Monday, September 29, 2014

Confirmed: Windows 9 to be a free upgrade for Windows 8 users

Maybe now I can take Microsoft off my companies-I-love-to-hate list.

I made the mistake upgrading to Windows 8. Besides the really shitty interface, the install process blew away my email files (I use Eudora), all the Office apps (which I had to repurchase because the authentication codes were in the email files that got blown away), several non-Microsoft apps, my iPod library (which I later recovered), and who knows what else.

Also, security sucks. Despite update Norton files, I get more pop-ups and ads opening new windows than I've ever experienced.

Off course, after the experience of installing Windows 8, I'm leery of installing another Windows OS. I know now what files and apps to backup, but it's the unknowns that scare me.

Friday, September 26, 2014

Anatomy of an Apple Launch

I hate Apple, and Amazon, and Google, and now Microsoft, and Walmart, ..., so I love reading this stuff. And here, "The Informer" gets it absolutely right.

Thursday, September 25, 2014

Major Vulnerability Affecting Linux, UNIX and Mac OS X

According to Ian Pratt, co-founder at Bromium:
"The "shellshock" bash vulnerability is a big deal. It's going to impact large numbers of internet-facing linux/unix/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

"Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn't necessarily even know that the security of their applications depend on it.  Any applications known to be using CGI scripts that call system or popen are at particularly risk -- many php, perl and python scripts will fall into this category. Some python modules call os.system without the application doing so explicitly.  Simply disabling bash is typically not an option, though it may help to change applications' default shell to some other bourne shell compatible shell such as 'sh' or 'dash' (though beware -- 'sh' is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.

"Even client systems that don't explicitly run network facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems.

"All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritizing those exposed to untrusted networks.

"Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users.  It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface -- this likely won't be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or used minimalist shells where required."

PBS Nova: Rise of the Hackers

Great show last night. Quantum computing will kill security as we know it; but quantum cryptography will trump it and win.

Tuesday, September 9, 2014

Have You Been VNCeen?

This just in from Lara Lackie at Eskenzi PR:

""Hacker summer camp" has come and gone. The annual pilgrimage to Las Vegas (for events like DEF CON, Black Hat and BSides) makes it pretty clear that what happens in Vegas certainly doesn’t stay there, and this year was no exception. Sometimes these stories become water-cooler chatter. Sometimes they’re recounted in buzzing IRC channels, and sometimes they light up Twitter and even major media outlets.

"One of the stories that had the Internet buzzing was that of "thousands of people oblivious to the fact that anyone on the Internet can access their computers." Oftentimes titles like this wind up being hyperbole, however that isn’t the case here.

"On the Saturday of DEF CON, there was a panel on “Mass Scanning the Internet: Tips, Tricks, Results.” I, unfortunately, didn’t make it in to the presentation, however a short time later the tweets were all over my timeline.

"These tweets showed images of peoples’ home automation systems, people watching movies and (what appears to be) an industrial control system for an ice rink. These are just a few examples, but more and more tweets kept popping up with images like these. Among them were all sorts of things that were likely not meant for the eyes of random Internet onlookers.

"These screenshots were not the result of some crazy 0day-laden hacking spree or the computers of RAT victims. Rather, the screenshots were the result of simply scanning the Internet for VNC (remote viewing/access) servers that didn’t require any kind of authentication.

"In what was hardly a hacker summer camp first, the panelists received complaints that what they were doing was illegal. They responded saying that’s not the case. Lancope StealthWatch labs feel that this is missing the point. The point is that all of these machines are out there for anyone who wants to look. And people DO look.

"Lancope’s StealthWatch Labs has monitored attempted remote admin connections to show that the sort of activity talked about at DEF CON is actually happening all the time.

"They have a full blog post discussing their findings and give advice on what to do in order to reduce the number and quality of opportunities presented to those who might be scanning your network.

"To read the blog in full, please click here."

Jeff Stapleton to Speak at Biometrics Unplugged and at SecureWorld

Jeff Stapleton, author of Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, is speaking at these conferences:

Biometrics Unplugged on September 15 in Tampa, FL

SecureWorld on Oct 29-30 in Dallas

Monday, September 8, 2014

Manufacturers Losing Intellectual Property to Security Breaches

While this isn't new, spies have been stealing IP since there's been IP to steal, the techniques have changed. And while the PRC seems to be villain #1, our so-called allies, such as Israel and France, are just as active.

So, what's a person to do? You can start with Trade Secret Theft, Industrial Espionage, and the China Threat.

This book provides an overview of economic espionage as practiced by a range of nations from around the world—focusing on the mass scale in which information is being taken for China's growth and development. It supplies an understanding of how the economy of a nation can prosper or suffer, depending on whether that nation is protecting its intellectual property, or whether it is stealing such property for its own use. The text concludes by outlining specific measures that corporations and their employees can practice to protect information and assets, both at home and abroad.