Q: What is OpenCandy?

A: OpenCandy runs a moderated recommendation network that enables software developers to recommend other software during installation of their application they believe will be valuable to their users. We were started by a passionate group of people who were determined to help users discover software and change the way software developers make money and reach new users. That’s why OpenCandy-powered recommendations are clearly labeled and why we allow only the best software into our network.

After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive.

Going a stage further, they removed the drive from the PC and connected a ‘write blocker’, a piece of hardware designed to isolate the drive and stop any purging of its contents. Incredibly, after leaving this attached for only 20 minutes, almost 19 percent of its files had been wiped for good, a process the researchers put down the ability of SSDs to initiate certain routines independent of a computer.

"The fact that data has been purged does not mean that a human knowingly tried to destroy evidence (e.g. 'accidentally appearing guilty'). [But] SSD data purging can destroy the evidence needed to demonstrate guilt (e.g. accidentally seeming innocent)," says Bell.

Researchers at UC San Diego found that the normal methods we use to securely wipe magnetic drives aren’t as useful on solid-state drives. After testing twelve SSDs, they found that only four were securely erased with whole-drive erasure methods. Trying to securely wipe a single file was even less successful, and more often than not a good portion of the file was recoverable.

The best way to keep your data secure on an SSD, the researchers said, was to encrypt the entire disk from the get-go, as soon as you’ve installed your operating system. Then, when you’re done with the drive, you can delete the encryption keys and do a regular full-drive erasure. They note that securely erasing unencrypted SSDs is very difficult, and in some cases impossible.

Paradoxically, only last week researchers in California uncovered a separate but related problem with SSDs, namely that it could be hard to securely wipe data from them in a guaranteed, controlled way.

Although at first it sounds as if this finding contradicts the Australian research (i.e that data is constantly being wiped by SSDs in order to maintain performance), it is more concerned with the difficulty of guaranteeing that data has really been erased from the portion of the drive it is located on from the point of view of software erase programs

exploitation was complicated by the fact that exploit techniques for 64-bit Safari are not widely documented. The techniques that the researchers used to bypass operating system protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are well-known, but the specific use and adaptation of these techniques on 64-bit Safari is unusual and required developing tools and attack code from scratch.

The time taken to develop working exploits shows that operating system-level protections like DEP and ASLR are useful tools. Finding security flaws in the browser is one thing; turning it into a useful attack that will succeed on up-to-date systems is quite another. But though the protection mechanisms make the job of exploiting flaws harder, they're plainly not impervious. Motivated attackers will find a way through the protection. The days of overnight hacks may be behind us—at the first pwn2own in 2007, an exploitable Safari flaw was discovered in five hours and a reliable exploit developed in just four hours—but successful hacks will continue to be an issue.

Historically, the competition has required competitors to use the newest version of the browser and operating system. Perhaps aware of this, Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version.

In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.

Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.

“If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work,” Miller said.

Miller’s winning exploit used ROP (return oriented programming) techniques to bypass DEP.

This is not the first time Miller has successfully broken into a fully patched iPhone. In 2007, Miller exploited the new iPhone’s Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data. Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.

Over the years, Miller said the iPhone’s security posture has improved significantly.

“The first one [in 2007] was really, really easy. They had nothing, no sandboxing. Everything was running as root. It was super easy. The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn’t in a sandbox.”

“As of 4.3, because of the new ASLR, it will be much harder,” Miller added.

While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device “way behind the iPhone” from a security perspective.

“The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information,” Iozzo said.

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to
help us manage the large number of email communications with our
guests. Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you. We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information. As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

A major security breach exposed countless customer emails for a growing list of companies, including TiVo, JPMorgan Chase, Citi, Capital One, Marriott Rewards, Walgreens and more.

Epsilon, the world's largest permission-based email marketing services company, released a statement reporting an unauthorized entry in its clients' customer database on Friday. Email addresses and customer names were obtained. The list of client databases began with the grocery chain Krogers, but as the investigation continues, more companies are added.

Epsilon sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10 to build and host their customer databases, reports Security Week:

The current list of companies affected include:
TiVo
US Bank
JPMorgan Chase
Capital One
Barclays Bank of Delaware
McKinsey & Company
Marriott Rewards
Ritz-Carlton Rewards
New York & Company
Walgreens
Brookstone
LL Bean
The College Board
Home Shopping Network (HSN)
Disney Destinations

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yours...data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy