tsu doh nimh writes "Google and Microsoft today began warning users about active phishing attacks against Google's online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a domain registrar run by TURKTRUST Inc., a Turkish domain registrar. Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the '.google.com' domain. 'TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,' Google said in a blog post today. Microsoft issued an advisory saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST, and that the fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against virtually any domain. The incident harkens back to another similar compromise that happened around the same time-frame. In September 2011, Dutch certificate authority Diginotar learned that a security breach at the firm had resulted in the fraudulent issuing of certificates."
llamafirst writes "As the year flipped to 2013, we learned that Adobe and Apple don't test for 'forward date' bugs. Adobe prevented any copy of FrameMaker 10 from launching and Apple broke Do Not Disturb for the first week of 2013. Surely some more critical and safety systems also have lurking issues. Got tips for catching time/date bugs 'from the mysterious future?' (Also, obligatory link to Falsehoods programmers believe about time.)"
An anonymous reader writes "Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday. For those who didn't see the news on the weekend, criminals started using a new IE security hole to attack Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are."
Trailrunner7 writes with the news as posted at Threatpost (based on this advisory) that "All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18. The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. The vulnerability lies specifically in the Ruby on Rails framework, and its presence doesn't mean that all of the apps developed on vulnerable versions are susceptible to the bug."
Barence writes "When Microsoft last year launched Outlook.com, the company carelessly left the SteveBallmer@Outlook.com address vacant. It was snapped up by the editor of PC Pro, giving an insight into the type of emails the public sends to the Microsoft CEO. Among the messages sent to the account are complaints about the Windows 8 interface, a plea from someone who was 'literally driven crazy' by Windows Server product keys, and someone who wants Windows Phone's calendar to remind him when he's being paid. There's also a more sinister complaint from someone who claims they were the victim of racial discrimination when applying for a job at a Microsoft Store."
Curseyoukhan writes "Infosec vendor IID (Internet Identity) probably hopes that by the time 2014 rolls around no one will remember the prediction it just made. That is the year it says we will see the first murder via internet connected device. The ability to do this has been around for quite some time but the company won't say why it hasn't happened yet. Probably because that would have screwed up their fear marketing. CIO blogger challenges them to a $10K bet over their claim."
crookedvulture writes "Slashdot has previously covered The Tech Report's exposure of frame latency issues with recent AMD graphics processors. Both desktop and notebook Radeons exhibit frame latency spikes that interrupt the smoothness of in-game animation but don't show up in the FPS averages typically used to benchmark performance. AMD has been looking into the problem and may have discovered the culprit. The Graphics Core Next architecture underpinning recent Radeons is quite different from previous designs, and AMD has been rewriting the memory management portion of its driver to properly take advantage. This new code improves frame latencies, according to AMD's David Baumann, and the firm has accelerated the process of rolling it into the official Catalyst drivers available to end users. Radeon owners can take some comfort in the fact that a driver update may soon alleviate the frame latency problems associated with AMD's latest GPUs. However, they might also be disappointed that it's taken AMD this long to optimize its drivers for the now year-old GCN architecture."
jfruh writes "Those Nigerian spam scams of the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world's fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected — and the combination of ambitious, educated people, a ceiling on advancement due to corruption and lack of infrastructure, and lax law enforcement is a perfect petri dish for increased cybercrime."
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
An anonymous reader writes "EFnet member Fionn 'Fudge' Kelleher reported several vulnerabilities in the IRC daemons charybdis, ircd-ratbox, and other derivative IRCds. The vulnerability was subsequently used to bring down large portions of the EFnet IRC network." By crafting a particular message, you can cause the IRC daemon to call strlen(NULL) and game over, core dumped.
CowboyRobot writes "The 802.11ac standard is expected to be ratified in 2013 and NetworkComputing has an interview with representatives of Cisco Systems and Aerohive Networks about what that will mean for everyone else. 'Out of the gate, the increases in performance over 11n will not be tremendously impressive. The second wave--which will require a hardware refresh--gets far more interesting... First-generation 802.11ac products will achieve up to 1.3 Gbps through the use of three spatial streams, 80-MHz-wide channels (double the largest 40 MHz channel width with 802.11n), and use of better hardware components that allow higher levels of modulation and encoding (up to 256-QAM). Whether we will actually see 802.11ac products capable of 6.9 Gbps is dependent on hardware enhancements on both the access point and client that are not certain.'"
tearmeapart writes "The teams at FreeBSD have reached another great achievement with FreeBSD 9.1, with improvements to the already fantastic ZFS features, more VM improvements (helping bring FreeBSD to the next generation of VMs), and improvements in speed to many parts of the network system. Support FreeBSD via the FreeBSD mall or download/upgrade FreeBSD from a mirror. Unfortunately, the torrent server is still down due to the previous security incident." And new submitter northar writes "The other day the NetBSD project released their first update to the 6.x series, 6.0.1. They also (rather discreetly) announced a fund drive targeting 60.000 USD before the end of 2012 in the release notes. They better get going if their donation page is anything like recently updated."
hypnosec writes "The Free Software Foundation is on an offensive against restricted boot systems and is busy appealing for donations and pledges in the form of signatures in a bid to stop systems such as the UEFI SecureBoot from being adopted on a large-scale basis and becoming a norm in the future. The FSF, through an appeal on its website, is requesting users to sign a pledge titled 'Stand up for your freedom to install free software' that they won't be purchasing or recommending for purchase any such system that is SecureBoot enabled or some other form of restricted boot techniques. The FSF has managed to receive, as of this writing, over 41,000 signatures. Organizations like Debian, Edoceo, Zando, Wreathe and many others have also shown their support for the campaign."
An anonymous reader writes "Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are. It's great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for Windows XP users and earlier since they cannot upgrade to more recent versions of Microsoft's browser. 'We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,' Dustin Childs of Microsoft Trustworthy Computing told TNW. 'We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.'"
New submitter FreaKBeaNie writes "Earlier this month, the FTC issued 9 orders to data brokerage companies to learn more about their privacy practices. Data brokers are skilled at connecting quasi-private data with publicly available data, like voter rolls, housing sales, and now gun ownership records. Unlike merchants or business partners, these data brokers may or may not have had any interaction with the 'subjects' of their data collection."