mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
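As an added illustration that is not part of the submission, of Sam Granger's write-up, or of WhatsApp's own code, the following Python contrasts a server that accepts a (hashed) device identifier as the password with one that issues a random per-device secret at registration and then authenticates with an HMAC challenge-response. The class and function names, the phone number and the IMEI value are all constructed for the example.

```python
"""Constructed example: a readable device identifier (such as an IMEI) is not a secret,
so using it as a password lets anyone who can read it authenticate as the device.
A random per-device secret plus challenge-response avoids that. Not WhatsApp's code."""
import hashlib
import hmac
import secrets

FAKE_IMEI = "490154203237518"      # constructed sample value, not a real device
PHONE = "+15550100"                # constructed sample account identifier


class IdentifierPasswordServer:
    """Weak design: the 'password' is a hash of an identifier the phone already exposes."""

    def __init__(self):
        self.accounts = {}

    def register(self, phone_number, imei):
        # Hashing the IMEI does not make it secret: anyone who knows the IMEI
        # can recompute the same hash.
        self.accounts[phone_number] = hashlib.sha256(imei.encode()).hexdigest()

    def login(self, phone_number, imei_guess):
        stored = self.accounts.get(phone_number)
        if stored is None:
            return False
        candidate = hashlib.sha256(imei_guess.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)


class DeviceSecretServer:
    """Better design: the server issues a random secret once, at registration.
    Later logins prove possession of it via HMAC over a fresh server nonce,
    so the secret itself never travels again and responses cannot be replayed."""

    def __init__(self):
        self.accounts = {}   # phone_number -> device secret (server store must be protected)
        self.pending = {}    # phone_number -> outstanding nonce

    def register(self, phone_number):
        secret = secrets.token_bytes(32)
        self.accounts[phone_number] = secret
        return secret        # delivered once over the registration channel, kept in the device keystore

    def challenge(self, phone_number):
        nonce = secrets.token_bytes(16)
        self.pending[phone_number] = nonce
        return nonce

    def verify(self, phone_number, response):
        secret = self.accounts.get(phone_number)
        nonce = self.pending.pop(phone_number, None)   # single use: pop before checking
        if secret is None or nonce is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret, nonce):
    """What the legitimate device computes for a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def weak_scenario():
    """Returns True if someone who merely read the IMEI can log in (they can)."""
    server = IdentifierPasswordServer()
    server.register(PHONE, FAKE_IMEI)
    observed_imei = FAKE_IMEI            # printed on the box, visible via *#06#, etc.
    return server.login(PHONE, observed_imei)


def strong_scenario():
    """Returns (legit_ok, imei_only_ok, replay_ok) for the challenge-response design."""
    server = DeviceSecretServer()
    device_secret = server.register(PHONE)

    # 1. Legitimate device answers a fresh challenge.
    nonce = server.challenge(PHONE)
    first_response = client_response(device_secret, nonce)
    legit_ok = server.verify(PHONE, first_response)

    # 2. Someone who knows only the IMEI tries to use it as the key.
    nonce = server.challenge(PHONE)
    imei_only_ok = server.verify(PHONE, hmac.new(FAKE_IMEI.encode(), nonce, hashlib.sha256).digest())

    # 3. Replaying the earlier valid response against a new challenge fails.
    server.challenge(PHONE)
    replay_ok = server.verify(PHONE, first_response)
    return legit_ok, imei_only_ok, replay_ok


if __name__ == "__main__":
    print("IMEI-as-password: stranger who read the IMEI logs in ->", weak_scenario())
    print("Random secret + challenge-response (legit, imei-only, replay) ->", strong_scenario())
```

The hash in the weak server is deliberate: transforming a public identifier does not turn it into a secret, because the transformation is known and the input is known. The strong server's remaining sensitive asset is its own secret store, which needs the same protection any credential database does.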
mbone writes "A very interesting paper (PDF) has just hit the streets (or, at least, Physical Review Letters) about the Heisenberg uncertainty relationship as it was originally formulated about measurements. The researchers find that they can exceed the uncertainty limit in measurements (although the uncertainty limit in quantum states is still followed, so the foundations of quantum mechanics still appear to be sound). This is really an attack on quantum entanglement (the correlations imposed between two related particles), and so may have immediate applications in cracking quantum cryptography systems. It may also be easier to read quantum communications without being detected than people originally thought."
First time accepted submitter brocket66 writes with this excerpt from BGR: "Three major revisions of Google's Android operating system have launched since the company released Android 2.3 more than 21 months ago in December 2010, but Gingerbread is still the most widely used version of Android by a wide margin. A study conducted early this year by graphic designer Chris Sauve projected that based on Android adoption trends up to that point, Android 2.3 Gingerbread would be the dominant version of Android in 2012 despite the fact that Android 3.0 Honeycomb and Android 4.0 Ice Cream Sandwich had already been released. Now, as the fourth quarter of 2012 approaches, data from Google's Android version distribution tracker confirms once again that those projections were accurate."
New submitter trokez writes "Symantec has monitored the activities of a group using a specific trojan (Hydraq/Aurora) since 2009. The particular group has been connected (by Symantec) to the attack on Gmail in China, but also other high-profile attacks. 'These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform." The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits.' The attacks seem to focus on industrial espionage, with the defense industry and its suppliers as the focus."
chicksdaddy writes "A malicious software researcher finds herself in company with First Lady Michelle Obama and science fiction author Neil Gaiman: booted from the Web by hard-headed copyright protection algorithms, according to the Naked Security blog. Mila Parkour, a researcher who operates the Contagio malware blog, said on Thursday that she was kicked off the cloud-based hosting service Mediafire, after three files she hosted there were flagged for copyright violations and ordered removed under the terms of the Digital Millennium Copyright Act (DMCA). The files included two compressed and encrypted malicious PDF files linked to Contagio blog posts from 2010. The firm responsible for filing the DMCA takedown notice was Paris-based LeakID, which describes itself as a 'digital agency ...founded by experts from the world of radio, television and Internet.' LeakID markets 'Leaksearch,' an 'ownership tool that will alert you within seconds if your content...is being pirated.' According to Parkour, Mediafire received a notice from LeakID claiming that it was 'acting on behalf of the copyright owners,' though the owners and presumed copyrighted content weren't named."
This presentation was given by Joshua Corman at CodenomiCON 2012 in Las Vegas, an invitation-only security mini-conference sponsored by the pen-testing company Codenomicon that ran concurrently with Black Hat USA 2012. Josh is Director, Security Intelligence, for Akamai, and is one of the instigators of Rugged Software. He sympathizes with Anonymous more than with corporate or government forces that are determined to bring order to everything, including the Internet, on their terms. We have no transcript for this video since we only have permission to embed it, not to alter or add to it. But it's well worth watching, including the accompanying slides. And if Joshua Corman is speaking anywhere near you, it's well worth your time to go see him.
supersloshy writes "The launch of the GNOME 3 desktop environment sparked heated debate and criticism. GNOME developers have been listening to the concerns of their users and are rolling out several significant changes in GNOME 3.6. The message tray, often called hard to use, was made much more visible in addition to being harder to accidentally trigger. The "lock" screen can now optionally control your music player, the system volume, and display notifications so you don't have to type in a password. GNOME will also support different input sources directly instead of requiring an add-on program. Nautilus, the GNOME file browser, is also getting a major facelift with a new, more compact UI, properly working search features, a "move to" and "copy to" option as an alternative to dragging and dropping, and a new "recent files" section. These changes, among many others including improvements to system settings, will be present in GNOME 3.6 when it is released later this month. Any other additions or changes not currently implemented by the GNOME team can be easily applied with only one click at the GNOME Extensions website."
Curseyoukhan writes "Norton released its annual cybercrime report on Wednesday, and the company put the 'direct costs associated with global consumer cybercrime at US $110 billion over the past twelve months.' Last year's report put the total 'at an annual price of $388 billion globally based on financial losses and time lost.' That's more than the estimated value of the global black market in marijuana, cocaine and heroin combined ($288 billion), the report said. But Norton makes no mention of the vast difference in 2011 and 2012 numbers. That's because last year's number was entirely fictitious." Something tells me that the scare-monger number-wavers aren't as embarrassed by this sort of logical deconstruction as they should be.
colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"
An anonymous reader writes "The Raspberry Pi finally saw a release on February 29 this year and is thought to have sold 200,000 units, with a million expected to ship before the year is over. That's a lot of tiny PCs, but it's also been an opportunity for owners to feed back any problems or tweaks they'd like made to the board. The Raspberry Pi Foundation has taken the feedback on board and today announced a revised design is being put into production. The new Raspberry Pi, known as the revision 2.0 PCB, is expected to start shipping in the next few weeks. The revision includes a number of changes, but is essentially the same board. To summarize, it includes a new reset circuit, a replacement for the reset fuses allowing for more reliable USB hub power, two GPIO pin changes for JTAG debug support, the removal of four redundant GPIO signals, and a new connector for attaching a range of boards including a clock or audio codec. Two of the more easily noticeable changes include a fix that stops the HDMI connection interfering with certain operations of the Raspberry Pi, and the addition of two 2.5mm mounting holes to allow for easier mounting."
SchrodingerZ writes "Scientists from around the world have collaborated to achieve quantum teleportation over 143 kilometers in free space. Quantum information was sent between the Canary Islands of La Palma and Tenerife. Quantum teleportation is not how it is made out in Star Trek, though. Instead of sending an object (in this case a photon) from one location to another, the information of its quantum state is sent, making a photon on the other end look identical to the original. 'Teleportation across 143 kilometres is a crucial milestone in this research, since that is roughly the minimum distance between the ground and orbiting satellites.' It is the hope of the research team that this experiment will lead to commercial use of quantum teleportation to interact with satellites and ground stations. This will increase the efficiency of satellite communication and help with the expansion of quantum internet usage. The full paper on the experiment can be found [note: abstract only, full article paywalled] in the journal Nature."
A federal investigation has been launched after hackers claimed to have stolen Mitt Romney's tax returns. The hackers have given Romney until September 28th to pay $1 million in bitcoins or they say they will release the returns. From the article: "The claim was made in a post on the Pastebin site on Sunday that alleged that Romney's federal tax returns were taken from the offices of PricewaterhouseCoopers in Franklin, Tenn., on August 25 by someone who snuck into the building and made copies of the document. The message author threatened to release the files publicly on September 28 and said copies of the files had been given to Democratic and Republican leaders in that county. Democrats have made Romney's refusal to release his tax returns a key point in their criticism that he is not in touch with working class voters."
First time accepted submitter lcam writes in with a story about a video that has started a new round of condemnation against the TSA over the testing of drinks. "The video, posted on YouTube on Monday and featured on NBC Nightly News with Brian Williams Tuesday night, has already garnered almost 125,000 hits and nearly 900 comments from angry travelers. It shows two TSA officers swabbing bottles of water, a carton of coconut water and a cup of coffee, among other liquids. 'Now remember that this is inside the terminal, well beyond the security check and purchased inside the terminal ... just people waiting to get on the plane,' YouTube user danno02 says in the video's description. 'My wife and son came back from a coffee shop just around the corner, then we were approached. I asked them what they were doing. One of the TSA ladies said that they were checking for explosive chemicals (as we are drinking them).' The TSA insisted Tuesday that its policy of checking liquids beyond the security gate has been in place for five years now. TSA agents will randomly patrol the gates using a test strip and dropper containing a non-toxic solution, it said."
First time accepted submitter WIn5t0n writes "Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and the FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous's story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI's statement, with an unidentified Apple representative claiming that, 'The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.' It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, 'Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.' Even though neither Anonymous nor the FBI/Apple will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device's UDID, DevToken ID, and device name has been released; however, the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses."
An anonymous reader writes "CNet reports that Google was awarded a patent yesterday for logging into a computing device using face recognition (8,261,090). 'In order for the technology to work, Google's patent requires a camera that can identify a person's face. If that face matches a "predetermined identity," then the person is logged into the respective device. If multiple people want to access a computer, the next person would get in front of the camera, and the device's software would automatically transition to the new user's profile. ... Interestingly, Apple last year filed for a patent related to facial recognition similar to what Google is describing in its own service. That technology would recognize a person's face and use that as the authentication needed to access user profiles or other important information.'"