So you’ve been hearing lately about how some Android applications are going rogue, being used to steal users’ data and infiltrate their phones, sitting idly by only to wreak havoc when the user least expects it (ok, so maybe I exaggerated a little there). But there has been a lot of buzz lately about certain apps not playing by the rules, or including certain calls to leech user information. A lot of this buzz has been spun as backlash against Google for allowing these types of applications to exist (instead of having some asininely draconian filtering process like some ‘other’ phone provider).

Details of this month’s Patch Tuesday updates are here: http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx. This month, we get a fairly light load of patches for Windows and Office, but there are a few remote code execution vulnerabilities that are addressed. So, if you run Windows and/or Office, apply these patches as soon as possible. If you’re running Windows XP or Windows Server 2003, you should apply these patches posthaste, as there is a code execution vulnerability affecting the Microsoft Help and Support Center that is currently being exploited in the wild (http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx). Also, don’t forget to restart your system when the updates are finished installing – don’t be lazy like me and hit “postpone” too much!

The .ORG top level domain (TLD) recently received its DNSSEC signature, and now has the ability to provide integrity information about its underlying domains. This is important because it’s the first TLD to get signed. This also means it might be somewhat of a guinea pig, as any uncaught issues or bugs will probably show up when people invariably start trying to break the system. We covered DNSSEC a bit in a previous post, and it is interesting to see how much progress has been made since then. DNSSEC isn’t new. In fact, it’s been around for quite some time in one unfinished form or another. It wasn’t until the Kaminsky DNS cache issue a few years ago that[…]

A beta of HTTPS Everywhere was released today. It’s a collaborative project between the Tor project and the EFF. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. It’s good to see a project like this, especially after giants like Google finally step up and start offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising. One area to[…]

Recently at Gemini we evaluated the basic security implications of deploying a particular large-scale desktop virtualization package. Many people have heard of “virtual machines” that enable you to run different operating systems concurrently on one physical computer. But enterprise virtualization solutions go far beyond that scenario, enabling companies to do everything from streaming specific applications from a server rather than installing them, to having users share the same desktop configuration running on a central server. Companies can even mix and match various types of virtualization in the same environment. The variety of virtualization options means each situation can carry specific security demands. But certain benefits and risks factor into many deployment decisions. On the positive side, virtualization can simplify maintenance and[…]

A couple of weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities. Seemingly in direct response to this outburst, NIST has now released an update to its continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient. One of the[…]