Flaw in Web app frameworks pushes Microsoft to patch ASP.net promptly
Many Web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.Net platform just hours later.
Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the result of a calculation -- the hash function -- performed on the data itself. Ideally, the hash function would return a different result, or hash, for every possible item of data, but a table has far fewer slots than there are possible inputs, so some inputs are bound to share one. Implementations of hash tables therefore have to deal with "hash collisions," where two or more different pieces of data end up with the same hash.
A collision slows the storage and retrieval of the data involved: in a table that chains colliding entries together, each new colliding item has to be compared against every item already in the chain, so the total time for n colliding items grows with the square of n, according to Alexander Klink of German security consultancy N.runs and Julian Wälde of Darmstadt Technical University. An attacker who can choose the keys a framework inserts, such as the parameter names in a single request, can therefore force the server into that quadratic work deliberately.
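The quadratic cost described above, worked through in code. This is an added example and not code from the article, from N.runs or from Microsoft: the DJBX33A constants, the "Ez"/"FY" collision pair, the ChainedTable class, the BLAKE2b keyed hash and the 1000-field cap are all this example's own choices and assumptions, chosen to illustrate the attack and the two usual mitigations (a secret-keyed hash and a limit on the number of request fields).

```python
import hashlib
import itertools
import os

# Added example (not code from the article, N.runs, or Microsoft): a small
# chained hash table with a comparison counter, used to show why attacker-chosen
# colliding keys make insertion quadratic, plus two of the usual mitigations.


def djb33_hash(s: str) -> int:
    """DJBX33A, the kind of fast, unkeyed multiplicative string hash the attack
    targets (32-bit wraparound). The constants are the classic ones, not any
    particular framework's implementation."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n_blocks: int) -> list:
    """2**n_blocks distinct strings that all share one DJBX33A hash.

    "Ez" and "FY" collide (69*33+122 == 70*33+89 == 2399), and because the hash
    is linear in the characters, any same-length concatenation of those two
    blocks collides as well.
    """
    return ["".join(p) for p in itertools.product(("Ez", "FY"), repeat=n_blocks)]


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons. It never
    resizes, but resizing would not help: keys with an identical hash land in
    the same bucket at every table size."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def _bucket(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key, value):
        bucket = self._bucket(key)
        for i, (k, _) in enumerate(bucket):  # walk the chain looking for a duplicate
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def get(self, key, default=None):
        for k, v in self._bucket(key):
            self.comparisons += 1
            if k == key:
                return v
        return default


def insert_cost(keys, hash_fn) -> int:
    """Number of key comparisons needed to insert all keys into a fresh table."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


# Mitigation 1: a per-process secret key makes the hash unpredictable, so an
# attacker cannot precompute collisions. BLAKE2b in keyed mode is used here for
# illustration; production tables normally use a faster keyed hash such as SipHash.
_SEED = os.urandom(16)


def keyed_hash(s: str, key: bytes = _SEED) -> int:
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big")


# Mitigation 2: cap the number of request fields before hashing any of them.
# The 1000 limit is this example's assumption, not a figure from the article.
MAX_FORM_FIELDS = 1000


def parse_form(body: str, hash_fn=djb33_hash, max_fields: int = MAX_FORM_FIELDS) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable,
    rejecting oversized bodies before any per-field work is done."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_fields:
        raise ValueError(f"too many form fields: {len(pairs)} > {max_fields}")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


if __name__ == "__main__":
    hostile = colliding_keys(10)  # 1024 distinct keys, one hash value
    print("colliding keys, unkeyed hash:", insert_cost(hostile, djb33_hash))
    print("colliding keys, keyed hash:  ", insert_cost(hostile, keyed_hash))
    print("honest keys, unkeyed hash:   ", insert_cost([f"k{i}" for i in range(1024)], djb33_hash))
```

With 1024 colliding keys the unkeyed table performs 1024*1023/2 = 523,776 comparisons, and doubling the key count quadruples that; the keyed hash spreads the same keys over the buckets and needs on the order of a few hundred. The field cap rejects the hostile body outright, which is the cheaper defence when the hash function cannot be changed.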
HTC Android handsets spew private data to ANY app
A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information.
The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave Android Police the details along with demonstration code and a video showing how an application that is supposed to see almost nothing can now see almost everything.
So an application that is only supposed to be able to reach the internet (the INTERNET permission, a common request from free, ad-supported apps that need to fetch advertisements) can also read the user's location and details of all their synchronised accounts, not to mention the list of running tasks, the state of Wi-Fi connections, and system logs.
The data is being collected by a system package called HtcLoggers.apk, installed by HTC onto a range of Android handsets for reasons that aren't clear. That logging package accumulates data all the time, but it also has an accessible interface that other applications can use to request specific information - it even has a "help" command for those who don't know what it is they want to know.
Apple cuts French App Store’s ‘Jew Or Not Jew’ App
Apple Inc. has removed a mobile app, called "Jew or Not Jew?", from its online App Store in France.
The app let users consult a database of celebrities and public figures to determine if they are Jewish or not. Its removal follows a complaint from a French anti-racism group that threatened to sue the iPhone and iPad maker.
The app, "Juif ou pas Juif?" in French, was selling for 0.79 euros ($1.08) in France until it was cut on Wednesday. SOS Racisme had argued that the app violated France's strict laws banning the compiling of people's personal details without their consent.
Facebook adds two-factor authentication, other new security features
Facebook enhances security of the site with two-factor authentication, improved HTTPS. But is it enough for security pros?
Just a day after security firm Sophos publicly took Facebook to task for lacking important security features, the social network has added some new security elements in what it says is an effort to "make Facebook a more trusted environment."
In a blog post this week, Arturo Bejar, a director of engineering with Facebook, explained the new upgrades. The most noteworthy feature in the announcement is the introduction of two-factor authentication. According to the blog post, users who turn on the new feature will be asked to enter a code anytime they try to log into Facebook from a new device.