another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)" concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

Mephistophocles writes "A chilling article by Darkreading's Kelly Jackson Higgins describes how the growing accessibility of hacking tools like RATs (Remote Access Trojans) have made cyber-espionage possible for more than just those financially backed by large nation-states, and speculates on what the implications of this may be: 'Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates. This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.'"

mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

New submitter thn writes "John McAfee, who started the antivirus software giant named after him, has been accused of murder in Belize and is wanted. McAfee had taken to 'posting on a drug-focused Russian message board...about his attempts to purify the psychoactive compounds colloquially known as "bath salts,"' Gizmodo wrote. The scariest aspect of this story may be the fact that an entire lab was constructed for John McAfee's research purposes. Because of his efforts to extract chemicals from natural chemical plans McAfee was able to justify his experiments in a country that is largely unregulated."

Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."

Sparrowvsrevolution writes "Since 2008, Dallas, Texas attorney Erich Spangenberg and his company TQP have been launching suits against hundreds of firms, claiming that merely by using SSL, they've violated a patent TQP acquired in 2006. Nevermind that the patent was actually filed in 1989, long before the World Wide Web was even invented. So far Spangenberg's targets have included Apple, Google, Intel, Dell, Hewlett-Packard, every major bank and credit card company, and scores of web startups and online retailers, practically anyone who encrypts pages of a web sites to protect users' privacy. And while most of those lawsuits are ongoing, many companies have already settled with TQP rather than take the case to trial, including Apple, Amazon, Dell, and Exxon Mobil. The patent has expired now, but Spangenberg can continue to sue users of SSL for six more years and seems determined to do so as much as possible. 'When the government grants you the right to a patent, they grant you the right to exclude others from using it,' says Spangenberg. 'I don't understand why just because [SSL is] prevalent, it should be free.'"

jjp9999 writes "Nextgov reports, 'The Homeland Security Department has commissioned Accenture to test technology that mines open social networks for indications of pandemics, according to the vendor.' This will kick off a year-long biosurveillance program, costing $3 million, that will log trends in public health by looking through public posts. This ties back to White House guidelines released in July that ask federal agencies to 'Consider social media as a force multiplier that can empower individuals and communities to provide early warning and global situational awareness.'"

chicksdaddy writes "We hear a lot about vulnerabilities in industrial control system (ICS) software. But what about real evidence of compromised SCADA and industrial control systems? According to security researcher Michael Toecker, a consultant at the firm Digital Bond, the evidence for infected systems with links to industrial automation and control systems is right under our eyes: buried in public support forums. Toecker audited support sites like bleepingcomputer.com, picking through data dumps from free malware scanning tools like HijackThis and DDS. He found scans of infected systems that were running specialized ICS software like Schweitzer Engineering Labs (SEL) AcSELerator Software and GE Power's EnerVista Software (used to configure GE electric power protection products). The infected end user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure. 'With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,' Toecker wrote."

KermMartian writes "It has been nearly two decades since Texas Instruments released the TI-82 graphing calculator, and as the TI-83, TI-83+, and TI-84+ were created in the intervening years, these 6MHz machines have only become more absurdly retro, complete with 96x64-pixel monochome LCDs and a $120 price tag. However, a student member of a popular graphing calculator hacking site has leaked pictures and details about a new color-screen TI-84+ calculator, verified to be coming soon from Texas Instruments. With the lukewarm reception to TI's Nspire line, it seems to be an attempt to compete with Casio's popular color-screen Prizm calculator. Imagine the graphs (and games!) on this new 320x240 canvas."

MojoKid writes "Nike+ FuelBand is a $149 wristband with LED display that tracks your daily activity, tells you how many calories you've burned, lets you know how much fuel you have left in the tank, and basically keeps track of 'every move you make.' If you think that sounds like a privacy nightmare waiting to happen, it pretty much is. A source directly connected to Nike reported an amusing, albeit startling anecdote about a guy who got caught cheating on his girlfriend because of the Nike+ FuelBand. 'They shared their activity between each other and she noticed he was active at 1-2AM, when he was supposed to be home.' That's just one scenario. What if the wristband gets lost or stolen? How much data is actually stored on these sorts of devices? And remember, you're syncing it to the cloud with an iOS or Android app."

hypnosec writes with news that two security consultants have found vulnerabilities in Call of Duty: Modern Warfare 3 and the CryEngine 3 graphics engine that could harm game makers and players alike. Presenting at the Power of Community (POC2012) security conference, the researchers demonstrated how a denial-of-service attack could affect Modern Warfare 3, and how a server-level attack on CryEngine 3 allowed them to "create a remote shell on a game-player's computer." "'Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server,' Ferrante said. In general, game companies don't seem to be very focused on security but rather on performance of the game itself, Ferrante said. Adding security checks can slow down games, and if the companies don't deem the problem a very critical issue, it will usually be ignored. 'These are games that have a very large market,' Auriemma said."

