MSMVPS.COM

Tighter security coming in Firefox 4 - (Including silent updates?)

donna — Sat, 31 Jul 2010 19:35:13 GMT

A new JavaScript engine, HTML5, tabs on top, and a new add-on framework are not the only improvements that users can expect in Firefox 4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.

One of the biggest fixes that's been implemented in the Firefox 4 beta (Windows | Mac | Linux) repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS sniffing history attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevent all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox's director of development, Jonathan Nightingale. Changing an already-visited link's colors is one the most-used features of the Web, and it would be catastrophic to prevent that.

Mozilla's David Baron figured out how to solve the problem with a three-pronged approach that focuses on the user instead of the Web site. His solution limits what aspect of links can be tweaked to color, then "lies" through JavaScript so that although the page queries the link and reports back what it would look like if it was unvisited, the one that Mozilla's engine draws is the correct one, whether it's been visited or not. This solution also limits the amount of computation that the rendering engine needs to do, said Nightingale, which allows the focus to remain on the content and reduces the overall "heavy lifting" required to render it properly. "By limiting the link, there's fewer options for [link exploits that look like] dancing bananas."

Nightingale added that Wednesday's release of Safari 5.0.1 has incorporated the fix.

Another type of bug addressed in the Firefox 4 beta is an XSS primary scripting exploit. [...]

Other changes in Firefox 4 promise to be less technical. Firefox's approach to browser updates is changing, and sounds like in some cases it will more closely resemble Google Chrome's automatic updates. "There are updates that we want you to know about, and that you'll have a choice to install or not, but there's also updates that we just want to get our security patches out," said Nightingale. Those silent updates will be rolled out first to Windows users because Windows experience the most security risks, he said, but Mac and Linux users will eventually see them, too.

CNET Download Blog

Tool will test for phone bugs - Airprobe

donna — Sat, 31 Jul 2010 19:06:31 GMT

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other peoples' calls, unless the target telecommunications provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the United States.

For more on this story, read Can your calls be intercepted? This tool can tell on CNET News.

ZDNet

AirTight defends Wi-Fi WPA2 'vulnerability' claim

donna — Sat, 31 Jul 2010 19:01:03 GMT

A "publicity stunt?" Major threat? Or easily contained?

Executives at AirTight are defending their description of a little-known "vulnerability" in the 802.11 standard in the face of criticism following their demonstration of a Wi-Fi exploit at the Black Hat security conference. One WLAN vendor called the claim a "publicity stunt."

Others are saying the attack, which can only be mounted by an internal authorized WLAN user, is so limited in scope that it would be easier for an attacker to just use the unattended computer in a neighbor's cubicle or even bribe a fellow employee to access data.

"What those limitations really mean is that 'YES' there are much easier ways to get the data," says Jennifer Jabbusch, chief information security officer, Carolina Advanced Digital, a Cary, N.C. IT services company. "In a scenario like this, that data is most likely (more than 99.9% likely) to be [already] unencrypted on the wire. In addition to that, the close physical proximity [required] would mean an attacker could also just as easily walk over to the victim's machine and load a tool to collect data while they're at lunch or getting a soda in the break room. The wireless attack is 'going around your butt to get to your elbow,' as we say in the South."

She analyzed the AirTight exploit previously in her SecurityUncorked blog.

WLAN vendor Aruba Networks issued its own analysis, by Robbie Gill of the company's engineering department, which concluded, "The attack scenario described by AirTight is well known and old news – it was, in short, a publicity stunt."

Yesterday's detailed demonstration at Black Hat Arsenal, a demo area associated with the Black Hat info security conference, confirmed nearly all of the details that Jabbusch and others had been expecting. [See: "Wi-Fi WPA2 vulnerability FAQ".] It did little to convince observers that the exploit constituted a serious threat to enterprise wireless LAN security.

NetworkWorld

Dell Tech Swipes Nude Photos of Gullible Customer

donna — Sat, 31 Jul 2010 18:32:45 GMT

Dell is apparently eager to compete with Best Buy and Walmart for the title of most despised retailer in the country. A few months back, a tech support rep got in trouble for turning on a woman's webcam without her permission. Then, last month, the company got nabbed knowingly shipping faulty PCs. And, just this week, the Texas-based manufacturer was caught shipping motherboards infected with malware. Now, a woman from California is alleging that a support technician for Dell stole nude photos of her from her PC and posted them online, and then charged $800 worth of computer gear to her credit card for another woman in Tennessee.

