Bypassing code signing policy: welcome to the (Eko)party
ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk on Defeating x64: Modern Trends of Kernel-Mode Rootkits
HTTPS
SSL: Threatened by a BEAST of Prey
SSL isn't hopelessly broken, but the widespread use of TLS 1.0 means that SSL cannot be regarded as fully "secure"
Facebook Privacy: An Easy How-to Guide to Protecting Yourself
Introduction As the sun is setting and I breathe some of the night time air I am inspired to write about Facebook. Yes, *the* Facebook, the third largest country if it were a physical place with boundaries under a common rule of law and government. When many people use a service such as this, it
English Version of HTTPS video
As promised earlier (see http://www.eset.com/threat-center/blog/2009/10/07/https-revisited-spanish-video) an English version of ESET Latin-America’s demonstration video of a phishing attack using HTTPS is now available at http://www.eset-la.com/centro-amenazas/videos/phishing-https-english/. Those earlier blogs again: http://www.eset.com/threat-center/blog/2009/10/06/ssl-to-certify-web-security-is-not-to-guarantee-it http://www.eset.com/threat-center/blog/2009/10/04/truth-fiction-and-https Thanks, Sebastián! David Harley Director of Malware Intelligence ESET LLC
HTTPS revisited – Spanish video
Further to our blogs on HTTPS and SSL certificate issues – see http://www.eset.com/threat-center/blog/2009/10/06/ssl-to-certify-web-security-is-not-to-guarantee-it and http://www.eset.com/threat-center/blog/2009/10/04/truth-fiction-and-https – Sebastián Bortnik has been talking to us today about a video that ESET Latin-America have put together demonstrating a phishing attack using HTTPS. If your Spanish is better than mine, you can check it out here. However, we’ve been working on an
SSL: to certify web security is not to guarantee it
Hard on the heels of the translated blog by Sebastián Bortnik that I posted at the weekend comes news from the Register (http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/) of a bogus Paypal SSL certificate released yesterday exploiting a bug in Microsoft’s crypto API that has remained unpatched for more than two months, when Moxie Marlinspike (can I have a handle
Truth, Fiction and HTTPS
Update, 19th October. I was recently contacted indirectly by Eddy Nigg of StartCom, who points out, quite rightly, that this issue is not specific to StartCom, nor a problem created by StartCom. He commented further in a comment to Dan Raywood’s article for SC Magazine arising from this blog entry, and I think it’s only