Guest post by John Viega
Today there’s been a lot of buzz about the clever new attack on public key infrastructure from Alex Sotirov and a team of researchers. In the attack, the bad guy ends up with his own Certification Authority (CA) that is fully trusted according to every major browser. People are [...]
Guest post by Chris Eng
In the wake of this morning’s 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I’ve read so far has focused on the technical details and real-world impact of their findings. Rightly so — their paper describing the attack is a fascinating read filled with enough gory details [...]
Year-end lists are quite popular at this time of the year — here’s our own top threats in 2008.
Most Prolific: Mass Compromises
Attacks were targeted to a specific group of users and were targeted at popular Web sites. Diverse Web sites — entertainment, political, online shopping, social networking — were all used to spread malware. Compromises [...]
By now, most of us are aware of the potential privacy risks posed by Web cookies. But according to a new paper published by security consultancy iSec Partners, traditional browser-based cookies aren’t the only technology used to store user data anymore. A number of browser plug-ins offer similar capabilities — and because plug-ins are nonstandard browser components, users are often unaware that these silent conversations are even taking place.
Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of [...]
