Author Topic: Tech News Weekly: Edition 44  (Read 16675 times)

Ehtyar

Tech News Weekly: Edition 44
« on: October 30, 2008, 06:38 PM »
The Weekly Tech News
Hi all.
No meta-news this week, enjoy :)
As usual, you can find last week's news here.


1. NIST Competition To Replace SHA Complete
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
Via: http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html
The NIST competition for a replacement for the SHA-2 hash family closes today. Unfortunately it doesn't seem that the list of candidates is available yet. Please post a reply if you happen to come by it. Keep your eyes peeled for info.

NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications.  The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. Entries for the competition must be received by October 31, 2008.


2. Security Flaw Is Revealed in T-Mobile’s Google Phone
http://www.nytimes.com/2008/10/25/technology/internet/25phone.html
The first flaw has been uncovered in Google's Android platform.

Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it.

One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.


3. E-mail Attachment Malware Soars 800 Per Cent in 3 Months
http://www.itbusiness.ca/it/client/en/home/News.asp?id=50510
According to Sophos, E-mail malware has made a substantial comeback in the previous quarter of this year.

The volume of malware attacks conducted via e-mail attachments increased about 800 per cent over the past three months as this low-grade hacking method was brought back from the grave, according to a U.K.-based security vendor.

This reverses an earlier trend. Previously, malware trends indicated hackers were moving away from sending infected attachments. Most attacks were carried out by embedding links to viruses or Trojans right into the e-mail.


4. Koobface Returns
http://www.computerworld.com.au/index.php/id%3b509001956%3bfp%3b4194304%3bfpid%3b1
http://news.cnet.com/8301-1009_3-10078353-83.html
The infamous Koobface Facebook threat is back, and is using Google's website to bypass Facebook protection (blacklisting is so 1990's).

Hackers initially unleashed Koobface in late July, but Facebook's security team soon slowed its spread by blocking the Web sites that were hosting the malicious Trojan software.

That has prompted the criminals to change tactics, according to Guillaume Lovet, a senior research manager with Fortinet. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.

The links appear safe because they go to Google.com Web sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a Web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most antivirus programs, according to Facebook.


5. 'Security-on-a-Stick' to Protect Consumers and Banks
http://www.physorg.com/news144519988.html
IBM have developed a USB-sized device that can be used to thwart attempted online banking fraud.

The "security-on-a-stick" solution — a handy USB-sized device with a display, a smart card reader and buttons — protects a user's e-banking transactions from even the most malicious attacks. With the new device, developed by an expert team at IBM's Zurich Research Lab, a user sees exactly what transaction data the banking server receives. Moreover, he or she can approve or cancel each transaction directly with the banking server using the buttons on the device.


6. New Address Spoofing Flaw Smudges Google's Chrome
http://www.theregister.co.uk/2008/10/26/google_chrome_address_spoofing/
Chrome is subject to yet another major vulnerability allowing websites to impersonate other websites.

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.


7. Opera Scrambles to Quash Zero-day Bug in Freshly-patched Browser
http://www.theregister.co.uk/2008/10/27/zero_day_opera_bug/
In similar news, Opera's most recent browser patch has led to an easily-exploited RCE vulnerability.

Just a few days after Opera Software patched critical vulnerabilities in its browser, researchers have identified another serious bug that allows attackers to remotely execute malicious code on the machines of people running the most recent version of the software. Opera has vowed to fix the flaw soon.

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims' browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that's based on the same weakness.


8. ATO Loses CD With Private Details
http://news.cnet.com/8301-1009_3-10078353-83.html
The Australian Taxation Office has misplaced a disk containing the unencrypted tax details of 3122 trustees, and has failed to notify them of the breach until 3 weeks later. Interestingly enough, Australia still has no laws governing the handling or reporting of corporate data breaches. Yay for incompetent government!

The ATO admitted that the CD was not encrypted and victims were only notified three weeks later.

The disk contained the name, address and super fund tax file numbers for 3122 trustees and was being couriered to the ATO, but failed to reach the department.

The Tax Office was notified about the missing CD on October 3 but only sent out letters to the victims on October 24, offering to re-issue the tax file numbers for their super funds.


9. Court Rules Hash Analysis is a Fourth Amendment "search"
http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html
The long-contested idea that using hashes to determine the content of computer files is classified under the Fourth Constitutional Amendment as a "search" has been upheld in court for the first time, though appeal is likely.

A good coder has as many uses for hash functions as George Washington Carver did for peanuts—but law enforcement is fond of these digital fingerprinting techniques as well, because they allow reams of data to be rapidly sifted and identified. Legal scholars, however, have spent a decade puzzling over whether the use of hash value analysis in a criminal investigation counts as a Fourth Amendment "search." A federal court in Pennsylvania last week became the first to rule that it does—but one legal expert says an appeal is very likely.


10. Windows 7's Streamlined UAC
http://arstechnica.com/journals/microsoft.ars/2008/10/30/arspdc-windows-7s-streamlined-uac
Although they're keeping that fugly UI, it seems Microsoft will be overhauling UAC in Windows 7.

