Tuesday, December 23, 2008

Season's Greetings

Everyone at Telspace Systems would like to wish you and your families a very happy and peaceful festive season.

Looking back on 2008, Telspace Systems had a very successful and bumper year. Early in the year, Charlie and I jet packed to Hack in the Box in Dubai where we hosted an intensive 2-day training session on Bluetooth and Wireless Hacking. During the same trip, I presented ‘Hacking the Bluetooth Stack for Fun, Fame and Mayhem’ which went off without a hitch.

Telspace Systems was a big role-player in this year’s local ITWeb Security Summit – not only did we present on “Hacking Wireless Modems” and break the story to the press, but we were involved in Johnny Long’s Hackers for Charity initiative. By Day 2 of this prestigious conference, Telspace Systems had convinced most of the delegates to do their part for the underprivileged. For those of you that are planning to attend this conference in 2009, get ready to witness a similar initiative ;)

Nearer to the end of the year, Charlie and I again set off overseas – this time to SecTor in Canada (Toronto). Again teaching delegates the art of hacking wireless and Bluetooth, we finished off the conference with a presentation on hacking internal proxies.

Finally, we have just learned that we have been chosen as a Technology Top 100 qualifier for 2009, making it the third year in a row we have been selected for this honour. 2009 holds many new training courses and great new services for our clients and we look forward to presenting these to you.

It has been an absolute pleasure working with you this year – without your continued support many of our achievements would not be possible.

Have a safe and wonderful New Year’s.

Wednesday, December 17, 2008

Dino hits the airwaves

Following his successful interview on Reuben Goldberg's The Internet Economy on Classic fM in October, Dino was contacted to discuss this weekend's Saturday Star story Hacked! on 702 Talk Radio.

He was on air at 7:40 yesterday morning and spoke to David O'Sullivan about the security of open source and ethical hacking as a business.

Dino will be interviewed on Classic fM again in January, and I will make sure to post an announcement regarding dates and times as soon as we know what they are.

Have an awesome almost-holiday week, and keep tuning in!

Wednesday, December 10, 2008

Microsoft goes out with a bang

Microsoft’s last patch release for the year is a biggie – it addresses no fewer than 28 security vulnerabilities.

Released yesterday, this patch solves the following issues:

• Six security holes in the ActiveX controls for Microsoft Visual Basic 6.0's Runtime Extended Files, all of which could allow remote code execution if a user visited a malicious website.
• Four memory-corruption issues in Internet Explorer.
• Two other fixes addressing a total of 11 vulnerabilities in Microsoft Word and Excel.
• Fixes for security issues in Microsoft's graphics library, Windows' search functionality and Windows Media Components, and for a vulnerability in Microsoft Office SharePoint Server.

More info is available here.

Make sure you download your updates!

Monday, December 1, 2008

Recent Facebook mail notification = FAIL

Facebook users received an email notification last week asking that email notification settings which had been 'lost' be updated - followed by an embedded link. Was this a phishing scam, or was the email legit?

Being in the industry, we know to stay away from any emails asking for personal details to be updated/confirmed/changed as it is more often than not slimy phishers looking to score. Banks even expressly state that they will never EVER under any circumstances ask for details to be updated via any email link, as they are most often targeted and the most lucrative for scammers.

Facebook has certainly not gone under miscreants' radar, given the millions of users it has. Since the Facebook explosion, warnings of phishing scams and successful attempts have graced news sites everywhere, offering users the knowledge they need to distinguish fake mails from real ones.

So now - given the press and multitude of people they service, why would Facebook send all their users a mail that looks so suspiciously like a phishing one? Let's run it through a quick evaluation...

Firstly, the language they use is quite phisher-esque - "Unfortunately, the settings that control which email notifications get sent to you were lost." Uhm... lost? This statement is broad, not backed up by any reasons as to why it happened, or what the details of the problem were. Besides, there was no media coverage of the technological 'glitch' or issue that caused millions of settings to be simply 'lost'. It scores 5 phishy points on its own.

Secondly, the embedded link, which is a big no-no when it comes to getting personal details, scores another 5 points. We all know that even though the link may look like it points to the actual site, once clicked, it can easily redirect us to a spoofed site.

Thirdly, the signature - 'The Facebook Team' - is so impersonal. If such a serious technological error did indeed occur, I think Facebook users deserve to have someone a bit higher up with an actual name and title send them a mail. I mean, if Facebook can 'lose' my email notification settings in some unknown and mysterious way, what is to say that next time it will not be my personal details that disappear or my photos that get wiped out? Or, God forbid, I lose my friends! I'll give that one a score of 6 just for sheer cheekiness.

Let's just say, even based on these three points alone, I would simply press delete and feel a small sense of one-upmanship by having foiled yet another potential Internet crime and never give it a second thought.

Obviously, they are trying to downplay the problem, which could be a large contributor to the way the email was written. But Facebook should know better. In my opinion, they should have bypassed the email route altogether and rather had an alert or pop-up within the application itself. If they had sent a mail to my Facebook inbox, I also would have regarded it with a lot more positive interest.
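The three checks the post walks through, written up as a small scoring script so the same "quick evaluation" can be run over any HTML notification. This is an added example, not part of the original post: the sample message is constructed in the style described (not the actual Facebook mail), the point weights are the post's own, and the link check goes one step further by comparing the visible link text with the host the href actually points at.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the post describes; not the real notification.
SAMPLE_HTML = """<p>Unfortunately, the settings that control which email notifications
get sent to you were lost.</p>
<p>Please <a href="http://update.lookalike-example.test/settings">update them at
www.facebook.com</a>.</p><p>Thanks,<br>The Facebook Team</p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def score_notification(html, expected_domain="facebook.com"):
    """Apply the post's three checks; return each finding plus the total 'phishy points'."""
    findings = {}
    text = re.sub(r"<[^>]+>", " ", html)  # tag-stripped prose for the wording checks
    # 1. Vague 'settings ... were lost' wording with no explanation: 5 points.
    if re.search(r"\bsettings\b[^.]{0,80}\bwere lost\b", text, re.I):
        findings["vague_loss_language"] = 5
    # 2. An embedded link asking the reader to act: 5 points. Also record whether the
    #    visible text names the expected site while the href host is somewhere else.
    parser = LinkExtractor()
    parser.feed(html)
    if parser.links:
        findings["embedded_link"] = 5
        def host_ok(href):
            host = (urlparse(href).hostname or "").lower()
            return host == expected_domain or host.endswith("." + expected_domain)
        findings["link_host_mismatch"] = any(
            expected_domain in vis.lower() and not host_ok(href) for href, vis in parser.links)
    # 3. Impersonal 'The <Something> Team' signature: 6 points.
    if re.search(r"\bThe \w+ Team\b", text):
        findings["impersonal_signature"] = 6
    findings["total"] = sum(findings.get(k, 0) for k in
                            ("vague_loss_language", "embedded_link", "impersonal_signature"))
    return findings
```

On the constructed sample all three checks fire for 16 points, and the link's visible text names facebook.com while its href resolves to a different host.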