Best Parental Control

Wikibooks Cryptography Textbook

softsecurity.com In focus — Thu, 11 Mar 2010 20:26:36 +0000

Over at Wikibooks, they’re trying to write an open source cryptography textbook.

Wanted: Trust Detector

softsecurity.com In focus — Thu, 11 Mar 2010 14:17:12 +0000

It’s good to dream:

IARPA’s five-year plan aims to design experiments that can measure trust with high certainty — a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions.

A second part of the IARPA proposal might involve using new types of sensors and software to gauge human facial, language or body signals that might help predict trustworthiness. Perhaps facial recognition technology that could deduce emotions or facial tics might help, not to mention better lie detectors.

IARPA is the Intelligence Advanced Research Projects Activity, the U.S. intelligence community’s answer to DARPA.

I’ve Got a Spy On You

Francis Duncan — Thu, 11 Mar 2010 07:54:00 +0000

Filed under: Sharing Info Online, Internet Dangers, Technology, Articles of Interest

There is a debate about how or if parents should use spyware on their kids’ computer to find out what their kids are doing online. This is a debate between parents, but is not a legal debate. Apparently a high school in Philadelphia took this idea to another level.

A Pennsylvania school district is being investigated by the FBI for remotely activating the web cams on the laptops they issued to students. The school district says that they were wanting to track online behavior when the students were supposed to be doing homework. The parents of these students disagree, saying it was a clear privacy violation. It is still unknown how the FBI will find, but I would not at all be surprised to find this a question posed to either the state’s or the U.S. Supreme Court.

What do you think? Privacy violation or good intentions communicated poorly?

Permalink | Email this | Linking Blogs | Comments

Nose Biometrics

softsecurity.com In focus — Wed, 10 Mar 2010 21:47:12 +0000

Really:

Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance.

The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people.

“Noses are prominent facial features and yet their use as a biometric has been largely unexplored,” said the University of Bath’s Dr Adrian Evans.

“Ears have been looked at in detail, eyes have been looked at in terms of iris recognition but the nose has been neglected.”

The researchers used a system called PhotoFace, developed by researchers at the University of the West of England, Bristol and Imperial College, London, for the 3D scans.

The Limits of Identity Cards

softsecurity.com In focus — Wed, 10 Mar 2010 15:09:08 +0000

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, “Identity and its Verification,” in Computer Law & Security Review, Volume 26, Number 1, Jan 2010.

Those faced with the problem of how to verify a person’s identity would be well advised to ask themselves the question, ‘Identity with what?’ An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

The Network Security Podcast, Episode 188

softsecurity.com In focus — Wed, 10 Mar 2010 06:11:26 +0000

Can you hear that? That’s the sound of air escaping as we all finally recover from the RSA conference. Rich and Martin are back, and Zach… never left (but did celebrate a birthday last week). We do a quick recap of RSA and then dig into the security news… much of which had nothing to [...]

Ubuntu CVE Tracker

softsecurity.com In focus — Wed, 10 Mar 2010 01:11:09 +0000

Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker. I had not seen the Ubuntu CVE Tracker before, so I checked out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any Unpatched issues. For example, take a look at the page Vulnerability Report: Ubuntu Linux 9.10 on secunia.com (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you?ll see a couple of interesting summary statistics as shown here: Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different: You can see the Risk Color Key, but it is about what you?d expect. Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd-party. I didn?t bother to do a count, but I can see that the number of ?needed? fixes is somewhat larger than zero, however, I did not see an RED = High vulnerabilities, so I did check on more thing ? I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (ie, http://nvd.nist.gov). I spot-checked a few: CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS There were 474 CVE entries, so I didn?t do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.

Marc Rotenberg on Google’s Italian Privacy Case

softsecurity.com In focus — Tue, 09 Mar 2010 20:36:00 +0000

Interesting commentary:

I don’t think this is really a case about ISP liability at all. It is a case about the use of a person’s image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person’s image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man’s image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim, suggested that the state assembly could simple pass a law to create the right. The New York legislature did exactly that and in 1903 New York enacted the first privacy law in the United States to protect a person’s “name or likeness” for commercial use.

The whole thing is worth reading.

March 2010 Security Bulletin Release

softsecurity.com In focus — Tue, 09 Mar 2010 20:02:03 +0000

Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of ?1? so we recommend that customers deploy these updates as soon as possible. The Microsoft Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today?s security updates can be found on the Microsoft Security Bulletin webpage. MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension. The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security. MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited. Since both of today?s bulletins require user interaction, we give them both a ?2? on our deployment priority scale: Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month?s bulletins: In the following video, Adrian Stone and I give a brief overview of today?s bulletins: More listening and viewing options:
Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV) Today we also re-released MS09-033 to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions. Additionally, we continue to to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected. Please join us tomorrow for a public webcast where Adrian Stone and I will go in to detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them so please plan to join us. Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711 Thanks! Jerry Bryant
Sr. Security Communications Manager Lead *This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 981374 Released

softsecurity.com In focus — Tue, 09 Mar 2010 18:28:00 +0000

Hi everyone,
Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.

At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to “high”, configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.

As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.
We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided “AS IS” with no warranties, and confers no rights.*