The vulnerability is horizontal privilege escalation. The PIN reset function, while updating the PIN for the current user, also sends all the personal data in the POST request, including the username. This allows an attacker to tamper with the request, replacing his own username with the victim's, and so set a new PIN for the victim's account.
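The pattern above, shown as an added example that is not code from the application being described: a toy in-memory user store and a request model with a server-side session, constructed here for illustration. The vulnerable handler trusts the username supplied in the POST body; the hardened handler takes the account identity only from the authenticated session, rejects a body username that does not match it, and additionally requires the current PIN before accepting a new one (the re-authentication step is this example's own mitigation, not something the write-up states the application did).

```python
"""Horizontal privilege escalation in a PIN-reset handler (added example).

All names (make_store, Request, reset_pin_vulnerable, reset_pin_fixed) and the
sample users are constructed for this illustration; nothing here is the
application's real code.
"""
import hmac
from dataclasses import dataclass, field


def make_store():
    """Fresh toy user store (constructed sample data)."""
    return {"alice": {"pin": "1111"}, "bob": {"pin": "2222"}}


@dataclass
class Request:
    session_user: str                         # identity the server bound at login
    form: dict = field(default_factory=dict)  # client-controlled POST body


def reset_pin_vulnerable(store, req):
    """Vulnerable: the account to update comes from the client-supplied body.

    Any authenticated user can put another username in the form and change
    that user's PIN, which is exactly the horizontal escalation described.
    """
    target = req.form["username"]
    store[target]["pin"] = req.form["new_pin"]
    return target


def reset_pin_fixed(store, req):
    """Hardened: identity comes only from the session.

    - A body username is not used for authorization; if present and different
      from the session identity, the request is rejected (and worth logging,
      since a mismatch is a strong tamper signal).
    - The current PIN must be supplied and is compared in constant time, so a
      hijacked session alone is not enough to rotate the credential.
    """
    target = req.session_user
    claimed = req.form.get("username")
    if claimed is not None and claimed != target:
        raise PermissionError(
            f"session user {target!r} tried to reset PIN of {claimed!r}"
        )
    current = req.form.get("current_pin", "")
    if not hmac.compare_digest(current, store[target]["pin"]):
        raise PermissionError("current PIN does not match")
    store[target]["pin"] = req.form["new_pin"]
    return target


if __name__ == "__main__":
    # Alice, logged in, submits a tampered body naming Bob.
    tampered = Request("alice", {"username": "bob", "new_pin": "9999"})

    store = make_store()
    print("vulnerable handler updated:", reset_pin_vulnerable(store, tampered))
    print("bob's pin is now:", store["bob"]["pin"])

    store = make_store()
    try:
        reset_pin_fixed(store, tampered)
    except PermissionError as e:
        print("fixed handler rejected request:", e)
    print("bob's pin is still:", store["bob"]["pin"])
```

The usual unit test for this class of bug is the one at the bottom: log in as one user, submit a request naming another, and assert that the second account is unchanged. Checking that the server derives the target account from the session rather than from the request body is the core of the review.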
Apple has apparently decided to kill support for OS X Snow Leopard, the 2009 operating system that has resisted retirement for more than a year.
On Monday, Apple did not update Safari 5.1 when it patched the later Safari 6 and 7 for newer editions of OS X, including 2011’s Lion, 2012’s Mountain Lion and this year’s Mavericks.
Safari 5.1, which was last updated in September to version 5.1.10, is the most-current Apple browser for Snow Leopard.
Historically, Apple has patched Safari for longer than the underlying operating system, so when the Cupertino, Calif., company calls it quits for the browser, it has already decided to retire the pertinent OS.
In July 2011, for example, Apple patched Safari 5.0 for the final time, updating the browser to version 5.0.6. That edition was the last that ran in OS X Leopard, which was released in October 2007.
Apple provided the final update to Leopard in June 2011.
Ever wondered how underwater cable splicing is done?
Many, many layers of protection, including several of jute wrapping. The video centers on splicing a new cable to an existing one in the San Francisco Bay to bring the wonder of telephony to a man-made island created for the Golden Gate International Expo.
The narrator makes these men out to be heroes, and when you see how much lead they came into contact with, you’ll understand what he means. Each of the 1,056 individually insulated wires must be spliced by hand. After that comes a boiling out process in which petrolatum is poured over the splice to remove all moisture. Then, a lead sleeve is pulled over the connections. Molten lead is poured over the sleeve and smoothed out by hand.
At this point, the splice is tested. The sleeve is punctured and nitrogen gas is pumped in at 20psi. Then comes the most important step: the entire sleeve is painted with soap suds. Any gas that escapes will make telltale bubbles.
Once they are satisfied with the integrity of the sheath, they wrap the whole thing in what appears to be lead cables and pound them into submission. Surely that would be enough, don’t you think? Nope. They weld the cables all around and then apply two coats of tar-treated jute wrapping, which retards saltwater corrosion considerably.
According to Dennis Technology Labs, Microsoft Security Essentials fails to detect 39% of malware.
Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender.
While the other eight packages all achieved protection scores of 87% or higher – with five scoring 98% or 99% – Microsoft’s free antivirus software protected against only 61% of the malware samples used in the test.
Microsoft conceded last year that its security software was intended to offer only “baseline” performance, saying it wanted to “give customers a good reason to pay for their [security] products” because that would create greater diversity in the market and make life harder for malware writers.
Nevertheless, the company insisted that Security Essentials provided “strong, comprehensive defence against malicious code and attacks”.
Norton Internet Security received the strongest protection rating in DTL’s tests, detecting 99% of the malware used. Taking into account false positives against legitimate software, Kaspersky Internet Security 2014 provided the best overall level of protection.
Many web developers know about SSL/HTTPS, but it is very common to see it only partially deployed, or not deployed where it should be. This basic guide by @Erik Romijn on when and how to deploy SSL/HTTPS will help you avoid the most common mistakes.
The IETF has a dedicated crypto review board, the CFRG, which approves or pokes holes in the cryptography used by other IETF standards.
The chair of the IETF CFRG is an NSA employee (Kevin Igoe, one of the authors of the SHA1 hash standard).
I just learned these things a couple weeks ago. I am not generally a believer in the theory that NSA actively subverts Internet standards. But even I think that it’s crazy for an NSA employee to chair the CFRG.
In case you’re wondering: Trevor Perrin is a widely respected professional cryptographer. Most cryptographers work for university math departments. Perrin worked for years as a staffer for Paul Kocher, the godfather of side channel attacks, at Cryptography Research. He’s the designer of the new forward secrecy ratchet for OTR (Axolotl) and the TACK TLS extension, and a behind-the-scenes contributor to other IETF crypto standards. Perrin wrote the pure-Python “tlslite” TLS implementation. If you were to draw a “family tree” of crypto know-how in the software security profession, a surprisingly huge chunk of it would be rooted in Perrin (and Nate Lawson and Kocher); for instance, virtually every modern TLS break came from ideas that Perrin popularized. Of the 64 current Matasano Crypto Challenges, probably 50 of them I can trace to Perrin and Lawson. Trevor Perrin is someone you should pay attention to.
As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.