Wednesday, March 31, 2010

Social media, geolocation and privacy, oh my!

http://www.llrx.com/features/geolocation.htm

Nicole L. Black highlights how our net activities are carefully monitored and
meticulously tracked by some of the biggest players, including Google, Amazon,
Apple, Microsoft and Facebook.

Our individual online footprints, from the Web sites we visit, the items we purchase, the people with whom we communicate, to the locations where we access the Internet, are extremely valuable commodities that are increasingly sought after.

Tuesday, March 30, 2010

Please rob me!

by John Pyrik Mar 28, 2010 1:09 PM

When you leave the large cardboard box for your new HDTV at the curb for the garbage men, you are also letting thieves know your house is worth robbing.

When you tell the world you are going somewhere using Twitter or Facebook, you are advertising your home has been left empty.

While new technology such as Google Latitude http://www.google.com/intl/en_us/latitude/intro.html makes it easier to hook up with friends, you may want to think about the potential issues that may arise in giving up your location.

Learn about "Locational Privacy" http://www.eff.org/wp/locational-privacy

Identity 'at risk' on Facebook - Apps steal data

Personal details of Facebook users could potentially be stolen, the BBC technology programme Click has found.

The popular social networking site allows users to add a variety of applications to their profile.

But a malicious program, masquerading as a harmless application, could potentially harvest personal data.

Facebook says users should exercise caution when adding applications. Any programs which violate their terms will be removed, the network said.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

So, to become a victim, you don't have to add the malicious app, you just have to be a friend of someone who has.

The only way to be completely protected from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.

http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm

Sunday, March 28, 2010

Is your PC doing a hacker's dirty work?

The BBC has acquired control of 22,000 home computers as part of an investigation into hi-tech crime.

Check out the site for a short video
http://news.bbc.co.uk/2/hi/programmes/click_online/7938503.stm

Sunday, March 21, 2010

Feds consider going undercover on social networks

March 16, 2010 11:17 AM PDT
by Declan McCullagh

The next friend request you receive might come from the FBI.

The Obama administration has considered sending federal police undercover on social-networking sites, including Facebook, MySpace, and Twitter.

A confidential U.S. Department of Justice presentation (PDF) on social-networking sites made public Tuesday said online undercover work can help agents "communicate with suspects," "gain access to nonpublic info," and "map social relationships."

Federal police agencies organized under the Justice Department include the FBI, the U.S. Marshals, the Drug Enforcement Administration, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives.

The 33-page presentation noted that Twitter has a "stated policy of producing data only in response to legal process," while saying Facebook is "often cooperative with emergency requests."

By contrast, an IRS document about social-networking sites was more cautious about Internet undercover work. It says agents are allowed to conduct Internet searches for taxpayers and review information from public Web sites--but that they are not allowed to "misrepresent your identify (sic) or obtain information from a Web site using a fictitious identity to register."

That advice appears to apply to routine investigations. In some cases, as CNET reported in late 2008, Congress has authorized undercover IRS agents to run businesses for an extended sting operation, to open their own personal bank accounts with U.S. tax dollars, and so on.

For years, FBI agents have gone undercover on the Web for child porn sting operations. One technique that the bureau has used involves logging in to a discussion forum, posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

One possible hurdle that the lawyers at the Justice Department noted in their presentation, which was given by John Lynch and Jenny Ellickson, both attorneys in the department's Computer Crime and Intellectual Property Section, is the possibility of violating a Web site's terms of service, if an agent lies about his identity.

This is called prosecutors being too clever by half: in the Lori Drew case, the Justice Department claimed (PDF) that violating MySpace terms of service was a criminal offense.

The problem today? Many Web sites require that subscribers use their real name. Facebook's terms of service require users to agree not to "create an account for anyone other than yourself without permission." At Twitter, "impersonation is against the terms of service." Even some newspapers such as the Los Angeles Times say "using a name other than your own legal name in association with the submission of user content is prohibited."

A federal judge eventually ruled (PDF) that a strict interpretation of criminal law would be unreasonable, but it remains an unsettled legal question.

"The good example set by the IRS is in stark contrast to the U.S. Marshals and the Bureau of Alcohol, Tobacco, Firearms and Explosives," wrote Marcia Hofmann, an attorney at the Electronic Frontier Foundation, which obtained the documents through the Freedom of Information Act and released them this week. "Neither organization found any documents on social-networking sites in response to EFF's request, suggesting they do not have any written policies or restrictions upon the use of these Web sites."

Update 4:45 p.m. PDT: Andrew Noyes, a spokesman for Facebook, sent me this statement: "Facebook regularly works with law enforcement agencies when they are investigating criminal activity. We have developed materials to help officials understand Facebook and the proper ways to request information from Facebook to aid investigations. We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law." It doesn't quite answer what I asked, which was: "How many law enforcement requests do you folks receive a year, and for what types of stored data do you require a search warrant? Also, under what circumstances do you disclose user data without a valid subpoena or search warrant?"

Monday, March 15, 2010

From my Instructor - John Pyrik

"Investigators not only collect information, they analyze it. This may seem like a trite observation, but we sometimes forget about this aspect of our jobs because analysis becomes such an automatic part of the work that we do it unconsciously.

Leaving aside (for the time being) the type of analysis done by investigators when they try to fill in the missing pieces of a puzzle, let's focus on analysis as it relates to assessing the reliability of information.

In other words, how do we determine truth from fiction?

This is a daily issue for any investigator dealing with complainants, suspects, and informants. Over time, an experienced investigator develops a heavy-duty "BS detector". Mine, for example, was first developed in the murky world of intelligence and further refined by years dealing with smooth-talking con artists in the securities industry.

The problem most investigators have though is that their "BS detectors" work best when they are interviewing someone, not necessarily when they are reading something. In short, it is usually easier for an experienced investigator to tell someone is lying in person than in print."

For me, I learned the "BS detectors" from my fellow classmates in BCIT over the years. =D

Sunday, March 14, 2010

Quote of the day from CM

"Life is a game, play it....Life is too precious, do not destroy it." - Mother Teresa

Quote of the day from CM

"Experience is a brutal teacher, but you learn. My God, do you learn." - C.S. Lewis

Friday, March 12, 2010

"404 File Not Found"

Get around it by searching archive URL instead...

http://www.webcitation.org/

National Do Not Call List

https://www.lnnte-dncl.gc.ca/insnum-regnum-eng

Register here so they will not call again....I hope

Google Goggles

Crazy stuff!!!
Now you can use pictures to search the web....from your cellphone!!!
http://www.google.com/mobile/goggles/#landmark

Quote of the day from CM

"Oh what a tangled web we weave, when first we practice to deceive." - Sir Walter Scott

Thursday, March 11, 2010

Quote of the day from CM

"If I am what I have, and if I lose what I have, who then am I?" - German Psychologist Erich Fromm

Monday, March 8, 2010

No more facebook stalkings !! -- 2

Awesome read, check out the paper that talks about social networking sites.

http://www.schneier.com/blog/archives/2010/03/de-anonymizing.html

March 8, 2010
De-Anonymizing Social Network Users

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

No more facebook stalkings !! -- 1

Attack Unmasks User Behind The Browser
Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

Feb 23, 2010 | 05:32 PM
By Kelly Jackson Higgins
DarkReading

A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.

The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.

"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.

Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."

Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could be used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.

"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.

Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.

The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.

Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.

There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.

"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says. "The attitude behind this is pretty scary from our maybe naive point of view."

The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.
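The "group fingerprint" idea in the abstract and the DarkReading article above boils down to a set intersection: users who belong to every group a visitor is known to have viewed. The following is an added example (not code from the blog, the paper, or its authors) that measures, from a site operator's or privacy reviewer's side, how identifying public group memberships are; the users, groups and function names are constructed for illustration.

```python
# Added example: k-anonymity style check of how unique a user's set of group
# memberships is. Constructed data only; nothing here reads browser history.
from collections import defaultdict
from typing import Dict, Set

# Constructed sample: user -> ids of the public groups they belong to.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"g1", "g2", "g3"},
    "bob":   {"g1", "g2"},
    "carol": {"g1", "g2"},
    "dave":  {"g2", "g4"},
    "erin":  {"g5"},
    "frank": {"g5"},
    "grace": {"g5"},
    "heidi": set(),   # uses no groups, so has no group fingerprint
}


def invert(memberships: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """group id -> set of members, i.e. what a crawl of public groups yields."""
    members: Dict[str, Set[str]] = defaultdict(set)
    for user, groups in memberships.items():
        for g in groups:
            members[g].add(user)
    return members


def candidates(fingerprint: Set[str], group_members: Dict[str, Set[str]]) -> Set[str]:
    """Users belonging to every group in the fingerprint (the intersection)."""
    if not fingerprint:
        return set()
    sets = [group_members.get(g, set()) for g in fingerprint]
    result = set(sets[0])
    for s in sets[1:]:
        result &= s
    return result


def fingerprint_report(memberships: Dict[str, Set[str]]):
    """Candidate-set size each group-using user's own fingerprint produces.

    Returns (fraction uniquely identified, largest candidate set, per-user sizes),
    the same kind of figures the paper reports for Xing (42% unique, etc.).
    """
    group_members = invert(memberships)
    per_user: Dict[str, int] = {}
    for user, groups in memberships.items():
        if groups:  # users without groups cannot be fingerprinted this way
            per_user[user] = len(candidates(groups, group_members))
    unique = sum(1 for n in per_user.values() if n == 1)
    return unique / len(per_user), max(per_user.values()), per_user


def at_risk(memberships: Dict[str, Set[str]], k: int) -> Set[str]:
    """Users whose group fingerprint narrows them to fewer than k candidates."""
    _, _, per_user = fingerprint_report(memberships)
    return {user for user, n in per_user.items() if n < k}


if __name__ == "__main__":
    frac, worst, sizes = fingerprint_report(MEMBERSHIPS)
    print(f"uniquely identifiable: {frac:.0%}, largest candidate set: {worst}")
    print("below k=2:", sorted(at_risk(MEMBERSHIPS, 2)))
```

Users flagged by `at_risk` are the ones the article's workaround advice (private browsing, or the site not exposing group ids in URLs) matters most for.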

Quote of the day from CM

"Oh what a tangled web we weave, when first we practice to deceive." -Sir Walter Scott

Canadian paper money going plastic!!!

Finally...the new bank notes gonna be cool (just like the ones from Hong Kong)

http://www.680news.com/news/national/article/32514--canadian-paper-money-going-plastic

By: Jaime Pulfer

It'll last longer, be harder to copy and be better for you.

The federal finance minister has announced our paper money is going to be replaced with polymer bills.

The bills will feel different, but they'll last up to three times longer.

Next year our cotton paper bills will be replaced with a synthetic polymer.

Several countries including Australia have already started using the plastic money.

It costs more to print but overall the hardiness of the bills will reduce the cost because we won't have to print as many.

It also means our currency will be less grubby.

The smooth surface will carry around less dirt.

It won't absorb sweat and other liquids and will be more germ-resistant.

The money will also be waterproof, so leaving that $20-bill in the pocket of your jeans and putting them through the wash won't be as devastating.

The Bank of Canada said new bills will contain more elaborate security features, including clear windows, making them harder to counterfeit.

Sunday, March 7, 2010

Quote of the day from CM

"Show me a hero, and I will write you a tragedy." - F. Scott Fitzgerald

Saturday, March 6, 2010

Quote of the day from CM

"When a father gives to his son, both laugh; when his son gives to his father, both cry." -William Shakespeare

Friday, March 5, 2010

Quote of the day from CM

"Hope is the worst of evils, for it prolongs the torments of man." - Friedrich Nietzsche

Thursday, March 4, 2010

Quote of the day from CM

"Hope is the thing with feathers, that perches in the soul, and sings the tune without the words, and never stops at all." - Emily Dickinson

Windows XP users: Don't press F1

By Christopher Null

If you're browsing the web today and see a notice that you should press the F1 key (the traditional button used to get "help" in any application), don't do it.

Microsoft is warning of a brand new exploit that can cause computers running Windows XP and using the Internet Explorer web browser to become infected with malware at the push of a button: Specifically, the F1 button.

The flaw is part of the way Visual Basic and Windows Help are implemented within IE, the upshot being that a clever hacker can code a dialog box that will allow the running of any code the hacker wants. Traditionally this means installing any kind of malware or virus on the victim's PC that a hacker desires.

The good news is that this exploit isn't extremely dangerous because it does require user interaction to install itself. Unlike some recent exploits, merely visiting an infected website won't cause harm to your computer: You actually have to "push a button" to be affected.

The bad news is that the F1 button has always been seen as harmless, more so than simply clicking "OK" on the average prompt you might see. When dismissed, the prompt can also be coded to pop up repeatedly, so getting rid of it might not be simple.

Microsoft is advising users that, until a patch can be written and released, users are advised not to press the F1 key while web browsing. No matter how many pop-ups and alerts a user receives, as long as F1 is not pressed this attack will not succeed.

Microsoft has not announced a timeline for the fix, but its next patch release is due on March 9. Hang tight, but don't ask for "help."


Another M$ pos.....