Google

Researchers Find Methods For Bypassing Google's Bouncer Android Security 79

Trailrunner7 writes "Google's Android platform has become the most popular mobile operating system both among consumers and malware writers, and the company earlier this year introduced the Bouncer system to look for malicious apps in the Google Play market. Bouncer, which checks for malicious apps and known malware, is a good first step, but as new work from researchers Jon Oberheide and Charlie Miller shows, it can be bypassed quite easily and in ways that will be difficult for Google to address in the long term. Oberheide and Miller, both well-known for their work on mobile security, went into their research without much detailed knowledge of how the Bouncer system works. Google has said little publicly about its capabilities, preferring not to give attackers any insights into the system's inner workings. So Oberheide and Miller looked at it as a challenge, an exercise to see how much they could deduce about Bouncer from the outside, and, as it turns out, the inside."
Microsoft

Microsoft Certificate Was Used To Sign Flame Malware 194

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order to block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."
Security

Antivirus Firms Out of Their League With Stuxnet, Flame 233

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
Networking

Ask Slashdot: Provisioning Internet For Condo Association? 257

An anonymous reader writes "I am on a committee to evaluate internet options for a medium sized condo association (80 units — 20 stories) in a major metropolitan area (Chicago). What options are out there? What questions should one ask of the various sales representatives? How should access be distributed within the building (wireless APs, ethernet cable)? Does it make sense to provide any additional condo wide infrastructure (servers, services)? How much should it cost? How much dedicated bandwidth is required to support a community of this size?"
E3

Nintendo Reveals Wii U's Miiverse Social Network 183

chrb writes "Nintendo has announced that its new Wii U console will feature a social network called the Miiverse in which users can video chat, see what others are playing, share game content and swap tips." And with a nod to Zawinski's Law, "The redesigned Wii U GamePad features dual sticks, a touch screen that supports finger and stylus interaction, motion and gyroscope sensors, and the ability to act as a TV remote. The Wii U GamePad has its own dedicated Web browser and can share images and video to a TV so that everyone can enjoy the shared content."
AMD

Despite Game-Related Glitches, AMD Discontinues Monthly Driver Updates 213

MojoKid writes "Recently AMD announced that it would cease offering monthly graphics driver updates, and instead issue Catalyst versions only 'when it makes sense.' That statement would be a good deal more comforting if it didn't 'make sense' to upgrade AMD's drivers nearly every single month. From 2010 through 2011, AMD released a new Catalyst driver every month like clockwork. Starting last summer, however, AMD began having trouble with high-profile game releases that performed badly or had visual artifacts. Rage was one high-profile example, but there have been launch-day issues with a number of other titles, including Skyrim, Assassin's Creed, Batman: Arkham City, and Battlefield 3. The company responded to these problems by quickly releasing out-of-band driver updates. In addition, AMD's recent Catalyst 12.6 beta driver also fixes random BSODs on the desktop, poor Crossfire scaling in Skyrim and random hangs in Crysis 2 in DX9. In other words, AMD is still working to resolve important problems in games that launched more than six months ago. It's hard to put a positive spin on slower driver releases given just how often those releases are necessary."
Security

US Warns Users of Child-Porn Blackmail Ransomware 196

coondoggie writes "The nasty Trojan known as Citadel malware, which is based on Zeus, has typically been used to extort money from online banking users, but a new variant is making the rounds that tries to get your money by saying you looked at child porn sites and must pay a violation fee to the U.S. Department of Justice. This variation, called Reveton, lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer, says the U.S. Internet Crime Complaint Center (IC3). Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law."
Security

Geezers Pick Stronger Passwords Than Young'uns 189

McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?
Google

Google Applies For Dot-LOL Domain 125

judgecorp writes "Google has applied for the .lol domain in ICANN's sale of generic top level domains (gTLDs). Google also asked for .google, .docs, and .youtube at a cost of $185,000 each, in the round of applications which has finally closed. A glitch in the application system may have leaked some of the applicants' data to other applicants."
Open Source

Basque Country Gov't Decrees State-Produced Software Should Be Open Sourced 38

New submitter lsatenstein writes with this snippet from The H: "The regional government of Spain's Basque Country has decreed that all software produced for Basque government agencies and public bodies should be open sourced. Joinup, the European Commission's open source web site, cites an article in Spanish newspaper El Pais [English translation], saying that the only exceptions will be software that directly affects state security and a handful of projects which are being conducted in conjunction with commercial software suppliers."
Crime