This is not a cut-and-dry case of a misbehaving tech rep, though. This drama has actually been going on for almost a year, and only now is Tara Fitzgerald coming forward with her accusations. Try and follow the sequence of events, and make sense of Fitzgerald's often questionable judgment.

Switched

Did Dell tech support display woman's naked pics?

Fitzgerald wanted to send some pictures of herself to her boyfriend, but she couldn't find them on her Dell computer.

Her urgent need to find these pictures drove her, quite naturally, to call Dell tech support. Her call was answered, she said, by a gentleman in Mumbai, India, named Riyaz Shaikh.

Shaikh, who, by the time you finish this tale, might not turn out to be a gentleman, after all, offered to remotely access her computer so that he could find the pictures for her. Fitzgerald said she watched him as he located her snapshots.

It was another fine day in the helpful history of tech support. However, this success was ruined somewhat, when Fitzgerald allegedly received an e-mail from an unidentified source telling her that her pictures were now freely available for anyone to see on the Web. They were on a site called "bitchtara." [...]

News10 contacted Dell, it received the following reply: "We investigated the issue, which involved a technical representative at one of Dell's vendors. We contacted the vendor about the allegation and can confirm that the representative no longer handles Dell calls. We've been in contact with Ms. Fitzgerald regarding this issue and continue to investigate her claims to best assist in a resolution."

CNET

Sites Feed Personal Details To New Tracking Industry

donna — Sat, 31 Jul 2010 18:27:30 GMT

The largest U.S. websites are installing new and intrusive consumer-tracking technologies on the computers of people visiting their sites—in some cases, more than 100 tracking tools at a time—a Wall Street Journal investigation has found.

The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time.

The Journal's study shows the extent to which Web users are in effect exchanging personal data for the broad access to information and services that is a defining feature of the Internet.

In an effort to quantify the reach and sophistication of the tracking industry, the Journal examined the 50 most popular websites in the U.S. to measure the quantity and capabilities of the "cookies," "beacons" and other trackers installed on a visitor's computer by each site. Together, the 50 sites account for roughly 40% of U.S. page-views.

The 50 sites installed a total of 3,180 tracking files on a test computer used to conduct the study. Only one site, the encyclopedia Wikipedia.org, installed none. Twelve sites, including IAC/InterActive Corp.'s Dictionary.com, Comcast Corp.'s Comcast.net and Microsoft Corp.'s MSN.com, installed more than 100 tracking tools apiece in the course of the Journal's test.

The Journal also surveyed its own site, WSJ.com, which doesn't rank among the top 50 by visitors. WSJ.com installed 60 tracking files, slightly below the 64 average for the top 50 sites.

The Wall Street Journal

If you use IE, enable "InPrivate Filtering"

Use Hosts file to block ads. Use Adblock Plus for FF or use AdBlock IE for IE

Texas Imperial Software DefCon 18 challenge

Alun Jones — Sat, 31 Jul 2010 16:23:00 GMT

I rarely write about my business on the blog here, and perhaps I should do so some more.

I mentioned in the post earlier today of how I’d “hacked” my badge (“hacked” in the sense of “that’s not programming, that’s typing”) to display the Texas Imperial Software and WFTPD logos, and the wftpd.com domain hosting our web site.

Also, that I’ll be wearing my bright orange Texas Imperial Software t-shirt.

So, here’s the competition:

Take a photo of the Texas Imperial Software logo either from my shirt or my badge, post it to your blog (or other web-site), along with a description of where you saw me, and a link to Texas Imperial Software’s web site, http://www.wftpd.com, send me an email with a link to your site, and when I get back to the office, I’ll email you a free copy of WFTPD Pro – and as long as your page stays there for six months, you’ll get free updates the same as the rest of our customers.

What can you do with the free copy of WFTPD Pro? You can host your own secured FTP server, using the FTP over TLS protocol defined in RFC 4217, and also known as FTPS. Of course, what I’m guessing you’re going to do is hack on it – and that’s OK, providing that you notify me by email before(*) publishing your results. If you turn that hacking into a paper for a con, give me the opportunity to support your presentation, whether that’s with rebuttal, fixes, or mere apologies (sorry, can’t afford money).

