Access control and authentication - News, Features, and Slideshows

News

• Researchers bypass the restrictions of Mac OS X default sandbox profiles

  The restrictions imposed by Mac OS X generic application sandbox profiles can be easily bypassed, researchers from Core Security Technologies found.

• Amazon adds app for easier two-factor authentication

  Amazon Web Services has added the option to use applications to create codes for its Multi-Factor Authentication (MFA) service, the company said on Wednesday.

• Ongoing drive-by download campaign hijacked MIT server

  A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender.

• Duqu exploits zero-day Windows kernel vulnerability to infect computers

  Security researchers from the CrySyS laboratory in Hungary have located an installer for Duqu, the <a href="http://www.pcworld.com/businesscenter/article/242114/duqu_new_malware_is_stuxnet_20.html">Stuxnet-inspired threat</a> that has kept the security industry on its toes for the past couple of weeks, and determined that it exploits a previously unknown vulnerability in the Windows kernel.

• Researchers defeat CAPTCHA on popular websites

  Researchers from Stanford University have developed an automated tool that is capable of deciphering text-based anti-spam tests used by many popular websites with a significant degree of accuracy.

• IBM anoints Q1 Labs technology as centerpiece of security portfolio

  IBM intends to make the security information and event management (SIEM) technology gained through the acquisition of Q1 Labs, which was officially closed yesterday, the centerpiece of IBM's broad security product portfolio.

• Researchers demo cloud security issue with Amazon AWS attack

  Researchers from the Horst Goertz Institute (HGI) of the Ruhr-University Bochum (RUB) in Germany have demonstrated an account hijacking attack against Amazon Web Services (AWS) that they believe affects other cloud computing products as well.

• Researchers demo cloud security issue with Amazon AWS attack

  Researchers from the Horst Goertz Institute (HGI) of the Ruhr-University Bochum (RUB) in Germany have demonstrated an account hijacking attack against Amazon Web Services (AWS) that they believe affects other cloud computing products as well.

• Exploit-powered Android Trojan uses update attack

  A new variant of the DroidKungFu Android Trojan is posing as a legitimate application update in order to infect handsets, according to security researchers from Finnish antivirus vendor F-Secure.

• Adobe to fix Flash flaw that allows webcam spying

  Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people's webcams or microphones without their knowledge.

• Facebook API abuse can expose private user data, say hackers

  Facebook is ignoring a serious shortcoming in the way it limits application developers' access to information about Facebook users, according to a pair of hackers.

• SpyEye steals banking codes by sending them to wrong phone

  Researchers from browser security vendor Trusteer have identified a new variant of the SpyEye financial Trojan that tricks online banking users into changing the phone numbers associated with their accounts.

• XSS web attacks could live forever, researcher warns

  Websites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage and an increasing tendency for heavy users of Web apps never to close their browser.

• GlobalSign plans to reopen Tuesday despite web server hack

  GlobalSign expects to bring its certificate-issuing systems back online on Monday, and resume business Tuesday, it said over the weekend. The U.S. certificate authority (CA) stopped issuing new SSL certificates last Tuesday in order to audit its security, after being named as a target by the hacker who claimed to have attacked Dutch CA DigiNotar.

• Google's two-step authentication goes worldwide

  Google <a href="http://googleblog.blogspot.com/2011/07/2-step-verification-stay-safe-around.html">said Thursday</a> that it has rolled out its two-step authentication sign-in system to 40 languages across over 150 countries.