alphadogg writes "The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications.The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption. The new attack methods were developed by researchers at the University of London's Royal Holloway College. The men published a research paper and a website on Monday with detailed information about their new attacks, which they have dubbed the Lucky Thirteen. They've worked with several TLS library vendors, as well as the TLS Working Group of the IETF, to fix the issue."
An anonymous reader writes "Our organization had had a decent SPF record of our own for a long time. Recently, we decided to try using SPF for filtering inbound mail. On the up side, a lot of bad mail was being caught. On the down side, it seems like there is always a 'very important' message being caught in the filter because the sender has failed to consider all mail sources in writing their record. At first, I tried to assist sending parties with correcting their records out of hope that it was isolated. This quickly started to consume far too much time. I'm learning that many have set up inaccurate but syntactically valid SPF records and forgotten about them, which is probably the worst outcome for SPF as a standard. Are you using SPF? How are you handling false positives caused by inaccurate SPF records?"
An anonymous reader sends this quote from a blog post about a very odd technical issue and some clever debugging: "Packets of death. I started calling them that because that’s exactly what they are. ... This customer location, for some reason or another, could predictably bring down the ethernet controller with voice traffic on their network. Let me elaborate on that for a second. When I say “bring down” an ethernet controller I mean BRING DOWN an ethernet controller. The system and ethernet interfaces would appear fine and then after a random amount of traffic the interface would report a hardware error (lost communication with PHY) and lose link. Literally the link lights on the switch and interface would go out. It was dead. Nothing but a power cycle would bring it back. ... While debugging with this very patient reseller I started stopping the packet captures as soon as the interface dropped. Eventually I caught on to a pattern: the last packet out of the interface was always a 100 Trying provisional response, and it was always a specific length. Not only that, I ended up tracing this (Asterisk) response to a specific phone manufacturer’s INVITE. ... With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death — and kill client machines behind firewalls!"
An anonymous reader writes "Michael Geist reports that a coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, are demanding legalized spyware for private enforcement purposes. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation)."
An anonymous reader writes "Decapping chips and recovering code or data is nothing new, but the old problem of recovering Masked ROM through visual inspection (binary '0' and '1' can be distinguished within the images) is normally done by crowd sourcing a manual typing effort. Now a tool that semi-automates this process and then recovers the data automatically has been released."
An anonymous reader writes "Yesterday afternoon, Kaspersky Labs released a definition update that blocked all Internet and Intranet access on Windows XP workstations. While there has been no official communication from Kaspersky, their forum is lit up with angry customers relying on each other to find a fix." Update: 02/05 16:42 GMT by T : Thanks to an anonymous reader, who says that Kaspersky has issued a statement, and a fix (though the fix takes some manual labor to implement).
First time accepted submitter jsmyth writes "MySQL 5.6.10 has been released, marking the General Availability of version 5.6 for production." Here's more on the features of 5.6. Of possible interest to MySQL users, too, is this look at how MySQL spinoff MariaDB (from Monty, one of the three creators of MySQL) is making inroads into the MySQL market, including (as we've mentioned before) as default database system in some Linux distributions.
New submitter oztechmuse writes "Australian Telco Telstra is planning to trial shaping some BitTorrent traffic during peak hours. Like all other telcos worldwide, they are facing increasing traffic with a long tail of users: 20% of users consume 80% of bandwidth. The problem is, telcos in Australia are already shaping BitTorrent traffic as a study by Measurement Lab has shown and traffic use continues to increase. Also, the 20% of broadband users consuming the most content will just find a different way of accessing the content and so overall traffic is unlikely to be reduced."
msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"
mask.of.sanity writes "Security researchers have shown how to raid Africa micro-finance bank accounts en masse using fake audio one time passwords. The banks use audio one-time passwords to authenticate users logging into their accounts, but failed to implement properly security controls across numerous systems. Crucially, the researchers did not reveal how they cracked the encryption in order to protect users."
