nonprofiteer writes "Two years ago, Visa, MasterCard, PayPal, Western Union and Bank of America cut off all funding to WikiLeaks. A group of free information advocates wants to prevent a similar financial blockade on information from happening again. Daniel Ellsberg, John Perry Barlow, and EFF staffers are founding the Freedom of the Press Foundation, an org that will raise money and channel it to edgy media groups that might suffer from a WikiLeaks-style embargo. When donors give to the Foundation, they can choose to have their funding passed on to any media group under the Foundation's umbrella (currently WikiLeaks, Muckrock, The National Security Archives and UpTake). That strategy aims to make it harder to cut funding to any of those organizations, or any added in the future. And because the site is encrypted, donors who worry about being identified as giving to any particularly controversial group can do so without being identified. It's like Tor for charitable giving."

CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"

An anonymous reader writes "A huge security hole has been discovered in recent Samsung devices including phones like the Galaxy S2 and S3. It is possible for every user to obtain root due to a custom faulty memory device created by Samsung." The problem affects phones with the Exynos System-on-Chip.

skade88 writes "If you are like me, the proud owner of a Radeon card, and feeling left out of the Linux graphics driver revolution that swept Nvidia cards recently, then stay tuned — there might be hope for us seeing better graphics performance in the Linux 3.8 kernel."

Albanach writes "At the start of November Slashdot reported the discovery of a code, thought to be from the Second World War, found attached to the leg of a pigeon skeleton located in an English chimney. Now a Canadian by the name of Gord Young claims to have deciphered the message in less than 20 minutes. He believes that the message is comprised mostly of acronyms."

chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."

First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

New submitter mrheckman writes "California is suing Delta Air Lines for violation of California's on-line privacy law. Delta failed to 'conspicuously post a privacy policy within their mobile app that informs users of what personally identifiable information is being collected and what will be done with it' after a 30-day notice. Delta's app collects 'substantial personally identifiable information such as a user's full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location.' Why is it we still can't control what permissions an app has on our phones? It's absurd and disturbing that an app for checking flights and baggage demands all of those permissions."

An anonymous reader writes "It's been found that the Btrfs file-system is vulnerable to a Hash-DOS attack, a denial-of-service attack caused by hash collisions within the file-system. Two DOS attack vectors were uncovered by Pascal Junod that he described as causing astonishing and unexpected success. It's hoped that the security vulnerability will be fixed for the next Linux kernel release." The article points out that these exploits require local access.

An anonymous reader writes "Google on Friday announced it is shutting down a slew of features and services as part of its winter cleaning. Google Calendar will be losing a few features, Google Sync will be axed (on the consumer side), as will Google Calendar Sync, SyncML, the Issue Tracker Data API, and the Punchd app."

An anonymous reader writes "Researchers of the International Computer Science Institute in Berkeley have created an interactive diagram that shows root-CAs, their intermediates, the relationships between them and how many certificates have been signed by them. The graph was generated by passively monitoring the Internet uplinks of a number of (mostly) edu sites for SSL connections and their certificate Information. Among other things the graph shows that one GoDaddy intermediate signed more than 74,000 certificates and that a German CA uses more than 200 sub-CAs for administrative reasons."

CowboyRobot writes "A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."

alphadogg writes "Japanese police are looking for an individual who can code in C#, uses a 'Syberian Post Office' to make anonymous posts online, and knows how to surf the web without leaving any digital tracks — and they're willing to pay. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker, or put so much technical detail into one of its wanted postings. The NPA will pay up to $36,000, the maximum allowed under its reward system. The case is an embarrassing one for the police, in which earlier this year 4 individuals were wrongly arrested after their PCs were hacked and used to post messages on public bulletin boards. The messages included warnings of plans for mass killings at an elementary school posted to a city website."

jfruh writes "Over the past couple of years, you may have noticed a rash of often high-quality infographics by third parties appearing on your favorite websites. These images are offered to Web publishers free of charge, with the only request being a link back to the creator's own site. But when one blogger got an odd email from a the creator of infographic he put on his site two years ago, he did some digging and discovered that he had inadvertently helped some shady characters do SEO spamming."

tsamsoniw writes "PNC, Bank of America, SunTrust, and other major financial institutions have experienced a wave of DDoS attacks and site outages over the past couple of days, and Islamic extremist hacker group Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility. The group, which launched similar attacks earlier this year, reiterated its demands: that a controversial YouTube video mocking the prophet Mohammed "be eliminated from the Internet.""

First time accepted submitter Idontpostmuch writes "The idea that technology cannot cause unemployment has long been taken as a simple fact of economics. Lately, some economists have been changing their tune. MIT research scientist Andrew Mcaffee writes, 'As computers and robots get more and more powerful while simultaneously getting cheaper and more widespread this phenomenon spreads, to the point where economically rational employers prefer buying more technology over hiring more workers. In other words, they prefer capital over labor. This preference affects both wages and job volumes. And the situation will only accelerate as robots and computers learn to do more and more, and to take over jobs that we currently think of not as "routine," but as requiring a lot of skill and/or education.'" Note: Certainly not all economists agree "that technology cannot cause unemployment," especially in the short term. From a certain perspective, displacing labor is a, if not the, central advantage of technology in general.

Today's interview victim, Jerry Irvine, is CIO of Chicago-area IT consultancy Prescient Solutions and is also a member of the National Cybersecurity Task Force. He concentrates on security but is a broad-spectrum IT expert who is entitled to put all these initials after his name: CISM, CISSP, MCSE, CCNA, CCNP, CCDA, CCDP, CNE, CBCP, CASP, CIPP/IT. He's also a really nice guy. In this video he talks about common ways IT departments blow their budgets and how not to have these problems where you work. (Hint: If you're an IT manager or CIO who has trouble getting your bosses to come across with an adequate IT budget, you might want to share this video with them.)

Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kasperky Labs' relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.

Frequent contributor Bennett Haselton writes: "Hotmail and Yahoo Mail are apparently sharing a secret blacklist of domain names such that any mention of these domains will cause a message to be bounced back to the sender as spam. I found out about this because — surprise! — some of my new proxy site domains ended up on the blacklist. Hotmail and Yahoo are stonewalling, but here's what I've dug up so far — and why you should care." Read on for much more on how Bennett figured out what's going on, and why it's a hard problem to solve.