Security and the Net

News and opinions about security, the internet and more

The downside of automatic updates

Just days after a report co-authored by Google claimed that the automatic update feature of the Chrome browser helps improve security by silently installing patches without asking the user for approval, the downside of this approach was demonstrated.


Silent updates: improving security?

A paper comparing the update mechanisms of several different web browsers was published by Google and ETH Zurich yesterday. The full text can be found here, with a blog post accompanying it. As expected, Firefox and Chrome are updated fastest: Firefox because of the in-your-face warnings when a new version is available, and Chrome because updates are installed automatically without any user intervention at all.

Borders in Cyberspace

In a recent column at SecurityFocus, cyber intelligence expert Jeffrey Carr discusses the difficulties that researchers face when trying to determine the origin of attacks conducted over the internet. The problem is simple: there are lots of reports claiming attacks on important infrastructure that are "supposedly" coming from Chinese or Russian hackers. But because they might just as well be coming from compromised systems in China that are being controlled from a completely different country, there is no way to prove this.

Jeffrey proposes what, at first glance, seems to be a reasonable way to solve this.

Another security breach offers a look at Twitter’s admin interface

A French site posted screenshots earlier today that supposedly show Twitter's admin pages. While the fact that somebody apparently managed to gain access to one of their admin accounts is no longer really newsworthy given Twitter's recent track record, the screenshots themselves are interesting to look at.

Remote root exploit for Linux machines running SCTP applications

There appears to be a serious vulnerability in Linux kernel versions < 2.6.28-git8. This was reported as a potential denial-of-service issue in many places, but it now appears to be more serious than that.

This site over at blogspot.com posted exploit code that supposedly allows an attacker to gain root privileges on machines running SCTP applications. If you're running anything that uses the SCTP protocol, this would be a good time to upgrade. And make sure you keep up to date with future updates as well; according to several people there are more possible weaknesses in the SCTP code.

Please note that the vulnerability is in the Linux kernel, so anyone running SCTP applications is vulnerable until they have upgraded their kernel to a more recent version. Fortunately, there are not many applications using SCTP yet. For more information about the protocol see Wikipedia or the relevant RFC.

OAuth session fixation attack

Last week, Twitter temporarily stopped using OAuth authentication. The information they posted on their blog was pretty light on details, and the same goes for the security advisory that was posted later. Since then, more details and some better explanations of attack scenarios have surfaced; let's have a closer look at the security issue that was found and the potential ways it might be abused. If you have 15 minutes to spare, watch the latest episode of TheSocialWeb first.

Three signs Twitter has become mainstream

Apart from the media attention that it has been getting for the last year or two, there are some other telltale signs that Twitter is here to stay. The most important one is, of course, that hackers find it an interesting target. The worms that were released so far were merely a test; I have no doubt that there are more security issues, and that more advanced attacks are already being prepared, or maybe even in use. But there are a couple of other things that caught my attention this week.

iPhone 3.0 finally adds iCalendar subscriptions

As announced last month at the preview event, Apple has finally added support for subscribing to iCal (.ics) calendars to the iPhone OS. This is a feature I've been missing from the first day I started using the iPhone: up until now the only way to synchronize a calendar was to use a desktop app and sync with that.

The new feature allows you to access any .ics file you'd like over either HTTP or HTTPS, synchronizing it automatically over the air (both Wi-Fi and 3G) without requiring extra software such as NuevaSync. This is how to configure it if you have access to a beta of the 3.0 firmware.

Was 4chan’s creation of Twitter accounts stopped, or did they lose interest?

With the race to reach 1 million followers between Ashton Kutcher and CNN over, let’s look back at the runner-up that was on track to beat both to the finish line: @basementdad.


Paid content coming to YouTube?

During a conference call with investors about Google's Q1 earnings, CEO Eric Schmidt made some interesting comments about YouTube. To give you some background: last week, David Silversmith published estimates of how much Google is losing on YouTube, which came down to over a million dollars a day.
