Facebook is pushing Timeline out to all 800 million of its users. And there’s no turning back to the “old” profile.

According to a Facebook blog post Tuesday — or rather, an update to the post published when Timeline became available to all users — you will have seven days to preview your Timeline and hide content you don’t want out in the open.

Facebook says you’ll receive a notification at the top of your home page when Timeline has landed in your account. That seven-day preview period is the same for users who activate Timeline and those whose accounts are activated automatically.

Users have seven days to clean up their profiles before their Timeline goes live, transforming the bulletin board-like profile into a visual scrapbook of their lives.

With Timeline, all users are required to add a second, bigger magazine-esque “cover photo” in addition to the profile photo. The profile photo has changed in size from a rectangle or square to a thumbnail that resembles a driver’s license photo. Social apps, which automatically share a user’s activity, are one of Timeline’s key features.

Last week, Facebook rolled out 60 new Timeline apps for food, fitness, entertainment, shopping, fashion, ticketing, job searches, and more. Music streaming service Pandora and “read later” app Instapaper did not join the rollout.

What is your opinion on Timeline?

With more and more online activities and applications, you are faced with usernames and passwords everywhere. Here are some points to remember when setting-up your accounts.

• Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
• Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences.
• Use different passphrases on different web sites – This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites. If you have been using the same password everywhere you should change your password on every site (and make it different this time). That said, many people find this advice hard to implement in practice; which brings me to the next tip…
• Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used KeePass myself).

Summary:

• This vulnerability affects: Adobe Reader and Acrobat X 10.1.1 and earlier, on Windows, Mac, and UNIX computers
• How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
• Impact: An attacker can execute code on your computer, potentially gaining control of it
• What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.2 or 9.5 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

During yesterday’s Patch Day, Adobe released one security bulletin describing six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and earlier, running on all supported platforms.  Adobe doesn’t describe these flaws in much technically detail, but most of them involve memory corruption issues within Reader and Acrobat components. If an attacker can entice you into opening a specially crafted PDF file, he can exploit these types of issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of you machine.

In a previous post, we described an out-of-cycle Adobe update that fixed two zero day vulnerabilities in Reader and Acrobat 9.4.6 and earlier. Those zero day flaws also affect Reader and Acrobat X. However, Adobe decided not to releases the X updates at the time, since they believe that X’s built-in protection mechanisms would prevent attackers from exploiting the flaws in the real world. Today’s Reader update also corrects those two outstanding issues in Reader and Acrobat X.

Solution Path

Adobe has released Reader and Acrobat X 10.1.2 (and 9.5 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

• Adobe Reader X 10.1.2
  • For Windows
  • For Mac
• Adobe Acrobat X 10.1.2
  • Standard and Pro for Windows
  • Pro Extended for Windows
  • Pro for Mac

Like clockwork, Microsoft has posted the first Patch Day of the new year.

As they forewarned in their advanced notification last week, Microsoft released seven security bulletins today, which include six updates for Windows and one update for a Microsoft development tool (specifically an AntiXSS library). They only rate one of the Windows bulletins as Critical, but some of the Important bulletins also fix significant flaws that could allow attackers to execute code (though with more user interaction or difficulty).

One noteworthy aspect of today’s Patch Day is that two of the bulletins fix flaws within some Microsoft security mechanisms. One update fixes a flaw in SafeSEH, a Windows security mechanism that makes it more difficult for attackers to leverage buffer overflow or memory corruption flaws. Another bulletin fixes an information disclosure flaw in AntiXSS, a developer library that Microsoft offers to ASP.NET coders. AntiXSS is essentially an encoding library that helps web developers sanitize user input in their web applications. Sanitizing such input helps prevent your web application from suffering from cross-site scripting (XSS) vulnerabilities.

Though I find the security mechanism issues more interesting, the most severe bulletin in today’s batch corrects two serious issues in Windows’ media handling components. By enticing you to play maliciously crafted media, and attacker could exploit these issues to execute code on your computer, potentially gaining full control of it.

You can learn more about today’s updates in Microsoft’s January summary bulletin, which lists the bulletins from the most to least severe. Microsoft’s severity ratings seem right on to me, this month, so I recommend you apply the updates in that order.

I’ll post a more detail, consolidated Windows alert here, shortly. However, I’ll probably not post a detailed alert about the AntiXSS update,  since I suspect few of our readers and customers use it. That said, if you are a security minded ASP.NET developer that does leverage this library, you should definitely refer to Microsoft’s bulletin for its patch.

I hope everyone had a relaxing and enjoyable Christmas and New Years!

According to their advanced notification post, Microsoft plans to release seven security bulletins on Tuesday, January 11. Six of the bulletins fix flaws in Windows or its components, while the remaining bulletin corrects vulnerabilities in one of Microsoft’s developer tools. Microsoft only rates one of the Windows bulletins as Critical, while the rest are Important.

