Syber Group

Apple Blasted For Not Blocking Stolen Certificates

September 12, 2011
Filed under Internet


A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.

“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.

Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.

DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.

Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.

Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.

Users of Safari on Mac OS X, however, remain at risk of possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.

Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.


Twitter Security Lagging, Say Experts

July 13, 2011
Filed under Around The Net


The fast-growing microblogging site Twitter is lagging behind some other Internet services in using methods to help secure the accounts of users, security experts say.

Weaknesses in Twitter’s security became apparent on the U.S. July 4 Independence holiday as a still unidentified hacker took control of a Fox News Twitter account and tweeted falsely claiming that U.S. President Barack Obama was dead.

While the hijacking of Twitter accounts is not new, the false Tweets about Obama generated headlines around the world.

The Secret Service is investigating the matter. Fox News has said it does not know how the attacker gained control of its account, but complained that it took Twitter more than five hours to return control of the account to Fox.

“What Twitter needs to do now is to commit to a thorough review of their security practices,” said Daniel Diermeier, a professor at Northwestern University’s Kellogg School of Management. “For Twitter this is a very serious problem.”

Security experts said the attack might have been prevented if Twitter had offered two-factor authentication technology to secure its accounts.


Google Moves Quickly To Plug Data Leaks

May 24, 2011
Filed under Smartphones


Google confirmed that it’s starting to roll out a server-side patch for a security vulnerability in most Android phones that could allow hackers to access important credentials at public Wi-Fi hotspots.

“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts,” said a Google spokesman in an emailed statement. “This fix requires no action from users and will roll out globally over the next few days.”

Google will apparently apply the fix to its servers since it does not need to push out an over-the-air update to Android phones.

Experts applauded Google’s fast reaction.

“It’s impressive how quickly Google fixed this,” said Kevin Mahaffey, chief technology officer and a co-founder of San Francisco-based mobile security firm Lookout. “Google’s security team, especially on Android, is very, very quick to deal with issues.”

Whatever Google is implementing will shut the security hole that three German researchers publicized last week.

According to the University of Ulm researchers, who tested another researcher’s contention last February that Android phones sent authentication data in the clear, hackers could easily spoof a Wi-Fi hotspot — in a public setting such as an airport or coffee shop — then snatch information that users’ phones transmitted during synchronization.

In Android 2.3.3 and earlier, the phone’s Calendar and Contacts apps transmit information via unencrypted HTTP, then retrieve an authentication token from Google. Hackers could eavesdrop on the HTTP traffic at a public hotspot, lift authentication tokens and use them for up to two weeks to access users’ Web-based calendars, their contacts and also the Picasa photo storage and sharing service.


80% Of Browsers Found To Be At Risk Of Attack

February 17, 2011
Filed under Internet


About eight out of every ten internet browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said today.

The poor state of browser patching stunned Wolfgang Kandek, CTO of security risk and compliance management provider Qualys, which presented data from the company’s free BrowserCheck service Wednesday at the RSA Conference in San Francisco.

“I really thought it would be lower,” said Kandek of the nearly 80% of browsers that lacked one or more patches.

BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe’s Flash and Reader, Oracle’s Java and Microsoft’s Silverlight and Windows Media Player.

When browsers and their plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component, depending on the month. In January 2011, about 80% of the machines were vulnerable.
