Category Archives: In the News

Security issues should always be taken seriously. Then again, so should consistent exercise and taking regular breaks from madness. Notwithstanding, here's the recent news in the field of security.

Ongoing Sec – More Exploited Vulnerabilities Patched


12 November – Every freakin’ month (2nd Tuesday) there is a new set of Microsoft vulnerabilities, so much so that we have ignored reporting them.

But this month there is yet another set of Critical vulnerabilities that is being exploited in the field – read about it here at Krebs:

Zero-Days Rule November’s Patch Tuesday — Krebs on Security. This explains new Flash updates. [Your editor has eliminated Flash from his system…not worth the bother.]

But note: This does not cure the zero-day exploit that is capable of ruining your whole week!

11 June – Another round for Adobe and Microsoft, explained by Krebs:

Adobe, Microsoft Patch Flash, Windows

14 May – Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

So says Krebs On Security today. Get all the info: Microsoft, Adobe Push Critical Security Updates

6 May – Zero Day Exploit is not only in the open for IE8, but it is published for all hackers to study from.

If you must use a Windows computer, please change over to Firefox immediately (if you haven’t already). Then read this:

Krebs On Security – Zero-Day Exploit Published for IE8

12 Feb – The normal Tuesday repairs to the normally insecure programs –

Fat Patch Tuesday — Krebs on Security

7 February – Critical Flash Player Update Fixes 2 Zero-Days — Krebs on Security

These stories never end…not even interesting reading anymore. Just do the upgrades.

Updates are available for Windows, Mac, Linux and Android users. The latest Windows and Mac version is v. 11.5.502.149, and is available from this link. Those who prefer a direct link to the OS-specific downloads can grab them here. To find out if you have Flash installed and what version your browser may be running, check out this page.

16 Jan – Days after the critical Java fix, Krebs On Security announces that a new exploit, not patched in the version 11 release, is being sold on the black-hat black market. First, learn how to turn off Java, and do so until this is patched; even then, only turn it back on if you need it.
How to Unplug Java from the Browser — Krebs on Security

Second, read more about the sordid details here: New Java Exploit Fetches $5,000 Per Buyer — Krebs on Security

Security experts on Java: Fixing zero-day exploit could take ‘two years’ | ZDNet

Third: Point others to this site to learn “What Is Java” and how to use it if you absolutely must: What You Need to Know About the Java Exploit — Krebs on Security

13 Jan – Now it is Java with the critical warnings…Read Krebs for the data, but one thing I noticed is that his link for the Mac update was wrong and the auto-update that the Mac Java program points to gives an error. So here is the correct link for all OSs: Download Free Java Software, which should point to the right place. Here is where I got a successful Java for Mac download:
Oracle Ships Critical Security Update for Java — Krebs on Security
Download Java for Mac OS X

8 January – Like the Australians needing new colors on their temperature maps as Ultra Hot turns to Double Extra Super Hot, Microsoft and Adobe are going to need new degrees above Critical and above Vulnerable. In this case, Microsoft should say, “Ultra Vulnerable Even After the Update”, as Krebs on Security explains: “… these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. …”

Read the entire piece since it has all the links for the Adobe Reader Flash Player plugin…and AIR and Acrobat…for both Windows and Mac OS.

Don’t delay…here is the link again: Adobe, Microsoft Ship Critical Security Updates — Krebs on Security

Australia adds new colour to temperature maps as heat soars | Environment | The Guardian


[Update] Security Lesson – Sony PlayStation Breach

Weeks later, Sony still in trouble: Read Sony yet to fully secure its networks: expert | Reuters

For the past week, rumors about a potential breach of all customer information in the vast online PlayStation world have turned from ‘maybe’ to the worst possible situation. Read the Krebs On Security report for details:

Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network — Krebs on Security

While not directly associated with digital cinema, it shows the extent that hackers are able to cleverly exploit nuances of sophisticated code that even the largest corporations attempt to keep secure. One of the basic rules of encryption is that anyone can create a secure system that they themselves can’t breach.

One of the strengths of Open Source software is that a world community is able to research code to find and fix problems. This is the path that DCI and SMPTE tried to follow, using international standards such as AES and ___ for the packaging, transport and playout, to protect the intellectual property that we are all given to play to our customers.

It appears that the transition from PlayStation 2 to PlayStation 3 allowed some glitches into the code. These were apparently discovered when hackers worked to allow PlayStation 2 users to enter the online system that had cut them off. Code in the PlayStation 3 developers kit provided the tools. Where Sony didn’t use enough outside help to give oversight by “White Hat Hackers”, “Black Hat Hackers” filled the gap. Now, only as an afterthought post-catastrophe, outside help is being asked to help secure a newly designed system.

