Tech News Weekly: Edition 44

http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
Via: http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html
The NIST competition for a replacement for the SHA-2 hash family closes today. Unfortunately it doesn't seem that the list of candidates is available yet. Please post a reply if you happen to come by it. Keep your eyes peeled for info.

NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications.  The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. Entries for the competition must be received by October 31, 2008.

http://www.nytimes.com/2008/10/25/technology/internet/25phone.html
The first flaw has been uncovered in Google's Android platform.

Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it.

One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.

http://www.itbusiness.ca/it/client/en/home/News.asp?id=50510
According to Sophos, E-mail malware has made a substantial comback in the previous quarter of this year.

The volume of malware attacks conducted via e-mail attachments increased about 800 per cent over the past three months as this low-grade hacking method was brought back from the grave, according to a U.K.-based security vendor.

This reverses an earlier trend. Previously, malware trends indicated hackers were moving away from sending infected attachments. Most attacks were carried out by embedding links to viruses or Trojans right into the e-mail.

http://www.computerworld.com.au/index.php/id%3b509001956%3bfp%3b4194304%3bfpid%3b1
http://news.cnet.com/8301-1009_3-10078353-83.html
The infamous Koobface Facebook threat is back, and is using Google's website to bypass Facebook protection (blacklisting is to 1990's).

Hackers initially unleashed Koobface in late July, but Facebook's security team soon slowed its spread by blocking the Web sites that were hosting the malicious Trojan software.

That has prompted the criminals to change tactics, according to Guillaume Lovet, a senior research manager with Fortinet. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.

The links appear safe because they go to Google.com Web sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a Web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most antivirus programs, according to Facebook.

http://www.physorg.com/news144519988.html
IBM have developed a USB-sized device that can be used to thwart attempted online banking fraud.

The "security-on-a-stick" solution — a handy USB-sized device with a display, a smart card reader and buttons — protects a user's e-banking transactions from even the most malicious attacks. With the new device, developed by an expert team at IBM's Zurich Research Lab, a user sees exactly what transaction data the banking server receives. Moreover, he or she can approve or cancel each transaction directly with the banking server using the buttons on the device.

http://www.theregister.co.uk/2008/10/26/google_chrome_address_spoofing/
Chrome is subject to yet another major vulnerability allowing websites to impersonate other websites.

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.

http://www.theregister.co.uk/2008/10/27/zero_day_opera_bug/
In similar news, Opera's most recent browser patch has led to an easily-exploited RCE vulnerability.

Just a few days after Opera Software patched critical vulnerabilities in its browser, researchers have identified another serious bug that allows attackers to remotely execute malicious code on the machines of people running the most recent version of the software. Opera has vowed to fix the flaw soon.

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims' browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that's based on the same weakness.

http://news.cnet.com/8301-1009_3-10078353-83.html
The Australian Taxation Office has misplaced a disk containing the unencrypted tax details of 3122 trustees, and has failed to notify them of the breach until 3 weeks later. Interestingly enough, Australia still has no laws governing the handling or reporting of corporate data breaches. Yay for incompetent government!

The ATO admitted that the CD was not encrypted and victims were only notified three weeks later.

The disk contained the name, address and super fund tax file numbers for 3122 trustees and was being couriered to the ATO, but failed to reach the department.

The Tax Office was notified about the missing CD on October 3 but only sent out letters to the victims on October 24, offering to re-issue the tax file numbers for their super funds.

http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html
The long-contested idea that using hashes to determine the content of computer files is classified under the Fourth Constitutional Amendment as a "search" has been upheld in court for the first time, though appeal is likely.

A good coder has as many uses for hash functions as George Washington Carver did for peanuts—but law enforcement is fond of these digital fingerprinting techniques as well, because they allow reams of data to be rapidly sifted and identified. Legal scholars, however, have spent a decade puzzling over whether the use of hash value analysis in a criminal investigation counts as a Fourth Amendment "search." A federal court in Pennsylvania last week became the first to rule that it does—but one legal expert says an appeal is very likely.

http://arstechnica.com/journals/microsoft.ars/2008/10/30/arspdc-windows-7s-streamlined-uac
Although they're keeping that fugly UI, it seems Microsoft will be overhauling UAC in Windows 7.

One feature of Vista that came under more criticism than most was User Access Control. The feature, designed to make Windows more secure by both limiting the rights of Administrators and making it easier for regular Users to gain Administrator rights only when necessary, was deemed to be annoying and intrusive. As a result, some 10-15% of Vista users turn it off.

Vista SP1 smoothed a few of the more annoying UAC wrinkles, but retained the same fundamental mechanics. The two main problems with UAC:the screen going black momentarily whenever a confirmation prompt was displayed, and the need to reaffirm explicit user actions.

With Windows 7, Microsoft has tried to tone down UAC to make it less invasive while still affording the same protection.

http://www.downloadsquad.com/2008/10/30/ubuntu-8-10-intrepid-ibex-released/
Bang-on-target Intrepid Ibex has gone final today, with many impressive new features.

Ubuntu 8.10 is available for download today. And because Ubuntu Linux is open source software and we've been following its development for the last 6 months, there aren't a ton of surprises. But that doesn't mean you shouldn't download it if you're running Ubuntu 8.04 or if you're looking for a new Linux distro to try. Because it does include a number of tweaks, bug fixes, and improvements. Here are just a few:

    * Improved support for connecting to 3G wireless networks
    * A utility for loading a fully working Ubuntu installation on a USB disk
    * There's a new System Cleaner utility that will help identify abandoned software packages (which could address one of my biggest pet peeves about most Linux distributions)
    * The Nautilus file manager now supports tabs

http://blog.wired.com/business/2008/10/tivo-set-to-str.html
It appears TiVo and Netflix have finally pulled their fingers out and are testing their system for streaming Netflix movies directly to TiVo subscribers.

Four years in the making, the Tivo/Netflix streaming partnership is finally ready for prime time. Tivo began testing software Thursday and expects to have the entire Netflix streaming collection available to subscribers of both services by early December.

The companies originally announced plans to serve Netflix movies-on-demand to Tivo boxes in 2004 but shelved plans due to a lack of available content.