Security

Iran Nuclear Agency Not "Thunderstruck" By Virus 91

Posted by samzenpus
from the back-in-black dept.
twoheadedboy writes "Iran may have been hit hard by Stuxnet, but officials have said that reports of a virus infecting its nuclear facilities and forcing computers to play the AC/DC classic 'Thunderstruck' were rubbish. Last month, F-Secure's chief research officer, Mikko Hypponen, was sent an email that appeared to be from a scientist working at the Atomic Energy Organization of Iran (AEOI), claiming nuclear systems had been targeted by cyber attackers. Whilst the chief of the AEOI has come out to deny those claims, the sender of that email still managed to get hold of an official aeoi.org.ir email address. That has left some onlookers baffled about what is going on."
Bug

Algorithmic Trading Glitch Costs Firm $440 Million 377

Posted by Unknown Lamer
from the someone-got-fired dept.
alstor writes "Yesterday an update to Knight Capital Group's algorithmic trading software caused massive volume buys and sells, resulting in large price swings on the New York Stock Exchange. As a result, the NYSE canceled some of the trades, but today the loss to Knight has been calculated at $440 million. Ignoring adjustments for inflation, this makes the cost of this glitch almost as much as the $475 million charge Intel took for the Pentium FDIV Bug, which might warrant adding this bug to the list of worst bugs. In light of this loss and the May 6, 2010 Flash Crash, perhaps investors will demand changes from firms using algorithmic trading, since the SEC is apparently too antiquated to do anything about it (PDF)."
Government

Senate Cybersecurity Bill Stalled By Ridiculous Amendments 233

Posted by Unknown Lamer
from the this-is-why-western-society-collapsed dept.
wiredmikey writes "Despite a recent push by legislators, it remains unclear whether the Senate will manage to vote on the proposed comprehensive cybersecurity legislation (Cybersecurity Act of 2012) before Congress adjourns at the end of the week for its summer recess. Once all the amendments (over 70) have been dealt with, the Senate could decide to vote on the bill immediately, or wait till after the summer recess. As usual, the Democrats and Republicans have been unable to agree on which amendments will be considered, effectively stalling the bill. And most interesting, is that in typical U.S. political fashion, some of the amendments have nothing to do with the topic on hand (cybersecurity): ... Sen. Frank Lautenberg has filed a measure to ban high-capacity ammunition clips as part of a gun-reform proposal. And Sen. Mike Lee filed a bill that would ban abortion in Washington, D.C. after 20 weeks of pregnancy. Sen. Michael Bennet and Tom Coburn filed an amendment to expand the Office for Personnel Management's federal government's data center consolidation initiative. Senate Minority Leader Mitch McConnell suggested an amendment to repeal the Affordable Care Act."
Piracy

Demonoid Down For a Week, Serving Malware Laden Ads 144

Posted by Unknown Lamer
from the don't-copy-that-floppy dept.
hypnosec tipped us to reports that Demonoid is still down after suffering a massive DDoS last week, and that the domain is now redirecting to a malware-ridden spam site. Notable for surviving a CRIA-mandated shutdown, this may be lights out for the torrent tracker: "To begin, while Demonoid’s admin told us that he would eventually bring the site back online, he clearly has other things on his mind. A really important family event puts a torrent site nowhere near the top of his priorities. ... Demonoid has been experiencing staffing issues this year. As we mentioned in an earlier article, there were rumors that one or maybe more Demonoid staffers had been questioned by authorities about their involvement in the site."
Security

Security Expert: Huawei Routers Riddled With Vulnerabilities 126

Posted by Unknown Lamer
from the more-like-riddled-with-features dept.
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors." Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement: 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
Google

