Articles about Security

Sophos study suggests Windows 7 UAC's default setting is self-defeating

A blog post Tuesday by Sophos senior security engineer Chester Wisniewski stated that recent Sophos tests revealed that User Account Control -- the part of Windows that prompts the user for permission before granting elevated privileges -- was ineffective in stopping common samples of malware from running, in a Windows 7-based system without virus protection.

Whereas two of the ten chosen malware samples for the test would not run in Win7 without UAC turned on at all, only one more sample (a low-prevalence worm code-named W32/Autorun-ATK) was thwarted by UAC. The other seven ran as though they were being blocked only by a stack of dominoes.

Continue reading

Indiscreet tweet trips awareness of Web SSL vulnerability

Internet security engineers who had been meeting secretly to discuss a possible extension to Transport Layer Security (TLS) to thwart a possible low-level exploit, were compelled yesterday to reveal the existence of their meetings after another security engineer unconnected to their project went public with a conceptual framework of the very type of exploit they were working to pre-emptively patch.

The problem is essentially a repeat of what developers of TLS and its parent protocol, Secure Sockets Layer (SSL), have dealt with a handful of times in the past: the potential of man-in-the-middle attacks by malicious servers that can pass themselves off as security authenticators. As the team from wireless security service provider PhoneFactor discovered last August, it was possible using both Microsoft IIS 7.0 and Apache httpd Web servers to demonstrate a situation where a false TLS server authenticates itself to a genuine Web client, then authenticates itself to a genuine TLS server, effectively setting itself up as a go-between that's privy to the complete contents of what appears to the innocent client to be a fully encrypted SSL session.

Continue reading

Is AES encryption crackable?

In the field of computer technology, some topics are so frequently and fiercely disputed that they almost resemble religious feuds -- Mac vs. PC, for instance, or open source vs. proprietary software.

Other topics, though, don't see nearly the same level of high-profile debate. Take the invulnerability of the Advanced Encryption Standard (AES) encryption, for example. Governments and businesses place a great deal of faith in the belief that AES is so secure that its security key can never be broken. However, a team of researchers from Germany, France and Israel has recently demonstrated what may be an inherent flaw in AES -- theoretically, at least.

Continue reading

Faster or more secure? Microsoft publishes IE patch to Automatic Updates

Given the choice between speed and security, Betanews readers this week have been siding with security, in a show of support that suggests that Windows Vista had the right idea after all. This morning, Windows XP, Vista, and Windows 7 users who have their Automatic Update notifications turned on manual will be making that choice, as Microsoft has published update 976749 -- released as a manual update on Monday -- to its Windows Update service, not as a "security update" or anything "critical" or even "important."

It's an "Update for Internet Explorer" whose purpose is to "resolve issues that may occur after installing the Internet Explorer cumulative security update issued as MS09-054" -- one of the major updates from the last Patch Tuesday round. The issue that update addressed is a very serious one, and Windows users who are concerned about their operating system possibly being vulnerable to a new class of attack, should apply that update and also apply the patch to that update, released this morning. Many users with Automatic Updates turned on full may wake up this morning with the update already having been applied.

Continue reading

Performance drain: The first public perception test of the Windows 7 era

The key selling point for Windows 7, as emphasized in a concerted advertising campaign that stretches across both TV and the Web, is that it's leaner, simpler, and faster. It doesn't have to complete the phrase "faster than..." because we all know how to complete that phrase. Microsoft's bet for Windows 7 is that users smart enough to complete that phrase, care.

So if some of the comments Betanews has been receiving about Internet Explorer's recent problems being a non-event, or a "YAWN," really did reflect reality, then Microsoft has already lost the bet.

Continue reading

Microsoft and Mozilla leave Web users tangled over 'variant' vulnerability

In what is now indisputably the most important vulnerability addressed during last Tuesday's record round of Windows patches, the two companies most affected by the problem -- Microsoft and, to a lesser extent, Mozilla -- could not help but be caught in a tangle of miscommunication exacerbated to a large extent by overhype from a sea of blogs. As a result, it's everyday users who are left confused and bewildered, even though no known exploit for the vulnerability exists.

The problem involves both the ".NET Framework Assistant" add-on and "Windows Presentation Manager" plug-in made by Microsoft for Mozilla Firefox, both of which are installed automatically -- and without warning -- by Microsoft's .NET Framework 3.5 Service Pack 1. One of Microsoft's patches last week, as explained in a Microsoft bulletin, addresses the functionality of 3.5 SP1 that's made available through these Firefox extensions.

Continue reading

Not that Windows is any enclave of safety: Microsoft's biggest Patch Tuesday

A lot of the presentations at security (or perhaps more appropriately, "insecurity") conferences such as Black Hat are devoted to experiments or "dares" for hackers to break through some new version of digital security. After awhile, it gets to be like watching pre-schoolers daring one another to punch through ever-taller Lego walls. But in the midst of last July's briefings came at least one scientifically researched, carefully considered, and thoughtfully presented presentation: the result of a full-scale investigation by three engineers at a consultancy called Hustle Labs, demonstrating how the presumption of trust between browsers, their add-ons, and other code components can trigger the types of software failures that can become exploitable by malicious code.

Engineers Mark Dowd, Ryan Smith, and David Dewey are being credited today with shedding light on a coding practice by developers that leaves the door open for browser crashes. The discovery of specific instances where such a practice could easily become exploitable is the focus of the most critical of Microsoft's regular second-Tuesday-of-the-month patches -- arguably the biggest of 13 bulletins addressing a record 34 fixes.

