How secure is Opera Unite?
The notion of converting conceivably every computer on the planet into a server is certainly not new. But almost everywhere the notion has been attempted, it's been exploited. Microsoft's ActiveX experiment in the mid-1990s was a notorious example of collective inattention to the entire topic of exploitability, though it's not the only one. Since then, millions have willingly made their Web clients into P2P servers in the interest of file-sharing -- authorized or not -- while some of them unknowingly exposed their file systems to the whole planet, exposing sensitive government documents in the process.
History tells us to be skeptical when any software purports to enable ordinary computers, especially Web browsers, to act as servers. This morning, Opera Software unveiled its Unite server networking protocols, which consist of extensions to the existing widget system for its Opera Web browser. The objective there is to enable any Opera user to be a server in her own right, potentially serving up blogs, tweets, and files. Opera's own bank of servers -- which are already put to use providing pre-rendered pages for its "Turbo" feature -- serves as an intermediate proxy for all communications between Unite-enabled browsers.
At long last, Apple patches its Java vulnerability
After nearly a year, Apple has chosen to issue patches for a notorious security flaw in Java long since addressed by other operating systems. The move follows the release late last month of a zero-day release by a security researcher frustrated by the lag in Apple's response to the problem, not to mention a blitz of highly negative press coverage (here and elsewhere) for a company that has historically claimed its products to be more than ordinarily secure.
Both Java 1.4.2_18 and Java 1.5.0_16 have been known to contain multiple vulnerabilities for quite some time. Those vulnerabilities could if exploited allow an attacked to gain elevated privileges on a system, from which s/he could execute other attacks, scoop up sensitive information, or undertake any of the usual sorts of mayhem. The problem was especially dangerous because it was "purely Java" in nature. That is, an exploit could be written in Java and executed on any platform running it -- Windows, Mac, whatever.
The DMCA is endangering American security
I've had the the government's 60-day Cyberspace Policy Review sitting on my desk for many days now, dutifully highlighted and marked up with notes about how this bit could turn out interesting and that section looks a lot like what we've previous heard from DC about cybersecurity and that passage over there appears to have been lifted from the questionable financial-loss statistics one hears from the RIAA and BSA and MPAA and such. And I see one gigantic self-inflicted wound that I fear the current administration will ignore like the last two have -- ignored it since 1998, in fact.
The cybersecurity review says we need to improve academic and industry collaboration on cybersecurity and other technology issues. It also states we should "expand university curricula; and set the conditions to create a competent workforce for the digital age."
New York to get cash from Symantec and Mcafee
Yesterday, the New York Attorney General's office announced a settlement effectively closing the investigation of McAfee's and Symantec's automatic antivirus subscription renewal practices. Several New Yorkers complained that they had purchased the software online, only to later have their subscription automatically renewed without their knowledge or consent.
In the settlement, McAfee and Symantec have to pay a combined $750,000 to the state of New York, and improve the visibility of their subscription terms and renewal policies so customers won't be caught unawares by recurring charges on their credit cards. This will involve notifying customers both before and after renewal of the subscription and offering a 60 day grace period for refunds.
T-Mobile: No, we did not say our security was breached
After an amended statement to the press yesterday regarding an apparent security incident, which appeared to confirm that an unauthorized entity had taken possession of its valuable customer information, T-Mobile now says in a statement to Betanews this afternoon that not only does the entity not possess customer information, but that no breach of security took place at all.
"Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised," the T-Mobile spokesperson told Betanews. "Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers' information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible."
Colossal Patch Tuesday addresses 31 Windows, IE8 vulnerabilities
Just when it appeared Windows and its associated services were looking more stable month after month, Microsoft chose June to tackle a plethora of vulnerabilities including no fewer than 14 that its security engineers believe could be exploitable within the next 30 days.
Microsoft Security Response Center engineers Adrian Stone and Jerry Bryant were audibly panting as they delivered the news to Microsoft customers today. One critical remote code execution vulnerability that's being treated very seriously affects a much older version of the server product, Windows 2000 Server with Service Pack 4 serving as domain controllers, and running Lightweight Directory Access Protocol. "While it's ranked as a '1,' which means we expect it to be easily exploitable over the next 30 days after [the patch] is released," explained Security Program Manager Lead Adrian Stone, "...it was privately disclosed to us. A security researcher worked with MSRC responsibly to make sure that we did address the vulnerability and release it without any knowledge of the vulnerability to date. It's not being actively exploited, nor is there any data publicly available at this time that talks about [it] in in-depth, technical detail."
Could a T-Mobile data breach be traced to creaky machines?
Last Saturday, a group of hackers cited by Insecure.org claimed having pilfered "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," belonging to T-Mobile. If claims of a data breach are proven true, investigators should look to some of the machines brought into the company as part of previous deals with third-party providers to modernize the network.
They should also ask what part of "upgrade" the company doesn't understand.
