Privacy, Security Archive

ClamAV leader leaves the project

"It is time for us to make a change. ClamAV is now mature software and we are confident that Sourcefire will successfully continue its development, move it forward and maintain the integrity of its infrastructure. Matt Watchinski, who has headed Sourcefire's Vulnerability Research Team for 10 years, will continue to lead this project. Joel Esler, the company's Open Source community manager, will also be your main point of contact and advocate."

US, Israel created Stuxnet, lost control over it

"Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named Olympic Games - even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet." And we're letting these people have unmanned drones. Seems legit.

Flame: massive malware infiltrating Iranian computers

"A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years. Dubbed 'Flame' by Kaspersky, the malicious code dwarfs Stuxnet in size." Since I'm not particularly well-versed in the subject, maybe someone can answer this question for me: if country A creates a malware infection like this to spy on and/or harm computers in country B, can it be construed as an act of war under existing international law?

Duqu trojan contains unknown programming language

"And just when you thought the whole Stuxnet/Duqu trojan saga couldn't get any crazier, a security firm who has been analyzing Duqu writes that it employs a programming language that they've never seen before." Pretty crazy, especially when you consider what some think the mystery language looks like: "The unknown c++ looks like the older IBM compilers found in OS400 SYS38 and the oldest sys36. The C++ code was used to write the tcp/ip stack for the operating system and all of the communications."

Trusting Your Hardware

When was the last time you reverse-engineered all the PCI devices on your motherboard? ... Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver.
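As an added example (not code from the quoted article, nor from Xen), the script below enumerates the IOMMU groups that Linux exposes under /sys/kernel/iommu_groups. The group, not the individual device, is the smallest unit the IOMMU can confine: every device in a group has to be handed to the same driver domain or VM, so a device that shares its group with another cannot get the per-device DMA limit the quote describes. The sysfs path is the standard Linux layout; the sample device layout is constructed for offline use, and the `root` parameter exists only so the functions can be pointed at that constructed tree.

```python
"""Enumerate Linux IOMMU groups and flag the ones the IOMMU cannot split.

Added example. Assumes the Linux sysfs layout
/sys/kernel/iommu_groups/<N>/devices/<bus:dev.fn>, the same grouping VFIO
and Xen PCI passthrough rely on. The sample tree built by make_sample_root()
is constructed data, not a real machine.
"""
import os
import tempfile
from typing import Dict, List


def iommu_groups(root: str = "/sys/kernel") -> Dict[int, List[str]]:
    """Return {group_number: [PCI addresses]} for every IOMMU group under root.

    An empty result means the kernel exposes no IOMMU groups: DMA remapping
    is not active (VT-d/AMD-Vi disabled in firmware, or the kernel booted
    without an IOMMU driver), so any PCI device can DMA anywhere.
    """
    base = os.path.join(root, "iommu_groups")
    groups: Dict[int, List[str]] = {}
    if not os.path.isdir(base):
        return groups
    for name in os.listdir(base):
        if not name.isdigit():
            continue
        dev_dir = os.path.join(base, name, "devices")
        devices = sorted(os.listdir(dev_dir)) if os.path.isdir(dev_dir) else []
        groups[int(name)] = devices
    return groups


def shared_groups(groups: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Groups holding more than one device.

    The IOMMU cannot tell these devices apart (typically a multifunction
    device or a bridge without ACS), so they must be assigned together and
    a backdoored device can still DMA into memory its group-mates' driver
    maps. Only single-device groups give per-device isolation.
    """
    return {g: devs for g, devs in groups.items() if len(devs) > 1}


def isolation_report(root: str = "/sys/kernel") -> str:
    """Human-readable summary: one line per group, SHARED groups marked."""
    groups = iommu_groups(root)
    if not groups:
        return "no IOMMU groups: DMA remapping is not active"
    lines = []
    for g in sorted(groups):
        tag = "SHARED" if len(groups[g]) > 1 else "isolated"
        lines.append(f"group {g:3d} [{tag}]: {', '.join(groups[g])}")
    return "\n".join(lines)


def make_sample_root() -> str:
    """Build a constructed sysfs-like tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="iommu-sample-")
    layout = {
        0: ["0000:00:02.0"],                  # integrated GPU, alone
        1: ["0000:00:1f.0", "0000:00:1f.2"],  # LPC bridge + SATA in one group
        7: ["0000:03:00.0"],                  # NIC, alone
    }
    for g, devs in layout.items():
        dev_dir = os.path.join(root, "iommu_groups", str(g), "devices")
        for bdf in devs:
            os.makedirs(os.path.join(dev_dir, bdf), exist_ok=True)
    return root


if __name__ == "__main__":
    print("--- constructed sample ---")
    print(isolation_report(make_sample_root()))
    print("--- this machine ---")
    print(isolation_report())
```

On a real system, run it as root or any user (sysfs is world-readable); an empty listing on a box that you believed had VT-d enabled is the first thing to check before trusting any driver-domain setup, and a NIC that lands in a SHARED group should not be assumed to be confined to its own driver's memory.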

Google, Facebook circumvent P3P standard

According to Microsoft, Google is circumventing the P3P third party cookie standard. P3P is kind of an odd standard (complex, not user-friendly, and it requires some serious computer knowledge to know what the heck it actually does and means), but hey, what the heck. Of course, Microsoft rides on the coattails of what happened over the weekend, and it's clear PR because not only has this been known for years, Google is - again - not the only one doing this; Facebook, for instance, does the same thing (and heck, Microsoft's own sites were found guilty). Still, this is not acceptable, and even if it takes Microsoft PR to get there, let's hope this forces Google and Facebook to better their ways.

Facebook, Google, others circumvent Safari privacy restrictions

Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.

‘Cancel or allow’ overload

"A hybrid solution that takes the best parts of iOS's one-by-one acceptance and Android's expressed and obvious intents seems like a proper model here. In fact, Apple has many of the pieces in place elsewhere." This is a big issue. Neither Android's model (just list a bunch of confusing permissions) nor Apple's model (individual modal dialogs for each permission) is particularly workable - I doubt regular users check them on Android before installing an application, and in the case of iOS, Apple didn't think it was necessary to secure the address book, so every application has access to it without alerting users. Justin Williams proposes a hybrid solution.

Security Flaw In Windows Phone: Signs of Things to Come?

A malicious message sent to Windows Phone's message hub can disable the handset in a manner reminiscent of the "nuking" attack from the Windows 95 days. At the point the bad message is received, the phone reboots, and worst of all, it appears that the message hub application is permanently disabled. Back when people used to only use their phones to call and text, you'd perhaps think that having your phone reboot on you would be no big deal. But these days I find myself, as often as not, composing some important missive.

CarrierIQ Rootkit Found on Android

So, this has been causing a bit of a major dungstorm - and rightly so. As it turns out, many carriers are installing a piece of non-removable privacy-invading spyware on their smartphones called CarrierIQ. It doesn't matter whether you have a webOS, Android, BlackBerry or iOS device - carriers install it on all of them. Luckily though, it would appear it really depends on your carrier - smartphones in The Netherlands, for instance, are not infested with CarrierIQ. Update: As John Gruber rightfully points out, ever so verbosely, the headline here isn't particularly well-chosen. The article makes all this clear, but the headline doesn't. It's my birthday today, so my head wasn't totally in it - my apologies! Update II: Just got a statement from an HP spokesperson: "HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices."

Facebook Settles with FTC

"The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established."

HTC Android Phones Leak Personal Data to Any App With Internet Permissions

If you are running an HTC Android smartphone with the latest updates applied, chances are your personal data is freely accessible to any app you have given network access to in the form of full Internet permissions. This vulnerability isn't a backdoor or some inherent flaw in Android; it is instead HTC failing to lock down the data sharing policies used in the Tell HTC software, which users have to allow or disallow on their phone. The problem being, not only is your data vulnerable when Tell HTC is turned on, it's just as vulnerable when it is turned off.