Security and the Net

News and opinions about security, the internet and more

Entries for the ‘Security’ Category

Flaws in ATM machines – or in malware analysis?

According to a report by Trustwave, new malware has been spotted that specifically attacks ATMs. The malware can be used to perform various functions, including copying magnetic cards and PINs. Trustwave calls upon banks to inspect their ATMs for malicious software: Given the impact this malware can have on an infected ATM […]


XSS against Google services: scary, but fixed fast

Let’s start with the bad news: a researcher known only by his nickname “Inferno” just announced he has found a cross-site scripting vulnerability on many Google services. While XSS attacks are, unfortunately, a common thing this one is far scarier than most. Since almost all Google services use a single cookie on the google.com domain […]


The downside of automatic updates

Just days after a report co-authored by Google claimed that the automatic update feature of the Chrome browser helps improve security by silently installing patches without asking for approval from the user, the managed to demonstrate the downside of this approach.


Silent updates: improving security?

A paper comparing the update mechanisms of several web browsers was published by Google and ETH Zurich yesterday. The full text can be found here, with a blog post accompanying it. As expected, Firefox and Chrome are updated fastest: Firefox because of the in-your-face warnings when a new version is available, and Chrome because updates […]


Borders in Cyberspace

In a recent column at SecurityFocus, cyber intelligence expert Jeffrey Carr discusses the difficulties that researchers face when trying to determine the origin of attacks conducted over the internet. The problem is simple: there are lots of reports claiming attacks on important infrastructure that are “supposedly” coming from Chinese or Russian hackers. But because they […]


Remote root exploit for Linux machines running SCTP applications

There appears to be a serious vulnerability in Linux kernel versions < 2.6.28-git8. This was reported as a potential denial-of-service issue in many places, but it now appears to be more serious than that. This site over at blogspot.com posted exploit code that supposedly allows an attacker to gain root privileges on machines running SCTP […]


OAuth session fixation attack

Last week, Twitter temporarily stopped using OAuth authentication. The information they posted on their blog was pretty light on details, and the same goes for the security advisory that was posted later. Since then, more details and some better explanations of attack scenarios have surfaced; let’s have a closer look at the security issue […]


Black Hat Europe update: Trust issues?

The “Kaminsky 2.0” at Black Hat today turned out to be the talk from Daniel Mende and Enno Rey, dealing with vulnerabilities in the BGP and MPLS protocols. From what I can tell, there was no real news; most of the information they presented has been available for a while. The fact that BGP has […]


“Kaminsky 2.0” at Black Hat Europe tomorrow?

I’ve heard several reports, including one from a large Dutch news site, mentioning that a new security issue will be revealed at Black Hat Europe tomorrow. It is said to have the same impact as the DNS bug found by Dan Kaminsky last year. No further details have been provided, but since the full speaker […]


Amazon: technical glitch, censorship gone wrong, or was it a hacker?

This weekend, lots of writers saw their books disappear from Amazon’s bestseller lists. Somehow, the sales ranking for their books was removed. Since this ranking is an important way for potential buyers to select the contents of their shopping cart, this prompted several angry responses by authors.
