
Virtualization

Chaos Monkey Released Into the Wild

Posted by Unknown Lamer
from the infinite-monkeys-with-infinite-hammers dept.
Quince alPillan writes "Netflix revealed today that they've released Chaos Monkey, an open source Amazon Web Service testing tool that will randomly turn off instances in Auto Scaling Groups. 'We have found that the best defense against major unexpected failures is to fail often. By frequently causing failures, we force our services to be built in a way that is more resilient. We are excited to make a long-awaited announcement today that will help others who embrace this approach. ...source code for the founding member of the Simian Army, Chaos Monkey, is available to the community.'"
Math

New Moxie Marlinspike Tool Cracks Crypto Passwords

Posted by samzenpus
from the new-tool-for-the-box dept.
Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."
Security

Ubisoft Uplay DRM Found To Include a Rootkit

Posted by samzenpus
from the a-little-something-extra dept.
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it. The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
Crime

JavaScript Botnet Sheds Light On Criminal Activity

Posted by samzenpus
from the surfing-dirty dept.
CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"
Australia

Anonymous Dumps Australian Telco Data Online

Posted by Soulskill
from the fun-times-down-under dept.
lukehopewell1 writes "After the threats, admissions and delays, hacktivists protesting a data retention scheme proposed by the Australian Government's National Security Inquiry have begun dumping data gleaned from an Australian telco — presumably AAPT. Anonymous is in the process of dumping government and business customer data onto Pastebin for the world to see under the guise of Operation Australia. This episode is far from over, however. We're likely to see more data trickle out over the coming days, considering that the group has promised 40GB worth of leaks."
Security

OAuth 2.0 Standard Editor Quits, Takes Name Off Spec

Posted by Soulskill
from the none-of-us-are-as-dumb-as-all-of-us dept.
New submitter tramp writes "The Register reports, 'Eran Hammer, who helped create the OAuth 1.0 spec, has been editing the evolving 2.0 spec for the last three years. He resigned from his role in June but only went public with his reasons in a blog post on Thursday. "At the end, I reached the conclusion that OAuth 2.0 is a bad protocol," Hammer writes. "WS-* bad. It is bad enough that I no longer want to be associated with it."' At the end of his post, he says, 'I think the OAuth brand is in decline. This framework will live for a while, and given the lack of alternatives, it will gain widespread adoption. But we are also likely to see major security failures in the next couple of years and the slow but steady devaluation of the brand. It will be another hated protocol you are stuck with.'"
Facebook

Facebook Invites Hackers To Attack Its Network

Posted by Soulskill
from the you-come-at-the-king-you-best-not-miss dept.
An anonymous reader writes "Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadening the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network. Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stolen information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there's a million-dollar bug, they will pay it out."
Cellphones

Did Apple Buy Fingerprint Security Firm For Mobile Wallet?

Posted by Soulskill
from the or-just-keeping-those-angry-birds-safe dept.
Hugh Pickens writes "Reuters reports that Apple will buy fingerprint sensor technology developer AuthenTec for about $356 million, striking a deal that could help Apple bring fingerprint technology, already used in mobile phones in Japan for authentication of mobile payments, to markets such as the United States, where mobile-wallet services have been slow to catch on. Some analysts expect the iPhone 5 to include some form of mobile payments technology. 'In the past 5 years, the growth of iPhone and Android smartphones has made mobile data security essential, not just a "nice-to-have" feature,' says Ben Yu, Managing Director of Sierra Ventures, one of the early investors in AuthenTec. 'People have their whole lives on the phones.' AuthenTec's embedded fingerprint scanners and other identity-related software are particularly useful now that Near Field Communications, or NFC-enabled, phones have begun to appear in the market. Analyst Colin Gillis says AuthenTec technology could potentially also help Apple combat problems such as theft of its more portable products such as iPhones. 'If they could have a way where they could tie the phone to a user more tightly, that would make sense for them,' says Gillis. The price tag for AuthenTec is a drop in the bucket of Apple's cash pile of $117.2 billion. 'We'll see if it's a one-off or if Tim Cook will start to level his cash balance and acquire talent,' adds Gillis."
Government

6 IT Projects, $8 Billion Over Budget At Dept. of Defense

Posted by Soulskill
from the par-for-the-course dept.
McGruber writes "The Federal Times has the stunning (but not surprising) news that a new audit found six Defense Department modernization projects to be a combined $8 billion — or 110 percent — over budget. The projects are also suffering from years-long schedule delays. In 1998, work began on the Army's Logistics Modernization Program (LMP). In April 2010, the General Accounting Office issued a report titled 'Actions Needed to Improve Implementation of the Army Logistics Modernization Program' about the status of LMP. LMP is now scheduled to be fully deployed in September 2016, 12 years later than originally scheduled, and 18 years after development first began! (Development of the oft-maligned Duke Nukem Forever only took 15 years.)"
Security