coondoggie writes "When it comes to relatively new technologies, few have been developing at the relentless pace of mobile. But with that development has come a serious threat to the security of personal information and privacy. The Federal Trade Commission has issued a report (PDF) on mobility issues and said less than one-third of Americans feel they are in control of their personal information on their mobile devices. 'The report makes recommendations for critical players in the mobile marketplace: mobile platforms (operating system providers, such as Amazon, Apple, BlackBerry, Google, and Microsoft), application (app) developers, advertising networks and analytics companies, and app developer trade associations. ... The report recommends that mobile platforms should: Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation; Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded; Consider offering a Do Not Track (DNT) mechanism for smartphone users.'"
An anonymous reader writes "All software has bugs, but this one is a particularly odd one. If you type "File:///" (no quotes) into almost any app on your Mac, it will crash. The discovery was made recently and a bug report was posted to Open Radar. First off, it’s worth noting that the bug only appears to be present in OS X Mountain Lion and is not reproducible in Lion or Snow Leopard. That’s not exactly good news given that this is the latest release of Apple’s operating system, which an increasing number of Mac users are switching to. ... A closer look shows the bug is inside Data Detectors, a feature that lets apps recognize dates, locations, and contact data, making it easy for you to save this information in your address book and calendar."
tsu doh nimh writes "A sophisticated cyberattack targeted The Washington Post in an operation that resembled intrusions against other major American news organizations and that company officials suspect was the work of Chinese hackers, the publication acknowledged on Friday. The disclosure came just hours after a former Post employee shared information about the break-in with ex-Postie reporter Brian Krebs, and caps a week marked by similar stories from The New York Times and The Wall Street Journal. Krebs cites a former Post tech worker saying that the publication gave one of its hacked servers to the National Security Agency for analysis, a claim that the Post's leadership denies. The story also notes that the Post relied on software from Symantec, the same security software that failed to detect intrusions at The New York Times for many months."
theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
New submitter Matt Slaybaugh writes "John Foley at InformationWeek has an editorial saying that the missing piece in the new gun control legislation is adequate data management. 'President Obama introduced 23 executive orders on Jan. 16 aimed at reducing gun violence through a combination of tougher regulation and enforcement, research, training, education and attention to mental healthcare. Several of the proposed actions involve better information sharing, including requiring federal agencies to make relevant data available to the FBI's background check system and easing legal barriers that prevent states from contributing data to that system.' But concrete plans are needed now to improve the current poor system of data collection and sharing. Federal CIO Steven VanRoekel's Digital Government Strategy, introduced in May, 'defines an IT architecture and processes for sharing digitized content securely, using Web APIs and with attention to protecting privacy. ... Unfortunately, on top of the data quality issues identified by the White House, and the FBI's and ATF's outdated IT systems, there's a lack of transparency about the systems used to enforce federal gun-control laws.'"
chicksdaddy writes "Veracode's blog has an interesting piece that looks at whether 'brogramming' — the testosterone- and booze-fueled coding culture depicted in movies like The Social Network — spells death for the 'engineering' part of 'software engineering.' From the post: 'The Social Network is a great movie. But, let's face it, the kind of "coding" you're doing when you're "wired in"... or drunk... isn't likely to be very careful or – need we say – secure. Whatever else it may have done, [brogramming's] focus on flashy, testosterone-fueled "competitive" coding divorces "writing software" – free form, creative, inspirational – from "software engineering," its older, more thoughtful and reliable cousin.' The article picks up on Leslie Lamport's recent piece in Wired: 'Why we should build software like we build houses' — also worth reading!"
