The company’s lab rats have come up with a feature that lets you demote folks from “friend” to acquaintance without them ever being the wiser.

This is one of those “why didn’t they do this earlier?” moments, but let’s not look the proverbial gift horse in the (cyber) mouth. For anyone stuck with a distant Facebook “friend” whose news feed is a veritable nonstop, play-by-play of their lives — yes, the very definition of too much sharing — Facebook now lets you boot them to an acquaintances list. They will still be listed as your Facebook friend so there’s no chance of hurt feelings. But the upshot is that you’ll see a lot less of their wonder-of-me moments in your News Feed every day.

This is part of an evolution that began after Facebook rolled out a subscribe button last September

Angry Birds has reached the final frontier in the newest twist on the popular game dubbed Angry Birds Space.

Launching today, the new game finds the birds sucked through a wormhole into another galaxy where as usual they have to shoot down their piggly nemeses. But in a nod to actual physics, Angry Birds Space taps into the gravity in force around interstellar objects to help the birds nail their targets.

Stuck on the surface of a moon, the birds have to land on the other side to bring down the pigs. Sending the birds off on the familiar slingshot displays a series of dots pinpointing their orbit, helping you better aim. And if the bird misses its mark the first time, the gravity of the moon will keep it in orbit, giving it another chance of landing on the right pig. You can even make trick shots in space that wouldn’t be otherwise be possible.

Like other editions of Angry Birds, the new game is definitely addictive.  And the nod to space physics adds a fun and “realistic” angle.

Angry Birds Space costs $5.95 for the PC and $4.99 for the Mac.

iPhone and iPod Touch users can grab the game for 99 cents, while iPad owners will find an HD version for $2.99 already optimized for the Retina Display. Android users can download a free ad-supported version at Google Play.

Dedicated versions are also available at $2.99 for the Amazon Kindle Fire and Barnes & Noble’s Nook tablet.

Netflix on Monday announced it’s bringing its “Just for Kids” programming to the PlayStation 3, giving parents viewing options for kids ages 12 and under.

PS3 owners now have access to the kid-friendly block of programming, which includes Kick Buttowski, Bob The Builder, Thomas the Tank Engine, Backyardigans, Caillou, Curious George, SpongeBob, Power Rangers and Arthur.

Netflix rolled out Just for Kids last August. The kid-friendly interface lets children browse media by character. Clicking on one of the figures opens a new window that shows media choices featuring that character. As with the site’s current “Watch Instantly” section, clicking on the thumbnail of a movie or television episode launches instant play.

Summary:

• This vulnerability affects: Adobe Flash Player 11.1.102.62 and earlier, running on all platforms (including Android)
• How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
• Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
• What to do: Download and install the latest version of Adobe Flash Player (version 11.1.102.63 for computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including some mobiles like Android.

In an unexpected security bulletin released today, Adobe warned of an update that fixes two security vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier, running on all platforms (including Android). Adobe’s bulletin doesn’t describe the flaws in much detail (one is a “memory corruption” and the other is an “integer error”) but it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Adobe calls this a “Priority 2” update, which means it fixes fairly critical flaws, but that attackers are not exploiting the flaws in the wild yet. Adobe suggests you patch these flaws within 30 days. I recommend that you try to do it within the week.

Solution Path

Adobe has released new versions of Flash Player (11.1.102.63 for computers and 11.1.11x.x for Android) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately:

• Download Flash Player for your computer [any platform]:

• Download Flash for Android 4.x [Visit from your Android device]
• Download Flash Player for Android 3.x and below [Visit from your Android device]

NOTE: Chrome ships with its own version of Flash, built-in. If you use Chrome as you web browser, you will also have to update it separately.

Facebook is pushing Timeline out to all 800 million of its users. And there’s no turning back to the “old” profile.

According to a Facebook blog post Tuesday — or rather, an update to the post published when Timeline became available to all users — you will have seven days to preview your Timeline and hide content you don’t want out in the open.

Facebook says you’ll receive a notification at the top of your home page when Timeline has landed in your account. That seven-day preview period is the same for users who activate Timeline and those whose accounts are activated automatically.

Users have seven days to clean up their profiles before their Timeline goes live, transforming the bulletin board-like profile into a visual scrapbook of their lives.

With Timeline, all users are required to add a second, bigger magazine-esque “cover photo” in addition to the profile photo. The profile photo has changed in size from a rectangle or square to a thumbnail that resembles a driver’s license photo. Social apps, which automatically share a user’s activity, are one of Timeline’s key features.

Last week, Facebook rolled out 60 new Timeline apps for food, fitness, entertainment, shopping, fashion, ticketing, job searches, and more. Music streaming service Pandora and “read later” app Instapaper did not join the rollout.

What is your opinion on Timeline?

With more and more online activities and applications, you are faced with usernames and passwords everywhere. Here are some points to remember when setting-up your accounts.

• Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
• Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences.
• Use different passphrases on different web sites – This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites. If you have been using the same password everywhere you should change your password on every site (and make it different this time). That said, many people find this advice hard to implement in practice; which brings me to the next tip…
• Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used KeePass myself).

Summary:

• This vulnerability affects: Adobe Reader and Acrobat X 10.1.1 and earlier, on Windows, Mac, and UNIX computers
• How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
• Impact: An attacker can execute code on your computer, potentially gaining control of it
• What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.2 or 9.5 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

During yesterday’s Patch Day, Adobe released one security bulletin describing six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and earlier, running on all supported platforms.  Adobe doesn’t describe these flaws in much technically detail, but most of them involve memory corruption issues within Reader and Acrobat components. If an attacker can entice you into opening a specially crafted PDF file, he can exploit these types of issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of you machine.

