Microsoft security advisory (2718704):
http://bit.ly/McLPxg
Microsoft Security Research & Defense blog:
http://bit.ly/Lmomc6
Microsoft Security Response Center blog:
http://bit.ly/Ku7CGc
About Flame:
http://bit.ly/M9aF5c
On Sunday Microsoft released a security advisory that revokes three digital certificates issued under the Microsoft Root Certificate Authority. In separate posts (on the Security Research & Defense and Security Response Center blogs), Microsoft stated that this update mitigates the threat posed by the Flame malware. Flame is recently discovered, highly sophisticated spyware that infected computers throughout the Middle East and supposedly came from the same source as Stuxnet.
According to the CloudFlare blog, the hacker was able to compromise the password recovery and two-factor authentication systems and eventually gained access to one CloudFlare customer's account: "Google reports that they discovered a 'subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts. We've now blocked that attack vector to prevent further abuse.'" Technical details about how either Google's password recovery or its two-factor authentication was bypassed are unclear.
CloudFlare blog: http://bit.ly/K7QTCg
Google two-factor authentication: http://bit.ly/KD1cmi

Interesting article in SearchSecurity: "P2P encryption for mobile is not a technology endorsement, says PCI Council". So on the one hand, in their recent mobile payments guide for merchants, they present P2PE as the only way to secure mobile payments. On the other hand, they say "We're not endorsing specific technology here". I am not sure I understand the point they are trying to make.
Review of the PCI mobile payments guidance for merchants: http://bit.ly/JCOB4q
Article in SearchSecurity: http://bit.ly/KRCjnU

Moxie Marlinspike and Trevor Perrin have submitted a proposal to the Internet Engineering Task Force (IETF). The draft describes a new way of validating server certificates based on trust accumulated and shared by multiple clients. The proposed TLS protocol extension is called Trust Assertions for Certificate Keys (TACK). It is based on public key cryptography, but it does not use the Public Key Infrastructure (certificates and certificate authorities).
The text of the proposal: http://bit.ly/JieksQ
The article in InfoSecurity magazine: http://bit.ly/L0jWtj

It looks like OCSP Stapling is currently not the best alternative to classic CRL validation. First, the current implementation has a serious limitation: only one certificate can be validated during the initial SSL/TLS handshake. However, as part of the server certificate check, the SSL client must validate the entire certificate chain, up to the root (self-signed) certificate, and that chain may contain more than one certificate. Second, it is not widely supported yet: not all client and server implementations are OCSP Stapling ready. For instance, it is still unclear whether the Microsoft WCF hosting process (an alternative to IIS) supports it; at least, it is not officially documented.
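To make the TACK idea above concrete, here is an added example (mine, not code from the draft or from its authors) of the client-side pin store: the first time a host presents a TACK key the pin is recorded but inactive; each later sighting of the same key extends the active period by the time the key has been seen consistently, capped at 30 days; a different key is rejected only while an active pin exists. The TACK signature check over the server's TLS key is assumed to have been done already; the key identifiers and timestamps are constructed, and the 30-day cap and the "grow with consistent sightings" rule are a simplification of the draft's pin activation.

```python
import hashlib
from dataclasses import dataclass

DAY = 24 * 3600
MAX_PIN_PERIOD = 30 * DAY  # the draft caps an active pin at 30 days


@dataclass
class Pin:
    tack_key_id: str
    initial: float  # first time this TACK key was seen for the host
    end: float      # the pin is active while now < end


def tls_key_id(server_public_key: bytes) -> str:
    """A TACK signs a hash of the server's TLS public key; this stand-in
    hashes whatever bytes the caller passes as that key (constructed)."""
    return hashlib.sha256(server_public_key).hexdigest()


class PinStore:
    """Per-client store of (hostname -> Pin), a simplified TACK model."""

    def __init__(self):
        self.pins = {}

    def check(self, host, tack_key_id, tack_target, server_public_key, now):
        # 1. The TACK presented must cover the TLS key used in this handshake.
        if tack_target != tls_key_id(server_public_key):
            return "reject: TACK does not sign the presented TLS key"
        pin = self.pins.get(host)
        # 2. First sighting: remember the key, but the pin is not active yet,
        #    so a different key tomorrow would still be accepted.
        if pin is None:
            self.pins[host] = Pin(tack_key_id, now, now)
            return "accept: new inactive pin"
        # 3. Same key again: activate/extend the pin.  The active period is
        #    how long this client has consistently seen the key, capped.
        if pin.tack_key_id == tack_key_id:
            new_end = min(now + (now - pin.initial), now + MAX_PIN_PERIOD)
            pin.end = max(pin.end, new_end)
            return "accept: pin extended"
        # 4. Different key: only an *active* pin blocks it.
        if now < pin.end:
            return "reject: active pin contradicted"
        self.pins[host] = Pin(tack_key_id, now, now)
        return "accept: expired pin replaced"

    def is_active(self, host, now):
        pin = self.pins.get(host)
        return pin is not None and now < pin.end


def demo():
    """Constructed timeline: a legitimate key seen on day 0 and day 1,
    then a different key on day 1.5 (blocked) and on day 3 (pin expired)."""
    store = PinStore()
    good_key = b"constructed-tls-key-A"
    other_key = b"constructed-tls-key-B"
    r = []
    r.append(store.check("www.example.test", "tack-A", tls_key_id(good_key), good_key, 0))
    r.append(store.check("www.example.test", "tack-A", tls_key_id(good_key), good_key, 1 * DAY))
    r.append(store.check("www.example.test", "tack-B", tls_key_id(other_key), other_key, 1.5 * DAY))
    r.append(store.check("www.example.test", "tack-B", tls_key_id(other_key), other_key, 3 * DAY))
    return r


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the example makes is the trade-off the draft accepts: a client that has only ever seen a key once is not protected yet (the first connection is trusted on faith), and a pin that has lapsed no longer blocks anything, so the protection is strongest for sites a client visits regularly.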
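Two of the posts above come down to the same client-side logic: path validation must reject a chain as soon as any member (the intermediate included) lands in the untrusted store, as the Flame advisory does, and a single stapled OCSP response covers only one member of that chain. The added example below is mine, not code from the posts; certificates are modelled as plain records, and the signature is a stand-in (an HMAC keyed by the issuer's constructed signing key, looked up by issuer name in place of the issuer's public key), so it runs without any X.509 library. All names and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer signing keys.  The verifier looks the issuer's key up by
# name; in a real X.509 path that role is played by the issuer's public key.
ISSUER_KEYS = {
    "Example Root CA": b"root-signing-key-constructed",
    "Example Intermediate CA": b"intermediate-signing-key-constructed",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signature: bytes

    def tbs(self) -> bytes:
        """The signed ('to be signed') portion of the record."""
        return f"{self.subject}|{self.issuer}".encode()

    @property
    def fingerprint(self) -> str:
        """SHA-256 over the whole record; untrusted stores key on this."""
        return hashlib.sha256(self.tbs() + self.signature).hexdigest()


def issue(subject: str, issuer: str) -> Cert:
    """Stand-in for a CA signing a certificate (HMAC instead of a real signature)."""
    unsigned = Cert(subject, issuer, b"")
    sig = hmac.new(ISSUER_KEYS[issuer], unsigned.tbs(), hashlib.sha256).digest()
    return Cert(subject, issuer, sig)


def signature_ok(cert: Cert) -> bool:
    key = ISSUER_KEYS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_path(chain, trust_anchors, distrusted):
    """Walk the chain leaf-first up to the root and return (ok, reason).
    A distrusted entry anywhere in the chain fails the whole path, which is
    how pulling an intermediate also invalidates every leaf it issued."""
    for i, cert in enumerate(chain):
        if cert.fingerprint in distrusted:
            return False, f"'{cert.subject}' is in the untrusted store"
        if not signature_ok(cert):
            return False, f"bad signature on '{cert.subject}'"
        is_last = i == len(chain) - 1
        if not is_last and chain[i + 1].subject != cert.issuer:
            return False, f"'{cert.subject}' is not issued by the next cert"
        if is_last and (cert.issuer != cert.subject
                        or cert.fingerprint not in trust_anchors):
            return False, "chain does not end in a trust anchor"
    return True, "path valid"


def revocation_checks_still_needed(chain, stapled_subject):
    """Chain members (root excluded, it is the anchor) whose status the one
    stapled OCSP response does not cover and must be fetched separately."""
    return [c.subject for c in chain[:-1] if c.subject != stapled_subject]


# Constructed three-certificate chain: leaf <- intermediate <- root.
ROOT = issue("Example Root CA", "Example Root CA")
INTERMEDIATE = issue("Example Intermediate CA", "Example Root CA")
LEAF = issue("www.example.test", "Example Intermediate CA")
CHAIN = [LEAF, INTERMEDIATE, ROOT]
TRUST_ANCHORS = {ROOT.fingerprint}


def demo():
    before = validate_path(CHAIN, TRUST_ANCHORS, set())
    # The advisory's effect: the intermediate's fingerprint goes into the
    # untrusted store, and the (otherwise valid) leaf chain now fails.
    after = validate_path(CHAIN, TRUST_ANCHORS, {INTERMEDIATE.fingerprint})
    # Stapling covers the leaf only; the intermediate still needs a check.
    uncovered = revocation_checks_still_needed(CHAIN, LEAF.subject)
    return before, after, uncovered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that `validate_path` checks the untrusted store before the signature: a certificate with a perfectly good signature from a once-legitimate CA is exactly the case a distrust list exists for.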
Original post 05/10/2012: Future of the SSL certificate revocation validation
My article about using SSL in .NET Web Services applications: http://www.gomzin.com/securing-net-web-services-with-ssl.html

EMET (Enhanced Mitigation Experience Toolkit) is a free Microsoft toolkit for application memory hardening. According to Microsoft, EMET is "designed to help prevent hackers from gaining access to your system": "For users who get attacked before the latest updates have been applied or who get attacked before an update is even available in cases such as 0 day attacks, the results can be devastating: malware, loss of PII, loss of business data etc. Security mitigation technologies are designed to make it impossible or more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to leverage these technologies on their system". When installed on the target system and properly configured, it protects applications from known and zero-day malware attacks.

EMET provided mitigations:
- Structured Exception Handler Overwrite Protection (SEHOP)
- Dynamic Data Execution Prevention (DEP)
- Heapspray allocations
- Null page allocation
- Mandatory Address Space Layout Randomization (ASLR)
- Export Address Table Access Filtering (EAF)
- Bottom-up randomization

It works on any Windows version starting from XP SP3 / Server 2003 SP1. However, it is not an "out of the box" tool and requires custom configuration and testing. I am running it on my machine and so far it has not done anything wrong.
EMET info page: http://support.microsoft.com/kb/2458544
EMET download: http://www.microsoft.com/en-us/download/details.aspx?id=29851
EMET support page: http://social.technet.microsoft.com/Forums/en/emet/threads
EMET protecting against 0-day attacks on Adobe: http://www.eweek.com/c/a/Security/Microsoft-Security-Tool-Mitigates-Adobe-Zeroday-Vulnerability-140681/
Redmondmag.com review: http://redmondmag.com/articles/2012/05/15/microsoft-releases-emet-3-security-tool-for-windows.aspx

The PCI Security Standards Council has just released a "customized fact sheet": guidance for merchants on how to securely implement mobile payments. According to this document, called "Accepting Mobile Payments with a Smartphone or Tablet" (but for some reason referenced in the press release as "At a Glance: Mobile Payment Acceptance Security"), a Point-to-Point Encryption solution, validated and certified by a P2PE QSA under the recently launched PCI P2PE assessment program and listed on the PCI SSC website, "may help you in your responsibilities under PCI DSS" and "leverages a mobile device's display and communication functions to secure mobile payments". The only diagram in the document, which illustrates the architecture of a mobile payment solution, shows the P2PE solution provider accepting and processing the merchant's mobile payment transactions.
This is an interesting and hot topic. Did you know that Google stopped online validation of SSL server certificate revocations in the Chrome browser? The situation with certificate revocation validation was discussed by representatives of the major browser vendors during the recent RSA conference. OCSP Stapling looks to me like the most promising solution.

The attack vectors of the issues in the May 2012 Microsoft Security Bulletin are mostly related to user interaction. There are no direct threats to applications (either client or server) running without user intervention.

All the presentations were pretty interesting. I would especially mark two of them though:
Dual Channel Authentication: the idea is not new at all, but there was a well detailed explanation of the implementation. Presenter: Srikar Sagi from PayPal.
Public Key Cryptography in Depth: the current situation and future of asymmetric cryptography, with an interesting review of RSA and ECC. Presenter: Chuck Easttom (www.chuckeasttom.com).
BTW, the lunch wasn't bad either!