Security Weekly News 13 May 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

 
A Facebook privacy flaw has led to personal information and photos of users being leaked to third parties.
According to research by Symantec, in certain cases Facebook iframe applications inadvertently leaked access tokens to third parties such as advertisers or analytic platforms. As of last month, it estimated that close to 100,000 applications were enabling this leakage, which could mean that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
 
Iconics SCADA software open to code execution attacks
The US Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems.
The vulnerability in the Genesis32 and BizViz products made by Massachusetts-based Iconics could allow attackers to remotely execute malicious code on machines that run these SCADA, or supervisory control and data acquisition, programs, the US CERT warned (PDF) on Wednesday. The programs are used to control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries.
 
This just might be the first time that a ‘virus’ has been said to go ‘viral’, in all senses of the word.
In what may be a case of Netizens making lemon juice out of virtual lemons, people have latched onto the ‘Nicole Santos’ virus that hit Facebook earlier today and turned it into an Internet meme that’s quickly growing in popularity.
 
Cybercriminals have cleverly hacked the English website of the major Russian newspaper Pravda (‘The Truth’).
The news site has been rigged with malicious scripts that target vulnerabilities in your computer, and can silently infect your system and execute code without your knowledge, Mikko Hypponen, chief research officer for the security firm F-Secure wrote.
 
Netflix fired a call center worker for stealing credit card numbers from customers of the online movie service.
The unnamed employee was fired after Netflix learned about the data theft on April 4, the company said in a letter to the office of the New Hampshire Attorney General that was published online this week.
The worker ‘accessed over approximately the past two months, without authorization, the credit card information of some Netflix customers who spoke with the individual over the telephone,’ Netflix Senior Counsel Sharon Williamson wrote.
 
A North Carolina man has been sentenced to three years in prison after admitting he planned to pocket as much as $200,000 by hacking into automatic teller machines.
Thor Alexander Morris, 20, targeted at least 35 ATMs in the Houston area that were vulnerable to attacks that let hackers administer them, according to court documents filed in the case. Once he took control, he planned to reprogram the machines to overpay him by changing the cash denominations for $20 bills to $1 bills. He pleaded guilty to the offense in January.
 
Cross-platform malware is still a rare occurrence, so when it’s detected, it usually attracts more attention than the malware engineered to affect only one particular platform.
A recent one, detected by McAfee and ‘named’ IncognitoRAT attacks both Windows and Mac OS users. So, how does it manage to do it?
 
Yesterday I wrote a blog boldly proclaiming one shouldn’t be a quiet professional. I felt it wasn’t very inspired and lacked a certain amount of substance, but the internet apparently had a different idea of its value.
 
Two veterans of Anonymous have acknowledged that members of the cyber-activist group are likely to have been behind the recent hacking attacks on Sony, in spite of the group’s official denials.
An individual or handful of supporters of Anonymous’ well-publicised operation to disrupt Sony services – dubbed OpSony – went further than the rest of the free-speech campaigners expected when they broke into the electronics company’s network and stole account details, according to one person within the group.
 
A website used to co-ordinate computer attacks on Sony and other big companies by members of Anonymous has itself come under assault in what security experts and veterans of the organisation see as evidence of a split within the hacking group.
The site, AnonOps.net, us­ually lists discussion groups for activities such as “denial-of-service” attacks, which flood targeted websites with meaningless traffic until they cannot be reached by the public.
But the site has been defaced with obscenities, and login names and internet addresses of more than 500 people alleged to have taken part in Anonymous activities have been posted on it.
 
After I posted my analysis of why the time is right for bad guys to begin attacking the Mac in earnest, I heard from two readers who had encountered in-the-wild attacks on Macs in their respective workplaces. In both cases, the results showed up via Google Image Search. (This is an increasingly common source of malware, as security researcher Brian Krebs points out in a well-timed blog post today.)
I was able to duplicate these results and encountered an identical attempt from this same campaign to convince me to install a rather nasty Trojan on a Mac
 
The term ‘Patch Tuesday’ has become widely known and is so intimately tied to Microsoft that it is no wonder that malware peddlers are using it to add an aura of legitimacy to their spammy emails:
 
Un exoperador del canal IRC de Anonymous publicó la dirección IP de más de un centenar de internautas conectados al mismo, lo que pone en riesgo y a merced de las autoridades la dirección geográfica desde la cual acceden cientos de miembros del popular grupo
 
Following last week’s release of the X Factor 2011 contestant database on BitTorrent, The Lulz Boat (LulzSec on Twitter) has today released the passwords and email addresses of dozens of FOX employees.
Other files uploaded by LulzSec today suggest that the data may have been obtained through a hidden PHP script planted on fox.com, which allowed unauthorised access to a live production database. The attackers also listed the locations and partial content of several PHP configuration files on the server.
 
