hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."
Lucas123 writes "Next year, smart phones will begin shipping with the ability to have dual identities: one for private use and the other for corporate. Hypervisor developers, such as VMware and Red Bend, are working with system manufacturers to embed their virtualization software in the phones, while IC makers, such as Intel, are developing more powerful and secure mobile device processors. The combination will enable mobile platforms that afford end users their own user interface, secure from IT's prying eyes, while in turn allowing a company to secure its data using mobile device management software. One of the biggest benefits dual-identity phones will offer is enabling admins to wipe corporate data from phones without erasing end users profiles and personal information."
Nerval's Lobster writes "Netflix has released Hystrix, a library designed for managing interactions between distributed systems, complete with 'fallback' options for when those systems inevitably fail. The code for Hystrix—which Netflix tested on its own systems—can be downloaded at GitHub, with documentation available here, in addition to a getting-started guide and operations examples, among others. Hystrix evolved out of Netflix's need to manage an increasing rate of calls to its APIs, and resulted in (according to the company) a 'dramatic improvement in uptime and resilience' through its use. The Netflix API receives more than 1 billion incoming calls per day, which translates into several billion outgoing calls (averaging a ratio of 1:6) to dozens of underlying systems, with peaks of over 100,000 dependency requests per second. That's according to Netflix engineer Ben Christensen, who described the incredible loads on the company's infrastructure in a February blog posting. The vast majority of those calls serve the discovery user interfaces (UIs) of the more than 800 different devices supported by Netflix."
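The "fallback" behaviour the submission describes is the circuit-breaker pattern: a wrapper around each call to a dependency counts failures in a rolling window, stops calling the dependency once the failure rate crosses a threshold (the circuit "opens"), serves a fallback response while it is open, and after a sleep window lets a single trial call through to see whether the dependency has recovered. The Python model below is an added illustration of that pattern and is not Netflix's Hystrix code; the thresholds, the event-list bookkeeping and the injectable clock are assumptions for the example, and Hystrix's thread-pool isolation and per-call timeouts are not modelled.

```python
"""Hystrix-style circuit breaker with fallback (added example, not Hystrix itself)."""
import time
from typing import Any, Callable, List, Tuple


class CircuitOpenError(Exception):
    """Raised into the fallback when a call is short-circuited without being attempted."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half-open"

    def __init__(self, failure_rate: float = 0.5, volume_threshold: int = 5,
                 window: float = 10.0, sleep_window: float = 5.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_rate = failure_rate          # open once failures/total reaches this
        self.volume_threshold = volume_threshold  # ...but only after this many calls in the window
        self.window = window                      # rolling statistics window, seconds
        self.sleep_window = sleep_window          # how long to stay open before a trial call
        self.clock = clock                        # injectable so the behaviour can be tested offline
        self.state = self.CLOSED
        self.opened_at = 0.0
        self._events: List[Tuple[float, bool]] = []  # (timestamp, succeeded)

    def stats(self, now: float) -> Tuple[int, int]:
        """Drop events older than the window; return (total, failed) for the window."""
        self._events = [e for e in self._events if now - e[0] <= self.window]
        failed = sum(1 for _, ok in self._events if not ok)
        return len(self._events), failed

    def _record(self, now: float, ok: bool) -> None:
        self._events.append((now, ok))
        total, failed = self.stats(now)
        if self.state == self.HALF_OPEN:
            # The single trial call decides: success closes the circuit and resets the
            # statistics, failure re-opens it for another sleep window.
            if ok:
                self.state, self._events = self.CLOSED, []
            else:
                self.state, self.opened_at = self.OPEN, now
        elif (self.state == self.CLOSED and total >= self.volume_threshold
              and failed / total >= self.failure_rate):
            self.state, self.opened_at = self.OPEN, now

    def execute(self, run: Callable[..., Any], fallback: Callable[..., Any], *args: Any) -> Any:
        """Run `run(*args)`; on failure or while open, return `fallback(exc, *args)` instead."""
        now = self.clock()
        if self.state == self.OPEN:
            if now - self.opened_at < self.sleep_window:
                # Short-circuit: the dependency is not contacted at all, so a failing
                # downstream cannot tie up this service's threads or sockets.
                return fallback(CircuitOpenError("circuit open"), *args)
            self.state = self.HALF_OPEN  # sleep window elapsed; allow one trial call
        try:
            result = run(*args)
        except Exception as exc:  # any dependency error counts as a failure
            self._record(now, False)
            return fallback(exc, *args)
        self._record(now, True)
        return result


if __name__ == "__main__":
    # Constructed demo: a dependency that is down, then recovers.
    clock = [0.0]
    breaker = CircuitBreaker(volume_threshold=4, clock=lambda: clock[0])

    def down(item):
        raise ConnectionError("dependency unreachable")

    def cached(exc, item):
        return f"cached:{item}"

    for i in range(5):
        print(breaker.execute(down, cached, i), breaker.state)
    clock[0] = 6.0  # past the sleep window: the next call is a trial
    print(breaker.execute(lambda item: f"live:{item}", cached, 7), breaker.state)
```

The fallback receives the exception so it can distinguish a real failure from a short-circuit, which is useful for metrics: a spike in `CircuitOpenError` fallbacks tells an operator that a dependency is being skipped, not merely that it is slow.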
Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focused on the hospitality industry, also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."
Trailrunner7 writes "It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."
ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."
David Hume writes "The Los Angeles Times has a story about the two-year University of Tulsa Cyber Corps Program. About '85% of the 260 graduates since 2003 have gone to the NSA, which students call "the fraternity," or the CIA, which they call "the sorority."' 'Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.' According to the University of Tulsa website, two programs — the National Science Foundation's Federal Cyber Service: Scholarship for Service and the Department of Defense's (DOD's) Information Assurance Scholarship Program — provide scholarships to Cyber Corps students."
An anonymous reader writes "A court in Hamburg, Germany, has granted an injunction against a user of the anonymous and encrypted file-sharing network RetroShare. RetroShare users exchange data through encrypted transfers and the network setup ensures that the true sender of the file is always obfuscated. The court, however, has now ruled that RetroShare users who act as an exit node are liable for the encrypted traffic that's sent by others."
dgharmon writes with this excerpt from rt.com: "A pretrial hearing in the case against accused LulzSec hacker Jeremy Hammond this week ended with the 27-year-old Chicago man being told he could be sentenced to life in prison for compromising the computers of Stratfor. Judge Loretta Preska told Hammond in a Manhattan courtroom on Tuesday that he could be sentenced to serve anywhere from 360 months-to-life if convicted on all charges relating to last year's hack of Strategic Forecasting, or Stratfor, a global intelligence company whose servers were infiltrated by an offshoot of the hacktivist collective Anonymous. Hammond is not likely to take the stand until next year, but so far has been imprisoned for eight months without trial. Legal proceedings in the case might soon be called into question, however, after it's been revealed that Judge Preska's husband was a victim of the Stratfor hack."
An anonymous reader writes "A dead pigeon discovered a few weeks ago in a UK chimney may be able to provide new answers to the secrets of World War II. Unfortunately, British cryptographers at the country's Government Communications Headquarters (GCHQ) have been unable to crack the code encrypting a message the bird was tasked with sending and say they are confident it cannot be decoded 'without access to the original cryptographic material.'"
mask.of.sanity writes "This custom Yamaha TRX 850 has been outfitted with wireless sniffing and attack tools, routers, a laptop, Raspberry Pi and even a heads up display integrated within the bike helmet. It was built from open source kit and cheap hardware by a security penetration tester who wanted to make his love of wardriving more nimble. The plans are detailed in a diagram and a video."
SternisheFan writes with this news from the Indian Express: "Pakistan's interior minister Friday said the government will suspend cell phone services in most parts of the country over the next two days to prevent attacks against Shia Muslims during a key religious commemoration. Militants often detonate bombs using cell phones and this is the first time the government has implemented such a wide-scale suspension. Saturday and Sunday are the most important days of Muharram, the first month of the Islamic calendar, especially important to Shias. Pakistani Shias Sunday observe Ashoura, commemorating the 7th century death of Imam Hussein, the Prophet Muhammad's grandson. Different parts of the Muslim world mark Ashoura on different days — neighbouring Afghanistan, for example, observes it on Saturday. 'The suspension of cell phone services will begin at 6 am Saturday and run through the next day,' Interior Minister Rehman Malik told reporters in Pakistan's capital, Islamabad. He said 90 per cent of the bombs set off by militants in Pakistan have been detonated using cell phones. Some criticized the government for suspending services, saying it was a huge inconvenience."
CowboyRobot writes with the (not unexpected) official U.S. denial of using the Flame malware to spy on France. From the article: "That allegation was leveled at the U.S. government by unnamed French officials, according to a Tuesday report in the weekly French newspaper L'Express. It reported that computers belonging to top advisers to then French president Nicolas Sarkozy had been hacked using the Flame cyberespionage malware, which was designed to be used in highly targeted attacks... Napolitano was also asked if it wasn't ironic that while the United States has been sounding alarms over the growing amount of malware that's targeting U.S. government systems, it is also commissioning the Stuxnet and Flame cyber-espionage malware used against Iran. Napolitano, however, pled official ignorance. 'These programs were never attributed in any way to the U.S. government.'"
angry tapir writes "A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard — but despite support from some high-profile websites, adoption elsewhere is still low. HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity."
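HSTS works by the server sending a `Strict-Transport-Security` response header over HTTPS; a conforming client stores the policy for `max-age` seconds and, until it expires, rewrites any `http://` request for that host (and, with `includeSubDomains`, its subdomains) to `https://` before a plaintext connection is ever attempted, which is what defeats the downgrade attacks the submission mentions. The Python below is an added example modelling that client-side behaviour as described in RFC 6797; it is not code from any browser or from the standard, and the class and function names, the one-year "strong policy" threshold, and the sample header values are assumptions made for the example.

```python
"""Model of HSTS policy parsing and enforcement (RFC 6797); added example."""
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; assumed minimum for a policy to be considered strong


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    expires_at: float  # absolute time after which the stored policy lapses


def parse_hsts(header_value: str, now: Optional[float] = None) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is invalid: no max-age, a non-numeric max-age,
    or a directive repeated (RFC 6797 section 6.1 forbids repeats)."""
    now = time.time() if now is None else now
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives (for example "preload") are ignored, as the RFC requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, now + max_age)


def policy_is_strong(policy: HstsPolicy) -> bool:
    """Assumed audit rule: at least one year, covering subdomains too."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains


class HstsStore:
    """The client's 'known HSTS hosts' cache."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header_value: str, over_https: bool,
               now: Optional[float] = None) -> bool:
        """Process a response header. Only a response received over HTTPS may set or
        clear policy (section 8.1); max-age=0 removes a stored policy."""
        if not over_https:
            return False
        policy = parse_hsts(header_value, now)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = policy
        return True

    def must_use_https(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._hosts.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._hosts[candidate]  # expired entries are evicted lazily
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def upgrade_url(store: HstsStore, url: str, now: Optional[float] = None) -> str:
    """Rewrite an http:// URL to https:// when the store says the host requires it
    (section 8.3); an explicit :80 becomes the https default port."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not store.must_use_https(parts.hostname or "", now):
        return url
    netloc = parts.hostname or ""
    if parts.port not in (None, 80):
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Two details in the model matter for defenders: a policy arriving over plain HTTP is ignored, so an on-path attacker cannot plant or clear one, and the first visit is still unprotected until a policy has been seen, which is the gap the browser preload lists close.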
Orome1 writes "Facebook has announced some proposed updates to their Data Use Policy (how user data is collected and used) and their Statement of Rights and Responsibilities (explains the terms governing use of their services). These updates include new tools for managing Facebook Messages, changes to how they refer to certain products, tips on managing one's timelines, and reminders about what's visible to other people on Facebook. Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, said: 'We found that the voting mechanism, which is triggered by a specific number of comments, actually resulted in a system that incentivized the quantity of comments over their quality,' he explained. 'Therefore, we're proposing to end the voting component of the process in favor of a system that leads to more meaningful feedback and engagement.'"