One feature of Vista that came under more criticism than most was User Access Control. The feature, designed to make Windows more secure by both limiting the rights of Administrators and making it easier for regular Users to gain Administrator rights only when necessary, was deemed to be annoying and intrusive. As a result, some 10-15% of Vista users turn it off.

Vista SP1 smoothed a few of the more annoying UAC wrinkles, but retained the same fundamental mechanics. The two main problems with UAC: the screen going black momentarily whenever a confirmation prompt was displayed, and the need to reaffirm explicit user actions.

With Windows 7, Microsoft has tried to tone down UAC to make it less invasive while still affording the same protection.


11. Ubuntu 8.10 Intrepid Ibex Released
http://www.downloadsquad.com/2008/10/30/ubuntu-8-10-intrepid-ibex-released/
Bang-on-target Intrepid Ibex has gone final today, with many impressive new features.

Ubuntu 8.10 is available for download today. And because Ubuntu Linux is open source software and we've been following its development for the last 6 months, there aren't a ton of surprises. But that doesn't mean you shouldn't download it if you're running Ubuntu 8.04 or if you're looking for a new Linux distro to try. Because it does include a number of tweaks, bug fixes, and improvements. Here are just a few:

    * Improved support for connecting to 3G wireless networks
    * A utility for loading a fully working Ubuntu installation on a USB disk
    * There's a new System Cleaner utility that will help identify abandoned software packages (which could address one of my biggest pet peeves about most Linux distributions)
    * The Nautilus file manager now supports tabs


12. Tivo Set to Stream Netflix Movies by Christmas
http://blog.wired.com/business/2008/10/tivo-set-to-str.html
It appears TiVo and Netflix have finally pulled their fingers out and are testing their system for streaming Netflix movies directly to TiVo subscribers.

Four years in the making, the Tivo/Netflix streaming partnership is finally ready for prime time. Tivo began testing software Thursday and expects to have the entire Netflix streaming collection available to subscribers of both services by early December.

The companies originally announced plans to serve Netflix movies-on-demand to Tivo boxes in 2004 but shelved plans due to a lack of available content.


Ehtyar.

Darwin

Re: Tech News Weekly: Edition 44
« Reply #1 on: October 30, 2008, 06:45 PM »
Another fine newsletter. Many thanks, ehtyar! Scary about the increase in malware attachments in e-mail - must warn my parents to be vigilant.

tomos

Re: Tech News Weekly: Edition 44
« Reply #2 on: October 30, 2008, 06:57 PM »
thanks Ehtyar!

more fun and games in Australia I see ;)
was a bit confused for a moment as to why analysing hash[ish] would be a "search" (and what that had to do with tech :D)
Tom
« Last Edit: October 31, 2008, 03:35 AM by tomos »

Ehtyar

Re: Tech News Weekly: Edition 44
« Reply #3 on: October 30, 2008, 07:02 PM »
Thanks guys :) Sometimes I do go a little off-track indeed, I just thought it was interesting and worthy of inclusion. Actually, what does everyone think about those slightly off-topic articles?

Ehtyar.

Deozaan

Re: Tech News Weekly: Edition 44
« Reply #4 on: October 30, 2008, 08:02 PM »
Thanks Ehtyar.

Darwin

Re: Tech News Weekly: Edition 44
« Reply #5 on: October 30, 2008, 08:48 PM »
Actually, what does everyone think about those slightly off-topic articles?

I like 'em, but I digress...

Davidtheo

Re: Tech News Weekly: Edition 44
« Reply #6 on: October 31, 2008, 01:25 AM »
Great job on this week's news.  :Thmbsup: I liked the 'Security-on-a-Stick' to Protect Consumers and Banks. But what banks support it?

ewemoa

Re: Tech News Weekly: Edition 44
« Reply #7 on: October 31, 2008, 01:34 AM »
Thank you again :)

Loved the following phrase:

the result of faulty code inserted by programmers from the Mountain View, California search behemoth.

f0dder

Re: Tech News Weekly: Edition 44
« Reply #8 on: October 31, 2008, 01:34 AM »
Actually, what does everyone think about those slightly off-topic articles?
I like 'em, but I digress...
:D :D :D

Could somebody briefly explain what "Fourth Amendment Search" means? I have a feeling that this could actually be one of the more important newsletter items.

As always, thanks for the effort, Ehtyar. Also, the spoiler-button format really works for me :)
- carpe noctem

zridling

Re: Tech News Weekly: Edition 44
« Reply #9 on: October 31, 2008, 03:20 AM »
Man, that's the most efficient news cover format I think I've ever come across. Thanks again!

mouser

Re: Tech News Weekly: Edition 44
« Reply #10 on: October 31, 2008, 03:35 AM »
great stuff.
small bug: clicking on the links now serves no purpose.

tomos

Re: Tech News Weekly: Edition 44
« Reply #11 on: October 31, 2008, 03:39 AM »
Thanks guys :) Sometimes I do go a little off-track indeed, I just thought it was interesting and worthy of inclusion. Actually, what does everyone think about those slightly off-topic articles?

