With apologies to George R. R. Martin, the drama around legitimate security research is starting to rival anything the Starks, Lannisters and Targaryens could muster.
Hardly a month goes by without some white-hat bug hunter wedged between a vendor or government threatening legal or regulatory action against disclosures that would serve only to make something more secure. Clearly some points on this vendor-researcher-policymaker triangle just don’t get that subtlety.
Soon after Dutch newspaper Volkskrant reported [in Dutch] about the Android vulnerability on the 27th of June, some members of the (security) community raised concerns about our attack.
It would be "nothing new" and "overrated". Some people [in Dutch] suggested that having a strong password already helps a lot, while others doubt the possibility of uploading malicious code on the Google Play Store and/or maintain that your phone will display plenty of warnings if you were to try this attack. They all miss the point.
An upcoming talk covering security problems in Internet-connected cameras has been canceled after opposition from some manufacturers.
Gianni Gnesa was scheduled to give a presentation titled "Abusing Network Surveillance Cameras" on Oct. 14 at the Hack in the Box GSEC conference in Singapore.
In the wake of last week's cookie security warning, accomplished Polish penetration tester Dawid Czagan has dug up a separate issue with Apple's Safari.
The bug Czagan has reported to Apple relates to its handling of the HTTPOnly flag, again leaving cookies open to attack.
A whole lot of work rolling out HTTP security is being undermined by bad browser implementation that facilitates man-in-the-middle attacks.
CERT has warned that all of the major browser vendors have a basic implementation error that mean “cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information”.