How a 3-Year-Old Can Open a Gun Safe

Posted by timothy
from the good-nightclub-act dept.
New submitter bupbin writes "We are providing a detailed report and analysis of eleven different popular gun safes produced by Stack-On, GunVault, and Bulldog to warn the public of the dangers inherent in some of these products because neither the manufacturers nor their major retailers will do so. In that report you can view eight different Stack-On models, one produced by Bulldog, and one manufactured by GunVault. A similar design defect is demonstrated in an inexpensive safe for storing valuables that is sold by AMSEC, a very reputable safe manufacturer in the United States. Unfortunately, their digital safe with their claim of a 'state-of-the-art electronic lock' can also be opened (literally) by a three-year-old because of a common mechanism used in the industry that is subject to circumvention."
Google

Researchers Beat Google's Bouncer

Posted by timothy
from the sneak-in-the-back-way dept.
An anonymous reader writes "When earlier this year Google introduced Bouncer — an automated app scanning service that analyzes apps by running them on Google's cloud infrastructure and simulating how they will run on an Android device — it shared practically nothing about how it operates, in the hopes of making malicious app developers scramble for a while to discover how to bypass it. As it turned out, several months later security researchers Jon Oberheide and Charlie Miller discovered — among other things — just what kind of virtual environment Bouncer uses (the QEMU processor emulator) and that all requests coming from Google came from a specific IP block, and made an app that was instructed to behave as a legitimate one every time it detected this specific virtual environment. Now two more researchers have effectively proved that Bouncer can be rather easily fooled into considering a malicious app harmless."
Privacy

Ask Slashdot: How To Clean Up My Work Computer Before I Leave?

Posted by timothy
from the lysol-in-all-the-vents dept.
An anonymous reader writes "I'm leaving my current job for a new one. I've been at this job for 10+ years, so I'm sure there is tons of personal stuff stored on my machine. Since I can't take it with me, does anyone have suggestions of tools or practices to clean off all of that data? I've already got my personal documents and files. I'm most worried about CC and debit card numbers and web site passwords I've used in browsers. Does clearing the cache, cookies, and temp files do a good enough job? BTW, it's a Windows 7 system if that makes a difference."
Privacy

Defcon Researchers Build Tool To Track the Planes of the Rich and Famous

Posted by timothy
from the you'll-never-catch-me dept.
Sparrowvsrevolution writes "At the Defcon security conference later this week, two security researchers will release a tool that aims to expose a little-seen list of hidden private aircraft flight plans–the so-called Block Aircraft Registration Request or BARR list, a collection of aircraft whose owners have tried to keep their whereabouts secret. Any private jet owner can request to be taken out of the FAA's public database of flight plans. But Dustin Hoffman and Semon Rezchikov found that private flyers' whereabouts are still broadcast in air-traffic control communications. So they developed a speech-to-text system that pulls out planes' tail numbers from those communications almost in real time, often fast enough to post a plane's destination before it lands. In its proof-of-concept version, the site is focusing on Las Vegas airports, but plans to expand to other cities soon."
Security

Face To Face With the 'Human Barcode'

Posted by timothy
from the back-to-back-sacroiliac dept.
silentbrad writes with this excerpt from the Financial Post: "Fast-evolving biometric technologies are promising to deliver the most convenient, secure connection possible between you and your bank account — using your body itself in place of all of those wallets and purses stuffed with cash, change and plastic cards. Biometrics is the science of humans' physiological or behavioural characteristics and it's being used to develop technology that recognizes and matches unique patterns in human fingerprints, faces and eyes and even sweat glands and buttock pressure. Its applications in the financial realm are a potentially huge time and effort saver, but that's just a beginning for the technology's usefulness. ... [BIOPTid Inc.]'s One Touch cube, set to be on the market within a year, is an external device that users can hook up to their computers and mobile electronics to replace passwords for Internet logins and banking. The cube reads a personal sweat gland barcode to verify identity from the moisture on a user's fingertip. ... 'Biometrics is something that's used by governments, it's used by "Big Brother" to keep an eye on us and we want to change that,' says [BIOPTid chief Scott McNulty]. 'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"
Government

Researcher Finds Security Holes In FAA's New Flight Control System

Posted by samzenpus
from the blue-screen-and-sky dept.
gManZboy writes "A key component of the FAA's emerging 'Next Gen' air traffic control system is fundamentally insecure and ripe for manipulation and attack, security researcher Andrei Costin said in a presentation Wednesday at Black Hat 2012. Costin outlined a series of issues related to the Automatic Dependent Surveillance-Broadcast (ADS-B) system, a replacement to the decades-old ground radar system used to guide airplanes through the sky and on the ground at airports. Among the threats to ADS-B: The system lacks a capability for message authentication. 'Any attacker can pretend to be an aircraft' by injecting a message into the system, Costin said. There's also no mechanism in ADS-B for encrypting messages. One example problem related to the lack of encryption: Costin showed a screen capture showing the location of Air Force One — or that someone had spoofed the system."
