diegocg writes "Linux 3.2 has been released. New features include support for Ext4 block size bigger than 4KB and up to 1MB, btrfs has added faster scrubbing, automatic backup of critical metadata and tools for manual inspection; the process scheduler has added support to set upper limits of CPU time; the desktop responsiveness in presence of heavy writes has been improved, TCP has been updated to include an algorithm which speeds up the recovery of connection after lost packets; the profiling tool 'perf top' has added support for live inspection of tasks and libraries. The Device Mapper has added support for 'thin provisioning' of storage, and a support for a new architecture has been added: Hexagon DSP processor from Qualcomm. New drivers and small improvements and fixes are also available in this release. Here's the full list of changes."

LinuxScribe writes "The Linux Foundation has quietly restored all of the websites it took down following the September 2011 breach that affected Linux.com and all other Foundation websites--an attack that was linked to the August 2011 breach of kernel.org. But one website won't be coming back: the Linux Developer Network, launched in 2008. Content from the site will now be hosted across all of the Linux Foundation's web properties."

gManZboy writes "Automatic teller machine maker Diebold has taken a novel approach to protecting bank customer data: virtualization. Virtualized ATMs store all customer data on central servers, rather than the ATM itself, making it difficult for criminals to steal data from the machines. In places including Brazil, customer data has been at risk when thieves pulled or dynamited ATMs out of their settings and drove off with them. With threats increasing worldwide at many retail points of sale, such as supermarket checkout counters and service station gas pumps, Diebold needed to guarantee the security of customer data entered at the 50,000 ATMs that it manages. Diebold last year partnered with VMware to produce a zero-client ATM. No customer data is captured and stored on the ATM itself." Perhaps Diebold should take the same approach to vote-tabulating machines.

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."

Hugh Pickens writes "Kevin Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor where Anonymous defaced Stratfor's Web site, published over 50,000 of its customers' credit card numbers online and have threatened to release a trove of 3.3 million e-mails, putting Stratfor is in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over. Mandia, who has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years and has told Congress that if an advanced attacker targets your company then a breach is inevitable (PDF), calls the first hour he spends with companies 'upchuck hour' as he asks for firewall logs, web logs, and emails to quickly determine the 'fingerprint' of the intrusion and its scope. The first thing a forensics team will do is try to get the hackers off the company's network, which entails simultaneously plugging any security holes, removing any back doors into the company's network that the intruders might have installed, and changing all the company's passwords. 'This is something most people fail at. It's like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.' In the case of Stratfor, hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days, offering a ray of hope — experts say the most dangerous breaches are the quiet ones that leave no trace."

Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."

wiedzmin writes "Japanese Defense Ministry has awarded Fujitsu a contract to develop a vigilante computer virus, which will track down and eliminate other viruses, or rather — their sources of origin. Are 'good' viruses a bad idea? Sophos seems to think so, saying, 'When you're trying to gather digital forensic evidence as to what has broken into your network, and what data it may have stolen, it's probably not wise to let loose a program that starts to trample over your hard drives, making changes.'"

First time accepted submitter jehan60188 writes with this excerpt from an article from Hack a Day: "The 28th Annual Chaos Communication Congress just wrapped things up on December 31st and they've already published recordings of all the talks at the event. These talks were live-streamed, but if you didn't find time in your schedule to see all that you wanted, you'll be happy to find your way to the YouTube collection of the event. The topics span a surprising range. We were surprised to see a panel discussion on depression and suicide among geeks ... which joins another panel called Queer Geeks, to address some social issues rather than just hardcore security tech. But there's plenty of that as well with topics on cryptography, security within web applications, and also a segment on electronic currencies like Bitcoins.'" The CCC wiki has a list of mirrors with downloads in multiple formats (including WebM).

rhartness writes "I am a long time Software Engineer, however, almost all of my work has been developing server-side, intranet applications or applications for the Windows desktop environment. With that said, I have recently come up with an idea for a new website which would require extremely high levels of security (i.e. I need to be sure that my servers are as 100% rock-solid, unhackable as possible.) I am an experienced developer, and I have a general understanding of web security; however, I am clueless of what is requires to create a web server that is as secure as, say, a banking account management system. Can the Slashdot community recommend good websites, books, or any other resources that thoroughly discuss the topic of setting up a small web server or network for hosting a site that is as absolutely secure as possible?"