The closest thing I have to a catch for this is that it has to be your own unique photo – I’ll be comparing all submissions for similarity, and the best way to avoid duplicates is to have someone else take the photo for you, and put yourself in the picture. And don’t forget, I don’t read your blog, so you have to email me a link to it.

Thanks for participating,

Alun.
~~~~

(*) I’d prefer the Google-recommended sixty days to fix stuff, but if you’re the kind of hacker who believes all vendors need public spanking, then by all means post immediately after emailing me. After all, it’s not like you couldn’t do that with the trial version anyway. But if you do that, I’ll be all grumpy about it, and won’t buy you a drink next time I see you.

Technorati Tags: defcon,defcon 18,ftp,wftpd,free,ftps,Texas Imperial Software

Sauvez le musée Français de la photographie à Bievres

Mtoo — Sat, 31 Jul 2010 15:17:00 GMT

Le Musée Français de la Photographie a vu le jour à Bièvres (91) en 1964, grâce à l'ingénieur français Jean Fage et à son fils André Fage, dans le but de présenter au public une collection d'appareils photo, d'accessoires et d'images, patiemment constituée depuis le début des années 50. La même année, Jean Fage crée l'Association du Musée Français de la Photographie, une association Loi de 1901 dont l'objet est de fédérer l'action de nombreux passionnés de l'image, sensibles à la dimension historique de la photographie.

Sous l'impulsion de Jean Fage, l'association a accéléré le développement de la collection, qu'il s'agisse de matériels photographiques ou d'images, notamment grâce à l'apport de collections privées individuelles, dont les propriétaires ou les héritiers ont souhaité se joindre au mouvement engagé par les deux fondateurs du Musée. En 1983, une commission d'experts internationaux, mandatée pour formuler un avis sur la collection du Musée Français de la Photographie, a considéré que l'ensemble d'appareils photographiques qui lui a été montré constitue par sa qualité et sa quantité l'une des plus importantes collections publiques connues dans le monde. La commission a également remarqué que cette collection est particulièrement représentative des dernières décennies du XIXe siècle et du XXe tout entier. Enfin, elle a souligné que l'ensemble constitué par les appareils français représente à lui seul une collection unique au monde.

Toutefois, ce patrimoine de grande valeur reste en grande partie méconnu. Car les locaux actuels du Musée Français de la Photographie, situés à Bièvres, en région parisienne, ne peuvent exposer qu'environ 10% de l'ensemble de la collection. La majeure partie de cet héritage unique reste donc encore aujourd'hui à l'écart des yeux du public. Les membres de l'Association du Musée Français de la Photographie, qui prolongent aujourd'hui l'action de Jean et André Fage, consacrent donc leur énergie à faire prendre conscience au public, comme aux autorités compétentes, de l'immense trésor historique que représente la collection.

Le souhait de l'Association est de donner enfin à la collection Fage l'écrin qu'elle mérite, conformément à la volonté exprimée par Jean Fage. Aujourd'hui, toutefois, des projets en cours se voient remis en question, faisant planer un doute pour l'avenir. La construction d'un musée suffisamment vaste, localisé sur la commune de Bièvres, carrefour historique de la photographie, apparaît pourtant aujourd'hui comme le seul moyen légitime de faire vivre la collection initiée par Jean et André Fage, témoin indispensable de l'Histoire de la photographie, comme de celle du XIXe et du XXe siècle, dont elle est le reflet indissociable.

Pour aider le musée à rester à Bievres, signez la pétition ici : http://www.visuelab.com/asso-photo-bievres.fr/petitionreader.pdf

Le site de l’association du musée est ici : http://www.visuelab.com/asso-photo-bievres.fr/

Le site Facebook ici : http://www.facebook.com/pages/Association-du-Musee-Francais-de-la-Photographie/104827469548363?v=info

Laurent Gébeau

I’m at DefCon–what’s on your badge?

Alun Jones — Sat, 31 Jul 2010 12:05:00 GMT

I’ve been at DefCon 18 for some of Friday – and as with Black Hat, it’s my first time.

I’ve decoded the bar code on the badge, but have no idea what it means (is it the name of Vera’s brother?), and I’ve got a fair idea what the Japanese text is encouraging us to do.

And, just to demonstrate that I can follow simple instructions, you’ll notice that my badge doesn’t look like your badge:

I should add that this isn’t anything particularly clever that I’ve done here, I haven’t solved any riddles or puzzled my way through anything, just managed to read some relatively simple (but somewhat code-ish) instructions. I hope to see many of you with similarly customised badges.

In recognition of the graphics I have on my badge, I’ll be wearing my Texas Imperial Software shirt on Saturday, too.

Here’s an even tighter close-up:

Know thy customer

gary — Sat, 31 Jul 2010 11:42:00 GMT

