As Betanews readers have responded to our stories about Chrome's JavaScript superiority...Does that mean we'd actually use this browser? Well...
The lower-priced Eris joins the Droid, while the Chocolate gets a touchscreen and more music playback.
Fans of triple-digit surges in figures quoted by Betanews will love this one, as it appears Microsoft rediscovered how to pull off a software launch.
Myka's ION brings Boxee, XBMC, and much more to HDTVs.
The reason there's a Macintosh today is not because of some brilliant flash of engineering genius, but because Apple had the audacity to learn from its mistakes.
The Linux Foundation's Atom-centric OS yesterday received a major overhaul with the project release of Moblin 2.1 for netbooks and nettops.
There's actually a country where Apple's device is not a godsend, where sales can be measured in the dozens.
Late Thursday night, the ruling telecom administrators of the EU's member nations signed away their final authority to a new entity overseen by the EC.
Without any anti-virus installed, a Sophos test showed, User Account Control was capable of thwarting just one malware package out of the ten samples chosen.
A group of high-level security engineers had been making progress on thwarting a low-level threat to the Web, until somebody blurted it all out on Twitter.
A blog post Tuesday by Sophos senior security engineer Chester Wisniewski stated that recent Sophos tests revealed that User Account Control -- the part of Windows that prompts the user for permission before granting elevated privileges -- was ineffective in stopping common samples of malware from running, in a Windows 7-based system without virus protection.
Whereas two of the ten chosen malware samples for the test would not run in Win7 without UAC turned on at all, only one more sample (a low-prevalence worm code-named W32/Autorun-ATK) was thwarted by UAC. The other seven ran as though they were being blocked only by a stack of dominoes.
Continue reading Sophos study suggests Windows 7 UAC's default setting is self-defeating...
Internet security engineers who had been meeting secretly to discuss a possible extension to Transport Layer Security (TLS) to thwart a possible low-level exploit were compelled yesterday to reveal the existence of their meetings, after another security engineer unconnected to their project went public with a conceptual framework of the very type of exploit they were working to pre-emptively patch.
The problem is essentially a repeat of what developers of TLS and its parent protocol, Secure Sockets Layer (SSL), have dealt with a handful of times in the past: the potential of man-in-the-middle attacks by malicious servers that can pass themselves off as security authenticators. As the team from wireless security service provider PhoneFactor discovered last August, it was possible using both Microsoft IIS 7.0 and Apache httpd Web servers to demonstrate a situation where a false TLS server authenticates itself to a genuine Web client, then authenticates itself to a genuine TLS server, effectively setting itself up as a go-between that's privy to the complete contents of what appears to the innocent client to be a fully encrypted SSL session.
Continue reading Indiscreet tweet trips awareness of Web SSL vulnerability...
In the field of computer technology, some topics are so frequently and fiercely disputed that they almost resemble religious feuds -- Mac vs. PC, for instance, or open source vs. proprietary software.
Other topics, though, don't see nearly the same level of high-profile debate. Take the invulnerability of the Advanced Encryption Standard (AES) encryption, for example. Governments and businesses place a great deal of faith in the belief that AES is so secure that its security key can never be broken. However, a team of researchers from Germany, France and Israel has recently demonstrated what may be an inherent flaw in AES -- theoretically, at least.
Given the choice between speed and security, Betanews readers this week have been siding with security, in a show of support that suggests that Windows Vista had the right idea after all. This morning, Windows XP, Vista, and Windows 7 users who have their Automatic Update notifications set to manual will be making that choice, as Microsoft has published update 976749 -- released as a manual update on Monday -- to its Windows Update service, not as a "security update" or anything "critical" or even "important."
It's an "Update for Internet Explorer" whose purpose is to "resolve issues that may occur after installing the Internet Explorer cumulative security update issued as MS09-054" -- one of the major updates from the last Patch Tuesday round. The issue that update addressed is a very serious one, and Windows users who are concerned about their operating system possibly being vulnerable to a new class of attack should apply that update and also apply the patch to that update, released this morning. Many users with Automatic Updates set to fully automatic may wake up this morning with the update already applied.
