Thursday, January 28, 2016

Data Privacy Day Is Today and Every Day! #PrivacyAware


The official Data Privacy Day theme is Respecting Privacy, Safeguarding Data and Enabling Trust.  Everyone needs to be concerned with protecting their privacy not only on Data Privacy Day but every day.

Below is an update of information I have provided previously on protecting your data privacy, with additional references included.  Take a closer look at why you would want to safeguard your data and steps we can all take for keeping our data safe.

Data

What information do you store on your computer?

Home computers have rapidly become the storage place not only for personal correspondence but also for financial data, including bank records and government tax return forms.  This information in the wrong hands can, and does, result in identity theft.  To learn how to encrypt folders on your computer that contain sensitive information, see the Windows Help article, Encrypt or decrypt a folder or file.

What information do you share on social network sites?

Facebook is one of the largest social network sites where people connect with not only friends and family but also acquaintances.  These acquaintances may be people they "met" at other sites, forums or through friends and family.  However, they are only known virtually.

Not only is the information you share on sites like Facebook data, so is your home town, where you went to school, when you graduated, your birth date, address and telephone number as well as names and birth dates of family members.  If this information is public, it is the very information that identity thieves can use.

What about your smart phone?

Do you check in at every location as you go about your daily travels and share it on Twitter or Facebook?  Do you announce and document business or family trips?

Is your browser tracking your activities?

Check the settings in your browser of choice.

Information stored on your computer or shared on social networking sites includes data that needs to be safeguarded to protect your privacy.

Safeguarding Data

The message about having up-to-date antivirus software and a firewall has been well received by home computer users.  When helping with malware removal, it has been a very long time since I have seen a computer without antivirus software and a firewall.  Computer users are also getting much more conscientious about installing security updates and keeping third-party software updated.

This is all good news, but malware writers are very clever and manage to find a way to infect computers.  In addition to the standard antivirus, firewall and updating, what else can you do to safeguard your data?

In addition to keeping your computer and software programs updated, following are some general suggestions for protecting the data on your computer:
  1. Protect your wireless router with a strong password.
  2. Don't open e-mail, instant message or Facebook attachments you are not expecting.
  3. Do not click anywhere on a pop-up or warning from a program you did not install.  Use the keyboard shortcut Alt + F4 to close the window.
  4. Pay close attention when installing software.  Do not blindly click through the screens or you may end up with more than you expected.
  5. Whenever possible, only download software programs from the vendor site.  Keep in mind that free is not always free.
  6. Always scan any file you download from the Internet.
  7. Have a back-up plan in place, particularly for documents, pictures and other files that cannot be replaced. 
  8. Use a complex password, not a "dictionary word" or family name.

What about safeguarding the data you share on social networking sites like Facebook?

Facebook makes it easy to connect and share information with friends and family.  However, it is critical to ensure that you are not openly sharing personal information that could make you a target of identity theft.

See this excellent guide by Sophos, Facebook Security Best Practice, which not only covers information and setting recommendations but also explains the reasoning for the recommendations. 

Another resource that is helpful for Facebook users is Facecrooks, a source for not only privacy information but also the latest hoaxes that regularly circulate on Facebook. 

A few easy steps will keep the data on your computer and the information you share both secure and private.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Tuesday, January 26, 2016

Pale Moon Version 26.0.0 Milestone Release!



Pale Moon has been updated to version 26.0.0.  This is a milestone update as Pale Moon is now building on the new Goanna engine instead of Gecko.  


Note:  Although there has been extensive testing of this release, it is still possible to run into some website compatibility issues (usually because of websites doing useragent sniffing) and some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at the Pale Moon Forums, since this is usually not something Pale Moon developers can assist with.

Security updates:
  • Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES.
  • Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter.
  • Distrusted several root certificates in accordance with security best practice.
  • Aligned cookie acceptance with RFC 6265 §4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them.
  • Removed several hazardous modules like the maintenance service and the identity module.
  • Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually.
For information on included fixes/changes, see the Release Notes.
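
For web designers following up on the RFC 6265 §4.1.1 note above, here is one way to check cookie names and values before a browser rejects them. This is an added example, not code from Pale Moon or from this blog; the function names, verdict labels and sample headers are made up for illustration, and the "tolerated" rule is only an assumed reading of the spaces-and-double-quotes exception described in the release notes.

```javascript
// Added example: classify Set-Cookie values against RFC 6265 section 4.1.1.

// cookie-name is an RFC 2616 token: visible ASCII minus the separators
// ( ) < > @ , ; : \ " / [ ] ? = { } and with no space or tab.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const OCTET = "\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E";

// cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
const STRICT_VALUE = new RegExp(`^(?:[${OCTET}]*|"[${OCTET}]*")$`);

// Assumption: the transitional exception is modelled as cookie-octet plus
// SP (%x20) and DQUOTE (%x22) anywhere in the value.
const LENIENT_VALUE = new RegExp(`^[${OCTET}\\x20\\x22]*$`);

function classifyCookie(setCookieValue) {
  // Only the cookie-pair before the first ";" is checked; attributes such as
  // Path or HttpOnly are ignored. Nothing is trimmed, because the grammar
  // allows no padding around the name or the value.
  const pair = setCookieValue.split(";", 1)[0];
  const eq = pair.indexOf("=");
  if (eq < 0) return { name: pair, value: "", verdict: "invalid-pair" };

  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  if (!TOKEN.test(name)) return { name, value, verdict: "bad-name" };
  if (STRICT_VALUE.test(value)) return { name, value, verdict: "compliant" };
  if (LENIENT_VALUE.test(value)) {
    // Accepted under the current exception, but not RFC compliant.
    return { name, value, verdict: "tolerated-for-now" };
  }
  return { name, value, verdict: "bad-value" };
}

// Returns only the headers that need attention.
function auditCookies(headers) {
  return headers
    .map((header) => ({ header, ...classifyCookie(header) }))
    .filter((result) => result.verdict !== "compliant");
}

// Constructed sample Set-Cookie values (not taken from any real site).
const SAMPLE = [
  "sessionid=abc123; Path=/; HttpOnly", // plain token name and value
  'theme="dark"; Path=/',               // whole value quoted: allowed
  "greeting=hello world",               // space inside the value
  'pref=a"b',                           // stray double quote in the value
  "user name=bob",                      // space in the cookie name
  "list=a,b,c",                         // comma is not a cookie-octet
  "dir=C:\\temp",                       // backslash is not a cookie-octet
];

for (const r of auditCookies(SAMPLE)) {
  console.log(`${r.verdict.padEnd(18)} ${r.header}`);
}
```

Anything reported as "tolerated-for-now" is worth fixing at the same time as the outright failures, since the release notes say the exception will be tightened.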

Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:
Other versions:

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

















    Firefox 44 Released With Security Updates


    Mozilla sent Firefox Version 44.0 to the release channel.  The update includes three (3) critical, one (1) high, six (6) moderate and one (1) low security updates.

    Firefox ESR was updated to version 38.6.0.

    Fixed in Firefox 44



    What’s New

    New

    • Improved warning pages for certificate errors and untrusted connections
    • Enable H.264 if system decoder is available
    • Enable WebM/VP9 video support on systems that don't support MP4/H.264
    • In the animation-inspector timeline, lightning bolt icon next to animations running on the compositor thread
    • Support the brotli compression format via HTTPS content-encoding
    • Screenshot commands allow user choice of pixel ratio in Developer Tools

    Fixed

    • Windows XP and Vista screensaver doesn't disable when watching videos (Bug 1193610)

    Changed

    • To support unicode-range descriptor for webfonts, font matching under Linux now uses the same font matching code as other platforms
    • Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
    • Firefox has removed support for the RC4 cipher
    • Firefox will no longer trust the Equifax Secure Certificate Authority 1024-bit root certificate or the UTN - DATACorp SGC to validate secure website certificates
    • Stricter validation of web fonts
    • On-screen keyboard support temporarily turned off for Windows 8 and Windows 8.1














    Tuesday, January 19, 2016

    Oracle Java Quarterly Critical Security Update, January 2016



    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software and, once again, released a subsequent update that includes "bug fixes". 

    Unwanted "Extras"

    Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

    Do the following to suppress the sponsor offers:
    1. Launch the Windows Start menu
    2. Click on Programs
    3. Find the Java program listing
    4. Click Configure Java to launch the Java Control Panel
    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

    Windows XP

    For information on Java support for Windows XP, organizations and individuals who must continue using Windows XP and have Java installed are referred to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

    Update

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    Download Information

    Download link:  Java SE 8u71

    Java SE 8u72 can be found here.  Select the appropriate version for your operating system.

    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Notes:
    • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
    • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets.

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 19 April 2016
    • 19 July 2016
    • 18 October 2016
    • 17 January 2017

    Java Security Recommendations

    For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.


    3)  If you use Firefox or Pale Moon, install NoScript and only allow Java on those sites where it is required.

    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml




    Adobe Flash Player Update


    Adobe has released Version 20.0.0.286 of Adobe Flash Player for Microsoft Windows and Macintosh.  The update is to address important functional issues impacting Flash Player users.


    Google Chrome and Windows 8.x/10 Internet Explorer and Microsoft Edge will receive the update through the Google and Microsoft update mechanisms.

      Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 

        Notes:
        • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
        • Uncheck any toolbar offered with Adobe products if not wanted.
        • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
        • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.






        Tuesday, January 12, 2016

        Adobe Reader Quarterly Security Update

        Adobe has released the quarterly security update for Adobe Reader and Acrobat XI for Windows and Macintosh. The update addresses numerous critical vulnerabilities and should be installed as soon as possible.

        Release date: January 12, 2016
        Vulnerability identifier: APSB16-02
        CVE numbers:  CVE-2016-0931, CVE-2016-0932, CVE-2016-0933, CVE-2016-0934, CVE-2016-0935, CVE-2016-0936, CVE-2016-0937, CVE-2016-0938, CVE-2016-0939, CVE-2016-0940, CVE-2016-0941, CVE-2016-0942, CVE-2016-0943, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946, CVE-2016-0947
        Platform: Windows and Macintosh

        Update or Complete Download

        Update checks can be manually activated by choosing Help > Check for Updates.
          Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

          End of Support:  Adobe Acrobat X and Adobe Reader 

          Adobe Acrobat X and Adobe Reader X are no longer supported (see here). Adobe recommends Adobe Acrobat DC (FAQ) and Adobe Acrobat Reader DC (FAQ).  However, another alternate is available to replace Adobe Reader 

          If you are still using Windows XP and have Adobe Reader installed, please note that there will be no additional security updates for it.  I suggest uninstalling it and installing an alternate reader.  Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.

          Enable "Protected View"

          Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

          To enable this setting, do the following:
          • Click Edit > Preferences > Security (Enhanced) menu. 
          • Change the "Off" setting to "All Files".
          • Ensure the "Enable Enhanced Security" box is checked. 

          Adobe Protected View
          Image via Sophos Naked Security Blog







          Microsoft Security Bulletin Release for January, 2016


          Microsoft released nine (9) bulletins.  Six (6) bulletins are identified as Critical and the remaining three (3) are rated Important in severity.

          The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Visual Basic and Microsoft Silverlight.

          Details about the 25 CVEs can be found in the below-referenced TechNet Security Bulletin.  If you are prioritizing updates, the most critical appears to be MS16-005, which indicates "more severe of the vulnerabilities could allow remote code execution if a user visits a malicious website".  Attention is also directed to MS16-001, which has the last updates for versions of Internet Explorer that have reached end of support.

          Critical:
          • MS16-001 -- Cumulative Security Update for Internet Explorer (3124903)
          • MS16-002 -- Cumulative Security Update for Microsoft Edge (3124904)
          • MS16-003 -- Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540)
          • MS16-004 -- Security Update for Microsoft Office to Address Remote Code Execution (3124585)
          • MS16-005 -- Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584)
          • MS16-006 -- Security Update for Silverlight to Address Remote Code Execution (3126036)

          Important:
          • MS16-007 -- Security Update for Microsoft Windows to Address Remote Code Execution (3124901)
          • MS16-008 -- Security Update for Windows Kernel to Address Elevation of Privilege (3124605)
          • MS16-010 -- Security Update in Microsoft Exchange Server to Address Spoofing (3124557)

          Additional Update Notes

          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.








            Saturday, January 02, 2016

            Another Adobe Flash Player Update!


            Adobe released a quick update only for the ActiveX version of Flash Player for IE on Windows 7 and earlier to version 20.0.0.270.  The update was to address a problem with Flash Player improperly loading in applications that have it embedded.

            Google Chrome and Windows 8.x/10 Internet Explorer or Microsoft Edge will receive the update through the Google and Microsoft update mechanisms. There is no update for the plug-in version.

              Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 

              Notes:
              • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
              • Uncheck any toolbar offered with Adobe products if not wanted.
              • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
              • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

              Verify Installation

              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

              Do this for each browser installed on your computer.

              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.





              Friday, January 01, 2016

              A New Year's Wish and Microsoft MVP

              The beginning of a new year tends to spark good intentions by many people to make changes in their lifestyle, to do more of something or less of other things.  Whatever your plan for the new year is, I wish friends, family and Security Garden readers a very happy, healthy and successful 2016.

              For myself, the new year has become more than a celebration of the beginning of a new year.  It has included the excitement of receiving a special email from Microsoft.  Although nothing can beat the incredible feeling of the first time that email is received, it does continue to be very rewarding to know that the efforts spent in sharing information and helping people clean their infected computers have been recognized.  So, thank you, Microsoft and MVPGA for the Microsoft MVP Award!



              Dear Corrine Chorney,

              Congratulations! We are pleased to present you with the 2016 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year.


              MVP Award Overview

