Google Chrome Survives Pwnium 3 Challenge!

Can you imagine Microsoft offering expert hackers a challenge, with big financial incentives, to try and hack Windows? Huh!? Yeah, right!! You gotta admit, if you want security, Chrome would be the way to go!

No Winning Exploit Found For Chrome OS At Annual Hacking Competition, Pwnium 3

“Google’s operating system Chrome OS survived all attempts to hack it at this year’s Pwnium 3 competition, which took place at the CanSecWest security conference in Vancouver, BC this week. Google, which was offering up $3.14159 million in prize money (get it, Pi money?), said that there was no winning entry, but it was in the process of evaluating some exploits for partial credit.

The focus for this year’s Pwnium 3 was on Chrome OS – and the big push from Google to focus on its operating system, recently introduced in the new, high-end Chromebook Pixel touchscreen laptop, also included increased rewards for hackers finding exploits as well. Although in previous years, rewards maxed out at $60,000 for Chrome browser exploits, the company had earmarked up to $3.14 million for hacks on the OS. That was largely just a clever marketing gimmick, however – the actual potential payouts were much lower:

The two reward levels offered this year included:

  • $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
  • $150,000: compromise with device persistence — guest to guest with interim reboot, delivered via a web page.
  • And, as always, partial credit was offered to those for incomplete or unreliable exploits.

The hacks had to be demonstrated against a base Wi-Fi model of the Samsung Series 5 500 Chromebook, running the latest stable version of the Chrome operating system. Hackers could use any of the installed software, including the kernel and drivers, to attempt their attacks.

A Google spokesperson confirmed the Pwnium 3 hacking contest completed without a winning entry, via the following statement:

Pwnium 3 has completed and we did not receive any winning entries. We are evaluating some work that may qualify as partial credit. Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts.

Chrome OS, which is a Linux-based operating system running a Chrome browser, may have been more difficult to hack thanks to ten bug fixes which arrived just before the competition. Six of these were high-level bugs and four earned payouts of $1,000-$2,000 from Google’s ongoing efforts to reward researchers for finding bugs.

Pwnium 3 ran alongside the browser-focused Pwn2Own, which wraps up today. During day one of that event, all browsers except Safari proved vulnerable to attacks, but only because none of the entrants decided to take on Safari this year. The Chrome browser issue discovered yesterday has now been fixed. During day 2, Adobe Reader, Flash and Java also fell.”

Makerbot Shows Off a Near Replicator at South-by-Southwest

Scan an object and then 3D print the object? So, is this a first generation Star Trek replicator?

MakerBot announces 3D ‘Digitizer’ prototype to scan your world, then print it out

“MakerBot founder Bre Pettis today announced the Digitizer Desktop 3D Scanner prototype it intends to sell alongside its Replicator 3D printers. The scanner uses a combination of cameras and lasers to scan an object and create a digital file that can then be printed using one of MakerBot’s replicators. The company says you won’t need any experience with design or 3D modeling software to make use of the scanner, and wants to see it used by businesses, educational facilities, and in the home. The Digitizer will launch this fall, Pettis said.

‘The MakerBot Digitizer is an innovative new way to take a physical object, scan it, and create a digital file — without any design, CAD software or 3D modeling experience at all — and then print the item again and again on a MakerBot Replicator 2 or 2X Desktop 3D Printer,’ Pettis said. The Digitizer is capable of scanning objects up to 8 inches by 8 inches in less than three minutes. As the Digitizer scans your object, it spins in a circle on top of a platform. ‘This is kind of like what happened when Flynn (in Tron) gets digitized into the game grid,’ Pettis said. ‘This takes us from being a 3D printer company into being a company that’s building out a 3D ecosystem.’

Before Pettis revealed the actual Digitizer, he delved into some of the ways people around the world are using MakerBot. One dad made orthotics so his daughter could appear tall enough to ride a rollercoaster, payments startup LevelUp prototyped a new phone scanner, and Pettis himself made shot glasses. Some MakerBot-built products will have an even bigger impact on our lives, Pettis said. ‘Our biggest customer is NASA, which just makes the nerd in me so happy,’ he said. ‘They can make cheap prototypes on our machines before using their high end one.'”

UltraDefrag Version 6.0 is Out!

This is my very favorite Open Source defragmenter! I install it on every system that I build. Keeping your disk drive defragged and optimized is a huge benefit in performance.

UltraDefrag Version 6.0

“UltraDefrag is a powerful Open Source Defragmentation tool for the Windows Platform. It can defragment any system files including registry hives and paging file. Also one of the main goals of UltraDefrag is doing the job as fast and reliable as possible.

