Cloud

Google Health's Lifeline Runs Out 196

turing0 writes "As a former bioinformatics researcher and CTO I have some sad news to start 2012 with. Though I am sure not a surprise to the Slashdot crowd, it appears we — or our demographic — made up more than 75% of the Google Health userbase. Today marks the end of Google Health. (Also see this post for the official Google announcement and lame excuse for the reasoning behind this myopic decision.) The decision of Google to end this excellent service is a fantastic example of what can represent the downside of cloud services for individuals and enterprises. The cloud is great when and while your desired application is present — assuming it's secure and robust — but you are at the mercy of the provider for longevity." (Read more, below.)
Security

Lax Security At Russian Rocket Plant 116

theshowmecanuck writes "Reuters reports that there is little or no security at one of the main factories in Russia responsible for military and Soyuz rocket manufacture. Blogger Lana Sator was able to walk right into the empty (off hours) facility through huge gaps in the fences that no-one bothered to repair, and there was no security to stop them aside from some dogs that didn't bother them either. In fact Lana even has one picture of herself posing next to an apparently non-functional security camera, another of her sitting on what looks to be possibly a partially assembled rocket motor (someone who knows better can fill us in), and has about 100 photos of the escapade all told on her blog about this (it's in Russian... which I don't speak... any translators out there?). Russian officials are said to be deeply concerned. I wonder if this has any bearing on why Russian rockets haven't been making it into space successfully, or whether it and the launch failures are all part of some general industrial malaise that is taking place."
Security

SCADA Vulnerabilities In Prisons Could Open Cell Doors 134

Orome1 writes "Many prisons and jails use SCADA systems with PLCs to open and close doors. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, researchers discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to 'open' or 'locked closed' on cell doors and gates."
Microsoft

Same Platform Made Stuxnet, Duqu; Others Lurk 89

wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising is the simplicity of the exploits which were still present in Win7." See also the report at Secureist from which the SecurityWeek story draws.
Security

Ask Slashdot: Changing Passwords For the New Year? 339

A new submitter asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
Security

Malicious QR Code Use On the Rise 234

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
Security

Attack Tool Released For WPS Setup Flaw 164

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."
Government

TSA Got Everything It Wanted For Christmas 338

OverTheGeicoE writes "It looks like Congress' recent jabs at TSA were just posturing after all. Last Friday, President Obama signed a spending act passed by both houses of Congress. The act gives TSA a $7.85 billion budget increase for 2012 and includes funding for 12 additional multi-modal Visible Intermodal Prevention and Response (VIPR) teams and 140 new behavior detection officers. It even includes funding for 250 shiny new body scanners, which was originally cut from the funding bill last May."
Intel

Intel Ships New Atom Processors To PC Makers 59

randomErr writes "Intel began shipping the new mobile Atom, formerly codenamed 'Cedar Trail', processors to manufacturers. As with most new chips it has more features and longer battery life. Intel said today 'Computing systems using new Atom processors will debut in early 2012 through leading original equipment manufacturers (OEMs) such as Acer, Asus, HP, Lenovo, Samsung, and Toshiba.'"
Networking

No IPv6 Doomsday In 2012 233

itwbennett writes "Yes, IPv4 addresses are running out, but a Y2K-style disaster/frenzy won't be coming in 2012. Instead, businesses are likely to spend the coming year preparing to upgrade to IPv6, experts say. Of course there's a chance that panic will ensue when Europe's RIPE hands out its last IPv4 addresses this summer, but 'most [businesses] understand that they can live without having to make any major investments immediately,' said IDC analyst Nav Chander. Plus, it won't be until 2013 that North America will run out of IPv4 addresses and there's no sense getting worked up before then."
Cellphones

Researchers Demo New GSM Attacks at Chaos Communications Congress 17

First time accepted submitter aeturnus writes "A new attack on the GSM mobile communications protocol has been demonstrated by Karsten Nohl and Luca Melette of Security Research Labs, based off their previously published attacks around vulnerabilities in the GSM A5/1 encryption protocol. This new attack, which Nohl indicates is already in use by criminals, allows an attacker to simulate a GSM mobile and use it to make calls and send text messages. Nohl also discussed protective measures users should take against these attacks, and others in use by intelligence communities around the world." This was just one of many presentations at the 28th Chaos Communications Congress.
Microsoft

Microsoft Issuing Unusual Out-of-Band Security Update 156

wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would address security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
Businesses