wiredmikey writes "The popular belief is that security risks increase as the user engages in riskier and shadier behavior online, but that apparently isn't the case, Cisco found in its 2013 Annual Security report. It can be more dangerous to click on an online advertisement than an adult content site these days, according to Cisco. For example, users clicking on online ads were 182 times more likely to wind up getting infected with malware than if they'd surfed over to an adult content site, Cisco said. The highest concentration of online security targets do not target pornography, pharmaceutical, or gambling sites as much as they affect legitimate sites such as search engines, online retailers, and social media. Users are 21 times more likely to get hit with malware from online shopping sites and 27 more times likely with a search engine than if they'd gone to a counterfeit software site, according to Cisco's report (PDF). There is an overwhelming perception that people get compromised for 'going to dumb sites,' Mary Landesman, senior security researcher at Cisco, told SecurityWeek."
wiredmikey writes "The Wall Street Journal said Thursday its computers were hit by Chinese hackers, the latest U.S. media organization citing an effort to spy on its journalists covering China. The Journal made the announcement a day after The New York Times said hackers, possibly connected to China's military, had infiltrated its computers in response to its expose of the vast wealth amassed by a top leader's family. The Journal said in a news article that the attacks were 'for the apparent purpose of monitoring the newspaper's China coverage' and suggest that Chinese spying on U.S. media 'has become a widespread phenomenon.'"
First time accepted submitter Brandon Butler writes "Amazon.com, the multi-billion online retail website, experienced an outage of unknown proportions on Thursday afternoon. Rumblings of an Amazon.com outage began popping up on Twitter at about 2:40 PM ET. Multiple attempts to access the site around 3:15 PM ET on Thursday were met with the message: 'Http/1.1 Service Unavailable.' By 3:30 PM ET the site appeared to be back online for at least some users. How big of a deal is an hour-long Amazon outage? Amazon.com's latest earnings report showed that the company makes about $10.8 billion per quarter, or about $118 million per day and $4.9 million per hour." Update: 01/31 22:25 GMT by T : "Hackers claim credit."
Okian Warrior writes "As a followup to yesterday's article detailing 50 Million Potentially Vulnerable To UPnP Flaws, this video shows getting root access on a Belkin WeMo remote controlled wifi outlet. As the discussion notes, remotely turning someone's lamp on or off is not a big deal, but controlling a [dry] coffeepot or space heater might be dangerous. The attached discussion also points out that rapidly cycling something with a large inrush current (such as a motor) could damage the unit and possibly cause a fire." In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?
coondoggie writes "The Federal Trade Commission today said the submission period for its Robocall Challenge had ended and it got 744 new ideas for ways to shut down the annoying automated callers. The FTC noted that the vast majority of telephone calls that deliver a prerecorded message trying to sell something to the recipient are illegal. The FTC regulates these calls under the Telemarketing Sales Rule and the Challenge was issued to developing technical or functional solutions and proofs of concepts that can block illegal robocalls which, despite the agency's best efforts, seem to be increasing."
Zordak writes "Micron has recently landed U.S. Patent 8,352,745, which claims priority back to a February 2000 application---well before Apple's 2004 slide-to-unlock application. While claim construction is a highly technical art, the claims here are (for once) almost as broad as they sound, and may cover the bulk of touch screen smart phones on the market today. Dennis Crouch's Patently-O has a discussion."
New submitter matteocorti writes "I work at medium-sized university and we are considering reducing the number of domains used for email addresses (now around 350): the goal is to have all the 30K personal addresses in a single domain. This will increase the clashes for the local part of the address for people with the same first and last name (1.6%). We are considering several options: one of them is to use 'email@example.com' and the other is to use 'firstname.lastname@example.org.' The first case will avoid any conflict in the addresses (usernames are unique) but the second is fancier. Which approach does your organization use? How are name conflicts (homonyms) solved? Manually or automatically (e.g., by adding a number)?"
judgecorp writes "Yesterday's BlackBerry 10 announcement did not mention the company's tablet, the Playbook, but users will be relieved to know it will get an update to BlackBerry 10. It's not a huge surprise, since BB10 is based on the PlayBook's QNX operating system, but PlayBook users may have been worried since the company did not even mention the struggling tablet in passing at the event." Hopefully the Playbook's camera is better than the one in the new BB10-based Z10 phone, the low-light performance of which Gizmodo describes as "four-years-ago crap."
