Clickjacking a critical issue in Adobe Flash Player

Adobe issued a critical security advisory Tuesday warning of potential “clickjacking” in its Flash Player and offered a workaround, a month after two researchers initially disclosed the problem. Through the Flash Player, attackers could gain access to computers’ microphones or cameras after unsuspecting users click on hidden links or dialog boxes. Until Adobe addresses the problem in the next version of the player (a patch is expected by the end of October in Flash 10), it recommends that users prevent attacks by selecting “always deny” in the player’s settings manager. In his blog, researcher Robert Hansen explains that clickjacking is a new type of attack and includes several variants. “Some of it requires cross domain access, some doesn’t,” he said in the blog. “Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to preload data in forms, some don’t.” (Computerworld, BetaNews)

RealDVD remains in legal limbo

RealDVD will remain unavailable for purchase for at least a month after a judge declined to lift a restraining order on sales of the DVD copying software. RealNetworks introduced the program last week, but on Friday, the Motion Picture Association of America convinced US District Judge Marilyn Patel to block sales of the program until the lawsuit is settled. RealDVD lets users rip copy-protected DVDs to their hard drives by also copying the protections. RealNetworks says the program is legal and prevents piracy by adding its own DRM to the movies, which are then playable only in the ReadDVD player. (CNET)

AMD spins off manufacturing division

Advanced Micro Devices split its operations Tuesday with the announcement that it’s spinning off its manufacturing division into a new entity, The Foundry Company. The new company will be backed by the Advanced Technology Investment Company of Abu Dhabi, and plans to open a new fabrication facility in Saratoga County, N.Y., as well as upgrade its former AMD plant in Dresden, Germany. The move enables AMD to concentrate on chip design, such as its Fusion technology, which combines a CPU and GPU onto one processor. (The Associated Press)

Tool allows man-in-the-middle attacks on secure connections

A new open source hacking tool can automate man-in-the-middle attacks on banking, e-mail, and social networking sites that mix cleartext http with https. Security expert Jay Beale demonstrated his tool at the SecTor conference in Toronto this week, showing how The Middler can clone users’ sessions, passing https traffic through unmodified while injecting JavaScript into the cleartext traffic to obtain or change information. “Many companies misunderstand that encrypting only the application’s password form leaves their users very vulnerable to man-in-the-middle attacks,” Beale said in his presentation. (Dark Readings)

Mifare Classic smart card open to attacks

According to two research papers published Monday, attackers can easily crack the Mifare Classic access card, a popular RFID smart card used to restrict access at government facilities and military installations, with a few simple tools. The Register reports that Mifare Classic’s proprietary encryption scheme has a weakness that lets crackers guess its key with an RFID reader, a modest-strength PC, and roughly 10 minutes. (The Register)

Data mining not an effective counterterrorism tool

Data mining isn’t an effective tool for counterterrorism, and government programs that use such methods should provide extra oversight to prevent invasions of privacy and “false positives,” the National Research Council said in a report sponsored partly by the US Department of Homeland Security. The research organization concluded that data mining can be useful for tracking specific subjects, but automated techniques that look for unusual patterns would yield lots of erroneous data. (CNET)

Microsoft thinks big for business intelligence

Microsoft plans to upgrade its SQL Server 2008 with technology for the large data warehousing market and provide “managed self-service analysis” that will be easier to use. The company made the announcement at its second annual Business Intelligence Conference in Seattle on Monday, unveiling its plans to integrate recently acquired DATAllegro. SQL Server will now be able to handle data spanning hundreds of terabytes and thousands of concurrent users. Microsoft also wants to “democratize” business intelligence for the average worker. “If you know how to use Word and Excel, then you’ll be able to use our BI — that’s our commitment to customers,” said Stephen Elop, president of the Microsoft Business Division. (Computerworld).

Wi-Fi growth expected to reach one billion

Wi-Fi chips will be installed in one billion consumer electronic CE devices by 2012, according to a study by high-tech market research firm, InStat. Digital televisions are expected to account for most of the growth in the Wi-Fi market, the result of a 26 percent annual growth rate. “The sheer volume of digital TV shipments will make it a strong market, despite a relatively low Wi-Fi attach rate,” InStat analyst Victoria Fodale said.
The report also predicts that cellular handsets will surpass mobile PCs as the primary Wi-Fi devices by 2011. (Cnet)

New PCI Standard Released


The PCI Security Standards Council has released new security guidelines for unattended payment terminals (UPT) that accept personal identification numbers (PINs) at places such as kiosks, self-service ticketing machines, and fuel pumps. The PIN Entry Device (PED) security standards will require more rigorous testing by approved labs on encrypted PIN pads. The council has yet to release a date for compliance by retailers. (Dark Reading)

Study Finds Large Number of Security Incidents Go Unreported


A survey of roughly 300 attendees at the RSA Conference in 2008 found that more than 89 percent of security incidents went unreported in 2007. The survey identified security incidents as “unexpected activity that brought sudden risk to the organization and took one or more security personnel to address.” The survey respondents identified lost or stolen devices as the number one security challenge to combat (49 percent), followed by nonmalicious employee error (47 percent) budget constraints (44 percent), external hacking (38 percent), executive buy-in (26 percent), and insider threat (22 percent). (InformationWeek)

Showing 3,701 - 3,710 of 4,530 results.
Items per Page 10
of 453