IT Managers Are Aloof Says Psychologist and Your Co-Workers 378

dcblogs writes "IT managers see themselves as 'reigning supreme,' in an organization, and are seen by non-IT workers as difficult to get along with, says organizational psychologist Billie Blair. If IT managers changed their ways, they could have a major impact in an organization. 'So much of their life is hidden under a bushel because they don't discuss things, they don't divulge what they know, and the innovation that comes from that process doesn't happen, therefore, in the organization,' says Blair."
Security

Progressive Era Hacker Griefed Marconi Demonstration 147

nbauman writes "In June 1903, Guglielmo Marconi and his partner Ambrose Fleming were about to give the first demonstration of long-range wireless communication at the Royal Institution in London, which, Marconi said, could be sent in complete confidentiality with no fear of the messages being hijacked. Suddenly, the silence was broken by a huge mysterious wireless pulse strong enough to take over the carbon-arc projector and make it sputter messages in Morse Code. First, it repeated the word 'Rats' over and over again (abusive at that time). Then it tapped out, 'There was a young fellow of Italy, who diddled the public quite prettily.' Further rude epithets followed. It was Nevil Maskelyne, a stage musician and inventor who was annoyed because Marconi's patents prevented him from using wireless. It was the first hacking, to demonstrate an insecure system."
Security

New York Times Hacked? 103

First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.
Privacy

Data Exposed In Stratfor Compromise Analyzed 141

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.
Android

Samsung Reconsidering Android 4.0 On the Galaxy S 192

ghostoftiber writes "The original Galaxy S was the redheaded step child of the Samsung device line. ... Samsung announced over Christmas that the original Galaxy S was done, leaving its faithful fans in a position of having another year on their contracts with no upgrade path. Users were predictably incensed, and it looks like Samsung changed their minds. There's also the Samsung Vibrant development forum if you want Ice Cream Sandwich running on your Vibrant right now." The original source is a bit iffy and implies that the release will not be fully featured (probably due to hardware constraints). Business Insider contacted Samsung directly and an official response is expected today.
Television

Justifications For Creating an IT Department? 214

jjoelc writes "This may sound like an odd request, so first some background. I work at a broadcast television station, and I have found it to be very common for IT to be lumped in with the engineering department at many stations. I believe this is mainly because the engineers were the first people in the business to have and use computers in any real capacity, and as the industry moved to file-based workflows it has simply stayed that way. I believe there is a need for IT to be its own department with its own goals, budgets, etc. But I am having a bit of a rough time putting together the official proposal to justify this change, likely because it seems so obviously the way it should be and is done everywhere else. So I am asking for some pointers on the best ways to present this idea to a general manager. What are the business justifications for having a standalone IT department in a small business? How would you go about convincing upper management of those needs? There are approximately 100 employees at the station I am currently at, but we do own another 4 stations in two states (each of these other stations is in the 75-100 employee range). The long term goal would be to have a unified IT department across all 5 stations."
Businesses

Ask Slashdot: Handing Over Personal Work Without Compensation? 848

rsmith84 writes "I'm the Senior Systems administrator for a small trade college. When I was hired on, it was strictly for L3 related tasks such as advanced server administration, Exchange design and implementation, etc. They have no in-house programmers, no help desk software, and no budget to purchase one. I'm a moderate PHP and MySQL programmer on the side and am easily capable of writing something to meet their needs, but do not believe I should be A) asked to or B) required to, as my job description and employment terms are not based upon this skill set. I like a challenge, and since all of my goals outlined since my hire date have been met and exceeded, I have a lot of down time. So I wrote the application. It streamlines several critical processes, allows for a central repository of FAQ, and provides end users with access to multiple systems all in one place. I've kept a detailed time log of my work and feel I should be remunerated for the work before just handing over the code. The entire source was developed on personal equipment off company hours. My question is: what should I do? If they are willing to compensate me, I will gladly hand it over. However, it's been mentioned that, if I do the project, it is all but guaranteed that I will see no compensation. The application would streamline a lot of processes and take a lot of the burden off my team, freeing them up to handle what I deem to be more challenging items on their respective punch lists and a better utilization of their time and respective skills. I'm a firm believer in not getting 'something for nothing,' especially when the skills are above my pay grade."
Networking

New WiFi Setup Flaw Allows Easy Router PIN Guessing 86

Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."
