Twitter Web Interface Exploited

Seems there was an abundance of “re-tweets” this morning, all containing a fragment of JavaScript that re-tweets itself when moused over on the Twitter web interface.  This could easily be mutated into a much more sinister attack.

Twitter reports that this issue has been resolved.


Microsoft Alerts On Massive ASP.NET Bug

Microsoft is warning users that a critical bug in ASP.NET could be exploited by attackers to hijack encrypted Web sessions to steal usernames and passwords from Web sites.

According to Microsoft’s advisory, the flaw exists in all versions of ASP.NET, a Web application framework used to craft millions of sites and applications.  Microsoft will have to patch every supported version of Windows, including XP, Server 2003, Windows 7, and Server 2008 R2.  Other products, including IIS and SharePoint server software, are also affected.

Hackers can exploit the vulnerability by forcing ciphertext into an ASP.NET application and noting the error messages it returns.  By repeating the process and analyzing the errors, criminals can learn enough to correctly guess the encryption key and decrypt the entire ciphertext.

No ETA is provided for the patch release; however, workarounds are provided.

GM Demos All-Electric Cruze EV

Here they come!!  I’ve been waiting a long time for the re-emergence of the electric car.  GM teamed up with Daewoo, LG Chem, and LG Electronics a year ago, and this is the interim result.

The Cruze EV is equipped with a 31-kWh battery and reaches a maximum of about 102.5 miles per hour, with a 0-60 time of about 8.2 seconds.  The Cruze EV has demonstrated a 100-mile range.  The development team is working on a “quick-charge” application that will significantly reduce the Cruze EV’s 220-volt charge time of 8 to 10 hours.


IETF Approves Customised E-Crime Reporting Format

An Internet standards group has approved an electronic crimes reporting format, which should give security researchers a consistent set of data with which to more accurately categorize and gauge online crime.

The Internet Engineering Task Force (IETF) approved a customised version of the XML-based Instant Object Description Exchange Format (IODEF). Extensions have been added to it that are appropriate for creating standard e-crime reports.

The format allows for unambiguous time stamps, support for different languages and a feature to attach samples of malicious code.  It solves a problem the security industry faces today: inconsistent reports, which make it harder to spot trends and react quickly.
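
How a report consumer might rely on those properties, as an added example (not code from the IETF or from this post): it parses a report in the base IODEF namespace, flags any time stamp that lacks a UTC offset, and normalises the rest to UTC so reports from different senders line up. The sample report is constructed and trimmed to the fields checked, `check_report` is a hypothetical name, and the e-crime extension elements are not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
TIME_TAGS = ("DetectTime", "StartTime", "EndTime", "ReportTime")

# Constructed sample report, trimmed to the fields checked below.
SAMPLE = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">EX-0001</IncidentID>
    <DetectTime>2010-09-21T08:15:00-04:00</DetectTime>
    <StartTime>2010-09-21T07:50:00</StartTime>
    <ReportTime>2010-09-21T12:30:00Z</ReportTime>
  </Incident>
</IODEF-Document>"""

def check_report(xml_text):
    """Return (problems, times). times maps 'IncidentID/Tag' to a UTC
    datetime for every time stamp that carries an explicit offset."""
    # For reports from untrusted senders, use a hardened XML parser
    # (for example defusedxml) instead of the standard-library one.
    root = ET.fromstring(xml_text)
    ns = {"i": IODEF_NS}
    problems, times = [], {}
    if root.tag != "{%s}IODEF-Document" % IODEF_NS:
        return ["root is not an IODEF-Document"], times
    if not (root.get("lang") or root.get(XML_LANG)):
        problems.append("document has no language tag")
    for incident in root.findall("i:Incident", ns):
        iid = incident.findtext("i:IncidentID", default="?", namespaces=ns)
        for tag in TIME_TAGS:
            for el in incident.findall("i:" + tag, ns):
                raw = (el.text or "").strip()
                # Older Python versions reject the 'Z' suffix, so expand it.
                iso = raw[:-1] + "+00:00" if raw.endswith("Z") else raw
                try:
                    ts = datetime.fromisoformat(iso)
                except ValueError:
                    problems.append(f"{iid}/{tag}: unparseable '{raw}'")
                    continue
                if ts.tzinfo is None:
                    problems.append(f"{iid}/{tag}: no UTC offset")
                else:
                    times[f"{iid}/{tag}"] = ts.astimezone(timezone.utc)
    return problems, times
```

On the sample, the `StartTime` without an offset is reported as ambiguous, while the other two time stamps normalise to 12:15 and 12:30 UTC.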