Dennis Fisher

From Light Blue Touchpaper (Richard Clayton)

On 11 November 2008 McColo, a Californian server hosting company, was disconnected from the Internet. This took the controllers for 6 major botnets offline. It has been widely reported that email spam volumes were markedly reduced for some time thereafter. But did disconnecting McColo only get rid of “easy to block” spam? Read the full story [Light Blue Touchpaper].

Whitfield Diffie, the inventor of public-key cryptography, moderates a panel of security experts, including Howard Schmidt, Steve Crocker, Chris DiBona and Eric Grosse, discussing a variety of security topics.

Kun Liu from IBM Research discusses the potential for developing privacy-aware social networking applications through the measurement and monitoring of privacy risks.

From The H Security

The Luxembourg security specialists G-SEC have published details of a vulnerability in the majority of browsers which will either crash the browser or consume so much memory that it makes the computer virtually unusable. The trick is simple. Using JavaScript’s DOM (Document Object Model), create a selection menu on the web page; a select element. Then assign to that select element’s length attribute a very high value, as a result there is a continuous allocation of memory. The length attribute specifies the number of menu items the select element should contain, and according to the specification (and common sense) should be read only, but in many cases, it is writeable. Read the full story [The H Security].

Attackers have begun using the unpatched vulnerability in Microsoft’s Office Web Components in SQL injection attacks. The vulnerability, which only became public this week, affects millions of users running a number of different versions of Windows, Office and Internet Explorer. The SANS Internet Storm Center said it is receiving reports of SQL injection attacks exploiting the vulnerability and using obfuscated code.

From Google Online Security Blog (Macduff Hughes)
There’s been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we’re highly invested in providing a high level of security in our products. While we can’t discuss individual user or customer cases, we thought we’d try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure. Read the full story [Google Online Security Blog].

From Bits (Claire Cain Miller and Brad Stone)
Twitter, which is generally quite private about its business plans, has fallen prey to an attack by a hacker who has apparently exposed confidential corporate information.
The hacker claims to have private documents including confidential contracts with Nokia, Samsung, Dell, AOL and Microsoft; the resumes of people who have applied to work at Twitter; personal information about Twitter employees including credit card numbers; future business plans; and floor plans and security codes for Twitter’s offices. Read the full story [NYTimes.com].