Security

Microsoft offers advice to deal with IE security bug

Users of Internet Explorer versions 6 through 9 are grappling with another security flaw without a fix, but Microsoft has a few suggestions to help shore up protection.

Uncovered this past weekend, the security hole could compromise the PCs of IE users who surf to a malicious Web site. Microsoft said it's already aware of attacks that have tried to take advantage of this weakness.

Since no fix is yet available, it's up to users of IE to protect themselves. A new Microsoft Security Advisory offers several recommendations.

To start, the usual advice always applies. Make sure you'…

Virgin Mobile user accounts are easily hacked, developer claims

A developer is taking Virgin Mobile USA to task, arguing that its username and password handling put users at risk.

Kevin Burke yesterday took to his personal blog to report that Virgin Mobile's authentication process only allows for users to input numbers as their account PIN. What's worse, he says, the password is limited to six numbers, leaving "only one million possible passwords you can choose."

"This is horribly insecure," Burke wrote. "Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits -- the latter has …

New Internet Explorer weakness already exploited in attacks

A previously unknown security hole in Internet Explorer 7, 8 and 9 is being actively exploited to deliver a back door trojan known as "Poison Ivy," researchers warned.

Security blogger Eric Romang, who uncovered the vulnerability this weekend, wrote on his blog yesterday:

"I can confirm, the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually exploited in the wild."

Romang found an attack that …

Chat app used by activists has security flaws, say critics

Several bloggers allege that the WhatsApp mobile chat program has weak security that puts users, who include human-rights activists, at risk.

In a series of posts on blogs and public Web pages, security and mobile researchers have been piling on the criticism of WhatsApp. Unfortunately, representatives of WhatsApp have not commented on the recent allegations, though criticism cropped up in May and even last year. WhatsApp did not respond to an e-mail from CNET seeking comment today. The company is unlisted in the San Francisco phone directory. We will update this post if we hear back.

The main complaints with …

Twitter hires security expert Charlie Miller

Twitter is creating a security dream team. Charlie Miller, famous for his hacks on the iPhone and MacBook Air, finding holes in iOS and devising ways to hijack Android phones with NFC, will be starting his new job at the microblogging company next week.

Miller will be working with encryption expert Moxie Marlinspike, who was hired by Twitter last year.

"Monday I start on the security team at Twitter. Looking forward to working with a great team there!" Miller tweeted this morning.

Miller told CNET today that he can't talk about his new job until he gets …

Huawei to Australia: Give us a break

Huawei, the Chinese mobile company hoping to make its way to the U.S. and elsewhere, expressed disappointment with the Australian government today for not being included in the country's National Broadband Network.

Speaking before the Australian parliamentary intelligence committee, Huawei Australia chairman John Lord said that his company was "disappointed" to learn that it was blocked from participation in the country's $38 billion NBN project. According to Reuters, Lord claimed that Huawei was given no reason for its exclusion and no chance to address any concerns that might have arisen.

A big company -- it …

Forget passwords. Your palm could be key to security

Passwords could become a thing of the past if new technology from Intel makes its way to laptops and mobile devices, Reuters reports.

The traditional security method, even when linked to different verification methods, remains a weakness that cybercriminals can exploit. Connectivity online often means that users will keep to the same password, or similar variants -- and once one account is breached, that information can be used to tap into financial information, online payment systems, or sensitive work documents.

But if Intel's prototype "Client-Based Authentication Technology" is successful, biometrics may be the latest defense against cyberattacks. …

Report: Half of Android devices have unpatched holes

More than 50 percent of Android devices have serious vulnerabilities that are unpatched because carriers are often slow to update the software, a mobile security researcher says.

"Since we launched X-Ray [Android app used for scanning for vulnerabilities], we've already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary," Jon Oberheide, chief technology officer at Duo Security, wrote in a blog post. The results are then extrapolated using Google's …

Microsoft finds malware hidden in new computers in China

Microsoft has found malware on new computers its employees purchased in various cities in China as part of an investigation into the security of the supply chain. That finding led researchers to a botnet called Nitol and a court order giving the company permission to take technical measures to disrupt the botnet.

The effort, dubbed Operation b70, began in August 2011 when Microsoft decided to see if there was any merit to claims that counterfeit software and malware were being installed on computers by suppliers before they hit the retail shelves in China. So, the company had employees go into …

Activist for Anonymous arrested during online chat

Barrett Brown, who has served as a spokesman for various Anonymous hacking operations, was arrested last night during a raid on his home while he was in the middle of an online chat.

He was taken into custody by the Dallas County Sheriff's Department shortly before 11 p.m. CT but was in the custody of the FBI by midday today, a spokeswoman for the sheriff's department told CNET.

She said she didn't know why he was taken into custody, saying only that no offenses were listed in the report. An FBI spokeswoman said she did not …