I was reading an excellent article by David S. Platt called " Using WPF for Good and Not Evil " in which he takes a sample application written to show off Windows Presentation Foundation (WPF) and tells what he feels are the good and bad points of the program. One thing that I read that really resonated with me was "Platt’s First, Last, and Only Law of User Experience Design states, “KNOW THY USER, FOR HE IS NOT THEE.” " He wrote this about software developers...(read more)

Business ISP Star UK Finds Workers Use Office Internet for Personal Stuff

donna — Sat, 31 Jul 2010 09:42:26 GMT

The latest independent survey of 1,000 workers from business ISP Star UK has found that 72% of British workers spend their lunch hour online and performing activities like shopping, banking, catching up with the latest sport or chatting to their friends on email or Facebook.

The research was conducted after Star noticed that the network bandwidth usage for business Internet traffic in their data centres was consistently peaking between 12:00 – 14:00hrs, which is normally when British workers should be enjoying their lunch breaks.

The most popular lunchtime habits for 63% of people are checking their personal email accounts, engaging in online shopping and banking (62%), and 31% catch up with friends on social networking sites like Facebook – unsurprisingly this trend was higher ( 40%) for younger workers between the ages of 16 to 34 years.

ISPReview

Farmville Will Get You in Trouble with IT Police

donna — Sat, 31 Jul 2010 09:39:47 GMT

Farmville is arguably the biggest social game the world has seen. Well, maybe that's a bit much, but it is a popular game. It so popular in fact, that many people will play it at work. However, doing so might get you into trouble with the IT police.

According to a security report by Cisco, employees are breaking company policies by playing social networking games, and, by doing so, could be opening up networks to outside attacks.

Cisco's 2010 Midyear Report found that 7-percent of those who admitted to using Facebook at work also fessed up to spending an average of 68 minutes each day playing 'FarmVille.'

FarmVille isn't the only game Facebookers play, as they are also sucked up into playing 'Mafia Wars' (5-percent for 52 minutes each day) and 'Cafe World' (4-percent for 36 minutes each day).

Technorati

Guard Dog Inc. Partners With Javacool Software LLC, Creators of Popular ‘SpywareBlaster’ Program

donna — Sat, 31 Jul 2010 09:37:30 GMT

Guard Dog, Inc. today announces a significant advance in its mission to protect consumers with a truly complete level of security against threats of identity theft through a recent partnership with Javacool Software LLC (JCS). In keeping with the company’s commitment to provide the best protection and solutions against online identity theft threats JCS’s popular software, SpywareBlaster, will be provided to all Guard Dog members to help protect them online.

“It has always been our primary objective to provide both current and future members of our identity theft protection service with the most comprehensive protection,” states Guard Dog Inc. Chief Executive Officer James Watson. “This partnership is one of many clear strategic moves towards Guard Dog achieving that objective. This is a never-ending process of building layers of protection and it is critical to include online partners in that process. SpywareBlaster is a proven anti-spyware, anti-malware system and when combined with Guard Dog’s unique, full-featured pro-active approach; the combination provides serious protection against identity theft.”

There are many key features that make SpywareBlaster a perfect fit for the Guard Dog product line. SpywareBlaster works alongside any existing security software on a PC to help provide a strong “layered defense” against spyware, malware and other threats. It also prevents the installation of ActiveX-based spyware and other dangerous programs, blocks spying and tracking via cookies, and restricts the actions of potentially unwanted Web sites. Unlike many other security tools, the performance-friendly SpywareBlaster software does not remain running in the background to slow down your PC.

“We are extremely pleased to announce our cooperative agreement with Guard Dog ID,” said a Javacool company spokesperson. “Over the years we have been approached by numerous companies that wanted to enter into a partnership program. The only one that was clearly in the best interests of our customers and our SpywareBlaster product was Guard Dog. We have been in talks with Guard Dog over the last three months and have a good understanding of their product and how SpywareBlaster fits into the equation. We are very excited to be a part of it.”

With more than 60 million free downloads since the company’s launch in 2002, having this agreement with Javacool furthers the distance between Guard Dog ID and its competitors. The company now truly offers a full suite of comprehensive identity theft protection, including key protection against online threats.

EarthTimes

FTC Issues Final Rule to Protect Consumers in Credit Card Debt