NASA website hacked  [articles.timesofindia.indiatimes.com]
WASHINGTON: Software scammers offering cheap Adobe software have hacked into numerous web pages of NASA, just days before its final launch of the shuttle Endeavor, and Stanford University.

Unpatched vulnerabilities

 
Disable WebGL now, researchers warn  [www.theregister.co.uk]
The US Computer Emergency Readiness Team is advising users of the Mozilla Firefox and Google Chrome browsers to disable a recently added graphics engine that can be exploited to steal data or crash end user computers.
 
Binary Planting Through COM Servers

Software Updates

 
 
 
The Apache HTTP Server developers have released version 2.2.18 of the eponymous web server as a bug fix and security fix release. The security fix is needed because of a vulnerability to a Denial of Service (DoS) attack; the vulnerability is rated as moderate.
 
Since the start of April there has been a serious security problem in the Skype for Mac client which could allow an attacker to remotely get access to a shell. Skype released a fix in the middle of April but did not push out an update notification as it believed the problem was not being exploited.
 
Exim 4.76 RC1 uploaded  [lists.exim.org]
I regret to inform you that 4.76 is a security-fix release, again. In
this case, CVE-2011-1764: a format string attack in logging DKIM
information from an inbound mail may permit anyone who can send you
email to cause code to be executed as the Exim run-time user. No
exploit is known to exist, but we do not believe that an experienced
attacker would find the exploit hard to construct.
 
 
 
weblabyrinth  [code.google.com]
WebLabyrinth is a simple tool that creates a maze of bogus web pages to confuse web scanners. It’s main goal is to delay and occupy malicious scanners that scan websites in order for incident handlers to detected and respond to them before damage is done.
 
IIS7 Header Block Released  [security-sh3ll.blogspot.com]
Context Information Security have released a module for IIS 7 to block information leakage from HTTP headers. A standard web application penetration test recommends the removal of any version number information. Previously the IIS urlscan tool could be used to block this information, however, for IIS 7 this is no longer possible, therefore Context have released this module to block this information.
 
Exchange Log Analyzer  [archive.msdn.microsoft.com]
The ExLogAnalyzer is a framework that parses logs and triggers events based on the log entries. It can analyze (replay) logs across multiple servers and multiple log types in a single run. ExLogAnalyzer is extensible via per log type extension (which is the layer that maps the log syntax into semantics) as well as extensible via analyzers for such extensions. The goal of ExLogAnalyzer is to make it super easy for developers / customers to write their own analyzers which mine the logs to answer the question at hand. Note that the analyzers do not do any kind of parsing, but they process events raised by the extension and through the data made available to the event arguments, do the appropriate accounting. The ExLogAnalyzer was started as an internal project in Microsoft Exchange and has 3 log type extensions already implemented, but it is designed to work for any product once the appropriate extension is written. The community should be able to developer their own extensions and analyzers and share them or contribute them to the project.
 
logstash  [logstash.net]
logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs
 
We have just released a new tool called Microsoft Safety Scanner to help you diagnose if your computer is infected and clean it if possible. It is available from www.microsoft.com/security/scanner. The old online safety scanner from safety.live.com also now points to www.microsoft.com/security/scanner
So what is Microsoft Safety Scanner? It is a standalone, easy-to-use scanner, packaged with the latest signatures, updated many times a day. While it is not a replacement for a full antimalware solution with real-time protection, it offers detection and cleaning using the same set of signatures and technology utilized by both Microsoft Security Essentials and Forefront Endpoint Protection.

Business Case for Security

 
The study found significant disparities between how internally developed code is tested, when compared to code developed by third parties. First, only 44 percent of companies conduct automated code testing during development for third party code. However, 69 percent use automated code testing for internally developed software.
Second, only 35 percent of companies conduct risk, security or vulnerabilities assessments for third party code, compared to 70 percent of companies deploying these methods on their internally developed software.
‘Software security and integrity is probably the most challenging problem to solve in security today,’ says Pete Lindstrom, research director at Spire Security. ‘But the reality is that the tools used to analyze software code have a high signal to noise ratio and are not easy to use.’
 
Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack
Don’t be lulled into a false sense of security, though: A complex, six- to eight-character password may have been sufficient 10 years ago, but it’s certainly not today. Most of the Linux/Unix systems I’ve reviewed do not enable their account lockout policy. In the Windows world, the true administrator account cannot be locked out, and some software programs don’t log against the account lockout policy. Many companies are disabling the account lockout policy to prevent automated worms, such as Conficker, from locking out all the user accounts and causing an indirect DoS event.
 
Irish organisations are making progress in their approach to information security and the professionalism of people working in this area has also improved, the head of the Irish chapter of the ISSA has said.
Speaking to Siliconrepublic.com at the start of the group’s annual conference in Dublin yesterday, Owen O’Connor said: “We’re raising the bar year by year in terms of skill levels and people’s maturity levels.”
 
Emerging standards, industry initiatives could enable enterprises to collaborate on security
In the world of cybercrime, bad guys work together. They share information; they build attacks together.
Contrast this to most companies, in which event monitoring is often a set of disjointed data streams that someone in the local security department is responsible for reviewing. There is no coordination of monitoring activities between departments, platforms, or applications, let alone cross companies and countries — the way the criminals operate.
 
May 12, 2011
Microsoft released the Security Intelligence Report Volume 10, which highlights a polarization in cybercriminal behavior and a significant increase in the use of “marketing-like” approaches and deception tactics to steal money from consumers.
 
Breach Notification Guidance  [dataprotection.ie]
The Data Protection Commissioner has approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information. In the public sector, guidance from the Department of Finance on data security also advises departments and agencies to report data breaches immediately to this Office.
Notification of data security breaches to the Office of the Data Protection Commissioner allows us to advise organisations, at an early stage, how best to deal with the aftermath of a disclosure and how to ensure that there is no repetition. It also allows us to reassure members of the public that we are aware of the problem and that the organisation in question is taking the issue seriously.
 
These days anyone could be watching you, monitoring your every move, waiting to pounce and poach passwords to access your personal data.
‘There are new attacks every day, we see something like 90,000 new pieces of malicious codes coming into our labs every day — that’s one every second,’ said Graham Cluely, Senior Technology Consultant at the software security company, Sophos.
‘The main motive to all of this is to make money,’ he added. ‘They want your email passwords so they can begin to commit identity theft and raid your bank accounts.’
 
Wade Baker, director of risk intelligence for Verizon and creator, author and primary analyst for Verizon’s DBIR series, presented the analysis, findings and recommendations of the 2011 version of Verizon’s DBIR….
It (DBIR) means: “Data Breaches Investigations Report”. To resume very briefly, this document explains how sensitive data is stolen, by who and how. Today, most organizations want to have answers on the following questions: “Are we secure?” and “How to prove that we are secure?” (both must be answered with a limited resources and available date).
 
Cybersecurity still struggles between making a system usable and making it safe, according to Professor Fred Piper of Royal Holloway University of London’s Information Security Group.
Professor Piper has spent more than three decades in information security; his background is originally in cryptography and he has consulted widely on security projects. He gave the keynote address at the annual conference of the Information Systems Security Association’s Irish chapter, which started yesterday in Dublin and is running today.
 
Few topics in the infosec world create as much heat as the classic ‘vulnerability assessment vs. penetration test’ debate, and it’s no different in the web application security space. Sadly, the discussion isn’t usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms.
So, I’ll be ambitious here and will tackle both subcomponents of the debate here: 1) what the terms actually mean, and 2) which is better for organizations to pursue.
 
Your Vertical Is . . .  [blogs.forrester.com]
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance – what defines you is your data and how you handle it.
 
Technical/Physical Reality  [pinvoke.wordpress.com]
A few days ago I was outside grilling some food with my family. My son, now 2ish, hadn’t ever been outside during this process- so we obviously wanted to keep him safe from the grill. After some verbal queues, I decided to take some chalk and drew two foot(ish) circle around the area I was grilling.
Why? Physical reality

Web Technologies

 
WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:
1. A number of serious security issues have been identified with the specification and implementations of WebGL.
 
Breaking CAPTCHA can be a job ..  [www.freelancer.co.nz]
 
Here is a wonderful post from Lanmaster53. You need to make this site one of your favorites.
Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.
 
OpenID Attribute Exchange flaw  [www.net-security.org]
The OpenID Foundation has issued an alert for all sites using OpenID that don’t confirm that the information passed through Attribute Exchange – the service extension for exchanging identity information between endpoints – was signed.
Apparently, when the information is not signed, an attacker is able to modify it.
 
