security.crudtastic.com

Security Nerd Stuff

Browsing Posts in Information

The last two days have been pretty busy. I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour’s “contagio malware dump” blog. After giving the blog post a once over, it was pretty clear that he had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screen shot of the Adobe Reader “About” dialog with dropped files showing. Great image! This most definitely piqued my interest.

Read the rest of jduck’s post on the Metasploit blog

My old chum Chris called me on the weekend to tell me about this .. the call was full of a lot of street-talk and keepin’ it real .. you know, cause that’s how the kids roll these days (like wearing a kilt)!


Symantec’s attempts to link up with Snoop Dogg to launch a cybercrime rap contest have descended into farce after it emerged that vulnerabilities with a dedicated site can be easily rickrolled.

Read all about the awesomeness that is Snoop Dogg and Security HERE

WORD TO YOUR MOTHER!


Today Microsoft are pleased to announce the availability of the Enhanced Mitigation Experience Toolkit (EMET) version 2.0.  Users can click here to download the tool free of charge. 

For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications.  This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited.  By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products.  In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.

Read the full story on the TECHNET BLOG

The Pentagon has opened the kimono on what it described as the “most significant breach of US military computers ever,” in which a flash drive in 2008 was used to infect large numbers of computers, including those used by the Central Command overseeing combat zones in Iraq and Afghanistan.

When the device was plugged into a military laptop located on an undisclosed base in the Middle East, malicious code soon linked highly sensitive machines to networks controlled by an unnamed foreign intelligence agency, Deputy Defense Secretary William J. Lynn III wrote in the first official account of the episode.


Read the full story on theregister.co.uk

Sophos have been working to provide some useful tools to help educate web users about the risks of social media sites. Learn more about the Social Media Toolkit and download it if you wish.

There’s a Social Networking toolkit with videos and presentations that you can use to educate yourself or your workforce. And they’ve also created a groovy little widget you can add to your web pages to share handy Safe Web Browsing tips.

All this stuff is free and might just stop a few more people clicking that oh-so-appealing pop-up window or installing that rogue Facebook app that silently updates statuses and spams all their “friends”.


via Graham Cluley’s blog [SOPHOS]

Plenty of people are familiar with the dangers which can be associated with sharing your location online – whether it be by Twitter updates (“I’m at Heathrow airport, Terminal 3, waiting to go on two weeks’ holiday..”), Foursquare (“I just ousted @gcluley as the mayor of Sophos on @foursquare!”) and the newly launched Facebook Places.

But a new website called I Can Stalk U demonstrates how easy it is to unwittingly reveal your location – just by sharing a digital photo from your smartphone.

I Can Stalk U website

Many people may be unaware that lots of smart phones geo-tag photos that they take with information about where they were taken. The location data isn’t visible to the naked eye in the photo, it’s embedded as encoded meta-data inside the picture, alongside information about what type of camera was used, camera settings, and so forth.

That means anyone who accesses your digital photos can (if you haven’t wiped the location meta-data) work out where you were when you took the snapshot.

And as many people upload their pictures virtually instantly to Twitter via services like TwitPic, someone could find out where you are even if you had no intention of sharing that information with the world.

You can imagine how that could be very dangerous – imagine if you had a jealous ex-partner, or if you were a celebrity with hundreds of demented fans keen to “hang out” with you.

The I Can Stalk U website appears to have been set up to raise awareness of the security problem, rather than to cause mischief, and they have helpfully provided information about how to disable geo-tagging on some of the most common smartphones.

As the world wide web increasingly becomes the “world where” web, with location playing an ever more important role in the information we glean from the internet, it will become increasingly important for net users to consider how this information is shared, and ensure that they are not unwittingly sharing it with unauthorised parties.


via Graham Cluley’s Blog [SOPHOS]
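The mechanism Cluley describes (the location is stored as Exif GPS tags inside the JPEG, invisible in the rendered picture) as an added worked example; this is not code from his post or from the I Can Stalk U site. The script builds a constructed JPEG whose Exif APP1 segment carries a GPS IFD, reads the coordinates back out of it the way a site like I Can Stalk U would, and strips the Exif segment before the picture is shared. The sample file has the JPEG marker structure but no image data, the coordinates are made up, and the tag numbers and field layout are the standard Exif/TIFF ones.

```python
import struct

GPS_IFD_POINTER = 0x8825                       # tag numbers / field types per the Exif and TIFF specs
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5

def _to_dms(value):
    """Decimal degrees -> three Exif RATIONALs: (deg,1), (min,1), (thousandths of a second,1000)."""
    deg, rest = divmod(abs(value), 1)
    mins, rest = divmod(rest * 60, 1)
    return [(int(deg), 1), (int(mins), 1), (round(rest * 60 * 1000), 1000)]

def build_exif_gps(lat, lon):
    """Little-endian TIFF blob with IFD0 -> GPS IFD, laid out the way a phone camera writes it."""
    E = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 * 1 + 4        # IFD0: count, one 12-byte entry, next-IFD link
    data_off = gps_off + 2 + 12 * 4 + 4        # GPS IFD: count, four entries, next-IFD link
    entry = lambda tag, typ, cnt, val4: struct.pack(E + "HHI", tag, typ, cnt) + val4
    u32 = lambda v: struct.pack(E + "I", v)
    ascii4 = lambda s: s.encode("ascii").ljust(4, b"\x00")   # values of <= 4 bytes sit inline
    tiff = b"II" + struct.pack(E + "HI", 42, ifd0_off)
    tiff += struct.pack(E + "H", 1) + entry(GPS_IFD_POINTER, LONG, 1, u32(gps_off)) + u32(0)
    tiff += struct.pack(E + "H", 4)
    tiff += entry(GPS_LAT_REF, ASCII, 2, ascii4("N" if lat >= 0 else "S"))
    tiff += entry(GPS_LAT, RATIONAL, 3, u32(data_off))
    tiff += entry(GPS_LON_REF, ASCII, 2, ascii4("E" if lon >= 0 else "W"))
    tiff += entry(GPS_LON, RATIONAL, 3, u32(data_off + 24))
    tiff += u32(0)
    for num, den in _to_dms(lat) + _to_dms(lon):   # the six RATIONALs live past the IFDs
        tiff += struct.pack(E + "II", num, den)
    return tiff

def _parse_tiff_gps(tiff):
    """Return (lat, lon) in decimal degrees from the GPS IFD, or None if there is none."""
    E = {b"II": "<", b"MM": ">"}[tiff[:2]]          # KeyError on a bad byte-order mark

    def read_ifd(off):
        n = struct.unpack_from(E + "H", tiff, off)[0]
        entries = {}
        for i in range(n):
            eoff = off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack_from(E + "HHII", tiff, eoff)
            entries[tag] = (typ, cnt, val, eoff + 8)    # eoff + 8: the raw 4-byte value field
        return entries
    def ascii_value(e):
        _, cnt, val, field = e
        raw = tiff[field:field + cnt] if cnt <= 4 else tiff[val:val + cnt]
        return raw.rstrip(b"\x00").decode("ascii")
    def dms_value(e):                                   # RATIONALs: degrees, minutes, seconds
        _, cnt, val, _ = e
        d, m, s = [n / den if den else 0.0
                   for n, den in struct.iter_unpack(E + "II", tiff[val:val + 8 * cnt])]
        return d + m / 60 + s / 3600

    ifd0 = read_ifd(struct.unpack_from(E + "I", tiff, 4)[0])
    gps = read_ifd(ifd0[GPS_IFD_POINTER][2]) if GPS_IFD_POINTER in ifd0 else {}
    try:
        lat, lon = dms_value(gps[GPS_LAT]), dms_value(gps[GPS_LON])
    except KeyError:
        return None                                     # no GPS IFD, or no coordinates in it
    sign = lambda tag, neg: -1 if tag in gps and ascii_value(gps[tag]) == neg else 1
    return sign(GPS_LAT_REF, "S") * lat, sign(GPS_LON_REF, "W") * lon

def _segments(jpeg):
    """Yield (marker, start, end, payload) for each marker segment ahead of the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI, or SOS: entropy-coded data follows
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield marker, pos, pos + 2 + length, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def extract_gps(jpeg):
    """What a site like I Can Stalk U does: read the coordinates out of the Exif APP1 segment."""
    for marker, _, _, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff_gps(payload[6:])
    return None

def strip_exif(jpeg):
    """Drop every Exif APP1 segment; JFIF, tables and scan data are copied byte for byte."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

def build_jpeg_with_gps(lat, lon):
    """Constructed sample: JPEG marker structure (JFIF APP0, Exif APP1, EOI) with no scan data."""
    seg = lambda m, p: b"\xff" + bytes([m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + build_exif_gps(lat, lon)) + b"\xff\xd9")
```

`extract_gps(build_jpeg_with_gps(51.5, -0.125))` returns the made-up coordinates back as `(51.5, -0.125)`, and running the same call on `strip_exif(...)` of that file returns `None`. Two caveats a practitioner would want: the stripper removes only Exif APP1 segments, so an XMP packet (also an APP1 segment, with an `http://ns.adobe.com/xap/1.0/` header) that carries location would survive it, and a real phone photo has more GPS tags than the four built here (altitude, timestamp, and so on), all of which disappear together when the whole segment is dropped.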

Remember all the controversy over electronic voting machines? Well, prepare to be paranoid once again. Researchers from the University of Michigan and Princeton University managed to hack a touch-screen direct-recording electronic (DRE) voting machine called the Sequoia AVC Edge to run Pac-Man, reminding me why I didn’t trust electronic voting machines in the first place.

The researchers hacked the supposedly “secure” voting machine by reformatting the memory card in the machine to boot in DOS instead of the default embedded operating system. Apparently the entire process of reformatting and writing config.sys files took only three afternoons. Not only that, but the security seals that are supposed to keep people from tampering with the machine can apparently be left completely intact after a fun afternoon of hacking. Doesn’t that make you feel confident about your next election? (Next thing you know the deceased will be voting–oh wait, that’s happened before. Never mind.)

This isn’t the first time voting machine security has been called into question, and it probably won’t be the last. Some states, such as Virginia, have already banned DREs; hopefully other states will begin to follow suit. If not, I’m putting Pac-Man on my ballot in 2012!

via NetworkWorld, Switched and Engadget