donna — Sat, 31 Jul 2010 09:35:04 GMT

Amendments to Telemarketing Sales Rule Prohibiting Debt Relief Companies From Collecting Advance Fees Will Take Effect in October 2010

Starting on October 27, 2010, for-profit companies that sell debt relief services over the telephone may no longer charge a fee before they settle or reduce a customer’s credit card or other unsecured debt.

“At the FTC we strive every day to make sure America’s middle class families get straight deals for their dollars,” Chairman Jon Leibowitz said. “This rule will stop companies who offer consumers false promises of reducing credit card debts by half or more in exchange for large, up-front fees. Too many of these companies pick the last dollar out of consumers’ pockets – and far from leaving them better off, push them deeper into debt, even bankruptcy.”

Three other Telemarketing Sales Rule provisions to take effect on September 27, 2010, will:

require debt relief companies to make specific disclosures to consumers;
prohibit them from making misrepresentations; an
extend the Telemarketing Sales Rule to cover calls consumers make to these firms in response to debt relief advertising.

FTC

FTC's List of Corporate Privacy Abusers Shows Advertisers Can't Be Trusted With Data Security

donna — Sat, 31 Jul 2010 09:32:33 GMT

The FTC yesterday published a list of companies that used unfair, deceptive, false or misleading claims about consumer privacy that caused “substantial consumer injury,” and the names on it will surprise you. Sure, many of the companies are mortgage scammers and spam phishers. But lots of them are household and blue-chip brands such as Twitter, TJ Maxx (TJX), Microsoft (MSFT) and Dave & Busters.

The list proves that advertisers cannot be trusted to regulate themselves when it comes to tracking and targeting consumers on the web or on mobile devices. There are currently few rules controlling how advertisers can use personal information gathered from consumers electronically, and if self regulation worked the FTC would not have brought action against these companies for privacy abuses (see pages 7 and 8):

Twitter

Dave & Buster’s

LifeLock

ValueClick

CVS Caremark

The TJX Cos. (TJ Maxx)

Reed Elsevier

DSW

BJ’s Wholesale Club, Inc.

Nationwide Mortgage Group

Petco Animal Supplies

Guess?

Microsoft Corp.

Lexis Nexis

In addition, the FTC has brought:

… 15 actions charging website operators with collecting information from children without parents’ consent, as well as 15 spyware cases and dozens of actions challenging illegal spam, …

BNET

Android dev rejects rogue app claims, still highlights risks

donna — Sat, 31 Jul 2010 09:27:00 GMT

Mobile app developer Jackeey Wu defended himself against claims of producing Android spyware apps today while also underscoring some of the risks of Google's mobile OS. He noted that some of the permissions his Wallpapers allegedly requested, such as for the web browser history and SMS message records, aren't in the actual app. As requesting private information automatically flags the app in Android Market before the install, it's virtually impossible to collect such information in secret, Wu said.

What few permissions Wu needs, such as basic phone access, are to help make features such as favorites work properly as a user changes devices. There's no connection to user data, he said.

Lookout, the research team that had first made the accusations, has since scaled back its claims and in an update said there wasn't any evidence of rogue behavior.

Electronista

Commtouch to Acquire the Antivirus Division of Authentium‎

donna — Sat, 31 Jul 2010 09:24:43 GMT

Commtouch today announced that it has signed a definitive Asset Purchase Agreement to acquire the assets, products, licenses, and operations of the Command antivirus division of Authentium, Inc., a Florida-based company.

Command antivirus -- which also includes technology to protect against spyware, Trojan downloaders, and other threats -- is strongly synergetic with the rest of Commtouch's product portfolio. With the addition of antivirus technology as a new, third product line, Commtouch will be offering a comprehensive set of solutions for inbound and outbound messaging and Web security to its customers, which are networking and security vendors and service providers.

The Command antivirus division currently provides its technology to a notable number of leading service providers and vendors, including Google, McAfee, and Microsoft. Certified by Checkmark, West Coast Labs, and a winner of multiple Virus Bulletin awards, Authentium's Command antivirus technology boasts a small footprint and a highly efficient event-processing system.

Commtouch is expected to pay $4.6 million in cash and an additional "earnout" contingent upon the achievement of certain revenue milestones through December 31, 2011, which may bring the total amount to approximately $8 million.

The acquisition is expected to be accretive starting the first quarter post-closing, and should contribute positively to Commtouch's non-GAAP top and bottom line in 2011.

