Cryptography


Inside The Google Chrome OS Security Model

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS.

UK Police Arrest 2 in Zbot Plot

Authorities in the U.K. have arrested two people in connection with using a notorious Trojan in a scheme to steal online banking information. The man and the woman, both 20, were arrested by the Metropolitan Police Service in Manchester, according to police. The duo is accused of using the Zeus Trojan, also known as Zbot, in a plot to steal information. It is believed the Trojan was configured to record victims’ online bank account information and passwords, as well as credit card numbers and other information. Read the full article. [eWEEK]

Privacy Concerns Raised About Smart Grids

Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called “smart grid” efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers’ daily power consumption. Read the full article. [Washington Post]


They’re the Internet equivalent of storm chasers, spending endless hours scanning and sleuthing, looking for the telltale signs of botnets. Here’s an inside look at the battle against cybercrime’s weapons of mass infection. Read the full article. [CSOonline.com]

The recent ACM Cloud Computing Security Workshop in Chicago was devoted specifically to cloud security. Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the “keys” that unlock encrypted material for intended recipients. Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. He sat down with Technology Review’s chief correspondent. Read the full article. [Technology Review]

Injection attacks top the 2010 OWASP Top 10 list of Web application security threats, including SQL, OS, and LDAP injection, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection. The list is considered a “release candidate” that will be published in its final form in 2010. Read the full article. [Dark Reading]

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public. The flaw allows an outsider to hijack a legitimate user’s browser session and successfully impersonate the user, the researchers said in a technical paper. Read the full story [zdnet.co.uk]

Yesterday, a “Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your phone right now!” message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and stop the message from appearing at startup. Read the full story [Dancho Danchev/ZDNet]

Microsoft has released a free tool for retroactively hardening applications against known attacks, without recompiling the program with a special compiler flag. The Enhanced Mitigation Evaluation Toolkit (EMET) allows developers and administrators to activate specific protection mechanisms in compiled binaries without requiring access to the source code. The tool is currently able to prevent or impede four attack techniques. Read the full story [The H Online] See Microsoft blog post on EMET [technet.com]
