Zero Day

A roadmap for the Twitter CSO

Adam O'Donnell — Wed, 07 Jan 2009 20:30:00 +0000

The folks at Twitter had to deal with an attack from both phishers and hackers over the past few days. As someone who has been in their shoes many times before, I deeply sympathize with their team and I understand the amount of work that they need to do. For those of you [...]

Bogus LinkedIn profiles serving malware

Dancho Danchev — Wed, 07 Jan 2009 00:31:40 +0000

A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. [...]

Thousands of Israeli web sites under attack

Dancho Danchev — Tue, 06 Jan 2009 22:58:06 +0000

In the wake of the escalating conflict between Israel and Hamas, it didn’t take long before pro-Hamas supporters organized themselves and started to defacing thousands of pro-Israeli web sites in order to use them as vehicles for propaganda — Israel is meanwhile hijacking TV signals. For the time being, pro-Israeli sites remain automatically probed for web [...]

Twitter phishing… inside Twitter

Adam O'Donnell — Sun, 04 Jan 2009 23:01:36 +0000

Over the weekend I received a handful of reports of individuals using Direct Messages inside of Twitter to phish for Twitter accounts and passwords. A cluster of compromised Twitter accounts are sending out person-to-person phishing messages inside the Twitter network. These messages and the target website are similar to standard social network phishing messages, except [...]

Real plugs critical holes in Helix Server

Ryan Naraine — Fri, 02 Jan 2009 20:16:27 +0000

RealNetworks has shipped a new version of its Helix Server to plug at least four vulnerabilities that introduce code execution and denial-of-service risks. The flaws affect Helix Server Version 11.x, Helix Server Version 12.x, Helix Mobile Server Version 11.x and Helix Mobile Server Version 12.x. Three of the four bugs are considered “highly critical” because [...]

Adobe Flash, Apple Safari fail privacy test

Ryan Naraine — Fri, 02 Jan 2009 19:53:46 +0000

Third party plug-ins like Adobe Flash do a poor job of cleaning traces of your browser sessions, rendering private-browsing features somewhat useless, according to a new study by researcher Katherine McKinley. McKinley, a researcher at iSec Partners, created a tool for testing the functionality of clearing private data after a browser session and browsing in private [...]

Military contractor “cyber-defense” gold rush begins

Adam O'Donnell — Fri, 02 Jan 2009 19:38:54 +0000

Sensing a shift in upcoming defense priorities, Lockheed and Boeing are both launching information security product divisions. Bloomberg is reporting that both Lockheed Martin and Boeing are building security product groups to address the military’s needs in defending cyberspace. I doubt that the military requires technology to “defend cyberspace” that is fundamentally different technology than [...]

MD5/rogue CA attack: The sky is not falling

Ryan Naraine — Wed, 31 Dec 2008 15:25:16 +0000

Guest post by John Viega Today there’s been a lot of buzz about the clever new attack on public key infrastructure from Alex Sotirov and a team of researchers. In the attack, the bad guy ends up with his own Certification Authority (CA) that is fully trusted according to every major browser. People are [...]

An easy fix ignored

Ryan Naraine — Tue, 30 Dec 2008 23:07:40 +0000

Guest post by Chris Eng In the wake of this morning’s 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I’ve read so far has focused on the technical details and real-world impact of their findings. Rightly so — their paper describing the attack is a fascinating read filled with enough gory details [...]

SSL broken! Hackers create rogue CA certificate using MD5 collisions

Ryan Naraine — Tue, 30 Dec 2008 14:00:44 +0000

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of [...]