Ryan Naraine

Free COFEE Helps Law Enforcement Forensics

Microsoft has announced plans to give away free versions of its COFEE (Computer Online Forensic Evidence Extractor) utility to help law enforcement agencies in cyber-crime investigations. COFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of technical expertise.

Mozilla Temporarily Blocklists MS Firefox Add-On

Mozilla temporarily added the Microsoft .NET Framework Assistant add-on to its blacklist over the weekend, a move that effectively disabled the dangerous extension and plug-in for all Firefox users. However, after some clarifications from Redmond, the add-on was unblocked.


The Big Story podcast with Ryan Naraine – October 19, 2009 In the debut installment of the ‘Big Story’ podcast, Threatpost editor-in-Chief Ryan Naraine chats with Mozilla VP of Engineering Mike Shaver (right) on his decision to blacklist – then unblock – the controversial Microsoft-created Firefox add-ons.

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?
Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

A new version of phpMyAdmin has been released to plug two serious security holes that could lead to SQL injection and cross-site scripting attacks.
According to an advisory from the maintainers of the open-source tool, one of the vulnerabilities allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.

Since moving to a monthly schedule in October 2003, Microsoft has released about 400 security bulletins based on an informal count of releases in its bulletin archives. The bulletins address about 745 vulnerabilities across almost every Microsoft product.
About 230, or more than half of the bulletins, addressed security vulnerabilities that were described by Microsoft as “critical.” This definition is what Microsoft typically uses for vulnerabilities that allow attackers to take full administrative control of a system from a remote location. Read the full story [Jaikumar Vijayan/Computerworld]

Just 4% of users of corporate systems abide by IT security policies, even when those systems handle very sensitive private information, according to an academic survey [pdf] that has revealed humans to be the main flaw in any security system.

Researchers at the University of Wisconsin-Madison and IT University, Copenhagen found that just 4% of the people surveyed obey best practice rules for passwords. The rest use the same passwords for different systems, use words that appear in the dictionary, or write their passwords down on post-it notes beside the computer. Read the full story [out-law.com]

In May, President Obama completed his long-awaited “cyberspace policy review,” concluding that cyberspace is a strategic asset that must be safeguarded from attack as a national security priority.
The president promised to appoint a permanent “cyber czar” who would coordinate the work of federal agencies charged with protecting us. But since “acting cyber-security czar” Melissa Hathaway resigned in August, the post has been unfilled. Why? Read the full op-ed [LA Times/James D. Zirin]