Monday, March 29, 2010

Microsoft Wireless Keyboards (New Security Risk)

Microsoft Wireless Keyboards Fall! (New Security Risk)

Well it was bound to happen. Just a matter of time before someone created a proof of concept in attacking wireless devices like keyboards. Too bad companies like Microsoft believe such devices are safe and use such crappy encryption techniques. Like this article mentions XOR is a crappy encryption algorithm and Microsoft should not be using it. There are plenty of public encryption algorithms out there which are much..much stronger.

On the flip side its a good thing Security researchers are proving such attacks. Better good guys then bad guys :-) I'm sure we'll see more on this down the road. As hackers move from mainstream attack vectors to new pastures we'll no doubt have new security countermeasures to stop such hardware attacks. But step 1 is better encryption of data stream between device and receiver.

Monday, March 8, 2010

Energizer Battery Charger Contains Remote Access Backdoor

Energizer Battery Charger Contains Remote Access Backdoor | threatpost

This is not the first time a seemingly innocent consumer product contained a trojan. Just another example of a company not doing their due diligence. Instead Energizer probably contracted the lowest bidder to create some add-on piece of software for their consumer product. In this case Energizer's USB battery charger product. I understand the concept of outsourcing however when you're placing your reputation and Energizer has a big one you should ensure you're entrusting it to a reputable vendor. Ultimately Energizer executives are responsible for this embarrassing situation. They should have done their homework. Perhaps the lawsuits that come out of this situation will make them realize the error of their ways. Only time will tell. C'mon corporate America smarten up.

Top 10 Most Vulnerable Apps of 2009

Here is a link: Top 10 Most Vulnerable Apps of 2009 | threatpost

With recent Flash, iPhone/iPad tug of war between Apple and Adobe I'm certainly not surprised why Apple and Steve Jobs have taken their respective position given the findings of this report. It certainly reaffirms what Steve Jobs has recently said that Flash is a buggy resource intensive piece of software. I've been around the block and certainly knew Flash, Shockwave and Adobe Reader require countless updates but did not believe for one minute it would be the #1,2 and 3rd most vulnerable piece of software in 2009.

It certainly doesn't help Adobe in their fight for Flash remaining vital and dominant in the future. With HTML5, it seems Flash may become irrelevant sooner rather than later. We've already had converts like Virgin America drop Flash support in favour of HTML5. With results like these I think Adobe should be doing a lot more to fix their reputation and improve overall security. Is Adobe another Microsoft before their software security initiative a few years ago? Perhaps only time will tell.

The other surprising fact of this report was Quicktime and Safari making the list at number 4 and 5. I've never really liked Quicktime, I've always preferred VLC so I'm not heart broken. But ever since switching to Mac I've really enjoyed Safari. I like its interface, performance and integration into OS X. However lately I've been rethinking my Safari strategy in light of multiple confirmations by security researchers of its short comings. Such things worry me and believe it or not I'm testing Google Chrome. I've been using it for a couple of weeks, so far so good. I won't say there have been no problems but general browsing is really good. And the fact Google Chrome was the only browser not compromised at the 2009 CanSecWest Security Conference helps me accept it as a good and safe alternative to Safari.

I think a turf war between Apple and Adobe is here and inevitable as both fight for dominance over mobile Internet content. What comes of it only time will tell. But certainly both companies have to do a better job in securing their products and guarding their customers.

Wednesday, March 3, 2010

New M86 Security Labs Report Finds 60% of Malicious URLs Pass Unnoticed Through Anti-Virus Scanners and URL Filtering: M86 Security

New M86 Security Labs Report Finds 60% of Malicious URLs Pass Unnoticed Through Anti-Virus Scanners and URL Filtering: M86 Security

I'm really not surprised by these findings. The number one and biggest problem with any security software like you're typical Internet Security Suite is it's a 'Reactive' technology. This means its always behind the curve never in front of it. This means the best you can hope for in terms of detection rates is 98-99% but never with 100% certainty.

Whenever I talk with users and explain this fact they are always shocked. Why is this so surprising to people? Vulnerabilities exist because code is written by humans; therefore you will always have mistakes in code creating the smallest openings for exploitation. Security software is written by humans therefore it will never be perfect and because its a reactive technology it will never catch the latest and greatest zero day exploit.

However security software vendors can help by implementing one small change. Stop marketing their tools as the best and only tool for a safe and secure Internet experience because such marketing hype creates a false sense of security leading everyday users to believe they can do no wrong. Such false sense of security makes people complacent and not think about security. I wish government would wake up and force vendors to disclose such details. We have labeling laws for everything else why don't we have it for software or security appliances. Users should know what they're getting up front before they're taken in by all the hype and spin.

In fact I don't believe things will change anytime soon but only get worse. That is until users wake up from la-la land and become aware their actions have consequences. Ultimately the security fight will not get any better until users take responsibility for their actions and actually think about email, attachments, web sites and general computer best practices.

Until that day security software will fall farther behind and a new sucker will be born every nanosecond. We've all been taught lessons by our parents 'don't talk to strangers' type stuff. Why is it so hard for people to learn similar lessons when it comes to computers and Internet safety?