Security

Will Hackers Try To Disrupt the Iowa Caucuses? 162

Hugh Pickens writes "The Iowa Republican Party is boosting the security of the electronic systems it will use to count the first votes of the 2012 presidential campaign after receiving a mysterious threat to its computers in a video urging its supporters to shut down the Iowa caucuses .... 'It's very clear the data consolidation and data gathering from the caucuses, which determines the headlines the next morning, who might withdraw or resign from the process, all of that is fragile,' says Douglas Jones, a computer science professor at the University of Iowa who has consulted for both political parties. The state GOP fears such a delay could disrupt the traditional influence of Iowa's first-in-the-nation vote. 'With the eyes of the media on the state, the last thing we want to do is have a situation where there is trouble with the reporting system,' says Wes Enos, a member of the Iowa GOP's central committee. The GOP is encouraging party activists who run the precinct votes to use paper ballots instead of a show of hands, which has been the practice in some areas so the ballots can provide a backup in the event of any later confusion about the results. 'There is really only one way — and it needn't be a secret — to help assure that results cannot easily be manipulated by either Anonymous or by GOP officials themselves,' writes Brad Friedman. 'The hand-counted paper ballot system, with decentralized results posted at the "precincts," is the only way to try and protect against manipulation of the results from either insiders or outsiders.'"
Privacy

GnuPG Short ID Collision Has Occurred. 110

kfogel writes "Asheesh Laroia now has two different GPG keys with the same short ID (70096AD1) circulating on keyservers. One of them is an older 1024-bit DSA key, the other is a newer 4096-bit RSA key. Oops. Asheesh argues that GPG's short IDs are too short to be the default anymore — collisions are too easy to create: he did it on purpose and openly, but others could do it on purpose and secretly. More discussion (and a patch by dkg) are in this bug report."
Businesses

Israeli Spyware Sold To Iran 164

Hugh Pickens writes "Bloomberg reports that Israeli trade, customs and defense officials say they didn't know that systems for performing 'deep-packet inspection' into Internet traffic, sold under the brand name NetEnforcer, had gone to a country whose leaders have called for the destruction of the Jewish state. Allot Communications Ltd., an Israel-based firm which reported $57 million in sales last year, sold its systems to a Randers, Denmark-based technology distributor, where workers at that company, RanTek A/S, repackaged the gear and shipped it to Iran. The sales skirted a strict Israeli ban that prohibits 'trading with the enemy,' including any shipments that reach Iran, Syria and Lebanon. Although Allot officials say they had no knowledge of their equipment going to Iran and are looking into RanTek's sales, three former sales employees for Allot say it was well known inside the Israeli company that the equipment was headed for Iran. 'Israel considers Iran quite possibly its greatest threat, and so the Israeli government would come down very strong against any company that exported to Iran,' says Ira Hoffman. 'Iran is also considered by the U.S. as one of its most strategic threats.' Israeli lawmaker Nachman Shai has called for a parliamentary investigation, and the country's Defense Ministry has begun to examine the report."
Security

Researchers Build TCP-Based Spam Detection 81

itwbennett writes "In a presentation at the Usenix LISA conference in Boston, researchers from the Naval Academy showed that signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet. The work 'advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter,' said MIT computer science research affiliate Steve Bauer, who was not involved with the work. 'So this is both a clever bit of research and genuinely practical contribution to the persistent problem of fighting spam.'"
Security

New Car Anti-Theft Device Profiles Your Rear End 126

Hugh Pickens writes "A car-seat identifier developed at Japan's Advanced Institute of Industrial Technology by Associate Professor Shigeomi Koshimizu can recognize a person by his or her rear end with 98 percent accuracy when the person takes a seat in his car. The bucket seat's lower section is lined with 360 pressure sensors that measure pressure on a scale from 0 to 256, sending information to a laptop, which aggregates the information, generates the key data and produces a precise map of the seated person's rear profile. Researchers say traditional biometric techniques such as iris scanners and fingerprint readers cause stress to people undergoing identity checks, while the simple act of getting seated carries less psychological baggage. Koshimizu wants to see his work available commercially as an anti-theft product in two to three years if automakers agree to collaborate. He sees possibilities of this device being used beyond auto-theft identity protection to a device for security identification in office settings, where users log on to their PCs as they sit down."
Android

