hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."

Lucas123 writes "Next year, smart phones will begin shipping with the ability to have dual identities: one for private use and the other for corporate. Hypervisor developers, such as VMware and Red Bend, are working with system manufacturers to embed their virtualization software in the phones, while IC makers, such as Intel, are developing more powerful and secure mobile device processors. The combination will enable mobile platforms that afford end users their own user interface, secure from IT's prying eyes, while in turn allowing a company to secure its data using mobile device management software. One of the biggest benefits dual-identity phones will offer is enabling admins to wipe corporate data from phones without erasing end users profiles and personal information."

Nerval's Lobster writes "Netflix has released Hystrix, a library designed for managing interactions between distributed systems, complete with 'fallback' options for when those systems inevitably fail. The code for Hystrix—which Netflix tested on its own systems—can be downloaded at Github, with documentation available here, in addition to a getting-started guide and operations examples, among others. Hystrix evolved out of Netflix's need to manage an increasing rate of calls to its APIs, and resulted in (according to the company) a 'dramatic improvement in uptime and resilience has been achieved through its use.' The Netflix API receives more than 1 billion incoming calls per day, which translates into several billion outgoing calls (averaging a ratio of 1:6) to dozens of underlying systems, with peaks of over 100,000 dependency requests per second. That's according to Netflix engineer Ben Christensen, who described the incredible loads on the company's infrastructure in a February blog posting. The vast majority of those calls serve the discovery user interfaces (UIs) of the more than 800 different devices supported by Netflix."

Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focus the hospitality industry also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."

Trailrunner7 writes "It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."

David Hume writes "The Los Angeles Times has a story about the two-year University of Tulsa Cyber Corps Program. About '85% of the 260 graduates since 2003 have gone to the NSA, which students call "the fraternity," or the CIA, which they call "the sorority."' 'Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.' According to the University of Tulsa website, two programs — the National Science Foundation's Federal Cyber Service: Scholarship for Service and the Department of Defense's (DOD's) Information Assurance Scholarship Program — provide scholarships to Cyber Corps students."

An anonymous reader writes "A court in Hamburg, Germany, has granted an injunction against a user of the anonymous and encrypted file-sharing network RetroShare. RetroShare users exchange data through encrypted transfers and the network setup ensures that the true sender of the file is always obfuscated. The court, however, has now ruled that RetroShare users who act as an exit node are liable for the encrypted traffic that's sent by others."

dgharmon writes with this excerpt from rt.com: "A pretrial hearing in the case against accused LulzSec hacker Jeremy Hammond this week ended with the 27-year-old Chicago man being told he could be sentenced to life in prison for compromising the computers of Stratfor. Judge Loretta Preska told Hammond in a Manhattan courtroom on Tuesday that he could be sentenced to serve anywhere from 360 months-to-life if convicted on all charges relating to last year's hack of Strategic Forecasting, or Stratfor, a global intelligence company whose servers were infiltrated by an offshoot of the hacktivist collective Anonymous. Hammond is not likely to take the stand until next year, but so far has been imprisoned for eight months without trial. Legal proceedings in the case might soon be called into question, however, after it's been revealed that Judge Preska's husband was a victim of the Stratfor hack."

An anonymous reader writes "A dead pigeon discovered a few weeks ago in a UK chimney may be able to provide new answers to the secrets of World War II. Unfortunately, British cryptographers at the country's Government Communications Headquarters (GCHQ) have been unable to crack the code encrypting a message the bird was tasked with sending and say they are confident it cannot be decoded 'without access to the original cryptographic material.'"

mask.of.sanity writes "This custom Yamaha TRX 850 has been outfitted with wireless sniffing and attack tools, routers, a laptop, Raspberry Pi and even a heads up display integrated within the bike helmet. It was built from open source kit and cheap hardware by a security penetration tester who wanted to make his love of wardriving more nimble. The plans are detailed in a diagram and a video."

A reader writes with this news from the Indian Express: "Pakistan's interior minister Friday said the government will suspend cell phone services in most parts of the country over the next two days to prevent attacks against Shia Muslims during a key religious commemoration. Militants often detonate bombs using cell phones and this is the first time the government has implemented such a wide-scale suspension. Saturday and Sunday are the most important days of Muharram, the first month of the Islamic calendar, especially important to Shias. Pakistani Shias Sunday observe Ashoura, commemorating the 7th century death of Imam Hussein, the Prophet Muhammad's grandson. Different parts of the Muslim world mark Ashoura on different days —neighbouring Afghanistan, for example, observes it on Saturday. 'The suspension of cell phone services will begin at 6 am Saturday and run through the next day,' Interior Minister Rehman Malik told reporters in Pakistan's capital, Islamabad. He said 90 per cent of the bombs set off by militants in Pakistan have been detonated using cell phones. Some criticized the government for suspending services, saying it was a huge inconvenience."

CowboyRobot writes with the (not unexpected) official U.S. denial of using the Flame malware to spy on France. From the article: "That allegation was leveled at the U.S. government by unnamed French officials, according to a Tuesday report in the weekly French newspaper L'Express. It reported that computers belonging to top advisers to then French president Nicolas Sarkozy had been hacked using the Flame cyberespionage malware, which was designed to be used in highly targeted attacks... Napolitano was also asked if it wasn't ironic that while the United States has been sounding alarms over the growing amount of malware that's targeting U.S. government system, it also commissioning the Stuxnet and Flame cyber-espionage malware used against Iran. Napolitano, however, pled official ignorance. 'These programs were never attributed in any way to the U.S. government.'"

angry tapir writes "A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard — but despite support from some high-profile websites, adoption elsewhere is still low. HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity."

Orome1 writes "Facebook has announced some proposed updates to their Data Use Policy (how user data is collected and used) and their Statement of Rights and Responsibilities (explains the terms governing use of their services). These updates include new tools for managing Facebook Messages, changes to how they refer to certain products, tips on managing one's timelines, and reminders about what's visible to other people on Facebook. Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, said: 'We found that the voting mechanism, which is triggered by a specific number of comments, actually resulted in a system that incentivized the quantity of comments over their quality,' he explained. 'Therefore, we're proposing to end the voting component of the process in favor of a system that leads to more meaningful feedback and engagement.'"

chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."

AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"

coondoggie writes "It may be a gimmick or the ultimate answer, but a California city this week okay-ed a draft ordinance that would let businesses install 7,000-volt electric fences to protect sites from rampant copper thieves. As reported by the Sacramento CBS station, the reaction from one business owner to the ordinance says it all: 'It'll be a little fun to watch one of these guys get electrocuted holding my fence trying to rob me.'"

hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."

An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."