A couple of days ago Graham Cluley wrote about a new Twitter scam claiming to tell you how many hours you have spent on the network.
About 5 hours ago the TimeChecker2.6 application was still spreading on Twitter but at tmate.plhighlights.cu.cc the oauth_token key was missing from the redirect. This probably means that Twitter ended up suspending the rogue application
 
Well, that did not take long at all. The Chrome version of Angry Birds has only been live for a few hours and it’s already been hacked to give players access to all of the levels. Web developer Wes Bos saw the potential to make a slight change to the web cache and had a working hack in a short time
 
Microsoft said something really NEAT  [fuzzyaliens.com]
The guys and girls over at Microsoft’s Security Development Lifecycle team have been thinking about combining security and user experience engineering into their process. While this is undoubtedly a snarky thing to say, I’m going to say it:
Welcome, Microsoft, to the Fuzzy Aliens way of thinking! You’re now addressing security the way I’ve been doing since 2007!
 
Internet Explorer has an Advanced option named Do not save encrypted pages to disk. By default, this option is unchecked (except for Windows Server systems) and I recommend you leave it that way.
In IE9, this option does exactly what it says it does-resources received from HTTPS URLs are not placed in the Temporary Internet Files Cache and temporary files are not created for these resources. This option is universal for HTTPS responses; their headers (e.g. Pragma, Cache-Control) are not consulted.
While that might sound appealing to some readers, it’s important to realize that this will break any scenario where a file is needed.
 
Remember how it was possible to upload files with arbitrary names & contents cross domain? The method had one, but crucial limitation – it did not include any credentials. In other words, the POST message would be sent to server without any cookies / HTTP auth, so it would most likely be discarded by the attacked application. You could upload a file (precisely, that’s a CSRF File Upload), but, in most cases, the receiving application would drop it. Until now 🙂
 
People occasionally ask why LLVM-compiled code sometimes generates SIGTRAP signals when the optimizer is turned on. After digging in, they find that Clang generated a ‘ud2’ instruction (assuming X86 code) – the same as is generated by __builtin_trap(). There are several issues at work here, all centering around undefined behavior in C code and how LLVM handles it.
This blog post (the first in a series of three) tries to explain some of these issues so that you can better understand the tradeoffs and complexities involved, and perhaps learn a few more of the dark sides of C. It turns out that C is not a ‘high level assembler’ like many experienced C programmers (particularly folks with a low-level focus) like to think, and that C++ and Objective-C have directly inherited plenty of issues from it.
 
Google engineers are planning to move the entire Chrome browser to Native Client (NaCl), a new and more powerful sandboxing technology that is currently being developed by the company.
Google Chrome is already being revered as the most secure browser due to the sandbox that separates its rendering processes from the rest of the operating system.
In current form, the browser’s components that handle Web code parsing access Windows APIs through a tightly controlled brokering process.
 
Spot the Vuln – Notes  [software-security.sans.org]
 
 

Network security

 
Hacking the WPA Airwaves  [pauldotcom.com]
It is interesting how many people believe that their wireless is secure because they are using WPA. Well we did a test recently and were able to basically password guess our way with a dictionary attack using either a straight dictionary or a rainbow table. The cool thing is I bought an ALFA usb antenna and could sit down at the corner coffee place and still see my wireless access point.
 
Abstract: Disk encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any disk mounted by a running machinecite{princetonattack}. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art disk encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which disk encryption is primarily supposed to defend: an adversary with physical access
 
A while ago one of our researchers read about a Chinese trojan being spammed out using a unicode trick that would actually reverse some characters in the filename, thus making the file appear to not have executable extension.
We have now received some such trojans, and have investigated this issue in more detail.
The files appear in email attachments like the one below:
 
I don’t use exploits much anymore. Business process problems, logic flaws, configuration errors, social engineering and phishing, trust relationships, and really customized and complex chained vulnerabilities which have little to nothing to do with memory corruption is what I do. A lot of organizations have firewalls and patching down pretty well so traditional exploits are much less lucrative. HD and crew have added some of these things to MSF, but often these attacks are so complex and one off that they are not very ‘frameworkable’
 
Targeted/semi-targeted attacks have been utilizing exploits against Microsoft’s ‘RTF Stack Buffer Overflow Vulnerability’ (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we’ve seen which exploit CVE-2010-333 have used topical subject lines.
And this week is no different. So of course, there’s an Osama bin Laden RTF exploit circulating in the wild which uses the subject: ‘FW: Courier who led U.S. to Osama bin Laden’s hideout identified’.
 
