Government

Pay the TSA $100 and Bypass Airport Security 527

An anonymous reader writes "Catching a flight in the U.S. isn't a great experience anymore due to the security checks involved. You have to remove your shoes, your belt, get your laptop out, be scanned and subjected to radiation in the process. Hundreds of other people are doing the same thing, meaning it takes 40 minutes instead of four. Now, the TSA has come up with a clever, money-making alternative. Instead of scaling back security or speeding it up, you can instead pay $100 and bypass it completely!"
Security

Internet Crime Focus of Black Hat Europe 56

kierny writes "'The Internet needs crime,' said renowned cryptographer Whitfield Diffie, kicking off the Black Hat Europe conference in Amsterdam. His analysis — that there can't be good guys without bad guys — helps explain not just the rise of black hat hackers and, more recently, hacktivism, but signals that the information security profession will continue to not just be relevant, but demanded, especially as the number of data-spewing devices increases exponentially."
Privacy

The Average Consumer Thinks Data Privacy Is Worth Around 65 Cents 128

chicksdaddy writes "Threatpost is reporting today on the findings of an ENISA study that looked at whether consumers would pay more for goods in exchange for more privacy. The answer — 'Sure...just not much more.' The report (PDF): 'Study on Monetizing Privacy: An Economic Model for Pricing Personal Information' presents the findings of a laboratory study in which consumers were asked to buy identical goods from two online vendors: one that collected minimal customer information and another that required the customer to surrender more of their personal information to purchase the item, including phone number and a government ID number. The laboratory experiment showed that the majority of consumers value privacy protections. When the prices of the goods offered by both the privacy protecting and the privacy violating online retailers were equal, shoppers much preferred the privacy protecting vendor. But the preference for more privacy wasn't very strong, and didn't come close to equaling consumers' preference for lower prices. In fact, consumers readily switched to a more privacy-invasive provider if that provider charged a lower price for the same goods. How much lower? Not much, researchers discovered. A discount of just €0.50 ($0.65) was enough to sway consumers away from a vendor who would protect the privacy of their personal data."
Security

Iran Blamed For Major Cyberattack On BBC 194

Qedward writes "Iran is privately being blamed for a major cyberattack on the BBC that blocked access to its popular Persian TV service and disrupted the Corporation's IT using a denial-of-service attack. The multi-pronged March 2 attack took down much of the BBC's email, overloaded its telephone switchboard with automatic phone calls, and blocked a satellite feed for the BBC Persian station. BBC servers were also on the receiving end of a DDoS. In an unprecedented tactic, the BBC has trailed a speech to be given this week to the Royal Television Society in which Director General Mark Thompson will mention the attacks in some detail while stopping short of formally naming Iran as the perpetrator."
Government

Study Confirms the Government Produces the Buggiest Software 135

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies. "Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode, plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."
Security

Multiword Passwords Secure Or Not? 372

A user writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and general consensus; of course any password whatsoever is going to be insecure against offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"
Cloud

Microsoft: RDP Vulnerability Should Be Patched Immediately 126

wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
Government

White House CIO Describes His 'Worst Day' Ever 333

dcblogs writes "In the first 40 days of President Barack Obama's administration, the White House email system was down 23% of the time, according to White House CIO Brook Colangelo, the person who also delivered the 'first presidential Blackberry.' The White House IT systems inherited by the new administration were in bad shape. Over 82% of the White House's technology had reached its end of life. Desktops, for instance, still had floppy disk drives, including the one Colangelo delivered to Rahm Emanuel, Obama's then chief of staff and now Mayor of Chicago. There were no redundant email servers."
Businesses

Companies More Likely To Outsource Than Train IT Employees 235

snydeq writes "IT pros feeling the pressure to boost tech skills should expect little support from their current employers, according to a recent report on IT skills. '9 in 10 business managers see gaps in workers' skill sets, yet organizations are more likely to outsource a task or hire someone new than invest in training an existing staff. Perhaps worse, a significant amount of training received by IT doesn't translate to skills they actually use on the job.'"
Businesses

Dell Announces Intent To Acquire SonicWALL 65

New submitter iroc_eater writes with news of an announcement from Dell that it plans to acquire SonicWall, a security services provider. "SonicWall’s technology detects and protects networks from intrusions and malware attacks, and helps protect data. Dell is buying services and software businesses as the PC market faces competition from smartphones and tablets. Last month, the company hired CA Inc. Chief Executive Officer John Swainson to oversee the software push, and today he said security is an important part of that strategy. 'My goal is to make software a meaningful part of Dell’s overall portfolio, so that means that this is not the last thing you’re going to see from us,' Swainson said."
Censorship

DOJ Asks Court To Keep Secret Google / NSA Partnership 157

SonicSpike writes "The Justice Department is defending the government's refusal to discuss — or even acknowledge the existence of — any cooperative research and development agreement between Google and the National Security Agency. The Washington based advocacy group Electronic Privacy Information Center sued in federal district court here to obtain documents about any such agreement between the Internet search giant and the security agency. The NSA responded to the suit with a so-called 'Glomar' response in which the agency said it could neither confirm nor deny whether any responsive records exist. U.S. District Judge Richard Leon in Washington sided with the government last July."
Handhelds

