Barence writes "Microsoft claims an "independent" report proves it has the best spam protection in the industry — an argument deconstructed by PC Pro. 'Our own internal metrics, customer feedback, and even a recent third-party report confirms that no mail service offers better protection than Hotmail,' Microsoft's Dick Craddock wrote in a Windows Live blog post earlier this week."
J. Alex Halderman and Nadia Heninger write in with an update to yesterday's story on RSA key security: "Yesterday Slashdot posted that RSA keys are 99.8% secure in the real world. We've been working on this concurrently, and as it turns out, the story is a bit more complicated. Those factorable keys are generated by your router and VPN, not bankofamerica.com. The geeky details are pretty nifty: we downloaded every SSL and SSH keys on the internet in a few days, did some math on 100 million digit numbers, and ended up with 27,000 private keys. (That's 0.4% of SSL keys in current use.) We posted a long blog post summarizing our findings over at Freedom to Tinker."
DMandPenfold writes with a quote from an article in Computer World: NASDAQ and BATS saw their sites disrupted during the day on Monday and Tuesday respectively. The sites host company news and share price data, as well as vital information on live service status on the exchanges. It is understood, however, that while the websites were affected, the stock exchanges continued to trade as normal with no change to trading. A spokesperson at BATS said the exchange's site had been hit with 'an external Distributed Denial Of Service incident.' Our trading systems were not affected and there were no exchange customer disruptions associated with the incident.' ... NASDAQ told the Wall Street Journal that on Tuesday it experienced 'intermittent service disruptions on our corporate websites.' It is not known who initiated the attacks. In 2010, NASDAQ's Directors Desk online scheduling application was compromised by hackers. An FBI investigation found that the stock exchange's aging software and out of date security patches played a key part in the problems."
tsu doh nimh writes "Computers running Microsoft's antivirus and security software may be flagging google.com — the world's most-visited Web site — as malicious, apparently due to a faulty Valentine's Day security update shipped by Microsoft. For several hours on Tuesday, PC users browsing with Internet Explorer on a machine equipped with Microsoft Security Essentials or Forefront saw warnings that Google.com was serving up a 'severe' threat – Exploit:JS/Blacole.BW — basically that google.com was supposedly infected with a Blackhole exploit kit. The warning prompted users to 'delete' the threat, although accepting the default action appeared to cause no ill result. The episode is more embarrassing than harmful, given that Microsoft is expected to ship antivirus technology with the next version of Windows."
An anonymous reader writes "If you grab all the public keys you can find on the net, then you might expect to uncover a few duds — but would you believe that 2 out of every 1000 RSA keys is bad? This is one of the interesting findings in the paper 'Ron was wrong, Whit is right' by Lenstra, Hughes, Augier, Bos, Kleinjung and Wachter. Quoting from the paper's abstract: 'We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for "multiple-secrets" cryptosystems such as RSA is significantly riskier than for "single-secret" ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.'" For a layman's interpretation of the research, the NY Times has an article about the paper. Update: 02/15 01:34 GMT by S : Security researcher Dan Kaminsky has commented on the paper, saying that while the survey work itself is good, it doesn't necessarily support the paper's thesis. He writes, "On the most basic level, risk in cryptography is utterly dominated, not by cipher selection, but by key management. The study found 12,720 public keys. It also found approximately 2.94 million expired certificates. And while the study didn’t discuss the number of certificates that had no reason to be trusted in the first place (being self signed), it did find 5.4M PGP keys. It does not matter the strength of your public key if nobody knows to demand it."
An anonymous reader sends this quote from CBC News: "Hackers based in China enjoyed widespread access to Nortel's computer network for nearly a decade, according to ... Brian Shields, a former Nortel employee who launched an internal investigation of the attacks, the Wall Street Journal reports [from behind a paywall]. ... Over the years, the hackers downloaded business plans, research and development reports, employee emails and other documents. According to the internal report, Nortel 'did nothing from a security standpoint' about the attacks."
