First time accepted submitter Bitsy Boffin writes "Xtra, the largest ISP in New Zealand, which outsources email provision to Yahoo, has in the last two days been subject to a widespread email compromise, causing potentially thousands of accounts to send spam messages to every address in their webmail address books. Discussion at Geekzone centers around this potentially being a continuation of the Yahoo XSS exploit. While Telecom NZ, the owners of Xtra internet service provider indicate that the problem was "resolved", reports of spam from its members continue unabated. Telecom NZ are advising those affected to change their passwords."
Catch up on stories from the past week (and beyond) at the Slashdot story archive
An anonymous reader writes "If you're a hacker or a security researcher, this is a reminder that you don't have to take on Google's or Mozilla's software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is. Although Mega hasn't shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs."
Bomarc writes "Twice now I've been advised to 'flash the BIOS to the latest,' once by a (major) hard drive controller maker (RAID); once by an OEM (who listed the update as 'critical,' and has removed older versions of the BIOS). Both times, the update has bricked an expensive piece of equipment. Both times, the response after the failed flash was 'It's not our problem, it's out of warranty.' Given that they recommended / advised that the unit be upgraded, shouldn't they shoulder the responsibility of BIOS upgrade failure? Also, if their design had sockets rather than soldering on parts, one could R/R the faulty part (BIOS chip), rather than going to eBay and praying. Am I the only one that has experienced this type of problem? Have you been advised to upgrade a BIOS (firmware); and the upgrade bricked the part or system? If so, what did you do? Should I name the companies?"
An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"
First time accepted submitter YurB writes "Matthew Garrett, a Linux kernel developer who was investigating the recent Linux-on-Samsung-in-UEFI-mode problem, has bricked a Samsung laptop using a test userspace program in Windows. The most fascinating part of the story is on what is actually causing the firmware boot failure: 'Unfortunately, it turns out that some Samsung laptops will fail to boot if too much of the [UEFI] variable storage space is used. We don't know what "too much" is yet, but writing a bunch of variables from Windows is enough to trigger it. I put some sample code here — it writes out 36 variables each containing a kilobyte of random data. I ran this as an administrator under Windows and then rebooted the system. It never came back.'"
An anonymous reader writes "We have started seeing an increase in iPhone issues related to battery life and overheating. All of them seem to be related to users upgrading their devices to iOS 6.1. Furthermore, Vodafone UK today began sending out text messages to iPhone 4S owners on its network, warning them not to upgrade to iOS 6.1 due to issues with 3G performance. The text reads, 'If you've not already downloaded iOS 6.1 for your iPhone 4s, please hold off for the next version while Apple fixes 3G performance issues. Thanks.'"
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."
tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."
tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."
New submitter rHBa sends this article about another high-profile email account breach: "The apparent hack of several e-mail accounts has exposed personal photos and sensitive correspondence from members of the Bush family, including both former U.S. presidents. The posted photos and e-mails contain a watermark with the hacker's online alias, 'Guccifer.' ... Included in the hacked material is a confidential October 2012 list of home addresses, cell phone numbers, and e-mails for dozens of Bush family members, including both former presidents, their siblings, and their children. ... Correspondence obtained by the hacker indicates that at least six separate e-mail accounts have been compromised, including the AOL account of Dorothy Bush Koch, daughter of George H.W. Bush and sister of George W. Bush. Other breached accounts belong to Willard Heminway, 79, an old friend of the 41st president who lives in Greenwich, Connecticut; CBS sportscaster Jim Nantz, a longtime Bush family friend; former first lady Barbara Bush’s brother; and George H.W. Bush’s sister-in-law. "
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"
clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."