Security Roundup

Some interesting security related stories.

U.S. Database Exposes Social Security Numbers The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Google draws privacy complaint to FTC “Google’s proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world,” the complaint reads. “Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects.”

This one could potentially be big, if the data that Google collects from the browsing habits of people with their toolbar, the information they gather from people searching their site(s), the data they collect from their ads on a major portion of the internet, the data they collect from their online programs, like Gmail, Google Docs & Spreadsheets, etc, the data they collect from people using Google Checkout, the data they collect from Youtube and all of the embedded videos, if this data is used by people working for Google or by someone who is able to access it from the outside, it is staggering, I am sure, the amount of information they could compile and use on people.

A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

Depends on your definition I guess, sitting there with nothing running, no one could get into them, on the second day, they sent contestants urls via email and one hacker was able to exploit a vulnerability in Safari and open a back door that gave him access to everything. While they did not crack the OS itself, it did crack a tool that many people use on such a system, it’s the same as all of the IE vulnerabilities that get exploited, though they certainly have the better track record over Windows. Here is more from zdnet.

MacBook Pro hijacked with Safari zero-day Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful’s belief that the machines are impenetrable. Dai Zovi, a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.

Seeing through walls Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.

ISP Kicks Out User Who Exposed Vulnerability; Doesn’t Fix Vulnerability Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven’t bothered to fix the vulnerability — despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can’t find any evidence that anyone ever used the vulnerability, he must have discovered it by “illegal” means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he’s not allowed to talk about its legal threat to him — which isn’t actually legally binding. It’s not clear if the ISP doesn’t understand what it’s done or simply doesn’t want to fix the vulnerability.

Interact with the security community CanSecWest, the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.

1 Comment »

No comments yet.

RSS feed for comments on this post. | TrackBack URI

Leave a comment