Privacy, Security Archive

Duqu trojan contains unknown programming language

"And just when you thought the whole Stuxnet/Duqu trojan saga couldn't get any crazier, a security firm who has been analyzing Duqu writes that it employs a programming language that they've never seen before." Pretty crazy, especially when you consider what some think the mystery language looks like: "The unknown C++ looks like the older IBM compilers found in OS400 SYS38 and the oldest sys36. The C++ code was used to write the tcp/ip stack for the operating system and all of the communications."

Trusting Your Hardware

When was the last time you reverse-engineered all the PCI devices on your motherboard? ... Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver.

Google, Facebook circumvent P3P standard

According to Microsoft, Google is circumventing the P3P third party cookie standard. P3P is kind of an odd standard (complex, not user-friendly, and it requires some serious computer knowledge to know what the heck it actually does and means), but hey, what the heck. Of course, Microsoft rides on the coattails of what happened over the weekend, and it's clear PR because not only has this been known for years, Google is - again - not the only one doing this; Facebook, for instance, does the same thing (and heck, Microsoft's own sites were found guilty). Still, this is not acceptable, and even if it takes Microsoft PR to get there, let's hope this forces Google and Facebook to better their ways.

Facebook, Google, others circumvent Safari privacy restrictions

Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.

‘Cancel or allow’ overload

"A hybrid solution that takes the best parts of iOS's one-by-one acceptance and Android's expressed and obvious intents seems like a proper model here. In fact, Apple has many of the pieces in place elsewhere." This is a big issue. Neither Android's model (just list a bunch of confusing permissions) nor Apple's model (individual modal dialogs for each permission) is particularly workable - I doubt regular users check them on Android before installing an application, and in the case of iOS, Apple didn't think it was necessary to secure the address book, so every application has access to it without alerting users. Justin Williams proposes a hybrid solution.

Security Flaw In Windows Phone: Signs of Things to Come?

A malicious message sent to Windows Phone's message hub can disable the handset in a manner reminiscent of the "nuking" attack from the Windows 95 days. At the point the bad message is received, the phone reboots, and worst of all, it appears that the message hub application is permanently disabled. Back when people used to only use their phones to call and text, you'd perhaps think that having your phone reboot on you would be no big deal. But these days I find myself as often as not composing some important missive.

CarrierIQ Rootkit Found on Android

So, this has been causing a bit of a major dungstorm - and rightly so. As it turns out, many carriers are installing a piece of non-removable privacy-invading spyware on their smartphones called CarrierIQ. It doesn't matter whether you have a webOS, Android, BlackBerry or iOS device - carriers install it on all of them. Luckily though, it would appear it really depends on your carrier - smartphones in The Netherlands, for instance, are not infested with CarrierIQ. Update: As John Gruber rightfully points out, ever so verbosely, the headline here isn't particularly well-chosen. The article makes all this clear, but the headline doesn't. It's my birthday today, so my head wasn't totally in it - my apologies! Update II: Just got a statement from an HP spokesperson: "HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices."

Facebook Settles with FTC

"The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established."

HTC Android Phones Leak Personal Data to Any App With Internet Permissions

If you are running an HTC Android smartphone with the latest updates applied, chances are your personal data is freely accessible to any app you have given network access to in the form of full Internet permissions. This vulnerability isn't a backdoor or some inherent flaw in Android; it is instead HTC failing to lock down the data sharing policies used in the Tell HTC software, which users have to allow or disallow on their phone. The problem being, not only is your data vulnerable when Tell HTC is turned on, it's just as vulnerable when it is turned off.

MySQL.com Hacked to Serve Malware

Well, this is embarrassing. MySQL.com has been hacked (fixed by now), and was turned into a platform serving malware to unsuspecting visitors. The criminals did this by injecting a script which redirected visitors to a website which uses the BlackHole exploit pack, which probes the browser used and serves up an appropriate exploit. Computer security blogger Brian Krebs saw root access to MySQL.com being offered for $3000 only a few days ago.

DigiNotar Files for Bankruptcy

After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, VASCO announced that DigiNotar filed a voluntary bankruptcy petition and was declared bankrupt today. This is unsurprising, since a report issued by security audit firm Fox-IT, which has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe.

Comodo Hacker: I Hacked DigiNotar Too; Other CAs Breached

"The hack of Dutch certificate authority DigiNotar already bore many similarities to the break-in earlier this year that occurred at a reseller for CA Comodo. Bogus certificates were issued for webmail systems, which were in turn used to intercept Web traffic in Iran. Another similarity has since emerged: the perpetrator of the earlier attacks is claiming responsibility for the DigiNotar break-in. Calling himself ComodoHacker, the hacker claims that DigiNotar is not the only certificate authority he has broken into. He says that he has broken into GlobalSign, and a further four more CAs that he won't name. He also claimed that at one time he had access to StartCom."