"Vulnerabilities in how cookies were handled on LinkedIn profiles laid user profiles at risk of tampering, a security researcher said. Rishi Narang, a former senior consultant for financial service firm Deloitte and Touche said accounts could be hijacked for up to a year by intercepting cookies that tracked user sessions.
An attacker could keep accessing an account on the site despite a password reset because cookies were still valid after the change.
Cookies were vulnerable to man-in-the-middle attacks because the website reverted to hypertext transfer protocol after users logged in through its secure cousin, HTTPS."
Read more: http://www.scmagazine.com.au/News/258269,linkedin-profiles-at-hijack-risk.aspx
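As an added illustration (not code from the article or from LinkedIn), a minimal server-side session store that closes the two gaps described above: each session is bound to a password generation that a reset bumps, sessions carry a hard lifetime instead of staying valid for a year, and the cookie is issued with the Secure and HttpOnly attributes so the browser never sends it over plain HTTP. All class and function names here are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hard cap on session age (the article describes cookies that stayed valid for up to a year).
ABSOLUTE_LIFETIME = 24 * 3600


@dataclass
class User:
    uid: str
    password_generation: int = 0  # incremented on every password reset


@dataclass
class Session:
    uid: str
    password_generation: int  # generation the user had when this session was issued
    issued_at: float


@dataclass
class SessionStore:
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: User, now: Optional[float] = None) -> str:
        # Fresh unguessable token, bound to the user's current password generation.
        self.users[user.uid] = user
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.sessions[token] = Session(user.uid, user.password_generation, issued)
        return token

    def reset_password(self, user: User) -> None:
        # Bumping the generation invalidates every session issued before the reset,
        # even on replicas that have not yet purged the old entries.
        user.password_generation += 1

    def resolve(self, token: str, over_https: bool, now: Optional[float] = None) -> Optional[str]:
        # Returns the user id for a valid cookie, or None; every failure looks the same to the caller.
        if not over_https:
            return None  # never honour a session cookie that arrived in plaintext
        s = self.sessions.get(token)
        if s is None:
            return None
        current = time.time() if now is None else now
        if current - s.issued_at > ABSOLUTE_LIFETIME:
            return None  # past the absolute lifetime, regardless of activity
        if s.password_generation != self.users[s.uid].password_generation:
            return None  # issued before the last password reset
        return s.uid


def set_cookie_header(token: str) -> str:
    # Secure stops the browser sending the cookie over HTTP; HttpOnly keeps page scripts away from it.
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```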
The graphics technology, used in browsers like Firefox and Chrome, can be used to access the most protected parts of a PC
"Security researchers at the U.K.'s Context Information Security have identified serious flaws in the WebGL graphics standard used by default in Firefox 4 and Google Chrome; they're also available in Apple's Safari browser. The researchers recommend disabling the technology, which helps generate 3D graphics on websites. The flaws could be used to open an attack vector on a PC's graphics drivers, which in turn open access to the OS kernel."
Read more: http://www.infoworld.com/t/web-security/webgl-flaws-give-hackers-new-point-entry-498
The world's first easy-to-use crimeware kit signals cyber criminals' growing interest in targeting Apple with malware
"Apple has been cashing in on the increased attention it's garnered from the business and consumer worlds in recent years. Unfortunately, the ne'er-do-wells of the technology world continue to step up their attempts to get a piece of the action, targeting malware squarely at Mac users.
IT security experts, such as InfoWorld Security Adviser Roger Grimes, have argued that obscurity is the greatest security defense a platform can have, which is why Windows and Internet Explorer have historically been hit more successfully than Mac or Safari. Even just a couple of years ago, malware targeting the Mac -- such as MacSweeper, the first scareware for the Mac -- was something of a novelty, though the Mac OS had proven itself far from bulletproof. But as experts have predicted, Mac-honed malware is becoming more and more the norm.
One of the more notable developments of the Mac attracting cyber criminal attention is the emergence of what's purportedly the world's first do-it-yourself crimeware kit primed for Mac OS X. Recently announced in some closed underground forums, according to Danish IT security company CSIS Security Group, the tool enables users to build malware to turn victim Mac OS X machines into zombies with point-and-click simplicity."
Read more: http://www.infoworld.com/d/security/malware-and-hackers-increasingly-targeting-macs-780
"Acidgen, who is based in Sweden, found a stack buffer overflow bug in Magix Music Maker 16 software and promptly passed the information to Magix.
After several emails Acidgen also provided Magix with what he describes as a "nonharmful" proof-of-concept (PoC) to demonstrate how the flaw could be exploited. He told the outfit of his plans to publish the flaw and PoC after it was patched.
However, Acidgen appears to have then got an email from the company's lawyer threatening a lawsuit for "alleged extortion" over his plans to release a proof-of-concept for the flaw. Acidgen said the legal threat came out of nowhere. The last he heard was that the company was going to issue a patch. Then he got a really threatening lawsuit letter saying that they are going to press charges for extortion for the exploit code."
Read more: http://www.techeye.net/security/security-expert-acidgen-sued-for-vulnerability-warning
"It's astonishing that 10 years of technological progress have produced web application behemoths like Facebook, Twitter, Yahoo! and Google, while the actual technology inside the web browser remained relatively stagnant. Companies have grown to billion-dollar valuations (realistic or not) by figuring out how to shovel HTML over HTTP in ways that make investors, advertisers, and users happy.
The emerging HTML5 standard finally breathes some fresh air into the programming possible inside a browser. Complex UIs used to be the purview of plugins like Flash and Silverlight (and decrepit, insecure ActiveX). The JavaScript renaissance seen in YUI, jQuery, and Prototype significantly improves the browsing experience. HTML5 will bring sanity to some of the clumsiness of these libraries and provide significant extensions.
Here are some of the changes HTML5 will bring and what they mean for web security"
Read more: http://mashable.com/2011/04/29/html5-web-security/