Linode DDoS Attack – Merry Xmas Sysadmins

So the Linode DDoS attack – seems like this xmas has been a terrible time for sys admins, along with what happened to Steam and A Small Orange (100+ hours down). A whole lot of work during the most drunken holiday of the year, not fun. And yes it affected me too, work wise everything [...]

Read the full post at darknet.org.uk

Google slams AVG for exposing Chrome user data with “security” plugin

Safer browsing... except someone can watch everything you search?

A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list.

AVG's "Web TuneUp" tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus in a way that broke the security checks Chrome uses to test for malicious plugins and malware. The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.

"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