An anonymous reader writes "New analysis of financial records and online chat logs retrieved from the operators of Spamdot.biz — until recently the most notorious spam affiliate program — provides tantalizing clues about the identity of the man behind Cutwail, currently the largest spam botnet. Brian Krebs tells the story of 'Google,' the screen name used by the now-27-year-old botmaster who was part of a team of programmers in Moscow. Over the years, Cutwail has shifted from a spam cannon for male enhancement pills to a major vector for distributing malicious software."

turing0 writes "As a former bioinformatics researcher and CTO I have some sad news to start 2012 with. Though I am sure not a surprise to the Slashdot crowd, it appears we — or our demographic — made up more than 75% of the Google Health userbase. Today marks the end of Google Health. (Also see this post for the official Google announcement and lame excuse for the reasoning behind this myopic decision.) The decision of Google to end this excellent service is a fantastic example of what can represent the downside of cloud services for individuals and enterprises. The cloud is great when and while your desired application is present — assuming it's secure and robust — but you are at the mercy of the provider for longevity." (Read more, below.)

theshowmecanuck writes "Reuters reports that there is little or no security at one of the main factories in Russia responsible for military and Soyuz rocket manufacture. Blogger Lana Sator was able to walk right into the empty (off hours) facility through huge gaps in the fences that no-one bothered to repair, and there was no security to stop them aside from some dogs that didn't bother them either. In fact Lana even has one picture of herself posing next to an apparently non-functional security camera, another of her sitting on what looks like to be possibly a partially assembled rocket motor (someone who knows better can fill us in), and has about 100 photos of the escapade all told on her blog about this (it's in Russian... which I don't speak... any translators out there?). Russian officials are said to be deeply concerned. I wonder if this has any bearing on why Russian rockets haven't been making it into space successfully, or whether it and the launch failures are all part of some general industrial malaise that is taking place."

Orome1 writes "Many prisons and jails use SCADA systems with PLCs to open and close doors. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, researchers discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to 'open' or 'locked closed' on cell doors and gates."

wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising are the simplicity of the exploits which were still present in Win7." See also the report at Secureist from which the SecurityWeek story draws.

A new submitter asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."

OverTheGeicoE writes "It looks like Congress' recent jabs at TSA were just posturing after all. Last Friday, President Obama signed a spending act passed by both houses of Congress. The act gives TSA a $7.85 billion budget increase for 2012 and includes funding for 12 additional multi-modal Visible Intermodal Prevention and Response (VIPR) teams and 140 new behavior detection officers. It even includes funding for 250 shiny new body scanners, which was originally cut from the funding bill last May."

randomErr writes "Intel began shipping the new mobile Atom, formerly codenamed 'Cedar Trail', processors to manufacturers. As with most new chips it has more features and longer battery life. Intel said today 'Computing systems using new Atom processors will debut in early 2012 through leading original equipment manufacturers (OEMs) such as Acer, Asus, HP, Lenovo, Samsung, and Toshiba.'"

itwbennett writes "Yes, IPv4 addresses are running out, but a Y2K-style disaster/frenzy won't be coming in 2012. Instead, businesses are likely to spend the coming year preparing to upgrade to IPv6, experts say. Of course there's a chance that panic will ensue when Europe's RIPE hands out its last IPv4 addresses this summer, but 'most [businesses] understand that they can live without having to make any major investments immediately,' said IDC analyst Nav Chander. Plus, it won't be until 2013 that North America will run out of IPv4 addresses and there's no sense getting worked up before then."