Security

Trion Worlds' Rift Account Database Compromised 88

New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.' Are game companies not concerned with preventing these attacks?"
Transportation

Vanity Fair On the TSA and Security Theater 256

OverTheGeicoE writes "Perhaps it's now officially cool to criticize the TSA. Vanity Fair has a story questioning the true value of TSA security. The story features Bruce Schneier, inventor of the term 'security theater' and contender for the Most Interesting Man in the World title, it would seem. With Schneier's mentoring, the author allegedly doctors a boarding pass to breach security at Reagan National Airport to do an interview with Schneier. 'To walk through an airport with Bruce Schneier is to see how much change a trillion dollars can wreak. So much inconvenience for so little benefit at such a staggering cost.'"
Android

EFF Reverse Engineers Carrier IQ 103

MrSeb writes "At this point we have a fairly good idea of what Carrier IQ is, and which manufacturers and carriers see fit to install it on their phones, but the Electronic Frontier Foundation — the preeminent protector of your digital rights — has taken it one step further and reverse engineered some of the program's code to work out what's actually going on. There are three parts to a Carrier IQ installation on your phone: The program itself, which captures your keystrokes and other 'metrics'; a configuration file, which varies from handset to handset and carrier to carrier; and a database that stores your actions until it can be transmitted to the carrier. It turns out that the config profiles are completely unencrypted, and thus very easy to crack."
Security

The Problem With Windows 8's Picture Password 206

alphadogg writes "The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it's not very good security, according to the inventor of RSA's SecurID token. 'It's cute,' says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. 'I don't think it's serious security.' The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance — making it relatively easy to compromise, he says."
China

Chinese Developer Forum Leaks 6 Million User Credentials 102

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, passwords, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."
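The two storage generations the apology letter describes (plain text before April 2009, something stronger afterwards) are the whole difference between a leak that hands out working credentials and one that hands out work for a password cracker. The example below is added here and is not CSDN's code: it stores new passwords as salted scrypt hashes, verifies legacy plaintext rows with a constant-time compare and upgrades them on the user's next successful login, and reproduces the kind of frequency summary posted to GitHub from a constructed three-line dump (the `user # password # email` record layout, the table name and the `scrypt$salt$digest` encoding are assumptions for this example).

```python
import hashlib
import hmac
import os
from collections import Counter

# scrypt cost parameters (assumed for this example); 128*N*r = 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_hashed(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'scrypt$<salt hex>$<digest hex>' record.

    A fresh 16-byte salt per password means two users who both chose 'dearbook'
    get different records, so a leaked table cannot be attacked with one
    precomputed list against all rows at once."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against either record generation.

    Legacy rows (the pre-2009 scheme) are the bare password; they are compared
    in constant time so a timing side channel does not leak prefix matches."""
    if not stored.startswith("scrypt$"):
        return hmac.compare_digest(stored.encode(), candidate.encode())
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(stored: str, candidate: str):
    """Return (ok, new_record).  On a successful login against a legacy plaintext
    row, new_record is the hashed replacement the application should write back;
    otherwise it is the unchanged record."""
    if not verify(stored, candidate):
        return False, stored
    if stored.startswith("scrypt$"):
        return True, stored
    return True, store_hashed(candidate)


def top_passwords(dump_lines, n: int):
    """Frequency summary of a leaked 'user # password # email' dump, usernames dropped."""
    counts = Counter()
    for line in dump_lines:
        parts = [p.strip() for p in line.split("#")]
        if len(parts) == 3:
            counts[parts[1]] += 1
    return counts.most_common(n)


# Constructed sample dump (not real CSDN data).
SAMPLE_DUMP = [
    "user1 # 123456 # user1@example.invalid",
    "user2 # dearbook # user2@example.invalid",
    "user3 # 123456 # user3@example.invalid",
]

if __name__ == "__main__":
    print(top_passwords(SAMPLE_DUMP, 2))
    ok, rec = login_and_upgrade("dearbook", "dearbook")
    print(ok, rec[:7])  # legacy row upgraded to a scrypt record on login
```

Note that "encrypted" passwords, as the letter puts it, are only as safe as the key that sits next to the database; a slow salted hash has no key to steal.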
Android

Twitter To Open Source Android Security Tech 164

itwbennett writes "Following last month's acquisition of Whisper Systems, Twitter is open sourcing 'some' of the company's Android security products. First up: TextSecure, a text messaging client that encrypts messages. Source code is on GitHub now. 'Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent,' writes IDG News Service's Nancy Gohring."
EU

EU Shipping Sector Cyber Security Awareness "Non-Existent" 55

twoheadedboy writes "The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has 'currently low to non-existent' awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies."
Security

Researcher Claims Siemens Lied About Security Bugs 46

chicksdaddy writes "A month after an unknown gray hat hacker calling himself 'pr0f' used a three character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability."
Image

Book Review: Defense Against the Black Arts 58

brothke writes "If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, is that book. Even if one uses the definition in The New Hackers Dictionary of 'a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area', that really does not describe this book. The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, but rather aether to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools." Read below for the rest of Ben's review.
Microsoft

New Remote Flaw In 64-Bit Windows 7 284

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."
China

US Chamber of Commerce Infiltrated By Chinese Hackers 173

SpzToid writes "The Wall Street Journal is now reporting that a group of hackers in China breached the computer defenses of the United States Chamber of Commerce. The intrusion was quietly shut down in May 2010, while FBI investigations continue. 'A spokesman for the Chinese Embassy in Washington, Geng Shuang, said cyberattacks are prohibited by Chinese law and China itself is a victim of attacks. ... Still, the Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.'" According to the article, the group "gained access to everything stored on its systems" and may have "had access to the network for more than a year before the breach was uncovered."
Android

Gaining a Remote Shell On Android 124

SharkLaser writes "The security of Android devices has come under scrutiny in recent months. Android Market has been plagued with a number of trojaned apps, and researchers have identified various root exploits and permission leaks that can be exploited, for example, to send premium rate SMSs. Now researcher Thomas Cannon of ViaForensics is demonstrating a method for setting up a remote shell on an Android device without using any exploits or vulnerabilities. The security hole is not new, and it has been pointed out for a number of years, but Google has yet to fix it. The method works on various versions of Android, up to and including the newest Ice Cream Sandwich."
Bug

October, November the Worst Months For Writing Buggy Code 136

chicksdaddy writes "Data from application testing firm Veracode suggests that the quality of application code submitted for auditing is pretty much constant throughout the year — except for the months of October and November, when the average density of vulnerabilities in the code jumps considerably. But why? Is it the pressure of deadlines? The stress of developers' lives (kids back to school, etc.)?"
IBM

IBM's Five Predictions For the Next Five Years 219

PolygamousRanchKid writes "In each of the past five years, IBM has come up with a list of five innovations it believes will become popular within five years. In this, the sixth year, IBM has come up with the following technologies it thinks will gain traction: (1) People power will come to life. Advances in technology will allow us to trap the kinetic energy generated (and wasted) from walking, jogging, bicycling, and even from water flowing through pipes. (2) You will never need a password again. Biometrics will finally replace the password and thus redefine the word 'hack.' (3) Mind reading is no longer science fiction. Scientists are working on headsets with sensors that can read brain activity and recognize facial expressions, excitement, and more without needing any physical inputs from the wearer. (4) The digital divide will cease to exist. Mobile phones will make it easy for even the poorest of poor to get connected. (5) Junk mail will become priority mail. 'In five years, unsolicited advertisements may feel so personalized and relevant it may seem that spam is dead.'"
Businesses

Ready For Your Payroll Software Update? 105

SEWilco writes "A federal payroll tax reduction for two months is being pushed by the President. Paying less money to the government seems good, but if the law is changed it will change the payroll taxes in January and February. Many of us can well imagine what that will do to the many payroll systems which are already programmed with the 2012 tax rates."
Security

Tech Forensics Take Center Stage in Manning Pre-Trial 172

smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself." The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
Bug

Software Bug Caused Qantas Airbus A330 To Nose-Dive 603

pdcull writes "According to Stuff.co.nz, the Australian Transport Safety Board found that a software bug was responsible for a Qantas Airbus A330 nose-diving twice while at cruising altitude, injuring 12 people seriously and causing 39 to be taken to the hospital. The event, which happened three years ago, was found to be caused by an airspeed sensor malfunction, linked to a bug in an algorithm which 'translated the sensors' data into actions, where the flight control computer could put the plane into a nosedive using bad data from just one sensor.' A software update was installed in November 2009, and the ATSB concluded that 'as a result of this redesign, passengers, crew and operators can be confident that the same type of accident will not reoccur.' I can't help wondering just how a piece of code, which presumably didn't test its input data for validity before acting on it, could become part of a modern jet's onboard software suite?"
Encryption

Do Slashdotters Encrypt Their Email? 601

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is: 'Do you encrypt your email? If not, why not? And why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."
Encryption

MIT Software Allows Queries On Encrypted Databases 68

Sparrowvsrevolution writes "CryptDB, a piece of database software that MIT researchers presented at the Symposium on Operating System Principles in October, allows users to send queries to an encrypted SQL database and get results without decrypting the stored information. CryptDB works by nesting data in several layers of cryptography (PDF), each of which has a different key and allows a different kind of simple operation on encrypted data. It doesn't work with every kind of calculation, and it's not the first system to offer this sort of computation on encrypted data. But it may be the only practical one. A previous crypto scheme that allowed operations on encrypted data multiplied computing time by a factor of a trillion. This one adds only 15-26%."
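The "layers of cryptography, each with a different key and allowing a different operation" idea is easier to see in code than in prose. Below is an added example, not CryptDB's own code: a two-layer onion in which a randomised (RND) layer sits over a deterministic (DET) layer. While a column is at RND the server can store values but learn nothing from them; when the first equality query arrives, the trusted proxy hands the server only the RND key, as a SQL user-defined function, so the server can peel that one layer in place and then evaluate `WHERE name = ?` against ciphertext. The DET key never leaves the proxy. The ciphers are toy HMAC-SHA256 keystream constructions so the example runs with the standard library alone (CryptDB uses AES, and also has order-preserving and homomorphic layers not shown here); the `users` table, column name and layer-key names are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter), truncated to n bytes.
    Stands in for a real stream/CTR-mode cipher; not for production use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def det_encrypt(key: bytes, pt: bytes) -> bytes:
    """DET layer: the nonce is a PRF of the plaintext (SIV style), so equal
    plaintexts give equal ciphertexts and the server can test equality
    without ever holding the key.  Leaks exactly which rows are equal."""
    nonce = hmac.new(key, b"det-nonce" + pt, hashlib.sha256).digest()[:16]
    return nonce + _xor(pt, _keystream(key, nonce, len(pt)))


def rnd_encrypt(key: bytes, pt: bytes) -> bytes:
    """RND layer: fresh random nonce per encryption; leaks only the length."""
    nonce = os.urandom(16)
    return nonce + _xor(pt, _keystream(key, nonce, len(pt)))


def layer_decrypt(key: bytes, ct: bytes) -> bytes:
    """Both layers decrypt the same way: split off the 16-byte nonce, XOR keystream."""
    nonce, body = ct[:16], ct[16:]
    return _xor(body, _keystream(key, nonce, len(body)))


class Proxy:
    """Trusted proxy holding every key.  The SQLite connection plays the
    untrusted database server, which only ever sees ciphertext and, after
    adjustment, the RND key wrapped in a UDF."""

    def __init__(self):
        self.k_rnd = os.urandom(32)
        self.k_det = os.urandom(32)
        self.level = "RND"  # outermost layer currently present on column `name`
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name BLOB)")

    def insert(self, name: str) -> None:
        onion = rnd_encrypt(self.k_rnd, det_encrypt(self.k_det, name.encode()))
        self.db.execute("INSERT INTO users (name) VALUES (?)", (onion,))

    def _adjust_to_det(self) -> None:
        """Give the server the RND key only, as a UDF, and let it strip that
        layer in place.  This is a one-way step: the column now permanently
        reveals which rows are equal to each other."""
        k_rnd = self.k_rnd
        self.db.create_function("strip_rnd", 1, lambda ct: layer_decrypt(k_rnd, ct))
        self.db.execute("UPDATE users SET name = strip_rnd(name)")
        self.level = "DET"

    def query_equal(self, name: str) -> list:
        if self.level == "RND":
            self._adjust_to_det()
        token = det_encrypt(self.k_det, name.encode())  # computed at the proxy
        rows = self.db.execute("SELECT name FROM users WHERE name = ?", (token,))
        return [layer_decrypt(self.k_det, r[0]).decode() for r in rows]

    def stored_ciphertexts(self) -> list:
        """What an attacker who dumps the server's table would see."""
        return [r[0] for r in self.db.execute("SELECT name FROM users ORDER BY id")]


if __name__ == "__main__":
    p = Proxy()
    for n in ["alice", "bob", "alice"]:
        p.insert(n)
    print(p.level, p.query_equal("alice"), p.level)
```

The security trade-off is visible in `stored_ciphertexts()`: before the first equality query the two "alice" rows are indistinguishable; afterwards they are byte-identical, which is exactly the leakage DET is designed to permit and nothing more. That is also why a CryptDB-style proxy only lowers a column to the weakest layer a query actually needs, and never raises it back up.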
Privacy

Moxie Marlinspike Answers Your Questions 76

A few weeks ago you asked security guru Moxie Marlinspike about all manner of security issues, being searched at the border, and how to come up with a good online name. He's graciously answered a number of your inquiries which you will find below.
