Security and the Net

News and opinions about security, the internet and more

What if every major browser had the same bug?

Any security professional will tell you that diversity is a good thing; if you use enough different products, it is highly unlikely that all of them will have the same security issue. While this is mostly correct, Amit Klein at Trusteer just released a report (PDF) about a privacy issue that affects all major browsers (Internet Explorer, Firefox, Chrome, Safari and Opera) in almost the same way.


iPhone 3GS security improvements

One of the announcements Apple made during this week’s WWDC conference was that the iPhone 3GS will include an extra security feature aimed mostly at enterprise deployments: “encryption” that will enable a remote wipe feature. The only things missing are details about what will be encrypted; this text is the only information I’ve managed to find on Apple’s website so far:

iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.


Is a physical server more secure than a virtualized one?

The answer to that question should be obvious, but it became a headline earlier today when word got out about a big hack affecting 100.000 sites. All data for these sites was removed when servers were brought down by a zero-day exploit in LXLabs’ HyperVM software.


Astalavista “hacker community” hacked.

Earlier this week, the self-proclaimed “hacker community” Astalavista (not to be confused with the other Astalavista) was itself targeted by hackers. While this site isn’t as popular as it was years ago, I’d consider this a rather high-profile target; in this case, the so-called “anti-sec group” thought so as well. They posted this message after hacking the site:

Why has Astalavista been targeted?
Other than the fact that they are not doing any of this for the “community” but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services. We wanted to see how good that “team of security and IT professionals” really is.


Flaws in ATM machines – or in malware analysis?

According to a report by Trustwave, new malware has been spotted that specifically targets ATMs. The malware can be used to perform various functions, including capturing magnetic stripe card data and PINs. Trustwave calls upon banks to inspect their ATMs for malicious software:

Given the impact this malware can have on an infected ATM environment, Trustwave highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present.


Can you use photos posted on Flickr in a news article?

Of course you can; the more important question is whether or not it’s legal. This question will be decided in Dutch courts soon; Adam Curry has filed a lawsuit against a tabloid that used a picture of him flying a small airplane while smoking what might be a joint. In the suit, he is asking for € 5000 in fees for the use of the image, even though he posted it online himself.

FBI exploring Second Life

Just when I thought the hype surrounding Second Life was over, the FBI has apparently started exploring virtual worlds. So far, their efforts have been rather modest (a couple of virtual billboards with the Most Wanted list and other information), but if this “pilot test” is successful it might be expanded.

Are adult sites safe? How misquoting can change a story

This week, I saw reports on a couple of fairly large news sites and blogs about a study that supposedly shows porn sites contain far less malware than “normal” websites. While this makes for nice headlines, I was interested in this study and spent some time looking for the actual data used to reach this conclusion.

Some suggestions for newspapers

Just about every newspaper is currently looking for a new revenue model to make money online. Most suggestions are pretty black-and-white; either work with a subscription model or make the content available for free and make money by advertising. Unfortunately, the issue is not that simple:

  • Users are not accustomed to paying for subscriptions for their news
  • Advertising alone does not generate enough revenue to produce high-quality content


XSS against Google services: scary, but fixed fast

Let’s start with the bad news: a researcher known only by his nickname “Inferno” just announced he has found a cross-site scripting vulnerability on many Google services. While XSS attacks are, unfortunately, a common thing this one is far scarier than most. Since almost all Google services use a single cookie on the domain for authentication, this attack makes it possible to do many nasty things. [Read the rest of this entry…]