[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”

[photo: Jon Jacobsen]

Laptop Containing 33,000 Clear Users Information Stolen

Security 101: Never put unencrypted sensitive information on a laptop and expect that it’s safe. Especially if you are the TSA. Recently, the TSA announced that a laptop was stolen from San Francisco International Airport containing “pre-enrollment records of approximately 33,000 customers” for the Clear Trusted Traveler Program. For $100 per year, the Clear Program enables travelers to get through airport security faster by showing TSA officers their Clear Registered Traveler Card and going through a special security line. While this program has no doubt saved many people valuable time getting through security, there are about 33,000 people who are now asking the question “Who has my personal information?”

[via schneier on security]

Edit: It looks like the laptop was found, however it is still unclear if the information on the laptop was compromised. In addition to basic personal information (Name, Address, Birthday, etc.), the laptop also contained drivers license, passport, green card information about clear users. You can check out the story here. Credits to [AudioCraz-Z] for the link.