PR-USA.net

[MS Security Bulletins] "Out-of-Band" Release - 2nd August 2010

Cliff Hobbs at myITforum.com — Sat, 31 Jul 2010 08:37:47 GMT

Looks like Microsoft are going to do an " out-of-band " for the following patch on Monday: This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on August 2, 2010. The full version of the Read More......(read more)

Black Hat Amazon code question part 2

Alun Jones — Sat, 31 Jul 2010 08:21:02 GMT

Thanks for the comments so far on the first day’s code question at Black Hat.

I’ll leave it a little while before posting the comments and answers, because it’ll give you a chance to think it through for yourself if you haven’t already done so.

Meanwhile, here’s the code example for day 2. What’s wrong with it?

wchar_t *fillString(
    wchar_t content, unsigned int repeat)
{
    wchar_t *buffer;
    size_t size;
    if (repeat > 0x7fffffffe)
        return 0;
    size = ( repeat + 1 ) * sizeof content;
    buffer = (wchar_t *) malloc ( size );
    if ( buffer == 0 )
        return 0;
    wmemset(buffer, content, repeat);
    buffer[ repeat ] = 0;
    return buffer;
}

The language is C++, and as with the previous example, assume that everything that is not given above is perfect.

In case it is important, this was tested on an x86 system, although the flaw will also show up in x64. We were repeatedly asked that question.

ALERT: Out of band security update to be released on August 2

sandi — Sat, 31 Jul 2010 03:19:02 GMT

Details here:
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

“This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on August 2, 2010. The bulletin addresses a security vulnerability in all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, that is currently being exploited in malware attacks.”

Please install this patch as soon as you can once it is released.

If you used the workaround to mitigate the vulnerability (that is, if your shortcuts look like this or this , then you will need to undo that workaround before installing the security update.

Microsoft released a “fixit” to automatically apply, or remove, the workaround that broke *.LNK files – you can find the “fixit” here:
http://support.microsoft.com/kb/2286198

System Center Configuration Manager en Windows 2008 R2

Leandro Amore — Sat, 31 Jul 2010 03:05:39 GMT

A partir de SP2 esta soportada la instalación de SCCM en Windows 2008 R2. Pero tiene algunos problemas con el WebDav. Como sabrán, la versión de IIS en Windows 2008 es 7.0 y no incluye WebDav, sino que hay que bajarlo como un complemento adicional. En Read More......(read more)

New Tool Allows Websites To Keep Serving Pages After Infection

donna — Fri, 30 Jul 2010 20:20:35 GMT

When Web pages are infected with malicious code, the current security practice is to block the entire page and warn users not to go there. But what if the infected page is on a legitimate site that needs that page up in order to do business?

In a presentation here Wednesday, a Black Hat speaker proposed a new technology that strips out malware from infected Web pages, effectively allowing sites to continue to serve Web content even after a page has been infected.

The new "mod_antimalware" Web server module, which is outlined in a white paper at Black Hat, is designed to recognize malware by its behavior on a website, says Neil Daswani, CTO of upstart security vendor Dasient and co-author of the paper.

"When a PC gets infected with malware, you don't tell the user to stop using it," Daswani says. "But that's basically what happens to Web pages that get infected -- the whole page is blocked, and your site may even be blacklisted, all because one element on one page is infected."

Mod_antimalware monitors Websites for malicious behavior, such as redirecting users to other sites or attempting to download Trojan horses, Daswani explains. It then identifies the code that instigated the malicious behavior and strips it off the page, allowing the rest of the Web content to continue being served safely.

DarkReading

Government rules out upgrading from Internet Explorer 6

donna — Fri, 30 Jul 2010 20:14:32 GMT

Government to persevere with browser despite high-profile vulnerabilities and advice from France and Germany

The government has ruled out scrapping the use of Internet Explorer 6 on department computers, saying it will persevere with the bullet-riddled browser despite its high-profile vulnerabilities.

Responding to an online petition with more than 6,000 signatures urging government departments to upgrade away from IE6, the government said such a move would be "a very large operation" potentially at "significant potential cost to the taxpayer".

"It is therefore more cost-effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware-scanning software, to further protect public sector internet users," reads the statement.

