Apple Mum On Plans To Protect Users From DigiNotar SSL Hack
Apple is keeping mum about when - or if - it will blacklist SSL certificates more than a week after other browser makers moved to break trust with the disgraced Dutch certificate authority DigiNotar. With each new day revealing more about the extent of the breach, experts warn that Apple is leaving users of the company’s Safari Web Browser and mobile devices vulnerable to man in the middle attacks.
DigiNotar Hacker Says He Has GlobalSign Database Backups, Other Data
As GlobalSign continues the investigation into the claimed compromise of its CA infrastructure, the attacker who says he breached DigiNotar and Comodo said in another message on Pastebin Wednesday that not only did he hack GlobalSign, but he has the private key used to sign the certificate for the company’s own domain as well as backups of its databases. The attacker, who is known as Comodohacker since his compromise of Comodo’s CA infrastructure in March, said that his attack on GlobalSign will be revealed soon, as will his compromises of three other certificate authorities that he says he has breached. His message seems to be in response to media reports and emailed comments and questions he is getting as he continues to reveal more details of the attacks.
DigiNotar security incident goes from bad to worse
Dutch Certificate Authority (CA) DigiNotar has watched the situation surrounding the breach to their network go from bad to worse, as new reports estimate 300,000 Iranians were possibly compromised due to problematic security within the company. A security report compiled by Fox-IT, who is investigating the breach, outlined several instances of lackluster security on DigiNotar’s network, and noted that some 300,000 Iranians were exposed in the incident. Version 1 of the report can be read here. In total, 531 fraudulent certificates were issued during the DigiNotar breach, including certificates for Google, Microsoft, MI6, the CIA, TOR, Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo.
Comodo Hacker Claims Credit for DigiNotar Attack
The same attacker who claimed to have compromised Comodo in March is now claiming responsibility for the attack on DigiNotar, the Dutch certificate authority that issued fraudulent certificates for several hundred domains in the last few weeks, including Google, Yahoo, Mozilla Add-Ons and several intelligence agencies. In the wake of the widening scandal, the Dutch government has performed an audit of the company’s CA business and browser vendors have revoked trust for the certificates DigiNotar issued for the Dutch government’s PKI. In a message posted to the same Pastebin account used to detail the Comodo attack six months ago, a user by the name of Comodohacker claims to have compromised not just DigiNotar but also four other high-profile CAs, including GlobalSign. The hacker also said that his actions are politically motivated, in retaliation for the Dutch involvement in the Srebrenica massacre in 1995. The hacker said that he attacked DigiNotar on July 11, the anniversary of that massacre.
Mac Lion blindly accepts any LDAP password
Apple’s latest version of Mac OS X is creating serious security risks for businesses that use it to interact with a popular form of centralized networks. People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way in to sensitive networks.
Dutch Government Scrambling To Reassure Citizens About Security Of Digital ID System
Call it “RSA on the Rhine.” Government officials in The Netherlands were left scrambling Tuesday to reassure nervous citizens that the country’s digital ID system, dubbed DigID, was safe after it was revealed that DigiNotar, the certificate authority that backs the DigID system, had been compromised by hackers and used to issue fraudulent certificates. In a statement on Tuesday, the Netherlands Ministry of the Interior and Kingdom Relations sought to reassure millions of residents that the public key infrastructure (PKI) system used by the government, PKIoverheid, was still secure.
Digital Certificate Authority Hacked, Dozens Of Phony Digital Certificates Issued
DigiNotar confirms it was breached and Google.com just one of ‘several dozens’ of fraudulently issued digital certificates obtained by hackers and now revoked
Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities
What’s worse than finding a worm in your apple? Finding half a worm. What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months. People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.
Attackers Obtain Valid Cert for Google Domains, Mozilla Moves to Revoke It
A certificate authority in the Netherlands issued a valid SSL wildcard certificate for Google to a third party in July, leading to concerns that attackers may have been using the certificate to route sensitive traffic through their own servers, capturing it and compromising user data in the process. The certificate was revoked by the CA, DigiNotar, after the problem came to light Monday.
Lawmakers Call for Probe of Medical Devices After Researcher Hacks Insulin Pump
Two federal lawmakers have asked the General Accountability Office to look into the security of medical devices after a researcher showed how he was able to hack his insulin pump and alter settings due to security flaws in the system. Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), members of the House Energy and Commerce Committee, asked the GAO this week to investigate the safety of medical devices that have built-in wireless communication capabilities and could be susceptible to such attacks.
News International: Data taken during Sun hack published online
News International, parent company to the U.K.’s Sun newspaper, is warning thousands of people that their information might have been lifted after a security breach last month at the hands of LulzSec. In July, the Sun website was hacked by LulzSec, resulting in a false report announcing the death of Rupert Murdoch. The incident occurred just as News Corp. landed in the middle of a hacking scandal itself.
Scotland Yard Busts Suspected LulzSec Spokesman
The London Metropolitan Police on Wednesday arrested a 19-year-old Shetland Islands man who they say is “Topiary,” the most visible figure in LulzSec. The police news release doesn’t name the suspect. The bust is the second high-profile arrest of an alleged member of the six-man hacking gang. British police last week arrested a 16-year-old they say is “T-Flow” — another prominent member. In June they arrested 19-year-old Ryan Cleary of Wickford, Essex, who allegedly ran an IRC channel used by the group.
LulzSec Defaces Murdoch Paper With Mogul’s Fake Death Notice
They’re back. The hacker gang LulzSec, after declaring retirement last month, cracked the Rupert Murdoch–owned New Times on Monday and used it to host a fake news story declaring that the embattled media mogul had been found dead at his home. The web defacement took the form of a mock article from Murdoch’s The Sun, with the headline “Media moguls body discoverd” [sic]. The text goes on to claim falsely that Murdoch “ingested a large quantity of palladium before stumbling into his famous topiary garden late last night.”
McCain Pushes For Select Committee to Address Wikileaks, Anonymous Attacks
In the face of continued attacks on federal agencies and contractors such as Booz Allen Hamilton and IRC Federal that do highly sensitive security work for the U.S. government, Sen. John McCain has asked Senate leaders to appoint a select committee to look into the attacks and data leaks that have plagued Washington throughout 2011. In a letter to Senate Majority Leader Harry Reid and Senate Minority Leader Mitch McConnell, McCain (R-Ariz.) said that a temporary Senate committee is necessary in order to get a handle on all of the disparate cybersecurity legislation proposals and to address the threat posed by groups such as Anonymous, LulzSec and Wikileaks.
How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.