
Submission Summary: 0 pending, 48 declined, 12 accepted (60 total, 20.00% accepted)

Security

Submission + - Mozilla to protect Adobe Flash users (h-online.com) 1

juct writes: "Firefox is going to check the version of installed Adobe Flash plug-ins and warn users if it discovers an outdated version with potential security holes. Mozilla confirmed this new security feature and said that the Flash version check was part of a wider commitment to "protect users from emerging threats online". Only recently a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in."
Security

Submission + - Secure USB sticks cracked (heise-online.co.uk) 1

juct writes: "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command — Command Descriptor Block — that changed the accessible partition. They found the vulnerability in the MyFlash FP1 from A-Data (USB-ID 1307:1169) and the 1GB Secure Card (USB-ID 7009:1765) sold by 9pay. The JetFlash 210 and 220 fingerprint sticks from Transcend use the chips in question and also provide access to the protected partition after transmission of a single USB command. The UT176 made by CySecure could also suffer from the same flaw, though they have not tested it yet."
Security

Submission + - Cracking a crypto hard drive case (heise-online.co.uk)

juct writes: "An AES label alone does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is quite typical for lots of similar products. They found that the 128-bit AES hardware encryption claimed in adverts was in fact a simple XOR encryption that they were able to break easily with a known-plaintext attack. (Editors: resubmitted with correct links this time — sorry for the one I screwed up)"
Security

Submission + - Antivirus protection worse than a year ago (heise-security.co.uk)

juct writes: "In a test of 17 antivirus products, the German magazine c't concluded that the effectiveness has fallen off, and more and more pests can now slip past these barriers. Most of the products perform reasonably well if they can rely on their database of signatures. But if they have to detect new malware with heuristics, the results were worse than last year. Besides this, c't did the first comprehensive test of behaviour blocking in antivirus products and found that more than half of them did not react to suspicious behaviour at all. The test itself is available only in the printed magazine; heise Security published a summary."
Security

Submission + - Spying on the TOR anonymisation network (heise-security.co.uk)

juct writes: "The long-standing suspicion that the anonymizing network TOR is (ab)used to catch sensitive data by Chinese, Russian and American government agencies as well as hacking groups gets new support. Members of the Teamfurry community found TOR exit nodes which only forward unencrypted versions of certain protocols. These peculiar configurations invite speculation as to why they are set up in this way. Another TOR exit node has been caught doing MITM attacks using fake SSL certificates."
Security

Submission + - Firefox and IE still not getting along (heise-security.co.uk)

juct writes: "A new demo shows how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the "who-is-to-blame-war" between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database."
Security

Submission + - Holes in Firefox password manager (heise-security.co.uk)

juct writes: "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on heise Security, attackers can still use JavaScript to steal passwords. However, the real problem might not be Firefox's password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo."
Security

Submission + - FBI used CIPAV for secret online search (heise-security.co.uk)

juct writes: "The FBI has used PC spyware for the first time to reveal the identity of an offender who sent bomb threats to a high school in Washington state. According to heise Security a declaration from the FBI official who applied for the search warrant describes the mode of operation of the spyware which the FBI is using under the abbreviation CIPAV (Computer and Internet Protocol Address Verifier)."
Security

Submission + - PHP security expert resigns

juct writes: "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and points his finger at inexperienced programmers. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after reasonable time — regardless of whether a patch is available or not."
