chicksdaddy writes: "Veracode's blog has an interesting piece that looks at whether 'brogramming' — the testosterone and booze fueled coding culture depicted in movies like The Social Network — spells death for the 'engineering' part of 'software engineering'.
From the post: "The Social Network is a great movie. But, let’s face it, the kind of “coding” you’re doing when you’re “wired in”...or drunk... isn’t likely to be very careful or – need we say – secure...Whatever else it may have done, (brogramming's) focus on flashy, testosterone-fueled “competitive” coding divorces ‘writing software’ – free form, creative, inspirational – from ‘software engineering,’ its older, more thoughtful and reliable cousin."
The article picks up on Leslie Lamport's recent piece in Wired: "Why we should build software like we build houses" (http://www.wired.com.edgesuite.net/opinion/2013/01/code-bugs-programming-why-we-need-specs) — also very worth reading!"
chicksdaddy writes: "Google cemented its reputation as the squarest company around Monday (pun intended), offering prizes totaling Pi Million Dollars — that's right: $3.14159 million greenbacks — in its third annual Pwnium hacking contest, to be held at the CanSecWest conference on March 7 in Vancouver, British Columbia.
Google will pay $110,000 for a browser or system level compromise delivered via a web page to a Chrome user in guest mode or logged in. The company will pay $150,000 for any compromise that delivers "device persistence" delivered via a web page, the company announced on the chromium blog.
"We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems," wrote Chris Evans of Google's Security Team."
chicksdaddy writes: "The U.S. Department of Defense has stopped updating its main reference list of vital defense technologies that are banned from export, according to a new report from the Government Accountability Office (GAO), The Security Ledger reports.
The Militarily Critical Technologies List (MCTL) is used to identify technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology. GAO warned six years ago that the Departments of State and Commerce, which are supposed to use the list, found it too broad and outdated to be of much use. The latest report (GAO 13-157) finds that the situation has worsened: budget cuts forced the DOD to largely stop updating and grooming the list in 2011. Sections on emerging technologies are outdated, while other sections haven't been updated since 1999. Without the list to rely on, the DOD has turned to a hodgepodge of other lists, while officials in the Departments of State and Commerce who are responsible for making decisions about whether to allow a particular technology to be exported have turned to ad-hoc networks of subject experts. Other agencies are looking into developing their own MCTL equivalents, potentially wasting government resources duplicating work that has already been done, GAO found."
chicksdaddy writes: "Obesity is an epidemic in the United States. And it looks as if it may soon be a problem in malware circles, as well.
After years watching malware authors pack their poison into smaller and smaller packages, one forum frequented by those seeking help with virus infections says that they’re seeing just the opposite: simple malware wrapped within obscenely large executables – in one case, over 200 megabytes, according to a post on the French-language support forum Malekal.com.
According to Malekal, very large executables have been found in a string of recent infections reported to the site in recent days. The extra girth isn’t about added functionality, either. The 205 megabyte executable that was dropped would have zipped down to just 200K. So why go large? The current theory is that larger executables might be an effort to frustrate the real-time detection capabilities of modern AV clients, which grab new, suspicious files and send them (or a hash of the file) up to cloud-based servers that will generate a new signature for the malware. Alternatively, IT staff may submit suspicious files by e-mail to their antivirus provider’s lab. In both cases, very large executables might frustrate efforts to develop a signature and detect the new threat."
chicksdaddy writes: "On the surface, the kinds of industrial control systems that run a power plant or factory floor are very different from, say, a drug infusion pump sitting bedside in a hospital intensive care unit. But two security researchers say that many of these systems have two important things in common: they’re manufactured by the same company, and contain many of the same critical software security problems.
In a presentation at a gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips and Siemens, showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) products from the same firms. The research suggests that lax coding practices may be institutionalized within the firms, amplifying their effects.
Rios (@xssniper), a security researcher at Google, and McCorkle (@0psys), the CTO of SpearPoint Security, told attendees at S4 in Miami that they conducted their research out of curiosity and in an effort to branch out from investigating industrial control systems. Using eBay, they purchased second-hand medical devices, often from hospitals. They soon realized that many of the names they came across were familiar: firms like General Electric, Siemens, Honeywell and Philips, among them.
“The same PLC (programmable logic controller) vulnerability that you see on ICS software, you also see on medical device software,” Rios told Security Ledger in a phone interview. "I don't want to say (the security issues) are more ridiculous in the medical field, but we came across some ridiculous things.""
chicksdaddy writes: "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims.
The new toolkit, dubbed “Bouncer,” was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a “404 page not found” error message.
Other phishing kits have used IP address blacklists to block anti-malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said.
The phishing attacks that RSA technicians discovered using the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
chicksdaddy writes: "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices.
The course, EECS 598-008 “Medical Device Security,” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices connect to IP-based hospital networks and add wireless monitoring and management functionality, according to a report by The Security Ledger.
The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter of all medical device recalls."
chicksdaddy writes: "A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion, The Security Ledger reports.
Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing an Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address.
After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account.
Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."
