Category Archives: Security

Still haven’t disabled Java in your web browser?

Java security: Still an issue for web browsers

According to US-CERT Alert TA13-010A, a major vulnerability in how Java 7 restricts the permissions of Java applets could allow attackers to run arbitrary commands on a vulnerable computer system. All web browsers still using Java 7 plug-ins are affected; we recommend that you disable Java in your web browser(s) now if you have not done so already. The Java Deployment Toolkit plug-in and Java Web Start could also potentially be used to attack insecure PCs.

Online attackers have wasted no time seizing on a critical vulnerability in Oracle’s Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux.

So far, all of the exploits reported to be in the wild attack Windows PCs, but according to Errata Security CTO David Maynor, it’s not hard to exploit Mac and Linux machines that have the latest version of Java from Oracle installed. Neither platform has it installed by default, however. The vulnerability has nothing to do with JavaScript.
(Source: Attack targeting critical Java bug added to hack-by-numbers exploit kit, Ars Technica Risk Assessment, Security, and Hacktivism)

Given the potential seriousness and pervasiveness of the attacks—and Oracle’s reputation for being slow on the draw in response to Java vulnerabilities—experts say that everyday Internet users should probably just disable Java entirely. Like, right now.

"Java has been the most exploited program for well over a year now and it simply isn’t worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."

That’s not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says. Sadly, it does mean that my old favorite Java game, Voodoo Bowl, is out of the question.
(Source: Why You Should Probably Disable Java on Your Browser Right Now, Slate [Dec 2012])

How to disable Java in your web browser

Here are basic instructions on how to disable Java in popular web browsers.

How to disable Java in Firefox web browser

In Firefox, select Tools from the main menu, then select Add-ons, then click the Disable button next to any listed Java plug-ins.

How to disable Java in Google Chrome web browser

In Google Chrome, type chrome://plugins into your browser’s address bar, then click the Disable button which should appear beneath any offending Java plug-ins.

How to disable Java in Safari web browser

In Safari, tap Safari (main menu bar), then hit Preferences, then the Security tab and uncheck the button next to Enable Java.

NOTE: If your browser was not listed above and you are not sure how to disable Java in your web browser(s), you’ll find plenty of instructions by Googling “How to disable Java in [your web browser].”

If you are still using IE (Microsoft Internet Explorer) then we must ask, Why on earth are you still using it?

Switch to Google Chrome or Mozilla Firefox, already!

Hey, it’s just a suggestion. Happy computing… and thanks for visiting!

Resources: Still haven’t disabled Java in your web browser?

Tor Project: Security and anonymity

Possibilities for anonymous email & anonymous blogging

These are notes I took as I poked around to discover how much trouble it would be to create a reasonably anonymous email and a reasonably anonymous blog. The Tor Project stood out. The security level need not be too high; I was mainly interested in keeping average and slightly above average users from being able to quickly determine the identity of the blogger.

Tor Project

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Tor overview

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor’s hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Why you need Tor

Using Tor protects you against a common form of Internet surveillance known as “traffic analysis.” Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you’re traveling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.

How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that’s an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you’re doing and, possibly, what you’re saying. That’s because it focuses on the header, which discloses source, destination, size, timing, and so on.

A basic problem for the privacy minded is that the recipient of your communications can see that you sent it by looking at headers. So can authorized intermediaries like Internet service providers, and sometimes unauthorized intermediaries as well. A very simple form of traffic analysis might involve sitting somewhere between sender and recipient on the network, looking at headers.
Source: https://www.torproject.org/about/overview.html.en
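
To make the header-versus-payload point in the Tor overview concrete, the following is an added example (not part of the original post or of the Tor Project's text). It builds a small constructed capture of IPv4/TCP packets whose payloads are random bytes standing in for encrypted data, then shows the source, destination, size and timing an on-path observer can still read from the headers alone. All addresses, ports and function names are assumptions chosen for illustration.

```python
import ipaddress
import os
import struct
from collections import defaultdict

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (checksums left at 0; sample data only)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def read_headers(packet):
    """Return what an on-path observer can read without touching the payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "dport": dport,
        "payload_bytes": total_len - ihl - data_offset,
    }

def summarize(capture):
    """Aggregate (timestamp, packet) pairs into per-flow metadata."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, pkt in capture:
        h = read_headers(pkt)
        f = flows[(h["src"], h["dst"], h["dport"])]
        f["packets"] += 1
        f["bytes"] += h["payload_bytes"]
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    return dict(flows)

# Constructed capture: random bytes stand in for encrypted payloads.
CAPTURE = [
    (0.0, build_packet("192.0.2.10", "198.51.100.25", 50000, 443, os.urandom(517))),
    (0.4, build_packet("192.0.2.10", "198.51.100.25", 50000, 443, os.urandom(1200))),
    (9.1, build_packet("192.0.2.10", "203.0.113.7", 50001, 443, os.urandom(90))),
]

if __name__ == "__main__":
    for flow, meta in summarize(CAPTURE).items():
        print(flow, meta)
```

The summary never reads a payload byte, yet it reports who contacted whom, how much was sent and when, which is the metadata Tor is designed to separate from the sender.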

Resources: Anonymous email, anonymous blogging

Andy Baio: Think You Can Hide, Anonymous Blogger? Two Words: Google Analytics – Wired
http://www.wired.com/epicenter/2011/11/goog-analytics-anony-bloggers/all/1
Hide My Ass – Anonymous Email – Free disposable email service for receiving emails anonymously
http://hidemyass.com/anonymous-email/
Google Analytics A Potential Threat to Anonymous Bloggers – Waxy
http://waxy.org/2011/11/google_analytics/
How to Blog Anonymously Using TOR
http://www.movements.org/how-to/entry/blog-anonymously/
How to make an anonymous blog (Part 2) – Jay Whale
http://www.jaywhale.com/how-to-make-an-anonymous-blog-part-2
A Technical Guide to Anonymous Blogging: Security measures for hiding your identity online – Tech Soup
http://www.techsoup.org/learningcenter/internet/page6042.cfm
How To Send Anonymous Emails – Tech Cast
http://www.techatlast.com/send-anonymous-emails

Resources: Tor

Tor Project
https://www.torproject.org/index.html.en
Tor for Windows 2.2.35-5
http://fileforum.betanews.com/detail/Tor-for-Windows/1124170844/1
Internet Tool Downloads: Tor – PC World
http://www.pcworld.com/downloads/file/fid,64951-order,4/reviews.html

This post was started on Monday, February 13, 2012.

Encrypt your sensitive data with TrueCrypt freeware

Most people probably have at least a few sensitive files on their computers, whether at home, work, or elsewhere. I’d also venture to guess that most people are not very security-minded, and thus have not taken the extra step of encrypting those sensitive digital assets – often because a faulty assumption is made: that encryption is too difficult, too risky, too expensive, or too something.

Enter TrueCrypt: Virtually idiot-proof encryption freeware! Yes, TrueCrypt is both high quality and open source; it’s excellent AND free.

I downloaded TrueCrypt and will be installing it shortly. I’m not going to write instructions (this time at least, as I often do for technical procedures that I recommend to others) that explain how to encrypt your sensitive files with TrueCrypt, simply because someone else has already written detailed instructions for absolute beginners, even showing screenshots of the exact steps on how to use TrueCrypt to set up your securely encrypted drive or volume. Excellent: I’ll probably need it.

Be sure to check out the Introduction to TrueCrypt and the Beginner’s Tutorial.

There are some excellent articles about using TrueCrypt in the Resources section (below). It did not take long for this blogger to determine that TrueCrypt is for real, that it is simple enough for beginners to use, and that notably reputable techies are both using TrueCrypt themselves and recommending it to others.

If you would like to check out additional articles about using TrueCrypt, well, you know exactly how and where to find them. Happy trails!

Resources: Secure encryption with TrueCrypt open source software

Sunday, November 20, 2011