Posted 02/04/10 at 06:06:10 PM by Jason Barry
Microsoft has issued Security Advisory 980088 to warn users of a vulnerability in Internet Explorer (shocking) that lets a malicious web page read the contents of local files whose name and location the attacker already knows.
The vulnerability was presented, along with proof-of-concept code, at the Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies.
Microsoft's response details the conditions under which the vulnerability applies, most notably running IE with Protected Mode disabled, or running a version of IE that has no Protected Mode at all. That makes the following configurations vulnerable: Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4, and IE6, IE7 and IE8 on supported editions of Windows XP and Windows Server 2003. IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 run Protected Mode by default, which prevents the issue, but only for as long as it stays enabled.
Microsoft says it is not aware of any attacks exploiting the vulnerability and recommends that users upgrade to the latest version of IE. You can find more details in the security advisory and the accompanying knowledge base article; read them to make sure you are protected.
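Since the advisory's protection hinges on Protected Mode actually being on, here is an added check script for Windows administrators. It is not Microsoft's code and is not part of the advisory; it reads each IE security zone's registry DWORD named 2500 (0 means Protected Mode on, 3 means off), letting a value under the machine Policies hive override the user's setting. The zone table, the "not set" handling and the injected reader callable (so the logic can be exercised with constructed values off Windows) are my assumptions.

```python
"""Report Internet Explorer Protected Mode state per security zone.

Added example, not taken from Microsoft's advisory. Each zone's "2500" DWORD is read
(0 = Protected Mode on, 3 = off); a copy of that value under the machine Policies hive
overrides the user's own setting. The registry reader is injected as a callable so the
decision logic can also be run off-Windows against constructed values."""
import sys

ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
USER_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
POLICY_PATH = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
VALUE_NAME = "2500"


def winreg_reader(hive, subkey, name):
    """Real reader for Windows hosts: returns the DWORD, or None when key/value is absent."""
    import winreg  # Windows-only module, imported lazily so the rest works anywhere
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def protected_mode_status(read, os_major=None):
    """Map each zone to 'on (policy|user)', 'off (policy|user)', 'not set' or 'unsupported'.
    os_major < 6 means Windows 2000/XP/2003, which have no Protected Mode at all."""
    status = {}
    for zone_id, zone_name in ZONES.items():
        if os_major is not None and os_major < 6:
            status[zone_name] = "unsupported"
            continue
        val, source = read("HKLM", POLICY_PATH + "\\" + str(zone_id), VALUE_NAME), "policy"
        if val is None:
            val, source = read("HKCU", USER_PATH + "\\" + str(zone_id), VALUE_NAME), "user"
        if val is None:
            status[zone_name] = "not set"  # IE's built-in default applies; confirm in Internet Options
        else:
            status[zone_name] = ("on" if val == 0 else "off") + " (" + source + ")"
    return status


def exposed_zones(status):
    """Zones where web content is not confined by Protected Mode. Conservatively includes
    'not set' and 'unsupported', which need a manual check or an OS/IE upgrade."""
    return [zone for zone, state in status.items() if not state.startswith("on")]


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host you want to check")
    report = protected_mode_status(winreg_reader, sys.getwindowsversion().major)
    for zone, state in report.items():
        print(f"{zone:16} {state}")
    print("zones to review:", ", ".join(exposed_zones(report)) or "none")
```

On Windows 2000, XP and Server 2003 every zone reports "unsupported", which is exactly the advisory's point: on those platforms there is no Protected Mode to fall back on, and upgrading is the fix.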
Posted 07/30/09 at 11:03:45 AM by Paul Lilly
Two high-profile security professionals -- security researcher Dan Kaminsky and former hacker Kevin Mitnick -- were targeted by hackers this week in what appears to be an attempt to call the duo's credibility into question on the eve of the Black Hat and DefCon security conferences.
"There are people who just live press release by press release," the hackers wrote in a note posted on Kaminsky's website. "And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last."
The hackers also stole personal data and posted it online, including private emails between Kaminsky and other security researchers, very personal chat logs, and a list of files Kaminsky downloaded that pertain to dating and other topics, Wired reports.
After discovering a flaw in the DNS protocol, Kaminsky received the Pwnie award for "Most overhyped security vulnerability" at Black Hat 2008. Mitnick was once considered "the most wanted computer criminal in United States history" by the government, but has been accused by some in the hacking community of living off a dated reputation.
Posted 07/28/09 at 03:00:50 PM by Paul Lilly
During the Black Hat conference in Las Vegas this week, Microsoft plans to provide a progress report on the security initiatives that it launched last summer, as well as release new security tools to better equip IT professionals and security researchers.
"There's a race between attackers and defenders and if we want to win, we have to share information," said Mike Reavey, director of the Microsoft Security Response Center.
One way the software maker plans to do this is by releasing the Microsoft Office Visualization Tool, a utility that provides a graphical overview of the Office binary file format. According to Microsoft, the software will make it easier for programmers to understand how attacks target Office files; the company notes that most malware attacks application vulnerabilities rather than the OS itself.
"In order to build protections, you have to understand how a specific file format is meant to be used, so then you can understand how it's being misused," Reavey added.
During the conference, Microsoft also plans to release Project Quant, an online information resource designed to give organizations a framework for evaluating the cost of patch management processes. In addition, the company plans to release the Microsoft Security Update Guide, a publication that explains the entire Microsoft update process, and to publish a report titled "Building a Safer, More Trusted Internet Through Information Sharing."
Posted 02/19/09 at 09:00:09 PM by Mark Edward Soper

So you thought the facial recognition technology built into your laptop would keep your business and personal information safe? Bwa-ha-ha! Today at the Black Hat DC 2009 security conference, Vietnam-based security researcher Nguyen Minh Duc showed that, as the title of his talk puts it, "Your Face is NOT Your Password."
Nguyen's paper (PDF) shows that it is relatively simple to bypass the facial recognition logins shipped with webcam-equipped laptops from Lenovo (Veriface III), ASUS (SmartLogon v1.0.0.0005), and Toshiba (Face Recognition 2.0.2.32). The methods include presenting a photograph in place of a live face (Facebook, anyone?), and brute-forcing the matcher by varying the lighting and angle of a digitized face until the system accepts it. Both tricks work because the matcher only compares what the webcam sees against the enrolled image, with no check that a living person is actually in front of the camera.
Are you counting on facial-recognition technology to keep your stuff safe? Is your company? Join us after the jump for your chance to sound off on this latest "unbreakable," but now broken, access-control technology.
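To make the brute-force attack concrete, here is an added toy model in Python. It is constructed for this page and is neither the vendors' code nor anything from Nguyen's paper: the 8x8 "face", the mean-absolute-difference matcher, the 0.90 acceptance threshold and the attempt lockout are all my assumptions. It enrols a face, replays a darker and misaligned photo of it (which fails), then searches lighting offsets and pixel shifts of that photo until the matcher accepts, observing only the accept/reject bit. It also shows the same search being stopped by a per-login attempt limit, a mitigation the post does not discuss.

```python
"""Toy model of a photo-replay and brute-force attack on a threshold face matcher.
Added example with constructed data; the image size, matcher, threshold and lockout
are assumptions, not the behaviour of any named product."""
import random

SIZE = 8          # toy 8x8 greyscale "face"; real systems use far richer features
THRESHOLD = 0.90  # accept when similarity >= this (assumed setting)


def make_face(seed):
    """Constructed enrolment image: pixel intensities in [0.2, 0.8]."""
    rng = random.Random(seed)
    return [[rng.uniform(0.2, 0.8) for _ in range(SIZE)] for _ in range(SIZE)]


def adjust(img, brightness=0.0, dx=0, dy=0):
    """Re-light and re-align: add a brightness offset and shift by (dx, dy) pixels,
    filling exposed edges with mid-grey. Stands in for lighting and angle changes."""
    out = [[0.5] * SIZE for _ in range(SIZE)]
    for y in range(SIZE):
        for x in range(SIZE):
            sy, sx = y - dy, x - dx
            if 0 <= sy < SIZE and 0 <= sx < SIZE:
                out[y][x] = min(1.0, max(0.0, img[sy][sx] + brightness))
    return out


def similarity(a, b):
    """1 minus the mean absolute pixel difference: a deliberately naive matcher."""
    diff = sum(abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return 1.0 - diff / (SIZE * SIZE)


class FaceLogin:
    """Threshold matcher with no liveness check: any image scoring >= THRESHOLD unlocks.
    max_attempts=None is the weak configuration; a small number models an attempt
    lockout, an assumed mitigation."""

    def __init__(self, enrolled, max_attempts=None):
        self.enrolled = enrolled
        self.max_attempts = max_attempts
        self.attempts = 0

    def verify(self, image):
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            raise PermissionError("locked out")
        self.attempts += 1
        return similarity(self.enrolled, image) >= THRESHOLD


def photograph(face, seed):
    """Constructed 'photo from a social network': same face, darker, shifted, noisy."""
    rng = random.Random(seed)
    shot = adjust(face, brightness=-0.2, dx=1, dy=0)
    return [[min(1.0, max(0.0, p + rng.gauss(0, 0.02))) for p in row] for row in shot]


def brute_force(login, photo):
    """Attacker loop: vary lighting and alignment of the digitised photo until the
    matcher says yes. Only the accept/reject bit is observed, so this is a blind search."""
    for bright in [i / 20 for i in range(-6, 7)]:   # -0.30 .. +0.30 in 0.05 steps
        for dx in range(-2, 3):
            for dy in range(-2, 3):
                try:
                    ok = login.verify(adjust(photo, bright, dx, dy))
                except PermissionError:
                    return {"accepted": False, "locked": True, "attempts": login.attempts}
                if ok:
                    return {"accepted": True, "locked": False,
                            "attempts": login.attempts, "params": (bright, dx, dy)}
    return {"accepted": False, "locked": False, "attempts": login.attempts}


def run(max_attempts=None):
    """Enrol a face, replay a photo of it, then brute-force; returns the outcome."""
    enrolled = make_face(1)
    photo = photograph(enrolled, seed=2)
    login = FaceLogin(enrolled, max_attempts)
    result = {"raw_photo_accepted": login.verify(photo)}
    result.update(brute_force(login, photo))
    return result


if __name__ == "__main__":
    print("no lockout:", run())
    print("5-attempt lockout:", run(max_attempts=5))
```

The grid has only 325 candidates, and the matcher gives the attacker unlimited tries, so the search succeeds after a couple of hundred attempts; with a five-attempt limit it never gets close. Whether a real product caps attempts, and whether it checks for a live face at all, is the question to ask before trusting it.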