An anonymous reader writes "A man has initiated a class-action suit against Blizzard over a product used to shore up Battle.net security. Benjamin Bell alleges that Blizzard's sale of Authenticators — devices that enable basic two-tier authentication — represents deceptive and unfair additional costs to their basic games. (Blizzard sells the key fob versions for $6.50, and provides a free mobile app as an alternative. Neither are mandatory.) The complaint accuses Blizzard of making $26 million in Authenticator sales. In response, Blizzard made a statement refuting some of the complaint's claims and voicing their intention to 'vigorously defend' themselves."

Penurious Penguin writes "The Wall Street Journal, in correspondence with Chevron representatives, reveals that back in 2010, Stuxnet reached Chevron, where it managed to infect — but not significantly affect — the oil giant's network. According to a Chevron representative speaking to CNET, the issue was 'immediately addressed ... without incident.' The Stuxnet worm is believed to be the work of the U.S. and Israel, and this report is confirmation that it struck well wide of its intended targets. Chevron's general manager of the earth sciences department, Mark Koelmel, said to CIO Journal, 'I don't think the U.S. government even realized how far it had spread ... I think the downside of what they did is going to be far worse than what they actually accomplished.'"

An anonymous reader writes "Now that Windows 8 is on sale and has already been purchased by millions, expect very close scrutiny of Microsoft's latest and greatest security features. 0-day vulnerabilities are already being claimed, but what about the malware that's already out there? When tested against the top threats, Windows 8 is immune to 85 percent of them, and gets infected by 15 percent, according to tests run by BitDefender."

An anonymous reader writes "I am getting ready to start learning the use of virtual machines. What VM software would you recommend? This is for personal use. It would be good to run both Windows VMs and Linux VMs. Early use would be maintaining multiple Windows installs using only one desktop computer with plenty of cores and memory. I would be starting with a Windows host, but probably later switching to a Linux host after I learn more about it. Free is good, but reliability and ease of use are better. What is your preferred choice for a VM beginner? VMware? Xen? VirtualBox? Something else?" It may also be helpful if you can recommend particular VM software for particular uses, or provide some insight on different hosting options.

cheesecake23 writes "Many talking heads have attributed Obama's success to an unmatched 'ground game.' Now, inside reports from campaign volunteers suggest that Project Orca, a Republican, tech-based voter monitoring effort with 37,000 volunteers in swing states, turned out to be an epic failure due to dismal IT. Problems ranged from state-wide incorrect PINs, to misleading and delayed information packets delivered to volunteers, to a server outage and missing redirection of secure URLs."

Qedward writes "A high court judge has ruled that companies do not have a general claim of ownership of the content contained in staff emails. The decision creates a potential legal minefield for the terms of staff contracts and an administrative nightmare for IT teams running email servers, back up and storage. The judge ruled businesses do not have an 'enforceable proprietary claim' to staff email content unless that content can be considered to be confidential information belonging to a business, unless business copyright applies to the content, or unless the business has a contractual right of ownership over the content. Justice Edwards-Stuart added it was 'quite impractical and unrealistic' to determine that ownership of the content of emails either belongs exclusively to the creator or the recipient of an email."

Esther Schindler writes "The job of dealing with an under-performing employee doesn't end when the culprit is shown the door. Everyone focuses on security tasks, after you fire the idiot, such as changing passwords, but that's just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey, looking for the hidden messes and security flaws the ex-employee may have left behind. Otherwise, you'll still be cleaning up the problems six months later."

littlekorea writes "Australia's telcos have declared that SMS technology should not be used by banks to verify identities for online banking transactions, in a bid to wash their hands of culpability for phone porting hacks. But three of Australia's largest four banks insist they will continue to use SMS messages to carry authentication codes for transactions."

coondoggie writes "NASA said today it had teamed with the European Space Agency to successfully test an experimental version of an 'interplanetary Internet' to control a robot on the ground in Germany from a laptop onboard the International Space Station."