Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."
If you use Chrome along with Google's Sync, you may have noticed something strange Monday: normally stable Chrome crashing. An article at Wired (excerpt below) explains why: "Late Monday, Google engineer Tim Steele confirmed what developers had been suspecting. The crashes were affecting Chrome users who were using another Google web service known as Sync, and that Sync and other Google services — presumably Gmail too — were clobbered Monday when Google misconfigured its load-balancing servers. ... Steele wrote in a developer discussion forum, a problem with Google's Sync servers kicked off an error on the browser, which made Chrome abruptly shut down on the desktop. 'It's due to a backend service that sync servers depend on becoming overwhelmed, and sync servers responding to that by telling all clients to throttle all data types,' Steele said. That 'throttling' messed up things in the browser, causing it to crash."
The wait is over; diegocg writes "Linux kernel 3.7 has been released. This release adds support for the new ARM 64-bit architecture, ARM multiplatform — the ability to boot into different ARM systems using a single kernel; support for cryptographically signed kernel modules; Btrfs support for disabling copy-on-write on a per-file basis using chattr; faster Btrfs fsync(); a new experimental 'perf trace' tool modeled after strace; support for the TCP Fast Open feature in the server side; experimental SMBv2 protocol support; stable NFS 4.1 and parallel NFS; a vxlan tunneling protocol that allows to transfer Layer 2 ethernet packets over UDP; and support for the Intel SMAP security feature. Many small features and new drivers and fixes are also available. Here's the full list of changes."
An anonymous reader writes "The Register is reporting that the hacking collective GhostShell has announced it has [dumped] around 1.6 million account details purloined from government, military, and industry. The [hacking] group said in a statement: 'we have prepared a juicy release of 1.6 million accounts/records from fields such as aerospace, nanotechnology, banking, law, education, government, military, all kinds of wacky companies & corporations working for the department of defense, airlines and more.'"
ShipLives writes "Researchers have tested Google's app verification service (included in Android 4.2 last month), and found that it performed very poorly at identifying malware in apps. Specifically, the app verification service identified only ~15% of known malware in testing — whereas existing third-party security apps identified between 51% and 100% of known malware in testing."
mask.of.sanity writes "Researchers have developed attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unamed drones. The novel remote attacks can be made against consumer and professional-grade receivers using $2500 worth of custom-built equipment. Researchers from Carnegie Mellon University and Coherent Navigation detailed the attacks in a paper. (pdf)"
angry tapir writes "Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones. However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol."
SternisheFan sends this quote from Ars: "On Friday, a federal grand jury in Dallas indicted Barrett Brown, a former self-proclaimed Anonymous spokesperson, for trafficking 'stolen authentication features,' as well as 'access device fraud' and 'aggravated identity theft.' Brown has been detained since he was arrested in September for allegedly threatening a federal agent. 10 counts of the 12-count indictment concern the aggravated identity theft charge (the indictment references 10 people from whom Brown is alleged to have stolen information), but the most interesting charge is probably the first; a single count saying Brown, 'did knowingly traffic in more than five authentication features knowing that such features were stolen and produced without lawful authority.' But rather than a physical back-alley hand-off, this alleged trafficking happened online when Barrett transferred a hyperlink, 'from the Internet Relay Chat (IRC) channel called "#Anonops" to an IRC channel under Brown's control, called "#ProjectPM."' That hyperlink happened to include over 5,000 credit card numbers, associating Ids, and Card Verification Values (CVVs) from the Stratfor Global Intelligence database."
Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."
coondoggie writes "The U.S. government's overly complicated way of classifying and declassifying information needs to be dumped and reinvented with the help of a huge technology injection if it is to keep from being buried under its own weight. That was one of the main conclusions of a government board tasked with making recommendations on exactly how the government should transform the current security classification system (PDF)."
New submitter thereitis writes "Looking over my home computing setup, I see equipment ranging from 20 years old to several months old. What sorts of old and new equipment have you seen coexisting, and in what type of environment?" I regularly use keyboards from the mid 1980s, sometimes with stacked adapters to go from ATX to PS/2, and PS/2 to USB, and I'm sure that's not too unusual.
Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."
dcblogs writes "Despite the fact that technology plays an increasingly important role in the economy, IT wages remain persistently flat. This may be tech's inconvenient truth. In 2000, the average hourly wage was $37.27 in computer and math occupations for workers with at least a bachelor's degree. In 2011, it was $39.24, adjusted for inflation, according to a new report by the Economic Policy Institute. That translates to an average wage increase of less than a half percent a year. In real terms, IT wages overall have gone up by $1.97 an hour in just over 10 years, according to the EPI. Data from professional staffing firm Yoh shows wages in decline. In its latest measure for week 12 of 2012, the hourly wages were $31.45 and in 2010, for the same week, at $31.78. The worker who earned $31.78 in 2010 would need to make $33.71 today to stay even with inflation. Wages vary by skill and this data is broad. The unemployment rate for tech has been in the 3-4% range, but EPI says full employment has been historically around 2%."
chicksdaddy writes "A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"