×
Crime

Everything You Know About Password-Stealing Is Wrong 195

Posted by timothy from the but-password-stealing-is-wrong dept.
isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."
Government

Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools 56

Posted by samzenpus from the won't-somebody-please-think-of-the-energy-supply? dept.
coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."
Government

Citizenville: Newsom Argues Against Bureaucracy, Swipes At IT Departments 173

Posted by samzenpus from the read-all-about-it dept.
Nerval's Lobster writes "Gavin Newsom, former mayor of San Francisco and current lieutenant governor of California, argues in his new book Citizenville that citizens need to take the lead in solving society's problems, sidestepping government bureaucracy with a variety of technological tools. It's more efficient for those engineers and concerned citizens to take open government data and use it to build apps that serve a civic function—such as Google Earth, or a map that displays crime statistics—than for government to try and provide these tools itself. But Newsom doesn't limit his attacks on government bureaucracy to politicians; he also reserves some fire for the IT departments, which he views as an outdated relic. 'The traditional IT department, which set up and maintained complex, centralized services—networks, servers, computers, e-mail, printers—may be on its way out,' he writes. 'As we move toward the cloud and technology gets easier to use, we'll have less need for full-time teams of people to maintain our stuff.' Despite his advocacy of the cloud and collaboration, he's also ambivalent about Wikileaks. 'It has made government and diplomacy much more challenging and ultimately less honest,' he writes at one point, 'as people fear that their private communications might become public.' Nonetheless, he thinks WikiLeaks and its ilk are ultimately here to stay: 'It is happening, and it's going to keep happening, and it's going to intensify.' In the end, he feels the benefits of collaboration and openness outweigh the drawbacks." Keep reading for the rest of Nick's review.
Education

Professors Rejecting Classroom Technology 372

Posted by samzenpus from the get-off-my-lawn dept.
CowboyRobot writes "The January edition of Science, Technology & Human Values published an article titled Technological Change and Professional Control in the Professoriate, which details interviews with 42 faculty members at three research-intensive universities. The research concludes that faculty have little interest in the latest IT solutions. 'I went to [a course management software workshop] and came away with the idea that the greatest thing you could do with that is put your syllabus on the Web and that's an awful lot of technology to hand the students a piece of paper at the start of the semester and say keep track of it,' said one. 'What are the gains for students by bringing IT into the class? There isn't any. You could teach all of chemistry with a whiteboard. I really don't think you need IT or anything beyond a pencil and a paper,' said another."
Security

How To Sneak Into the Super Bowl With Social Engineering 164

Posted by timothy from the appropriate-authorities dept.
danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.
Communications

Widespread Compromise Of Yahoo-Backed Email In New Zealand 47

Posted by timothy from the spam-is-best-in-sushi dept.
First time accepted submitter Bitsy Boffin writes "Xtra, the largest ISP in New Zealand, which outsources email provision to Yahoo, has in the last two days been subject to a widespread email compromise, causing potentially thousands of accounts to send spam messages to every address in their webmail address books. Discussion at Geekzone centers around this potentially being a continuation of the Yahoo XSS exploit. While Telecom NZ, the owners of Xtra internet service provider indicate that the problem was "resolved", reports of spam from its members continue unabated. Telecom NZ are advising those affected to change their passwords."
Cloud

Mega Vulnerability Reward Program Starts Payouts: 7 Bugs Fixed In First Week 41

Posted by timothy from the paid-in-bitcoins-of-course dept.
An anonymous reader writes "If you're a hacker or a security researcher, this is a reminder that you don't have to take on Google's or Mozilla's software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is. Although Mega hasn't shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs."
Bug

What To Do When an Advised BIOS Upgrade Is Bad? 467

Posted by timothy from the wishful-thinking dept.
Bomarc writes "Twice now I've been advised to 'flash the BIOS to the latest,' once by a (major) hard drive controller maker (RAID); once by an OEM (who listed the update as 'critical,' and has removed older versions of the BIOS). Both times, the update has bricked an expensive piece of equipment. Both times, the response after the failed flash was 'It's not our problem, it's out of warranty.' Given that they recommended / advised that the unit be upgraded, shouldn't they shoulder the responsibility of BIOS upgrade failure? Also, if their design had sockets rather than soldering on parts, one could R/R the faulty part (BIOS chip), rather than going to eBay and praying. Am I the only one that has experienced this type of problem? Have you been advised to upgrade a BIOS (firmware); and the upgrade bricked the part or system? If so, what did you do? Should I name the companies?"
Bug

