Programming

Ask Slashdot: Writing Hardened Web Applications? 333

rhartness writes "I am a long time Software Engineer; however, almost all of my work has been developing server-side, intranet applications or applications for the Windows desktop environment. With that said, I have recently come up with an idea for a new website which would require extremely high levels of security (i.e. I need to be sure that my servers are as 100% rock-solid, unhackable as possible). I am an experienced developer, and I have a general understanding of web security; however, I am clueless as to what is required to create a web server that is as secure as, say, a banking account management system. Can the Slashdot community recommend good websites, books, or any other resources that thoroughly discuss the topic of setting up a small web server or network for hosting a site that is as absolutely secure as possible?"
Botnet

Leaked Online Chats Expose Author of Largest Spam Botnet 78

An anonymous reader writes "New analysis of financial records and online chat logs retrieved from the operators of Spamdot.biz — until recently the most notorious spam affiliate program — provides tantalizing clues about the identity of the man behind Cutwail, currently the largest spam botnet. Brian Krebs tells the story of 'Google,' the screen name used by the now-27-year-old botmaster who was part of a team of programmers in Moscow. Over the years, Cutwail has shifted from a spam cannon for male enhancement pills to a major vector for distributing malicious software."
Cloud

Google Health's Lifeline Runs Out 196

turing0 writes "As a former bioinformatics researcher and CTO I have some sad news to start 2012 with. Though I am sure not a surprise to the Slashdot crowd, it appears we — or our demographic — made up more than 75% of the Google Health userbase. Today marks the end of Google Health. (Also see this post for the official Google announcement and lame excuse for the reasoning behind this myopic decision.) The decision of Google to end this excellent service is a fantastic example of what can represent the downside of cloud services for individuals and enterprises. The cloud is great when and while your desired application is present — assuming it's secure and robust — but you are at the mercy of the provider for longevity."
Security

Lax Security At Russian Rocket Plant 116

theshowmecanuck writes "Reuters reports that there is little or no security at one of the main factories in Russia responsible for military and Soyuz rocket manufacture. Blogger Lana Sator was able to walk right into the empty (off hours) facility through huge gaps in the fences that no-one bothered to repair, and there was no security to stop them aside from some dogs that didn't bother them either. In fact Lana even has one picture of herself posing next to an apparently non-functional security camera, another of her sitting on what looks to be possibly a partially assembled rocket motor (someone who knows better can fill us in), and has about 100 photos of the escapade all told on her blog about this (it's in Russian... which I don't speak... any translators out there?). Russian officials are said to be deeply concerned. I wonder if this has any bearing on why Russian rockets haven't been making it into space successfully, or whether it and the launch failures are all part of some general industrial malaise that is taking place."
Security

SCADA Vulnerabilities In Prisons Could Open Cell Doors 134

Orome1 writes "Many prisons and jails use SCADA systems with PLCs to open and close doors. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, researchers discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to 'open' or 'locked closed' on cell doors and gates."
Microsoft

Same Platform Made Stuxnet, Duqu; Others Lurk 89

wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that the same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising is the simplicity of the exploits, which were still present in Win7." See also the report at Securelist from which the SecurityWeek story draws.
Security

Ask Slashdot: Changing Passwords For the New Year? 339

A new submitter asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
Security

Malicious QR Code Use On the Rise 234

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
Security

Attack Tool Released For WPS Setup Flaw 164

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."
Government

TSA Got Everything It Wanted For Christmas 338

OverTheGeicoE writes "It looks like Congress' recent jabs at TSA were just posturing after all. Last Friday, President Obama signed a spending act passed by both houses of Congress. The act gives TSA a $7.85 billion budget increase for 2012 and includes funding for 12 additional multi-modal Visible Intermodal Prevention and Response (VIPR) teams and 140 new behavior detection officers. It even includes funding for 250 shiny new body scanners, which was originally cut from the funding bill last May."
Intel

Intel Ships New Atom Processors To PC Makers 59

randomErr writes "Intel began shipping the new mobile Atom processors, formerly codenamed 'Cedar Trail', to manufacturers. As with most new chips, they have more features and longer battery life. Intel said today 'Computing systems using new Atom processors will debut in early 2012 through leading original equipment manufacturers (OEMs) such as Acer, Asus, HP, Lenovo, Samsung, and Toshiba.'"
Networking