This is relevant to the DCinema world as we transfer from Series I to Series II projectors, from external to internal media blocks (IMBs to the cognoscenti), and maintain InterOp format delivery while transferring to SMPTE compliant formats and equipment.

The lesson is: Learn more. Pay Attention. The other basic rule of security is Constant Vigilance, which requires a trained staff from top to bottom. That includes corporate executives, local management, chief techs, chief projectionist and each person in the stream who touches a security key.

Good luck to us all. The studio personnel are not the top of this chain. The artists, the producers, the writers and their lawyers are the top of the chain who are trusting us to keep their materials secure. As a professional in the industry, don’t let your name be on the list of defendants in a lawsuit for breach of duty.

Beware the Firesheep

Firesheep: Making Web-connection hijacking easy

One of the joys of living in the Internet age is the increasing ubiquity of Wi-Fi hotspots. More and more businesses – particularly those where consumers congregate – are offering Wi-Fi access. It’s often free, as well as being free of any password requirements or encryption.

While that’s convenient, it’s also dangerous. Security experts have long warned that connecting to a non-encrypted hotspot leaves you vulnerable to attack. It’s a warning that most Wi-Fi users gleefully ignore, as they sign in to check their Facebook walls, scan e-mail messages or browse their Twitter streams.


Remote wiping technology Hard Disks

Toshiba has announced the launch of its wipe technology for self-encrypting hard disk drives. As a tool for DCinema, this isn’t immediately interesting, but it adds a potential tool for future security.

According to Toshiba, Wipe for Toshiba Self-Encrypting Drive allows sensitive user data to be securely erased when a system is powered-down, or when a SED hard disk drive is removed from the system. The feature can also be used to securely erase user data prior to returning a leased system, system disposal or re-purposing.


Know How Androids Crack

There was news about older versions of the iPhone OS being maliciously cracked. Now, news of the Android in a worse situation.

Protecting Users Against This Kind of Attack—This attack takes advantage of the poor way that the Android GUI displays permissions requests and takes advantage of the fact that Google does not attempt to vet apps before they appear on the Android Market (and allows them to be distributed elsewhere as well). The best way to mitigate against it is to educate users of the importance of examining and understanding all permissions requests that an app presents, and warning them that some permission requests may not be visible without scrolling down the list, before deciding whether to install the app or not. In particular, users should probably be advised not to install any application that asks for permission to change APN settings.


!!! Browser Auto-Complete–All Vulnerable

This article takes a while to say that all browsers, except possibly Internet Explorer 8, are vulnerable to a simple attack that will cough up any data you have in your auto-complete file. That is, names, passwords, credit data (who keeps credit card data in auto-complete? Have you checked your auto-complete file recently?).

Read the article: Auto-complete: browsers disclose private data – Update

Comments on the original proof-of-concept site say some Mac OSX systems are giving up the data, yet some are not, even with Auto-Complete turned on.

Advice: Turn off Auto-Complete in all browsers until this is solved…regardless of what a pain in the ass this is. Oh, and don’t go to those hacker sites.

Security: Connect the Dots–Ongoing

The twin stars around which digital cinema revolves are quality and security. The first allows some leniency; for example, 3D cinema movie quality is only close to the specification required of 2D movies. But security is meant to be multi-layered and well beyond ‘good enough’. From lens to lens, the expectation is that each player will do their part to contribute to a secure whole.

Fortunately, such security is part of a general industry effort that constantly looks for and responds to problems. Unfortunately, there is a lot of nuance that requires a professional eye to spot trends. In a field full of artists on very tight schedules and increasingly tight budgets, the art of security can take a lower priority if the ramifications are not known.


More SSL Flaws Found by MS

Users of Internet Information Services (IIS) < 6.0 in default mode are not affected by the potential man-in-the-middle attack…kinda…must use workarounds…Microsoft advises not to use their workarounds though. In fairness to MS, this is old SSL exploit news that they are acknowledging affects all their current OSs.

Read the ars technica report…and read a newspaper instead of using wifi at the coffeeshop, or at your clients…or on the train.

Microsoft warns of TLS/SSL flaw in Windows

By Emil Protalinski | Last updated February 9, 2010 4:12 PM

Microsoft has issued Security Advisory (977377) to address a publicly disclosed vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The TLS and SSL protocols are implemented in several Microsoft products, both client and server. Currently Microsoft has concluded that it affects all supported versions of Windows: Windows 2000 SP4, Windows XP (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), and Windows Server 2008 R2. Microsoft says it will update the advisory as the investigation progresses.