Android Approved By Pentagon 160

sfcrazy writes "The Pentagon has approved a version of Android running on Dell hardware to be used by DoD officials, along with the BlackBerry. The approval of Android by the DoD is a major setback for Apple's iPhone. This doesn't mean that DoD employees can use any Android phone. The Pentagon has approved only Dell's hardware running Android 2.2. Interestingly Dell recently discontinued its Streak phone which runs Android 2.2. Dell is now offering Dell Venue which runs on Android 2.2. So, this is the phone which DoD employees can use."
Crime

Anonymous Hacks US Think Tank Stratfor 356

Frankie70 writes "At 11:45 PST on Christmas Eve, hacking collective Anonymous disclosed that not only has it hacked the Stratfor website (since confirmed by Friedman himself), but has also obtained the full client list of over 4000 individuals and corporations, including their credit cards (which supposedly have been used to make $1 million in 'donations'), as well as over 200 GB of email correspondence."
IT

Sorry, IT: These 5 Technologies Belong To Users 348

GMGruman writes "The BYOD (bring your own device) phenomenon hasn't been easy on IT, which has seen its control slip. But for these five technologies — mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps — it has already slipped, and Forrester and others argue IT needs to let go of them. That also means not investing time and money in all the management apps that vendors are happy to sell to IT shops afraid of BYOD — as this post shows, many just won't deliver what IT hopes."
Businesses

Cyber Insurance Industry Expected To Boom 58

An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"
Security

U.S. Congress Authorizes Offensive Use of Cyberwarfare 206

smitty777 writes "Congress has recently authorized the use of offensive military action in cyberspace. From the December 12th conference on the National Defense Authorization Act, it states, 'Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to: (1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.' According to the FAS, 'Debate continues on whether using the War Powers Resolution is effective as a means of assuring congressional participation in decisions that might get the United States involved in a significant military conflict.'"
Security

Trion Worlds' Rift Account Database Compromised 88

New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.' Are game companies not concerned with preventing these attacks?"
Transportation

Vanity Fair On the TSA and Security Theater 256

OverTheGeicoE writes "Perhaps it's now officially cool to criticize the TSA. Vanity Fair has a story questioning the true value of TSA security. The story features Bruce Schneier, inventor of the term 'security theater' and contender for the Most Interesting Man in the World title, it would seem. With Schneier's mentoring, the author allegedly doctors a boarding pass to breach security at Reagan National Airport to do an interview with Schneier. 'To walk through an airport with Bruce Schneier is to see how much change a trillion dollars can wreak. So much inconvenience for so little benefit at such a staggering cost.'"
Android

EFF Reverse Engineers Carrier IQ 103

MrSeb writes "At this point we have a fairly good idea of what Carrier IQ is, and which manufacturers and carriers see fit to install it on their phones, but the Electronic Frontier Foundation — the preeminent protector of your digital rights — has taken it one step further and reverse engineered some of the program's code to work out what's actually going on. There are three parts to a Carrier IQ installation on your phone: The program itself, which captures your keystrokes and other 'metrics'; a configuration file, which varies from handset to handset and carrier to carrier; and a database that stores your actions until it can be transmitted to the carrier. It turns out that the config profiles are completely unencrypted, and thus very easy to crack."
Security

The Problem With Windows 8's Picture Password 206

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
China

Chinese Developer Forum Leaks 6 Million User Credentials 102

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials, including user names, passwords and emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."
Android

Twitter To Open Source Android Security Tech 164

itwbennett writes "Following last month's acquisition of Whisper Systems, Twitter is open sourcing 'some' of the company's Android security products. First up: TextSecure, a text messaging client that encrypts messages. Source code is on GitHub now. 'Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent,' writes IDG News Service's Nancy Gohring."
EU

EU Shipping Sector Cyber Security Awareness "Non-Existent" 55

twoheadedboy writes "The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has 'currently low to non-existent' awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies."
Security

Researcher Claims Siemens Lied About Security Bugs 46

chicksdaddy writes "A month after an unknown gray hat hacker calling himself 'pr0f' used a three character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability."
Image

Book Review: Defense Against the Black Arts 58

brothke writes "If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, is that book. Even if one uses the definition in The New Hackers Dictionary of 'a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area', that really does not describe this book. The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, but rather easy to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools." Read below for the rest of Ben's review.
Microsoft

New Remote Flaw In 64-Bit Windows 7 284

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."