Cellphones

Researchers Demo New GSM Attacks at Chaos Communications Congress 17

First time accepted submitter aeturnus writes "A new attack on the GSM mobile communications protocol has been demonstrated by Karsten Nohl and Luca Melette of Security Research Labs, based on their previously published attacks around vulnerabilities in the GSM A5/1 encryption protocol. This new attack, which Nohl indicates is already in use by criminals, allows an attacker to simulate a GSM mobile and use it to make calls and send text messages. Nohl also discussed protective measures users should take against these attacks, and others in use by intelligence communities around the world." This was just one of many presentations at the 28th Chaos Communications Congress.
Microsoft

Microsoft Issuing Unusual Out-of-Band Security Update 156

wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would address security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
Businesses

IT Managers Are Aloof Says Psychologist and Your Co-Workers 378

dcblogs writes "IT managers see themselves as 'reigning supreme' in an organization, and are seen by non-IT workers as difficult to get along with, says organizational psychologist Billie Blair. If IT managers changed their ways, they could have a major impact in an organization. 'So much of their life is hidden under a bushel because they don't discuss things, they don't divulge what they know, and the innovation that comes from that process doesn't happen, therefore, in the organization,' says Blair."
Security

Progressive Era Hacker Griefed Marconi Demonstration 147

nbauman writes "In June 1903, Guglielmo Marconi and his partner Ambrose Fleming were about to give the first demonstration of long-range wireless communication at the Royal Institution in London, which, Marconi said, could be sent in complete confidentiality with no fear of the messages being hijacked. Suddenly, the silence was broken by a huge mysterious wireless pulse strong enough to take over the carbon-arc projector and make it sputter messages in Morse Code. First, it repeated the word 'Rats' over and over again (abusive at that time). Then it tapped out, 'There was a young fellow of Italy, who diddled the public quite prettily.' Further rude epithets followed. It was Nevil Maskelyne, a stage magician and inventor who was annoyed because Marconi's patents prevented him from using wireless. It was the first hacking to demonstrate an insecure system."
Security

New York Times Hacked? 103

First time accepted submitter porsche911 writes "It looks like the NYTimes has been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question, so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S: Looks like it was just a mistake by an employee.
Privacy

Data Exposed In Stratfor Compromise Analyzed 141

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 individual credit card numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.
Android

Samsung Reconsidering Android 4.0 On the Galaxy S 192

ghostoftiber writes "The original Galaxy S was the redheaded stepchild of the Samsung device line. ... Samsung announced over Christmas that the original Galaxy S was done, leaving its faithful fans in a position of having another year on their contracts with no upgrade path. Users were predictably incensed, and it looks like Samsung changed their minds. There's also the Samsung Vibrant development forum if you want Ice Cream Sandwich running on your Vibrant right now." The original source is a bit iffy and implies that the release will not be fully featured (probably due to hardware constraints). Business Insider contacted Samsung directly and an official response is expected today.
Television

Justifications For Creating an IT Department? 214

jjoelc writes "This may sound like an odd request, so first some background. I work at a broadcast television station, and I have found it to be very common for IT to be lumped in with the engineering department at many stations. I believe this is mainly because the engineers were the first people in the business to have and use computers in any real capacity, and as the industry moved to file-based workflows it has simply stayed that way. I believe there is a need for IT to be its own department with its own goals, budgets, etc. But I am having a bit of a rough time putting together the official proposal to justify this change, likely because it seems so obviously the way it should be and is done everywhere else. So I am asking for some pointers on the best ways to present this idea to a general manager. What are the business justifications for having a standalone IT department in a small business? How would you go about convincing upper management of those needs? There are approximately 100 employees at the station I am currently at, but we do own another 4 stations in two states (each of these other stations is in the 75-100 employee range). The long-term goal would be to have a unified IT department across all 5 stations."
Businesses

Ask Slashdot: Handing Over Personal Work Without Compensation? 848

rsmith84 writes "I'm the Senior Systems administrator for a small trade college. When I was hired on, it was strictly for L3 related tasks such as advanced server administration, Exchange design and implementation, etc. They have no in-house programmers, no help desk software, and no budget to purchase one. I'm a moderate PHP and MySQL programmer on the side and am easily capable of writing something to meet their needs, but do not believe I should be A) asked to or B) required to, as my job description and employment terms are not based upon this skill set. I like a challenge, and since all of my goals outlined since my hire date have been met and exceeded, I have a lot of down time. So I wrote the application. It streamlines several critical processes, allows for a central repository of FAQ, and provides end users with access to multiple systems all in one place. I've kept a detailed time log of my work and feel I should be remunerated for the work before just handing over the code. The entire source was developed on personal equipment off company hours. My question is: what should I do? If they are willing to compensate me, I will gladly hand it over. However, it's been mentioned that, if I do the project, it is all but guaranteed that I will see no compensation. The application would streamline a lot of processes and take a lot of the burden off my team, freeing them up to handle what I deem to be more challenging items on their respective punch lists and a better utilization of their time and respective skills. I'm a firm believer in not getting 'something for nothing,' especially when the skills are above my pay grade."
Networking

