Archive for July, 2007
Author: Dave Lewis
July 31, 2007 at 11:28 pm · Filed under Administravia, Ranting
I have been an Oakley customer for years now, but I’m starting to have MAJOR second thoughts. I purchased a pair of Oakley eyeglasses (Blender 2.0) in January and I have had to take them back to the optometrist twice to have the frames fixed when they cracked. Just this evening it happened again.
The flaw that has become my albatross is in the frail plastic joint on the arm. The roaring piece of crap is painful to have to contend with.
Author: Dave Lewis
July 31, 2007 at 6:49 pm · Filed under Conventions
Well, I managed to fight my way through the armies of security types to get my delegate bag. This year the bag has a rather nice portfolio that we can use for notes. Right alongside it is the same little note pad that Trigeo hands out every year and at every conference I show up for. Gone is the massive print out of the conference proceedings from years gone past. That damn thing could have stopped a bullet. I should note that it was not in the bag last year either. On behalf of forests everywhere, thanks Black Hat.
The proceedings are included on CD which is FAR easier to carry on the plane. (and yes, I know that they do that every year)
Author: Dave Lewis
July 31, 2007 at 4:41 pm · Filed under SCADA Security
One of the more frustrating aspects of SCADA security is the lack of any real open dialog. There are folks such as Digital Bond and Patriot that have been trying. But, with an industry that is very used to being detached from the rest of the IT world it is refreshing to see an attempt by some folks to build an open SCADA forum. The Open SCADA Security Project stands to become a strong force to help bring the SCADA sector kicking and screaming into the current time frame.
From the SCADA Security site:
The Open SCADA Security Project is an initiative to create an open SCADA security community. It is dedicated to providing an open forum, enabling organizations to increase SCADA security. The security recommendations are intended to be applicable to real world environments.
SCADA technology underpins automated chemical, broadcasting, rail, power, gas, water and oil plant systems. The security of these devices is essential for both safety and business continuity. Problems are often cross-industry and globally shared. This reality makes it imperative for practical and open resources to be available to those who are responsible for securing these infrastructures.
Be sure to give the site a look if you are at all involved in SCADA systems and their security.
Article Link
Tags: SCADA, SCADA Security
Author: Dave Lewis
July 31, 2007 at 4:22 pm · Filed under Vulnerability
For those of you who might not yet be aware, the latest versions of Firefox, Thunderbird and SeaMonkey are out to address a security problem with unescaped URIs that are passed to external programs.
Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script (see MFSA 2007-23). The vast majority of programs do not have dangerous arguments, though many could still be made to do something unexpected.
A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters. When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system.
Read on.
Article Link
Tags: Mozilla, Firefox, Unescaped URI
Author: Dave Lewis
July 31, 2007 at 12:17 pm · Filed under News
Good morning all. The briefings portion of Black Hat begins tomorrow and it appears that it will not disappoint this year.
And now, the news…
- Core Security to Reveal New DB Attack Vector
- New version of Firefox with security fix for URI vulnerability
- U.K. govt warned over data transfer security
- Chinese dissident e-mails: what did Yahoo know, and when did it know it?
- Symantec’s ‘Dark Vision’ mines carder sites
- Sex-offender probe expands to Facebook
- Security - no longer just about hackers
- Facebook security glitch exposes user in-boxes
Tags: News, Daily Links, Security Blog, Information Security, Black Hat, DefCon, Facebook, Data Security, Carders
Author: Dave Lewis
July 31, 2007 at 12:02 pm · Filed under Privacy
Always keeping a skeptical eye on social networks, we find this article from CNET on Facebook.
From CNET:
As Facebook evolves from a university social network into an enterprise tool, VeriSign iDefense security experts are warning that the platform is turning into a prime attack vector for cybercriminals.
Ryan Olson, a United States-based analyst for VeriSign’s iDefense operations against the proliferation of malicious code, said that while thousands of applications being developed by third parties for Facebook users are enriching the social network’s functionality, the Facebook Platform provides a perfect channel for distributing malicious software.
“The potential is there, and the framework is there,” Olson said.
“Rather than putting it in our terms of service that you promise not to breach our security and putting the onus on us, we are just going to open it up slowly over time,” Facebook founder Mark Zuckerberg said in June.
“You use such developer applications at your own risk,” Facebook states on its privacy statement.
While Facebook third-party developers do not necessarily have access to Facebook members’ personal details, whether users agree to install an application is ultimately a caveat emptor scenario.