The petition, set up by Dan Frydman, director of Inigo Media, launched the day after Google announced it would be phasing out support for the Microsoft browser after the company's corporate network was broken into by Chinese hackers using a vulnerability in IE6. The (pre-election) cabinet office signalled its intention to stick with IE6 in January this year, despite governments in both France and Germany advising people to stop using it.

Frydman responded to today's government decision on his blog, expressing disappointment that the possibility of an upgrade across any department was ruled out so off-handedly. "What I was looking for was a recommendation to upgrade away from IE6," he says. "A recommendation isn't hard, it's cheap and easy and isn't an admission of guilt. It puts the onus on the government departments to modernise, to innovate and to take care of [on] their own.

Guardian.co.uk

Well, you are putting your organization or department at RISK.

Free Android apps scrape personal data, send it to China

donna — Fri, 30 Jul 2010 20:08:00 GMT

Millions have downloaded 'suspicious' wallpaper apps, says mobile security firm

Between one and four million users of Android phones have downloaded wallpaper apps that swipe personal data from the phone and transmit it to a Chinese-owned server, a mobile security firm said today.

According to San Francisco-based Lookout, a large number of free wallpaper apps in the Android Market scrape the phone number; the user-specific subscriber identifier, also know as the IMSI (International Mobile Subscriber Identity); the phone's SIM card's serial number; and the currently-entered voicemail number from the phone.

That information is then transmitted to a server that Internet records show is registered to a resident of Shenzhen, a city in China's Guangdong province, just north of Hong Kong.

Over 80 wallpaper apps created by a pair of developers -- "callmejack" and "IceskYsl@1sters!" -- include code that accesses users' personal data, said Kevin Mahaffey, chief technology officer and a co-founder of Lookout.

"All that is sent to a Chinese server in clear text," said Mahaffey in an interview prior to Black Hat, where he and CEO John Hering presented findings of what the company called the "App Genome Project," an attempt to analyze the code of some 300,000 applications available in the Android Market and Apple's iPhone App Store.

In a Friday entry on Lookout's blog, Mahaffrey published pieces of the data-scraping code found in the wallpaper apps, as well as an example of the HTML request made to the Chinese server by those programs.

ComputerWorld

Is Twitter Less Secure Than E-mail?

donna — Fri, 30 Jul 2010 20:02:54 GMT

Barracuda Networks is out this week with new research attempting to quantify how much malicious activity occurs on Twitter. Barracuda defines the Twitter "crime rate" as the percentage of accounts created per month that are eventually suspended by the company.

Barracuda presented its research here at the BSides event, down the Strip from the Black Hat security conference.

In total, Barracuda looked at more than 25 million accounts and found that the crime rate for the first half of 2010 is only 1.67 percent. Barracuda saw the crime rate on Twitter fluctuate from month to month, peaking in October 2009 when the rate checked in at 12 percent.

David Maynor, a research scientist at Barracuda Networks, told InternetNews.com that Twitter has not published a rigid set of guidelines specifying why accounts are deleted, though spammers and phishers are likely candidates for deletion.

While some Twitter accounts may have been set up by those with malicious intent, others may have been compromised by third-party applications, a situation Twitter is trying to address by moving to the OAuth. Maynor said that OAuth can be helpful, but won't necessarily make much of a difference to the Twitter crime rate.

"OAuth is the first step toward building a more secure infrastructure," Maynor said. [...]

Compared to other forms of online communications, Twitter's crime rate ranks somewhere in the middle.

"The crime rate on Twitter is more than it is on Facebook but less than it is on e-mail," Judge said.

InternetNews

Google tops comparative review of malicious search results

donna — Fri, 30 Jul 2010 19:58:09 GMT

According to a newly released report by Barracuda Labs, based on a two-month study reviewing more than 25,000 trending topics and 5.5 million search results, Google remains the most popular search engine used by malicious attackers, relying on poisoned keywords.

The company, which also sampled Yahoo Search, Bing, and Twitter, contributes Google’s leading position to the fact that Google remains the market share leader in online search, and consequently the most targeted search engine.

Key highlights of the study:

Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.

The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!

Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT. The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

