If you're sick of the term "cloud" to refer to pretty much anything on "the internet" and consider that phrase a symptom of useless MBA, PHB, PowerPoint talking points oozing where they don't belong, sorry — you'll probably have to endure it for a while yet. Nerval's Lobster writes that Gartner's 2012 Hype Cycle of Emerging Technologies says that "Cloud computing" (along with a few other terms, such as "Near Field Communication" and "media tablets") is not just alive but growing. "Gartner uses the report to monitor the rise, maturity and decline of certain terms and concepts, the better for corporate strategists and planners to predict how things will trend over the next few months or years. As part of the report, Gartner's analysts have built a Hype Cycle which positions technologies on a graph tracing their rise, overexposure, inevitable fall, and eventual rehabilitation as quiet, productive, well-integrated, thoroughly un-buzz-worthy technologies. Right now, Gartner views hybrid cloud computing, Big Data, crowdsourcing, and the 'Internet of Things' as on the rise, while private cloud computing, social analytics and the Bring Your Own Device (BYOD) phenomenon are coasting at the Peak of Inflated Expectations."
Navigate with confidence through the cloud. Sign up for the SlashCloud Update newsletter now.
Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."
sl4shd0rk writes "Upon examining the PDF Engine behind Google Chrome, Google employees Mateusz Jurczyk and Gynvael Coldwind discovered numerous holes. This led them to also test Adobe Reader, which turned up around 60 holes which could crash the PDF reader, 40 of them being potential attack vectors. The duo notified Adobe, who promised fixes, but as of the latest updates (Tuesday of this week) for Windows and Macintosh, 16 of the reported flaws are still present (the Linux version has been ignored). To prove it, Mateusz and Gynvael obfuscated the info and released it, saying the unpatched holes could easily be found. The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader."
An anonymous reader writes "A new spear-phishing attack targeting a number of specific companies in a few industries, including the energy sector, has been spotted by several security companies. Dubbed 'Shamoon' due to a string of a folder name within the malware executable, the attack ends up with delivering destructive malware on the targeted computers that ends up making them unusable. The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the master boot record of the computer."
Sparrowvsrevolution writes "At the Usenix security conference in Seattle last week, a group of researchers from the University of California at Berkeley, Oxford University and the University of Geneva presented a study that hints at the darker side of a future where we control computers with our minds rather than a mouse. In a study of 28 subjects wearing brain-machine interface headsets built by companies like Neurosky and Emotiv and marketed to consumers for gaming and attention exercises, the researchers found they were able to extract hints directly from the electrical signals of the test subjects' brains that partially revealed private information like the location of their homes, faces they recognized and even sequences of numbers they recognized. For the moment, the experimental theft of users' private information from brain signals is more science fiction than a real security vulnerability, since it requires tricking the victim into thinking about the target information at a certain time, and still doesn't work reliably. (Though much better than random chance.) But as BMI gets more sophisticated and mainstream, the researchers say their study should serve as a warning about privacy issues around the technology of such interfaces."
An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — setup squid with one of the many filtering engines and click to filter the categories your interested. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"
Trailrunner7 writes "The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle include a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."
tad001 writes "The Daily Mail has pictures of Apple's new mini connector. The photograph, shared by French tech website nowhereelse.fr, shows two components, one of which is said to be similar to another apparently leaked picture of a part of the new iPhone. As well as the new dock connector, the part also seems to take in the headphone jack and the home button connector for the hotly awaited devices."
kactusotp writes "I run a small indie game company, and since source code is kind of our lifeblood, I'm pretty paranoid about backups. Every system has a local copy, servers run from a RAID 5 NAS, we have complete offsite backups, backup to keyrings/mobile phones, and cloud backups in other countries as well. With all the talk about solar flares and other such near-extinction events lately, I've been wondering: is it actually possible to store or protect data in such a way that if such an event occurred, data survives and is recoverable in a useful form? Optical and magnetic media would probably be rendered useless by a large enough solar flare, and storing source code/graphics in paper format would be impractical to recover, so Slashdot, short of building a Faraday cage 100 km below the surface of the Moon, how could you protect data to survive a modern day Carrington event?"
wiredmikey writes "Saudi Aramco, Saudi Arabia's national oil company and the largest oil company in the world, confirmed that is has been hit by a cyber attack that resulted in malware infecting user workstations and forcing IT to kill the company's connection to the outside world. '..An official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network,' the company wrote in a statement. This incident follows an attack on systems at the National Iranian Oil Company back in April, when a virus was detected inside the control systems of Kharg Island oil terminal, which also resulted in the company taking its systems offline. In response to continued cyber attacks against its networks and facilities, Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks."
hypnosec writes "Anonymous has claimed a new attack on Sony's PlayStation Network, and this time around it seems they have information from nearly 10 million user accounts. As a proof of the hack they dumped more than 3000 credentials online in the form of a pastebin post. The notorious hacktivist group is claiming that the entire set of hacked credentials contains over 10 million PSN accounts and that the file is of around 50GB." Update: 08/16 13:12 GMT by S : Sony has denied this claim.
Trailrunner7 writes "A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it. Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it's been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they've been able to find a crack in the malware's control infrastructure."
jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."
tsu doh nimh writes "The FBI is warning that it's getting inundated with complaints from people taken in by ransomware scams that spoof the FBI and try to scare people into paying 'fines' in lieu of going to jail for having downloaded kiddie porn or pirated content. KrebsOnSecurity.com looks inside a few of the scams in the FBI alert, and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while."
Trailrunner7 writes "Controversial document-sharing site WikiLeaks was back online Monday evening after sustaining a week-long distributed denial-of-service attack. The organization apparently received some extra capacity and assistance from Web performance and security firm Cloudfare to counter the 10 gigabits per second of bogus traffic that overwhelmed servers for numerous WikiLeaks domains and several supporters' sites. Targets included WikiLeaks' news aggregation site and its donations infrastructure, which it calls the Fund for Network Neutrality. A few days ago the organization posted a statement describing what it surmised was a DNS amplification attack. 'Broadly speaking, this attack makes use of open DNS servers where attackers send a small request to, the fast DNS servers then amplify the request, the request has now increased somewhat in size and is sent to the server of wikileaks-press.org. If an attacker then exploits hundreds of thousands of open DNS resolvers and sends millions of requests to each of them, the attack becomes quite powerful. We only have a small uplink to our server, the size of all these requests was 100,000 times the size of our uplink.'"