Six Months Without Adobe Flash, and I Feel Fine 393

Posted by timothy from the alternatives-emerge-in-a-wait-no dept.
Reader hessian six months ago de-installed the Adobe Flash player on all of his browsers, probably a prudent move in light of various recent vulnerabilities. "This provoked some shock and incredulity from others. After all, Flash has been an essential content interpreter for over a decade. It filled the gap between an underdeveloped JavaScript and the need for media content like animation, video and so on." But it turns out that life sans Flash can still be worth living. Are there things you rely on that make Flash hard to give up?
China

How a Chinese Hacker Tried To Blackmail Me 146

Posted by timothy from the shame-if-anything-was-t'-happen dept.
An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"
Bug

Samsung Laptop Bug Is Not Linux Specific 215

Posted by timothy from the using-french-or-korean-does-it-too dept.
First time accepted submitter YurB writes "Matthew Garrett, a Linux kernel developer who was investigating the recent Linux-on-Samsung-in-UEFI-mode problem, has bricked a Samsung laptop using a test userspace program in Windows. The most fascinating part of the story is on what is actually causing the firmware boot failure: 'Unfortunately, it turns out that some Samsung laptops will fail to boot if too much of the [UEFI] variable storage space is used. We don't know what "too much" is yet, but writing a bunch of variables from Windows is enough to trigger it. I put some sample code here — it writes out 36 variables each containing a kilobyte of random data. I ran this as an administrator under Windows and then rebooted the system. It never came back.'"
Bug

iOS 6.1 Leads To Battery Life Drain, Overheating For iPhone Users 266

Posted by timothy from the that's-a-drag dept.
An anonymous reader writes "We have started seeing an increase in iPhone issues related to battery life and overheating. All of them seem to be related to users upgrading their devices to iOS 6.1. Furthermore, Vodafone UK today began sending out text messages to iPhone 4S owners on its network, warning them not to upgrade to iOS 6.1 due to issues with 3G performance. The text reads, 'If you've not already downloaded iOS 6.1 for your iPhone 4s, please hold off for the next version while Apple fixes 3G performance issues. Thanks.'"
Internet Explorer

IE Patch To Fix 57 Vulnerabilities 91

Posted by timothy from the there's-a-sauce-for-that dept.
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."
Microsoft

Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks 125

Posted by timothy from the ms-bob-is-on-the-case dept.
tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."
Security

Bit9 Hacked, Stolen Certs Used To Sign Malware 65

Posted by Soulskill from the that-seems-like-a-bad-plan dept.
tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."
Communications

E-Mail Hack Exposes Bush Family Pictures, Correspondence 230

Posted by Soulskill from the dubya-the-painter dept.
New submitter rHBa sends this article about another high-profile email account breach: "The apparent hack of several e-mail accounts has exposed personal photos and sensitive correspondence from members of the Bush family, including both former U.S. presidents. The posted photos and e-mails contain a watermark with the hacker's online alias, 'Guccifer.' ... Included in the hacked material is a confidential October 2012 list of home addresses, cell phone numbers, and e-mails for dozens of Bush family members, including both former presidents, their siblings, and their children. ... Correspondence obtained by the hacker indicates that at least six separate e-mail accounts have been compromised, including the AOL account of Dorothy Bush Koch, daughter of George H.W. Bush and sister of George W. Bush. Other breached accounts belong to Willard Heminway, 79, an old friend of the 41st president who lives in Greenwich, Connecticut; CBS sportscaster Jim Nantz, a longtime Bush family friend; former first lady Barbara Bush’s brother; and George H.W. Bush’s sister-in-law. "
Security

New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X 167

Posted by Soulskill from the something-to-be-said-for-consistency dept.
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
Bug

Facebook Breaks Major Websites With Redirection Bug 179

Posted by Soulskill from the now-we're-tripping-on-virtual-power-cords dept.
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
Android

Fragmentation Leads To Android Insecurities 318

Posted by samzenpus from the united-we-stand dept.
Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"
Encryption

Deloitte: Use a Longer Password In 2013. Seriously. 538

Posted by timothy from the you're-gonna-need-a-bigger-post-it dept.
a user writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

Slashdot Top Deals