Stories by Glenn Fleishman

Should you fear the latest Mac firmware exploit?

A security researcher has found what he says is a deep flaw that potentially affects every Intel-based Mac made until mid-2014, when the error he discovered appears to have been fixed. Under a very particular combination of conditions, the exploit would let an attacker rewrite a Mac's boot firmware so that it carries persistent malicious software, the kind that survives reinstalling the operating system.

Glenn Fleishman | 05 Jun

SHA-what? A new warning in Chrome shames outdated security

As websites lag in fixing fundamental, well-known security problems, Google and Mozilla have started taking matters into their own hands by alerting users to server and infrastructure flaws. The latest step is Google rolling out a warning, and in some cases an error, in a recent version of Chrome that waggles its finger at sites whose certificates are signed with the outdated SHA-1 hash algorithm. Mozilla will follow no later than January, and perhaps earlier. Where are Apple and Microsoft hiding? More on them later.
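A practitioner-side check for the problem Chrome is flagging, added here as an example and not code from the article: it parses a DER-encoded X.509 certificate just far enough to read the outer signatureAlgorithm OID and reports whether the signature was made with SHA-1. The certificates it runs on are constructed inline with a minimal DER encoder (placeholder tbsCertificate and dummy signature bytes), not real ones; on a real certificate, read the DER bytes from a file and pass them to `classify`.

```python
# Added example: classify an X.509 certificate's signature hash by reading the
# DER structure directly, without any third-party library.
#
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# The second element is an AlgorithmIdentifier whose first member is an OID.

SIGNATURE_OIDS = {                       # OID -> (name, uses SHA-1?)
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets into dotted-decimal form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # a clear high bit ends the sub-identifier
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm field of a DER Certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)          # skip tbsCertificate entirely
    alg_tag, alg_start, _ = _read_tlv(cert_der, tbs_end)
    oid_tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm must be a SEQUENCE starting with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])


def classify(cert_der):
    """Return (algorithm name, True if SHA-1, None if the OID is unrecognised)."""
    oid = signature_algorithm(cert_der)
    return SIGNATURE_OIDS.get(oid, (oid, None))


# ---- constructed fixtures: a tiny DER encoder builds stand-in certificates ----

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_certificate(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder body: INTEGER 1
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))    # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(32))                        # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, sha1 = classify(fake_certificate(oid))
        print(f"{name}: {'flag, SHA-1 signature' if sha1 else 'ok'}")
```

The check reads only the outer signatureAlgorithm, which is what a browser verifies; on a real chain, run it over every certificate in the chain, since an intermediate signed with SHA-1 is just as much of a problem as the leaf.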

Glenn Fleishman | 01 Jun

Private I: The network vulnerability is coming from inside the house!

There's no doubt that networked resources like printers, scanners, and storage devices are hugely useful. But cheaper and older peripherals don't always have the gumption to connect via Wi-Fi or Ethernet: USB is the only option, or at least far cheaper. Networking USB devices is thus a clever workaround. Apple has supported networked access to USB printers via the AirPort Express since 2004, and to USB storage via its AirPort Extreme and Time Capsule base stations since 2007.

Glenn Fleishman | 23 May

Private I: Apple's Chinese market share may affect security judgment

Google apparently doesn't mind picking a fight with China. In 2010, unable to find a basis on which it could operate its services with minimal filtering or interference, and after attacks reported to originate in China against the company's internal mail and other systems, it redirected its mainland China search traffic to servers in Hong Kong. Hong Kong operates under a special status, though it is part of the People's Republic. Mainland searchers had to use workarounds to run Google searches via Hong Kong or elsewhere.

Glenn Fleishman | 01 May

TrueCrypt cryptographic audit turns up little to fear

Most desktop cryptography relies on software created and maintained by corporations, often (not always) based on open standards. That requires trusting two things: that the firm can resist government efforts to weaken its product, and that it can validate and audit its own code well enough to find and then repair serious flaws.

Glenn Fleishman | 03 Apr

Private I: Trust and verify for network certificate roots

In a post on March 23, Google's security team explained that it had discovered someone delivering digital certificates for Google domains that Google had never authorized. A quick investigation found that a Chinese certificate authority (CA), CNNIC, had improperly issued a reseller an intermediate CA certificate, giving it the power to create certificates, trusted by browsers, for any domain in the world.

Glenn Fleishman | 27 Mar

FREAKish apps still have security holes

The web security exploit known as FREAK, which I discussed last week, was patched by Apple within days of its disclosure two weeks ago. FREAK needed two things together: web servers still configured to offer 1990s-era "export-grade" RSA cipher suites, and a backwards-compatibility flaw in many of the software libraries used to create secure connections, which accepted a weak export-grade key even when the client had never asked for one. But the patch fixed only Apple's operating systems, not every app: an app that ships its own copy of a TLS library carries its own copy of the flaw.
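To make those two ingredients concrete, here is an added example (mine, not the article's) that models the FREAK downgrade as a simplified handshake: a server whose configuration still offers export suites, a man-in-the-middle who rewrites the ClientHello to ask for one, and a client library that either has the backwards-compatibility bug or the fix for it. The cipher suite names are real TLS names; the message fields, the server and client suite lists, and the assumed 2048-bit certificate key are constructed simplifications.

```python
# Added example: a simplified model of the FREAK downgrade, not code from the article.
# Only the handshake fields that matter to the attack are represented.

EXPORT_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
EXPORT_RSA_BITS = 512          # export-grade temporary RSA keys were capped at 512 bits
CERT_RSA_BITS = 2048           # assumed size of the server's certificate key (constructed)

# Constructed configurations: a server that never removed export suites, and a clean one.
LEGACY_SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
CLEAN_SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
MODERN_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA"]      # never asks for an export suite


def server_select(server_suites, offered):
    """Server-preference negotiation: the first server suite that the client offered."""
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def server_key_exchange(suite):
    """RSA export suites send a ServerKeyExchange carrying a signed temporary RSA key;
    ordinary RSA suites send none, and the client encrypts to the certificate key."""
    if suite in EXPORT_SUITES:
        return {"temp_rsa_bits": EXPORT_RSA_BITS}
    return None


def client_accepts_ske(negotiated_suite, ske, patched):
    """The library flaw: accept an export-grade temporary key whatever suite was
    negotiated.  The fix refuses it unless the client actually negotiated an export suite."""
    if ske is None:
        return True
    if patched and negotiated_suite not in EXPORT_SUITES:
        return False
    return True


def handshake(server_suites, client_suites, mitm, patched_client):
    """Run ClientHello / ServerHello / ServerKeyExchange.
    Returns (completed, RSA key size the premaster secret gets encrypted to)."""
    offered = list(client_suites)
    if mitm:
        offered = sorted(EXPORT_SUITES)      # attacker rewrites ClientHello to export-only
    chosen = server_select(server_suites, offered)
    if chosen is None:
        return False, None                   # server has no export suites: downgrade fails
    ske = server_key_exchange(chosen)
    # Attacker rewrites ServerHello so the client believes it got the suite it asked for.
    seen_by_client = client_suites[0] if mitm else chosen
    if not client_accepts_ske(seen_by_client, ske, patched_client):
        return False, None                   # patched client aborts the handshake
    return True, (ske["temp_rsa_bits"] if ske else CERT_RSA_BITS)


if __name__ == "__main__":
    for label, server, mitm, patched in [
        ("legacy server, no attacker, unpatched client", LEGACY_SERVER, False, False),
        ("legacy server, attacker, unpatched client", LEGACY_SERVER, True, False),
        ("legacy server, attacker, patched client", LEGACY_SERVER, True, True),
        ("clean server, attacker, unpatched client", CLEAN_SERVER, True, False),
    ]:
        print(f"{label}: {handshake(server, MODERN_CLIENT, mitm, patched)}")
```

The model shows why either fix on its own closes the hole: removing export suites from the server makes the downgrade fail at negotiation, and the client-side fix makes a downgraded handshake abort. A 512-bit RSA key is cheap to factor, which is why ending up at `(True, 512)` means the session is lost.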

Glenn Fleishman | 20 Mar