Windows 7's ability to selectively elevate privileges is under scrutiny
In Microsoft's ongoing effort to alleviate users' discomfort with Windows Vista's security nags, the company may be re-introducing a potential powder keg of new problems, as researchers continue to discover.
In his continuing investigation of the UAC bypasses being tested for Windows 7, developer Rafael Rivera points out another potentially serious problem: As developer Leo Davidson noted in a recent blog post, some binaries in Windows 7 are given the ability to present XML-based manifests of themselves that give themselves a privilege called autoelevate.
FinCEN gets so-so security report card from GAO
The Treasury Department bureau responsible for watching for money laundering isn't watching its security closely enough, according to GAO auditors. Worse, much of FinCEN's problems lie with the notoriously security-poor IRS.
FinCEN needs to step up its documentation efforts and its implementation of security control, according to a report from the US Government Accountability Office.
Sony's new 'mofiria' aims for more accurate biometric ID
Sony today unveiled a new finger vein authentication technology called "mofiria." In comparison to other biometric authentication techniques, vein authentication is more accurate and harder to forge, Sony contended in a statement, explaining that finger veins are different in each person and each finger, and that veins don't change over the years.
The new "mofiria" technology uses a CMOS sensor to "diagonally capture scattered light inside the finger veins, making a plane layout possible." After the vein pattern is extracted from the captured image of the finger vein, data from the pattern is compressed, enabling storage of the biometric identifier on a mobile device or gateway security system, for example. Sony is looking to commercialize the new biometric technology within the 2009 fiscal year.
Who picks the badware? Dispute erupts after Google glitch
For about 40 minutes early Saturday morning, a URL with a single forward slash was inadvertently checked into a list of potential malware sites operated by Google, with some help...maybe...from StopBadware.org.
As a result, its search results partner, Google, was flagging nearly every Web site on the planet as a potential conveyor of malware, from about 6:40 am to 7:25 am PST.
Fannie Mae dodges a contractor's logic bomb
A disgruntled contractor at Fannie Mae, fired for coding incompetence, attempted to stash a logic bomb on the mortgage giant's servers. Fortunately, it was incompetently implemented, and the 35-year-old accused man is in custody.
Rajendrasinh Babubha Makwana, an Indian national, was employed by a subcontractor for OmniTech as a Unix engineer at Fannie Mae's Urbana, Maryland facility, according to an affidavit sworn by the FBI agent investigating the case. On October 24 at about 1:30 pm, Makwana was fired by Fannie Mae for inadvertently writing a script that switched up permissions on the company's Unix servers. He told his supervisors at OmniTech and turned in his badge and laptop to Fannie Mae around 4:45 pm that day.
The oldest trick in the book, literally, defeats UAC in Windows 7
Though the fellows sounding the warning today are the best in the business, it didn't take a lot of know-how to develop a proof-of-concept that the new User Access Control panel can be disabled by VBScript.
Windows 7 is still in the public beta process, and will be for some months to come. The purpose of true beta testing is to isolate and identify serious problems (we should know). So it's to any researcher's credit that a potentially threatening problem be brought into the open prior to Microsoft finalizing the code for everyday use.
Digital road sign hacked to read, 'Zombies Ahead'
[Photo credit: i-hacked.com]
PCs get compromised sometimes, and mobile phones, too. But now, in Texas, transportation officials are confirming an exploit against a different type of "device." Instead of proclaiming something like, "Road Closure," a digital sign in Austin was temporarily changed last week to say, "Zombies Ahead."
Senator wants stimulus bill to include Internet predator tracking
It isn't the same measure as US Rep. Peter King's controversial camera phone bill, but Sen. Barbara Mikulski has now proposed other legislation also aimed at using technology to help thwart sexual predators. Specifically, Mikulski has added $50 million to the Economic Stimulus bill for "Internet Crimes Against Children (ICAC) initiatives.
The senator's plan calls for using federal investigators to "follow the trail of child pornography traffic back through the Internet to rescue children." Meanwhile, Grier Weeks, executive director of the National Association to Protect Children (NAPC) -- a group that supports the proposal -- is referring to child rescue as an "economic stimulus" activity. "Law enforcement jobs are as important as bridge builders' jobs," he said in a statement today.
Malicious users steal data on 4.5M British job-seekers
With the theft of confidential resume information from the UK's version of Monster.com, Great Britain has now undergone its biggest data theft in history, according to The Times of London.
The data on job seekers stolen by hackers from Monster.co.uk included names, passwords, phone numbers, birth dates, and ethnicity, for example, the Web site admitted earlier this week. Registrations on the job site have soared with the rising layoffs of the economic downturn. In an earlier large data breach in the UK, the British government lost the details on 25 million child-benefit recipients in 2007.
Mac Trojan hits pirated copies of Adobe Photoshop
Although Apple's Macintosh environment has long been touted by its fans as "more secure" than Windows, a Trojan enabling remote control of Mac machines struck a second time this week.
Earlier found only in illegal copies of Apple's iWork Suite, the Trojan has now turned up in pirated copies of Adobe Photoshop for Mac OS X. Actually, the Trojan doesn't even exploit any OS vulnerability. Instead, it disguises itself as part of the installer package for the application, so it is installed along with the application. Once installed, the malware launches a back door program, thereby allowing an attacker to remotely conduct misdeeds such as copying data.
AT&T and Comcast are surprise participants in RIAA anti-piracy plan
Ironically enough, ISPs Comcast and AT&T are reportedly supporting the RIAA's new three-strikes plan, a quietly emerging measure to thwart music pirating among US residents by disconnecting pirates from their ISPs.
Like music industry groups in Britain, France, and elsewhere, the US-based RIAA is now starting to abandon its previous policy of suing suspected pirates in favor of severing these users from the Internet.
ICANN group ponders fixes to fast-flux abuse
"Fast flux" is a technique used by highly respectable service providers and content networks to handle serious traffic loads. It has also become a favored tool of scammers and spammers.
ICANN this week released a report detailing its initial efforts to save this technique from being commandeered by the bad guys.
Pirates get to keep their ISP accounts...in the UK, anyway
It looks as though the UK won't cut off music pirates from the Internet after all, even though the global music industry is now promoting this form of punishment over fines and prison.
UK Culture Secretary Andy Burnham stated last year that the government had "serious legislative intent" to force ISPs to sever the Internet connections of music pirates. But in a recent interview with The Times of London, Intellectual Property Minister David Lammy said the UK government has now decided not to forge laws that would disconnect pirates.
Wired.com discovers Google Docs flaw, but that's not the only one
A writer at Wired.com this week pointed to a document editing issue in Google Apps, and that's just the latest in a list of security holes -- of varying severity -- uncovered by users of Google's suite.
Other users have complained, for example, about Google document ownership getting assigned to the wrong people, an inability to delete images of Google documents, and the lack of SSL encryption for docs published in the Standard Edition.
On the anti-piracy beat with Cryptography Research
Psst! Hey buddy! Wanna buy a Snoy TV, an Appel Mic, or a bottle of Vaigra? Probably not -- not only are counterfeit products inferior, they can be downright hazardous. Paul Kocher wants to help ensure you never do.
Kocher, known well to security geeks as one of the architects of the SSL 3.0 protocol (and one of the theorists behind differential power analysis as a crypto-cracking strategy), is working these days to quash piracy and counterfeiting. He was at CES with Cryptography Research Inc. earlier this month to talk about tech that integrates anti-counterfeiting technology into systems such as computers, televisions, and set-top boxes.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.