Continue reading Faster or more secure? Microsoft publishes IE patch to Automatic Updates...
The key selling point for Windows 7, as emphasized in a concerted advertising campaign that stretches across both TV and the Web, is that it's leaner, simpler, and faster. It doesn't have to complete the phrase "faster than..." because we all know how to complete that phrase. Microsoft's bet for Windows 7 is that users smart enough to complete that phrase, care.
So if some of the comments Betanews has been receiving about Internet Explorer's recent problems being a non-event, or a "YAWN," really did reflect reality, then Microsoft has already lost the bet.
Continue reading Performance drain: The first public perception test of the Windows 7 era...
In what is now indisputably the most important vulnerability addressed during last Tuesday's record round of Windows patches, the two companies most affected by the problem -- Microsoft and, to a lesser extent, Mozilla -- could not help but be caught in a tangle of miscommunication exacerbated to a large extent by overhype from a sea of blogs. As a result, it's everyday users who are left confused and bewildered, even though no known exploit for the vulnerability exists.
The problem involves both the ".NET Framework Assistant" add-on and "Windows Presentation Manager" plug-in made by Microsoft for Mozilla Firefox, both of which are installed automatically -- and without warning -- by Microsoft's .NET Framework 3.5 Service Pack 1. One of Microsoft's patches last week, as explained in a Microsoft bulletin, addresses the functionality of 3.5 SP1 that's made available through these Firefox extensions.
Continue reading Microsoft and Mozilla leave Web users tangled over 'variant' vulnerability...
A lot of the presentations at security (or perhaps more appropriately, "insecurity") conferences such as Black Hat are devoted to experiments or "dares" for hackers to break through some new version of digital security. After a while, it gets to be like watching pre-schoolers daring one another to punch through ever-taller Lego walls. But in the midst of last July's briefings came at least one scientifically researched, carefully considered, and thoughtfully delivered presentation: the result of a full-scale investigation by three engineers at a consultancy called Hustle Labs, demonstrating how the presumption of trust between browsers, their add-ons, and other code components can trigger the types of software failures that can become exploitable by malicious code.
Engineers Mark Dowd, Ryan Smith, and David Dewey are being credited today with shedding light on a coding practice by developers that leaves the door open for browser crashes. The discovery of specific instances where such a practice could easily become exploitable is the focus of the most critical of Microsoft's regular second-Tuesday-of-the-month patches -- arguably the biggest of 13 bulletins addressing a record 34 fixes.
Continue reading Not that Windows is any enclave of safety: Microsoft's biggest Patch Tuesday...
Last March, the European Commission voted to enact a continent-wide law compelling member countries to take bolder steps to enforce their own copyright infringement laws. One of the more controversial provisions of the Intellectual Property Rights Enforcement Directive (IPRED) has been to allow rights holders to petition member states' governments to act on their behalf. That provision has emboldened some rights holders and associations to act as evidence gatherers; and in Sweden, their right to do so was put to the test.
A group representing five publishers of audiobooks in Sweden was judged to be entitled to the identity of a single file-sharer. In a June decision, a district court in Solna ordered ISP ePhone to turn over the name of the file-sharer. It refused, and was forced in September to pay a fine of 750,000 kronor (about $107,400), one-tenth of which was to go to the publishers.
Continue reading Swedish ISP wins appeal in biggest test to date of EU anti-piracy law...
If the script that updates your DNS records for a zone leaves off the trailing period for each record, the DNS server can't properly attach the top-level domain name. That little tip is probably permanently etched onto the head of an administrator somewhere at Sweden's Internet Infrastructure Foundation. Late yesterday evening, that single omitted period caused Web sites with Sweden's .se TLD to be inaccessible for at least one hour, with some perhaps remaining inaccessible until the following evening before downstream routers refresh their caches.
A security bulletin issued by the Foundation this morning advises administrators noticing difficulties with accessing .se sites to use BIND 9.2.0's rndc flush command to clear memory of cached data prior to a reload. The firm issued a new zone file shortly after the incident, although it admitted it refrained from going through the usual security steps to clear the zone file since .se sites remained inaccessible. A new, fully cleared zone file has since been issued.
