How to browse the Internet safely at work

Credit to Author: Jovi Umawing| Date: Tue, 05 Feb 2019 16:00:44 +0000

This Safer Internet Day, we’re presenting a guideline to employees on how to navigate the online trenches safely, whether they’re on their desktop computers, company-owned laptops, or mobile devices. Who wants to be the one responsible for a breach? No one.




The post How to browse the Internet safely at work appeared first on Malwarebytes Labs.


Chrome bug that lets sites secretly record audio and video is not a flaw, Google says

Credit to Author: Darlene Storm| Date: Wed, 31 May 2017 06:31:00 -0700

If your web browser was recording audio and video of you without any indication it was doing so, would you consider that invasion of privacy a security issue? Chrome doesn’t.

After AOL web developer Ran Bar-Zik discovered that a website can record audio and video without the red recording light appearing on the Chrome tab, he reported the bug.

But since users are the crux of the problem, Google doesn’t classify it as a security flaw. That’s because a user has to give a site permission to access the user’s webcam or microphone before it can make any audio or video recordings.


Google patches Chrome bug from fizzled Pwn2Own hack

Credit to Author: Gregg Keizer| Date: Thu, 30 Mar 2017 12:03:00 -0700

Google yesterday updated Chrome to patch several vulnerabilities, including a bug in the browser’s JavaScript engine that a Chinese team tried to exploit at a recent hacking contest.

The update to version 57.0.2987.133 contained fixes for five vulnerabilities, one marked “Critical” — the most serious rating in Google’s system — and the others tagged “High.”

Of the four vulnerabilities ranked High, one was attributed to “Team Sniper,” one of five groups from Chinese company Tencent Security that participated in this year’s edition of Pwn2Own, one of the world’s best-known hacking contests. Pwn2Own ran March 15-17 alongside the CanSecWest conference in Vancouver, British Columbia.


LastPass fixes serious password leak flaws

Credit to Author: Lucian Constantin| Date: Wed, 22 Mar 2017 14:21:00 -0700

Developers of the popular LastPass password manager rushed to push out a fix to solve a serious vulnerability that could have allowed attackers to steal users’ passwords or execute malicious code on their computers.

The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service’s users for Google Chrome, Mozilla Firefox and Microsoft Edge.

According to a description in the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands used by the extension to copy passwords or fill in web forms using information stored in the user’s secure vault.


Mozilla beats rivals, patches Firefox's Pwn2Own bug

Credit to Author: Gregg Keizer| Date: Mon, 20 Mar 2017 17:26:00 -0700

Mozilla last week patched a Firefox vulnerability just a day after it was revealed during Pwn2Own, the first vendor to fix a flaw disclosed at the hacking contest.

“Congrats to #Mozilla for being the first vendor to patch vuln[erability] disclosed during #Pwn2Own,” tweeted the Zero Day Initiative (ZDI) Monday. ZDI, the bug brokerage run by Trend Micro, sponsored Pwn2Own.

Mozilla released Firefox 52.0.1 on Friday, March 17, with a patch for the integer overflow bug that Chaitin Security Research Lab leveraged in an exploit at Pwn2Own on Thursday, March 16. The Beijing-based group was awarded $30,000 by ZDI for the exploit, which combined the Firefox bug with one in the Windows kernel.


Google discloses unpatched IE flaw after Patch Tuesday delay

Credit to Author: Lucian Constantin| Date: Fri, 24 Feb 2017 10:44:00 -0800

Google’s Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google’s 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month’s Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a “last minute issue” that could have had an impact on customers, but the company hasn’t clarified the nature of the problem.


True privacy online is not viable

Credit to Author: Evan Schuman| Date: Tue, 21 Feb 2017 03:00:00 -0800

Privacy-concerned consumers desperately want a magic bullet, some simple thing they can use that will protect their identities and their web activity. And although there are a plethora of offerings today that make such a claim — VPNs, privacy-focused browsers such as Tor, privacy search engines such as DuckDuckGo, quite a few services that claim to anonymize anyone’s activity — the practical realities of human behavior make such privacy claims bogus.

Let me stress that almost all of these services do indeed help a person remain anonymous from the casual, untrained observer (the typical roommate, spouse, co-worker, boss, etc.). But any consumer who thinks that these tools will thwart a law enforcement agent, motivated cyberthief or identity thief, or anyone who is willing to spend the time to track you down is in for unhappiness.


JavaScript-based attack simplifies browser exploits

Credit to Author: Lucian Constantin| Date: Wed, 15 Feb 2017 10:13:00 -0800

Researchers have devised a new attack that can bypass one of the main exploit mitigations in browsers: Address space layout randomization (ASLR). The attack takes advantage of how modern processors cache memory and, because it doesn’t rely on a software bug, fixing the problem is not easy.

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) unveiled the attack, dubbed AnC, Wednesday after having coordinated its disclosure with processor, browser and OS vendors since October.

ASLR is a feature present in all major operating systems. Applications, including browsers, take advantage of it to make the exploitation of memory corruption vulnerabilities like buffer overflows more difficult.


Cisco starts patching critical flaw in WebEx browser extension

Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.

The company released a patched version of the extension — 1.0.7 — for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.

The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx extension exposed functionality to any website that had “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL or inside an iframe. Some of that WebEx functionality allowed for the execution of arbitrary code on computers.
