From HolisticInfoSec.org: Online finance flaw: At least AIG got this one right – a good example (finally!) on how to handle vulnerability reports.
Via the Security4All blog: The Untold Story of the World’s Biggest Diamond Heist – very cool and a good reminder that you must consider the resources an attacker is willing to invest when you are planning your defense. Bonus points to Wired for having a “full page” option, rather than making you click trough an endless flow of ads.
Slides about Metadata and GPS Tracking have been posted to PaulDotCom. They make an interesting read.
Via the F-Secure weblog: Evil searching whitepaper – this means that the webhoneypot will be able to collect relevant data. Two other papers about similar topics: Dissecting Web Attacks [PDF from Blackhat DC 2009] and Inside the Malicious World of Blog [PDF].
On The Old New Thing one can read about the problems with updating drivers using Windows Update. What can I say? One more reason to go open-source: because it gives you the right to redistribute.
From hackety.org: vvvv – “vvvv is a toolkit for real time video synthesis”. And, it is written in Delphi 🙂
Differences between IE8 Compatibility View and IE7 – interesting (also the debates in the comment). On a related note: Microsoft claims that IE8 is often faster in loading pages than other browsers – while I don’t dispute their claims, the fact is that the delay between pressing Ctrl+T and the new tab being created is still so big compared to any other browser that it is annoying (you can’t just Ctrl+T and start typing).
From the ESET Threat Blog: When is a Hoax not a Hoax? Plus points for mentioning snopes.com, the ultimate source to debunk stupid chain letters.
From spl0it.org: InfoSec World 2009 – Total Browser Pwnag3 Slides – scary (embedded below of the readers convenience)
Continuing with scary stuff, here is part 1 and part 2 of “A Case Study in Restore Nightmares” from the Evil Fish blog. This is the level for small and big companies. In the same spirit from terminal23 we have The Company that Did Everything Wrong (part 2).
From the-interweb.com comes a link to Reverse Engineering Reddit. Added to my RSS reader 🙂 Current favorite post: Public service announcement: the anti-virus industry does not write malware. If you think that they do, you are wrong. Please stop perpetuating this stupid myth – thank you.
A fun (an totally addictive :-)) little Flash game: Magnet towers. There are a couple of shortcomings (no pause button, sound is only mutable during the game, sometimes pieces are under the mute button, no concept of multiple lives/level – you always have start from scratch).
From skunkworks with the comment “Asimov would have liked it”:
In fact Asimov recognized long ago that robots which are too similar to humans make us feel uncomfortable. It is better (from a psychological standpoint) to make robots of different form-factors.
McAfee Debuts ‘Combating Threats’ Series – unfortunately it doesn’t seem to offer much more than the descriptions which are already accessible on their site (yes, there are some screenshots in them, but that’s pretty much it).
Via Glasblog: the Anubis sandbox now offers clustering based on behavior – interesting. There are quite a few methods to cluster malware, the problem is to do it in a scalable way (a competitive solution should be able to cope with at least 20 000 samples per day).
On the DVLabs blog we have Pwn2Own 2009 Day 1 – Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits – frightening.
On the Microsoft Security Research & Defense blog we have the GS cookie protection – effectiveness and limitations – it is a very nice explanation of when stack canaries can and can not help.
Parrot 1.0.0 has been released – if you don’t know, Parrot aims to be a VM implementing multiple dynamic languages, and it also is the main implementation of Perl 6 currently. Speaking of Perl 6, check out the Perl 6 series from Gabor Szabo.
From the Virtual PC Guy’s weblog comes When not to run Antivirus on the host machine. A nice complementing article is Whitelisting in Control Systems, which links to a short whitepaper from Coretrace. Of course there are problems with whitelisting too, but in static environments (like the navy or ATM machines) it is a much better option than blacklisting.
From splitbrain.org comes the link to The hero factory. A fun (an well executed) project, however they don’t specify how and under what license the image can be used. I know that I’m nitpicking here, but I’ve became sensitive to such issues lately. I’ve emailed them (the contact address was also quite hard to find) and suggested to select a version of Creative Commons, however they didn’t respond as of yet.
A similar site is Simpsonize Me. They offer a list of conditions under which the image can be used.