Mar 24 2009

HP’s Free Adobe Flash Vulnerability Scanner

Catalyst writes “SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe’s security recommendations. There is also this video explaining a real, and amusing, attack against a Flash app. These issues are fairly widespread, with over 35% of SWF applications violating Adobe security advice.”

Read more of this story at Slashdot.


Mar 23 2009

Social Security Administration Launches E-Health Info Exchange

Lucas123 writes “In what could be the start of a national health information exchange system, the Social Security Administration became the first federal agency to go live with a public-private electronic health records information exchange that will cut wait time for 2.6 million Americans who apply for benefits each year by weeks or months. The electronic exchange runs on a database operated by a non-profit organization in Virginia and open-source software deployed at the Social Security Administration. ‘The goal of the NHIN effort is to enable secure access to health care data and real-time information sharing among physicians, patients, hospitals, laboratories, pharmacies and federal agencies … regardless of location or the applications that are being used.’”



Mar 23 2009

Researchers Demo BIOS Attack That Survives Disk Wipes

suraj.sun writes “A pair of Argentinian researchers have found a way to unveil a BIOS-level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week’s CanSecWest conference to demonstrate methods for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.”



Mar 22 2009

‘Smart Grid’ Electricity System Can Be Hacked For $500

The high-tech digital electricity distribution and transmission system known as the “Smart Grid” can be hacked, cybersecurity experts say, resulting in a massive blackout.


Mar 22 2009

Microsoft Unveils Open Source Exploit Finder

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: “Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it’s still under development. As its name suggests, !exploitable Crash Analyzer (pronounced ‘bang exploitable crash analyzer’) combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a ‘game changer’ because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.”



Mar 22 2009

New Bill Could Shift Federal Cybersecurity Work From DHS To White House

CNet reports on legislation currently being drafted that would transfer federal cybersecurity responsibilities away from the Department of Homeland Security. Instead, they would fall under the authority of the Executive Office of the President, creating an Office of the National Cybersecurity Advisor. A tech commission recommended relieving the DHS of cybersecurity responsibilities late last year, saying it simply wasn’t prepared to deal with organized online threats. More recently, the director of the DHS’s National Cybersecurity Center resigned, citing interference from the NSA. The new legislation would “put the White House National Cybersecurity Advisor in charge of coordinating cyber efforts within the intelligence community and within civilian agencies, as well as coordinating the public sector’s cooperation with the private sector. The adviser would have the authority to disconnect from the Internet any federal infrastructure networks — or other networks deemed to be ‘critical’ — if found to be at risk of a cyberattack. The private sector will certainly speak out if this provision is included in the final draft of the bill, a representative of the technology industry who spoke on condition of anonymity said.”



Mar 22 2009

Smart Grid Computers Susceptible To Worm Attack

narramissic writes “Researchers with security consultancy IOActive have created a worm that could quickly spread among Smart Grid devices, small computers connected to the power grid that give customers and power companies better control over the electricity they use. ‘[The worm] spread from one meter to another and then it changed the text in the LCD screen to say “pwned,”’ said Travis Goodspeed, an independent security consultant who worked with the IOActive team. In the hands of a malicious hacker, this code could be used to cut power to Smart Grid devices that use a feature called ‘remote disconnect,’ which allows power companies to cut a customer’s power via the network. The robustness of US power networks has been a hot-button issue after a technical glitch in 2003 caused a cascading power failure in the eastern United States and Canada that affected 55 million people.”



Mar 22 2009

10 Best Firefox Addons for Security and Privacy

Security and privacy are some of the major concerns these days while choosing a web browser to use. So much so that all the major players in the “browser wars” are providing or developing a private browsing mode.


Mar 21 2009

Researchers Ponder Conficker’s April Fool’s Activation Date

The Narrative Fallacy writes “John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker’s purpose range from the benign — an April Fool’s Day prank — to far darker notions. Some say the program will be used in the ‘rent-a-computer-crook’ business, something that has been tried previously by the computer underground. ‘The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,’ writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker’s authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a ‘Dark Google.’ ‘What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,’ writes Markoff. ‘That would be a dragnet — and a genuine horror story.’”



Mar 21 2009

DC Fires Tech Contractors, Puts Employees On Leave

theodp writes “After Gov. Tim Kaine intervened on his behalf, Vivek Kundra was quietly reinstated to his Federal CIO post on Tuesday after a brief leave following an FBI raid on Kundra’s former DC office (Kundra was not implicated). Now, the Washington Post reports that the City of DC plans to fire 23 Technology Office contractors and place 4 employees on leave in the aftermath of the arrests of a Security manager and contractor on bribery charges last week. Another government employee has since been arrested for his role in the scam, and the mayor has promised that the tech office will undergo a ‘full and formal review.’”