In a previous post, we described an out-of-cycle Adobe update that fixed two zero day vulnerabilities in Reader and Acrobat 9.4.6 and earlier. Those zero day flaws also affect Reader and Acrobat X. However, Adobe decided not to releases the X updates at the time, since they believe that X’s built-in protection mechanisms would prevent attackers from exploiting the flaws in the real world. Today’s Reader update also corrects those two outstanding issues in Reader and Acrobat X.

Solution Path

Adobe has released Reader and Acrobat X 10.1.2 (and 9.5 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

• Adobe Reader X 10.1.2
  • For Windows
  • For Mac
• Adobe Acrobat X 10.1.2
  • Standard and Pro for Windows
  • Pro Extended for Windows
  • Pro for Mac

Like clockwork, Microsoft has posted the first Patch Day of the new year.

As they forewarned in their advanced notification last week, Microsoft released seven security bulletins today, which include six updates for Windows and one update for a Microsoft development tool (specifically an AntiXSS library). They only rate one of the Windows bulletins as Critical, but some of the Important bulletins also fix significant flaws that could allow attackers to execute code (though with more user interaction or difficulty).

One noteworthy aspect of today’s Patch Day is that two of the bulletins fix flaws within some Microsoft security mechanisms. One update fixes a flaw in SafeSEH, a Windows security mechanism that makes it more difficult for attackers to leverage buffer overflow or memory corruption flaws. Another bulletin fixes an information disclosure flaw in AntiXSS, a developer library that Microsoft offers to ASP.NET coders. AntiXSS is essentially an encoding library that helps web developers sanitize user input in their web applications. Sanitizing such input helps prevent your web application from suffering from cross-site scripting (XSS) vulnerabilities.

Though I find the security mechanism issues more interesting, the most severe bulletin in today’s batch corrects two serious issues in Windows’ media handling components. By enticing you to play maliciously crafted media, and attacker could exploit these issues to execute code on your computer, potentially gaining full control of it.

You can learn more about today’s updates in Microsoft’s January summary bulletin, which lists the bulletins from the most to least severe. Microsoft’s severity ratings seem right on to me, this month, so I recommend you apply the updates in that order.

I’ll post a more detail, consolidated Windows alert here, shortly. However, I’ll probably not post a detailed alert about the AntiXSS update,  since I suspect few of our readers and customers use it. That said, if you are a security minded ASP.NET developer that does leverage this library, you should definitely refer to Microsoft’s bulletin for its patch.

I hope everyone had a relaxing and enjoyable Christmas and New Years!

According to their advanced notification post, Microsoft plans to release seven security bulletins on Tuesday, January 11. Six of the bulletins fix flaws in Windows or its components, while the remaining bulletin corrects vulnerabilities in one of Microsoft’s developer tools. Microsoft only rates one of the Windows bulletins as Critical, while the rest are Important.

Microsoft Patch Day has become a bit routine over the years (which is a good thing for a patch cycle), but this one does have a slightly noteworthy addition. One of the Important Windows bulletins fixes a “Security Feature Bypass” vulnerability. These types of vulnerabilities don’t really let attackers gain control of your systems, they just bypass security features that might make it easier for attackers to exploit other flaws. As a security professional, I tend to find flaws in security systems interesting as we can learn from them as an industry (similar to the way that mathematicians hammering public crypto algorithms can result in stronger encryption systems).

As usually, I’d apply Microsoft’s Critical patches first. Lately, the order of severity Microsoft has reported in their summaries has matched mine. So I recommend following their order.

I’ll be able to share more details about Microsoft’s bulletins next Tuesday. Make sure to check back here then.

Over the years, we’ve had to deal with vulnerabilities and weaknesses in wireless security protocols, such as the deprecation of the WEP protocol due to design flaws.  Now, a standard that was designed to make wireless security easier, actually makes it less secure.

For those of you who haven’t heard of Wi-Fi Protected Setup (WPS), it is a standard created by the Wi-Fi Alliance to make it easier for home users to configure security settings on their access points, making the task less foreboding for the non-technical.

In concept, I think this is a great idea. I know many average home users that run open access points simply because they find the tech lingo (WPA2, PSK, AES, TKIP, etc.) too overwhelming, or because they can’t be bothered with strong passwords. Making wireless security easier for the average Joe is noble goal. However, in practice WPS will make your WAP less secure.

According to research by Stefan Viehböck (also discovered independently by another researcher as well), technical flaws in WPS make it embarrassingly simple to brute force a WPS PIN. Without going into too much technical detail, the WPS protocol responds to failed authentication attempts in a way that will both tell you if the first four digits of the PIN are correct, as well as disclose the eighth digit of the PIN. This severely reduces the number of guesses necessary to learn a WPA PIN. Rather than providing the 100,000,000 possible combinations (10⁸⁾ that an eight digit pin should offer, this flaw allows attackers to find the PIN with only 11,000 guesses (10⁴ + 10³). Computers can go through 11,000 combinations in no time. Furthermore, many devices that use WPS apparently don’t lockout failed authentication attempts. If an attacker knows your wireless router’s WPS PIN, he can use it to retrieve the router’s wireless network password. So if you use WPS, you should expect  any attacker within range of your Wi-Fi signal can access your network.

The good news is that WPS is not an industry-wide standard. Only some wireless routers and access points use it. If you’d like more details on this issue, US-CERT has released a coordinated alert about it, including some of the router brands that are affected. This includes some well know consumer brands like Belkin, Netgear, D-Link, and others. Since this is a protocol level design flaw, there is no fix. If you use a wireless router that leverages WPS, you should stop using WPS. If you have questions about you Wi-Fi security, please contact us and we can help.