Continue reading

Swedish ISP wins appeal in biggest test to date of EU anti-piracy law

Last March, the European Commission voted to enact a continent-wide law compelling member countries to take bolder steps to enforce their own copyright infringement laws. One of the more controversial provisions of the Intellectual Property Rights Enforcement Directive (IPRED) has been to allow rights holders to petition member states' governments to act on their behalf. That provision has emboldened some rights holders and associations to act as evidence gatherers; and in Sweden, their right to do so was put to the test.

A group representing five publishers of audiobooks in Sweden were judged to be entitled to the identity of a single file-sharer. In a June decision, a district court in Solna ordered ISP ePhone to turn over the name of the file-sharer. It refused, and was forced in September to pay a fine of 750,000 kronor (about $107,400), one-tenth of which was to go to the publishers.

Continue reading

Typo blamed for country-wide Web site blackout in Sweden

If the script that updates your DNS records for a zone leaves off the trailing period for each record, the DNS server can't properly attach the top-level domain name. That little tip is probably permanently etched onto the head of an administrator somewhere at Sweden's Internet Infrastructure Foundation. Late yesterday evening, that single omitted period caused Web sites with Sweden's .se TLD to be inaccessible for at least one hour, with some perhaps remaining inaccessible until the following evening before downstream routers refresh their caches.

A security bulletin issued by the Foundation this morning advises administrators noticing difficulties with accessing .se sites to use BIND 9.2.0's rndc flush command to clear memory of cached data prior to a reload. The firm issued a new zone file shortly after the incident, although it admitted it refrained from going through the usual security steps to clear the zone file since .se sites remained inaccessible. A new, fully cleared zone file has since been issued.

Continue reading

Why is John Hodgman smiling? Data loss isn't the only Snow Leopard problem

If Snow Leopard, the latest version of the Mac operating system released late last August, were seriously plagued with bugs, writes a volunteer contributor to Apple's discussion forum, the company would be besieged with complaints. But that may very well be the problem, as evidenced by this screenshot from a Snow Leopard user who attempted to formally report his problem to Apple through his operating system, and was met with this message: "An error has occurred. Please report the error to Apple Inc. by emailing the error detail to devbugs@apple.com."

As the user reported on Apple's forum, "I'd laugh if I wasn't in an apoplectic rage."

Continue reading

Danger signs: Now how secure does the cloud look?

There are service outages, and then there are service outages. T-Mobile customers who carry the Sidekick smartphone are learning the hard way that there's a major difference between having no access to a service for a little while and losing every contact, calendar entry, and related shred of personal data they've got.

In the not too distant past, Google, Twitter, and Facebook have all experienced basic, quaintly simple service outages. Despite the headlines and general chaos associated with each incident, the bottom line impact was never all that onerous: When service returned, so did their users' data. For the most part, users were given an easy excuse to take a few hours off. And with the exception of Google's subscription services, most were free, so folks couldn't argue that they weren't getting their money's worth.

Continue reading

Yet another case for backing up your data: Snow Leopard

Apparently not only are Sidekick users losing their personal data. Now, in a separate incident, Snow Leopard (OS X 10.6) users are also finding their data fully wiped.

The bug was actually discovered within a week of Snow Leopard's launch back in August, when users found that logging out of their account, into a "guest" account, and then back into their personal account would completely erase the content from their home drive (Documents, Movies, Pictures, Music, Sites).

Continue reading

Fake entries in new e-mail/password lists point to unsophisticated phishing

If last weekend's unsolicited posting of about 10,000 supposed Hotmail addresses and passwords to a legitimate developers' Web site did not contain some addresses that were fake, the theory that a hacker may have obtained those addresses through an attack on Microsoft's servers might continue to hold water. That theory lost ground today, after more addresses from major services other than Hotmail -- including Gmail, Yahoo, AOL, Earthlink, and Comcast -- appeared without warrant on Pastebin.com, a site for developers to share debugging information.

In what could be the first publicly shared forensic report on the original Hotmail list, security researcher Bogdan Calin with server security software maker Acunetix reported that of the 10,028 entries that appeared in that list (which was apparently partial, including usernames that only began with A and B), 185 of the entries actually had blank passwords. That in and of itself could not have come from a server's own list of valid passwords, thus lending much credence to the theory that the responses came from a phishing scam.

Continue reading

Microsoft acknowledges Live ID accounts breach

Yesterday, Neowin's Tom Warren discovered a list of what appeared to be Windows Live Hotmail account credentials, posted last weekend to a location where you wouldn't expect such a list to appear: a collaborative debugging code sharing site for low-level software developers called pastebin.com. Warren reported the news to the world at the same time he reported it to Microsoft.

Still, Microsoft acknowledged the problem late yesterday, but attributed the source of the problem to "a likely phishing scheme." If such a scheme does exist, then its first victim today was poor pastebin.com, whose proprietor Paul Dixon (LordElph) was forced to take the site offline due to the sudden surge of activity.

Continue reading

Single point of failure blamed for Verizon FiOS, DSL outage

A single stalled router is being blamed by Verizon officials for a service outage that impacted customers of its high-speed Internet service, including fiberoptic FiOS, in New York and Massachusetts.

The outage occurred at approximately 3:15 pm EDT, according to a message Friday afternoon from the company's chief PR executive, Eric Rabe. He acknowledged that routers typically fail over to adjacent ones, but in this instance, this one didn't.

Continue reading

© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.