CowboyRobot writes "Security expert Mikko Hypponen talks about his experience at F-Secure, including adventures such as flying to Lahore to interview the creators of 'Brain,' one of the early computer viruses that was spread manually on floppy disks. But while the early virus creators were just trying to have fun and learn, modern malware makers are motivated only by money. 'But there's a misconception that they all necessarily make a lot of money. There's a hierarchy of workers, with some just making a few hundred dollars to $1,000 doing the dirty work of the more experienced online criminals who make the real money.'"
Make a difference in your data center. Sign up for SlashDataCenter Update newsletter now.
Hugh Pickens writes "Currently — as most of us know — TSA agents briefly examine government ID and boarding passes as each passenger presents their documents at a checkpoint at the end of a security line. Thom Patterson writes at CNN that under a 2008 Apple patent application that was approved in July and filed under the working title "iTravel," a traveler's phone would automatically send electronic identification to a TSA agent as soon as the traveler got in line and as each traveler waits in line. TSA agents would examine the electronic ID at an electronic viewing station. Next, at the X-ray stations, a traveler's phone would confirm to security agents that the traveler's ID had already been checked. Apple's patent calls for the placement of special kiosks (PDF) around the airport which will automatically exchange data with your phone via a close range wireless technology called near field communication (NFC). Throughout the process, the phone photo could be displayed on a screen for comparison with the traveler. Facial recognition software could be included in the process. Several experts say a key question that must be answered is: How would you prove that the phone is yours? To get around this problem, future phones or electronic ID may require some form of biometric security function including photo, fingerprint and photo retinal scan comparisons. Of course, there is still a ways to go. If consumers, airlines, airports and the TSA don't embrace the NFC kiosks, experts say it's unlikely Apple's vision would become reality. 'First you would have to sell industry on Apple's idea. Then you'd have to sell it to travel consumers,' says Neil Hughes of Apple Insider. 'It's a chicken-and-egg problem.'"
An anonymous reader writes "Yesterday, XDA Developers forum users kinfaus and pokey9000 were discussing how the latest devices from Amazon (the second-generation 7 Kindle Fire and the 7 Kindle Fire HD) come with more sophisticated protection than their predecessors, including locked bootloaders and 'high security' features offered by their OMAP processors. Today, the devices have been rooted." Using a known bug in busybox dating to April even.
An anonymous reader wrote in with news that the GNOME Shell fork, Cinnamon, released version 1.6 yesterday. The release features persistent (and nameable) workspaces, a window list applet, greatly improved notifications (they're collected in one place), improved task switchers and audio control, workspace flipping while dragging windows, and integration with their fork of Nautilus. See the release announcement for more and lots of screenshots (detailed source changelog). From the looks of it, this release is closer than ever to merging the modern Gtk3/GNOME stack with the missing functionality from previous windowing environments.
McGruber writes "Continuing its standard practice of wasting hundreds of millions of taxpayer dollars, the TSA has awarded an indefinite delivery / indefinite quantity (IDIQ) contract, worth up to $245 Million, to American Science and Engineering Inc. to deliver an unspecified number of 'second generation' Advanced Imaging Technology screening systems for use at U.S. airports. As previously reported, Jonathan Corbett proved that TSA's current nude-o-scopes are incapable of actually detecting hidden objects."
wiredmikey writes with a snippet from Security Week: "Much of the talk about cybercrime remains focused on East Asia. But according to a new report, it is hackers in Eastern Europe that have actually emerged as more sophisticated. In a report entitled 'Peter the Great vs. Sun Tzu' ... compared hackers from the two regions. His conclusion — the Eastern Europeans are far more insidious and strategic. While East Asian groups tend to work for other organizations interested in their skills, hackers from Eastern Europe generally operate in small, independent units, and are focused on profit. Their infrastructure tends to be developed by them specifically for their own use in attacks. 'They [Eastern European groups] tend to want to be in control of their entire infrastructure and will routinely set up their own servers for use in attacks, develop their own DNS servers to route traffic and create sophisticated traffic directional systems used in their attacks,' according to the report. 'If they do go outside, they will carefully select bulletproof hosts to support their infrastructure. It is their hallmark to maintain control of the whole stack similar to the business models pioneered by Apple.'"
colinneagle sends this excerpt from Network World: "Google announced last Friday that, in accordance to its policy of supporting a current browser and the immediate predecessor, its Google Apps productivity suite would drop support for Internet Explorer 8 once Windows 8 ships. Neither IE9 nor IE10 are available on XP. Adobe announced on the Photoshop Blog that the next version of Photoshop CS would support only Windows 7 and 8. The current version, CS6, is available for XP but, amusingly, not for Vista, which was its successor. This is a much-needed boost for Microsoft, which anxiously wants to put XP out to pasture after 11 years. Despite efforts to get rid of the old OS, XP still holds 43% of the market, according to the latest monthly data from Net Applications. Among Steam customers, Windows 7 has 70% market share, covering both 32-bit and 64-bit, while XP has 12%. That confirms what has been known for some time: consumers are adopting Windows 7 at a much faster rate than businesses. I know there is a whole economic argument to be had, and these numbers are not precise or scientific, but if XP really can be found in only 12% of households but 43% of businesses (or something close to that), then it really is time for the enterprise to stop dragging its tail."