New WiFi Setup Flaw Allows Easy Router PIN Guessing 86

Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."
Security

Will Hackers Try To Disrupt the Iowa Caucuses? 162

Hugh Pickens writes "The Iowa Republican Party is boosting the security of the electronic systems it will use to count the first votes of the 2012 presidential campaign after receiving a mysterious threat to its computers in a video urging its supporters to shut down the Iowa caucuses ... 'It's very clear the data consolidation and data gathering from the caucuses, which determines the headlines the next morning, who might withdraw or resign from the process, all of that is fragile,' says Douglas Jones, a computer science professor at the University of Iowa who has consulted for both political parties. The state GOP fears such a delay could disrupt the traditional influence of Iowa's first-in-the-nation vote. 'With the eyes of the media on the state, the last thing we want to do is have a situation where there is trouble with the reporting system,' says Wes Enos, a member of the Iowa GOP's central committee. The GOP is encouraging party activists who run the precinct votes to use paper ballots instead of a show of hands, which has been the practice in some areas, so the ballots can provide a backup in the event of any later confusion about the results. 'There is really only one way — and it needn't be a secret — to help assure that results cannot easily be manipulated by either Anonymous or by GOP officials themselves,' writes Brad Friedman. 'The hand-counted paper ballot system, with decentralized results posted at the "precincts," is the only way to try and protect against manipulation of the results from either insiders or outsiders.'"
Privacy

GnuPG Short ID Collision Has Occurred. 110

kfogel writes "Asheesh Laroia now has two different GPG keys with the same short ID (70096AD1) circulating on keyservers. One of them is an older 1024-bit DSA key, the other is a newer 4096-bit RSA key. Oops. Asheesh argues that GPG's short IDs are too short to be the default anymore — collisions are too easy to create: he did it on purpose and openly, but others could do it on purpose and secretly. More discussion (and a patch by dkg) are in this bug report."
Businesses

Israeli Spyware Sold To Iran 164

Hugh Pickens writes "Bloomberg reports that Israeli trade, customs and defense officials say they didn't know that systems for performing 'deep-packet inspection' into Internet traffic, sold under the brand name NetEnforcer, had gone to a country whose leaders have called for the destruction of the Jewish state. Allot Communications Ltd., an Israel-based firm which reported $57 million in sales last year, sold its systems to a Randers, Denmark-based technology distributor, RanTek A/S, whose workers repackaged the gear and shipped it to Iran. The sales skirted a strict Israeli ban that prohibits 'trading with the enemy,' including any shipments that reach Iran, Syria and Lebanon. Although Allot officials say they had no knowledge of their equipment going to Iran and are looking into RanTek's sales, three former sales employees for Allot say it was well known inside the Israeli company that the equipment was headed for Iran. 'Israel considers Iran quite possibly its greatest threat, and so the Israeli government would come down very strong against any company that exported to Iran,' says Ira Hoffman. 'Iran is also considered by the U.S. as one of its most strategic threats.' Israeli lawmaker Nachman Shai has called for a parliamentary investigation, and the country's Defense Ministry has begun to examine the report."
Security

Researchers Build TCP-Based Spam Detection 81

itwbennett writes "In a presentation at the Usenix LISA conference in Boston, researchers from the Naval Academy showed that signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet. The work 'advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter,' said MIT computer science research affiliate Steve Bauer, who was not involved with the work. 'So this is both a clever bit of research and a genuinely practical contribution to the persistent problem of fighting spam.'"
Security

New Car Anti-Theft Device Profiles Your Rear End 126

Hugh Pickens writes "A car-seat identifier developed at Japan's Advanced Institute of Industrial Technology by Associate Professor Shigeomi Koshimizu can recognize a person by his or her rear end with 98 percent accuracy when the person takes a seat in his car. The bucket seat's lower section is lined with 360 pressure sensors that measure pressure on a scale from 0 to 256, sending information to a laptop, which aggregates the information, generates the key data and produces a precise map of the seated person's rear profile. Researchers say traditional biometric techniques such as iris scanners and fingerprint readers cause stress to people undergoing identity checks, while the simple act of getting seated carries less psychological baggage. Koshimizu wants to see his work available commercially as an anti-theft product in two to three years if automakers agree to collaborate. He sees possibilities of this device being used beyond auto-theft identity protection to a device for security identification in office settings, where users log on to their PCs as they sit down."
Android

Android Approved By Pentagon 160

sfcrazy writes "The Pentagon has approved a version of Android running on Dell hardware to be used by DoD officials, along with the BlackBerry. The approval of Android by the DoD is a major setback for Apple's iPhone. This doesn't mean that DoD employees can use any Android phone. The Pentagon has approved only Dell's hardware running Android 2.2. Interestingly Dell recently discontinued its Streak phone which runs Android 2.2. Dell is now offering Dell Venue which runs on Android 2.2. So, this is the phone which DoD employees can use."
Crime

Anonymous Hacks US Think Tank Stratfor 356

Frankie70 writes "At 11:45 PST on Christmas Eve, hacking collective Anonymous disclosed that not only has it hacked the Stratfor website (since confirmed by Friedman himself), but has also obtained the full client list of over 4000 individuals and corporations, including their credit cards (which supposedly have been used to make $1 million in 'donations'), as well as over 200 GB of email correspondence."
IT

Sorry, IT: These 5 Technologies Belong To Users 348

GMGruman writes "The BYOD (bring your own device) phenomenon hasn't been easy on IT, which has seen its control slip. But for these five technologies — mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps — it has already slipped, and Forrester and others argue IT needs to let go of them. That also means not investing time and money in all the management apps that vendors are happy to sell to IT shops afraid of BYOD — as this post shows, many just won't deliver what IT hopes."
Businesses

Cyber Insurance Industry Expected To Boom 58

An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"
Security

U.S. Congress Authorizes Offensive Use of Cyberwarfare 206

smitty777 writes "Congress has recently authorized the use of offensive military action in cyberspace. From the December 12th conference on the National Defense Authorization Act, it states, 'Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to: (1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.' According to the FAS, 'Debate continues on whether using the War Powers Resolution is effective as a means of assuring congressional participation in decisions that might get the United States involved in a significant military conflict.'"