  • All disk processing algorithms were optimized for speed and efficiency.
  • Support to optimize FAT disks was added.
  • The ability to specify the file sorting order and criteria was added for optimization.
  • Additional filters for fragment and file size were added.
  • Optimization now makes use of all specified filters.
  • The ability to minimize the window to the system tray was added.
  • The ability to display the progress on the task bar icon was added for Windows 7® and above.
  • File fragmentation reports are now no longer stored in the root folder of the drive, but in a sub-folder of the installation folder, so they are no longer left behind after removing UltraDefrag.
  • The Explorer context menu handler is now configurable too.”

Dr. Bill.TV #280 – Video – “The We DO Need Speed Edition!”

Microsoft delivers IE 10 for Win 7, Time Warner says there is NO demand for gigabit internet… what? Raspberry Pi: one year old! GSotW: UNetbootin! Another Java Zero-Day found, LibreOffice Certification Program, a video on Graphene, the next BIG thing!

Links that pertain to this Netcast:

TechPodcasts Network

Blubrry Network

UnetBootin – Boot Creator!



Available on YouTube at: https://youtu.be/VKWcuumbVcs

Available on Vimeo at: https://vimeo.com/60909756


Dr. Bill.TV #280 – Audio – “The We DO Need Speed Edition!”


LibreOffice Professional Certification!

LibreOffice is developing a Certification Program! Pretty neat!

LibreOffice Certification Program

“Certification is a key milestone for building the LibreOffice ecosystem, and increase the number of organizations capable of adding value around LibreOffice (and, hopefully, help to spread the adoption over proprietary and open source office suites). Certification is also going to be an additional opportunity for The Document Foundation, at least in the medium to long term, in order to sustain the growth of the ecosystem.

TDF certification model will be different from that of proprietary software companies, as TDF – for instance – cannot leverage discounts over list prices (one of the typical advantages of certified partners). Developing a new certification model is both a challenge and an opportunity, for TDF and for its partners.

TDF (informal) ecosystem already includes the resources for creating this new model of certification program, and to make it interesting for the market (i.e. individuals and companies which are not yet thinking about becoming TDF partners, but have the potential to do so). In any case, TDF certification will not be related to the sheer dimension of the business, although companies able to generate a larger business should also contribute more to the project.

Before starting to outline the certification program, it should be absolutely clear that it is not supposed to become a source of competition for TDF corporate sponsors (today: Canonical, RedHat and SUSE), for TDF partners like Lanedo, and for TDF members who provide VAS (value added services) to the market. On the contrary, it provides a method of regulating the quality of the services provided by these entities and a method of recognising that certain services conform to clear and transparent regulatory criteria. This will help build and sustain the ecosystem.

The main focus of the certification program is the corporate environment, although TDF – in the future – might also create an end user training program as a by-product of the corporate training (although most end users will ask for a basic training program, and possibly for a certification like ECDL, which might become a secondary source of income, based on trainings for the trainers). Although there might be a large request for end user certification, this is not as important as professional certification as it is not going to help building the ecosystem.

Individual Certifications:

Certified Developer

Is able to hack LibreOffice code to develop new features or provide L3 Support to enterprise users, researching and developing solutions to new or unknown issues, designing and developing one or more courses of action, evaluating each of these courses in a test case environment, and implementing the best solution to the problem. Once the solution is verified, it is delivered to the customer and given back to the community. Certified Core Developers need to be present TDF members, and part of their certification is peer review by the Engineering Steering Committee.

Certified Migration Professional

Is able to coordinate the migration process from MS Office to LibreOffice, working with the customer to manage the change in all aspects (integration, development of macros and templates, training and support) in order to have a smooth transition.

Certified Professional Trainer

Is able to teach the use of LibreOffice at basic, intermediate or advanced level.

Certified L1 Support Professional

Is able to handle basic customer issues, gathering the customer’s information and determining the customer’s issue by analyzing the symptoms and figuring out the underlying problem. Technical support specialists in this group typically handle straightforward and simple problems like verifying the proper hardware and software set up, and assisting with application menus. In a corporate environment, the goal for this group is to handle 70%-80% of the user problems before finding it necessary to escalate the issue to L2 support.

Certified L2 Support Professional

Is able to assist L1 support personnel in solving basic technical problems and investigating elevated issues by seeking for known solutions related to these more complex issues. If a problem is new or a solution cannot be determined, is responsible for raising this issue to L3 support. Technical support specialists in this group typically handle complex functional problems. Within a migration project, is able to develop macros and/or templates reproducing those developed for MS Office, in order to offer to end users of the suite the same functionalities they were used to.”