 
Sony’s PlayStation Network was breached between April 17 and April 19 and was taken offline by Sony on April 20. At the time of this writing, the service is still not available and it might not be available until the end of May. Much speculation has ensued on what has actually happened and the information released by Sony does not always match up with what is published elsewhere in print or on the Internet. What is clear is that more than 70 million user records have been stolen.
 
One of my favorite tools in my toolbox is the Vulnerability Scanner Nessus, in part because of it’s accuracy and because I’m part of one of the teams that works adding new cool stuff to it during the day. So I was super happy to see it included as part of Backtrack. Ever since I started working professionally in security Nessus has been part of my toolkit, once nessuscmd was out it became more integral in to my workflow because I could automate stuff for my customers
 
New and Improved gloodin!  [pauldotcom.com]
 
SSH Tunnelling Example  [blog.infosanity.co.uk]
Towards the end of last year I spent a few hours trialling SSH tunnels, I knew how the process worked but hadn’t had much cause to use it in anger; so my lab got some use instead, and a post was written covering the basics; SSH port forwarding 101.
Since I now know how to quickly and successfully implement a tunnel, it turns out that I previously had plenty of cause to use tunnels in the past, I just didn’t know SSH tunnels were the right tool for the job. A couple of recent conversations has made me realise others don’t always know the flexibility of tunnels either so I wanted to try and describe a common scenario to highlight the usefulness of tunnels.

Database Security

 
Sony’s PlayStation Network was breached between April 17 and April 19 and was taken offline by Sony on April 20. At the time of this writing, the service is still not available and it might not be available until the end of May. Much speculation has ensued on what has actually happened and the information released by Sony does not always match up with what is published elsewhere in print or on the Internet. What is clear is that more than 70 million user records have been stolen.

Cloud Security

 
Risk expert warns industry has no model for calculating risk
While companies like Microsoft were touting the growth and benefits of cloud computing at the recent Cloud Connect conference here in Silicon Valley, one speaker gave what he called his “wet blanket” presentation warning of a big hole in the cloud business model.
The cloud computing industry lacks a method for calculating the risk of a cloud computing accident and a mechanism for sharing that risk, said Drew Bartkiewicz, CEO and founder of CyberFactors, a risk assessment service that rates cloud providers on risk and also helps companies determine the risk of moving their data to the cloud.
 
To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years. Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing services are different – and how the contracts for those services are different, too. Here are just three ways that typical cloud contracts may not be adequate to protect a customer’s interests in the cloud.

Mobile Security

 
Should the payment information be stored in your SIM card (where carriers have access to it) or in an NFC (Near Field Communications)? This is scary, once your credit card is stored in your phone, mobile attacks will EXPLODE. This will be the new way for attackers to get CC info. Gone will be the days of planting devices in the store. Attackers will now either attack your phone, or attack the carrier or mobile provider to get credit cards
 
Android: SSH Tunnel is free, open source, and provides one-click SSH tunneling for the entire system or individual apps. The app’s official purpose is to allow users in China to bypass what’s been called ‘the Great Firewall,’ but it can be used by anyone who’d like to ensure private browsing.

Privacy / Human rights

 
WASHINGTON – Using intermediaries and inexpensive computer disks, Osama bin Laden managed to send emails while in hiding, without leaving a digital fingerprint for U.S. eavesdroppers to find.
His system was painstaking and slow, but it worked, and it allowed him to become a prolific email writer despite not having Internet or phone lines running to his compound.
Bin Laden’s system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned
 
The Council of the European Union has released the controversial presentation on a ‘virtual Schengen border’ – the proposal to create a ‘Chinese wall’ around the Internet in Europe. The proposal was discussed by the Council in February.
The documents were released to Article 19.
The presentation, as well as the accompanying letter make fascinating reading. The key points are:
 
Police have bought software that maps suspects’ movements in space and time, in a step towards the futuristic crime detecting imagined in Minority Report. Photograph: John Anderton/AP
Britain’s largest police force is using software that can map nearly every move suspects and their associates make in the digital world, prompting an outcry from civil liberties groups.
The Metropolitan police has bought Geotime, a security programme used by the US military, which shows an individual’s movements and communications with other people on a three-dimensional graphic. It can be used to collate information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs.
 
