The Information Security Center portal - all about IT security




News for 2 July 2008

  • 22:58 Tiller Beauchamp on the Recon 2008 conference
  • Guest Editorial by Tiller Beauchamp Earlier this month I had the opportunity to present RE:Trace at the Recon conference, a reverse engineering conference held every other year in Montreal, Canada. The conference consisted of three days of training and three days of talks in a single track. Topics include reversing polymorphic malware, overcoming code obfuscation and anti-debugging [...]
    >>>

  • 21:36 Firefox 2 dirty dozen: Critical vulnerabilities patched
  • Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks. With Firefox 2.0.0.15, Mozilla fixes at least 12 documented vulnerabilities — five rated critical – that could put users at risk of arbitrary file upload, arbitrary code execution, URL spoofing [...]
    >>>

  • 21:03 Remote code execution flaw in VLC Media Player
  • Researchers at Secunia have found a “highly critical” vulnerability that puts users of the cross-platform VLC Media Player at risk of remote code execution attacks. The vulnerability is confirmed in version 0.8.6h on Windows. Prior versions may also be affected. A patch is expected soon from the VLC team. According to statistics from VLC, the download [...]
    >>>

  • 20:12 PCI-DSS 1.1 points to outdated OWASP Top 10
  • OK, I’m not going to freak out about this too bad… I’ve already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman (pictured at right) blogged today about the PCI-DSS 1.1 section 6.5, which covers “prevention of common coding vulnerabilities in software development processes”, and noted [...]
    >>>

  • 19:36 Anti-malware blocker, cross-site scripting protections coming in IE 8
  • When Microsoft’s Internet Explorer 8 hits the Beta 2 milestone in August, the browser makeover will feature a full-fledged anti-malware blocker and new protections against some forms of cross-site scripting attacks. The existing phishing filter IE 7 has been renamed SmartScreen Filter and will include blacklist-based blocking of known exploit sites. The SmartScreen anti-malware feature is URL-reputation-based, [...]
    >>>

  • 19:11 Security World: Understanding the Web browser threat
  • A group of researchers from three organizations, including Google, IBM ISS and CSG ETH Zurich, just published a paper titled: "Understanding the Web browser threat: Examination of vulnerable online Web br... >>>

  • 19:10 Sony PlayStation's site SQL injected, redirecting to rogue security software
  • The latest highly trafficked web site to fall victim to the continuing waves of massive SQL injection attacks courtesy of copycats and the ASProx botnet, is Sony’s PlayStation U.S. site according to a recent post at SophosLabs’s blog: “Researchers at IT security firm Sophos have warned lovers of video games that pages on the US-based [...]
    >>>

  • 19:00 Security World: 250GB fire-safe/waterproof hard drive
  • SentrySafe released 250GB FIRE-SAFE/Waterproof Hard Drive to protect data from fire and water disasters and computer crashes. SentrySafe has partnered with Maxtor Storage Solutions to develop the inno... >>>

  • 16:37 Blizzard introducing two-factor authentication for WoW gamers
  • Password stealing malware targeting popular MMORPGs such as World of Warcraft for instance, has become so prevalent, that video game developers are taking their authentication model a step further, by introducing two-factor authentication into play. And while marketable, is the new authentication layer actually useful in a real life situation? Depends. From Blizzard’s press release [...]
    >>>

  • 15:33 You need a PI license to repair computers?
  • This is just silly! I wonder if some Texas lawmaker isn’t proactively protecting his pr0n collection from the computer repair guys? If a computer repair technician needs a private investigator’s license, what do real forensics specialists need? I’d hate to be the test case, but this really needs to see a court room. >>>

  • 08:40 McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures
  • Stay with me here readers, I’m stringing two stories about McAfee together here, a little out of the ordinary, so I hope it makes sense. If you aren’t interested in the tech details (of which there are very little), please do read for a good laugh. Network World reported that McAfee conducted an experiment into what would happen if [...]
    >>>

  • 08:02 Security World: E-mail spam morphs in first half of 2008
  • E-mail spam went through an important change in terms of content and distribution medium during the first half of 2008, according to BitDefender, an award-winning provider of antivirus software and da... >>>

  • 07:43 Researcher claims thousands of identities stolen during Social Engineering pentests
  • Kelly Jackson Higgins of Dark Reading reported on research conducted by Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, who has been performing social engineering exploits for numerous clients in the past year and has apparently stolen thousands of identities with a 100 percent success rate. The Dark Reading article goes on, quoting Perrymon as [...]
    >>>

  • 07:43 Security World: Experiment reveals the growing psychological nature of spam
  • McAfee released the results of its S.P.A.M. (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experime... >>>

  • 06:26 Network Security Podcast, Episode 110
  • Ever have one of those days where just about nothing seems to go right? That just about describes today. Rich had to bail tonight due to family obligations, though it sounds like it’s the fun type of obligation, not like having dinner with Aunt Ethel or something. We had a guest lined [...] >>>

  • 04:35 Google ships open-source Web security assessment tool
  • The Google security team has released a free, open-source Web app security assessment tool capable of flagging vulnerabilities and potential security threats in Internet-facing applications. The tool, called Ratproxy, is described as a passive Web application security audit tool designed to analyze legitimate, browser-driven interactions with tested Web applications — to automatically pinpoint, annotate, and prioritize potential flaws [...]
    >>>

  • 03:19 Security World: Virtual Private Racks with Gigabit speed and VPN services
  • The Planet, the world's largest privately held dedicated hosting company, today announced the addition of Gigabit speed and Virtual Private Network (VPN) services to its virtual private rack solution. >>>

  • 03:19 Security World: Free forensic tool suite
  • Maryland-based Jones Dykstra & Associates is offering free download of their new computer forensics software tool suite, JDAFTS. JDAFTS, which stands for Jones Dykstra & Associates Forensic Tool... >>>

  • 03:00 News: Web surfers, it's time to patch
  • Web surfers, it's time to patch >>>

  • 03:00 Dan Wallach on Electronic Voting Machines
  • It's been a while since I've written about electronic voting machines, but Dan Wallach has an excellent blog post about the current line of argument from the voting machine companies and why it's wrong. Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance. Hopefully, legislators and election administrators are smart enough to grasp the vendors' behavior for what it actually is and take appropriate steps to bolster our election integrity. Until then, the bottom line is that many jurisdictions in Texas and elsewhere in the country will be using e-voting equipment this November with known security vulnerabilities, and the procedures and controls they are using will not be sufficient to either prevent or detect sophisticated attacks on their e-voting equipment. While there are procedures with the capability to detect many of these attacks (e.g., post-election auditing of voter-verified paper records), Texas has not certified such equipment for use in the state. Texas's DREs are simply vulnerable to and undefended against attacks.
    >>>



