The Information Systems and Computer Applications examination covers material that is usually taught in an introductory college-level business information systems course.

Welcome to the Jungle


HOWTO: HTML5 Video that works (almost) everywhere


So I got this video from a friend, and I wanted to post it on my site, but I wanted to do it without using any Flash, or any plugins, and I wanted it to work on the iPhone, and Chrome, and Firefox, and IE…

Step 1: Convert the file.

First I took the file and used Miro Video Converter to make two versions of the file. The first version I made was using the “Theora” format. This is an Ogg format, and you basically only need to make it for the video to show up in Firefox. Future versions of Firefox will support the WebM format instead (Chrome supports it now), so when Firefox 4 comes out, use that format. Next, use Miro again and this time make a version using the iPhone preset. This basically creates an MP4 version of the file, but at the right resolution to have it show up on the iPhone. Annoyingly, the original file was from an iPhone, so it should have played, but it wouldn’t on mine. I suspect that the resolution difference between the iPhone 4 (used to make the photo) and the iPhone 3GS (which I have) is the problem. Regardless, I just used the preset to downscale the video resolution.

Step 2: Adjust WordPress’ settings

WordPress didn’t like me uploading these files. Turned out that it was because I’m on multisite. In the Network Admin screen, find the Network Settings menu option, go to the bottom of the page, and add the mp4 and ogv extensions to the list of allowed files. Also add webm while you’re there, for the future. Note: If you’re not on multisite but still have problems uploading the files, then add this line of code to your wp-config.php file, to turn on the unfiltered_upload capabilities for administrators:


Step 3: Check .htaccess settings

One of the things WordPress relies on to know if it’s a video or not is the MIME Type. Some servers have these properly configured, some don’t. Doesn’t hurt to help the process along by explicitly defining some of them in the .htaccess file. For good measure, I added a bunch of common ones, just to be sure:

AddType text/xml .xml
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg
AddType video/quicktime .mov
AddType video/ogg .ogv
AddType video/webm .webm
AddType audio/mp4 .m4a .m4b .m4r
AddType audio/mpeg .mp3
AddType audio/playlist .m3u
AddType audio/x-scpls .pls
AddType audio/ogg .ogg
AddType audio/wav .wav

Step 4: Upload the videos

Easy one. Go into the Media->Library and upload your two videos. After doing that, get the URLs of both of them.

Step 5: Make the post

Make a new post and type in everything you want to type in. Then make sure you’re in the HTML editing mode, and add this code to the post:

<video width="640" height="360" controls>
  <source src="" type='video/mp4'></source>
  <source src="" type='video/ogg'></source>

There’s a few things there you’ll need to manually edit. Obviously the URLs need to point to your files. Also, it’s important that the MP4 one is first, some older iPad software doesn’t like it otherwise. The second one is the width and height. Now, like with posting images, these don’t have to exactly match the actual width and height of the video. The browser will use these sizes and scale the video accordingly. However, you’ll want to get the aspect ratio correct, so you don’t stretch or squish the video into the wrong sized box. And you can leave the height and width out entirely to not scale it, if you got your sizes correct in the video itself. But it’s a good idea to have them there regardless, to clue the browser into the size beforehand and speed up page rendering. Also note that the iPhone doesn’t care about those width and height tags, since it will just show the video full screen when you tap on it. Sidenote: Do NOT switch into Visual mode. TinyMCE will muck up this code, badly, and try to add a SWF player to it and Flash and a bunch of other stuff. This is probably by design, but I wanted to do this without Flash at all and see how that worked. Turns out to work fine in the browsers I tested. Finally, preview and publish as normal.


One thing I haven’t figured out is how to target the iPhone specifically with a separate file. With this setup, Chrome and IE are now showing the iPhone file, which is lower resolution than the OGV file (which is at original resolution). In this specific case, the video was poor and so it doesn’t make much difference, but I’d prefer to have a separate file specified that only iPhones used without having to resort to user agent targeting. EDIT: Turns out you can do this with a media query on the source that targets the iPhone. So here’s my new code:

<video width="640" height="360" controls>
  <source src="" type='video/mp4' media='only screen and (max-device-width: 480px)'></source>
  <source src="" type='video/mp4'></source>
  <source src="" type='video/ogg'></source>

The media attribute lets you specify a CSS3 Media Query. The max-device-width of 480px = iPhone. So desktop browsers will use the video.mp4 while the iPhone uses the video.iphone.mp4. I’ve confirmed that this works properly with Chrome. It’s interesting to see that browsers can do this reasonably well, even if you do have to make a few different versions of the video.