Interestingly, based on the data gathered, the most popular topic of choice for cybercriminals were spyware related searches, followed by entertainment news, with hosting sites, P2P and proxies related searches showing a significant growth. What’s worth highlighting while interpreting the data, is that it’s only valid for a specific period of time. How come? [...]

Zero Day Blog at ZDNet

Happy bitchday from Facebook

donna — Fri, 30 Jul 2010 19:33:42 GMT

From Graham Cluley's Blog at Sophos:

Yesterday my colleague Pablo Teijeira, who is based in our Madrid office, logged into Facebook as normal and was confronted with a rather unusual message in place of the usual reminder of whose birthday it was today:

Rather than "Hoy es cumple de" ("Today is the birthday of") the Spanish language version of Facebook was saying "f*ck you bitches". Charming.

Pablo dropped me a line, wondering if I knew if Facebook had been hacked or if there was some other sinister explanation.

Well, the good news is that it wasn't malware and it was more done as a prank than with malicious intent. Facebook has relied upon volunteers to translate its site, and if enough people vote for an incorrect translation it can automatically replace the legitimate wording.

It's all very well harnessing the power of the net to get your website translated, but maybe Facebook should put a few more checks in place before the system is abused again in future - perhaps with more malicious intentions.

By the way, the Turkish translation version of Facebook was also abused in a similar way [...]

Black Hat gets its video feed hacked

donna — Fri, 30 Jul 2010 19:31:44 GMT

A security expert found a way to catch the talks at Black Hat for free, thanks to bugs in the video streaming service used by the security conference.

Michael Coates, the head of Web security for Mozilla, said he discovered several problems while trying to sign up for the US$395 service. As he went through the sign-up procedure, he was "quickly sidetracked by a few oddities in the design," he wrote in a blog post describing the incident.

He poked around a bit more and discovered that he could register an account without providing anything more than an e-mail address, and then use that account on a test login page to access the videos for free.

"Now, to be fair, Black Hat didn't operate this video service themselves," Coates wrote. "But its still a bit ironic that the largest hacking conference in the world has this security hole in their video streaming service."

Black Hat's video streaming was provided by Inxpo this year.

ComputerWorld

QuickTime Player Allows Movie Files to Trigger Malware Download

donna — Fri, 30 Jul 2010 19:27:31 GMT

Quicktime Player (version 7.6.6) allows movie files to trigger download of files, and cybercriminals are using this to download malware from malicious websites.

Trend Micro Threat Research Engineer Benson Sy encountered two .MOV files (001 Dvdrip Salt.mov, salt dvdrpi [btjunkie][xtrancex].mov) that both used the recent movie, Salt of Angelina Jolie. It looks suspicious enough because of its relatively small size compared to regular movie files.

When the movie files are loaded to Quicktime player, it doesn’t show any live action scenes but leads users to download malware pretending to be either an update codec or another player installation. It is still under investigation whether the malware is using vulnerability or a known functionality to download the malware.

TrendLabs Malware Blog

Reading older aircraft MDL files (at least partly)

arno — Fri, 30 Jul 2010 19:10:00 GMT

The screenshot above shows some success with reading the older aircraft MDL files. In this case it is a CFS2 aircraft (they use the same MDL structure as FS98 and FS2000). This models comes out quite good. Unfortunately not all models load that well. Many of them only show partly or not at all after importing. This seems to be caused by the fact that aircraft MDL files have a lot more conditional display than the scenery objects that ModelConverterX normally reads.

So I will first have to think of a best way to handle these conditions, else it is not possible to read aircraft MDL files usefully. Luckily this was already on the wishlist for other objects as well. I would like to add the ability to switch variables on or off from within ModelConverterX and that you then see the object change. If that is not possible I will probably let the user set the value of all variables used before importing. But the first option would be more powerful of course.

So time to do some thinking and hopefully I can implement this feature soon....

Well, it is only shows how data mining works

donna — Fri, 30 Jul 2010 18:59:16 GMT

Details from 100 million Facebook profiles posted online

Why it happened?

1. The user did not lock/secure their info? Maybe.

2. The user really allow sharing their info? Possible since it's called sharing and they want it shared. Their choice.

3. They know what is FB for and they know the catch? Maybe or No. You know... not every user reads privacy agreements/terms/policies.

What's the catch? Data mining. Profilers/Scammers/Thieves has easy targets. Yours is theirs. Theirs is theirs.