January, 2012

Edinburgh IT Support company, Consider IT, has recently learned that security software publisher Symantec has confirmed it was recently the victim of a cyber attack, resulting in the theft and disclosure of product source code. Via its website, the company affirmed Anonymous’ claims, citing a source code heist dating back to 2006. The post goes on to suggest that users running Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks, Symantec Endpoint Protection 11.0, or Symantec AntiVirus 10.2 apply the latest maintenance patches.

Earlier this month, the online-collective Anonymous stated, via Twitter, that it possessed portions of the code in question and planned to release it in support of a class-action lawsuit filed by consumers – the suit claims Symantec employed scare tactics to encourage users to purchase its wares. If you have the company’s pcAnywhere solution deployed, Symantec suggests only using it for “business critical purposes,” as this software is “at increased risk.” Those looking to stay up-to-date on the breach and what Symantec is doing to ameliorate its effects can get the blow-by-blow from the source link below.

The security vendor said at the time that because the code is old, customers running Norton products today should not be in any increased danger of cyberattacks. However, the company admitted that users of pcAnywhere, which has not changed as much as the Norton products over the past few years, might face an increased risk because of the leak.

A patch for pcAnywhere 12.5 was released on Tuesday in order to address two security vulnerabilities that could lead to arbitrary code execution or privilege escalation. The flaws were reported privately to Symantec by security researchers Tal Seltzer and Edward Torkington.

Lewis Peckover, who set up a little web tool that displays all the “HTTP header information” sent to sites by web browsers, highlighted yesterday that O2 include your mobile phone number whenever you visit a website whilst running over the 3G network.

Users of the social news site, Reddit.com, confirm this problem also happens with Tesco Mobile.

For O2 and Tesco customers browsing on a 3G connection, these headers also include their personal telephone number in an x-up-calling-line-id line. Enterprising website owners can easily keep a copy of the HTTP header information sent over by visiting browsers and tie it to IP addresses and logins, if applicable.

O2 commented on their Twitter feed:

@lewispeckover Hi Lewis. The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device #O2Guru  (https://twitter.com/#!/O2/status/161872584634408960)

Edinburgh IT Support company, Consider IT, would like to make clients and visitors aware of a recent McAfee vulnerability that has been confirmed by McAfee themselves.

McAfee is promising to fix a vulnerability in its anti-malware service after it was alerted to a flaw that allows systems where the product was installed to be turned into spammers.

The spamming problem from this software resulted in major inconvenience for some McAfee customers, whose email was blocked after their IP addresses appeared on blacklists. McAfee’s forums show some of these customers complaining here and here.

In a blog post (here), McAfee said:

The patch will be released on January 18 or 19, as soon as we have finished testing. Because this is a managed product, all affected customers will automatically receive the patch when it is released.

McAfee says both the issues are restricted to SaaS for Total Protection and don’t affect any of its other products.

A care provider with offices in Northern Ireland and the Isle of Man has taken action to improve its data protection practices following a joint ruling by the Information Commissioner’s Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man.

Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man in August 2011. Some of the information was sensitive and related to individuals’ care and mental health.

The device has not been recovered. However, Praxis has informed all affected individuals about the loss and no complaints have been received by the regulators.

The company has now committed to making sure that all portable devices used to store personal data are encrypted. Any personal information that is no longer needed will also be disposed of securely in line with the company’s updated data security guidance.

Christopher Graham, UK Information Commissioner, said:

“Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”