NEWS - January 25, 2013

Google has released Chrome 24.0.1312.56 to the stable update channel of the open source browser. The new update closes five security holes, three of which are high severity, and fixes problems with mouse wheel scrolling.

Atte Kettunen of the Oulu University Secure Programming Group in Finland received $1000 for the discovery of a high severity use-after-free vulnerability in the font handling of the HTML5 canvas. Ted Nakamura of the Chromium development community found a Mac OS X-only crash problem with unsupported RTC sampling rates, also rated with a high severity. The last of the high-severity-rated holes, an unchecked array in Chrome's content blocking, was fixed by the Chrome Security Team. Two medium severity issues were also fixed.

The mouse wheel scrolling problem fixed in this update concerned situations where the browser would scroll one pixel per mouse wheel interaction when it was actually set to scroll one screen at a time. Install problems for multiple user setups under Windows when Chrome was installed with administrator privileges have also been remedied.

Chrome 24.0.1312.56 is available for Windows, Mac OS X and Linux, and as the Chrome Frame plugin for Microsoft's Internet Explorer browser. All versions of Chrome should update themselves automatically; on some mobile platforms the user will be prompted to perform the update. Chrome is built from the open source Chromium browser project run by Google.

http://www.h-online.com/security/news/item/Chrome-update-closes-holes-and-fixes-mouse-wheel-issues-1791381.html

Scores of programmers uploaded their private cryptographic keys to public source-code repositories on GitHub, exposing their login credentials to world+dog. The discovery was made just before the website hit the kill switch on its search engine or, more likely, the service collapsed under the weight of curious users trawling for the sensitive data.

The ability to search for private Secure Shell (SSH) keys on the popular open-source code haven came to light yesterday in tweets and other messages on social networks. At least some of the credentials can still be found using Google and other external web crawlers.

GitHub has more than 2 million users but only a minuscule proportion made the daft mistake of uploading their private instead of just their public crypto keys. Private keys reportedly exposed included the SSH login for a major website in China.

Continued : http://www.theregister.co.uk/2013/01/25/github_ssh_key_snafu/

Related:
GitHub search exposes uploaded credentials
GitHub Search Makes Easy Discovery of Encryption Keys, Passwords In Source Code
Do programmers understand the meaning of PRIVATE?

Homeland Security Secretary Janet Napolitano warned on Thursday that a major cyber attack is a looming threat and could have the same sort of impact as last year's Superstorm Sandy, which knocked out electricity in a large swathe of the Northeast.

Napolitano said a "cyber 9/11" could happen "imminently" and that critical infrastructure - including water, electricity and gas - was very vulnerable to such a strike.

"We shouldn't wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage," said Napolitano, speaking at the Wilson Center think tank in Washington and referring to the September 11, 2001, attacks.

Napolitano runs the sprawling Homeland Security Department that was created 10 years ago in the aftermath of September 11 and charged with preventing another such event.

Continued : http://www.reuters.com/article/2013/01/24/us-usa-cyber-threat-idUSBRE90N1A320130124

"Two men jailed for carrying out cyber attacks, including one online assault that cost payments giant PayPal at least £3.5m"

A student and a church volunteer have been jailed for carrying out cyber attacks with the hacking group Anonymous, including one online assault that cost the payments giant PayPal at least £3.5m.

Christopher Weatherhead, a Northampton University student, was sentenced to 18 months in prison on Thursday for his part in distributed denial of service (DDoS) attacks on PayPal, Visa and Mastercard in December 2010.

The 22-year-old, who used the online alias "Nerdo", was found guilty in December of playing a leading role in several cyber attacks by Anonymous.

Weatherhead was impassive as his punishment was delivered by the Southwark crown court judge, who was earlier warned that his "nerdiness" would make him a vulnerable target in prison.

Continued : http://www.guardian.co.uk/technology/2013/jan/24/anonymous-hackers-jailed-cyber-attacks

Also:
Anonymous conspirator gets 18-month jail term
2 Anonymous Hackers from the UK Sentenced to Jail for Cyberattacks on PayPal
Brit mastermind of Anonymous PayPal attack gets 18 months' porridge