Shortcode Plugin

At the suggestion of ipstenu in the comments below, I made this into a shortcode plugin. You can download it here: HTML5 Video Shortcode. This plugin has the advantage of being ignored by TinyMCE. :)

Cómo aumentar el nivel de protección antivirus de Windows Defender


Centro De Seguridad De Windows Defender

Windows Defender es un antivirus bastante bueno, es una herramienta sólida y que al venir ya integrada en Windows tiene un impacto muy bajo en el rendimiento del sistema en comparación son soluciones de terceros. No decimos que sea perfecto, pero como solución de seguridad básica, gratuita e integrada perfectamente con Windows 10, queda muy bien parada.

Con la llegada de la Creators Update Microsoft le dio un lavado de cara a su herramienta antivirus y lo ha convertido en un Centro de seguridad completo con varias opciones para protegerte de diferentes amenazas o solucionar problemas en un par de clicks.

Una de las características más importantes de Windows Defender es la protección basada en la nube, ya que esta dice proporcionar mayor protección y de forma más rápida al tener acceso a los datos más recientes. Y con la Creators Update también puedes elegir manualmente el nivel de protección basada en la nube y aumentarlo, solo que el proceso es algo más complicado que marcar una casilla en el Centro de seguridad.


Es importante que sepas algunas cosas antes de comenzar. La primera es que para poder aumentar el nivel de protección de Windows Defender necesitarás editar el registro de Windows y tendrás que unirte al programa MAPS de Microsoft.

Al unirte al programa MAPS de Microsoft aceptarás que la empresa recopile varias piezas de información sobre las amenazas detectadas en tu equipo, y en algún momento quizás se recopile tu información personal, aunque Microsoft promete que no la usará para identificarte o contactarte.

Antes de proceder a editar el registro de Windows es importante que tengas cuidado en hacerlo de forma correcta o podrías dañar tu sistema de forma permanente. Te recomendamos crear un punto de restauración al que puedas volver en caso de que algo vaya mal.

Cambiar el nivel de protección en la nube de Windows Defender

Presiona la tecla de Windows + R y escribe “regedit” (sin las comillas) y presiona Enter. Esto abrirá el Editor del Registro de Windows.Regedit

Navega hasta la siguiente ruta:Ruta

Selecciona Nuevo, luego elige Clave, nombra la nueva carpeta Spynet y presiona Enter:

Nueva Clave De Registro

Ahora haz click derecho en Spynet, elige Nuevo, luego selecciona Valor de DWORD (32 bits) y cambia el nombre a SpynetReporting. Presiona Enter. Luego haz doble click en SpynetReporting y cambia la Información del valor de 0 a 2. Presiona Aceptar.


Con esto te habrás unido al programa de Microsoft MAPS. Ahora es momento de cambiar el nivel de protección antivirus basado en la nube.

Vuelve a abrir el editor del registro, navega hasta la misma ruta:Ruta

Haz click derecho sobre la carpeta Windows Defender, selecciona Nuevo y luego haz click en Clave. Nombra la nueva carpeta como MpEngine y presiona Enter.

Nuevo Dword

Ahora haz click derecho sobre MpEngine, selecciona Nuevo y luego elige Valor de DWORD (32 bits). Cambia el nombre de la clave a MpCloudBlockLevel y presiona Enter. Haz doble click sobre MpCloudBlockLevel y cambia el número en información del valor de 0 a 2 y presiona Aceptar.Mpengine

Una vez completados estos pasos, Windows Defender usará un nivel de protección más elevado a la hora de escanear y detectar archivos sospechosos en tu ordenador. Esperemos que estas opciones aparezcan tarde o temprano directamente en el Centro de seguridad para no tener que recurrir a editar el registro si queremos disfrutar de ellas.

Gerrymandering game shows you hot it works

Flowing Data

Gerrymandering is the practice of manipulating boundaries in such a way that favors a political party. If you slice and group in various ways, you can end up with different election results.

How many different ways can you draw boundaries though? And can results really change that much, depending on you draw the boundaries? District, by Christopher Walker, is a puzzle game that shows you how it works. The goal: Group circles in such a way that favors your color.

Give it a go.

Tags: game, gerrymandering, government

Keylogger Found in Audio Driver of HP Laptops, Says Report

 An anonymous reader writes: The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today. According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version and earlier. This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe). This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file “monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys.”

Read more of this story at Slashdot.

Byte Podcast 549 – Reporte de Seguridad 2017 de ESET


Esta semana, en Byte Podcast, las noticias incluyen el resumen del Reporte de Seguridad 2017 de ESET y una actualización sobre lo que pasa en Estados Unidos sobre la neutralidad de la red.
Les doy mi recomendación particular de lo que ustedes le pueden regalar a sus madres este 10 de mayo.
Ya están en línea los ganadores de los Webby Awards, y la ceremonia de premiación se acerca.
Hablamos de Software Libre y el apoyo que IBM da a las comunidades, a partir de una reunión en la Ciudad de México con usuarios de Postgresql.