Venezuela Bans the Commercial Sale of Firearms and Ammunition 828

Bob the Super Hamste writes "The BBC is reporting on a new law in Venezuela that effectively bans the commercial sale of firearms and ammunition to private citizens. Previously anyone with a permit could purchase a firearm from any commercial vendor but now only the police, military, and security firms will be able to purchase firearms or ammunition from only state-owned manufacturers or importers. Hugo Chavez's government states that the goal is to eventually disarm the citizenry. The law, which went into effect today, was passed on February 29th, and up to this point the government has been running an amnesty program allowing citizens to turn in their illegal firearms. Since the law was first passed, 805,000 rounds of ammunition have been recovered from gun dealers. The measure is intended to curb violent crime in Venezuela, where 78% of homicides are linked to firearms."
Security

The Cost of Crappy Security In Software Infrastructure 156

blackbearnh writes "Everyone these days knows that you have to double- and triple-check your code for security vulnerabilities, and make sure your servers are locked down as tight as you can. But why? Because our underlying operating systems, languages, and platforms do such a crappy job of protecting us from ourselves. The inevitable result of clamoring for new features, rather than demanding rock-solid infrastructure, is that the developer community wastes huge amounts of time protecting their applications from exploits that should never be possible in the first place. The next time you hear about a site that gets pwned by a buffer overrun exploit, don't think 'stupid developers!', think 'stupid industry!'"
Internet Explorer

IE10 Will Have 'Do Not Track' On By Default 181

An anonymous reader writes "As Microsoft released the preview of the next version of its Internet Explorer browser, news that in Windows 8 the browser will be sending a 'Do Not Track' signal to Web sites by default must have shaken online advertising giants. 'Consumers can change this default setting if they choose,' Microsoft noted, but added that this decision reflects their commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online. This step will make Internet Explorer 10 the first web browser with DNT on by default. And while the websites are not required to comply with the users' do-not-track request, the DNT initiative — started by the U.S. Federal Trade Commission — is making good progress."
United States

Obama Order Sped Up Wave of Cyberattacks Against Iran 415

diewlasing sends this excerpt from the NY Times: "From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's first sustained use of cyberweapons, according to participants in the program. Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet."
IOS

Apple Releases IOS Security Guide 91

Trailrunner7 writes in with a story about an iOS security guide released by Apple. "Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers. 'Apple doesn't really talk about their security mechanisms in detail. When they introduced ASLR, they didn't tell anybody. They didn't ever explain how codesigning worked,' security researcher Charlie Miller said."
Google

How Hackers Listened Their Way Around Google's Recaptcha 101

An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.
Android

Ask Slashdot: Equipping a Company With Secure Android Phones? 229

An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"
Input Devices

Next Generation Xbox and Playstation Consoles Will Have Optical Drives 206

First time accepted submitter dintech writes "The Wall Street Journal reports that while Sony considered online-only content distribution for its next-generation Playstation, the manufacturer has decided that the new console will include an optical drive after all. Microsoft is also planning to include an optical disk drive in the successor to its Xbox 360 console as the software company had concerns about access to Internet bandwidth."
Security

Industry Groups Bid To Control New Business-Specific TLDs 55

Gunkerty Jeb writes "Two financial industry groups, the American Bankers Association (ABA) and the Financial Services Roundtable, announced on Thursday that they have applied to the Internet Corporation for Assigned Names and Numbers (ICANN) to operate two top level Internet domains, .bank and .insurance, on behalf of the financial services industry. In a published statement, the groups said that they had applied for .bank and .insurance to 'provide the highest security for the millions of customers conducting banking and insurance activities online.' The move comes as the U.S. Congress is set to begin hearings on e-banking fraud on Friday."
Censorship

Backdoor Found In Hacked Version of Anti-Censorship Tool Simurgh 32

wiredmikey writes "Simurgh, a privacy tool used in Iran and Syria to bypass Internet censorship and governmental monitoring, is being circulated with a backdoor. The compromised version has been offered on P2P networks and via web searches. Research conducted by CitizenLab.org has shown that the malicious version isn't available from the original software source, only through third-party access, so it appears that Simurgh has been repackaged. The troubling aspect of the malicious version is that while it does install the proxy as expected, it then adds a keylogging component, and ships the recorded information off to a server hosted in the U.S. and registered to a person in Saudi Arabia. In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software. At present, it is unknown who developed the hijacked version of Simurgh, or why they did so."
