At the Black Hat security conference today, Microsoft championed a new approach to addressing security issues. The new emphasis is on collaboration between software vendors and security researchers to ensure that customers are kept as safe as possible.

Microsoft likened its approach to Neighborhood Watch schemes—secure computing cannot be achieved with software vendors and researchers all working independently; the landscape is too complex and the attackers are too numerous for this approach to work. Instead, companies must set aside their differences and work together to safeguard customers.

Much has been made of a recent Facebook "leak" which allegedly disclosed information on over 100 million Facebook users. What some reports have failed to highlight, however, is that the information was already public to begin with.

Security researcher Ron Bowes wrote a Ruby script that downloads information from Facebook's user directory, a searchable index of public profile pages. The directory does not expose a user's entire profile and only exposes information that the user has allowed Facebook to make public. This includes names, profile images, and small sampling of the user's friends. Users can opt out of inclusion in the search, but could potentially still appear on the directory page of a friend who is searchable.

Android enthusiast Stephen Bird found a way to gain root access on Motorola's new Droid X smartphone. He ported an exploit for the Motorola Milestone that was recently published by developer Sebastian Krahmer.

The exploit takes advantage of an Android flaw that is similar to a privilege escalation vulnerability Krahmer found in udev last year. He briefly explains the hack in a little message to Google's engineers that is included in a document that he distributes with the exploit code.

"For the Google Engineers: The vulnerability is inside init, perfectly porting old udev's CVE-2009-1185," he wrote. "Exploitation sounds easy therefore but only the experienced will recognize its beauty."

Droid X owners can use the Android debugging tool to run the exploit on their device. Step-by-step instructions are available from the AllDroid forum community. The exploit will give users the ability to modify the contents of the filesystem and use certain third-party software like screenshot and tethering tools that only work on rooted devices.

Although the phone can now be rooted, the Droid X bootloader encryption hasn't been cracked yet—meaning that there is still no way to install custom ROM images on the device. It's possible that root access will simplify the process of identifying and exploiting weaknesses in the bootloader lock, however, so we could potentially see a full Droid X hack soon.

Read the comments on this post

If you use the autocomplete features in Safari, certain versions of IE, Firefox, or Chrome, you could be making yourself vulnerable to identity theft and other attacks, according to one security researcher scheduled to speak at the Black Hat conference next week. White Hat Security CTO Jeremiah Grossman says that the four major browsers have critical weaknesses that have yet to be addressed by their respective companies, and could expose users' passwords, e-mail addresses, and more to attackers.

Grossman plans to demo a proof-of-concept attack at next week's conference. As most of us know, if you have autocomplete turned on in many browsers, you just have to begin typing a letter or two in one of the fields before they all fill in with your name and address, possibly your credit card number, and more. Grossman says attackers can simply create a page with hidden form fields that use JavaScript to enter letters and numbers into each field until it finds one that's a hit, and the browser autocompletes it.

Users don't even have to enter a single letter for the attack to work—all they have to do is load the page, and they likely wouldn't even be aware of what's happening.

According to Grossman, the autocomplete exploit works in the two most recent versions of Safari (4 and 5), as well as IE 6 and 7. Firefox and Chrome aren't susceptible to this particular attack, though they were vulnerable to another one: Grossman says that the two browsers can expose stored usernames and passwords for saved sites, making it possible for a cross-site scripting vulnerability to grab the info when a user logs into a Google account or Facebook, for example.

The reason he plans to expose these vulnerabilities at Black Hat is because the companies in question have apparently not responded to Grossman's attempts to contact them about it. "I would never have talked about this publicly if Apple had taken this seriously," Grossman told The Register. "I figured somebody else must have found this before because it's so brain-dead simple.” When he sent a follow-up query “I never heard anything back, human or robotic."

Read the comments on this post

A presentation due to be shown at the Black Hat security conference at the end of the month will show that many of the routers used for residential internet connections are vulnerable to attack by hackers. The attacks would allow traffic to be redirected and intercepted, in addition to giving hackers access to victims' local networks.

The title of the presentation, "How to Hack Millions of Routers," gives a clear indication of the scale of the potential issues. Popular router models from Netgear, Linksys, and Belkin were found to be vulnerable, including models used for Verizon's FIOS and DSL services, as were widely-used third-party firmwares such as DD-WRT and OpenWrt. About half the routers tested did not appear to be vulnerable.

Yesterday, the DNS root zone was signed. This is an important step in the deployment of DNSSEC, the mechanism that will finally secure the DNS against manipulation by malicious third parties. 

The Domain Name System is a hierarchical system, where many nameserver operators are in charge of a limited set of information pertaining to a particular place in the hierarchy. To find the address information associated with any given name, it's necessary to traverse the hierarchy. For instance, looking up www.arstechnica.com means talking to a nameserver that knows about the "root," then going to one with information about .com and finally one that knows about arstechnica.com. DNSSEC requires signatures at each of these steps. Several top level domains (TLDs), such as .org, .se and .nl, have already signed their "zone," and can provide a secure pointer to domain names at the next level in the DNS hierarchy.

Mozilla has long had a policy of offering a monetary reward to developers who find new security vulnerabilities in the Firefox Web browser. In a recent change of policy, the organization has bumped the bounty from a modest $500 to $3,000. The offer has also been extended to Firefox Mobile and other new products.

The discovery of a previously unknown security vulnerability opens up a lot of opportunities for profit. Security researchers can get a ton of press exposure and publicity by publishing an exploit of an unpatched zero-day flaw. It is also increasingly common for security researchers to sit on undisclosed vulnerabilities for a long time so that they can whip them out for a quick and easy win during competitions that offer cash prizes.

It's clear that perceptions about vulnerability disclosure and the value of security bugs are changing in the software industry. Following the Pwn2Own competition last year at CanSecWest, security researcher Charlie Miller gained attention for his controversial "NO MORE FREE BUGS" campaign. He contends that vendors should pay for knowledge about previously undocumented vulnerabilities.

Mozilla's decision to offer $3,000 for legitimate new security threats is beneficial to users because it will encourage timely and responsible disclosure of new exploitable flaws.

Read the comments on this post