This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Keep an eye out for fake Yahoo Browser Plugins!

According to Sophos, Yahoo! recently released a browser search plugin called Yahoo! Axis for Chrome, Firefox, Safari, and IE 9.

In this release, Yahoo! accidentally shipped the private key it uses to sign its packages inside the Chrome extension package. This means anyone who downloaded the package now has Yahoo!'s private signing key and could make their own copy of the plugin with malicious code inserted.

As a safeguard, if you decide to use Yahoo! Axis, make sure you download the plugin only from Yahoo!'s official download site.
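For anyone who publishes extensions, a pre-release check for this kind of mistake, as an added example (not Yahoo!'s or Sophos's code). It assumes the package is a ZIP archive and that the key is stored in PEM form; the member names and the key body in the sample are constructed placeholders.

```python
import io
import re
import zipfile

# PEM headers for private keys: PKCS#8, encrypted PKCS#8 and the legacy per-algorithm forms.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

def find_private_keys(package_bytes):
    """Return the sorted names of archive members that contain a PEM private key."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            # Match on content, not file name, so a renamed key is still caught.
            if not info.is_dir() and PEM_PRIVATE_KEY.search(zf.read(info)):
                hits.append(info.filename)
    return sorted(hits)

def build_sample(include_key):
    """Constructed sample package; file names are hypothetical, the key is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-extension", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        # A public key is fine to ship and must not trigger the check.
        zf.writestr("certs/public.pem",
                    "-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----\n")
        if include_key:
            zf.writestr("signing/key.pem",
                        "-----BEGIN PRIVATE KEY-----\n"
                        "(constructed placeholder, not key material)\n"
                        "-----END PRIVATE KEY-----\n")
    return buf.getvalue()

if __name__ == "__main__":
    for leaked in (False, True):
        found = find_private_keys(build_sample(leaked))
        print("BLOCK RELEASE" if found else "ok to publish", found)
```

Run as a release gate, a non-empty result should fail the build before the package is uploaded.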


Warning: CaffeineSecurity dotcom is not mine!

Just a warning to everyone: CaffeineSecurity.com was recently registered.

This site is NOT me.

The domain was registered by proxy, so it's hard to tell who might actually own it.

Do you test your Antivirus updates before deployment?

If your system uses Avira Antivirus, you probably won't be reading this post today.

According to ZDNet, an Avira Antivirus update today crippled millions of computer systems.

This isn't the first time an Antivirus update has crippled Windows systems.  Back in 2010 McAfee pushed out a DAT update which sent computers into endless reboot cycles.

What can you do to help protect your organization against these disasters?  It's simple...test your software updates.  Even antivirus definition updates can cause catastrophic failures across your enterprise...

And just in case something slips through the cracks...have a backup plan.  Are you prepared for a worst case scenario where every active computer system in your organization is unusable?  How do you keep your organization running?  How do you recover from something that widespread in a timely manner, and restore normal business functionality?  Keep these questions in mind, and as we always said in Boy Scouts..."Be Prepared."

Android for the Paranoid: Fake GPS

This is the first article in a series highlighting applications for security-conscious users.

Today we're going to take a look at an Android application called "Fake GPS".

First, why does "Fake GPS" qualify as a security application?

Many Android applications are "location aware", meaning the application may not only find out where you are, but also report this information to the developer and advertisers, and possibly even post this information publicly.  Another serious issue is that by default Android's camera will embed your GPS location inside your photos.  This means when you post a photo online, everyone will know exactly where you are!

The solution to this problem is "Fake GPS".  When combined with the Android feature "Mock Location", this application allows you to trick your phone into thinking you're somewhere else.


The above photo appears to have been taken in Phoenix, Arizona.


And this photo appears to have been taken in Florida.

How can you see the embedded GPS coordinates?  With an EXIF viewer.
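What an EXIF viewer does to find those coordinates, as an added example (not part of the original post): it locates the Exif block in the JPEG, follows the GPS pointer tag, and converts the degree/minute/second values to decimal. The sample image bytes are constructed here with coordinates near Phoenix; run the function on your own photos to see what they disclose before posting.

```python
import struct

def _ifd(tiff, off, e):
    """Map tag -> (type, count, raw 4-byte value field) for the IFD at off."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    rows = (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in rows}

def _degrees(tiff, entry, e):
    """Decode three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    (off,) = struct.unpack(e + "I", entry[2])
    n = struct.unpack_from(e + "6I", tiff, off)
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600

def gps_from_jpeg(data):
    """Return (lat, lon) from the Exif GPS IFD, or None if the photo has none."""
    start = data.find(b"Exif\x00\x00")
    if start < 0:
        return None
    tiff = data[start + 6:]
    e = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if 0x8825 not in ifd0:                         # 0x8825 = pointer to the GPS IFD
        return None
    gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
    if not {1, 2, 3, 4}.issubset(gps):             # lat ref, lat, lon ref, lon
        return None
    lat = _degrees(tiff, gps[2], e) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = _degrees(tiff, gps[4], e) * (-1 if gps[3][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def sample_jpeg():
    """Constructed input: a JPEG shell whose Exif block is tagged 33 26' 54" N, 112 4' 24" W."""
    rat = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, s, 100)
    tiff = b"II*\x00" + struct.pack("<I", 8)                       # header, IFD0 at 8
    tiff += struct.pack("<HHHII", 1, 0x8825, 4, 1, 26) + bytes(4)  # IFD0 -> GPS IFD at 26
    tiff += struct.pack("<H", 4)                                   # four GPS entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N")                   # GPSLatitudeRef
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                      # GPSLatitude at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W")                   # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, 104) + bytes(4)          # GPSLongitude at 104
    tiff += rat(33, 26, 5400) + rat(112, 4, 2400)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    print(gps_from_jpeg(sample_jpeg()))
```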

Here's the info for the first photo:

Fake GPS is very easy to use.  Simply use a scrollable/zoomable map and choose where you want the GPS coordinates to be set.  You can even go into the advanced options and have the GPS move in a random direction and speed.

So, if you're worried about someone tracking your every move with your cell phone, I highly recommend Fake GPS.

Hacking Your Digital Camera

Not all hacking is bad. Sometimes hacking can be used to enhance the features of a product instead of performing malicious actions.

One of my hobbies is photography.  Today I downloaded the "Canon Hack Development Kit" (CHDK) for my Canon Powershot S2 IS.

After a couple of wrong versions, I finally downloaded the correct version for my camera, and was up and running.

The way CHDK works is pretty ingenious. The CHDK software is loaded into your camera's RAM by tricking the camera into thinking it's loading a firmware update. Instead of installing a firmware update, though, CHDK is loaded into memory only temporarily, much like running an application on your computer or phone: once you turn the camera off and back on, it is no longer loaded.

The features enabled with CHDK are pretty amazing. My "point and shoot" camera now has some features which aren't available on my wife's professional camera, such as motion detection or extended time-lapse photography of up to 64 seconds (some cameras allow up to 30-minute time lapse!).

If you have a supported camera I highly encourage you to check it out.

My Letter to a Spammer

I decided to take the time to notify one of the businesses which has been spamming my blog with comments that I'm just not going to take it anymore.  Here is the letter in full.  Note that the company name is being withheld because I don't want them to get any more web traffic from my blog.


Hello,

This is to notify you that an unsolicited advertisement for your business was recently posted on my blog, Caffeine Security.

Please note that as a computer professional, I take spam seriously and it will not be tolerated.

Due to a recent increase in spam on my blog, I have implemented a new Terms of Use which I encourage you to review.  In short, any future unsolicited advertisements for your business will be subject to a $500 comment processing fee for each link posted.  Because your unsolicited advertisement was posted before this Terms of Use was in effect, any pre-existing advertisements are not subject to this processing fee.  However, all future unsolicited advertisements will be subject to this processing fee.  Third party advertising services and automated applications posting these comments on your behalf are considered your "agent", and accept these terms on your behalf.  If you do not wish to be subject to this fee in the future, I highly advise you discontinue unsolicited comment advertisements on blogs immediately.  If these advertisements are being posted by a 3rd party advertisement service, the recommended course of action is to notify this advertisement service immediately to discontinue unsolicited advertisements.

Thanks,

Ken
Caffeine Security

New Terms of Use - $500 Processing Fee for Comment Spam

Due to an increase in spam, I've had to add a Terms of Use page.

In summary, the Terms of Use for this site explicitly state that anyone posting unsolicited advertisements within comments agrees to a $500 comment processing fee for each link within the comment. Comments which are not unsolicited advertisements are exempt from this processing fee.