Refuses to name warrantless wiretap partners
The FBI has finally come clean on the real reason it doesn’t want to name phone and internet service providers that participate in a sweeping surveillance program that taps international communications without a warrant: Customers would get mad and dump or sue the providers.
This rare piece of honesty came in a recently filed court declaration (PDF) from a top FBI official arguing why the agency shouldn’t have to supply the names in response to a Freedom of Information request filed by the American Civil Liberties Union.
 
A Facebook privacy flaw has led to personal information and photos of users being leaked to third parties.
According to research by Symantec, in certain cases Facebook iframe applications inadvertently leaked access tokens to third parties such as advertisers or analytic platforms. As of last month, it estimated that close to 100,000 applications were enabling this leakage, which could mean that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
 
Less than two weeks after promoting version 11 to the WebKit-based browser’s stable branch, the Google Chrome development team has released the first Chrome 12 beta, version 12.0.742.30. Previously only available in the Chrome developer channel (aka the Dev Channel), the Beta Channel release includes a number of new features, some of which are targeted at developer
 
Google and Facebook are warning legislators of dire consequences if California passes a ‘do not track’ bill. The proposed law would require companies doing online business in the Golden State to offer an ‘opt-out’ privacy mechanism for consumers.
Senate Bill 761 ‘would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce,’ says the letter in opposition to the measure. ‘The measure would negatively affect consumers who have come to expect rich content and free services through the Internet, and would make them more vulnerable to security threats.’
 
The Syrian government is trying to identify activists who use social media to coordinate protests by orchestrating nation-wide man-in-the-middle attacks.
The Electronic Frontier Foundation (EFF) has received several reports from Syrian users who spotted SSL errors when trying to access Facebook over HTTPS.
The errors were caused by a fake digital certificate served to users, which the EFF has managed to obtain.
All this is indicative of a so-called man-in-the-middle attack, where the attacker is positioned between the victim and the Internet and can alter their traffic.
 
Hace ya muchos años, en una de esas raras épocas de mi vida en la que llevaba el pelo corto, era profesor de cursos de gestión de sistemas. Daba clases de redes, de Windows, servidores web, etcétera, lo que me permitió conocer a mucha, mucha gente. Muchos de aquellos alumnos han acabado convirtiéndose en amigos, clientes e incluso compañeros de trabajo en Informática64.
 
TSA baby pat down pic  [i.imgur.com]

General

 
Stolen Camera Finder  [www.schneier.com]
Here’s a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera’s serial number.
 
Zeus Botnet manual leaked  [pastehtml.com]
 
Automated Vulnerability Disclosure with upSploit  [resources.infosecinstitute.com]
Recently there have been a number of high profile vulnerabilities and problems found in software as well as in hardware. The way they have been disclosed has varied greatly. This leads to confusion for vendors, who obviously do not want to offer services with critical vulnerabilities in them – that would just be stupid.
Some researchers release a vulnerability without allowing any time for the vendor to fix the problem, referred to as full disclosure. Someone else may allow 30 / 60 / 180 days, referred to as responsible or coordinated disclosure. When it comes to these disclosure types, each researcher has their own way of doing things and relies on their own judgment as to what is an appropriate delay. They are not bound by any laws or ethics other than their own.
 
Pico: no more passwords!  [www.lightbluetouchpaper.org]
Passwords are no longer acceptable as a security mechanism. The arrogant security people ask users that passwords be memorable, unguessable, high entropy, all different and never written down. With the proliferation of the number of passwords and the ever-increasing brute-force capabilities of modern computers, passwords of adequate strength are too complicated for human memory, especially when one must remember dozens of them. The above demands cannot all be satisfied simultaneously. Users are right to be pissed off.

Funny

 
 
Viruses in PCs vs Macs  [www.cad-comic.com]
 
Honest Logos  [designerscouch.org]
 
NEWINGTON – A police department laptop computer containing “a fair amount of records” was stolen from a marked cruiser and an on-board camera was damaged while the cruiser was left at an auto dealership for service, said Chief Jon Tretter.
The theft from and damage to the “brand new” cruiser occurred last week when it was parked overnight at Portsmouth Chevrolet where it was left for work on decorative trim, said Tretter. The police chief said he’s been advised that it’s unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord.
 
Apple logos (Spanish)  [www.seguridadapple.com]
 
 
iphone tracking  [www.cagle.com]
 
 
 
 
Obi-Wan Kenobi Is Dead, Vader Says  [www.galacticempiretimes.com]
 
New Skype Logo  [img.imgur.com]
 
 
 
Remove kaspersky  [i.imgur.com]
 
 
Marie Curie  [xkcd.com]
 
 
Chain of command  [xkcd.com]