Cryptography

Two independent researchers are proposing an extension for TLS to provide greater trust in certificate authorities, which have become a weak link in the entire public key infrastructure after some big breaches involving fraudulent SSL certificates. Read more »

In a bulletin, the Department of Homeland Security (DHS) is warning healthcare organizations about the threat posed by insecure, network attached medical devices and the proliferation of smart phones, tablet PCs and other mobile devices in medical settings. Read more »

The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro Trojan that are using certificates taken from several companies and issued by VeriSign, Thawte and other certificate authorities. Read more »

The Dutch government has asked DigiNotar, the Dutch certificate authority that was broken into last summer, for €8.7 million ($11M USD) to recoup money it spent buying new certificates, according to several Dutch news reports. The Dutch interior ministry asked for €1 million in January, yet the number “has now risen to €8.7 million,” according to the company’s curator Rocco Mulder in an interview with Dutch news site nu.nl.

 Read more »

There's a serious weakness in certain versions of Apple OS X that causes the operating system to store users' login credentials for the FileVault encrypted storage in plaintext. The bug, which is found in older versions of FileVault present on OS X Lion 10.7.3 systems, enables anyone with admin access to the machine to get the login password for the FileVault system. The flaw also can be exploited when a machine is in FireWire disk mode and accessible to another computer. Read more »

A new project that was setup to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. Read more »

FBI investigators have broadened their probe into emailed bomb threats at the University of Pittsburgh to an anonymous remailer in Austria.

Earlier this week, at the request of U.S. authorities, police visited Christian Mock, an Austrian provider who offers anonymous remailing services. Authorities had a court order allowing them to "create a forensic disk image" of the remailer. "Therefore, I had to destroy any exisiting keys and create new keys," he announced in the alt.privacy.anon-server Google Group. Read more »

In what looks like the IT equivalent of the Deepwater Horizon oil spill disaster, purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to "Hardcore Charlie," an anonymous hacker who has claimed responsibility for the hacks.

Google has released an update for Chrome that repairs a problem when users attempt to connect to sites over HTTPS. In some instances, the browser will return an error messages that tells the user that the requested site's server certificate is invalid even when that's not the case.  Read more »

Justin MorehouseCorporate executives and other high value employees traveling abroad need to be on guard for attempts to compromise their mobile devices, and could even have their mobile phone compromised before they even disembark the plane following their arrival, according to security researcher Justin Morehouse. 

A thirst for intellectual property and trade secrets, and a bugeoning market of sophisticated mobile surveillance tools means that executives need to begin thinking and acting like spies in order to avoid being spied upon themselves, according to a presentation at the OWASP AppSec DC 2012 conference in Washington DC on Thursday.