Google Clamps Down On Spam, Intrusive Ads In Apps 122

Posted by Soulskill
from the their-way-or-the-highway dept.
An anonymous reader tips news that Google has sent out a letter to app developers explaining policy changes for any new apps published on the Google Play store. In-app purchases must now use Google Play's payment system unless it's for goods or services used outside the app itself. They've added language to dissuade developers from making their apps look like other apps, or like they come from other developers. But more significantly, Google has explained in detail what qualifies as spam: repetitive content, misleading product descriptions, gaming the rating system, affiliate traffic apps, or apps that send communications without user consent. Also, advertisements within apps must now follow the same rules as the app itself, and they can't be intrusive: Ads can't install things like shortcuts or icons without consent, they must notify the user of settings changes, they can't simulate notifications, and they can't request personal information to grant full app function.
Security

Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole 180

Posted by Unknown Lamer
from the rms-gazes-upon-you-smugly dept.
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
IT

Ask Slashdot: Is There a Professional Geek Dress Code? 432

Posted by Unknown Lamer
from the pants-optional dept.
First time submitter KateKintail writes "I'm being promoted to be a director of a computer/web services department at work with staff members (not yet hired) working under me. My workplace doesn't have a dress code 95% of the year. Is this the end of my days of jeans and enjoyably geeky t-shirts? Is there a way to dress professionally in the workplace as a boss (the kind that doesn't need to be defeated at the end of a level) while still showing my Browncoat or Whovian love as I crawl under cobwebby desks to check that equipment is properly plugged in?"
Cloud

Dropbox Confirms Email Addresses Were Pilfered 89

Posted by Unknown Lamer
from the three-factor-auth-coming-to-a-store-near-you dept.
bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.
Printer

Additive Manufacturing (3D Printing), Gun Control, and Patent Law 380

Posted by Soulskill
from the if-we-outlaw-printers-then-only-outlaws-will-have-printers dept.
retroworks writes "J.D. Tuccille of the conservative think tank Reason Foundation discusses last week's news about the first working 3D-printed gun. According to the original article, the partly plastic '.22-caliber pistol, formed from a 3D-printed AR-15 (M16) lower receiver, and a normal, commercial upper' fired 200 rounds without any sign of wear and tear. Tuccille takes the discovery in the direction of politically topical gun control. '...the development makes it clear that a wide range of bans, restrictions and prohibitions are becoming increasingly unenforceable.' But in my mind, this example of additive-manufacturing technology raises even more questions about patent law enforcement. Will 3D printing be to the Anti-gray-market-alliance what online porn became to neighborhood blue laws?"
Virtualization

Chaos Monkey Released Into the Wild 76

Posted by Unknown Lamer
from the infinite-monkeys-with-infinite-hammers dept.
Quince alPillan writes "Netflix revealed today that they've released Chaos Monkey, an open source Amazon Web Service testing tool that will randomly turn off instances in Auto Scaling Groups. 'We have found that the best defense against major unexpected failures is to fail often. By frequently causing failures, we force our services to be built in a way that is more resilient. We are excited to make a long-awaited announcement today that will help others who embrace this approach. ...source code for the founding member of the Simian Army, Chaos Monkey, is available to the community.'"
Math

New Moxie Marlinspike Tool Cracks Crypto Passwords 71

Posted by samzenpus
from the new-tool-for-the-box dept.
Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."
Security

Ubisoft Uplay DRM Found To Include a Rootkit 473

Posted by samzenpus
from the a-little-something-extra dept.
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it. The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
Crime

JavaScript Botnet Sheds Light On Criminal Activity 50

Posted by samzenpus
from the surfing-dirty dept.
CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"
Australia

Anonymous Dumps Australian Telco Data Online 87

Posted by Soulskill
from the fun-times-down-under dept.
lukehopewell1 writes "After the threats, admissions and delays, hacktivists protesting a data retention scheme proposed by the Australian Government's National Security Inquiry have begun dumping data gleaned from an Australian telco — presumably AAPT. Anonymous is in the process of dumping government and business customer data onto Pastebin for the world to see under the guise of Operation Australia. This episode is far from over, however. We're likely to see more data trickle out over the coming days, considering that the group has promised 40GB worth of leaks."