An anonymous reader writes " Rob is a Time Warner Cable customer, and he's received two really interesting things from them lately. First, a 50% speed boost: they claim to have upgraded the speed of his home Internet connection. That's neat. Oh, and they've also cut his bill, from $45 to $30. Wow! What has prompted this amazing treatment? Years of loyalty and on-time payments? No, not exactly. Rob lives in Kansas City, pilot site for Google Fiber. Even though they have shut off people in other states for using too much bandwidth. Is Google making them show that it's not that hard to provide good service and bandwidth?"
Orome1 writes "A new discovered malware is potentially one of the most costly viruses yet discovered. Uncovered by NQ Mobile, the 'Bill Shocker' (a.expense.Extension.a) virus has already impacted 620,000 users in China and poses a threat to unprotected Android devices worldwide. Bill Shocker downloads in the background, without arousing the mobile device owner's suspicion. The infection can then take remote control of the device, including the contact list, Internet connections and dialing and texting functions. Once the malware has turned the phone into a "zombie," the infection uses the device to send text message to the profit of advertisers. In many cases, the threat will overrun the user's bundling quota, which subjects the user to additional charges."
Rick Zeman writes "According to a headline article in the New York Times, they admit to being hacked by the Chinese, and covers the efforts of Mandiant to investigate, and then to eradicate their custom Advanced Persistent Threats (APT). This was alleged to be in reaction to an article which details the sleazy business dealings of the family of Wen Jiabao, China's newest Prime Minister. China's Ministry of National Defense said in denial, 'Chinese laws prohibit any action including hacking that damages Internet security.'" Update: 01/31 15:00 GMT by T : The Times used Symanetic's suite of malware protection software; Symantec has issued a statement that could be taken as slightly snippy about its role in (not) preventing the spyware from taking hold.
An anonymous reader writes "In a February 2013 ACM Queue / Communications of the ACM article, A decade of OS access-control extensibility, Robert Watson at the University of Cambridge credits 2000s-era DARPA security research, distributed via FreeBSD, for the success of sandboxing in desktop, mobile, and embedded systems such as Mac OS X, iOS, and Juniper's Junos router OS. His blog post about the article argues that OS security extensibility is just as important as more traditional file system (VFS) and device driver extensibility features in kernels — especially in embedded environments where UNIX multi-user security makes little sense, and where tradeoffs between performance, power use, functionality, and security are very different. This seems to fly in the face of NSA's recent argument argument that one-size-fits-all SELinux-style Type Enforcement is the solution for Android security problems. He also suggests that military and academic security researchers overlooked the importance of app-store style security models, in which signed application identity is just as important as 'end users' in access control."
Qedward writes "As the UK prepares to shake up the way computer science is taught in schools, Redmond is warning that the UK risks falling behind other countries in the race to develop and nurture computing talent, if 'we don't ensure that all children learn about computer science in primary schools.' With 100,000 unfilled IT jobs but only 30,500 computer science graduates in the UK last year, MS believes: 'By formally introducing children to computer science basics at primary school, we stand a far greater chance of increasing the numbers taking the subject through to degree level and ultimately the world of work.'"
redletterdave writes "According to the 30-count indictment released by the Central District of California, 27-year-old hacker Karen 'Gary' Kazaryan allegedly hacked his way into hundreds of online accounts, using personal information and nude or semi-nude photos of his victims to coerce more than 350 female victims to show him their naked bodies, usually over Skype. By posing as a friend, Kazaryan allegedly tricked these women into stripping for him on camera, capturing more than 3,000 images of these women to blackmail them. Kazaryan was arrested by federal agents on Tuesday; if convicted on all 30 counts, including 15 counts of computer intrusion and 15 counts of aggravated identity theft, Kazaryan could face up to 105 years in federal prison."
