an accurate assessment.

Perhaps the company is aware of the potential damage customers may face due to the break-in and the length of time VUDU waited before letting people know about it. They have made arrangements for customers to be automatically eligible to receive identity protection services from AllClear ID. You can find out more about the AllClear service, what it provides, and how to enroll on VUDU’s blog. It doesn’t mention if the service is free or if there will be a charge for using it (only that customers are “eligible”).

Evernote User Passwords have been Compromised

Users of Evernote were recently sent an email saying that the company had decided to implement a password reset. It required 50 million users to reset their passwords. Why? The answer is the usual one when a company urges users to change their passwords: Evernote got hacked over the weekend.

This explains the difficulties that my husband and I had when we went grocery shopping. He uses Evernote to create grocery lists (instead of writing it down on paper). Usually, this works really well. However, when we got to the store and he tried to open Evernote, it wasn’t functioning as he expected it to. Oh, no! Could hackers be reading our grocery lists? If so, then they must be awfully bored.

The email Evernote sent to its users says:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

It goes on to say that this is the reason they are implementing a password reset. So, if you opened Evernote today and wondered why it was asking you to reset your password, now you know. Evernote says it has no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. It also says:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted).

There are helpful suggestions on the Evernote website (where the email it sent to users was posted) about how to create a more secure password. It also points out that you should not click on "reset password" links in emails, since a fake reset link is exactly how phishers harvest credentials after an incident like this, and should instead go directly to the service itself to do the reset.
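Evernote's "hashed and salted" and VUDU's "we believe it would be difficult to break the password encryption" come down to the same mechanics, so here is an added example (not Evernote's or VUDU's code) showing what a stolen password table looks like from the thief's side. A per-user salt plus a slow key derivation forces one full derivation per user per guess, while an unsalted fast hash lets a single precomputed table crack every account at once. The users, their salts and the thief's wordlist are all constructed.

```python
"""What 'hashed and salted' buys you once the password table is stolen.
Added example for this post, not VUDU's or Evernote's code; the users, salts
and the thief's wordlist are all constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000  # work factor per guess; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Store a random per-user salt, the cost, and the PBKDF2-HMAC-SHA256 digest.
    The password itself is never written anywhere."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(stolen: Dict[str, dict],
                 wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """The thief's view of a salted, slow-hash table. Returns (recovered, kdf_runs).
    Unique salts mean nothing can be precomputed or shared between users:
    every (user, guess) pair costs one full key derivation."""
    words = list(wordlist)
    recovered: Dict[str, str] = {}
    runs = 0
    for user, record in stolen.items():
        for guess in words:
            runs += 1
            if verify(record, guess):
                recovered[user] = guess
                break
    return recovered, runs


def crack_unsalted(stolen: Dict[str, bytes],
                   wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Contrast: plain SHA-256, no salt. One hash per guess serves every user
    at once, and this lookup table could have been built before the theft."""
    words = list(wordlist)
    table = {hashlib.sha256(w.encode("utf-8")).digest(): w for w in words}
    recovered = {user: table[h] for user, h in stolen.items() if h in table}
    return recovered, len(words)


# Constructed sample data. Fixed salts keep the run reproducible; a real
# store would use os.urandom as make_record does by default.
USERS = {"alice": "correct horse", "bob": "password1", "carol": "Tr0ub4dor&3"}
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
SALTED_STORE = {u: make_record(p, SALTS[u]) for u, p in USERS.items()}
UNSALTED_STORE = {u: hashlib.sha256(p.encode("utf-8")).digest() for u, p in USERS.items()}
WORDLIST = ["123456", "password", "password1", "letmein", "correct horse"]

if __name__ == "__main__":
    print("salted:  ", crack_salted(SALTED_STORE, WORDLIST))
    print("unsalted:", crack_unsalted(UNSALTED_STORE, WORDLIST))
```

Carol's password is not in the wordlist, so she survives either way; Alice and Bob fall in both runs, the only difference being that the salted table cost the thief thirteen slow derivations instead of five cheap hashes. Salting and a slow KDF raise the price of each guess, they do not make a guessable password safe, which is why both companies reset passwords rather than betting on the hashes holding.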

Abine shows off better web security

Abine is a start-up based in Boston that aims to enhance the online security of everyday users with things like privacy tools, encryption and more.

There is a lot involved here and you will likely need to watch the video to understand where Abine is going: alias phone numbers, for example, which the mobile app can block on a per-caller basis. The company also offers Do Not Track, Delete and Encryption services. Some portions of the service Abine runs are free, while others are paid.

Interview by Jeffrey Powers of Geekazine and Scott Ertz of F5 Live

Support our Show Sponsor:
30% off your new order @ GoDaddy:
gnc30
1.49 .com New or Renewal geek149
$1.00 / mo WordPress Hosting with a free domain! Promo Code: press4
$1.00 / mo Economy Hosting with a free domain! Promo Code: geeks12
GoDaddy Promo Codes always save you money, check out my Promo Codes Today

FinderCode

FinderCode is a lost and found recovery system that works with QR code tags. A single kit is $24.95 and comes with seven tags: a medium tag on a keyring for keys, a small tag with a ring for cameras, binoculars and other gear, and five adhesive tags. You can put a tag on any personal item, then register the item on the FinderCode website. If you lose the item, the person who finds it can scan the QR code or enter the alphanumeric code into the website. Once they do, a text is sent to you telling you the item has been found and, because the geo-location is captured from the finder's scan, where it is. There is the option to use FedEx if you can't easily get to the location.

FinderCode runs $24.95 per package and is available through the website and through Office Depot.

Interview by Jeffrey Powers of Geekazine and Scott Ertz of F5 Live.

Rocstor Encrypted External Hard Drives

Rocstor specialises in data storage and secure encryption solutions: that's encrypted external hard drives to you and me, but it's an increasingly important market. Andy and Scott talk to Anthony Rink from Rocstor about how their products can keep your data safe.

Rocstor offers a range of external data storage products with real-time encryption built in as standard. The encrypted drives are validated to FIPS 140-2 Level 2, which requires tamper-evident physical protection: the encryption is done in hardware inside the enclosure rather than by software on the host, and any attempt to open the unit to get at the crypto keys leaves obvious traces. To suit different circumstances, some models use tokens, others PINs, and some use both, with ruggedised and waterproof units also available. Depending on features, $250-$300 gets you 1 TB of secure external storage.

Interview by Andy McCaskey of SDR News and Scott Ertz of F5 Live for the TechPodcast Network.

Dynamics ePlates: Credit Card for Today’s World

Dynamics Inc has developed cards for Visa that have a processor embedded in them. The battery inside the card lasts at least four years. There is a user interface, including buttons, and a programmable magnetic stripe that is rewritten according to the choice the user makes at the point of sale. The user can easily change the rewards available on the card through the website; there are currently fifty different reward partners the card can be connected to. You also receive the rewards a lot faster than you do with a normal card because of the system they have established. Dynamics says these cards are more secure than normal cards because the information is stored in the embedded processor on the card.

Dynamics Inc is also developing a card with a security code built in: you have to punch the code into the card's buttons for it to become active. When the right code is entered, the card number appears and the magnetic stripe becomes active. After a period of time the number disappears and the stripe is erased, so a stolen card carries nothing usable until the code is entered. For further information, and to sign up for a card, go to the Dynamics Inc website or the UMB Bank website.

Interview by Andy McCaskey of SDR News and RV News Net, and Daniel J Lewis of the The Noodle.mx Network and the Audacity to Podcast

Lowe’s Iris Home Automation Program for Security

Kevin Meagher from Lowe's talked to Todd and Daniel about the Lowe's Iris program. The idea behind Iris is to bring home automation to the masses. The base package, which is a security package, starts at $175. You control it from a smartphone or a computer. Setup is very easy: plug the base unit into your router, mount the sensors, run the setup, and you are ready to go, about an hour in total. Lowe's is working with its vendors to make sure their devices work with Iris; if you're looking for a device that will run under Iris, just look for the Iris logo.

There is no subscription for the entry-level package. The more advanced package, known as Magic, is all-inclusive and costs $10 a month. Iris is fairly new and its development is continuing.

Interview by Todd Cochrane of Geek News Central for the TechPodcast Network and Daniel J Lewis of The Audacity to Podcast

Iris Security Smart Home

Iris is a home security system offered through Lowe's, the home improvement giant with stores around the country. The system itself is not new, but a lot of upcoming features were unveiled at the Consumer Electronics Show in Las Vegas, and Andy McCaskey stopped by the booth to take a look.

Iris is about more than just security. It is also home automation. For instance, the system can tie into your irrigation system and keep your plants watered. Each feature will require a separate controller, but the good news is that each is affordable — think X-10 type pricing, but with better features. You can even put a tag on your dog’s collar to control pet doors. All of this can be handled from an app via iOS or Android.

All of this is available for $15 per month. You will need to purchase the individual sensors, but that is, of course, a one-time cost. Those interested can visit this Lowe's site for more information.

Interview by Andy McCaskey of SDR News and RV News Net

You May Have to Reset Your Twitter Password

Did you get a rather ominous-sounding email from Twitter today? If so, you are not alone. Twitter sent email today to users it felt may have been affected by unauthorized attempts to access Twitter user data. I first heard of this because my husband received one of these scary-sounding emails. Shortly after he dealt with it, a few of his friends on Twitter mentioned that they got the email, too.

There is a post on the Twitter Blog called “Keeping Our Users Secure”. It says:

This week, we detected unusual access patterns that led us to identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens, and encrypted/salted versions of passwords – for approximately 250,000 users.

If one of the 250,000 was you, then Twitter either has already sent you an email about it or will be doing so shortly. The social media company suggests that affected users change their password, and its blog post lists what Twitter considers the characteristics of a strong password.

Twitter also repeats the advisory from the United States Department of Homeland Security that encourages users to disable Java in their browsers. Twitter does not specifically state who the attack came from, but it does say this:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.