Security & Privacy

Delete yourself from the Web by iPhone

Sometimes, there is truth in advertising. Today's case-in-point: Abine's DeleteMe Mobile, which, as the name suggests, vigorously petitions Internet data brokers to remove personally identifying information from their databases.

Previously only available as a Web service, the app debuts on iOS with an Android version in the works. As CNET reported last year, DeleteMe is a partially human-powered service where Abine employees take on the onerous duty of contacting data brokers on your behalf. That's an important step because many of them have been known to add your data again, just months after removing it, according to … Read more

Homeland Security still advises disabling Java, even after update

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed … Read more

Secret document on FISA snooping law released -- sort of

The Electronic Frontier Foundation has been successful in having a secret document released by the U.S. government, that helps U.S. authorities to interpret the federal snooping law, the Foreign Intelligence Services Act (FISA).

The trouble is, the document is pretty much entirely all redacted. (So much for transparency...)

In a nutshell, last month the U.S. Congress reauthorized the FISA Amendments Act for another five years, allowing the U.S. government and its law enforcement agencies to conduct "unconstitutional surveillance," according to the EFF. However, the law is complicated and lengthy, and there is a "… Read more

Microsoft to patch IE zero-day flaw today

Microsoft will fix a zero-day hole in IE today almost a week after this month's regular Patch Tuesday updates.

Discovered late last month, the vulnerability could allow attackers to gain control of a Windows computer running one of the older versions of IE by directing users to malicious Web sites. In response, Microsoft had suggested several workarounds and even offered a "one-click fix" designed to mitigate the problem, but those were considered temporary solutions.

Today's update will fully resolve the issue, according to Microsoft. Scheduled for rollout at 10 a.m. PT, the fix will be … Read more

Oracle releases software update to fix Java vulnerability

Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

Oracle said the update modifies the way Java interacts with Web applications.

"The default security level for Java applets and … Read more

New malware exploiting Java 7 in Windows and Unix systems

A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows … Read more

Windows RT jailbreak tool unleashed online

Microsoft Windows RT

Windows RT was recently hacked to allow it to run unsigned desktop apps, and now it seems anyone can run that same hack via a simple batch file.

Someone dubbed Netham45 has packaged the hack into a batch file that users can trigger on their Windows RT tablets. That hack enables people to launch unsigned desktop applications compiled for ARM-based RT devices.

The tool takes advantage of a hack revealed earlier this week by someone identified only as clrokr. In a blog, clrokr explained how he was able to change a value in the Windows RT kernel … Read more

California AG issues first-in-U.S. mobile app privacy guidelines

California's attorney general issued long-promised guidelines on mobile privacy today. The "Privacy on the Go (PDF)" report address the varied interests in smartphone and mobile app development, including app developers, carriers, ad networks, and operating system makers.

"We are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process," Attorney General Kamala Harris wrote in an introduction to the guidelines.

Sarah Downey, online privacy analyst at online privacy firm Abine, agreed that it's important to get the various mobile interests focused on … Read more

Java flaw draws Web attacks, reports say

Security researchers have spotted a new vulnerability in the widely used Java software that could give attackers access to your computer.

The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat … Read more