Planet Security

July 29, 2010

Wi-Fi Business and Technology: Is Cisco's WPA Migration Mode Leaving Wi-Fi Users at Risk?

Researchers at Black Hat this week warn about a potential threat in Cisco 1200-series wireless access points, but the enterprise networking giant downplays the danger.


The Register - Security: Cell phone eavesdropping enters script-kiddie phase

Get your GSM snooping tools here

Black Hat: Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world's most widely deployed mobile technology.…

Financial Cryptography: The difference between 0 breaches and 0+delta breaches

Seen on the net, by Dan Geer: "The design goal for any security system is that the number of failures is small but non-zero, i.e., N>0. If the number of failures is zero, there is no way to disambiguate good luck from spending too much. Calibration requires differing outcomes."

I've been trying for years to figure out a nice way to describe the difference between 0 failures, and some small number N>0 like 1 or 2 or 10 in a population of a million. Dan might have said it above: "If the number of failures is zero, there is no way to disambiguate good luck from spending too much." Has he nailed it? It's certainly a lot tighter than my long efforts ... Once we get that key piece of information down, we can move on. As he does: "Regulatory compliance, on the other hand, stipulates N==0 failures and is thus neither calibratable nor cost effective. Whether the cure is worse than the disease is an exercise for the reader."

An insight! For regulatory compliance, I'd substitute public compliance, which includes all the media attention and reputation attacks....

Privacy Digest: White House proposal would ease FBI access to records of Internet activity

White House proposal would ease FBI access to records of Internet activity: Via Washington Post .

The Obama administration is seeking to make it easier for the FBI to compel companies to turn over records of an individual's Internet activity without a court order if agents deem the information relevant to a terrorism or intelligence investigation.

The administration wants to add just four words -- "electronic communication transactional records" -- to a list of items that the law says the FBI may demand without a judge's approval. Government lawyers say this category of information includes the addresses to which an Internet user sends e-mail; the times and dates e-mail was sent and received; and possibly a user's browser history. It does not include, the lawyers hasten to point out, the "content" of e-mail or other Internet communication.

But what officials portray as a technical clarification designed to remedy a legal ambiguity strikes industry lawyers and privacy advocates as an expansion of the power the government wields through so-called national security letters. These missives, which can be issued by an FBI field office on its own authority, require the recipient to provide the requested information and to keep the request secret. They are the mechanism the government would use to obtain the electronic records.


Privacy Digest: Why Do-Not-Track Isn't The Same As Do-Not-Call

Why Do-Not-Track Isn't The Same As Do-Not-Call: Via MediaPost Publications .

Federal Trade Commission Chairman Jon Leibowitz surprised many industry watchers yesterday when he told the Senate that the commission might recommend a do-not-track mechanism for behavioral targeting.

He elaborated that the system could take the form of a browser plug-in, and that either the FTC or a private group could oversee it; beyond that, further details will have to wait until the FTC issues a report later this year about online privacy.

Even without all of the particulars, the concept of a do-not-track list seems likely to alarm many online ad companies, if for no other reason than because of telemarketers' experience with the do-not-call registry. That list, which has proven hugely popular with consumers, now has 200 million phone numbers.


Hack in the box: Private details of 100m Facebook users leaked

The personal details of more than a fifth of Facebook’s estimated 500 million users have been “leaked” to the internet by campaigners highlighting its “terrifying” privacy fears. The list, which has been published in a downloadable file, contains the URL of every searchable Facebook user’s profiles, their names and unique ID. Campaigners warned the list, published on “Pirate Bay”, the world's biggest filesharing website, affected more than 100 million users on the social networking site. On Wednesday, the list was rapidly spreading across the internet being distributed and downloaded by more than 1,000 users, the BBC reported. One user described the list as "awesome and a little terrifying". But its publication provoked concern from privacy experts who said it proved Facebook’s “confusing” privacy settings were still apparent.

Hack in the box: IT employers must invest in skills to stay ahead

IT employers must invest more in skills if the UK is to remain in the top eight countries for productivity by 2020, according to a report on skills in the UK. It says 10 million people need to improve their skills, but just half are likely to do so. The result is that the skills, number of jobs and productivity in the UK will suffer, according to the Ambition 2020 report by Investors in People. The technology industry will play a crucial role in preventing the UK's slide down the international rankings by improving workers' skills. Chris Humphries, chief executive of the UK Commission for Employment and Skills, which has strategic responsibility for Investors in People, said: "In the current economic climate, it's more important than ever that businesses are able to get the best out of their people. This means challenging and inspiring managers and employees at all levels to achieve their potential: employers have to be ambitious and act now to develop the skills they will need in future. This will improve their productivity and performance, benefitting them, their employees, and the IT and technology industry as a whole."

Hack in the box: Apple to Honor Taiwanese Mac Mini Pricing Mishap

Earlier this week, the new unibody Mac mini went on sale in Taiwan. However, Apple accidentally listed the Mac mini with 8GBs of RAM for $19,900 NT (~ $621.77 in US currency), but was supposed to be priced at $47,000 NT (~ $1468.51 US). This of course, led to a blunder in Apple's history as the company raised the purchase price on orders from the $19,900 NT to $47,000 NT. As you might imagine, customers were none too happy about this. With many people threatening lawsuits, and complaints from a regional organization called the Consumer Foundation, Apple has decided to honor the mispriced Mac mini at $19,900 NT.

Hack in the box: Second Student Sues School District Over Webcam Spying

A webcam scandal at a suburban Philadelphia school district expanded Tuesday to include a second student alleging his school-issued laptop secretly snapped images of him. The brouhaha commenced in February, when a student of Lower Merion School District was called into an administrator’s office. Sophomore Blake Robbins was shown a picture of himself that officials suggested was him popping pills. The family claimed it was candy. An invasion-of-privacy lawsuit followed, alleging the district had snapped thousands of pictures of its students using webcams affixed to the 2,300 Apple laptops the district issued. Some of the images included pictures of youths at home, in bed or even “partially dressed,” (.pdf) according to a filing in the case. Students’ online chats were also captured, as well as a record of the websites they visited.

Hack in the box: Android 2.2 for Samsung Galaxy S is leaked

USERS of Samsung's popular Linux powered smartphone, the Galaxy S, can now install the latest version of Android thanks to a leaked ROM. The Galaxy S is becoming one of the best selling smartphones ever, with Samsung managing to shift tens of thousands of the devices every day. It's been reported that the company has managed to flog more than half a million units to South Koreans in just a month. Not surprisingly, users are looking forward to getting Android 2.2 installed. The leaked ROM shows that Samsung is well on its way to updating the phone to the latest version of Android. Though the Galaxy S ships with Android 2.1, which was released in January, Android 2.2 offers among many other features the ability to run Adobe's Flash software. This added functionality combined with performance upgrades has had users clamouring for updates.

Hack in the box: Firefox's next big innovation: A new OS-like interface

During 2010, Firefox has had much of its momentum as an alternative Web browser stolen by Google Chrome. However, a new Firefox innovation called Tab Candy will make Firefox act more like a operating system, with much-improved multitasking and sharing capabilities. In fact, if the Firefox team can pull off all of the features of Tab Candy that it recently demonstrated, it would leapfrog Chrome in functionality. The Tab Candy functionality is being spearheaded by Aza Raskin, the Head of UX at Mozilla Labs. Raskin is the son of Macintosh creator Jef Raskin and he joined Mozilla in 2008 when his software company Humanized merged with Mozilla. Raskin said, “How many of us keep tabs open as reminders of something we want to do or read later? We’re all suffering from infoguilt. We need a way to organize browsing, to see all of our tabs at once, and focus on the task at hand.”

Hack in the box: New Intel technology to make it possible to download an HD movie in a second

As the technology industry prepares for the adoption of USB 3.0 (in anticipation of the increased speeds), Intel has been hard at work on technology that will be far faster. In fact, it is capable of transferring the entire printed catalog of material within the Library of Congress in only a minute and a half. The technology makes use of silicon and light to achieve this incredible feat. According to Gizmodo via Intel Tech Research, “Intel detailed their breakthrough to the press at an event today, marking the milestone of impressive 50 gigabits per second transfer speeds using an underlying technology that could go much, much further. We've covered the promise of fiber optic speeds before, but nothing like this. Intel CTO Justin Rattner explained just what "silicon photonics" even means, why the world needs it, and what it promises in the near future.”

Hack in the box: What's Missing From StarCraft II's Launch? Pirate Copies

StarCraft II has been circulating in beta since February 2010. A preload version's been downloadable for the past week. Boxed copies of the game went on sale last night at midnight. The game code's been hypothetically available, more or less in full, to software pirates for some time now. All that, and still not a (successfully) cracked copy in sight. That's not a little surprising, given StarCraft II's PC pedigree and offline play options. StarCraft II doesn't require an internet connection to plumb its solo mode. Unplug your computer from the net, fire up the game, type in your Battle.net account name, and once the game realizes it's been untethered, you're offered an offline play button. The game doesn't support local area network (LAN) play, and your achievements are obviously held local until you reconnect, but the solo campaign's all there and fully playable.

Security Ninja: Day one at SecurityBSides Las Vegas

Hi everyone, I just wanted to write a quick post to say how much fun I’ve had at SecurityBSides Las Vegas today and how much I enjoyed speaking at this conference again. I also wanted to let you know about some of the talks I attended that I really enjoyed. The first talk I wanted to mention was [...]

Hack in the box: Barnaby Jack Demonstrates ATM ‘Jackpotting’

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills. The demonstration was greeted with hoots and applause. In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Hack in the box: Facebook’s Security Slackness: A Cautionary Tale

With 500 million users offering up reams of personal data and ever-shifting and confusing privacy policies, Facebook is a tempting target for phishing and other nefarious activities. And it’s no wonder given the company’s attitude to security. When hackers find vulnerabilities in the service, don’t expect any help from Facebook, which has adopted a “blame the user” mentality that refuses to acknowledge any possibility of a flaw in its own infrastructure. I’ve learnt this the hard way after my Facebook account suffered from some sort of intrusion over the weekend. I managed to clean up the mess pretty quickly, but that was no thanks to Facebook itself. Trying to identify the source of the problem proved to be a lot trickier, largely because Facebook doesn’t want to engage in any kind of meaningful dialogue about security with anyone.

Hack in the box: Wikileaks: Publication of Afghan informant details worth the risk

THE FOUNDER of WikiLeaks was forced last night to defend his decision to publish tens of thousands of uncensored intelligence documents. The Times revealed that the names, villages, relatives' names and even precise GPS locations of Afghans co-operating with Nato forces could be accessed easily from files released by WikiLeaks. Human rights groups criticised the internet site and one US politician said that the security breaches amounted to a ready-made Taliban hitlist. Julian Assange, the founder of the whistleblowing website, told The Times that he would "deeply regret" any harm caused by the disclosures.

Hack in the box: Microsoft To Release Updated EMET Security Tool

Microsoft announced today that it is planning to release a new version of its security mitigation tool for ISVs and Windows users. Enhanced Mitigation Experience Toolkit (EMET) 2.0, when released in "upcoming weeks," will contain six mitigation protections, according to Microsoft's announcement. The mitigations block general techniques used by hackers that try to exploit vulnerabilities commonly found in software. Version 2.0 will be an update to the Enhanced Mitigation Evaluation Toolkit 1.0.2, which was announced in October. For this new upcoming release, Microsoft plans to change the name of the tool slightly, dropping the word "evaluation" in the older toolkit name for "experience" in the new one.

Hack in the box: BitBlaze tool boosts bug-hunting productivity 10-fold

Researchers and developers -- and for that matter, hackers -- can dramatically slash the time it takes to root out exploitable security vulnerabilities by using an open-source toolkit created at UC Berkeley, a noted bug hunter said today at Black Hat. BitBlaze can cut the time required to identify a hackable bug from days or even weeks to just hours, said Charlie Miller, an analyst with Independent Security Evaluators (ISE), a Baltimore-based security consultancy. Miller presented his findings at the security conference that kicked off Wednesday in Las Vegas. "It's not really hard to find bugs anymore," said Miller in an interview earlier this week as he prepared for Black Hat. "The problem is that we find all these crashes using fuzzing, but we don't know what to do with them. The hardest part is prioritizing them and the underlying vulnerability that caused the crash."

Hack in the box: Apple Updates Safari, Turns on Extensions

Apple released an update to its Safari web browser Wednesday. Safari 5.0.1 is available from Apple as a free download for Windows and for Mac OS X (Leopard or better). Mac users can also find it in Software Update. This is an incremental upgrade, but it comes with one big new feature: Safari now has a real platform for third-party extensions, a feature that Firefox and Chrome have had for some time. Safari 5 arrived in early June, and in addition to dozens of other enhancements (including the much-discussed Reader feature) it included a new architecture for creating lightweight browser extensions that enhance and personalize web pages and web services. Wednesday’s update now lets you install and run those extensions. Apple has also launched a new Extensions Gallery where you can browse the available extensions and download them.

Hack in the box: Dell unveils security hardware and services

Dell on Wednesday beefed up its security offerings with new hardware and services, which could help the company to strike more long-term service engagements with customers. The security offerings are part of a new product portfolio targeted at medium-sized businesses, Dell said. The portfolio brings together security management, deployment and vulnerability assessment tools to protect data and IT infrastructures. The portfolio includes managed security services through a partnership with SecureWorks. SecureWorks provides a hardware- and software-based security information management platform that collects data and events from devices and uses that information to identify threats. SecureWorks will provide the hardware, which will work with industry-standard servers, clients and networking gear.

Hack in the box: Suspected 'Mariposa Botnet' creator arrested

US, Spanish and Slovenian law enforcement authorities on Wednesday announced the arrest of the suspected creator of the "Mariposa Botnet," a vast network of virus-infected computers used by criminal hackers. The suspect, a 23-year-old Slovenian citizen identified only as "Iserdo," was arrested by Slovenian police last week, the FBI, the Slovenian Criminal Police and the Spanish Guardia Civil said in a joint statement. Three suspected Mariposa Botnet operators -- Florencio Carro Ruiz, Jonathan Pazos Rivera, and Juan Jose Bellido Rios -- were arrested in Spain in February and are facing prosecution for computer crimes. A botnet is a network of malware-infected computers that can be controlled remotely and used to carry out attacks or other operations.

Hack in the box: Concentration camp website hacked

Neo-Nazis have hacked into Germany's Buchenwald concentration camp website, defacing it and redirecting visitors to a revisionist site, the camp's memorial foundation director said on Wednesday. The internet vandals hijacked the welcome page at www.buchenwald.de, in remembrance of victims of one of the largest and most notorious concentration camps on German soil in World War II, said foundation director Volkhard Knigge. The site, which was partially accessible late on Wednesday, was defaced with slogans such as "Brown is beautiful" - in reference to the shirts worn by Nazi stormtroopers - and "We will return", Knigge said.

Hack in the box: Exclusive Sneak Peek: DefCon Ninja Party Badge

A hacker group known as the Ninjas has created what may be the best DefCon badge ever. The badge allows wireless ninja battle between badge holders. Unlike the official badge, attendees can’t buy this one: it’s free. DefCon, the world’s largest hacker convention, is more than just a group of hackers getting together to exchange the latest exploit code and hacking techniques. It’s a time for hackers who may only see one another once a year, to socialize face to face. One of the most exclusive venues for fraternizing at DefCon is the Ninja party. To attend the party attendees have to know one of the Ninjas and they have to give them a badge. In years past, a Ninja would give a party attendee a sticker or a paper invite that would get them in to the party. Last year the Ninjas took the party invite to the next level when they created their own custom badge for their party attendees. This year, badge designers Amanda Wozniak and Brandon Creighton decided to take the badge to the next level, and then some. What started as a sketch on a napkin ended up as an amazing hacker gaming and development platform.

SANS Internet Storm Center: The 2010 Verizon Data Breach Report is Out, (Thu, Jul 29th)

This year's data breach report continues this valuable narrative. This year's report is based on a larger case sample than in previous years, thanks to a partnership with the United States Secret Service, who contributed information on a few hundred of their cases this year. Many of the findings echo those of previous years (excerpts below).

Who is behind data breaches?
- 70% resulted from external agents
- 48% caused by insiders
- 11% implicated business partners
- 27% involved multiple parties

How do breaches occur?
- 48% involved privilege misuse
- 40% resulted from hacking
- 38% utilized malware
- 28% involved social tactics
- 15% comprised physical attacks

What commonalities exist? (this was the interesting section for me)
- 98% of all data breached came from servers
- 85% of attacks were not considered highly difficult
- 61% were discovered by a third party
- 86% of victims had evidence of the breach in their log files
- 96% of breaches were avoidable through simple or intermediate controls
- 79% of victims subject to PCI DSS had not achieved compliance

Come on! Not only don't folks seem to be implementing some basic protections, but when they're told that they've been compromised (in their log files), no-one is listening! I guess this isn't much different than in previous years, but it'd be nice to see a positive trend here.



I'm not sure that I believe the low numbers for government data breaches (4%). I guess the report can only summarize data from cases that are seen by the incident handlers.

Find the full report here: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Take a few minutes to read it over coffee this morning - I found it a good read, and just about the right length for that first cup!

Rob VandenBrink, Metafore
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

CNET News.com - Security: Expert: Critical system flaws a 'ticking time bomb'

Combining legacy SCADA systems that have their own weaknesses with Internet technologies is a dangerous mix for protecting systems that provide energy, water and other basic needs, Black Hat presenter says.

Yahoo! News: Computer Security and Viruses: Bunker-busting ATM attacks show security holes (AP)

[Photo caption: Barnaby Jack demonstrates an attack on two automated teller machines during the Black Hat technology conference in Las Vegas on Wednesday, July 28, 2010. The attacks demonstrated Wednesday targeted standalone ATMs. But they could potentially be used against the ATMs operated by mainstream banks. (AP Photo/Isaac Brekken)]

AP - A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.


Yahoo! News: Computer Security and Viruses: Internet upgraded to foil cyber crooks (AFP)

AFP - The Internet has undergone a key upgrade that promises to stop cyber criminals from using fake websites that dupe people into downloading viruses or revealing personal data.


CNET News.com - Security: Black Hat shines light on security (roundup)

Las Vegas is the setting this week for two of the most popular annual security events. First comes Black Hat for the professional crowd, followed by the more antic Defcon gathering.

The Register - Security: NoScript 2.0 beefs border patrol

'Saves your router's ass'

NoScript daddy Giorgio Maone has released version 2.0 of his popular Firefox add-on, a means of blocking JavaScript, Java, Flash, and other plug-in or script content from untrusted websites.…

CNET News.com - Security: Security researcher demonstrates ATM hacking

IOActive's Barnaby Jack reveals at Black Hat how he found ways to remotely log into ATMs without a password and force them to spit out cash.

July 28, 2010

The Register - Security: Armed with exploits, ATM hacker hits the jackpot

'Game over' vulns spew cash on demand

Black Hat: A startling percentage of the world's automated teller machines are vulnerable to physical and remote attacks that can steal administrative passwords and personal identification numbers to say nothing of huge amounts of cash, a security researcher said Wednesday.…


McAfee Avert Labs Blog: Remote Jackpot – Hacking ATMs

Isn’t it just everybody’s dream: to walk up to an ATM, swipe your card, get a flashy screen reading ‘We Have A Winner’ and the machine spewing out all its money? That dream just became reality.

At least in a great presentation from Barnaby Jack at the Black Hat Briefings in Vegas called ‘Jackpotting Automated Teller Machines Redux’. The talk that got pulled last year, allowing him another year of research to extend it. He did two demos: one walking up to an ATM, opening it, plugging in a USB device and restarting it; the other remotely bypassing authentication, installing a rootkit over the network, giving him complete control over the machine and managing it remotely or by typing a secret combination of keys on the machine to get access to the rootkit. Or swiping a special card. The rootkit would also capture the data from any card inserted and send it to the C&C Server (still standing for Command and Control, not for Credit Card).

A very flashy presentation, but what’s behind it?

Most people tend to ignore the fact that a lot of today’s devices and machines are running fairly standard computers and operating systems internally. ATM machines, cars, medical devices, even your TV may have such a computer inside, allowing updates over a network. Software unfortunately has flaws. The more complex, the more flaws, so sometimes updates are necessary to add new functionality, instead of replacing a device with a new one, fixing flaws found, etc.

In the first case the attack is made easy as most, if not all, vendors of ATMs are using a master key to unlock them, giving easy access to the motherboard. Using master keys is definitely bad security practice but other solutions may be really difficult in practice. And allowing code from a USB device to run is what makes the attack possible. In the demo it took only 5 seconds and a reboot.

In the other case a flaw in the authentication was used to make unauthorized changes, running the attacker's program. But the principle was just the same as with millions of other computers each quarter that become victims of an attack and part of a botnet.

So these computers need some protection against unauthorized changes. Running AV on them is obviously not a good solution; it would need constant updating and would make a heavy impact on the systems you want to protect. So the future is in using Application Control, Configuration Control and Change Control to lock down those systems, so you can still make authorized updates and changes but not run unauthorized code from an attacker.
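The change-control idea in the paragraph above, as an added example that is not McAfee's or any vendor's product code: a hash baseline of an appliance's binaries, an application-control decision that only allows a file to run if it still matches the baseline, and an authorised-update path that re-baselines a single entry. All names, the temporary directory layout and the file contents are constructed for the example.

```python
"""Change-control baseline checker (added example; hypothetical names, constructed data).

Models the lock-down approach described above: an appliance such as an ATM
should only run a known set of binaries, and any file that appears or changes
outside the authorised update path is flagged rather than executed.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def check_changes(baseline: dict, root: Path) -> dict:
    """Compare the current tree against the baseline; report added, modified and removed paths."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    return {"added": added, "modified": modified, "removed": removed}


def execution_allowed(path: Path, root: Path, baseline: dict) -> bool:
    """Application-control decision: run only if the file is baselined and its hash still matches."""
    rel = path.relative_to(root).as_posix()
    return rel in baseline and path.is_file() and file_digest(path) == baseline[rel]


def apply_authorised_update(baseline: dict, root: Path, rel_path: str, new_content: bytes) -> dict:
    """The sanctioned update path: write the new file and re-baseline only that entry."""
    target = root / rel_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(new_content)
    updated = dict(baseline)
    updated[rel_path] = file_digest(target)
    return updated


def demo() -> dict:
    """Constructed scenario: two-binary 'appliance', one authorised update, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "dispenser").write_bytes(b"dispenser v1")  # constructed content
        (root / "bin" / "ui").write_bytes(b"ui v1")                # constructed content
        baseline = build_baseline(root)

        # An authorised change goes through the controlled path and is re-baselined,
        # so the next check reports nothing.
        baseline = apply_authorised_update(baseline, root, "bin/ui", b"ui v2")
        after_update = check_changes(baseline, root)

        # Unauthorised changes: a dropped binary and a patched dispenser, written directly.
        (root / "bin" / "dropper").write_bytes(b"unexpected")
        (root / "bin" / "dispenser").write_bytes(b"dispenser v1 patched")
        after_tamper = check_changes(baseline, root)
        return {
            "after_update": after_update,
            "after_tamper": after_tamper,
            "dropper_allowed": execution_allowed(root / "bin" / "dropper", root, baseline),
            "dispenser_allowed": execution_allowed(root / "bin" / "dispenser", root, baseline),
            "ui_allowed": execution_allowed(root / "bin" / "ui", root, baseline),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the split between the two paths: the update routine is the only place that rewrites the baseline, so anything else that lands on disk shows up as "added" or "modified" and is refused by the execution check, which is the behaviour the post asks for instead of signature scanning.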

Ok, so much for now. I’ve seen some ATMs in the lobby that I need to look at ;)

ItoolBox Networking and Infrastructure: Functional Design Specification Document – Part 3 – Lvl 2 Functional Spec

1. ***Project Acronym*** LEVEL 2 FUNCTIONAL SPECIFICATIONS *** Include high-level description here. *** The following are the subsystems described in this section: · *** Subsystem (1) *** · *** Subsystem (2) *** Refer to the appendix entitled : ...

ItoolBox Networking and Infrastructure: Functional Design Specification Document – Part 2 – Functional Spec

1. ***Project Acronym*** LEVEL 1 FUNCTIONAL SPECIFICATIONS The Level 1 of the ***Project Acronym*** Functional Specifications corresponds to the ***Project Acronym*** System Context and to the ***Project Acronym*** System Level (1). 1.1. ***Projec...

The Register - Security: Scareware victims seldom fight back

Too embarrassed or too ignorant?

Victims of rogue anti-virus scams rarely attempt to claw back fraudulent credit card payments for worthless software packages, according to new research.…

InfoWorld: Free mobile apps can cost users their privacy


As if IT admins weren't busy enough securing end-users' computers, servers, and the network, they now need to come up with ways to protect end-users' phones.

Archimedius: Network Automation is Inevitable

The network industry could be entering yet another new stage of innovation and growth, fueled by a flood of new demands and an increasingly likely new tech refresh cycle driven by increasing network infrastructure automation and control.  At the core of this new cycle is a flood of new devices being attached to the network, [...]

InfoWorld: Dell angles for service contracts with new security offerings

Dell on Wednesday beefed up its security offerings with new hardware and services, which could help the company to strike more long-term service engagements with customers.

The security offerings are part of a new product portfolio targeted at medium-sized businesses, Dell said. The portfolio brings together security management, deployment and vulnerability assessment tools to protect data and IT infrastructures.

Privacy Digest: Exclusive Sneak Peek: DefCon Ninja Party Badge

Exclusive Sneak Peek: DefCon Ninja Party Badge: Via Threat Level.

LAS VEGAS — A hacker group known as the Ninjas has created what may be the best DefCon badge ever. The badge allows wireless ninja battle between badge holders. Unlike the official badge, attendees can’t buy this one: it’s free.

DefCon, the world’s largest hacker convention, is more than just a group of hackers getting together to exchange the latest exploit code and hacking techniques. It’s a time for hackers who may only see one another once a year, to socialize face to face. One of the most exclusive venues for fraternizing at DefCon is the Ninja party. To attend the party attendees have to know one of the Ninjas and they have to give them a badge.

In years past, a Ninja would give a party attendee a sticker or a paper invite that would get them in to the party. Last year the Ninjas took the party invite to the next level when they created their own custom badge for their party attendees. This year, badge designers Amanda Wozniak and Brandon Creighton decided to take the badge to the next level, and then some. What started as a sketch on a napkin ended up as an amazing hacker gaming and development platform.


CNET News.com - Security: DHS tries to defuse privacy criticism, asks for help

At Black Hat, Homeland Security's second in command receives mixed response when trying to downplay privacy concerns, asks attendees for help.

InfoWorld: Apple patches up Safari and rolls out extensions


When Jeremiah Grossman, CTO of WhiteHat Security, announced last week that he had found a security hole in the Safari browser, he certai

F-Secure - News from the Lab: Adobe joins Microsoft's MAPP program

Greetings from Black Hat 2010!


So far the biggest announcement has been that Adobe will join MAPP (Microsoft Active Protections Program) and will start sharing vulnerability information for all Adobe products through it. This means that MAPP partners, such as F-Secure, can get advance notifications of vulnerabilities in products such as Adobe Reader or Flash, enabling us to better protect our users.

Regular readers of our blog will know that we have often been quite critical of Adobe. But here we want to give them full credit for a good move.

The conference has just started and there should be more interesting stuff coming up. I will be delivering my talk tomorrow. It's titled "You Will Be Billed $90,000 For This Call".

Signing off,
Mikko

On 28/07/10 At 08:16 PM

F-Secure - News from the Lab: Rogue AV Masquerades as a Firefox/Flash Update

It seems that rogue peddlers have gotten tired of their old tricks in pushing rogueware into the user's system. It used to be a fake scanning page that leads to a warning, then a fake AV.

Now, it comes as the Firefox "Just Updated" page. You know that page that instantaneously appears right after you update your Firefox browser? And you open Firefox for the first time? Just like that. But with a catch, of course. There is a message telling the user that even if their Firefox got updated, their Adobe Flash Player isn't. So they still have to update. Pretty helpful…

[Image: Firefox Update]

And the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads…

[Image: Binary]

When the user runs the file… Bad old rogue AV…

[Image: Security Tool]

Somehow the rogue guys couldn't decide if it's going to be Firefox or Flash Player… so it became a little bit of both.

Note: The malicious site is already blocked and the rogue is detected in our latest database updates.

Response post by — Mina & Christine

On 28/07/10 At 08:48 AM
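The lure above works because the page starts the download on load, with no click, while dressing itself up as a Firefox or Flash Player update. The following is an added example for this page, not F-Secure's code and not the actual site from the post: a small heuristic scanner that flags an HTML page when it reaches an executable through a meta refresh, an iframe, or a script navigation and also talks about a Firefox or Flash Player update. The two HTML documents are constructed samples, and the keyword list and the script regex are assumptions about how such lures commonly look; an obfuscated script would evade the regex.

```python
"""Heuristic detector for "update page that pushes an executable without a
click" lures, like the fake Firefox/Flash page described above.

Added example for this page; not F-Secure's code. The HTML samples are
constructed, and the heuristic (executable reached via meta refresh, iframe
or script navigation, on a page mentioning a Firefox or Flash Player update)
is an assumption about how such lures look.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".com", ".bat")
LURE_KEYWORDS = ("firefox", "flash player", "update")

# Assumed common script navigation forms: location = '...', location.href = '...',
# window.open('...'). Obfuscated scripts will evade this.
_NAV_RE = re.compile(r"(?:location(?:\.href)?|window\.open)\s*[=(]\s*['\"]([^'\"]+)['\"]")
_META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class _AutoNavScanner(HTMLParser):
    """Collects URLs a page loads or navigates to without user interaction."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.targets: List[str] = []
        self.text: List[str] = []
        self._in_script = False

    def _add(self, url: str) -> None:
        full = urljoin(self.base_url, url)
        if full not in self.targets:
            self.targets.append(full)

    def handle_starttag(self, tag, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_URL_RE.search(a.get("content", ""))
            if m:
                self._add(m.group(1))
        elif tag == "iframe" and a.get("src"):
            self._add(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data) -> None:
        if self._in_script:
            for m in _NAV_RE.finditer(data):
                self._add(m.group(1))
        else:
            self.text.append(data)


def assess_page(html: str, base_url: str) -> Dict[str, object]:
    """Return auto-loaded executables, lure keywords seen, and a verdict."""
    scanner = _AutoNavScanner(base_url)
    scanner.feed(html)
    scanner.close()
    auto_downloads = [u for u in scanner.targets
                      if urlparse(u).path.lower().endswith(EXECUTABLE_EXTS)]
    page_text = " ".join(scanner.text).lower()
    keywords = [k for k in LURE_KEYWORDS if k in page_text]
    return {
        "auto_downloads": auto_downloads,
        "lure_keywords": keywords,
        "verdict": bool(auto_downloads) and bool(keywords),
    }


# Constructed sample: a fake "Firefox updated" page that drops an .exe on load.
SAMPLE_LURE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=/flash_update.exe">
<title>Firefox Updated</title></head>
<body><h1>Firefox has been updated</h1>
<p>Your Adobe Flash Player is still out of date. The update will start automatically.</p>
<script>setTimeout(function () { window.location.href = '/flash_update.exe'; }, 2000);</script>
</body></html>"""

# Constructed sample: a benign post-update page with no automatic download.
SAMPLE_BENIGN_HTML = """<html><head><title>Firefox Updated</title></head>
<body><h1>Firefox has been updated to the latest version.</h1>
<p>See the release notes for what is new.</p></body></html>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_LURE_HTML, "http://evil.example/"))
    print(assess_page(SAMPLE_BENIGN_HTML, "http://www.mozilla.com/"))
```

Run it on fetched HTML with the page's own URL as `base_url`; the benign sample shows why the verdict requires both signals, since a genuine post-update page mentions Firefox and updates too but never navigates to an executable by itself.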

Yahoo! News: Computer Security and Viruses: DHS Exec Takes Hard Questions on Cybersecurity (PC World)

PC World - The U.S. Department of Homeland Security sent its highest-ranking official ever to speak at the Black Hat conference this week, and its Deputy Secretary Jane Holl Lute ended up fielding a few tough questions from skeptical computer security professionals in attendance.

SANS Internet Storm Center: Apple Releases Safari 4.1.1 and 5.0.1 addressing several vulnerabilities. http://support.apple.com/kb/HT4276 (Wed, Jul 28th)

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center: Oracle announced GNOME Display Manager password disclosure weakness (Wed, Jul 28th)

According to this announcement:

http://secunia.com/advisories/40780/

The problem is that passwords may in certain cases be logged to /var/log/messages while running GNOME Display Manager in debug mode (disabled by default).

This was originally reported on 02-15-2009 here:

https://bugzilla.gnome.org/show_bug.cgi?id=571846

A patch was issued the same day. A supported patch was issued 05-14-2010.

The Secunia advisory did not have many details.

The Sun blog link provided did not have very much information.

http://blogs.sun.com/security/entry/cve_2010_2387_password_disclosure

The CVE is reserved and not available yet.

The rest of the information is apparently in the Customer Area.

Does this mean we can count on a no-public-disclosure policy for Sun products now that Oracle owns them?
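The weakness above is a general bug class: a daemon's debug mode writes a secret into a world-readable system log. The following is an added example for this page, not code from the ISC diary, GNOME, or Oracle, showing the two checks an administrator would want after reading it: whether debug logging is switched on, and whether a known password already sits in the log. It assumes GDM's custom.conf can be read as an INI file with a [debug] section and an Enable key; the syslog lines are constructed samples, and the "pam_conversation ... response=" format is invented for illustration, not GDM's actual debug output.

```python
"""Two checks for the bug class in the diary above: a daemon's debug
logging writing a password into /var/log/messages.

Added example for this page, not code from the ISC diary, GNOME or Oracle.
Assumptions: GDM's custom.conf is parsed here as INI with a [debug] section
and an Enable key; the syslog lines are constructed samples and the
"pam_conversation ... response=" format is invented for illustration, not
GDM's real debug output.
"""
import configparser
import re
from typing import Dict, Iterable, List

# Constructed custom.conf with debug logging switched on (assumed key names).
SAMPLE_CUSTOM_CONF = """\
[daemon]
AutomaticLoginEnable=false

[debug]
Enable=true
"""

# Constructed syslog excerpt: the second line leaks the password typed at the greeter.
SAMPLE_LOG = [
    "Jul 28 08:10:01 host gdm-binary[1234]: DEBUG: pam_conversation: user=alice",
    "Jul 28 08:10:01 host gdm-binary[1234]: DEBUG: pam_conversation: response=Tr0ub4dor&3",
    "Jul 28 08:10:02 host sshd[2345]: Accepted publickey for bob from 10.0.0.5",
]

_RESPONSE_RE = re.compile(r"(response=)(\S+)")


def gdm_debug_enabled(conf_text: str) -> bool:
    """True if the INI text turns on [debug] Enable (the non-default, risky state)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("debug", "Enable", fallback=False)


def find_secret_leaks(lines: Iterable[str], secrets: Iterable[str]) -> List[int]:
    """Indices of log lines that contain a known secret verbatim.

    After the fact, feed in the current passwords of users who logged in while
    debug mode was on; any hit means the log must be scrubbed and the password
    rotated, because system logs are often readable by more than root (log
    shippers, backup jobs, the adm group)."""
    wanted = [s for s in secrets if s]
    return [i for i, line in enumerate(lines) if any(s in line for s in wanted)]


def redact(line: str) -> str:
    """Mask the value of a response= field: how a debug log should have looked."""
    return _RESPONSE_RE.sub(lambda m: m.group(1) + "<redacted>", line)


def audit(conf_text: str, lines: List[str], secrets: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one report for a host."""
    leaks = find_secret_leaks(lines, secrets)
    return {
        "debug_enabled": gdm_debug_enabled(conf_text),
        "leaked_lines": leaks,
        "redacted": [redact(lines[i]) for i in leaks],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CUSTOM_CONF, SAMPLE_LOG, ["Tr0ub4dor&3"]))
```

The `redact` function is the shape of the real fix: log that a PAM response was received, never its value. Searching for verbatim secrets is only useful as a one-off after an incident, since it requires the plaintext passwords; the durable control is keeping debug mode off and making sure it cannot be turned on without a change record.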

Yahoo! News: Computer Security and Viruses: Suspected 'Mariposa Botnet' creator arrested (AFP)

AFP - US, Spanish and Slovenian law enforcement authorities on Wednesday announced the arrest of the suspected creator of the "Mariposa Botnet," a vast network of virus-infected computers used by criminal hackers.


Zone-H: http://www.zaniascenter.gr

http://www.zaniascenter.gr defaced by TheWayEnd

Zone-H: http://www.islamaster.com/facebook-platform/facebook-platform/footprints/

http://www.islamaster.com/facebook-platform/facebook-platform/footprints/ defaced by ColdHackers

Security Ninja: My SecurityBSides Presentation and Demos

Hi everyone, I’ve just completed my presentation at SecurityBSides Las Vegas and I had a lot of fun doing the presentation. I must say that doing live demonstrations that exploit vulnerabilities in open source applications and then fixing the vulnerable code gave me a great buzz even if the prep work did give me a few [...]

Zone-H: http://www.emmanuel.org.sg

http://www.emmanuel.org.sg defaced by 1923Turk

Zone-H: http://designingdutchmen.co.nz/web/

http://designingdutchmen.co.nz/web/ defaced by HaCkErS eV!L

Zone-H: http://www.heritagehoa.net

http://www.heritagehoa.net defaced by AlbanianHackersGr0up

Zone-H: http://www.kspixs.com/blog/

http://www.kspixs.com/blog/ defaced by S.V Crew

hackaday: Flipping pancakes

[Petar and Sylvain] are teaching this robot to flip pancakes. It starts with some kinesthetic learning; a human operator moves the robot arm to flip a pancake while the robot records the motion. Next, motion tracking is used so that the robot can improve during its learning process. It eventually gets the hang of it, as you can see after the break, but we wonder how this will work with real batter. This is a simulated pancake, so the weight and the amount of force necessary to unstick it from the pan are always the same. Still, we loved the robotic pizza maker, and if they get this to work it’ll earn a special place in our hearts.

[Thanks Ferdinand via Flabber]


Zone-H: http://triton.ir

http://triton.ir defaced by loser_ir

Zone-H: http://www.ezel.co.tv

http://www.ezel.co.tv defaced by sKy_DanqeR

Zone-H: http://www.jxsp.gov.cn/bbs/

http://www.jxsp.gov.cn/bbs/ defaced by Ma3sTr0-Dz

Zone-H: http://www.misrnews.com

http://www.misrnews.com defaced by BrOx-Dz