It’s unclear why Google has gone all anti-Microsoft of late, but it may have to do with Microsoft turning the screws on Android vendors and forcing patent royalties to be paid for each device sold. Either way, the consumer is once again harmed as these two giants try to become the mobile alpha-dog.
chicksdaddy writes: "It’s already common knowledge that hackers and other “bad guys” comb through worker profiles on LinkedIn, Facebook and other sites to help craft targeted attacks. But could your social networking profile provide more useful information – like your password? Independent security researcher Itzik Kotler thinks so.
Kotler is the creator of Pythonect, a new, experimental dataflow programming language based on Python. Using it, he said he’s been able to derive passwords from the public content of individuals’ LinkedIn profiles.
Kotler’s method was straightforward: he used Google’s Custom Search Engine to find all the employees for a given company. For the profiles that are returned, Kotler then scraped their personal information for analysis, a job made easier by LinkedIn’s adoption of the Google hCard microformat, which is used to display the contact details of people, companies, organizations, and places in easy-to-read form on search results pages. The resulting data was then crunched using Pythonect.
The strategy isn’t the most efficient means of breaking into an account, Kotler admits, but it does suggest that the treasure troves of personal data we make available online could be useful as more than just fodder for social engineering attacks. Kotler did a Q&A about Pythonect with The Security Ledger."
abhatt writes: Google discovered a fraudulent SSL certificate for its google.com domain in late December! Further, in a recent update, it has announced the issue to other browser makers and has taken steps to update its Chrome browser to detect the fraudulent certificate.
Investigations have further revealed that there were two, and not one, fraudulent certificates issued for the domain Google.com!
chicksdaddy writes: "The recently reported attack on the prestigious Council of Foreign Relations may be part of a larger campaign of targeted attacks that also includes a California-based maker of low emission micro turbines, a security researcher reports.
Capstone Turbine, which makes environmentally friendly gas-powered turbines, is believed to have served attacks identical to those served by the CFR, including the use of a previously unknown (zero day) Internet Explorer hole, according to Eric Romang, a Luxembourg-based security expert.
According to The Security Ledger, Romang's investigation of the drive-by download attack served by the CFR website uncovered malicious files on the Capstone site similar to those used on the CFR site. He said the compromise at Capstone predates the attack against the Council of Foreign Relations' web site by more than two months, suggesting that the attacks were both wider and older than initially reported. Romang’s research also suggests that the CFR hack occurred earlier than was first reported – perhaps December 21st or earlier."
chicksdaddy writes: "A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search.
The researcher, Jason A. Donenfeld, who uses the handle “zx2c4,” posted a notice about the add-on, W3 Total Cache, on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote.
W3 Total Cache is described as a “performance framework” that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."
chicksdaddy writes: "What’s hot in spamming circles today? Google’s “rich snippets” microdata and microformatting technology, which is being used to make compromised spam sites look legitimate. Writing on the Unmask Parasites blog, (http://blog.unmaskparasites.com/2012/12/20/rich-snippets-in-black-hat-seo/) Denis Sinegubko said that spammers are using the ability of the Google search engine to parse so-called “structured data” in what he describes as a “massive SEO” campaign involving compromised WordPress and Joomla web sites. He says Google’s “rich snippets” ratings microdata figures prominently in the scam. After compromising the legitimate “doorway” web sites, the hackers install PHP code that is used to “cloak” the site: detecting search engine crawlers and replacing keywords and site content with SEO-optimized spam content. Part of the content that is added is special "ratings" microdata that Google treats as legitimate and converts into ratings that appear in search results lists. For unsuspecting users, the result is that compromised sites display what appear to be legitimate user reviews that make the link in question look legitimate and popular.
It is unclear whether Google is aware of the misuse of the rich snippets microdata feature. According to information posted online, rich snippets are supposed to reflect the actual content of the site, but Security Ledger writes that it appears that Google isn't bothering to scrutinize the "ratings" to see if they're legitimate."
chicksdaddy writes: "Social networks like Facebook and mobile devices like the iPhone have fundamentally changed the way children use the Internet, requiring a whole new set of online privacy protections for vulnerable minors. That was the message on Wednesday as the U.S. Federal Trade Commission (FTC) issued new guidelines for implementing the Children’s Online Privacy Protection Act (COPPA).
Among other things, the changes expand the list of information that cannot be collected from children without parental consent to include photographs, videos and audio recordings of children and geo-location information.
“Unless you get parental consent, you may not track children and use their information to build massive profiles of online behavior,” said FTC Chairman Leibowitz.
The new rules are a major revision to the COPPA rule, which was first passed in 1998. The law is a kind of privacy Bill of Rights and applies to children 13 years old and younger.
Other new rules bar advertisers from collecting geo-location information from kids, strengthen security requirements for kids’ data and close a loophole that allowed third parties to collect personal information from kids using plug-ins to kid-directed mobile applications and web sites. The update also extends COPPA to clearly cover persistent cookies that can track users across multiple web sites and third parties that contract with website operators.
Not covered under COPPA: mobile app stores, which have a broad audience and aren't targeted explicitly at the under-13 set. Stay tuned for more legislation to expand the protections afforded by COPPA to teenagers, the lawmakers said."