An anonymous reader writes "Is Google planning on integrating an antivirus scanner into Android? A just-released Google Play store app update, as well as the company's recent acquisition of VirusTotal seem to hint that yes, Google is looking into it. 'Google yesterday started rolling out an update to its Google Play Store app: version 3.8.17 from August was bumped to version 3.9.16 in October. Android Police got its hands on the APK and posted an extensive tear down. The first change noted was the addition of new security-related artwork (exclamation icons and security shields) as well as the following strings: App Check 'Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.''"

gManZboy writes "If you skip Windows 8, you lose the appealing opportunity to synchronize all of your devices on a single platform — or so goes the argument. If you're skeptical, you're not alone. OS monogamy may be in Apple's interest, and Microsoft's, but ask why it's in your interest. Can Microsoft convince the skeptics? 'If the hardware and software are the same at home and at work, one can't be "better" than the other. It would help if Microsoft convinced users like me that their platform is so good, we'd be fools to go anywhere else,' writes Kevin Casey."

SpzToid writes "U.S. Secretary of Defense Leon E. Panetta has warned that the country is 'facing the possibility of a "cyber-Pearl Harbor" and [is] increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government.' Countries such as Iran, China, and Russia are claimed to be motivated to conduct such attacks (though in at least Iran's case, it could be retaliation). Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress. I think the following message from Richard Bejtlich is more wise and current: 'We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.' Times do changes, even in the technology sector. Currently Congress is preoccupied with the failure of U.S. security threats in Benghazi, while maybe Leon isn't getting the press his recent message deserves?"

ancientribe writes "A couple of college interns have discovered that remote administration tools (RATs) often used for cyberspying and targeted cyberattacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers. RATs conduct keylogging, screen and camera capture, file management, code execution, and password-sniffing, and give the attacker a foothold in the infected machine as well as the targeted organization. This new research opens the door for incident responders to detect these attacker tools in their network and fight back."

An anonymous reader writes "Last week, Mozilla announced it will prompt Firefox users on Windows with old versions of Adobe Reader, Adobe Flash, and Microsoft Silverlight to update their plugins, but refused to detail how the system will work. Now, the organization has unveiled 'click-to-play plugin blocks,' which will be on by default in Firefox 17, starting with the three aforementioned plugins. (Expect more to be added eventually.) Furthermore, you can try out the feature for yourself now in Firefox 17 beta for Windows, Mac, and Linux." Also coming in Firefox 17 is support for Mozilla's "Social API." The announcement describes it thus: "Much like the OpenSearch standard, the Social API enables developers to integrate social services into the browser in a way that is meaningful and helpful to users. As services integrate with Firefox via the Social API sidebar, it will be easy for you to keep up with friends and family anywhere you go on the Web without having to open a new Web page or switch between tabs. You can stay connected to your favorite social network even while you are surfing the Web, watching a video or playing a game."

mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."

Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user'; test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."

An anonymous reader writes "The details of a Canadian spying case are coming to light, including the method of copying the sensitive data from the 'secured' computer linking five countries and the Russian handlers: Copy Data into Notepad; Save File to Floppy Drive; USB Key; ???; Profit! For $3000/mo in prepaid credit cards and wire transfers."

another random user writes "A researcher by the name of Suriya Prakash has claimed that the majority of phone numbers on Facebook are not safe. It's not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook's 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort. Facebook has confirmed that it limited Prakash's activity but it's unclear how long it took to do so. Prakash disagrees with when Facebook says his activity was curtailed." Update: 10/11 17:47 GMT by T : Fred Wolens of Facebook says this isn't an exploit at all, writing "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page. Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked." Update: 10/11 20:25 GMT by T : Suriya Prakash writes with one more note: "Yes, it is a feature of FB and not a bug.but FB never managed to block me; the vul was in m.facebook.com. Read my original post. Many other security researchers also confirmed the existence of this bug; FB did not fix it until all the media coverage." Some of the issue is no doubt semantic; if you have a Facebook account that shows your number, though, you can decide how much you care about the degree to which the data is visible or findable.

Shortly after the release of the newest major version of Firefox, an anonymous reader writes with word that "Mozilla has removed Firefox 16 from its installer page due to security vulnerabilities that, if exploited, could allow 'a malicious site to potentially determine which websites users have visited' ... one temporary work-around, until a fix is released, is to downgrade to 15.0.1"

An anonymous reader writes "Last night, Google held its Pwnium 2 competition at Hack in the Box 2012, offering up a total of $2 million for security holes found in Chrome. Only one was discovered; a young hacker who goes by the alias 'Pinkie Pie' netted the highest reward level: a $60,000 cash prize and a free Chromebook (the second time he pulled it off). Google today patched the flaw and announced a new version of Chrome for Windows, Mac, and Linux."

wiredmikey writes "The U.S. Supreme Court said this week it will let stand an immunity law on wiretapping viewed by government as a useful anti-terror tool but criticized by privacy advocates. The top U.S. court declined to review a December 2011 appeals court decision that rejected a lawsuit against AT&T for helping the NSA monitor its customers' phone calls and Internet traffic. Plaintiffs argue that the law allows the executive branch to conduct 'warrantless and suspicionless domestic surveillance' without fear of review by the courts and at the sole discretion of the attorney general. The Obama administration has argued to keep the immunity law in place, saying it would imperil national security to end such cooperation between the intelligence agencies and telecom companies. The Supreme Court is set to hear a separate case later this month in which civil liberties' group are suing NSA officials for authorizing unconstitutional wiretapping."

