A sophisticated attack against Google coming from china. It is interesting to see how this was done.
It was based on phishing and on installing malware on victim computer to access to their gmail attack. The victims are chinese human right activists. And they were able to access two gmail accounts.
A demo of the attack using Metasploit tool can be watched here.
An interesting post from veracode blog about trusting compilers.
To sum up the issue is that kaspersky and F-Secure labs published a sample of a new kind of viruses that target compilers in order to modify them to make them inject malicious code when compiling sources.
The overall approach is interesting. However, as I have posted in response to the post.
It is clear that compilers cannot be trusted anymore. However, I don't think that it is hard to detect that the compiler is malicious.
An easy and simple way would be to take a simple program, say the HelloWorld program and a compiled version, a trusted one. For this, the binary code should be reviewed (this is possible, even manually because the code is simple).
Then we compare the compiled version we get using the compiler (to be tested) with the other 'trusted one'.
No need to go with complex binary analyses, as suggested by Chris's paper.
CWE/SANS published a recent report on the most dangerous programming errors, that developers should be aware of. This report is very interesting, and worth reading.
Dr. Tejeddine Mouelhi