Yet ANOTHER Adobe Zero-Day

I haven’t been able to keep up with the most recent Adobe threats, as there have been so many in the last month or two.  Here is the latest Flash vulnerability that now has exploit code in the wild AND apparently, a MetaSploit module to keep the script kiddies busy and happy.

Multiple vulnerabilities have also been recently identified in Shockwave Player, which could allow malicious code to run on the affected system by exploiting memory corruption and buffer overflow conditions.  Some of these vulnerabilities are rated critical by the vendor.  Exploit details were posted for CVE-2010-3653 and functioning exploit code is available in tools such as Metasploit.

I’m thinking it is time once again to get completely rid of Adobe products from my systems.  Shockwave and Flash are cool for web-based eye candy, but when they start introducing this kind of risk, their value is certainly in question.  Reader and Acrobat have already been replaced on my systems.  I hope Adobe can clean up their act, as they are now acquiring other companies and products…

Advertisements

Canada Introduces High-Tech Crime Legislation

Two bills are being re-introduced in the House of Commons that would provide law enforcement and national security agencies with up-to-date tools to fight crimes such as gang- and terrorism-related offences and child sexual exploitation.

“New and evolving technologies provide new ways of committing crimes, making them harder to investigate,” said Minister Nicholson. “We must ensure that law enforcement has the means to bring to justice those who would break the law. Twenty-first-century technology demands twenty-first-century tools for police to effectively investigate crime.”

The proposed Investigative Powers for the 21st Century Act would provide law enforcement agencies with new, specialized investigative powers to help them take action against Internet child sexual exploitation, disrupt on-line organized crime activity and prevent terrorism by:

  • enabling police to identify all the network nodes and jurisdictions involved in the transmission of data and trace the communications back to a suspect. Judicial authorizations would be required to obtain transmission data, which provides information on the routing but does not include the content of a private communication;
  • requiring a telecommunications service provider to temporarily keep data so that it is not lost or deleted in the time it takes law enforcement agencies to return with a search warrant or production order to obtain it;
  • making it illegal to possess a computer virus for the purposes of committing an offence of mischief; and
  • enhancing international cooperation to help in investigating and prosecuting crime that goes beyond Canada’s borders.

“We are giving our police the tools they need to keep up with criminals who are increasingly using new technology in carrying out their crimes.  Read the entire article at PublicSafety.gc.ca

POS / ATM Skimming On The Rise

According to an article on the BankInfoSecurity site, security experts say that we will continue to see an increase in skimming in the US in the months ahead, particularly against ATMs.  This trend tends to be mirrored in Canada.  Lingering magnetic-stripe technology is to blame.

The typical ATM skimming attack spans 1 to 2 hours, making catching the crooks extremely difficult, and losses per incident average $30,000, according to ADT Security Solutions.  ADT also estimates these attacks cost financial institutions and their customers 10 times more than robberies.  According to ACI Worldwide’s Card Fraud Guide, overall card fraud continues its rise, up to $2.04 billion in 2007.  Debit card losses rose to $1.05 billion in 2007.

As European nations convert to the EMV chip standard, more and more skimming fraud is expected to come to North America, where mag-stripe cards remain the norm.  To get more information, to read about potential solutions, and to see a timeline of 2010 skimming events, click on the link above to visit the article.

So, how are these guys doing it?  BankInfoSecurity also provides an article outlining the top 4 skimming scams:

  • #1: Hand-Held POS Skimming
  • #2: POS  Swaps
  • #3: ATM and Unattended Self-Service Terminal Skimming
  • #4: Dummy ATMs

 Be very cautious where you use your credit and debit cards this coming holiday season, and remember that your bank offers methods for changing the PIN right at the ATM if you suspect a vendor is skimming or has been compromised, or in the branch if you suspect an ATM has been compromised.  It only takes a second to change that PIN, and it _is_ your money!