No IPv6 Doomsday In 2012 233

itwbennett writes "Yes, IPv4 addresses are running out, but a Y2K-style disaster/frenzy won't be coming in 2012. Instead, businesses are likely to spend the coming year preparing to upgrade to IPv6, experts say. Of course there's a chance that panic will ensue when Europe's RIPE hands out its last IPv4 addresses this summer, but 'most [businesses] understand that they can live without having to make any major investments immediately,' said IDC analyst Nav Chander. Plus, it won't be until 2013 that North America will run out of IPv4 addresses and there's no sense getting worked up before then."
Cellphones

Researchers Demo New GSM Attacks at Chaos Communications Congress 17

First time accepted submitter aeturnus writes "A new attack on the GSM mobile communications protocol has been demonstrated by Karsten Nohl and Luca Melette of Security Research Labs, based on their previously published attacks around vulnerabilities in the GSM A5/1 encryption protocol. This new attack, which Nohl indicates is already in use by criminals, allows an attacker to simulate a GSM mobile and use it to make calls and send text messages. Nohl also discussed protective measures users should take against these attacks, and others in use by intelligence communities around the world." This was just one of many presentations at the 28th Chaos Communications Congress.
Microsoft

Microsoft Issuing Unusual Out-of-Band Security Update 156

wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would address security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
Businesses

IT Managers Are Aloof Says Psychologist and Your Co-Workers 378

dcblogs writes "IT managers see themselves as 'reigning supreme' in an organization, and are seen by non-IT workers as difficult to get along with, says organizational psychologist Billie Blair. If IT managers changed their ways, they could have a major impact in an organization. 'So much of their life is hidden under a bushel because they don't discuss things, they don't divulge what they know, and the innovation that comes from that process doesn't happen, therefore, in the organization,' says Blair."
Security

Progressive Era Hacker Griefed Marconi Demonstration 147

nbauman writes "In June 1903, Guglielmo Marconi and his partner Ambrose Fleming were about to give the first demonstration of long-range wireless communication at the Royal Institution in London, which, Marconi said, could be sent in complete confidentiality with no fear of the messages being hijacked. Suddenly, the silence was broken by a huge mysterious wireless pulse strong enough to take over the carbon-arc projector and make it sputter messages in Morse Code. First, it repeated the word 'Rats' over and over again (abusive at that time). Then it tapped out, 'There was a young fellow of Italy, who diddled the public quite prettily.' Further rude epithets followed. It was Nevil Maskelyne, a stage musician and inventor who was annoyed because Marconi's patents prevented him from using wireless. It was the first hacking, to demonstrate an insecure system."
Security

New York Times Hacked? 103

First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.
Privacy

Data Exposed In Stratfor Compromise Analyzed 141

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.
Android

Samsung Reconsidering Android 4.0 On the Galaxy S 192

ghostoftiber writes "The original Galaxy S was the redheaded stepchild of the Samsung device line. ... Samsung announced over Christmas that the original Galaxy S was done, leaving its faithful fans in a position of having another year on their contracts with no upgrade path. Users were predictably incensed, and it looks like Samsung changed their minds. There's also the Samsung Vibrant development forum if you want Ice Cream Sandwich running on your Vibrant right now." The original source is a bit iffy and implies that the release will not be fully featured (probably due to hardware constraints). Business Insider contacted Samsung directly and an official response is expected today.
Television

Justifications For Creating an IT Department? 214

jjoelc writes "This may sound like an odd request, so first some background. I work at a broadcast television station, and I have found it to be very common for IT to be lumped in with the engineering department at many stations. I believe this is mainly because the engineers were the first people in the business to have and use computers in any real capacity, and as the industry moved to file-based workflows it has simply stayed that way. I believe there is a need for IT to be its own department with its own goals, budgets, etc. But I am having a bit of a rough time putting together the official proposal to justify this change, likely because it seems so obviously the way it should be and is done everywhere else. So I am asking for some pointers on the best ways to present this idea to a general manager. What are the business justifications for having a standalone IT department in a small business? How would you go about convincing upper management of those needs? There are approximately 100 employees at the station I am currently at, but we do own another 4 stations in two states (each of these other stations is in the 75-100 employee range). The long term goal would be to have a unified IT department across all 5 stations."