Tag Archives: MCTS Exams Training

Adobe adding security, privacy goodies to Flash Player 11

Adobe’s new Flash Player 11 will ship a 64-bit build that benefits from 64-bit ASLR exploit mitigation, and will add support for SSL socket connections.

MCTS Certification, MCITP Certification

Microsoft MCTS Certification, MCITP Certification and over 2000+
Exams with Life Time Access Membership at https:://www.actualkey.com

Battling to cope with the hacker bullseye on its back, Adobe plans to add new security and privacy features to the next version of its ubiquitous Flash Player, including support for SSL socket connections and the introduction of 64-bit ASLR (Address Space Layout Randomization).

Adobe said the new Flash Player 11, expected in early October, will include the SSL socket connection support to make it easier for developers to protect the data they stream over the Flash Player raw socket connections.


Flash Player 11 will also include a secure random number generator.

Adobe’s Platform Security Strategist Peleus Uhley explains:

Flash Player previously provided a basic random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn’t meet the complete cryptographic standards for random number generation. The new random number generator API hooks the cryptographic provider of the host device, such as the CryptGenRandom function in Microsoft CAPI on Windows, for generating the random number. The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts.
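The gap Uhley describes, between a game-grade PRNG and an OS-backed cryptographic one, is easy to demonstrate. The Python below is an added example, not Adobe’s code, and it does not model Flash’s actual Math.random (whose algorithm the page does not state). It uses Python’s `random` module, a Mersenne Twister (MT19937), as a stand-in for any non-cryptographic PRNG: after watching 624 consecutive 32-bit outputs, an observer rebuilds the full internal state and predicts every later output. The `secrets` module, which draws from the operating system’s cryptographic provider (the role CryptGenRandom plays in Uhley’s description), stands in for the fix.

```python
"""Added example: recovering a Mersenne Twister's state from its outputs.

Illustrative code, not Adobe's. Python's `random` (MT19937) stands in for a
game-grade PRNG; `secrets` stands in for an OS-backed CSPRNG.
"""
import random
import secrets

MT_N = 624            # MT19937 state words; also the number of outputs an attacker needs
MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937 output tempering: what the generator applies to each state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Invert temper(); every tempering step is a bijection on 32-bit words."""
    y ^= y >> 18                      # shift of 18 >= 16 bits: step is its own inverse
    y ^= (y << 15) & 0xEFC60000       # mask bits never overlap after a second shift: self-inverse
    x = y
    for _ in range(5):                # each pass recovers 7 more low-order bits
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):                # each pass recovers 11 more high-order bits
        x = y ^ (x >> 11)
    return x & MASK32


def clone_mt19937(observed: list[int]) -> random.Random:
    """Rebuild a generator from the first 624 32-bit outputs of a fresh one.

    Assumption (stated in the lead-in): `observed` starts at the generator's
    first output after seeding, so the 624 words map onto one full state block.
    """
    if len(observed) < MT_N:
        raise ValueError(f"need {MT_N} outputs, got {len(observed)}")
    state = tuple(untemper(o) for o in observed[:MT_N])
    clone = random.Random()
    clone.setstate((3, state + (MT_N,), None))   # index == MT_N: next call twists, like the victim
    return clone


def clone_predicts(seed: int, n_predict: int = 16) -> bool:
    """An attacker watches 624 'tokens' from a victim seeded with an unknown value,
    then predicts the next n_predict tokens. Returns True if every prediction matches."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(MT_N)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    return predicted == actual


def csprng_token(nbytes: int = 16) -> str:
    """The fix: draw tokens from the OS cryptographic provider (os.urandom) instead."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("MT19937 clone predicts future outputs:", clone_predicts(secrets.randbits(64)))
    print("CSPRNG token (no past output helps predict it):", csprng_token())
```

The attack needs no knowledge of the seed; the seed only matters because it is the one thing the observer never sees, and the example shows that this does not help. Any token, session ID or nonce built from such a generator is predictable once enough outputs leak, which is exactly why a "good enough for games" generator is not good enough for cryptography.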


The company is also adding 64-bit support in Flash Player 11, a move that Uhley says will bring some security side-benefits.

If you are using a 64-bit browser that supports address space layout randomization (ASLR) in conjunction with the 64-bit version of Flash Player, you will be protected by 64-bit ASLR. Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR.
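How many address bits ASLR can actually randomize is something you can measure rather than take on faith. The script below is an added example, not Adobe’s or Microsoft’s code, and it is not about Flash specifically: it launches fresh interpreter processes, records where libc’s `malloc` landed in each, and counts the bit positions that differed between launches. It assumes a POSIX host (Linux or macOS) where `ctypes.CDLL(None)` resolves symbols from the running process; on a 32-bit build the same measurement shows the much smaller number of free bits Uhley describes.

```python
"""Added example: measuring how many address bits ASLR really varies.

Illustrative code, not from the article. Each launch of a fresh process reports
the address of libc's malloc; bits that differ between launches are bits that
ASLR was free to randomize. Assumes a POSIX host (ctypes.CDLL(None)).
"""
import subprocess
import sys

# One-liner run in each child process: print the load address of malloc.
PROBE = (
    "import ctypes; f = ctypes.CDLL(None).malloc; "
    "print(ctypes.cast(f, ctypes.c_void_p).value)"
)


def sample_libc_addresses(launches: int) -> list[int]:
    """Start `launches` fresh interpreters and collect one library address from each."""
    addrs = []
    for _ in range(launches):
        out = subprocess.run([sys.executable, "-c", PROBE],
                             capture_output=True, text=True, check=True).stdout
        addrs.append(int(out.strip()))
    return addrs


def varying_mask(addresses: list[int]) -> int:
    """Bitmask of positions that took more than one value across the samples."""
    if not addresses:
        return 0
    mask = 0
    for a in addresses[1:]:
        mask |= a ^ addresses[0]
    return mask


def varying_bits(addresses: list[int]) -> int:
    """Number of address bits that changed between launches (an upper bound on
    ASLR entropy, since the bits need not be independent)."""
    return bin(varying_mask(addresses)).count("1")


def report(launches: int = 20) -> str:
    """Run the measurement and summarize it. Page-aligned low bits (12 on x86)
    never vary; the interesting number is how many bits above them do."""
    addrs = sample_libc_addresses(launches)
    width = sys.maxsize.bit_length() + 1        # 64 on a 64-bit build, 32 on a 32-bit one
    mask = varying_mask(addrs)
    return (f"pointer width {width} bits; {launches} launches; "
            f"{bin(mask).count('1')} bits varied (mask {mask:#x})")


if __name__ == "__main__":
    print(report())
```

Twenty launches are plenty: a bit that ASLR genuinely randomizes fails to show up in all twenty with probability about 2^-19. Run the same script under a 32-bit interpreter and the varied-bit count drops to the single digits, which is the limitation the quoted passage is talking about; a count of zero means ASLR is disabled for the process entirely.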

On the privacy side, Adobe is adding a private browsing mode to allow users to stay incognito while viewing Flash files. A mobile control panel is also being added on Android devices to make it easier for users to manage their Flash Player privacy settings.

Microsoft delivers new Internet Explorer 10 test build for Windows 8

Microsoft released a new developer preview of IE 10 this week for Windows 8 testers only. The new platform preview can work as a plug-in-free “Metro-style” app, or a Desktop app that still supports plug-ins.


This week Microsoft released a new test version of the Internet Explorer (IE) 10 browser that is bundled with Windows 8: Platform Preview 3 (PP3).

Like previously released Platform Preview builds, the IE 10 PP3 is aimed at developers, not end user customers.

PP3 is accessible in Windows 8 in two ways: as a “Metro style” application, or as a Microsoft Desktop App, i.e., one that is part of the classic/legacy mode of Windows 8. (“Metro style” refers to an app that is designed to take advantage of the new tile user interface and supporting operating-system infrastructure in Windows 8.)

The Metro IE 10 PP3 release does not support any browser plug-ins and extensions — including Adobe Flash and Microsoft Silverlight. But Desktop App IE 10 PP3 does allow plug-ins and extensions.

Windows Chief Steven Sinofsky explained the distinction in a blog post this week. From that post:

“In Windows 8, IE 10 is available as a Metro style app and as a desktop app. The desktop app continues to fully support all plug-ins and extensions. The HTML5 and script engines are identical and you can easily switch between the different frame windows if you’d like.”

The Metro version of IE 10, because it doesn’t support plug-ins and extensions, “improves battery life as well as security, reliability, and privacy for consumers,” according to the blog post.

Microsoft is advising Windows 8 customers who need to access consumer sites and line of business applications that require legacy ActiveX controls to use IE 10 in the Desktop App to get to these sites.

Microsoft did not update this week the IE 10 test build that works on Windows 7 and Windows Vista. That version of IE 10 is still at the PP2 milestone. Microsoft officials said that a PP3 update for Vista and Windows 7 users would be released “at a future date.”

The PP3 version of IE 10 includes support for CSS Text Shadow, CSS 3D Transforms, CSS3 Transitions and Animations, CSS3 Gradient, SVG Filter Effects, HTML5 Forms and more. It also improves offline application support through local storage with IndexedDB and the HTML5 Application Cache, and adds Web Sockets, HTML5 History, async scripts, HTML5 File APIs, HTML5 drag-and-drop, HTML5 sandboxing, Web Workers and ES5 strict mode.

Microsoft also updated its IE Test Drive site, as of this week, to be “touch-friendly,” and added some new multi-touchable demos like Particle Acceleration, Lasso Birds, and Touch Effects.

Defcon: The security penetration testing quagmire

How corporate security flaws are handled raises lots of questions

LAS VEGAS — The relationship between CISOs and security penetration testers is anything but clear-cut and raises ethical issues for both parties, a Defcon crowd heard from a former CISO.

Whether penetration testers should come in looking for the place where they can spectacularly break into the network or instead assess it clinically and point out potential vulnerabilities is the big decision CISOs have to make, says a CISO-turned penetration tester identified only as Shrdlu.


And the choice is the CISO’s, she says, because the CISO is paying the bills. “It’s not about your satisfaction,” she told a crowd that included many penetration testers.

She says that often penetration tests are mandated by regulations, and the network must pass in order to comply. In that case, she prefers a light touch by the tester, telling her informally about technical security shortcomings but not including them in the formal report that goes to the compliance auditor. “Tell me verbally what’s wrong and don’t write it down,” she says.

For example, if the help desk prompts users that they can’t log in because they’ve gotten their username wrong, that’s a violation. But, she says, doing so saves a lot of help desk and employee time and is a good business-risk tradeoff. She doesn’t consider the practice a major breach of good practice.

“There are things I do on purpose and are not high-impact,” she says.
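The finding Shrdlu is describing is a username-enumeration oracle: a login or help-desk prompt that answers differently for an unknown username than for a wrong password, so an attacker can confirm which accounts exist before guessing a single password. As an added illustration, not code from the talk, the Python below shows the verbose form beside the uniform one. The user table, usernames and passwords are constructed for the example; the hashing parameters are assumptions, not anything the page specifies.

```python
"""Added example: a username-enumeration oracle in a login check, and its fix.

Illustrative code, not from the Defcon talk. The in-memory user table is
constructed sample data; PBKDF2 parameters are an assumption.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000          # assumed work factor; enough to make skipped hashing measurable


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_table(creds: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed directory: username -> (salt, pbkdf2 hash)."""
    return {user: (salt, _hash(pw, salt))
            for user, pw in creds.items()
            for salt in [os.urandom(16)]}


USERS = make_user_table({"alice": "correct horse", "bob": "hunter2"})

# Dummy record so an unknown username costs the same hashing work as a known one.
# A random 32-byte value can never equal a real PBKDF2 output except by chance.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)


def login_verbose(user: str, password: str) -> tuple[bool, str]:
    """Friendly to users (and to help-desk load), but the distinct message and
    the skipped password hashing both reveal whether the username exists."""
    rec = USERS.get(user)
    if rec is None:
        return False, "Unknown username"           # oracle: no hashing, different text
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome"
    return False, "Incorrect password"


def login_uniform(user: str, password: str) -> tuple[bool, str]:
    """Same message and the same amount of work on every failure path."""
    rec = USERS.get(user)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), stored) and rec is not None
    if ok:
        return True, "Welcome"
    return False, "Invalid username or password"


def enumerates_users(login) -> bool:
    """Does this login routine answer 'unknown user' differently from 'wrong password'?"""
    _, msg_unknown = login("nobody", "x")
    _, msg_wrong = login("alice", "x")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("verbose login leaks usernames:", enumerates_users(login_verbose))
    print("uniform login leaks usernames:", enumerates_users(login_uniform))
```

The message text is only half of the oracle: `login_verbose` also returns immediately for unknown users while spending a full PBKDF2 computation on known ones, so even a uniform message would leak through response time. `login_uniform` closes both channels by always hashing against some salt and only then deciding. Whether the friendlier behaviour is an acceptable trade, as Shrdlu argues, is a business call; the example just makes clear what is being traded.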

That drew protests from audience members, one of whom said it was unethical not to include security problems he finds and is possibly illegal because it is essentially lying to compliance auditors. “It sounds like avoiding regulatory scrutiny,” he said.

“That’s very fair,” Shrdlu responded. But she says most compliance regulations are vague enough that reports can be vague as well, indicating an unspecified problem without detailing it. She says penetration testers can prepare two reports, one for her use and a second for the auditor.

She says these dual reports are useful for public organizations where the reports may become public record. The vague one that doesn’t detail specific problems can be the public version and the detailed one can be called a working document and so avoid public scrutiny.

Another audience member said her approach could cause problems for penetration testers if a problem found but not mentioned is exploited. The tester would have no documentation that he’d done his job properly. Again, she fell back on the dual report, where the vague reference to the problem would provide cover for the penetration tester.

She says she is frustrated by penetration testers who have never worked in corporate security and had to shore up the problems testers find. Often the risk a finding poses to the organization is smaller than the cost of the time it would take to fix it, she says. “I’m impatient with penetration testers that have never been on the fixing side,” she says. They need to be more aware of the overall impact and the business impact of remedies. “There are things that just plain aren’t going to be fixed.”