Apple Blasted For Not Blocking Stolen Certificates
A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.
“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.
Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.
Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.
Users of Safari on Mac OS X, however, remain at risk to possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.
Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.
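The distinction this story turns on is revoking individual certificates versus distrusting the issuer outright: DigiNotar did not know which certificates it had lost, so vendors blocked the CA itself rather than waiting for revocation lists. The Go example below is added here (it is not Apple's, Microsoft's or DigiNotar's code): it mints two constructed roots and a site certificate from each, leaves both roots in the trust pool as an unpatched system would, and shows that an explicit distrust list rejects the chain even though ordinary path validation still succeeds. The CA names, hostnames and the distrust list are all constructed placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// mint returns a self-signed root (parent == nil) or a server cert for host signed by parent, plus the new key.
func mint(cn, host string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed fixture keys; errors ignored for brevity
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // a root signs itself with its own fresh key
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkChain is the vendor-side fix: a chain the trust pool still accepts is rejected when any issuer in it is distrusted.
func checkChain(leaf *x509.Certificate, roots *x509.CertPool, host string, distrust map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // ordinary path-validation failure (expired, wrong host, unknown root)
	}
	for _, c := range chains[0] { // leaf, intermediates, root: a distrusted issuer anywhere is fatal
		if distrust[c.Subject.CommonName] {
			return errors.New("issuer explicitly distrusted: " + c.Subject.CommonName)
		}
	}
	return nil
}
// scenario models an unpatched OS: both roots stay in the trust pool, and a site cert from each is checked.
func scenario() (honestErr, compromisedErr error) {
	honest, honestKey := mint("Demo Honest Root CA", "honest-ca.test", nil, nil)
	bad, badKey := mint("Demo Compromised Root CA", "compromised-ca.test", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(honest)
	roots.AddCert(bad)
	distrust := map[string]bool{"Demo Compromised Root CA": true} // constructed placeholder, not the real DigiNotar names
	okLeaf, _ := mint("www.example.test", "www.example.test", honest, honestKey)
	badLeaf, _ := mint("www.example.test", "www.example.test", bad, badKey)
	return checkChain(okLeaf, roots, "www.example.test", distrust), checkChain(badLeaf, roots, "www.example.test", distrust)
}
```

This is why Safari on Mac OS X stays exposed until the OS trust store itself carries the distrust entry: a revocation check alone never fires for certificates the CA does not know it issued.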
Apple Website Is Ripe For Hacking
July 4, 2011 by admin
According to the ethical hacking group YGN, Apple’s website for developers is virtually wide open and gives hackers the opportunity to introduce malware and phishing attacks to gain access to subscribers’ vital personal information.
One group, known as Networkworld, identified three holes on Apple’s website: arbitrary URL redirects, cross-site scripting and HTTP response splitting. These holes could allow hackers to redirect visitors to arbitrary websites and make phishing attacks against developers’ login credentials more successful.
Download Defense Added To Chrome Browser
Google has updated Chrome to version 12, adding a new feature that warns users when they’ve downloaded files from dangerous Web sites.
New to Chrome 12 is a tool that flags questionable files pulled from the Web. Chrome now shows an alert when users download some file types from sites that are on the Safe Browsing API (application programming interface) blacklist, which Google maintains.
The message reads: “This file is malicious. Are you sure you want to continue?” If they wish, users can ignore the warning and install the file on their system’s hard drive.
“This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API,” said Google last April when it debuted the feature in an earlier edition of Chrome.
Safe Browsing already identifies suspicious or unsafe sites, then adds them to a blacklist. Chrome, Mozilla’s Firefox and Apple’s Safari all tap into Safe Browsing to warn users of risky sites before they actually visit them.
Google Moves Quickly To Plug Data Leaks
May 24, 2011 by admin
Google confirmed that it’s starting to roll out a server-side patch for a security vulnerability in most Android phones that could allow hackers to access important credentials at public Wi-Fi hotspots.
“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts,” said a Google spokesman in an emailed statement. “This fix requires no action from users and will roll out globally over the next few days.”
Google is apparently applying the fix on its servers, which is why it does not need to push an over-the-air update to Android phones.
Experts applauded Google’s fast reaction.
“It’s impressive how quickly Google fixed this,” said Kevin Mahaffey, chief technology officer and a co-founder of San Francisco-based mobile security firm Lookout. “Google’s security team, especially on Android, is very, very quick to deal with issues.”
Whatever Google is implementing will shut the security hole that three German researchers publicized last week.
According to the University of Ulm researchers, who tested another researcher’s contention last February that Android phones sent authentication data in the clear, hackers could easily spoof a Wi-Fi hotspot — in a public setting such as an airport or coffee shop — then snatch information that users’ phones transmitted during synchronization.
In Android 2.3.3 and earlier, the phone’s Calendar and Contacts apps transmit information via unencrypted HTTP, then retrieve an authentication token from Google. Hackers could eavesdrop on the HTTP traffic at a public hotspot, lift authentication tokens and use them for up to two weeks to access users’ Web-based calendars, their contacts and also the Picasa photo storage and sharing service.
Google SEARCH Goes SSL
Google is finally taking privacy seriously, to a degree, by offering its users a secure form of searching on Google Search. Going forward, users will have the option to enable SSL (Secure Socket Layer) for added security. Be advised that the service covers only the Google search itself; clicks made through Google to other non-secured sites will still be visible.
‘Do Not Track’ Internet Legislation, Advances
California is moving closer to enacting the first Do Not Track law in the U.S., aimed at protecting Internet users from invasive advertising.
The proposed Senate bill, SB-761, passed a Senate Judiciary Committee vote late Tuesday, but it still has a long road ahead before having a chance of being signed into law. It now moves on to the Appropriations Committee, and must also pass the Senate and State Assembly before being sent to Governor Jerry Brown’s desk.
Still, it’s the first time such a bill has made it out of committee, and that’s a big deal, according to John Simpson, director of Consumer Watchdog’s Privacy Project. “This is the first time that a ‘do not track’ bill has actually had a hearing and been debated and then voted forward in the legislative process,” he said.
The bill would give California consumers a simple way of opting out of data collection systems that keep track of their online activities. “It puts up a no trespassing sign on our device,” Simpson said.
Opponents of the bill, including Google, the Direct Marketing Association, and the wireless industry group CTIA, say it puts an unnecessary burden on online commerce.
Online marketers love this type of data because it helps them fashion highly effective targeted advertising. But many consumers don’t want to hand marketers every detail of what they do on the Web.
Under the proposed law, users would have a way — possibly through a browser setting — of telling Web sites not to track them. If a company disregarded this and collected data without permission, it could face stiff fines.
FTC Singles Out Google’s Chrome
Federal Trade Commission Chairman Jon Leibowitz this week singled out Google for not adopting “Do Not Track,” the privacy feature that gives consumers the ability to opt out of online tracking by Web sites and marketing entities.
In an interview Monday with Politico, Leibowitz called out Google for not supporting Do Not Track in its Chrome browser.
Noting that Do Not Track had gathered momentum, Leibowitz said, “Apple just announced they’re going to put it in their Safari browser. So that gives you Apple, Microsoft and Mozilla. Really the only holdout — the only company that hasn’t evolved as much as we would like on this — is Google.”
Do Not Track has been promoted by the FTC and by privacy advocates including the Electronic Frontier Foundation (EFF), as the best way to help consumers protect their privacy.
The technology requires sites and advertisers to recognize incoming requests from browsers as an opt-out demand by the user. The information is transmitted as part of the HTTP header.
As Leibowitz said, Microsoft and Mozilla have added Do Not Track header support to their Internet Explorer 9 (IE9) and Firefox 4 browsers. While Apple hasn’t confirmed that the next version of Safari will include Do Not Track, developers have reported finding the feature in early editions bundled with Mac OS X 10.7, aka “Lion,” the upgrade slated to ship this summer.
Firefox 4 Coming Next Week
Mozilla’s Firefox 4, the latest offering of the second most popular Web browser in the world, will be officially released on March 22, 2011.
It’s been a long time coming. The first Firefox 4 beta was released July 6, 2010. At the time, Mozilla was aiming to deliver a release candidate this past autumn.
Launching several months late isn’t ideal but Google’s release practices have made Firefox’s tardiness look worse. Google launched Chrome 5 on May 21, 2010. On March 8, 2011, Google released Chrome 10. Is Firefox now five generations behind Chrome? Hardly. The four major Web browsers — Chrome 10, Firefox 4, Internet Explorer 9, and Safari 5 — are more comparable and competitive than ever before.
Johnathan Nightingale, director of Firefox development, says Firefox has more than 400 million users worldwide and a 30% global market share.
NetApplications, an Internet metrics company, suggests that figure is closer to 22% and flat, if not falling. The most significant number Nightingale cites is six: “Firefox 4 is fast,” he said. “It’s blazing fast. Six times faster than any Firefox we’ve done before.”
Other browser makers make similar claims too, though some of those claims are more actively disputed than others, like Microsoft’s assertions about hardware acceleration.
80% Of Browsers Found To Be At Risk Of Attack
About eight out of every ten internet browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said today.
The poor state of browser patching stunned Wolfgang Kandek, CTO of security risk and compliance management provider Qualys, which presented data from the company’s free BrowserCheck service Wednesday at the RSA Conference in San Francisco.
“I really thought it would be lower,” said Kandek of the nearly 80% of browsers that lacked one or more patches.
BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe’s Flash and Reader, Oracle’s Java and Microsoft’s Silverlight and Windows Media Player.
When browsers and their plug-ins are tabulated together, between 65% and 90% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component, depending on the month. In January 2011, about 80% of the machines were vulnerable.