Java Has Yet Another Security Issue!

Java is having a bad – quarter! Another Zero Day security issue for Java!

Another Java Zero-Day Found, Dump That Browser Plugin

“Researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild.

The security flaw, if triggered, leads to arbitrary memory read-and-write in the Java Virtual Machine, Darien Kindlund and Yichong Lin, two researchers at FireEye, wrote on the FireEye Malware Intelligence Lab blog Thursday. If successful, the attack code downloads a McRAT dropper and information-stealing Trojan onto the victim’s computer. It is a different type of flaw than some of the others we’ve seen recently.

FireEye said several of its customers saw the attack against browsers with Java enabled. The security flaws are in Java v.1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19, according to FireEye. The researchers have already disclosed the vulnerability to Oracle (CVE-2013-1493). No other information is currently available from Oracle.

More Zero-Days
FireEye researchers summed up the prevailing sentiment well in the post’s title, ‘YAJ0: Yet Another Java 0-Day.’ While Java has been a popular attack target for a long time, there seems to be an explosion of Java zero-days being exploited in the wild over the past two months. It’s the same cat-and-mouse game we’ve seen with other companies. A zero-day is found, the company patches it, a new zero-day is found. Wash, rinse, and repeat.

Oracle, the company well-known for its reluctance to release patches out-of-schedule, has released several emergency updates in the past year because the bugs have been so serious. The company released a scheduled update Feb. 19, but it is likely this bug will spur yet another emergency patch.

Turn It Off, Or Limit It
Are you tired of the whole merry-go-round and want a way to jump off? Turn off Java in the browser. Disable the plugin. We show you how to disable Java. Are you one of the many, many, people who need Java for work and school purposes and can’t turn off Java in the browser?

Here is what you can do. You disable Java in your default, primary browser. The browser you use the most should not have Java at all. And then you install the browser you don’t use all that often—most people generally have more than one browser installed on their computers, anyway—and enable Java in that. The important thing here, though, is that you don’t, never ever, absolutely never, use that browser to go to any site other than that handful of sites you need to run Java on. You need to use Blackboard? You fire up the Java-browser. You need to look up something that was mentioned during the Blackboard session? Instead of clicking, copy the link, fire up your default browser, and paste it in.

It adds a lot of extra steps, and I can tell you that it is tremendously annoying. But I feel safer knowing that I am reducing my chances of getting hit with a watering hole attack. Think about all those mobile developers at Facebook, Twitter, Microsoft, and Apple. They visited an iOS developer Web site (probably a site they visited with regularity, considering their jobs) with browsers that had Java enabled, and were compromised.

If you are annoyed enough, you will do the next step, which is pressure the company to stop using Java. ‘There is no longer any reason for Websites to be using Java applets,’ Chester Wisniewski, of Sophos, told me at the RSA Conference this week. You can pressure IT to start switching to a different product. As customers, you can tell the vendor to come up with a non-Java alternative, or when it comes time to renew the subscription or contract, you will cancel and go to a different product. Money talks.

Wisniewski said he didn’t make the decision to recommend turning off Java lightly. He considered the ramifications carefully and came to the conclusion that at the moment, it was the safest thing to do.”

Geek Software of the Week: UnetBootin!

Do you need a bootable USB stick? Well, here’s a neat way to get one! This week’s GSotW, UnetBootin! It is awesome!

UnetBootin – Boot Creator!

“UNetbootin allows you to create bootable Live USB drives for Ubuntu, Fedora, and other Linux distributions without burning a CD. It runs on Windows, Linux, and Mac OS X. You can either let UNetbootin download one of the many distributions supported out-of-the-box for you, or supply your own Linux .iso file if you’ve already downloaded one or your preferred distribution isn’t on the list.

UNetbootin can create a bootable Live USB drive, or it can make a ‘frugal install’ on your local hard disk if you don’t have a USB drive. It loads distributions either by downloading an ISO (CD image) file for you, or by using an ISO file you’ve already downloaded.

For the Live USB creation mode, UNetbootin downloads and extracts an ISO file to your USB drive, generates an appropriate syslinux config file, and makes your USB drive bootable using syslinux.

For the Hard Disk / ‘frugal install’ mode, UNetbootin uses a Windows or Linux-based installer to install a small modification to the bootloader (bootmgr and bcdedit on Vista, grldr and boot.ini for NT-based systems, grub.exe and config.sys for Win9x, or GRUB on Linux), and uses the bootloader to boot the desired distribution’s installer or to load the system utility, no CD required. After the distribution has been installed, or once done using the system utility, the modification to the bootloader is then undone.”
