Outdated plugins are a major source of security and stability risk for web users, and some studies have put the proportion of users with older versions as high as 80%.

Just visit mozilla.com/plugincheck/ to run a plugin check for your browser.

You should also check out SecBrowsing, another powerful tool that helps you keep your browser and plugins up-to-date. If you are using Google Chrome, there is a SecBrowsing extension that alerts you if plugins are out-of-date.

Just visit secbrowsing.appspot.com to run a browser plugin check. Afterwards SecBrowsing will automatically provide you with quick links/fixes for your browser plugins that are vulnerable. If you are using Google Chrome, there is an extension that periodically checks if your browser is running any out-of-date, vulnerable plugins (e.g., Java, Flash) and notifies you if you do.

SecBrowsing’s source code is available on Google Code. Also check out SecBrowsing’s blog for regular news on browser-related security issues.

You can follow SecBrowsing on Twitter here.

Back in 2008, Google released a nice feature inside Gmail’s settings where you could opt to enable https throughout your session. That made you feel a little bit safer when browsing your emails using a public WiFi at your local coffee shop. However, the usage of SSL/TLS protocol has one main drawback which is imposing some extra overhead. Thus causing some extra latency. This latency could be noticeable a few years ago when the average broadband speed did not exceed 1 Mbps in contrary to nowadays. So after researching the security/latency tradeoff, Google decided to roll out default https for all Gmail users for the sake of security (you can still turn it off at any time but https will still be “on” when you login).

About two months ago, I came across with a couple of interesting articles at the h-online.com regarding a vulnerability in SSL/TLS protocol which could lead to password theft. It is surprising that something we used to trust for years now has been compromised. At first I thought “what the heck..?!”. Indeed, what’s the point of choosing to use https or not at all. Well, the truth is that if you are investing in 100% security you are wasting your money. Unfortunately there is no such thing as 100% secure (at least for the time being). The good news is that there seems to be a solution to the TLS vulnerability. According to H-online:

The Internet Engineering Task Force (IETF) has ammended the RFC 5246 specification (Transport Layer Security [TLS] Protocol Version 1.2) and introduced a new renegotiation_info TLS extension which will store a connection’s cryptographic information.

If you ask me, there is nothing even close to 100% secure. The harsh truth is even when quantum cryptography will be applicable somehow, end-to-end security will still suffer from various kinds of attacks. Still having second thoughts every time you try to login somewhere..? In that case you should check out ForceHTTPS (a Firefox add-on) which forces https “every” time you hit the enter button.

ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS.

[ photo via anonymouscollective ]

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

Peter also gave some piece of advice to all those who think their WordPress site has been compromised by an exploit, to check the WordPress Exploit Scanner. A WordPress plugin that searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

Go ahead, give it a try. Upgrade to WordPress 2.8.5 and try out the WordPress Exploit Scanner if you are suspicious about your WordPress installation.

• Enabled pf by default in the rc.conf.
• Removed pf scrub rules, and only do one kind of packet reassembly. Rulesets with scrub rules need to be modified because of this.
• Regular rules can now have per-rule scrub options.
• Added new “match” keyword which only applies rule options but does not change the current pass/block state.
• Make all pf operations transactional to improve atomicity of reloads.
• Stricter pf checking for ICMP and ICMPv6 packets.
• Various improvements to pfsync to lower sync traffic bandwidth and optionally allow active-active firewall setups.
• Fix pf scrub max-mss for IPv6 traffic.

You can find more details about all the new features shipping with this release here.

Last but not least, as Jeremy S. Anderson said:

There are two major products that come out of Berkeley: LSD and UNIX. We don’t believe this to be a coincidence.

About a year ago (Nov. 18, 2008), Microsoft announced plans for a free anti-malware solution code-named “Morro”. As Microsoft stated, Morro would provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. More specifically:

This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs.

Two days ago Microsoft released the final version of its Security Essentials aka Morro. You can download it here. It is available for Windows XP 32‐bit, Windows Vista/WIN7 32‐bit and Windows Vista/WIN7 64‐bit. For the time being, Microsoft Security Essentials is available in many languages.

Some of the key features include:

• Comprehensive malware protection
• Simple, free download*
• Automatic updates
• Easy to use

*You should also note that your PC must run genuine Windows to install Microsoft Security Essentials.

I am really curious about Morro‘s performance over the next few months.

[ photo via wolkanca ]

As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

[ via ]