I edited my post for clarity ..
was a bit confused for a moment as to why analysing hash[-ish] would be a "search" (and what that had to do with tech :D)
i.e.
I wasn't saying it off-topic at all (personally I don't mind/enjoy off-topic anyways)
Tom

jgpaiva

Re: Tech News Weekly: Edition 44
« Reply #12 on: October 31, 2008, 05:11 AM »
On 10: Windows 7's Streamlined UAC
YAY!! I'm glad to know they're trying to improve it. Unfortunately, I still don't see anything like the "allow this program to have always admin privileges without asking me" option. That means I won't get warnings for stuff I do with explorer.exe, but I get with XYplorer :(

f0dder

Re: Tech News Weekly: Edition 44
« Reply #13 on: October 31, 2008, 05:32 AM »
On 10: Windows 7's Streamlined UAC
YAY!! I'm glad to know they're trying to improve it. Unfortunately, I still don't see anything like the "allow this program to have always admin privileges without asking me" option. That means I won't get warnings for stuff I do with explorer.exe, but I get with XYplorer :(
That would be a glaring security hole - see my comments in the NortonUAC thread(s).

Unless XYplorer is shoddily coded, you should get the same warnings/elevations in that as you do in explorer.
- carpe noctem

housetier

Re: Tech News Weekly: Edition 44
« Reply #14 on: October 31, 2008, 05:37 AM »
yay thanks!

jgpaiva

Re: Tech News Weekly: Edition 44
« Reply #15 on: October 31, 2008, 05:45 AM »
That would be a glaring security hole - see my comments in the NortonUAC thread(s).

Unless XYplorer is shoddily coded, you should get the same warnings/elevations in that as you do in explorer.
From what I understand from the article mentioned, they have added an option not to get warnings from "user actions", where they include for example creating folders in system dirs. With this option on, you only get prompts from programs, meaning that creating a folder with explorer wouldn't get a prompt, but doing it with XY would.

f0dder

Re: Tech News Weekly: Edition 44
« Reply #16 on: October 31, 2008, 05:51 AM »
jgpaiva: if it's implemented that way (explorer-specific exception in UAC), that's fscking retarded. Find a loophole to inject code into explorer.exe, boom, UAC more or less avoided.
- carpe noctem

Ehtyar

Re: Tech News Weekly: Edition 44
« Reply #17 on: October 31, 2008, 06:34 AM »
Thanks everyone as always for your kind words, they're what makes this worth doing  :-*
Great job on this week's news.  :Thmbsup: I liked the 'Security-on-a-Stick' to Protect Consumers and Banks. But what banks support it?
I've read that most major banks support dongle technology for their corporate customers, but I'm not aware of any that supply the technology to private account holders.
Could somebody briefly explain what "Fourth Amendment Search" means? I have a feeling that this could actually be one of the more important newsletter items.
For the long-winded version, see the wiki article. (tomos and f0d man read in) The short version is that the fourth amendment requires that officers of the law present probable cause and obtain a search warrant for any form of search they wish to undertake. Since the digital age has come upon us with legislation lagging so far behind it, it has been for the judge to decide what constitutes "search" of a digital medium. Until now, taking a hash of a file on someone's PC was not considered a "search" as per the fourth amendment, and thus required there to be no probable cause in order to do so. Until now, the authorities have used (read: abused) this loophole in order to "search" a suspect's files by hashing any suspicious files, and comparing the hash to that of content known to them (in this case, kiddy porn pics) and hoping for a match, thus avoiding the requirement of a warrant and probable cause.
Indeed this is quite the important article.
great stuff.
small bug: clicking on the links now serves no purpose.
Hehe, thanks mouse man :) (assuming I took that comment the right way)

Ehtyar.
« Last Edit: October 31, 2008, 06:37 AM by Ehtyar »

CWuestefeld

Re: Tech News Weekly: Edition 44
« Reply #18 on: October 31, 2008, 09:08 AM »
Actually, what does everyone think about those slightly off-topic articles?
There wasn't anything there that I perceived as off-topic. Everything there ought to be of some interest to people in the computer software community.

For my really-off-topic 2 cents: remember that Aussie ATO thing the next time you hear Washington spouting about the need for Real ID to actually keep us more secure.

f0dder

Re: Tech News Weekly: Edition 44
« Reply #19 on: November 01, 2008, 02:36 AM »
Ehtyar: thanks for the summary - important indeed!
- carpe noctem

J-Mac

Re: Tech News Weekly: Edition 44
« Reply #20 on: November 02, 2008, 12:31 AM »
Basically the Fourth Amendment to the US Constitution provides protection from "unreasonable search and seizure", requiring, as Ehtyar mentioned, any governmental law enforcement officer to have "probable cause" that a crime has been committed and that evidence of the same can only be gotten by searching and seizing the evidence from a person or his/her property. Often seen in movies and TV shows where police must wait to obtain a search warrant that specifically lists exactly what they are searching for and where they are permitted to search.

Nice concept about the hash ruling, but I really doubt that ruling will stand, unfortunately.

Jim