Continue reading Typo blamed for country-wide Web site blackout in Sweden...
If Snow Leopard, the latest version of the Mac operating system released late last August, were seriously plagued with bugs, writes a volunteer contributor to Apple's discussion forum, the company would be besieged with complaints. But that may very well be the problem, as evidenced by this screenshot from a Snow Leopard user who attempted to formally report his problem to Apple through his operating system, and was met with this message: "An error has occurred. Please report the error to Apple Inc. by emailing the error detail to devbugs@apple.com."
As the user reported on Apple's forum, "I'd laugh if I wasn't in an apoplectic rage."
Continue reading Why is John Hodgman smiling? Data loss isn't the only Snow Leopard problem...
There are service outages, and then there are service outages. T-Mobile customers who carry the Sidekick smartphone are learning the hard way that there's a major difference between having no access to a service for a little while and losing every contact, calendar entry, and related shred of personal data they've got.
In the not too distant past, Google, Twitter, and Facebook have all experienced basic, quaintly simple service outages. Despite the headlines and general chaos associated with each incident, the bottom line impact was never all that onerous: When service returned, so did their users' data. For the most part, users were given an easy excuse to take a few hours off. And with the exception of Google's subscription services, most were free, so folks couldn't argue that they weren't getting their money's worth.
Continue reading Danger signs: Now how secure does the cloud look?...
Apparently not only are Sidekick users losing their personal data. Now, in a separate incident, Snow Leopard (OS X 10.6) users are also finding their data fully wiped.
The bug was actually discovered within a week of Snow Leopard's launch back in August, when users found that logging out of their account, into a "guest" account, and then back into their personal account would completely erase the content from their home drive (Documents, Movies, Pictures, Music, Sites).
Continue reading Yet another case for backing up your data: Snow Leopard...
If last weekend's unsolicited posting of about 10,000 supposed Hotmail addresses and passwords to a legitimate developers' Web site did not contain some addresses that were fake, the theory that a hacker may have obtained those addresses through an attack on Microsoft's servers might continue to hold water. That theory lost ground today, after more addresses from major services other than Hotmail -- including Gmail, Yahoo, AOL, Earthlink, and Comcast -- appeared without warrant on Pastebin.com, a site for developers to share debugging information.
In what could be the first publicly shared forensic report on the original Hotmail list, security researcher Bogdan Calin with server security software maker Acunetix reported that of the 10,028 entries that appeared in that list (which was apparently partial, including usernames that only began with A and B), 185 of the entries actually had blank passwords. That in and of itself could not have come from a server's own list of valid passwords, thus lending much credence to the theory that the responses came from a phishing scam.
Continue reading Fake entries in new e-mail/password lists point to unsophisticated phishing...
Yesterday, Neowin's Tom Warren discovered a list of what appeared to be Windows Live Hotmail account credentials, posted last weekend to a location where you wouldn't expect such a list to appear: a collaborative debugging code sharing site for low-level software developers called pastebin.com. Warren reported the news to the world at the same time he reported it to Microsoft.
Still, Microsoft acknowledged the problem late yesterday, but attributed the source of the problem to "a likely phishing scheme." If such a scheme does exist, then its first victim today was poor pastebin.com, whose proprietor Paul Dixon (LordElph) was forced to take the site offline due to the sudden surge of activity.
Continue reading Microsoft acknowledges Live ID accounts breach...
A single stalled router is being blamed by Verizon officials for a service outage that impacted customers of its high-speed Internet service, including fiberoptic FiOS, in New York and Massachusetts.
The outage occurred at approximately 3:15 pm EDT, according to a message Friday afternoon from the company's chief PR executive, Eric Rabe. He acknowledged that routers typically fail over to adjacent ones, but in this instance, this one didn't.
Continue reading Single point of failure blamed for Verizon FiOS, DSL outage...
This October has been declared National Cyber Security Awareness Month, a month in which Americans are encouraged to learn more about the "national security priority" that is the US communications infrastructure.
"Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans," President Barack Obama said yesterday. "This month, we highlight the responsibility of individuals, businesses, and governments to work together to improve their own cybersecurity and that of our Nation. We all must practice safe computing to avoid attacks. A key measure of our success will be the degree to which all Americans educate themselves about the risks they face and the actions they can take to protect themselves and our Nation's digital infrastructure."
Continue reading FBI offers advice during new National Cyber Security Awareness Month...
Perhaps the most oft-used defense by defendants charged with the proliferation of unauthorized files -- including some which actually belonged to them or were entrusted to their care -- by way of P2P file-sharing programs has been, "I didn't know." That was the defense invoked by US government employees, and even their direct reports, when classified documents turned up on LimeWire two years ago.
If P2P technology truly can and should be used for legitimate purposes, as many of its engineers and practitioners believe, then the very least it can do for users is inform them of what and where files will be shared. That's the aim of a House bill re-introduced last March by Congresswoman Mary Bono Mack (R - Calif.), the widow of entertainer and Congressman Sonny Bono. After over a year's deliberation (taking the bill's predecessors into account), Rep. Bono's bill -- the Informed P2P User Act -- passed the House Energy and Commerce Committee yesterday, and is on its way to a full House floor debate.
Continue reading P2P warning bill passes House committee, will go to the floor...
Just days prior to the expiration of the final Joint Project Agreement between the Internet Corporation for Assigned Names and Numbers and the US Dept. of Commerce, effectively letting the DOC's oversight over ICANN lapse, the CEO of ICANN, Rod Beckstrom, informed ranking Republican members of the House Judiciary Committee and its key Subcommittee on Courts and Competition, that ICANN had no intention of terminating its long-term relationship with the US Government. But Beckstrom's lack of detail in response to a direct question from Reps. Lamar Smith (R - Texas) and Howard Coble (R - N.C.) suggested that neither he nor ICANN was in a mood to extend -- or in the congressmen's words, "memorialize" -- the relationship between the private, non-profit entity in charge of the Internet's Domain Name System (DNS), and the government body that gave rise to it.
"It is important to note that the conclusion of the [Joint Project Agreement] is not a termination of ICANN's relationship with the United States Government," Beckstrom wrote the congressmen (PDF available here, courtesy Domain Name Journal), "nor is ICANN an advocate of that possibility. I am in discussion with the NTIA [division of the DOC] to establish a long-standing relationship to accommodate principles including the beliefs that ICANN should remain a non-profit corporation based in the United States, and should retain an ongoing focus on accountability and transparency."
Continue reading Opponents of ICANN plan fear expedited domain takedowns...
Initial development is nearly complete on an entirely new kind of Web browser code execution policy management system, which may yet become part of Firefox 3.7 (the point release following the next one in line), a Mozilla spokesperson informed Betanews. When implemented, browsers such as Firefox will be capable of restricting certain classes of embedded code from execution, and Web sites can advertise to browsers in advance which classes of code its pages contain.
The end result, the developers of Mozilla's Content Security Policy (CSP) hope, is that policy-enhanced browsers will be completely immune to cross-site scripting (XSS) attacks from malicious sources, by virtue of restricting themselves to either executing inline code only from trusted, certified sites, or not executing any such code at all.
Continue reading Sweeping content security enhancements tested on Firefox 3.7...
The US Dept. of Commerce will no longer have a direct oversight role over the independent corporation responsible for maintaining the Internet's domain name system (DNS) and top-level domain (TLD) registry. This announcement came from ICANN on the very day -- essentially, the last minute -- of the Commerce Dept.'s official oversight of the group.
Under the terms of an Affirmation of Commitments document released by ICANN today, the United States will maintain a seat on ICANN's Government Advisory Committee, a 109-member league of nations, not all of which actively participate. But that's it. The periodic review process for accountability that ICANN underwent since its establishment by the DOC in 1998 will now shift to what new ICANN CEO Rod Beckstrom describes as "an international committee of parties chosen by the chairman of our Governmental Advisory Committee."
Continue reading US gov't, ICANN declare joint agreement concluded, international era begins...