
Last update: Thu, 21 Dec 2017 2pm


Introducing – Tools for Cinema Quality Assurance


Cinema Test Tools for the non-Technical Manager – Post Installation Quality Assurance Has Begun

Cinema Test Tools is a free resource for the cinema industry, tuned most particularly for the non-technical manager. The tools include several DCPs, each offering interesting ways for interested but lightly trained staff to test sound and picture quality. The lessons on sound and light are written to provide a foundation for communicating with the technician, who must respond quickly and well to the information that the staff discover.

The key is a free Managers Walk Through Checklist that correlates with the many DCPs. It helps build an understanding of the many nuances of the auditorium's situation in a straightforward way.

The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.
~ Confucius, Chinese philosopher & reformer (551 BC - 479 BC)

Security Alert – Firefox Users

Visit a site, find security issues and send them home to hackers.

What looks like, and acts like – and is – a legit Add-On for Firefox has been compromised to assist in the compromise of others. For more information on how the Microsoft .NET Framework Assistant does this, see: Botnet Enlists Firefox Users to Hack Web Sites — Krebs on Security

Basic Bubble Burst – Security Lessons

This week had several news features on the security pages, mostly to do with Windows (everything), Adobe (Flash/Reader/Acrobat) and Oracle (Java) patching by emergency fiat instead of by well-planned Patch Tuesdays. Good that they are catching up with the malware that plagued their software and clients with successful in-the-field attack vectors.

The point is always that the attackers only have to find one hole in your system, while you have to protect not just on a linear basis (modem, firewall, VPN, for example), or even with a flat view of walling off everything on the field of play. You must protect a sphere, and actually a series of spheres.


PDF – Friend? or Zero Day Future?

Security stories rarely make the front page around here, but the presumed safe PDF file is going to hit the news. Zero-Day~! is a headline that you don't want to participate in, and one is predicted for PDF files in the near future. We should therefore remind ourselves of the basics.

Security people use the term "Attack Vector" to describe a route that a presumed malicious person uses to somehow gain control of a computer. The cuddly pdf has been a vector in the past, then Adobe gave it a "sandbox" – which is yet another term of security art. In this case, imagine a place where the program can look at and manipulate the incoming code before allowing it to do something. For example, a pdf is allowed to reproduce graphic files within the text. The program – very quickly – allows that graphic to load up in the internal sandbox only, decides that it is not a secret dagger aiming at the CPU, and lets it pass to the graphics chip.

What has happened in the past is that black hats have used things like graphics files to hide malicious code, such as trojan horses or viruses. The idea is that the graphic is allowed, so the payload might slip through without triggering a virus checker. You'll often hear 'sandbox' mentioned in the same breath as JavaScript, because it is usually manipulation of the JavaScript code inside a pdf that is the problem.

The news is that someone has figured out a way around the sandbox. They can demonstrate it with a script that exploits Adobe Reader, and this someone is letting other black hats know that the code might be available for their use if they just pay up. The full story can be read here: Experts Warn of Zero-Day Exploit for Adobe Reader — Krebs on Security. That's right, the bad guys are holding a virtual auction to see who wants to spread the most havoc.

There are a few solutions to this. Get everyone on a Mac, since this exploit is targeted at Windows users, especially those who haven't upgraded to Reader 11. Even with Reader 11, go to Preferences in all versions of Reader and turn off Reader JavaScript. Most likely you won't notice the difference.

Next solution is: don't allow PDF files onto production equipment, at all, anymore. Period. The files, no matter who you got them from, cannot be presumed to be innocuous.

If you are creating a file that you know will be going to editors or projectionists or people who might put it onto production equipment, save it as a PDF/A file. LibreOffice, OpenOffice and Microsoft Office '07 and '10 all support exporting this variant of a pdf. A PDF/A file can't hide code because the PDF/A standard does not allow JavaScript and other active content to run inside it.
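The advice above (pdf files are not innocuous, the JavaScript inside them is the usual problem, and PDF/A is the safer hand-off format) can be turned into a simple gate-keeping check before a file is copied onto production equipment. The script below is an added example written for this page, not code from the original article or from Adobe; the list of names it treats as risky is my own choice, the sample documents are constructed inline, and a "pass" verdict only means the cheap checks found nothing, not that the file is clean. It also handles two ways a name can be hidden from a naive string search: hex-escaped names (`/Java#53cript`) and dictionaries buried inside FlateDecode-compressed object streams.

```python
import re
import zlib

# PDF name objects that mark active or externally-acting content.
# Assumption (my own list): a file headed for production gear has no
# legitimate reason to contain any of these, so their presence is enough
# to quarantine it for a human to look at.
RISKY_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# \bstream keeps us from matching the tail of the keyword "endstream".
_STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside name objects, so that the
    obfuscated spelling /Java#53cript is seen as /JavaScript."""
    def decode(match):
        return _HEX_ESCAPE.sub(
            lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME.sub(decode, data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every stream that inflates with zlib.
    PDF 1.5 object streams can hide whole dictionaries in here, invisible
    to a plain text search of the file."""
    bodies = []
    for match in _STREAM.finditer(data):
        try:
            bodies.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or not something we can read
    return bodies


def find_risky_names(data: bytes) -> set:
    """Scan the raw file and every inflated stream for names in RISKY_NAMES.
    Names are matched whole, so /JSON does not count as /JS."""
    found = set()
    for chunk in [data] + inflate_streams(data):
        for name in _NAME.findall(normalize_names(chunk)):
            if name in RISKY_NAMES:
                found.add(name)
    return found


def declares_pdfa(data: bytes) -> bool:
    """True if the XMP metadata carries a pdfaid:part claim. This is only a
    declaration by whoever wrote the file, so treat it as a hint, not proof."""
    return any(b"pdfaid:part" in chunk for chunk in [data] + inflate_streams(data))


def triage(data: bytes) -> dict:
    """Cheap pre-flight check for a pdf that is about to land on production gear."""
    hits = find_risky_names(data)
    has_header = data.startswith(b"%PDF-")
    return {
        "pdf_header": has_header,
        "risky_names": sorted(n.decode() for n in hits),
        "declares_pdfa": declares_pdfa(data),
        "verdict": "quarantine" if hits or not has_header else "pass",
    }


# --- constructed sample documents (not real files) ---
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
PDFA_CLAIM = (b"%PDF-1.4\n1 0 obj << /Type /Metadata >>\n"
              b"<pdfaid:part>1</pdfaid:part>\nendobj\n%%EOF\n")
WITH_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")
ESCAPED = b"%PDF-1.4\n1 0 obj << /S /Java#53cript /J#53 (placeholder) >> endobj\n%%EOF\n"
_inner = zlib.compress(b"3 0 obj << /S /JavaScript /JS (placeholder) >> endobj")
COMPRESSED = (b"%PDF-1.5\n1 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_inner)).encode() + b" >>\nstream\n" + _inner
              + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("pdfa-claim", PDFA_CLAIM),
                       ("javascript", WITH_JS), ("hex-escaped", ESCAPED),
                       ("compressed", COMPRESSED)]:
        print(label, triage(doc))
```

To use it on real files, read each pdf as bytes and quarantine anything whose verdict is not "pass"; a file that claims PDF/A conformance but still trips a risky name should be treated as the risky name says, since the claim is just text in the metadata.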

Stay Aware. 

Super 3D Watermarking Article

Technicolor's Security Newsletter Issue #20 has a superb article on watermarking stereoscopic 3D. It starts slow (first the dinosaurs died and they all turned into 3D pixels), but it ramps up fast and includes tiny Greek symbols for those who are inclined to such things.

But generally it fills in a lot of details that are not often discussed outside the hallowed halls:
Watermarking 3D Movies, Security Newsletter 20, Security Newsletters - Technicolor

It doesn't mention it directly, but it is another wake-up call for getting a picture meta-data protocol and/or standard in the film-to-post realm.

Ongoing Sec - More Exploited Vulnerabilities Patched


12 November – Every freakin' month (2nd Tuesday) there is a new set of Microsoft vulnerabilities, so much so that we have ignored reporting them.

But this month there is yet another set of Critical vulnerabilities that is being exploited in the field – read about it here at Krebs:

Zero-Days Rule November’s Patch Tuesday — Krebs on Security. This explains new Flash updates. [Your editor has eliminated Flash from his system…not worth the bother.]

But note: This does not cure the zero-day exploit that is capable of ruining your whole week~!~!~!


11 June – Another round for Adobe and Microsoft, explained by Krebs:

Adobe, Microsoft Patch Flash, Windows


14 May – Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

So says Krebs On Security today. Get all the info: Microsoft, Adobe Push Critical Security Updates


6 May – The zero-day exploit for IE8 is not only out in the open, it has been published for every hacker to study.


If you must use a Windows computer, please change over to Firefox immediately (if you haven't already). Then read this:

Krebs On Security – Zero-Day Exploit Published for IE8


12 Feb – The normal Tuesday repairs to the normally insecure programs –

Fat Patch Tuesday — Krebs on Security


7 February – Critical Flash Player Update Fixes 2 Zero-Days — Krebs on Security

These stories never end...not even interesting reading anymore. Just do the upgrades.

Updates are available for Windows, Mac, Linux and Android users. The latest Windows and Mac version is v. 11.5.502.149, and is available from this link. Those who prefer a direct link to the OS-specific downloads can grab them here. To find out if you have Flash installed and what version your browser may be running, check out this page.


16 Jan – Days after the critical Java fix, Krebs on Security reports that a new exploit, not patched in the version 11 release, is being sold on the black-hat black market. First, learn how to turn off Java, and do turn it off until this is patched, and even then only turn it back on if you really need it:
How to Unplug Java from the Browser — Krebs on Security

Second, read more about the sordid details here: New Java Exploit Fetches $5,000 Per Buyer — Krebs on Security

Security experts on Java: Fixing zero-day exploit could take 'two years' | ZDNet

Third: Point others to this site to learn "What Is Java" and how to use it if you absolutely must: What You Need to Know About the Java Exploit — Krebs on Security


13 Jan – Now it is Java with the critical warnings...Read Krebs for the data, but one thing I noticed is that his link for the mac update was wrong and the auto-update that the Mac Java program points to gives an error. So here is the correct link for all OSs: Download Free Java Software, which should point to the right place. Here is where I got a successful Java for Mac download:
Download Java for Mac OS X
Oracle Ships Critical Security Update for Java — Krebs on Security



8 January – Like the Australians needing new colors on their temperature maps as Ultra Hot turns to Double Extra Super Hot, Microsoft and Adobe are going to need new degrees above Critical and above Vulnerable. In this case, Microsoft should say, "Ultra Vulnerable Even After the Update", As Krebs on Security explains: "... these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. ..."

Read the entire piece since it has all the links for the Adobe Reader Flash Player plugin...and AIR and Acrobat...for both Windows and Mac OS.

Don't delay...here is the link again: Adobe, Microsoft Ship Critical Security Updates — Krebs on Security

Australia adds new colour to temperature maps as heat soars | Environment | The Guardian



Subcategories

There are a lot of experts in security out there. What they write is often dry as a bone. But there are a few sites that stay on top of events, and express themselves in ways that we mere mortals can comprehend.

Bruce Schneier -  He wrote the books, he writes the newsletters, he has the blog. Top of the list for a reason. The link is to his monthly CryptoGram...subscribe now.

Hagai Bar-el - Information Security Specialist whose websites focus on security engineering and on managing innovation processes. Good source for definitions. There is also a blog and RSS feed.

Handbook of Applied Cryptography - All chapters are free for the download. Get them off the cloud now.

We are putting millions of dollars of library materials into the hands of people trained to believe that MP3s and everything else should be free. We give them all the late hours unsupervised. What is wrong with this picture?

Security issues should always be taken seriously. Then again, so should consistent exercise and taking regular breaks from madness. Notwithstanding, here's the recent news in the field of security.

Security is mostly a superstition. It does not exist in nature.... Life is either a daring adventure or nothing.
~ Helen Keller (1880 - 1968), The Open Door (1957)