Month: May 2011

Google has been touting how secure Chrome is, and has had a challenge out there for a while to take it on, well somebody did find a way!

Google Chrome Browser Cracked by Security Researchers

“A team of security experts at Vupen Security, a specialist in vulnerability research for defensive and offensive security, claimed they have successfully cracked Google’s Chrome browser and its sandbox, denting Google’s claim that its browser is as secure as the company says. A video on Vupen’sWeb site shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit, which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).

For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed, the security team said in a post on their Web site, and noted they are exclusively shared with their government customers as part of their vulnerability research services. Vupen also disclosed the exploit works on both Chrome versions 11.x and 12.x. It was tested with Chrome v11.0.696.65 and v12.0.742.30.

‘The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by Vupen and it works on all Windows systems (32-bit and x64),’ the Vupen Vulnerability Research Team wrote in the post. ‘While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.'”

Of course, this just means that Google will “harden it” even more, and I think it will remain the most secure browser out there!

Microsoft bought Skype for $8.5 billion in cash (no stock swaps this time!) I use Skype, in fact, I have a “Skype-In” number for Dr. Bill Bailey.NET. I have also used Skype for video recording of netcasts as well. So, I am pretty “jazzed” that they are expanding their service on to other devices. More power to them! And, now that they have been purchased by Microsoft, I expect they will be BIGGER than ever! Wow.

Skype Confirms: We’re Coming to Xbox, Outlook, Windows Phone & More

“In the wake of today’s confirmed acquisition of Skype by Microsoft Corp., tech press, analysts and armchair quarterbacks alike have been busy speculating why Microsoft would buy Skype (and why it spent $8.5 billion to do so.) While we can’t address the price of the deal, we do know as of this morning, exactly what Microsoft plans to do with Skype…at least in part.

Skype, the company states, will be coming to Xbox and Kinect, Windows Phone, Lync and Outlook, plus other Windows devices and communities.

According to a Skype blog post put up first thing this morning, the popular communications company will be integrated into many of Microsoft’s products and services, but it will not remove support for its product on non-Microsoft platforms, thankfully. That means that mobile apps like the iPhone and Android app will still be maintained, as will the Mac desktop application. How often those products will be updated, however, is unknown.

‘Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices,’ the blog post states, referring cryptically to ‘Windows devices,’ instead of saying ‘computers running the Windows operating system,’ for example, which is a bit curious, we think. The post then continues, ‘Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities.'”

How cool is this!!!!

The Maquis Took Down Bin Ladin!

“In one of the most epic news failures ever, a German reporter credited the Maquis of Star Trek for taking down Bin Laden. Trek Movie found this, and it’s absolutely hilarious. SEAL Team 6 is credited for being part of the raid that took out Osama Bin Laden, and for their report on the story the German channel did a quick Google search for “Seals Team VI” and found a patch that to them looked like it may be used for the actual team. The skull in particular was pretty convincing. Too bad they didn’t realize that it was a Klingon skull.”

But, they did a great job and announced it, and caught it early! Kudos to them!

LastPass Password Troubles: What Happened?

LastPass is the latest company to find itself in the middle of a data security situation, but is your information in danger?As PCMag security analyst Neil Rubenking explained yesterday, the nature of the LastPass warning makes it unlikely that your passwords have been accessed by hackers; a fact that LastPass CEO Joe Siegrist confirmed in a Thursday interview with PCWorld.

‘We don’t think there’s much of any chance of [compromised passwords] at this stage,’ Siegrist said. ‘If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it’s hard for us to be 100 percent definitive without knowing everything.’ As LastPass explained in a blog post, the company on Tuesday noticed a ‘network traffic anomaly’ on one of its non-critical machines. That alone wasn’t a major red flag; it happens occasionally either via an employee or automated script, LastPass said. The problem, however, was that the company could not identify the root cause. LastPass also found a ‘similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server).’

As a result, LastPass decided to ‘be paranoid and assume the worst’ and asked that its customers change their master password. As PCMag’s Rubenking explained, LastPass provides users with a single, very strong ‘master’ password, and then remembers all your other Web site passwords. It can also fill in Web forms with your personal information. Your personal data and saved passwords are stored online in encrypted form, but your master password isn’t stored anywhere. If you forget it, you’re out of luck.

Having all of its users change their master passwords at the same time, however, led to a server overload at LastPass. The company allowed people to log in via ‘offline’ mode, so they could carry on with their business as LastPass worked through the email validation/password change process.

I think LastPass did a great job protecting it’s users! A security company “being paranoid” is a GOOD thing!

Alert! To all you Skype user’s on the Mac, there are exploits that can hurt you on teh Mac, and this is a big one!

Report: Skype’s Mac Client Has Dangerous Exploit

“The Skype client for Apple Mac computers has a zero-day vulnerability that allows an attacker to gain remote control of a victim’s Mac, according to a security researcher.

Skype was alerted to the vulnerability about a month ago but has yet to issue a fix, Gordon Maddern reported Friday on the Pure Hacking blog.

Since the publication of Maddern’s findings, Skype has promised a fix ‘early next week,’ according to ZDNet UK. ‘We are aware of this and will release a fix early next week to resolve the issue. We take our users’ privacy very seriously and are working quickly to protect Skype users from this vulnerability,’ Skype wrote in an email to the website.

After accidently discovering the vulnerability in a Skype chat with a colleague, Maddern said he successfully tested the ‘extremely wormable and dangerous’ exploit on more Macs but found that Skype’s Windows and Linux clients were not affected. The security researcher then used penetration testing tools and was able to remotely take over a Mac through the Skype vulnerability, he said.

Maddern said he contacted Skype to alert them to the issue but decided to publish the basic facts of his discovery because “that was over a month ago and there still has not been a fix released.”