When webcams go bad: Students sue school officials for remote spying | Between the Lines | ZDNet.com

Big Brother is coming in more ways than one. Technology is often a two-edged sword. In this case, the school district apparently decided that since it owned the laptops it could control them at all times.

If your laptop computer’s webcam could talk about what it sees, what would it say?

Students of a Pennsylvania school district are hauling educators to court over allegations that administrators remotely activated the webcams on school-issued laptops and used that remote access to spy on students and their family members. (Techmeme)

The civil suit (PDF) was filed last week against the Lower Merion School District in Ardmore, PA, its board of directors and the Superintendent. It alleges violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Stored Communications Act, the Civil Rights Act, the Fourth Amendment of the U.S. Constitution, the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania Common Law. In part, the suit reads:

Unbeknownst to Plaintiffs and the members of the Class, and without their authorization, Defendants have been spying on the activities of Plaintiffs and Class members by Defendants’ indiscriminate use of and ability to remotely activate the webcams incorporated into each laptop issued to students by the School District. This continuing surveillance of Plaintiffs’ and the Class members’ home use of the laptop issued by the School District, including the indiscriminate remote activation of the webcams incorporated into each laptop, was accomplished without the knowledge or consent of the Plaintiffs or the members of the class.

The suit notes that there are about 1,800 students in the district’s two high schools and that students were each assigned a laptop computer that was purchased, in part, through state and federal grants secured over the past few years. The suit also notes that all of the written documentation that accompanied the laptop made no reference to the district’s ability to remotely activate the embedded webcam.

The issue came to light in November when an assistant principal informed a student about improper behavior in his home and produced a photograph captured from the laptop’s webcam as proof. The suit did not specify the type of activity the student was engaged in.

Because the webcam would capture images of anything in its range, including the actions of other household members and their guests, the plaintiffs in the case extend to family members, as well as the students themselves.

Sam Diaz

Sam Diaz is a senior editor at ZDNet.

via When webcams go bad: Students sue school officials for remote spying | Between the Lines | ZDNet.com.

Simple Passwords Remain Popular, Despite Risk of Hacking – NYTimes.com

If Your Password Is 123456, Just Make It HackMe

By ASHLEE VANCE

Published: January 20, 2010

Back at the dawn of the Web, the most popular account password was “12345.”


Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

via Simple Passwords Remain Popular, Despite Risk of Hacking – NYTimes.com.

There are several password manager programs available that will generate and remember random passwords for different sites and needs. I highly recommend them. The one I use is Roboform. You can read my blog entry about it here: Now What Was That Password Again?
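The Imperva finding above (a small pool of passwords covering a large share of accounts) is easy to measure on any password list. The following is an added example, not code from the Times article, from Imperva or from this blog; the password sample in it is constructed, not the RockYou data, and the `min_count` threshold for the denylist is a choice of my own.

```python
"""Measure how far a short list of common passwords goes against a password set.

Added example, not from the Times article or from Imperva: given plaintext
passwords such as the leaked list the article describes, rank the most
common ones and compute what fraction of accounts an attacker would open by
trying only those few guesses against every account. Passwords that recur in
the set also make a natural denylist for a signup form to check against.
"""
from collections import Counter

# Constructed sample of 40 passwords, skewed the way real leaks are: a few
# weak choices repeated many times and a tail of unique, stronger ones.
SAMPLE_PASSWORDS = (
    ["123456"] * 8 + ["12345"] * 5 + ["password"] * 4 + ["qwerty"] * 3
    + ["abc123"] * 2 + ["iloveyou"] * 2 + ["princess"] * 2
    + ["T7#kq9Lm", "correct-horse-42", "xV3!pa0Z", "Mj8&wq2R", "9hN$eL1t",
       "b6Kp#2Qz", "zR4!nM7c", "Qe2%vB8y", "s0Dk@5Xw", "L1m$9tPo",
       "uY7^rF3a", "gH5*cJ6n", "Wn8(kT2e", "pZ3)bM4s"]
)


def top_passwords(passwords, n):
    """The n most frequent passwords with their counts, most frequent first."""
    return Counter(passwords).most_common(n)


def coverage(passwords, guesses):
    """Fraction of accounts an online guessing attack opens by trying each
    password in `guesses` against every account (no lockout assumed)."""
    guess_set = set(guesses)
    hits = sum(1 for pw in passwords if pw in guess_set)
    return hits / len(passwords)


def top_n_coverage(passwords, n):
    """Coverage obtained from just the n most common passwords in the set."""
    return coverage(passwords, [pw for pw, _ in top_passwords(passwords, n)])


def denylist_from(passwords, min_count=2):
    """Passwords seen at least `min_count` times (threshold is an assumption);
    one-offs are not worth guessing and stay off the list."""
    return {pw for pw, count in Counter(passwords).items() if count >= min_count}


def is_common(candidate, denylist):
    """Signup-time check, case-insensitive so 'Password' is caught as well."""
    return candidate.lower() in {pw.lower() for pw in denylist}


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_PASSWORDS, 5):
        print(f"{pw:<12} {count}")
    print("top-5 coverage:", top_n_coverage(SAMPLE_PASSWORDS, 5))
    weak = denylist_from(SAMPLE_PASSWORDS)
    print("reject '123456'?", is_common("123456", weak))
    print("reject 'T7#kq9Lm'?", is_common("T7#kq9Lm", weak))
```

On this constructed sample the single most common password alone covers 20 percent of accounts, and the five most common cover 55 percent; the point for a site operator is that a lockout policy plus a denylist built from such a frequency table removes most of that exposure without any change to what users are asked to remember.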

Microsoft urges Windows XP users to ditch old Flash version

Microsoft has had it with old versions of Adobe Flash and has issued Security Advisory 979267 to urge users to either uninstall old versions or upgrade to the latest. More specifically, the software giant is asking users to ditch Flash Player 6.0, as the multimedia player plugin contains multiple bugs. Microsoft rarely issues security advisories on third-party products, but since this version of Flash originally came bundled with Windows XP, Microsoft feels it needs to warn its users. Adobe discontinued security support for Flash Player 6.0 in 2006; the current version is Flash 10.0.42.34.

The advisory outlines Microsoft’s stance very clearly, making sure to emphasize that the vulnerabilities only occur with the combination of the old version of Flash and the old version of Windows; other supported versions of Windows do not include Flash. “The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.” The good news is that the advisory says Microsoft is “not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

The security advisory was posted on Patch Tuesday, the same day Microsoft releases security patches for all of its software for the month. This month, though, the company only posted a single bulletin, Microsoft Security Bulletin MS10-001. It affects all supported versions of Windows, but is only rated as “Critical” for Windows 2000 and “Low” for all later versions. As a result, the Adobe Flash flaw is slightly more serious and should take priority.

via Microsoft urges Windows XP users to ditch old Flash version.

Acer Recalls Notebook Computers Due to Burn Hazard


WASHINGTON, D.C. – The U.S. Consumer Product Safety Commission, in cooperation with the firm named below, today announced a voluntary recall of the following products. Consumers should stop using recalled products immediately unless otherwise instructed.

Name of Product: Certain Acer Aspire-series Notebook Computers

Units: About 22,000

Manufacturer: Acer America Corporation, of San Jose, Calif.

Hazard: An internal microphone wire under the palm rest can short circuit and overheat. This poses a potential burn hazard to consumers.

Incidents/Injuries: Acer has received three reports of computers short circuiting, resulting in slight melting of the external casing. No incidents occurred in the United States. No injuries have been reported.

Description: The recalled notebook computer models are the Acer AS3410, AS3410T, AS3810T, AS3810TG, AS3810TZ and AS3810TZG. The computer’s screen size is about 13.3 inches measured diagonally. Not all units are affected. Consumers should contact Acer to determine if their unit is included in the recall.

Sold at: ABS Computer Technologies, D&H Distributing, Fry’s Electronics, Ingram Micro, Radio Shack, SED/American Express, Synnex Corporation, SYX Distribution, Tech Data Corporation and other retailers nationwide and Amazon.com from June 2009 through October 2009 for between $650 and $1,150.

Manufactured in: China

Remedy: Consumers should stop using the recalled notebook computers immediately and contact Acer to determine if their notebook is affected and to receive a free repair.

Consumer Contact: For additional information, contact Acer toll-free at (866) 695-2237 anytime, or visit the firm’s Web site at www.acer.com

via Acer Recalls Notebook Computers Due to Burn Hazard.

Adobe confirms PDF zero-day attacks. Disable JavaScript now | Zero Day | ZDNet.com

Adobe confirms PDF zero-day attacks. Disable JavaScript now | Zero Day | ZDNet.com.

[UPDATE: Adobe plans to patch this issue on January 12, 2010]

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers. According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

  1. There currently is no patch or update available that completely protects against this exploit.
  2. There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.
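The post notes that the script in these PDFs sits inside a zlib stream, which is why a plain search for “/JavaScript” in the file finds nothing. Below is an added example of the kind of triage check a mail gateway or help desk could run on an attachment; it is not code from ZDNet, Adobe or the advisory’s authors, and the PDF it scans is a small constructed sample rather than a real malicious file. It only inflates FlateDecode streams and looks for the JavaScript action markers, which is enough to show the evasion the post describes and how to see through it.

```python
"""Find PDF JavaScript hidden inside compressed (zlib/FlateDecode) streams.

Added example, not from the article or from Adobe: a plain-text grep for
"/JavaScript" misses the malicious PDFs the article describes, because the
script sits inside a zlib-compressed stream. This scanner inflates every
FlateDecode stream and looks for the JavaScript action markers there too.
It is a triage aid for incoming attachments, not an antivirus replacement.
"""
import re
import zlib

# Names that introduce a JavaScript action in a PDF object dictionary.
JS_MARKERS = (b"/JavaScript", b"/JS")

# A stream object: its dictionary (one level of nesting allowed), then the raw
# bytes between the stream/endstream keywords. Sufficient for the hand-made
# sample below; production files need /Length-aware parsing.
STREAM_RE = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL
)


def build_sample_pdf(compress=True):
    """Constructed sample: a one-page PDF whose OpenAction points at a
    JavaScript action stored in object 5. With compress=True the action is
    zlib-deflated, the layout the article says defeats simple signatures."""
    action = b"<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>"
    if compress:
        body = zlib.compress(action)
        header = b"<< /Length %d /Filter /FlateDecode >>" % len(body)
    else:
        body = action
        header = b"<< /Length %d >>" % len(body)
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        + b"5 0 obj\n" + header + b"\nstream\n" + body + b"\nendstream\nendobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def find_javascript(pdf_bytes):
    """Return a list of (location, finding) pairs. Streams that fail to
    inflate are reported too: a broken FlateDecode stream in an attachment
    is worth a look in its own right."""
    hits = []
    # 1. Markers visible in the uncompressed parts of the file.
    outside = STREAM_RE.sub(b"", pdf_bytes)
    for marker in JS_MARKERS:
        if marker in outside:
            hits.append(("plaintext", marker.decode()))
    # 2. Markers inside each stream, after inflating FlateDecode ones.
    for index, (dictionary, raw) in enumerate(STREAM_RE.findall(pdf_bytes), 1):
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                hits.append((f"stream#{index}", "undecodable FlateDecode stream"))
                continue
        for marker in JS_MARKERS:
            if marker in data:
                hits.append((f"stream#{index}", marker.decode()))
    return hits


if __name__ == "__main__":
    sample = build_sample_pdf(compress=True)
    print("naive grep finds /JavaScript:", b"/JavaScript" in sample)
    print("stream-aware scan:", find_javascript(sample))
```

The naive byte search reports nothing on the compressed sample while the stream-aware scan flags both markers in the inflated stream; the same idea extends to the other filters Adobe Reader accepts (ASCIIHex, ASCII85, LZW), each of which needs its own decoder before the search.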

HUGE VIRUS COMING ! PLEASE READ & FORWARD !

Just a note – I posted this in 2009 at this time and I see it’s going around this year again. The e-mail that touts this virus is a hoax.

With a subject line like that, how could I ignore it? I received an e-mail from a friend who asked if this was real. According to the message, Norton, Snopes, CNN, Microsoft and McAfee are all legitimizing this, so it must be true, right? Well, in this case, it’s partially right in that it’s a warning to be careful. However, there are a lot of scare tactics used, which should tell you that the content isn’t true. Read the e-mail message below and I’ll explain myself afterwards.

Hi,

A check made with Norton Anti-Virus indicates that they are gearing up for this virus!

Snopes was checked as well, and it is for real. Get this E-mail message sent around to all your contacts ASAP.

PLEASE FORWARD THIS WARNING AMONG YOUR FRIENDS, FAMILY AND CONTACTS!

You should be alert during the next few days. Do not open any message with an attachment entitled ‘POSTCARD FROM HALLMARK,’ regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C drive of your computer.

This virus will be received from someone who has your e-mail address on his/her contact list. That is the reason why you need to send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it!

If you receive a mail called ‘POSTCARD,’ even if it is sent to you by a friend, do not open it! Shut down your computer immediately. This is the worst virus announced by CNN.

It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS.
REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US

In this case, it says the virus will be delivered via an electronic card. One of the ways that malware can get onto a computer is by clicking on a link or opening an attachment in an e-mail that will then download and try to install the payload. One way that the malware writers try to get you to click on the link is by making it look like it’s an e-card from a friend or family member. That’s been going on for some time. So, that being said, you need to be careful any time and every time you think about clicking on a link in an e-mail, especially if it’s an e-card greeting. Legitimate greetings will tell you to go to a website and enter a code to see the greeting, so you won’t have to click on a link.

Any time you get an e-mail message telling you to pass it on to everyone you know, especially when it claims everyone is preparing for it and Snopes says it’s true (even though in this case Snopes really doesn’t even discuss it), question it. Go to an antivirus website and check their “hot” virus list. McAfee’s Threat Center, Symantec Threat Explorer and the US Government Threat Center will let you know what the current threats are. Then, you can decide whether to pass it on to everyone in your contacts or not.

Consider this with any message that you get “to pass on”. There was a warning from people about Facebook letting Google index everything about you starting that day. I saw the warning in several e-mails, a couple of groups and on Facebook. A little detective work showed that Facebook had actually been doing that for the past 2 years, but not with “everything”, only with what the user has designated to be shared to everyone. What is set to be seen by only friends doesn’t and won’t be indexed.

So, if you receive a warning, take it as such and check the validity. Feel free to e-mail me and I’ll let you know if it’s legitimate or not and if so, what you need to do to protect yourself. Comments?

Shop online? You may have been ripped off – OC Watchdog : The Orange County Register

Shop online? You may have been ripped off

November 18th, 2009, 12:06 pm · posted by Teri Sforza, Register staff writer

So you’re booking your flight, or ordering your movie tickets, or paying for your pizza online. It’s a mainstream web site. No worries.

You type in your credit card information, click the “purchase” button, and enjoy your flight/movie/pizza. But a few months later, mystery charges of $10 to $20 a month appear on your bank statement, for membership in a club you have no memory of joining.

Surprise! You’ve been a victim of consumer fraud – thanks to that web site you trusted.

The practice is pervasive, and has cost unsuspecting consumers $1.4 billion, according to “Aggressive Sales Tactics on the Internet and Their Impact on American Consumers,” an investigative report released Tuesday by the U.S. Senate Committee on Commerce, Science, and Transportation. (You can read the full report here: online-ripoffs; and can find supporting documents here.)

Companies named in the report – and apparently profiting on the scam – include 1-800-Flowers.com, Inc.; AirTran Holdings, Inc.; Classmates.com, Inc.; Continental Airlines, Inc.; FTD, Inc.; Fandango, Inc.; Hotwire, Inc.; Intelius, Inc.; MovieTickets.com, Inc.; Orbitz Worldwide, Inc.; Pizza Hut, Inc.; Priceline.com, Inc.; Redcats USA, Inc.; Shutterfly, Inc.; US Airways Group, Inc.; and VistaPrint USA, Inc. (But that’s not all of them; there are many, many, many more.)

How does the scam work? Consider the experience of Chris Steffen of Los Angeles, who bought movie tickets through Movietickets.com in April 2007.

“I’m not sure how or when this happened and I’m sure part of it is oversight or my own fault,” Steffen wrote in a complaint. “But somehow through the purchasing of movie tickets through your site I was signed up for Reservation Rewards and charged 10 dollars a month membership for multiple months. This means that when I ordered tickets through your service, the cost to me was not only the price of the tickets, but the inadvertent cost of being enrolled in a service plan I was not aware of.”

Read the rest of the article here – Shop online? You may have been ripped off – OC Watchdog : The Orange County Register.

Online Holiday Shopping Tips

The holiday season is approaching quickly and many of us will be shopping online. It’s important that consumers understand the potential security risks and know how to protect themselves and their information.
The following tips are provided to help promote a safe, secure online shopping experience:

  • Secure your computer. Make sure your computer has the latest security updates installed. Check that your anti-virus/anti-spyware software is running and receiving automatic updates. If you haven’t already done so, install a firewall before you begin your online shopping.
  • Upgrade your browser. Upgrade your Internet browser to the most recent version available. Review the browser’s security settings. Apply the highest level of security available that still gives you the functionality you need.
  • Ignore pop-up messages. Set your browser to block pop-up messages. If you do receive one, click on the “X” at the top right corner of the title bar to close the pop-up message. If that doesn’t work, close your browser. Never accept a pop-up window’s notice that your computer is infected. That should only come from your installed and updated anti-virus program. What? You say you don’t have an anti-virus program? Read my previous post on that here.
  • Secure your transactions. Look for the “lock” icon on the browser’s status bar and be sure “https” appears in the website’s address bar before making an online purchase. The “s” stands for “secure” and indicates that the webpage is encrypted. Some browsers can be set to warn the user if they are submitting information that is not encrypted.
  • Use strong passwords. Create strong passwords for online accounts. Use at least eight characters, with numbers, special characters, and upper and lower case letters. Don’t use the same passwords for online shopping websites that you use for logging onto your home or work computer. Never share your login and/or password.
  • Do not e-mail sensitive data. Never e-mail credit card or other financial/sensitive information. E-mail is like sending a postcard and other people have the potential to read it.
  • Do not use public computers or public wireless to conduct transactions. Don’t use public computers or public wireless for your online shopping. Public computers may contain malicious software that steals your credit card information when you place your order. Criminals may be monitoring public wireless for credit card numbers and other confidential information.
  • Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be used, and if it will be shared or sold to others.
  • Make payments securely. Pay by credit card rather than debit card. Credit/charge card transactions are protected by the Fair Credit Billing Act. Cardholders are typically only liable for the first $50 in unauthorized charges. If online criminals obtain your debit card information they have the potential to empty your bank account.
  • Use temporary account authorizations. Some credit card companies offer virtual or temporary credit card numbers. This service gives you a temporary account number for online transactions. These numbers are issued for a short period of time and cannot be used after that period. Read a nice article here on the use of virtual credit cards. Additionally, PayPal offers free disposable credit card numbers. You can read about that here.
  • Select merchants carefully. Limit your online shopping to merchants you know and trust. Confirm the online seller’s physical address and phone number in case you have questions or problems. If you have questions about a merchant check with the Better Business Bureau or the Federal Trade Commission.
  • Keep a record. Keep a record of your online transactions, including the product description and price, the online receipt, and copies of every e-mail you send or receive from the seller. Review your credit card and bank statements for unauthorized charges.

What to do if you encounter problems with an online shopping site:
If you have problems shopping online contact the seller or site operator directly. If those attempts are not successful, you may wish to contact the following entities:

  • the Attorney General’s office in your state
  • your county or state consumer protection agency
  • the Better Business Bureau at: www.bbb.org
  • the Federal Trade Commission at: www.ftc.gov/

For additional information about safe online shopping, please visit the following sites:

Dangerous “unpatchable” flaw discovered in Adobe Flash – TechSpot News

A newly discovered flaw in the Flash suite could put both users and servers at risk, according to some recent reports. Adobe has verified the hole, which lies inside any Flash-based application that allows people to upload their own content. Though some details are omitted, the flaw would allow someone to upload a malicious Flash object to a site, which in turn would be downloaded and processed by people visiting the site. According to one security expert, any site relying on user uploads through Flash could be vulnerable.

Adobe is contending that it is not entirely their issue. Other active scripting could also be made vulnerable, such as JavaScript or Silverlight, along with any site that relies on these to provide a mechanism for users to upload files. Because of that, Adobe said the problem is not fixable through a Flash update. Instead, it is on the shoulders of administrators whose servers use Flash. Adobe also suggests it is the responsibility of app developers to be security-minded and prevent this sort of thing from happening.

This isn’t the first severe Flash flaw to emerge this year. Only a few months ago, a “critical” vulnerability was discovered and published. Earlier in the year, Adobe was tackling a host of other security issues with Flash as well. This newly-discovered vulnerability could prove to be the worst yet — and it doesn’t help that Adobe is claiming the flaw is “unpatchable”. A solution must be discovered, but it may be something that has to happen on a developer, browser or OS level instead of through Flash.

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla’s Firefox, or ToggleFlash for Microsoft’s Internet Explorer.

via Dangerous “unpatchable” flaw discovered in Adobe Flash – TechSpot News and
Flash flaw puts most sites, users at risk, say researchers
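The articles above put the fix on site operators rather than on a Flash update: a site that accepts uploads must not let a Flash object in disguised as something else, and must not serve what users upload from its own origin. The following is an added example of those two server-side controls; it is not code from Adobe, TechSpot or the researchers quoted, the sample upload bytes are constructed header-only stubs, and the `usercontent.example` host name is a placeholder.

```python
"""Validate user uploads so a Flash object cannot be smuggled in as an image.

Added example, not from the TechSpot article or from Adobe: the article says
the fix sits with site operators, not with a Flash update. Two server-side
controls cover it: check that what was uploaded really is the file type the
site expects (by leading bytes, not by extension), and serve anything users
uploaded from a separate origin with headers that stop browsers and plugins
from reinterpreting it. The origin name below is a placeholder.
"""

# Flash file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Image types this hypothetical site accepts, keyed by extension.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME_TYPES = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}

USER_CONTENT_ORIGIN = "https://usercontent.example"  # placeholder, not a real host

# Constructed sample uploads: just enough leading bytes to carry a signature.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_SWF = b"CWS\x0a" + b"\x00" * 16   # a zlib-compressed Flash file header


def sniff(data):
    """Identify the container by its leading bytes; None if unrecognised."""
    if data[:3] in SWF_SIGNATURES:
        return "swf"
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename, data):
    """Return (accepted, reason). Accept only when the extension is an allowed
    image type and the bytes carry that type's signature; Flash is rejected
    outright even when the name says .jpg."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    kind = sniff(data)
    if kind == "swf":
        return False, "Flash object rejected"
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if kind != ext:
        return False, f"content is {kind or 'unrecognised'}, not {ext}"
    return True, "ok"


def user_content_headers(filename, kind):
    """Headers and URL for serving an accepted upload: a separate origin keeps
    anything executable out of the main site's origin, the exact MIME type
    plus nosniff stops browsers guessing a different one."""
    return {
        "Content-Type": MIME_TYPES[kind],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{filename}"',
        "URL": f"{USER_CONTENT_ORIGIN}/{filename}",
    }


if __name__ == "__main__":
    for name, data in [("avatar.png", GOOD_PNG), ("avatar.jpg", DISGUISED_SWF)]:
        accepted, reason = validate_upload(name, data)
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
        if accepted:
            print(user_content_headers(name, sniff(data)))
```

The signature check is the half that blocks the disguise the article describes; the separate origin is the half that limits damage when a check is wrong, since a Flash or script object served from the user-content host does not run with the main site’s cookies or session.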

Fake security software in millions of computers: Symantec by Reuters: Yahoo! Tech

There’s a lot of money to be made in malware. That’s what keeps it going….

WASHINGTON (Reuters) –

Tens of millions of U.S. computers are loaded with scam security software that their owners may have paid for but which only makes the machines more vulnerable, according to a new Symantec report on cybercrime.

Cyberthieves are increasingly planting fake security alerts that pop up when computer users access a legitimate website. The “alert” warns them of a virus and offers security software, sometimes for free and sometimes for a fee.

“Lots of times, in fact they’re a conduit for attackers to take over your machine,” said Vincent Weafer, Symantec’s vice president for security response.

“They’ll take your credit card information, any personal information you’ve entered there and they’ve got your machine,” he said, referring to some rogue software’s ability to rope a user’s machine into a botnet, a network of machines taken over to send spam or worse.

Symantec found 250 varieties of scam security software with legitimate-sounding names like Antivirus 2010 and SpywareGuard 2008, and about 43 million attempted downloads in one year, but did not know how many of the attempted downloads succeeded, said Weafer.

“In terms of the number of people who potentially have this in their machines, it’s tens of millions,” Weafer said.

It was also impossible to tell how much cyberthieves made off with but “affiliates” acting as middlemen to convince people to download the software were believed to earn between 1 cent per download and 55 cents.

TrafficConverter.biz, which has been shut down, had boasted that its top affiliates earned as much as $332,000 a month for selling scam security software, according to Weafer.

“What surprised us was how much these guys had tied into the whole affiliated model,” Weafer said. “It was more refined than we anticipated.”

(Reporting by Diane Bartz; editing by Gunna Dickson)

via Fake security software in millions of computers: Symantec by Reuters: Yahoo! Tech.