'Honey Stick' Project Tracks Fate of Lost Smartphones 222

wiredmikey writes with a quote from an article at Security Week: "In order to get a look at what happens when a smartphone is lost, Symantec conducted an experiment, called the Honey Stick Project, where 50 fully-charged mobile devices were loaded with fake personal and corporate data and then dropped in publicly accessible spots in five different cities ... Tracking showed that 96 percent of the devices were accessed once found (PDF), and 70 percent of them were accessed for personal and business related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found."
Facebook

Chinese Spies Used Fake Facebook Profile To Friend NATO Officials 117

An anonymous reader writes "Late last year, senior British military officers, Defense Ministry officials, and other government officials were tricked into becoming Facebook friends with someone masquerading as United States Navy admiral James Stavridis. By doing so, they exposed their own personal information (such as private e-mail addresses, phone numbers, pictures, the names of family members, and possibly even the details of their movements), to unknown hackers."
Security

Prof. J. Alex Halderman Tells Us Why Internet-Based Voting Is a Bad Idea (Video) 264

On March 2, 2012, Timothy wrote about University of Michigan Professor J. Alex Halderman and his contention that there is no way to have secure voting over the Internet using current technology. In this video, Alex explains what he meant and tells us about an experiment (that some might call a prank) he and his students did back in 2010, when they (legally) hacked a Washington D.C. online voting pilot project. This is, of course, a "professional driver on closed course; do not attempt" kind of thing. If you mess with voting software without permission, you might suddenly find the FBI coming through your door at 4 a.m., so please don't do it.
Crime

Stratfor Breach Leads To Over $700k In Fraud 68

wiredmikey writes "It isn't often that after a data breach involving credit cards, the public is given information on the exact amount of money lost by consumers as a result. Thanks to the FBI, however, we now have a better understanding of what 60,000 stolen credit cards translates to financially, as this data was included in their investigation notes while working the Stratfor case. The last time the public had something close to actual stats from the source, we learned that the TJX breach cost Visa $68 million in 2007, two years after the TJX network was compromised by Albert Gonzalez. Yet, those were Visa's estimates. Now, in the aftermath of the Stratfor breach, the FBI has attributed $700,000 worth of charge fraud to the 60,000 credit card records taken during the network compromise. AntiSec supporters walked away with 860,160 usernames and passwords, in addition to the credit card records."
Sony

Sony's Plan To Tighten Security and Fight Hacktivism 247

mask.of.sanity writes "Sony Entertainment Network is rebuilding its information security posture to defend against hacktivism. It includes a security operations center that serves as a nerve center collating information on everything from staff phone calls, to CCTV, to PlayStation gamers. If it is successful, the counter intelligence-based system will be deployed across the entire company. 'At Sony, we are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different,' said Chief Security Officer Brett Wahlin."
Security

Accused LulzSec Members Left Trail of Clues Online 221

Trailrunner7 writes "When the long arm of the law reached in to arrest members of Anonymous's senior leadership on Tuesday, speculation immediately turned to the identities of the six men behind the Guy Fawkes mask. With the benefit of hindsight, it turns out that many had been hiding in plain sight, with day jobs, burgeoning online lives and — for those who knew where to look — plenty of clues about their extracurricular activities on behalf of the world's most famous hacking crew. Two of the accused, Darren Martyn (aka 'pwnsauce,' 'raepsauce,' and 'networkkitten') and Donncha O'Cearbhail, formerly known as Donncha Carroll (aka 'Palladium'), sported significant online footprints and made little effort to hide their affinity for hacking. In other areas, however, Martyn (who was reported to be 25, but claimed to be 19) seemed to be on his way to bigger and better things. He was a local chapter leader of the Open Web Application Security Project in Galway, Ireland. He spent some of his free time with a small collective of computer researchers with Insecurety Research, under the name 'infodox.'"
Security

NATO Awards Largest Cyber-Security Contract To Date 45

Sara Chan writes "NATO has awarded its largest cyber-security contract to date, in a move that is expected to prompt member states to augment their own cyber-security capabilities. The contract, for €58 million ($76 million), is to design and implement NATO's Computer Incident Response Capability. NCIRC will enable NATO to monitor computer networks from its headquarters in Brussels and detect and respond to cyber threats and vulnerabilities at about 50 NATO sites in 28 countries. The project is intended to meet the requirements of a declaration by NATO Head of States at the Lisbon Summit, in November 2010, which called for the achievement of NCIRC Full Operational Capability by end of 2012."
Chrome

Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits 148

Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5-minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"
China

Measuring China's Cyberwar Threat 79

An anonymous reader writes with this excerpt from Network World: "A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold — and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army to sow deadly disruptions in the U.S. military logistics supply chain. As told, if there's a conflict between the U.S. and China related to Taiwan, 'Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness,' write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, 'Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,' focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar."