Security

Codenomicon CTO discusses tackling vulnerabilities

This week, I had a chance to talk by phone with Ari Takanen, co-founder and CTO of Codenomicon. Takanen's company doesn't engage in vulnerability research but instead creates the tools by which enterprises can check their own software for vulnerabilities.

Which raises a question. On previous shows I've interviewed independent researchers who, outside of a given company, have identified and made public serious vulnerabilities. One would think an independent voice might be better than one located inside a company.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Q: What … Read more

Researchers say Microsoft's CardSpace vulnerable

Using attacks similar to those used to break .NET Passport, a group of students at the Ruhr-Universität Bochum in Germany claim to have stolen CardSpace's security tokens from a compromised machine. But Microsoft dismisses the attack, saying an attacker would need a user's help.

CardSpace is included within .NET Framework 3.0 and allows users to create personal information cards that are shared with participating Web sites for authentication. A user creates a CardSpace card for a site and the .NET software then obtains a digitally signed XML token from the site issuer. What the students in … Read more

Microsoft warns of Safari for Windows blended attacks

Microsoft has issued an advisory warning Windows users who have installed the Apple Safari for Windows browser that their systems may be vulnerable to attack.

The Safari "carpet bombing" attack was first described by Nitesh Dhanjani last month, but dismissed by Apple as a serious threat. Under Dhanjani's scenario, a user would surf using Apple Safari for Windows to a maliciously crafted Web site such as http://malicious.example.com/. Dhanjani says Safari does not know how to render content-type of blah/blah, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights … Read more

Hotmail users getting locked out

Imagine getting an e-mail from a friend or family member with the following subject line: "ITS IMPORTANT YOU GET BACK ME TODAY."

CNET is aware of a couple of Hotmail users who have recently gotten locked out of their accounts. In one case, someone who had hacked into an account sent a desperate-sounding e-mail asking for money under the account holder's name.

Microsoft had no direct comment.

The body of one of the e-mails, sent to a CNET reporter, reads:

"I am in a hurry writing this mail. I had a trip to oxfordshire, United Kingdom … Read more

EIC Squared: D6, Dell's future, and Comcast hacks

On this week's EIC Squared podcast, ZDNet's Larry Dignan and I discuss the celebrity interviews at the D6 conference, hosted by Walt Mossberg and Kara Swisher. Unfortunately, I called in from the San Diego airport United Airlines gate area, so you'll hear crying children and the ticket taker coaxing me to get on the plane. Larry gives the lowdown on Dell's earnings and the most recent security issues, patches from Apple, and the Comcast hack.

Will Firefox 3 set a new world record?

Mozilla hopes to set a world record for the most downloads within a 24-hour period on the day Firefox 3 is released (currently expected to be in June).

The online edition of the Guinness Book of World Records does not list a current record for most downloads within 24 hours.

The final release candidates for Firefox 3 are showing a number of improvements, including greater rendering speed, the use of fewer resources, and more baked-in security features than other browsers.

To help Mozilla set a world record, the foundation recommends the following:

Sign up to get the final copy of Firefox 3 on Download Day. … Read more

Acxiom gets personal with authentication

The process of logging into your stock portfolio online is about to get a lot more personal, according to Acxiom.

The Little Rock, Ark.-based data warehouse company last week announced FactCheck-X Authenticate, a new biographical authentication service that asks users random questions based on their personal lives. But some privacy advocates say the added layer of security is not worth the extra intrusion into our personal lives.

Acxiom's Web site says its "products and services help companies improve their results by providing greater insight into what drives their business--their customers, specifically their needs and wants." Jennifer … Read more

Cisco reacts to IOS Network rootkit presentation

A paper presented at a security conference in Europe over the weekend has Cisco and the security community debating the reality of rootkits over the Cisco Internetwork Operating System (IOS) network. Devices affected include routers and voice over IP phones.

At the EUSecWest conference in London, Core Security researcher Sebastian Muniz presented what he called the "Da IOS Rootkit," a binary modification to the IOS image. "The main feature of Da IOS Rootkit is the universal password," Muniz said in an interview on the EUSecWest Web site. "Every call to the different password validation routines … Read more

Adobe Flash exploit raises concern

Update 11:10 a.m. May 30: Despite earlier reports, version 9.0.124.0 of Adobe Flash Player has no new bugs. For the latest news, click here.

Legitimate Web sites hosting Adobe Flash Player content may be compromised to embed JavaScript that redirects users to a Chinese malware server, says Symantec. Affected versions of Adobe Flash Player include 9.0.124.0 (latest version) and 9.0.115.0.

Symantec says that under certain conditions embedded JavaScript within the player will redirect users to dota11.cn. In an alert on Tuesday, Symantec said specific details about the vulnerability … Read more

Google Docs used in latest spam attack

Spammers will do just about anything to get their e-mail through corporate and desktop filters. According to MessageLabs, they're now using Google Docs, a perfectly legitimate way to publish to the Web. Only what they're publishing is the same old wares--this time, it's enhancement pills. This week I talked with Matt Sergeant, senior anti-spam technologist with MessageLabs, who told me how they've been tracking one Google Doc since May 8, 2008.

Later in the conversation, Sergeant talks about the resurgence of Storm. Only a few weeks ago, MessageLabs reported a notable decrease in computers infected with the Storm botnet. … Read more