Privacy, Security Archive

Android App Security Risk

About 20 percent of third-party apps available through the Android marketplace allow third-party access to sensitive data, and can do things like make calls and send texts without the owners' knowledge, according to a recent security report from security firm SMobile Systems. There's no indication that any of the highlighted apps is malicious, but the report does underscore the inherent risks of a more open ecosystem as opposed to Apple's oppressive yet more controlled environment, with every app being vetted before availability.

Linux Security – a Few Useful, Tactical Tips

I've bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I haven't yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSNews, I'll leave the conceptual stuff behind and focus on specific vectors of security, within the world of reason and moderation that I've created, and show you how you can bolster a healthy strategy with some tactical polish, namely software.

Windows XP Remote Assistance Exploit Discovered

An insecurity expert has discovered a vulnerability in older versions of Windows which pesky attackers could exploit to take over control of your PC. Somewhat ironically, the vulnerability afflicts the Help and Support Center for Windows XP and Server 2003, which users may still - just about - be able to use to get online technical support.

Ironfox: Sandboxed Firefox for MacOSX

The MacOSX sandbox functionality is not talked about, and there exists almost zero documentation on the subject. As Google Chrome uses it to contain its browser, so could any other app. The goal of the ironfox project is to provide the user with a secured Firefox, but still let the user browse the web without the sandbox interfering. It does this by white-listing all the actions that Firefox may do. Should the user's browser be compromised by a vulnerability in Flash or Java, the sandbox would prevent it from leaking any data or executing binaries, preventing system compromise. To break the sandbox the attacker would likely need to have an exploit for the browser and a kernel exploit that would work within the context of the sandbox. The policy is included in the package and should give the user great insight into the workings of the sandbox. It only works in 10.6 but could be backported to 10.5 without much trouble, as both have the seatbelt/sandbox kernel module.

Facebook Finally Gets it with New, Simpler Privacy Controls

"Facebook has introduced its newly overhauled privacy controls, and most critics should be pleased this time around. The company noted during a press conference Thursday that the site today is very different from how it was when it first started in 2004, admitting that the privacy controls had grown into something of a Frankenstein monster as the company kept adding on features. Thanks to feedback from users, CEO Mark Zuckerberg said, Facebook has completely revamped its offerings and has begun slowly rolling out the change to users."

Malware Overwriting Desktop App Updaters

For the first time security researchers have spotted a type of malicious software that overwrites update functions for other applications, which could pose additional long-term risks for users. The malware, which infects Windows computers, masks itself as an updater for Adobe Systems' products and other software such as Java, wrote Nguyen Cong Cuong, an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog.

RSA 1024-bit Private Key Encryption Cracked

"Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and ecommerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. The researchers - Andrea Pellegrini, Valeria Bertacco and Todd Austin - outline their findings in a paper titled 'Fault-based attack of RSA authentication', to be presented 10 March at the Design, Automation and Test in Europe conference."

‘Severe’ OpenSSL Vulnerability Busts Public Key Crypto

Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

Chuck Norris Botnet Attacks Linux-Based Routers

Discovered by Czech researchers, the Chuck Norris botnet has been spreading by taking advantage of poorly configured routers and DSL modems. The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: 'in nome di Chuck Norris', which means 'in the name of Chuck Norris'. Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs. It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. They're behind the times, though. It should've been the Epic Beard Man Botnet. Move over, Chuck.

Researcher Cracks Trusted Platform Module Security Chip

"At the Black Hat DC Conference 2010 security researcher Christopher Tarnovsky of FlyLogic Engineering has demonstrated a way to defeat the Trusted Platform Module chips widely used to secure data in computers, identity cards, gaming systems like the Xbox 360, cable set-top boxes, and other electronics. TPM modules are widely used in enterprise, health care, government, and military applications to protect data through encryption, particularly on portable devices that might be easily lost or stolen. Although Tarnovsky's process is labor intensive and requires both specialized equipment and a significant period of physical access to the device to be cracked, his step-by-step instructions do outline how to get data out of a TPM-protected system, including encryption keys and manufacturing information that could be used to create pre-cracked counterfeit chips."

You Have Zero Privacy Anyway — Get Over It

I was reminded of Sun Microsystems' Scott McNealy's infamous sound bite (used as the title of this article) when I read about Google CEO Eric Schmidt's foot-in-mouth moment during a recent CNBC interview (YouTube Link). Here's what Schmidt said: "I think judgment matters. If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."

Security Predictions for 2010

Websense has made ten predictions about security/vulnerability trends for 2010. There's no crystal ball, so we're not talking about malicious innovation, but mostly a recognition that certain nefarious activities are gaining traction and will expand in the near future. Of particular interest to OSNews readers: exploitations of Windows 7 and IE 8 vulnerabilities, the beginning of the end of the Mac's reprieve on security issues, and increasing targeting of mobile devices (beyond Rickrolling your iPhone, presumably). Read on to learn OSNews 2010 security predictions.

Tech Titans Meet in Secret to Plug SSL Hole

"Researchers say they've uncovered a flaw in the secure sockets layer protocol that allows attackers to inject text into encrypted traffic passing between two endpoints. The vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the bug. A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to sneak password resets and other commands into communications believed to be cryptographically authenticated. Practical attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix the flaw. A draft is expected to be submitted on Thursday to the Internet Engineering Task Force."

Serious Vulnerability Found in SVN

From Smashing Magazine: "A few months ago, Anton Isaykin, in collaboration with the company 2comrades, found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous."