Google

How To Pull Location Data From Encrypted Google Maps Sessions 28

Trailrunner7 writes "In the last couple of years, Google and some other Web giants have moved to make many of their services accessible over SSL, and in many cases, made HTTPS connections the default. That's designed to make eavesdropping on those connections more difficult, but as researchers have shown, it certainly doesn't make traffic analysis of those connections impossible. Vincent Berg of IOActive has written a tool that can monitor SSL connections and make some highly educated guesses about the contents of the requests going to Google Maps, specifically looking at what size the PNG files returned by Google Maps are. The tool then attempts to group those images in a specific location, based on the grid and tile system that Google uses to construct its maps."
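The side channel described above, as an added illustration that is not IOActive's tool or code: the observer never decrypts anything, it only recovers response lengths from the TLS stream, matches each length against a pre-built catalog of tile sizes, and then keeps the assignment in which the matched tiles form a compact block at one zoom level, because a real map viewport is a small rectangle of adjacent tiles while size-collisions with unrelated tiles scatter across the grid. The tile catalog, the observed lengths, the tolerance for TLS padding/MAC overhead and the assumption that HTTP header bytes have already been subtracted are all constructed for this example.

```python
import math
from itertools import product

# Constructed catalog, (zoom, x, y) -> PNG size in bytes. An attacker builds
# this ahead of time by fetching tiles; the values here are made up.
TILE_CATALOG = {
    (12, 655, 1582): 18231,
    (12, 656, 1582): 22904,
    (12, 655, 1583): 17110,
    (12, 656, 1583): 25430,
    (12, 1200, 1600): 18240,  # decoy: almost the same size as (12,655,1582), far away
    (12, 2040, 900): 17108,   # decoy: almost the same size as (12,655,1583)
    (11, 327, 791): 22910,    # decoy: size collision at a different zoom level
}

# Constructed response-body lengths recovered from the encrypted session.
# Assumed: constant HTTP header bytes already subtracted, TLS overhead bounded.
OBSERVED = [18235, 22906, 17114, 25428]


def candidates(size, catalog, tolerance=8):
    """Tiles whose PNG size lies within `tolerance` bytes of an observed length.
    TLS padding and MAC bytes hide the exact plaintext length, so the match is
    a window, not an equality, and collisions are expected."""
    return [t for t, n in catalog.items() if abs(n - size) <= tolerance]


def bbox_area(tiles):
    """Area, in tiles, of the grid rectangle covering the given tiles."""
    xs = [t[1] for t in tiles]
    ys = [t[2] for t in tiles]
    return (max(xs) - min(xs) + 1) * (max(ys) - min(ys) + 1)


def best_assignment(observed, catalog, tolerance=8):
    """Choose one candidate per observation so that all chosen tiles share a
    zoom level and span the smallest grid rectangle. Decoys that collide on
    size rarely also land next to the true tiles, so they lose."""
    per_obs = [candidates(s, catalog, tolerance) for s in observed]
    if any(not c for c in per_obs):
        return None  # some response matches no known tile: give up honestly
    best = None
    for combo in product(*per_obs):
        if len({t[0] for t in combo}) != 1:
            continue  # mixed zoom levels cannot be one viewport
        area = bbox_area(combo)
        if best is None or area < best[0]:
            best = (area, combo)
    return best[1] if best else None


def tile_to_latlon(z, x, y):
    """North-west corner of a Web Mercator tile (256 px quadtree), in degrees."""
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon


def locate(observed, catalog, tolerance=8):
    """Return ((z, xmin, xmax, ymin, ymax), (lat, lon) of the NW corner) for
    the inferred viewport, or None when no coherent assignment exists."""
    tiles = best_assignment(observed, catalog, tolerance)
    if tiles is None:
        return None
    z = tiles[0][0]
    xs = [t[1] for t in tiles]
    ys = [t[2] for t in tiles]
    bbox = (z, min(xs), max(xs), min(ys), max(ys))
    return bbox, tile_to_latlon(z, min(xs), min(ys))


if __name__ == "__main__":
    print(locate(OBSERVED, TILE_CATALOG))
```

The defence implied by the story is also visible here: the attack depends on response lengths being distinguishable, so padding tiles to a fixed size (or to a coarse size bucket) collapses the catalog into a few indistinguishable classes and the spatial-coherence step has nothing left to select on.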
China

Best Practice: Travel Light To China 334

Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
Businesses

Why Microsoft Developers Need a Style Guide 262

snydeq writes "What your interface communicates to users can be just as important as what your software does, writes Fatal Exception's Neil McAllister in discussing the latest edition of the 'Microsoft Manual of Style', a style guide aimed at designers and developers who create Microsoft software, as well as those who write about it. 'The gist of much of Microsoft's advice is that a user's relationship with computer software is a unique one, and it's important to craft the language of software UIs accordingly,' McAllister writes. 'Occasionally, Microsoft's recommendations verge on the absurd. For example, you might not think it necessary to admonish developers to "not use slang that may be considered profane or derogatory, such as 'pimp' or 'bitch,'" but apparently it is.'"
Security

Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers 139

New submitter davidstites writes "I am a master's computer science student at the University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you log in to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hacker's dream! If a victim's credentials were captured, a hacker could use those credentials to log in to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victim's name." (Read on below for more details.)
Botnet

Tools, Techniques, Procedures of the RSA Hackers Revealed 54

An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"
Electronic Frontier Foundation

Looking For Love; Finding Privacy Violations 112

itwbennett writes "When you sign up for online dating, there's a certain amount of information you expect to give up, like whether or not your weight is proportional to your height. But you probably don't expect that your profile will remain online long after you stop subscribing to the service. In some cases your photo can be found even after being deleted from the index, according to the Electronic Frontier Foundation (EFF), which identified six major security weaknesses in online dating sites."
Graphics

TMS9918A Retro Video Chip Reimplemented In FPGA, With VGA Out 126

acadiel writes "Matthew H from the AtariAge.com TI-99/4A forum has finalized a design of a TMS 9918A replacement (with VGA out) for classic computer systems such as the ColecoVision, TI-99/4A, SpectraVision, MSX1, SpectraVision 128, and Tomy Tutor Home computers. This hardware project replaces the native video controller on these classic systems and enables them to have VGA output for the first time." (It's just under $100 to order one.)
Operating Systems

Bad Guys Use Open Source, Too 84

First time accepted submitter colinneagle writes "Open source has been so successful in giving us software like Linux, Apache, Hadoop, etc., why wouldn't the open source method work with other types of software? Probably no one expected that the criminals behind vast malware trojans would adopt open source methods to make their malware more dangerous, but they have. According to this report from Seculert Research, the makers of Citadel, a variant of the Zeus Trojan, are using open source models to hone their code and make the Trojan more dangerous."
Wireless Networking

FCC Maps the 3G Wasteland Of the Western US 173

alphadogg writes "The Federal Communications Commission has released a map showing which counties across the U.S. lacked coverage from either 3G or 4G networks and found that wide swaths of the western half of the country were 3G wastelands, particularly in mountainous states such as Idaho and Nevada. This isn't particularly surprising since it's much more difficult for carriers to afford building out mobile data networks in sparsely populated mountainous regions, but it does underscore how large stretches of the United States lack access to mobile data services that people in the Northeast, South and Midwest now take for granted."
Censorship

Tor Tests Undetectably Encrypted Connections In Iran 157

Sparrowvsrevolution writes "Ahead of the anniversary of Iran's revolution, the country's government has locked down its already-censored Internet, blocking access to many services and in some cases cutting off all encrypted traffic on the Web of the kind used by secure email, social networking and banking sites. In response, the information-freedom-focused Tor Project is testing a new tool it's calling 'obfsproxy,' or obfuscated proxy, which aims to make SSL or TLS traffic appear to be unencrypted traffic like HTTP or instant messaging data. While the tool currently only disguises SSL as the SOCKS protocol, in future versions it will aim to disguise encrypted traffic as any protocol the user chooses. Tor executive director Andrew Lewman says the idea is to 'make your Ferrari look like a Toyota by putting an actual Toyota shell over the Ferrari.'" Reader bonch adds: "A thread on Hacker News provides first-hand accounts as well as workarounds."
Google

Google Offering Cash For Your Cache 152

pigrabbitbear writes "The gradual transformation of the web into an ultra-personalized, corporate-owned social space in the cloud has raised more than a few legitimate concerns about data privacy. Google, for obvious reasons, has always been one of the top cheerleaders for this metamorphosis. Touting a fresh new privacy policy that allows data about you from all of their services to coalesce, they've recently been particularly bullish about rendering that increasingly realistic digital portrait of you that lies stuffed away in their servers. It has led us again to question: How much are we comfortable with our machines knowing about us? How much is our privacy really worth? With their new program, Google is now asking those questions quite directly, and preceding them with dollar signs. Are we all on the verge of making our own information age Faustian bargains?"
Government

Hacked Syrian Officials Used '12345' As Email Password 231

Nominei writes "The Israeli newspaper Haaretz reports that the Syrian President, aides and staffers had their email hacked by Anonymous, who leaked hundreds of emails online. Reportedly, many of the accounts used the password '12345' (which their IT department probably warned them to change when the accounts got set up, of course)."
Businesses

The Gradual Death of the Brick and Mortar Tech Store 491

Cutting_Crew writes "As we all know, brick and mortar stores have been closing left and right recently. We had CompUSA, Borders and Circuit City all close their doors within the last 4 years. According to an article on Forbes.com, it is spelled out pretty clearly why Best Buy is next in line to shut its doors for good. Some of the reasons highlighted include a 40% drop in Best Buy stock in 2011, lack of vision regarding their online services, management too concerned with store sales instead of margins and blatant disregard for quality customer service."
Encryption

Sponsor a Valve On Colossus 30

mikejuk writes "The UK's National Museum of Computing has come up with a novel idea to raise funds for the new gallery for its rebuilt Colossus computer: you can sponsor a valve. All you have to do is buy a small area in a picture of Colossus (at £0.1 per pixel — min £10), upload a picture to occupy the space, set a URL and pay using PayPal."
Encryption

Pasadena Police Encrypt, Deny Access To Police Radio 487

An anonymous reader writes "There is media (but not public?) outcry over the Pasadena, CA police switch from analog radio that can be picked up by scanners to encrypted digital radio that cannot. 'On Friday, Pasadena police Lt. Phlunte Riddle said the department was unsure whether it could accommodate the media with digital scanners. Riddle said the greatest concern remains officer safety. "People who do bank robberies use scanners, and Radio Shack sells these things cheap," Riddle said. "We just had a robbery today on Hill Avenue and Washington Boulevard," Riddle said. "The last thing I want to do is to have the helicopter or the officers set up on the street and the criminals have a scanner and know where our officers are." Just prior to the switch over, city staffers said they would look into granting access to police radio chatter, most likely by loaning media outlets a scanner capable of picking up the secure signal.'"
Businesses

Proposed Law Would Give DHS Power Over Privately Owned IT Infrastructure 300

CelticWhisper writes "H.R. 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act), would allow the U.S. Department of Homeland Security to require improved security practices from those businesses managing systems whose disruption could prove detrimental to critical life-sustaining or national-security initiatives." As the article points out, this is just "one of 30 or so such bills currently percolating on the Hill."
Chrome

No More SSL Revocation Checking For Chrome 152

New submitter mwehle writes with this bit from Ars Technica: "Google's Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer certificates are valid after one of the company's top engineers compared it to seat belts that break when they are needed most. The browser will stop querying CRL, or certificate revocation lists, and databases that rely on OCSP, or online certificate status protocol, Google researcher Adam Langley said in a blog post published on Sunday. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, don't make end users safer because Chrome and most other browsers establish the connection even when the services aren't able to ensure a certificate hasn't been tampered with."
Crime

Cops Set Up Extortion Sting On Symantec's Source Code Thieves 168

Sparrowvsrevolution writes "Hackers linked with Anonymous leaked another 1.26 gigabytes of Symantec's data Monday night, what they say is the source code of the company's PCAnywhere program. More interestingly, they also posted a long private email conversation that seems to show a Symantec exec offering the hackers $50,000 not to leak the company's data and to publicly state they had lied about obtaining it. Symantec has responded by revealing that, in fact, the $50,000 offer had been a ruse, and the 'Symantec exec' was actually a law enforcement agent trying to trace the hackers. It adds that all the information the hackers have released, including a 2006 version of Norton Internet Security, is outdated and poses no threat to the company or its customers. Symantec says the Anonymous hackers began attempting to extort money from the company in mid-January, and it responded by contacting law enforcement, though it won't comment on the results of the fake payoff sting while the investigation is still ongoing."
Encryption

Defendant Ordered To Decrypt Laptop Claims She Had Forgotten Password 1009

wiedzmin writes "A Colorado woman who was ordered by a federal judge to decrypt her laptop hard drive for police last month appears to have forgotten her password. If she does not remember the password by month's end, as ordered, she could be held in contempt and jailed until she complies. It appears that bad memory is now a federal offense." The article clarifies that her lawyer stated she may have forgotten the password; they haven't offered that as a defense in court yet.