Last year Aaron Swartz was indicted on four felony counts for allegedly stealing millions of academic journal articles from JSTOR. Today, Federal prosecutors piled on nine additional felony charges. The charges (PDF) are mostly covered under the 1984 Computer Fraud and Abuse Act, and are likely to test the legislation's limits. According to Wired, "The indictment accuses Swartz of repeatedly spoofing the MAC address — an identifier that is usually static — of his computer after MIT blocked his computer based on that number. The grand jury indictment also notes that Swartz didn't provide a real e-mail address when registering on the network. Swartz also allegedly snuck an Acer laptop bought just for the downloading into a closet at MIT in order to get a persistent connection to the network. Swartz allegedly hid his face from surveillance cameras by holding his bike helmet up to his face and looking through the ventilation holes when going in to swap out an external drive used to store the documents. Swartz also allegedly named his guest account 'Gary Host,' with the nickname 'Ghost.'"
An anonymous reader writes "Ars reports that Microsoft has announced pricing plans for Office 2013 that include a subscription-based model for home users. There will be a $100/year Home version that can be shared by up to 5 users and a $150/year Small Business version. 'Subscription software of one form or another has proven popular in the enterprise (whether it be cloud services, like Office 365, or subscriptions to desktop software, such as Microsoft's Software Assurance scheme). But so far it's a rarity in the consumer space. Anti-virus software has tried to bully and cajole users into getting aboard the subscription train, but the large number of users with out-of-date anti-viral protection suggests users are resisting. ... As another incentive to subscribe, and one that might leave a bad taste in the mouth, the company says that subscribers will be given unspecified "updates" to add new features and capabilities over the life of their subscription. Perpetual licensees will only get bug fixes and security updates.'"
From David Dahl's weblog: "Good news! With a lot of hard work – I want to tip my hat to Ryan Sleevi at Google – the W3C Web Crypto API First Public Working Draft has been published. If you have an interest in cryptography or DOM APIs and especially an interest in crypto-in-the-DOM, please read the draft and forward any commentary to the comments mailing list: email@example.com" This should be helpful in implementing the Cryptocat vision. Features include a secure random number generator, key generation and management primitives, and cipher primitives. The use cases section suggests multi-factor auth, protected document exchange, and secure (from the) cloud storage: "When storing data with remote service providers, users may wish to protect the confidentiality of their documents and data prior to uploading them. The Web Cryptography API allows an application to have a user select a private or secret key, to either derive encryption keys from the selected key or to directly encrypt documents using this key, and then to upload the transformed/encrypted data to the service provider using existing APIs." Update: 09/19 00:01 GMT by U L : daviddahl commented: "I have built a working extension that provides 'window.mozCrypto', which does SHA2 hash, RSA keygen, public key crypto and RSA signature/verification, see: https://addons.mozilla.org/en-US/firefox/addon/domcrypt/ and source: https://github.com/daviddahl/domcrypt I plan on updating the extension once the Draft is more settled (after a first round of commentary & iteration)"
An anonymous reader writes "We are a group of three researches, and in the last few weeks, we have been working on Wi-Fi monitor mode for Android devices, based on Broadcom BCM4329 and BCM4330 chipsets. Currently we have a successful PoC for Nexus One and Samsung Galaxy S 2. We've released all the info in our new blog."
Orome1 writes "Microsoft has issued a security advisory with advice on how to patch a Internet Explorer zero-day vulnerability recently spotted being exploited in the wild by attackers that might be the same ones that are behind the Nitro attacks. News that there is a previously unknown Internet Explorer vulnerability that is actively being misused in the wild by attackers that are believed to be the same ones that are behind the Nitro attacks has reverberated all over the Internet yesterday."
MojoKid writes "Intel's next-generation CPU architecture, codenamed Haswell, puts heavy emphasis on reducing power consumption. Pushing Haswell down to a 10W TDP is an achievement, but hitting these targets requires collaboration. Haswell will offer finer-grained control over areas of logic that were previously either on or off, up to and including specific execution units. These optimizations are impressive, particularly the fact that idle CPU power is approaching tablet levels, but they're only part of the story. Operating system changes matter as well, and Intel has teamed up with Microsoft to ensure that Windows 8 takes advantage of current and future hardware. Haswell's 10W target will allow the chip to squeeze into many of the convertible laptop/tablet form factors on display at IDF, while Bay Trail, the 22nm, out-of-order successor to Clover Trail, arrives in 2013 as well. Not to mention the company's demonstration of the first integrated digital WiFi radio. Folks have been trading blows over whether Intel could compete with ARM's core power consumption. Meanwhile, Santa Clara has been busy designing many other aspects of the full system solution for low power consumption and saving a lot of wattage in the process." It's mildly amusing that Windows 8 is the first version to gain dynamic ticks, something Linux has had working since around 2007.
wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."
mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."