Tag Archives: Security

WikiLeaks Under Denial of Service Attack

wiredmikey writes “WikiLeaks has reported that its Web site is currently under a mass distributed denial of service attack. The attack comes around the time of an expected release of classified State Department documents, which the Obama administration says will put ‘countless’ lives at risk, threaten global counterterrorism operations and jeopardize US relations with its allies.”

Read more of this story at Slashdot.


Security Expert Warns of Android Browser Flaw

justice4all writes “Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. ‘While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,’ Cannon wrote. ‘It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.’” Sophos’s Chester Wisniewski adds commentary on how this situation is one of the downsides to Android’s increasing fragmentation in the mobile marketplace.

Read more of this story at Slashdot.


Researcher To Release Web-Based Android Attack

CWmike writes “A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google’s Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith’s attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. ‘We’re aware of an issue in WebKit that could potentially impact only old versions of the Android browser,’ Google spokesman Jay Nancarrow confirmed in an e-mail. ‘The issue does not affect Android 2.2 or later versions.’ Version 2.2 runs on 36.2 percent of Android phones, Google says.”

Read more of this story at Slashdot.


Massive DDoS Cuts Myanmar Off From Net

Trailrunner7 writes “The nation of Myanmar, formerly known as Burma, found its access to the Internet severed by a massive denial of service attack, according to a report by Arbor Networks. The source or motivation of the attack isn’t known, but it is believed that the distributed denial of service (DDoS) attacks have targeted the country’s Ministry of Post and Telecommunication (or PTT), the main conduit for Internet traffic in and out of the authoritarian nation.”

Read more of this story at Slashdot.


Schneier@TEDxPSU

No Tubo: Reconceptualizing Security (20 min.)


Former Student Gets 30 Months For Political DDoS Attacks

wiredmikey writes “A former University of Akron student was sentenced Friday to 30 months in prison, followed by 3 years of supervised release for conducting denial of service attacks on the sites of several prominent conservative figures as well as infecting several systems with botnet software. Mitchell L. Frost, age 23, of Bellevue, Ohio admitted that between August 2006 and March 2007, he initiated denial of service attacks on web servers hosting the sites of political commentators, including Bill O’Reilly, Rudy Giuliani, Ann Coulter, and others.”

Read more of this story at Slashdot.


Facebook User IDs were sold to data brokers, company admits

By Ed Oswald, Betanews

In yet another black eye for social networking site Facebook, the site disclosed Friday that several developers were selling user data to a third party. User IDs, or unique identifiers given to every registered member of the site, allow an application to look up a user’s public personal information.

As a result of the discovery, the offending developers have been placed on a six-month suspension. While not identifying those at fault, the company did say at least one data broker — RapLeaf, Inc. — came forward to assist in the investigation. It was not immediately clear if RapLeaf was the purchasing broker, although it agreed to delete any user IDs in its possession.

“Facebook has never sold and will never sell user information,” engineer Mike Vernal wrote in a blog post on the site. “We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook.”

Fewer than a dozen developers will be suspended as a result of the company’s internal investigation, Vernal reported. These companies would also be subject to “audits” to ensure continuing compliance.

The issue was first disclosed in mid-October after the Wall Street Journal reported that tens of millions of these user IDs had been compromised. However, at that time Facebook did not say that developers may have been intentionally disclosing these identifiers for profit.

Regardless, the site again stressed that private information was not at risk, just the data that a user may have made publicly available. It also has spurred the company to launch a new way of identifying user IDs anonymously which all developers would be required to use by January 1. APIs to take advantage of this new functionality would be released next week.

“In taking these steps, we believe we are taking the appropriate measures to ensure people stay in control of their information, while providing developers the tools they need to create engaging social experiences,” Vernal said.

Copyright Betanews, Inc. 2010


Serious Security Bugs Found In Android Kernel

geek4 writes with this excerpt from eWeek Europe: “An analysis of Google Android Froyo’s open source kernel has uncovered 88 critical flaws that could expose users’ personal information. An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday. The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC’s Droid Incredible handset. … While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.”

Read more of this story at Slashdot.


Why Facebook Won’t Stop Invading Your Privacy

GMGruman writes “Every few weeks, it seems, Facebook is caught again violating users’ privacy. A code error there, rogue business partners there. The truth, as InfoWorld’s Bill Snyder explains, is that Facebook will keep on violating your privacy, no matter what its policies say, what promises it makes, or how shocked it claims to be at the latest incident. The reason is simple: Selling personal information on its users is how it makes money, and Facebook is above all a business.”

Read more of this story at Slashdot.


RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Trailrunner7 writes “The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.” The article goes on to say, though, that “Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions,” and that Linus Torvalds has committed a fix.

Read more of this story at Slashdot.
