
Vulnerabilities & attacks

Latest problem import? Infected digital photo frames

In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.

"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."

The culprit … Read more

Fake celeb LinkedIn profiles lead to malware

A security researcher has discovered fake profiles for celebrities on LinkedIn that have links to malicious code, according to a blog posting on Trend Micro's site.

The celebrity profiles that are not to be trusted include ones created using the names: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek, and Kate Hudson. They were uncovered by Trend Micro Advanced Threats Researcher Ivan Macalintal.

In its blog posting late on Monday, Trend Micro said it was continuing its investigation. The links on the professional networking site attempt to lure viewers by purporting to be nude shots of the … Read more

Hackers hit MacRumors keynote coverage

Some nasty pranksters, likely associated with Web forum 4Chan, have hacked into Apple gossip mainstay MacRumors' live-blog coverage of Tuesday's Macworld keynote. Hosted on a separate domain, MacRumorsLive.com, the site was plagued by offensive messages about Apple CEO Steve Jobs' health and general inanity (e.g. "SEX ME") before finally succumbing to "technical difficulties."

It remains uncertain whether the pranksters actually brought down the site, or whether MacRumors voluntarily took it down to keep things under control.

It's pretty clear, however, that this was the work of 4Chan, which has gained both respect … Read more

Alarm systems at risk: UL establishes a higher security requirement for magnetic switches

The U.S. product safety testing organization Underwriters Laboratories has redefined the security requirements for magnetic switches used in many alarm systems because some of these devices can be easily defeated. If your facility employs reed switches or Balanced Magnetic Switches (the high-security version of these devices) you may wish to review the requirements of the new standard. UL 634 has established a second security level (2) to define more stringent requirements to protect against covert attack. Current BMS switches are covered under Level 1.

It appears that only one switch can currently meet the new Level 2 section of … Read more

'Curse of silence' smartphone flaw disclosed

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address … Read more

Defense contractors eye cybersecurity bonanza

The industry side of the military industrial complex is on the scent of the federal government's cybersecurity dollars.

Bloomberg has a year-end rundown on the efforts of the big defense contractors to tap into a market that could swell to $11 billion by 2013. Boeing and Lockheed, for instance, both set up new cyberdefense business units in the last six months, the news agency says, while Raytheon in the last 18 months has acquired a trio of network security providers and is looking to boost the number of its certified security engineers by 50 percent in 2009.

"The … Read more

Web browser flaw could put e-commerce security at risk

By Jonathan Stray

Updated at 3:30 p.m. PST with Microsoft comment, at 1:50 p.m. PST with VeriSign comment, at 10 a.m. PST with comment from cryptography expert Paul Kocher, and at 9 a.m. PST to reflect that presentation has taken place and include comment from cryptography expert Bruce Schneier.

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, … Read more

Microsoft denies vulnerability in Windows Media Player

Updated at 10 a.m. January 5 to correct the alleged vulnerability to a denial of service.

Microsoft on Monday denied reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by … Read more

Taking the classical approach to security

Ari Juels' fascination with numbers is the stuff of fiction, literally.

The chief scientist and director of RSA Laboratories recently completed a novel in which the protagonist is hired by the U.S. government to counter the efforts of Pythagoreans, a Greek group that believed in the supremacy of numbers--subscribing to the notion that by mastering numbers, one could understand and control the forces of the universe.

That concept, he told ZDNet Asia during a recent visit to Singapore, had been "a little silly" until cryptography developed to a stage where "mastery of certain mathematical problems could in principle lead to considerable power over computing resources and consequently over our lives."

The book, which will be launched at the RSA Conference 2009 in San Francisco in April, was, in essence, the coming together of two of Juels' interests: computer security and classical literature. He graduated from Amherst College in 1991 with degrees in Latin Literature and Mathematics.

Thirty-eight-year-old Juels, who joined RSA in 1996, shed some light on recent RFID (radio frequency identification) issues in e-passports, identity documents, and transport-related systems, as well as how to balance security and privacy.

Q: What are you currently working on? Juels: With the acquisition of RSA by EMC, we've turned our attention to some of the special security problems that storage systems present. In particular, we've looked at...the ability of a client to verify that a file that is stored on remote servers is still there--intact. We've been able to develop a protocol which accomplishes the seemingly paradoxical property of enabling a client to verify that a file is completely intact--that every bit is there, not a single bit has been changed--without downloading the file. In fact, the archiving service can send a very short proof--some tens of bytes--and that's enough for the client to establish that the file is completely retrievable. That's been a major area of research for us.

Is there a name for this concept? Juels: There've been several names. I guess the most recent is an acronym called HAIL, for High Availability and Integrity Layer.… Read more
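As an added illustration of the property Juels describes (this is not code from the interview, and it is not RSA Laboratories' HAIL protocol), the following Python models the simplest form of it: before handing the file to an archive, the client precomputes a few nonce/tag pairs and then discards the file; to audit, it sends one unused nonce and the archive answers with a 32-byte HMAC over everything it actually holds. Only an archive with every bit of the file can produce the expected tag. The names `Verifier`, `prove` and `audit` and the sample file are this example's own.

```python
"""Verifying that a remotely stored file is intact without downloading it.

Added illustration of the property described in the interview; it is not RSA
Laboratories' protocol or HAIL. The client precomputes a handful of
(nonce, HMAC-SHA256(nonce, file)) pairs, keeps only those, and discards the
file. To audit, it sends one unused nonce; a correct 32-byte tag can only be
produced by an archive that still holds every bit of the file.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16


def _tag(nonce: bytes, data: bytes) -> bytes:
    # The nonce acts as a one-time HMAC key over the whole file, so any
    # single-bit change in `data` yields an unrelated 32-byte tag.
    return hmac.new(nonce, data, hashlib.sha256).digest()


@dataclass
class Verifier:
    """Client-side state: unused nonces paired with the tags they must yield."""
    pending: list = field(default_factory=list)  # [(nonce, expected_tag), ...]

    @classmethod
    def from_file(cls, data: bytes, n_challenges: int = 8) -> "Verifier":
        # Precompute while the file is still local; afterwards only about
        # 48 bytes per future challenge need to be kept on the client.
        pending = []
        for _ in range(n_challenges):
            nonce = secrets.token_bytes(NONCE_LEN)
            pending.append((nonce, _tag(nonce, data)))
        return cls(pending)

    def challenge(self) -> bytes:
        """Return an unused nonce to send to the archive."""
        if not self.pending:
            raise RuntimeError("precomputed challenges exhausted; re-seed from a fresh copy")
        return self.pending[-1][0]

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        """Check the archive's tag; the nonce is consumed whether or not it passes."""
        for i, (n, expected) in enumerate(self.pending):
            if n == nonce:
                del self.pending[i]  # single use: a replayed proof must not verify
                return hmac.compare_digest(expected, proof)
        return False  # unknown or already-used nonce


def prove(stored: bytes, nonce: bytes) -> bytes:
    """Archive side: recompute the tag over whatever it actually holds."""
    return _tag(nonce, stored)


def audit(verifier: Verifier, stored: bytes) -> bool:
    """One full client/archive round: challenge, proof, verification."""
    nonce = verifier.challenge()
    return verifier.verify(nonce, prove(stored, nonce))


if __name__ == "__main__":
    # Constructed sample file (16 KiB); any bytes work.
    original = bytes(range(256)) * 64
    verifier = Verifier.from_file(original, n_challenges=4)

    corrupted = bytearray(original)
    corrupted[1000] ^= 0x01            # flip one bit
    truncated = original[:-1]          # drop the last byte

    print("intact   :", audit(verifier, original))          # True
    print("bit flip :", audit(verifier, bytes(corrupted)))  # False
    print("truncated:", audit(verifier, truncated))         # False
```

The proof really is "some tens of bytes", but this toy pays for it twice: the client can only audit as many times as it precomputed, and the archive must read the entire file for every challenge. Published proof-of-retrievability schemes remove the first limit and, by combining erasure coding with spot checks of a few blocks, make the second cheap; what this example shows is only the verification property itself, including the single-use nonce that stops an archive from replaying an old answer.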

MIT students to help Boston secure subway fare system

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system.

The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA's request for an injunction the day before.

"This is a great opportunity for … Read more