Cryptography

February 2, 2012, 10:28AM

Apple Ships Huge Set of Patches for OS X

Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OS X Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.


January 30, 2012, 11:47AM Video Around the Web

Video: New Banking Trojan Caught Breaking CAPTCHA

A new banking Trojan variant can bypass CAPTCHA, as demonstrated by a video posted today by security firm Websense on their Security Labs blog.


January 24, 2012, 3:40PM

Court: Forced Hard Drive Decryption Doesn't Violate Fifth Amendment

In what may become a precedent-setting digital rights ruling, Judge Robert Blackburn of the United States District Court of Colorado ruled that compelling an individual to provide access to the encrypted contents of a device does not violate the US Constitution's prohibition of self-incrimination.


January 24, 2012, 7:24AM Around the Web

Does DNSSEC Really Interfere With SOPA/PIPA?

By Eric Rescorla

You've of course heard by now that much of the Internet community thinks that SOPA and PIPA are bad, which is why on January 16, Wikipedia shut itself down, Google had a black bar over their logo, etc. This opinion is shared by much of the Internet technical community, and in particular much has been made of the argument made by Crocker et al. that DNSSEC and PIPA are incompatible. A number of the authors of the statement linked above are friends of mine, and I agree with much of what they write in it, but I don't find this particular line of argument that convincing.


January 18, 2012, 10:20AM

Elevating Privileges Via Windows Installers

There's an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn't be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that's to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.


January 18, 2012, 10:01AM

Slideshow: Ten Tips For Protecting Your Devices From Seizure By U.S. Customs

Fourth Amendment be damned. With U.S. Customs agents increasingly interested in the contents of digital devices like iPhones, iPads and laptops, the Electronic Frontier Foundation has issued guidance for getting your mobile device across the border safely and protecting the data on it should it get seized.


January 12, 2012, 11:51PM

Researchers Find Sykipot Trojan Variant For Hijacking DoD Smart Cards

A report from AlienVault says that variants of the Sykipot Trojan have been found that can steal DoD smart card credentials.


January 9, 2012, 2:31PM

How the Great Firewall of China Blocks Tor

Governments in some countries have not been shy about trying to block their citizens from using the Tor network to access censored or sensitive Web content. The Chinese government has become quite proficient at this, and a recent analysis of the methods the country is using to accomplish this shows that officials are able to identify Tor connections in near real-time and shut them off basically at will.


January 9, 2012, 1:08PM

Did Apple, RIM and Nokia Help The Indian Government Spy On The U.S.?

Documents purportedly lifted from Indian government servers contain explosive allegations: that leading Western firms including Apple Corp., Research in Motion and Nokia provided the government with secret access to mobile devices running their mobile operating systems, access that the Indian government then used to spy on official, high-level conversations about trade relations between the U.S. and China.


January 5, 2012, 7:59AM

New Version of OpenSSL Fixes Six Flaws

A new version of the OpenSSL package has been released, fixing six vulnerabilities, including a plaintext recovery attack on the DTLS implementation. There are two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.



Copyright © 2012 threatpost.com