judgecorp writes "RSA boss Art Covielo trod on the toes of privacy proponents' toes at London's RSA 2012 show, by accusing them of faulty reasoning and over-stating their fears of Big Brother. By trying to limit what legitimate companies can do with our data, privacy groups are tying the hands of people who might protect us, he says. 'Where is it written that cyber criminals can steal our identities but any industry action to protect us invites cries of Big Brother.' Ever-outspoken, he also complained that governments and cyber-crooks are collaborating to breach organisations with sophisticated techniques. In that world, it is just as well vendors are whiter than white, eh?"

concealment sends this excerpt from CNBC: "A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of high-frequency trading activity. The motive of the algorithm is still unclear. The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday."

Hugh Pickens writes "Neal Ungerleider notes that cryptography pioneer and Pretty Good Privacy (PGP) creator Phil Zimmermann has launched a new startup that provides industrial-strength encryption for Android and iOS where users will have access to encrypted phone calls, emails, VoIP videoconferencing, SMS, and MMS. Text and multimedia messages are wiped from a phone's registry after a pre-determined amount of time, and communications within the network are allegedly completely secure. An 'off-shore' company with employees from many countries, Silent Circle's target market includes troops serving abroad, foreign businesspeople in countries known for surveillance of electronic communications, government employees, human rights activists, and foreign activists. For encryption tools, which are frequently used by dissidents living under repressive regimes and others with legitimate reasons to avoid government surveillance, the consequences of failed encryption can be deadly. 'Everyone has a solution [for security] inside your building and inside your network, but the big concern of the large multinational companies coming to us is when the employees are coming home from work, they're on their iPhone, Android, or iPad emailing and texting,' says Zimmermann. 'They're in a hotel in the Middle East. They're not using secure email. They're using Gmail to send PDFs.' Another high-profile encryption tool, Cryptocat, was at the center of controversy earlier this year after charges that Cryptocat had far too many structural flaws for safe use in a repressive environment."

JamieKitson writes "The latest Webconverger 15 release is the first Linux distribution to be automagically updatable from a Github repository. The chroot of the OS is kept natively in git's format and fuse mounted with git-fs. Webconverger fulfills the Web kiosk use case, using Firefox and competes indirectly with Google Chrome OS. Chrome OS also has an autoupdate feature, however not as powerful, unified & transparent as when simply using git."

tsu doh nimh writes "Brian Krebs follows up on a recent Slashdot discussion about a cybercrime gang that is recruiting botmasters to help with concerted heists against U.S. financial institutions. The story looks at the underground's skeptical response to this campaign, which is being led by a criminal hacker named vorVzakone ('thief in law'), who has released a series of videos about himself. vorVzakone also is offering a service called 'insurance from criminal prosecution,' in which miscreants can purchase protection from goons who specialize in bribing or intimidating Russian/Eastern European police into scuttling cybercrime investigations. For $100,000, the service also claims to have people willing to go to jail in place of the insured. Many in the criminal underground view the entire scheme as an elaborate police sting operation."

An anonymous reader writes "I have a cottage at the end of a long dirt road, no electricity nor internet, and recently some (insert expletive here) wads are using the area as a trash dump: countertops, sofas, metal scraps, tvs — all the stuff they don't want to pay to dump at the landfill. I can't block the road because it's a fire access. But I would really like to have a way to catch who is doing this. Are there any a) waterproof, b) self-contained, c) self-powered, and (ideally) d) inexpensive video-recording units out there? Are there any other creative ways to get the guys? I was thinking of something like a device that will cycle, so that the last week of video is recorded. It could take photos or video, and as long as it's small enough that I could camouflage it well, I suspect I'd be able to figure this out soon. And any idea of what my legal rights are to videotape or record?" Hunters have been doing this for years (with film, and now digital) to figure out prey patterns with cameras that are built for concealment; what else would you recommend?

mask.of.sanity writes "New privacy threats have been uncovered by security researchers that could allow every device operating on 3G networks to be tracked. The vulnerabilities could be exploited with cheap commercial off-the-shelf technology to reveal the location of phones and other 3G-capable devices operating on all 3G compliant networks. It was similar, but different, to previous research that demonstrated how attackers could redirect a victim's outgoing traffic to different networks."

CowboyRobot writes "The story begins when GunnAllen, a financial company, outsourced all of its IT to The Revere Group. Before long, it was discovered that 'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.' In addition to the obvious security concerns of sending information such as bank routing information and driver's license numbers, the act violated SEC rules because the routed information was not being logged. Regardless of whether the cause was negligence, incompetence, or sabotage, the matter was swept under the rug for a time until unpaid SQL Server licenses meant threatening calls from Microsoft as well. The rest of the story is one of greed, mismanagement, and neglect, and ends with the SEC's first-ever fine for failure to protect customer data."