wehe writes "Heise News reports today some Samsung notebooks can be turned into a brick if booted just one time via UEFI into Linux. Even the firmware does not boot anymore. Some reports in the Ubuntu bug tracker system report that such notebooks can not be recovered without replacing the main board. Other Linux distributions may be affected as well. Kernel developers are discussing a change in the Samsung-laptop driver." It appears even Samsung is having trouble tracking down the problem (from the article): "According to Canonical's Steve Langasek, Samsung developers have been attempting to develop a firmware update to prevent the problem for several weeks. Langasek is advising users to start Ubuntu installation on Samsung notebooks from an up-to-date daily image, in which the Ubuntu development team has taken precautions to prevent the problem from arising. It is, however, not completely clear that these measures are sufficient."
Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"
alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."
An anonymous reader writes "Mozilla on Tuesday announced a massive change to the way it loads third-party plugins in Firefox. The company plans to enable Click to Play for all versions of all plugins, except the latest release of Flash. This essentially means Firefox will soon only load third-party plugins when users click to interact with the plugin. Currently, Firefox automatically loads any plugin requested by a website, unless Mozilla has blocked it for security reasons (such as for old versions of Java, Silverlight, and Flash)."
snydeq writes "Microsoft's release of Office 2013 represents the latest in a series of makeover moves, this time aimed at shifting use of its bedrock productivity suite to the cloud. Early hands-on testing suggests Office 2013 is the 'best Office yet,' bringing excellent cloud features and pay-as-you-go pricing to Office. But Microsoft's new vision for remaining nimble in the cloud era comes with some questions, such as what happens when your subscription expires, not to mention some gray areas around inevitable employee use of Office 2013 Home Premium in business settings." Zordak points to coverage of the new Office model at CNN Money, and says "More interesting than the article itself is the comments. The article closes by asking 'Will you [pay up]?' The consensus in the comments is a resounding 'NO,' with frequent mentions of the suitability of OpenOffice for home productivity." Also at SlashCloud.
An anonymous reader writes "Electronic devices are built to last, which make them very reliable. However, if during a hostile situation such a device has to be left behind or gets dropped, it will continue to function and could end up giving the enemy an advantage. With that in mind, DARPA has set about creating electronics that work for as long as necessary, but can be destroyed at a moment's notice. The project is called Vanishing Programmable Resources (VAPR). Its main aim is to develop so-called transient electronics that are capable of dissolving completely, or at the very least to the point where they no longer function. Destroying a VAPR device should be as easy as sending a signal to it or placing the device within certain conditions e.g. extreme heat or cold, that triggers the rapid destruction process."
noh8rz10 writes "Holy moly! iPad gets a heavyweight sibling, clicking in at 128GB. This places it in range of storage for Surface Pro and ultrabooks. It's clearly targeted at the professional market, as the press release cites X-rays and CAD files as reasons. Should Microsoft be afraid? Methinks so. Best part, pricing is growing by log 2. Just as the 32GB version is $100 more than the 16, and the 64 is $100 more than the 32, this new version is $100 more than the 64!" Update: 01/29 16:00 GMT by T : Here's Apple's announcement itself.
snydeq writes "Deep End's Paul Venezia waxes philosophical about Perl stagnancy in IT. 'A massive number of tools and projects still make the most out of the language. But it's hard to see Perl regaining its former glory without a dramatic turnaround in the near term. As more time goes by, Perl will likely continue to decline in popularity and cement its growing status as a somewhat arcane and archaic language, especially as compared to newer, more lithe options. Perhaps that's OK. Perl has been an instrumental part of the innovation and technological advancements of the last two decades, and it's served as a catalyst for a significant number of other languages that have contributed heavily to the programming world in general.'"
Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
hypnosec writes "Matthew Garrett published some patches today which break hibernate and kexec support on Linux when Secure Boot is used. The reason for disabling hibernation is that currently the Linux kernel doesn't have the capability of verifying the resume image when returning from hibernation, which compromises the Secure Boot trust model. The reason for disabling the kexec support while running in Secure Boot is that the kernel execution mechanism may be used to load a modified kernel thus bypassing the trust model of Secure Boot." Before arming your tactical nuclear flame cannon, note that mjg says "These patches break functionality that people rely on without providing any functional equivalent, so I'm not suggesting that they be merged as-is." Support for signed kexec should come eventually, but it looks like hibernation will require some clever hacking to support properly in a Restricted Boot environment.
chicksdaddy writes "Google cemented its reputation as the squarest company around Monday (pun intended), offering prizes totaling Pi Million Dollars — that's right: $3.14159 million greenbacks — in its third annual Pwnium hacking contest, to be held at the CanSecWest conference on March 7 in Vancouver, British Columbia. Google will pay $110,000 for a browser or system level compromise delivered via a web page to a Chrome user in guest mode or logged in. The company will pay $150,000 for any compromise that delivers 'device persistence' delivered via a web page, the company announced on the chromium blog. 'We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,' wrote Chris Evans of Google's Security Team."
snydeq writes "Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet, InfoWorld reports. 'A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to U.S. citizens. The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but increasingly likely to attack civilian entities. U.S. banks and utilities have already been hit.'"
Damien1972 writes "The Brazilian government has begun fixing trees in the Amazon rainforest with a wireless device, known as Invisible Tracck, which will allow trees to contact authorities once they are felled and moved. Here's how it works: Brazilian authorities fix the Invisible Tracck onto a tree. An illegal logger cuts down the tree and puts it onto a truck for removal, unaware that they are carrying a tracking device. Once Invisible Tracck comes within 20 miles (32 kilometers) of a cellular network it will 'wake up' and alert authorities."
An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."
chicksdaddy writes "The U.S. Department of Defense has stopped updating its main reference list of vital defense technologies that are banned from export, according to a new report from the Government Accountability Office (GAO), The Security Ledger reports. The Militarily Critical Technologies List (MCTL) is used to identify technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology. GAO warned six years ago that the Departments of State and Commerce, which are supposed to use the list, found it too broad and outdated to be of much use. The latest report (GAO 13-157) finds that the situation has worsened: budget cuts forced the DOD to largely stop updating and grooming the list in 2011. Sections on emerging technologies are outdated, while other sections haven't been updated since 1999. Without the list to rely on, the DOD has turned to a hodgepodge of other lists, while officials in the Departments of State and Commerce who are responsible for making decisions about whether to allow a particular technology to be exported have turned to ad-hoc networks of subject experts. Other agencies are looking into developing their own MCTL equivalents, potentially wasting government resources duplicating work that has already been done, GAO found."
Matt Steelblade writes "I've been in love with computers since my early teens. I took out books from the library and just started messing around until I had learned QBasic, then Visual Basic 5, and how to take apart a computer. Fast forward 10 years. I'm a very recent college graduate with a BA in philosophy (because of seminary, which I recently left). I want to get into IT work, but am not sure where to start. I have about four years experience working at a grade/high school (about 350 computers) in which I did a lot of desktop maintenance and some work on their AD and website. At college (Loyola University Chicago) I tried to get my hands on whatever computer courses I could. I ended up taking a python course, a C# course, and data structures (with python). I received either perfect scores or higher in these courses. I feel comfortable in what I know about computers, and know all too well what I don't. I think my greatest strength is in troubleshooting. With that being said, do I need more schooling? If so, should I try for an associate degree (I have easy access to a Gateway technical college) or should I go for an undergraduate degree (I think my best bet there would be UW-Madison)? If not, should I try to get certified with CompTIA, or someone else? Or, would the best bet be to try to find a job or an internship?"
hypnosec writes "Microsoft upped its security ante with Address Space Layout Randomization (ASLR) in Windows 7 and Windows 8, but it seems this mechanism to prevent hackers from jumping to a known memory location can be bypassed. A hacker has released a brilliant, yet simple trick to circumvent this protection. KingCope, a hacker who released several exploits targeting MySQL in December, has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space."
Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."
Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."