An anonymous reader writes "Back in early 95 I registered a domain name and built a website for a hobby of mine. Over time the website (and domain) name have built a small but steady stream of traffic but my interest in the hobby is essentially gone and I've not been a visitor to my own site in well over two years. I'd like to sell the site/domain to a long time member who has expressed interest in taking over and trying to grow the site, however I use the domain for my own personal email including banking, health insurance, etc. How have fellow readers gone about parting ways from a domain that they've used for an email address?" More generally, what terms would you like to include (or have you included) in a domain transfer? Old horror stories could help prevent new horror stories.
New submitter sackbut writes with a story at Wired about the often-discussed concept of "cyberwarfare," and the worst-case scenarios that are sometimes presented as possible outcomes of concerted malicious hacking. According to Wired, which calls these scenarios "the new yellowcake," "[E]vidence to sustain such dire warnings is conspicuously absent. In many respects, rhetoric about cyber catastrophe resembles threat inflation we saw in the run-up to the Iraq War. And while Congress' passing of comprehensive cybersecurity legislation wouldn't lead to war, it could saddle us with an expensive and overreaching cyber-industrial complex." Writes sackbut: "Perhaps good for programmers, but not so good for rights."
First time accepted submitter wrldwzrd89 writes "The Document Foundation, the team behind the free and open-source office suite called LibreOffice, has released their latest and greatest version. As is typical with major releases of LibreOffice, there are significant new features making their debut in this version. The component with the biggest upgrade is Calc, which now has support for up to 10,000 sheets per workbook among its new features. Also noteworthy among the new features is support for importing Microsoft Visio files in Impress and Draw. The full feature list is available in a PDF hosted on Dropbox; LibreOffice itself can be downloaded here."
jfruh writes "The CIA's website has been down intermittently since Friday, apparently the victim of a DDOS attack. One of the more interesting questions of the story is whether elements of Anonymous are behind this — a question that even prominent members of the Anonymous movement can't seem to answer with any certainty. Perhaps this is obvious, but it seems that an anarchic, leaderless grouping can be hard to keep tabs on."
wiredmikey writes with an excerpt from Security Week:"Whistleblower site Cryptome has been hacked and infected by the Blackhole exploit kit. ... Cryptome co-founder John Young however told SecurityWeek that the Cryptome site is in the process of cleaning everything up, and that process should be finished by the end of the day. Founded in 1996, Cryptome publishes thousands of documents, including many related to national security, law enforcement and military. On Feb. 12, a reader advised the site that accessing a file had triggered a warning in their antivirus about the Blackhole exploit kit. ... Subsequent analysis found thousands of files on the site had been infected." Cryptome has certainly seen worse.
Trailrunner7 writes "In the last couple of years, Google and some other Web giants have moved to make many of their services accessible over SSL, and in many cases, made HTTPS connections the default. That's designed to make eavesdropping on those connections more difficult, but as researchers have shown, it certainly doesn't make traffic analysis of those connections impossible. Vincent Berg of IOActive has written a tool that can monitor SSL connections and make some highly educated guesses about the contents of the requests going to Google Maps, specifically looking at what size the PNG files returned by Google Maps are. The tool then attempts to group those images in a specific location, based on the grid and tile system that Google uses to construct its maps."
Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
snydeq writes "What your interface communicates to users can be just as important as what your software does, writes Fatal Exception's Neil McAllister in discussing the latest edition of the 'Microsoft Manual of Style', a style guide aimed at designers and developers who create Microsoft software, as well as those who write about it. 'The gist of much of Microsoft's advice is that a user's relationship with computer software is a unique one, and it's important to craft the language of software UIs accordingly,' McAllister writes. 'Occasionally, Microsoft's recommendations verge on the absurd. For example, you might not think it necessary to admonish developers to "not use slang that may be considered profane or derogatory, such as 'pimp' or 'bitch,'" but apparently it is.'"
New submitter davidstites writes "I am a masters computer science student at University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream! If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name." (Read on below for more details.)