Canadians’ Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the rights and means to spy freely, and on a hunch, on your internet usage.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers“.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediency and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks!

HSBC Under Investigation For Money Laundering?

Things are not looking good for HSBC bank.  A former employee in New York has 1,000 pages of account records he claims are evidence of an international money-laundering scheme involving hundreds of billions of dollars.  HSBC is reportedly under investigation by a US Senate committee.

John Cruz delivered the customer account records to WND that he says he pulled from the HSBC computer system (uh-oh, I do believe that this may constitute a crime as well) before he was fired after two years at the bank, for “poor performance”.  John claims that he was let go because he insisted on pursuing a personal investigation.  Apparently the police were not interested.

The scheme purportedly involved moving money through accounts belonging to fake and real businesses, opened in the names of current and former customers without those customers’ knowledge.  Businesses doing thousands of dollars of business annually were transferring millions of dollars through these accounts.  Oh, I hope this turns out to be something else.  John is writing a book about it.  We really don’t need another banking scandal right now…

Busy Day For Patches

Happy Valentine’s Day everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business.  I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 patches:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight (This one I would recommend holding off on, as Microsoft is expected to re-release it after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and an as-yet-unpatched local exploit proof-of-concept code release for Yahoo Instant Messenger 11.5.

UPDATE: Oracle also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Start planning, testing, and patching, folks.