Article Link
Tags: Facebook, Privacy, ID Theft
Author: Dave Lewis
July 30, 2007 at 8:53 pm · Filed under Politics
The Senator from Alaska, Ted Stevens, who is famous for wanting to build a bridge to nowhere and for referring to the internet as a “series of tubes”, has had a run-in with the law. The FBI and IRS swooped in on the Senator’s home as they look into how he managed to pay for a renovation.
“All I can say is that agents from the FBI and IRS are currently conducting a search at that residence,” said Dave Heller, the assistant special agent in charge of the FBI’s Anchorage office. The search began earlier this afternoon, he said. It’s the only such search warrant currently being served, he said.
Throughout the afternoon, a number of federal agents could be seen outside the house, along with a half-dozen government SUVs and other vehicles. Other agents were inside, with curtains drawn.
It couldn’t immediately be determined what, if anything, was being taken from the house. Some of the agents could be seen photographing the house’s exterior and surrounding property, including electrical outlets.
Agents at the house wouldn’t answer questions. Neighbors said the agents arrived around 11 a.m., and that a commercial locksmith company was called to open the door.
The crux of the situation is that allegedly an oil company, Veco, provided Stevens’ home with renovations.
Article Link
Tags: Ted Stevens, FBI, IRS, Corruption
Author: Dave Lewis
July 30, 2007 at 4:28 pm · Filed under Privacy
I was in the GAP earlier today to pick up a pair of shorts (it’s hot as hell in Vegas) and I was struck by something rather odd. Now, let me preface this by saying that the GAP has had some significant financial problems of late and it is a valid question to wonder how long they will continue to stay in business.
That being said, when I emerged from the change room I was greeted by an overly cheerful young woman who asked if I would like to save 20% on my purchase. Never being one to turn down a bargain, I said sure. She asked if I had a VISA or Mastercard and my Social Security Number.
Um, pardon?
I explained to her that I did not, as I’m a Canadian. She frowned and said that she was sorry, but they needed the SSN in order to give the discount. I was rather alarmed that the GAP wants to record SSNs from their customers. When I got up to the cash I listened intently as this question was posed to a few more shoppers. They handed over their information with blazing speed, never once asking why the company needed/wanted the information. So, now the GAP had their credit card info (to be expected), their ZIP code AND their social security number.
From the SSA website:
You should be very careful about sharing your number and card to protect against misuse of your number. Giving your number is voluntary even when you are asked for the number directly. If requested, you should ask:
* Why your number is needed;
* How your number will be used;
* What happens if you refuse; and
* What law requires you to give your number.
Being the conspiracy fan that I am, I immediately wondered if this was a program to use identity theft to bail out the ailing company. Of course that would be absurd.
Still…
Tags: Las Vegas, The GAP, SSN, Privacy
Author: Dave Lewis
July 30, 2007 at 11:34 am · Filed under News
Managed to get the news out today. A little late, but it will be a crazy week here in Vegas so I will try to stay on top of things as much as possible.
And now, the news…
- Black Hat ’supersizes’ in Las Vegas
- Core Security Automates End-User Security Testing
- Taking a Trip to Policy Hell
- Bill to push personal security
- Debate Breaks Out Over Breakable Forensics Software Charges
- Crypto is no magic bullet for data protection
- Lead developer of KisMAC calls it quits
- This Old Vulnerability: An AIX FTP client retrospective
- Cisco pushing virtualization, automation
- Black Hat Las Vegas 2007: Special news coverage
Tags: News, Daily Links, Security Blog, Information Security, Black Hat, DefCon, Cisco, KisMAC, Forensics
Author: Dave Lewis
July 30, 2007 at 11:32 am · Filed under Conventions
Just in from Heise:
German security expert and reverse engineer Thomas Dullien of Sabre Labs, better known by his pseudonym of Halvar Flake, has revealed that he has been refused entry to the USA for the forthcoming Black Hat conference. Following a four and a half-hour interview with immigration authorities, he was sent home. Flake had been engaged by the conference organisers to give a session on “Analyzing Software for Security Vulnerabilities” as part of a series of pre-conference training sessions. According to Flake’s blog entry on the incident, numerous representatives of US government agencies were due to take part in the session.
He was apparently refused entry because he did not have an H1B visa, required for such activities. Dullien states that he has travelled to Black Hat training sessions without a visa for years under the terms of the visa waiver program. He appears to have simply been fortunate that no-one noticed that, from the point of view of the immigration authorities, he was an employee of the Black Hat conference for this period.
Bad luck that.
Article Link
Tags: Halvar Flake, Black Hat, US Customs, Black Hat Courses