Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Thad]

Well, again, it came up again in the Olympic thread.

[Brentai]

So avast! is popping up critical alerts for opening Yahoo! right now.

However this is resolved, one entity with an awkwardly punctuated name is going to get burned.

[MadMAxJr]

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

Malware authors are getting really scary.  Thankfully if you use VLC for everything, this one can't really harm you, as far as I can tell.

What's next, some kind of Malware that makes your every keypress a credit card purchase?

[Royal☭]

Infected files launch IE and load a page

Ahh...

[Saturn]

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

Malware authors are getting really scary.  Thankfully if you use VLC for everything, this one can't really harm you, as far as I can tell.

What's next, some kind of Malware that makes your every keypress a credit card purchase?

 i have a fucking funny feeling that the author of that thing got paid by mediadefender or another of those anti-piracy guys to fuck with P2P

[sei]

It worries me that the top google result for "avast" looks like a phishing domain.

http://vvww-avast.com/?t=AVAST1U

[Thad]

Seeing some headlines today about Kaminsky speaking at the Black Hat Conference.  He's talking about a major DNS flaw that allows domain spoofing -- for the laymen in the audience, that could mean you type in google.com and get a scam site.  LA Times has a non-technical rundown; The Reg has a technical one; Wired talks about how it's been good for OpenDNS, which doesn't have the problem.

From LA Times (emphasis mine):

The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, which an impostor could do, without dissuading consumers from continuing.

"Everywhere you look, SSL shoots itself in the face," Kaminsky said.

...What he said.

It's been described as the greatest security hole in Internet architecture since 1997.  And Kaminsky's response was deft; he discovered it back in March and alerted all the major players in the business and helped them close the hole before he announced it publicly a month ago.

Reg sums it up:

[W]e'd hate to think what might have happened if a less scrupulous person had stumbled on the bug first[.]

[Thad]

NYT: the patch is still vulnerable; it's harder to crack, but still possible.  (Since it's NYT, the language is a little Dick and Jane, but I assume they've merely increased the number of possible transaction ID's.)

The bottom line is that some of the most basic protocols the Internet runs on are ancient, dating back to a time when people didn't even consider things like identity theft.  (Imagine where we'd be right now if E-Mail had been designed from the ground up to verify sender addresses.)

We haven't heard the last of this.  Kaminsky has saved the Internet for now, but it's a Band-Aid.

[sei]

http://www.youtube.com/watch?v=eq7qxECor_8

Lessig on the existence of a (presently dormant) Internet-targeting analog to the Patriot Act.

[sei]

The avast! UI is a rare atrocity.

It looks like a media player designed by a 14 year old, replete with obnoxious sound effects when one mouses over different button and an equally irritating siren that sounds upon detection of a suspected threat.

Those buttons I mentioned lack tooltips.  While it's not hard to memorize what they represent, it's obnoxious, especially for a new user.

It has multiple components, like some other AV packages, but avast! has decided itself worthy of placing two separate icons resident in the systray.

While scanning, it detected a security tool that's not a virus, and gave me a pop-up announcement (note: not a post-scan group of items that users can manage at their convenience).  I hit continue (vs stop) and it went from 80+% done back to 4%.

 

I also tried Avira AntiVir and found it very well-behaved.

[Thad]

Brian X. Chen at Wired questions the quality control process for the iPhone App Store.

[Thad]

BetaNews: Windows security flaw so critical they've released a patch outside the normal patch cycle.  Affects all versions of Windows, but Vista and Server 2008 are more secure than XP.

NYT says that security firms have already used the patch to reverse-engineer an exploit, and if the good guys can do it, the bad guys can too.

Notably:

And one of the architects of Microsoft's security testing program had a frank assessment of the situation Thursday, saying that the company's "fuzzing" testing tools should have discovered the issue earlier. "Our fuzz tests did not catch this and they should have," wrote Security Program Manager Michael Howard in a blog posting. "So we are going back to our fuzzing algorithms and libraries to update them accordingly. For what it's worth, we constantly update our fuzz testing heuristics and rules, so this bug is not unique."

Oh good, Microsoft's fuzzing tools can't detect obvious stack overflow vulnerabilities and there are likely to be more out there.

[AČ]

What I read:

NYT says that security firms have already used the patch to reverse-engineer an exploit, and if the Scatman can do it, so can you.

[Brentai]

Oh hey, another networking service that has no business being enabled by default.

[Thad]

MS has a new security report out.  Coverage: CNet, Network World, WaPo.

[Thad]

Wired has a followup on the Kaminsky story.  It's a little overblown ("A-Team" is in the headline, and it goes to some lengths to lionize Kaminsky), but it's a good read.

[Thad]

Out-of-cycle critical IE patch tomorrow.

[Thad]

Security researchers break MD5-based SSL.

Oh, if only we had already known for the past four years that MD5 was vulnerable!

[Thad]

Surprise!  It turns out that popping up a nag screen every time the user tries to modify the system doesn't help a whole hell of a lot if you're still running everything as Administrator and not prompting for a password.  Especially if it just so happens that you also make a scripting language that can send inputs that the OS can't tell apart from an actual user's keystrokes.

Microsoft's response is, of course, "It's not a bug, it's a feature."

You can't make this shit up.

[Mothra]

I have a tendency to get a bit paranoid so uh, this could just me baselessly overthinking things, but say your roommate is in charge of the wireless network and router and all that jazz, and is hells of computer savvy. With such limitless power, is it conceivable this individual could spy on one's searches, computer content, stuff like that? N-not to imply I search for anything but updated weather reports, breaking dinosaur-related developments and The Wall Street Journal Online, of course. Just wondering.

...

I... I may have perhaps once at one point by accident searched the internet for pornography. I was not proud of it, nor did I enjoy the images that forced themselves onto my computer screen, I was hopped up on drugs and thought to hell with the consequences.

Anyways I've got spybot and clamwin and four massive panning cameras mounted in all corners of my room so I wouldn't think such a thing would be on my end. Would you please computassure me