Microsoft Patch Day has become a bit routine over the years (which is a good thing for a patch cycle), but this one does have a slightly noteworthy addition. One of the Important Windows bulletins fixes a “Security Feature Bypass” vulnerability. These types of vulnerabilities don’t really let attackers gain control of your systems, they just bypass security features that might make it easier for attackers to exploit other flaws. As a security professional, I tend to find flaws in security systems interesting as we can learn from them as an industry (similar to the way that mathematicians hammering public crypto algorithms can result in stronger encryption systems).

As usually, I’d apply Microsoft’s Critical patches first. Lately, the order of severity Microsoft has reported in their summaries has matched mine. So I recommend following their order.

I’ll be able to share more details about Microsoft’s bulletins next Tuesday. Make sure to check back here then.

Over the years, we’ve had to deal with vulnerabilities and weaknesses in wireless security protocols, such as the deprecation of the WEP protocol due to design flaws.  Now, a standard that was designed to make wireless security easier, actually makes it less secure.

For those of you who haven’t heard of Wi-Fi Protected Setup (WPS), it is a standard created by the Wi-Fi Alliance to make it easier for home users to configure security settings on their access points, making the task less foreboding for the non-technical.

In concept, I think this is a great idea. I know many average home users that run open access points simply because they find the tech lingo (WPA2, PSK, AES, TKIP, etc.) too overwhelming, or because they can’t be bothered with strong passwords. Making wireless security easier for the average Joe is noble goal. However, in practice WPS will make your WAP less secure.

According to research by Stefan Viehböck (also discovered independently by another researcher as well), technical flaws in WPS make it embarrassingly simple to brute force a WPS PIN. Without going into too much technical detail, the WPS protocol responds to failed authentication attempts in a way that will both tell you if the first four digits of the PIN are correct, as well as disclose the eighth digit of the PIN. This severely reduces the number of guesses necessary to learn a WPA PIN. Rather than providing the 100,000,000 possible combinations (10⁸⁾ that an eight digit pin should offer, this flaw allows attackers to find the PIN with only 11,000 guesses (10⁴ + 10³). Computers can go through 11,000 combinations in no time. Furthermore, many devices that use WPS apparently don’t lockout failed authentication attempts. If an attacker knows your wireless router’s WPS PIN, he can use it to retrieve the router’s wireless network password. So if you use WPS, you should expect  any attacker within range of your Wi-Fi signal can access your network.

The good news is that WPS is not an industry-wide standard. Only some wireless routers and access points use it. If you’d like more details on this issue, US-CERT has released a coordinated alert about it, including some of the router brands that are affected. This includes some well know consumer brands like Belkin, Netgear, D-Link, and others. Since this is a protocol level design flaw, there is no fix. If you use a wireless router that leverages WPS, you should stop using WPS. If you have questions about you Wi-Fi security, please contact us and we can help.

If you thought you had your online banking security situation under control, along comes this chilling blog entry from security vendor Trusteer about some really nasty stuff they observed over the holiday break. And especially for those of you that have chosen paperless statements, you want to read it carefully and understand the exploit.

Basically, the bad guys have figured out a full-service series of attacks that take money from your debit card account and then proceed to show you a series of screens that cover up the transaction. They use a variety of malware tools to insert themselves in the middle of your transactions to steal your account information, then quickly debit your account. The next time you login to your bank, you are seeing the faked screens that don’t display this transaction.

If you are still one of the people that receive the paper statements in the mail, you will spot it, but only if you are really careful about reconciling your account. If you don’t get the printed statements, you may never see the transactions from the fraudster.

As Amit Klein writes on the company’s blog, “The malware hides the fraudulent transactions in the view transactions page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been taken over, nor that any fraudulent transactions have taken place.” Yikes!

Make sure your browser is up to date and if you have the option to install anti-phishing protection, now would be a good time to make sure that it is working. Most modern browsers have this enabled but it is worth reviewing if you are scared enough by this exploit. Happy holidays, everyone.

Verizon customers who make single payments by phone or online will be charged a $2 fee per payment starting January 15. The new fee is intended to offset the cost of processing these payments.

“The fee will help allow us to continue to support these single bill payment options in these channels,” Verizon said in a statement.

Other Verizon payment options such as electronic check, AutoPay and payment kiosks are still free.

Customer representatives for Sprint and AT&T said that those companies charge no similar additional fee for paying by phone or online. The AT&T representative said there is, however, a fee for paying a bill through a customer service representative by phone.

Will Verizon’s $2 fee affect you? If so, will it motivate you to choose an alternate payment option, or do you find single payments by phone or Internet worth the extra couple of bucks? Let us know in the comments.