My API preferred for the Myuzik share


SoundWire Audio Communication System

How To Delete Your Data From Google’s ‘My Activity’

Last summer Google revealed personalized data dashboards for every Google account, letting users edit (or delete) items from their search history as well as their viewing history on YouTube. Now Slashdot reader Lauren Weinstein writes: Since posting “The Google Page That Google Haters Don’t Want You to Know About” last week, I’ve received a bunch of messages from readers asking for help using Google’s “My Activity” page to control, inspect, and/or delete their data on Google. The My Activity portal is quite comprehensive and can be used in many different ways, but to get you started I’ll briefly outline how to use My Activity to delete activity data. CNET points out you can also access the slightly-creepier “Google Maps location history” by clicking the menu icon in the upper left corner and selecting “Other Google activity.” But Weinstein writes, “I have no problems with Google collecting the kinds of data that provide their advanced services, so long as I can choose when that data is collected, and I can inspect and delete it on demand. The portal provides those abilities and a lot more.”

Read more of this story at Slashdot.

Hardening Windows 10 with zero-day exploit mitigations

 Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. While delivering innovative solutions like Windows Defender Application Guard, which provides a safe virtualized layer for the Microsoft Edge browser, and Windows Defender Advanced Threat Protection, a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his blog post, we take our commitment to security innovation very seriously.

A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be—how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.

In this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.


CVE Microsoft Update Exploit Type Mitigation in Anniversary Update
CVE-2016-7255 MS16-135 (Nov, 2016) Win32k Elevation of Privilege Exploit Strong  validation of tagWND structure
CVE-2016-7256 MS16-132 (Nov, 2016) Open Type Font Exploit Isolated Font Parsing (AppContainer)
Stronger validation in font parsing


CVE-2016-7255 exploit: Win32k elevation of privilege

In October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in the previously mentioned blog post, involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.

The attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in win32k.sys (CVE-2016-7255) to gain elevated privileges.

Abusing the tagWND.strName kernel structure

In this section, we’ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.

Figure 1. Exploit and shellcode phases of this attack


Modern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting tagWND.strName kernel structure.  This exploit method is a trend discussed in security conferences and visible to those who investigated actual attacks. For example, we detailed similar findings in a presentation about the Duqu 2.0 exploit at Virus Bulletin 2015.

By reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. The exploit, after the initial Win32k vulnerability, corrupts tagWND.strName structure and uses SetWindowTextW to write arbitrary content anywhere in kernel memory.

Figure 2. SetWindowTextW as a write primitive


The exploit abuses this API call to overwrite data of current processes and copy token privileges of the SYSTEM. If successful, the exploit enables the victim process—iexplore.exe, in this example—to execute with elevated privileges.

Figure 3. Internet Explorer with SYSTEM privileges


Mitigating tagWND exploits with stronger validation

To mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of tagWND.strName. This mitigation performs additional checks for the base and length fields, making sure that they are in  the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.

Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive


With the upcoming Windows 10 Creators Update, Windows Defender ATPintroduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.

CVE-2016-7256 exploit: Open type font elevation of privilege

As early as June 2016, unidentified actors began to use an implant detected as “Henkray” in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.

The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.

Figure 5. Auto-generation of font file with exploit


This secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.

Function table corruption for initial code execution

The font exploit uses fa_Callbacks to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted ftell pointer to a nt!qsort+0x39 location in kernel code.

Figure 6. fa_Callbacks table corruption


The following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.

Figure 7. fa_Callbacks.ftell function call code


When the corrupted function is called, the control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts stack pointer and initializes some register values from stack values.

Figure 8. First ROP gadget


After the first gadget, the stack points to a kernel ROP chain which calls to ExAllocatePoolWithTag call to reserve shellcode memory. Another ROP gadget will copy the first 8 bytes of the stage 1 shellcode to the allocated memory.

Figure 9. Copying the stage 1 shellcode


Shellcode and privilege escalation

The stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run them with a JMP RAX control transfer.

Figure 10. Stage 1 shellcode


The main shellcode runs after the copy instructions. The main shellcode—also a small piece of code—performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.

Figure 11. Token replacement technique


Mitigating font exploits with AppContainer

When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.

Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update


Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.

Figure 13. Windows 10 font viewer error


Conclusion: Fighting the good fight with exploit mitigation and layered detection

While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.

In this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.

By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.

In addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.

For effective post-breach detection, including cover for the multiple stages of attacks described in this blog post, sign up for Window Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information here.

Microsoft would like to thank KrCERT for their collaboration in protecting customers and for providing the sample for CVE-2016-7256.


Matt Oh and Elia Florio, Windows Defender ATP Research Team



Jan 18, 2017 – Corrected the spelling of Henkray backdoor.