SternisheFan writes with this news from the Indian Express: "Pakistan's interior minister Friday said the government will suspend cell phone services in most parts of the country over the next two days to prevent attacks against Shia Muslims during a key religious commemoration. Militants often detonate bombs using cell phones and this is the first time the government has implemented such a wide-scale suspension. Saturday and Sunday are the most important days of Muharram, the first month of the Islamic calendar, especially important to Shias. Pakistani Shias Sunday observe Ashoura, commemorating the 7th century death of Imam Hussein, the Prophet Muhammad's grandson. Different parts of the Muslim world mark Ashoura on different days —neighbouring Afghanistan, for example, observes it on Saturday. 'The suspension of cell phone services will begin at 6 am Saturday and run through the next day,' Interior Minister Rehman Malik told reporters in Pakistan's capital, Islamabad. He said 90 per cent of the bombs set off by militants in Pakistan have been detonated using cell phones. Some criticized the government for suspending services, saying it was a huge inconvenience."
CowboyRobot writes with the (not unexpected) official U.S. denial of using the Flame malware to spy on France. From the article: "That allegation was leveled at the U.S. government by unnamed French officials, according to a Tuesday report in the weekly French newspaper L'Express. It reported that computers belonging to top advisers to then French president Nicolas Sarkozy had been hacked using the Flame cyberespionage malware, which was designed to be used in highly targeted attacks... Napolitano was also asked if it wasn't ironic that while the United States has been sounding alarms over the growing amount of malware that's targeting U.S. government system, it also commissioning the Stuxnet and Flame cyber-espionage malware used against Iran. Napolitano, however, pled official ignorance. 'These programs were never attributed in any way to the U.S. government.'"
angry tapir writes "A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard — but despite support from some high-profile websites, adoption elsewhere is still low. HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity."
Orome1 writes "Facebook has announced some proposed updates to their Data Use Policy (how user data is collected and used) and their Statement of Rights and Responsibilities (explains the terms governing use of their services). These updates include new tools for managing Facebook Messages, changes to how they refer to certain products, tips on managing one's timelines, and reminders about what's visible to other people on Facebook. Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, said: 'We found that the voting mechanism, which is triggered by a specific number of comments, actually resulted in a system that incentivized the quantity of comments over their quality,' he explained. 'Therefore, we're proposing to end the voting component of the process in favor of a system that leads to more meaningful feedback and engagement.'"
chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."
AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"
coondoggie writes "It may be a gimmick or the ultimate answer, but a California city this week okay-ed a draft ordinance that would let businesses install 7,000-volt electric fences to protect sites from rampant copper thieves. As reported by the Sacramento CBS station, the reaction from one business owner to the ordinance says it all: 'It'll be a little fun to watch one of these guys get electrocuted holding my fence trying to rob me.'"
hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."
An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."
ananyo writes "Quantum-encryption systems that encode signals into a series of single photons have so far been unable to piggyback on existing telecommunications lines because they don't stand out from the millions of others in an optical fiber. But now, physicists using a technique for detecting dim light signals have transmitted a quantum key along 90 kilometers of noisy optical fiber. The feat could see quantum cryptography finally enter the mainstream. The researchers developed a detector that picks out photons only if they strike it at a precise instant, calculated on the basis of when the encoded photons were sent. The team's 'self-differentiating' detector activates for 100 picoseconds, every nanosecond. The weak charge triggered by a photon strike in this short interval would not normally stand out, but the detector measures the difference between the signal recorded during one operational cycle and the signal from the preceding cycle — when no matching photon was likely to be detected. This cancels out the background hum. Using this device, the team has transmitted a quantum key along a 90-kilometer fiber, which also carried noisy data at 1 billion bits per second in both directions — a rate typical of a telecommunications fiber."
Mephistophocles writes "Ever since the beginning of Operation Pillar of Defense, hackers have been working overtime to strike a blow against the Israeli government's computer systems, Finance Minister Yuval Steinitz said Sunday. No fewer than 44 million attacks have been recorded since the operation began five days ago — with nearly all of them failing, thanks to the recent strengthening of computer defense systems in Israel. Speaking at a special press conference at the Government Computing Center in Jerusalem about the cyber war against Israel that has accompanied Hamas's rocket attacks, Steinitz said that hackers 'are trying to disable the symbols of Israeli sovereignty, to enter web sites and install anti-Israel content, thus compromising information and data and damaging the government's ability to serve the public.' Most of the attacks, he said, were against government sites, like the Prime Minister's Office site, and security-related sites, such as that of the Home Front Command, the body charged with informing Israelis on how to protect themselves in the event of an attack. Out of those 44 million-plus attacks on government and defense related sites, said Steinitz, only one succeeded – partially. One site, which he did not name, was 'wobbly for a few minutes,' but quickly recovered. Even though the government has been successful in warding off hack attacks, Steinitz said that government sites were fully backed up and mirrored, meaning that they could be replaced by a duplicate site instantly if the original site were compromised."
concealment sends this quote from MIT's Technology Review: "AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T's blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn't received much attention so far, but should he be found guilty this week it will likely become well known, fast."
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."