Famous Apple security expert Charlie Miller is preparing to announce 20+ new Zero Day security holes in Mac OS X at CanSecWest.  Charlie says “OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise.”   He further explains “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”  As I have been saying for years, Apple users are currently safer only because hackers see a larger ROI (return on investment) attacking Microsoft Windows based machines.

I have been noticing Apple Mac users more frequently requesting and installing third party anti-virus protection software than in previous years.   More key players in the anti-virus industry are releasing their flagship security products for the Mac OS.   When the Mac OS becomes a key target to hackers the damage caused will be quite significant due to most Apple users not installing third party security software solutions and the general mindset that the Mac OS is secure from hackers and exploits.

Tags: apple, Exploits, hack, hacker, zero day

Author: Christopher

1024-bit RSA encryption is used around the world to protect web servers and other devices using OpenSSL.  In the past only the RSA 768-bit version has been crackable using brute force methods with 1,500 years of processing time.  Recently computer scientists from University of Michigan claim they are able to crack OpenSSL  using a full 1024-bit RSA encryption by fluctuating the voltage on the servers power supply.  Although the scientist say this type of attack can be easily prevented by changing the error-checking algorithm, they claim this type of attack is repeatable and consistent and able to be performed in just over 100 hours.  Exponentially quicker than previous successful attacks on weaker key lengths.

Because direct access to the servers power supply is required to perform this attack, it is unlikely this vulnerability will be exploited in the wild on most servers.   Many consumer devices like MP3 players, BluRay players, and mobile phones use RSA encryption to protect intellectual property.   Consumer devices on the other hand are easy to gain physical access to and manipulated to gain access to intellectual property or private data.

More information can be found in their white paper (PDF) that will be presented next week in Dresden at the Design Automation and Test in Europe conference.

OpenSSL has acknowledged this vulnerability and are currently working on a patch.

Tags: Exploit, ssl, Vulnerability

Author: Christopher