FTC shuts down bad-actor ISP
Remember last autumn, when the McColo takedown made the spam go away and brought sweet, sweet (relative) peace to all our inboxes for a while? It's not likely that the closure of Pricewert will have that sort of direct effect on most of our lives, but a district court judge's ruling to have the plug pulled on the ISP will certainly improve the Internet in other ways.
The ruling was made at the request of the FTC, which has a long history of history with Pricewert. The ISP is believed to have engaged in a variety of offenses -- botnets, yes, but also malware distribution, fake pharma sites, investment scams, and some of the very worst kinds of pornography. (Yeah, they had that. Yeah, they had that too.) Takedown requests made to the ISP -- operating under a variety of names, including 3FN, Triple Fiber Network, APX Telecom, APS Telecom, and APS Communication -- have been either ignored or dodged by shifting the content to another bank of IP addresses under Pricewert's control.
StrongWebmail apparently hacked after issuing $10K challenge
Who among us doesn't love a good hack? After putting forth a $10,000 come-and-get-us challenge, it's possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz's Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.
The contest even gave hackers a head start, providing the target e-mail address (Support@StrongWebmailCorp.com) and that account's password. The idea was to point out StrongWebmail's unique value proposition -- voice verification through a pre-registered mobile number. The idea is that one's account setup includes a phone number at which the system can reach you. When you attempt to login to check mail, the system phones you with a three-digit number, which acts as a final verification before you hop into the inbox. The authentication is provided by Beverly Hills-based Telesign, which offers similar services to various Web sites.
Why suing auditors won't solve the data breach epidemic
The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends.
Nor, in a disturbing number of situations, is it on the list of ways to Influence People. Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.) When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit.
Trend Micro's Housecall 7.0 opens in beta
Trend Micro today opened the public beta of Housecall 7.0, the latest iteration of the security company's Web-based malware scanner.
The Housecall 7.0 beta offers a different UI from the current stable version (6.6), and does no longer requires a Java or ActiveX plugin, but instead uses a standalone client that taps into the Trend Micro Smart Protection Network, the company's cloud-based reputability and threat database which the company debuted one year ago.
McAfee warns of the risks, dangers, and threats posed by online song lyrics
Anne Hathaway was cute as a button with that guitar on NBC's Late Night last night, explaining to Jimmy Fallon how she was teaching herself to play by watching YouTube videos and searching for chords online. But kind friends need to warn her that one wrong step in her searches could lead to serious trouble. That's according to a recent report from security researchers at McAfee, who say that searches for some types of song information are most likely to lead to a nasty computer infection.
"The World's Most Dangerous Search Terms," released last week, says that searches on song lyrics returned, on average, one site in twenty that could (if visited) infect the guest's machine with some species of malware. In some cases, a page of search results might have an many as 25% of its results plagued with infection. That "maximum risk" number was the highest for any category the survey covered.
Apple's vulnerability patch count: 10 QuickTime, 1 iTunes, 0 Java
Is Cupertino straining at gnats while much larger objects float in the punchbowl? Security professionals might wonder, as Apple on Monday released a 7.6.2 update to QuickTime that patches ten security holes in that player. The notorious Java hole reported last year and exploited at pwn2own in February remained untouched.
Many of the patches address -- what else? -- buffering issues. A problem brought to Apple's attention by a researcher working with TippingPoint's Zero Day Initiative, in which a heap buffer overflow could be triggered by a maliciously crafted FLC file, has been addressed. Compressed PSD files could also be used to trigger a buffer overflow; that's been taken care of. (Another score for the Zero Day Initiative, by the way, which gets full or partial credit for six vulnerabilities addressed this time around.) Heap buffer overflow issues with MS ADPCM-encoded movie files, CRGN (Clipping Region) atom types in movie files, and JP2 files also met their makers.
Microsoft reports high-risk vulnerability in DirectX
Pre-Vista versions of Windows are vulnerable to a hole in Microsoft DirectX that's currently under limited attack, the company has announced. The vulnerability in quartz.dll could allow an attacker to strike through QuickTime playback plug-ins for any browser using the affected platform.
The problem, according to the security advisory, lies in the QuickTime Movie Parser Filter that DirectShow uses to process files in that format, specifically in the quartz.dll file. It's available for exploitation even if the system doesn't have QuickTime installed. For the moment, there's no patch, but a post on Microsoft's Security Research & Defense blog details the currently recommended workarounds.
Small-town thinking leads to a healthcare privacy smashup
I swear I don't mean for Lockdown to turn into the "What The Hell Are They Thinking?" weekly security rant, but as that legendary site used to say, a fish, a barrel, and a smoking gun. This week, we travel to Yakima, Washington, which on further reflection may turn out to have been our first mistake.
Yakima isn't Seattle, or even Tacoma -- it's about two hours away from either of those cities, and in either case its 81,214 residents live on the other side of a rather large mountain range that separates lovely Western Washington from the flatlands of the central area. The point is that while they're not entirely in the sticks out there, the local options for medical care in Yakima are a bit more limited than those to which you might be accustomed. Keep that in mind, if you would. There will be a quiz.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.