prxp writes: Recent riots in Brazil have taken the Brazilian Government completely by surprise, since most of its intelligence personnel have been assigned to work on the security of FIFA's Confederations Cup, according to "O Estado de São Paulo" (Google translation), one of Brazil's major newspapers. This is particularly ironic, since protesting against the way FIFA has managed the Confederations Cup in Brazil accompanied with overspending by the Brazilian Government is at the heart of these riots. Because of that, ABIN (the Brazilian equivalent to the CIA) "has assembled a last minute operation to monitor the Internet" where intelligence officials have been tasked to monitor protesters' every move "through Facebook, Twitter, Instagram, and WhatsApp" in order to "anticipate itineraries and size of riots" among other intel. The legality of such action is unknown, since Brazilian laws prohibit this kind of wiretapping.
prxp writes: "Brazil is a wonderful country that has many problems. When it comes to information security, many will recognize that Brazil has good and bad examples. We have no cybercrime law in Brazil and it is close to a consensus that we need one. It has been more than 10 years that our Congress is trying to pass laws in this regard with no success. This unsuccessful path is due mostly to a lack of proximity between politicians and the Brazilian information security community and internet freedom activists. Usually lawyers and law enforcement agents are the ones to provide the theoretical support for building these law proposals that end up facing strong opposition from society for not seeing their true interests being held (e.g. Azeredo cybercrime law proposal, known as “AI5 Digital”). This political standoff between cybercrime law proposals and society rebellion has been broken last May/2012 when a well cherished Brazilian actress had her email account breached, leaking many intimate pictures depicting her nude body. That was the case of actress Carolina Dieckmann and because of her popularity Brazilian Congress has been pushed into action (and society into passive acceptance) to pass any cybercrime law, no matter how incorrect it was. Because of that Congress has been pushing forward without the due transparency and discussion a new cybercrime law proposal altering Brazilian Federal Penal Code in order to include the definition for the crime of breaching computer security. This proposal has already been approved by Brazilian House of Representatives under the code PL2793/2011 (http://www.camara.gov.br/proposicoesWeb/fichadetramitacao?idProposicao=529011), sent to and already approved by Brazilian Senate under the code PLC35/2012 (http://www.senado.gov.br/atividade/materia/detalhes.asp?p_cod_mate=105612), and sent back to the House for final approval.
This letter is a cry for help to the international community to help us Brazilians change this law proposal, for it has been advancing inexplicably fast, already reaching its last legislative stage in less than six months (being voted definitely next November 6th 2012) and when passed into law it will criminalize the building and dissemination of any tool, computer software or hardware, that might be used as means of breaching computer security, no matter who uses it or if it will be used at all. You read it right: simply writing PoC’s, sniffers, scanners, payloads, etc; giving talks about them, selling them or simply giving them away will be a crime in Brazil after this law is in effect. Please, read on, it is important that you do."
Julie188 writes: "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."
prxp writes: "Today, as every ordinary Monday, I went to my e-mail box and checked messages from the security community in Full-Disclosure. As usual I came across an advisory pointing out some web security vulnerabilities that differently from usual certainly had my attention. I could say the post called my attention for its organization (not so common among web vuln disclosers), or because it included not only one but a myriad of different vulnerabilities, or maybe because these vulnerabilities included some unusual (and potentially dangerous) stuff like server side source code disclosure, or even because these vulnerabilities were not patched by the vendor even after 15 full days it was informed about them. But no, those were not the reasons I had my eyes rolling. The thing that really got me is that all of this is not about any vendor, it is about McAfee, a vendor well known by its anti-virus software but also by its web security service McAfee Secure. This service provides customers with the label “Verified by McAfee Secure” so they can put in their website as a mark of safety. According to McAfee: “The McAfee SECURE trustmark only appears when the website has passed our intensive, daily security scan. We test for possible personal information access, links to dangerous sites, phishing, and other online dangers.” In other words, the presence of this label means that the website is not vulnerable to the exact same vulnerabilities McAfee currently has."