Posts Tagged ‘security’

Stuxnet lessons – and resources

2010.11.27

Just a quick grouping of resources relating to Stuxnet and its analysis, after the targeted infections of the frequency converters made by Vacon of Vaasa, Finland (though Vacon publicly denies this) and by the Iranian company Fararo Paya.

The bottom-line takeaway: never use default passwords (the particular attack vector against the PLCs and SCADA systems), and keep systems patched (four Windows-based zero-day attacks). And don’t allow USB devices on a production network (the entry point of the 0.5 MB virus, written in C and C++)… (more…)

Kindle Firmware upgrades

2010.07.25

Remember to upgrade your Kindle from Amazon – there’s a new firmware upgrade available, taking the system to version 2.5.2 (24.3 MB; you may want to transfer it via USB…) (more…)

Security Summit 2010 Wrap-Up

2010.05.14

So the Security Summit 2010 has come to an end. Featuring speakers such as Moxie Marlinspike, Joe Grand and Jeremiah Grossman (again), it’s a pity to say that not much new was presented. With repeated concerns about input and output validation (which the OWASP Top 10 for 2010 highlights and which were used as a recurring example), and a call for a holistic approach to a company’s security posture, the idea of making the thought (and practice) of security part of the organisation’s culture came through over and over again. (more…)

Security Summit 2010

2010.05.09

So, it’s that time of the year again – Security Summit 2010 in Sandton, Johannesburg. Items on the agenda include:

  • The business of security – Threat horizon 2010 and beyond, legislation (PPI), risk, compliance, standards (PCI), security metrics, social networking, web application security, web services, web 2.0 and more.
  • Technical/operational security – Top 10 hacks, botnets, trojans, smartphone security, cloud computing, virtualisation, SaaS, practical return-oriented programming techniques, web application server attacks, defeating SSL, exploiting Microsoft DEP and more. (more…)

Excel 2007 password, cell and sheet protection removal – unprotect/remove password easily

2010.03.01

Elcomsoft has a variety of really good brute-force and dictionary-based password attacks on the full Office suite, including a distributed version that runs in the cloud (which I wrote about some time ago). As cool as the software is, it doesn’t allow the removal of cell-based or sheet-based passwords (which kinda sucks), and the password.xla file that seems to be the big thing from staxx.com requires a whole whack of extras to run natively on Office 2007.

Enter the same macro that McGimpsey & Associates published in 2004 (reproduced here as per their GPL licence), which removes all internal Excel passwords: (more…)

An update on Operation Aurora

2010.01.19

The attack (Operation Aurora) on around 20 companies in the US, including Google, Adobe, Juniper Networks and others, used a zero-day exploit in Internet Explorer and is partly linked to social engineering: the carefully crafted emails were plausibly worded and structured, so users bought into them. Once the payload had been released and the machine was owned, the affected machine would contact a Command and Control (C&C) server, which would send back specific instructions based on the Workgroup name and machine environment (OS etc.), accepting and transmitting data via home-made encryption piggy-backed onto port 443, the port typically reserved for HTTPS (SSL) traffic. (more…)

Y2K vs 2010 vs 2016 — year rollover still an issue

2010.01.06

Ain’t that a kick in the head! The rollover from 2009 to 2010 has not been processed correctly on many systems, including Symantec’s Endpoint Protection Manager, as they have confirmed in a statement:

An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) server whereby all types of SEP definition content [AV/AS, IPS] with a date greater than December 31, 2009 11:59pm are considered to be “out of date”.

Remember that we spoke about Symantec in the glorious (dodgy) Virus Scanner Comparison.

Australian POS systems have jumped from 2009 to 2016 (pity about the malformed dec2hex function they must have been using, or forgot to use?), and up to 30 million users in Germany can’t use their bank cards at ATMs or POS machines due to invalid date calculations.

In addition, there also seem to be occasional SMS (text) messages running through networks that have issues with future-dated timestamps, causing a wide variety of reporting and integrity issues…

Hm, I wonder what implications the 2011-2012 rollover will bring with it (cue Mayan death-drone…)

Google Analytics inadmissible under German law?

2009.11.25

Die Zeit reports that data-protection officials want to discourage the use of Google Analytics, including by means of fines of up to €50 000. “In the terms that must be accepted on use, Google Inc. expressly reserves the right to link the data obtained about the individual user by means of a unique identifier with other data already stored” – for instance from Google Mail – “and to pass this information on to third parties.” The main point of this decision is that the user does not have to give explicit consent before private data (such as geographic location and computer settings) are simply transferred to third parties. The debate is ongoing; let’s see what comes of it!

In short: as you do not explicitly opt in to the use of Google Analytics, German regulators are trying to dissuade or stop the use of GA on sites in Germany, with the added incentive of fines of up to €50 000, so as to protect individuals’ personal privacy rights.

Cloud Computing 2009, The Forum, Bryanston

2009.11.24

With the usual eats (ok, the brownies are good – chewy, but not gooey) welcoming those who chose to attend, the Cloud Computing Conference 2009 promises three potentially interesting presentations: a case study by iBurst, one by the University of the Witwatersrand, and a presentation about the security risks that cloud computing inherently presents. (more…)

Virus Scanner Comparison

2009.11.08

They ran a comparison of virus removal software in Oct ’09. Full results are here. The question is, why not compare the latest versions throughout? Their methodology (a “work in progress”) suggests that the vendors provide their software, which is then updated “as per the manual”… (more…)

A note on WordPress security…

2009.09.28

There’s a note on why to keep patching – How To Keep WordPress Secure, over at the WordPress dev blog – definitely worth a read.

Good sense.