×
Chrome

Researcher Claims To Have Chrome Zero-Day, Google Says "Prove It" 106

Posted by samzenpus from the secret-security dept.
chicksdaddy writes "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a 'critical vulnerability' in a Chrome DLL. 'It has silent and automatically (sp) download function and it works on all Windows systems,' he told Security Ledger. However, more than a few questions hang over Gobejishvili's talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a 'general discussion' about it, but won't release source code for it. 'I know this is a very dangerous issue that's why I am not publishing more details about this vulnerability,' he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."
Security

Ask Slashdot: Should Hosting Companies Have Change Freezes? 138

Posted by Soulskill from the what-about-change-burns dept.
AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"
Crime

High-Voltage Fences For Zapping Would-Be Copper Thieves 363

Posted by Soulskill from the Cu-on-the-other-side dept.
coondoggie writes "It may be a gimmick or the ultimate answer, but a California city this week okay-ed a draft ordinance that would let businesses install 7,000-volt electric fences to protect sites from rampant copper thieves. As reported by the Sacramento CBS station, the reaction from one business owner to the ordinance says it all: 'It'll be a little fun to watch one of these guys get electrocuted holding my fence trying to rob me.'"
Microsoft

The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed 179

Posted by Soulskill from the threatening-to-become-post-bootloader dept.
hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."
Security

Hosting Provider Automatically Fixes Vulnerabilities In Customers' Websites 73

Posted by Soulskill from the what-could-possibly-go-wrong dept.
An anonymous reader writes "Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers' websites. The service is aimed at popular software such as WordPress, Drupal and Joomla. 'As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.' Antagonist plans to license the technology to other hosting providers as well."
Encryption

Quantum Cryptography Conquers Noise Problem 79

Posted by Soulskill from the to-the-victor-go-the-quantum-spoils dept.
ananyo writes "Quantum-encryption systems that encode signals into a series of single photons have so far been unable to piggyback on existing telecommunications lines because they don't stand out from the millions of others in an optical fiber. But now, physicists using a technique for detecting dim light signals have transmitted a quantum key along 90 kilometers of noisy optical fiber. The feat could see quantum cryptography finally enter the mainstream. The researchers developed a detector that picks out photons only if they strike it at a precise instant, calculated on the basis of when the encoded photons were sent. The team's 'self-differentiating' detector activates for 100 picoseconds, every nanosecond. The weak charge triggered by a photon strike in this short interval would not normally stand out, but the detector measures the difference between the signal recorded during one operational cycle and the signal from the preceding cycle — when no matching photon was likely to be detected. This cancels out the background hum. Using this device, the team has transmitted a quantum key along a 90-kilometer fiber, which also carried noisy data at 1 billion bits per second in both directions — a rate typical of a telecommunications fiber."
Security

Israeli Infrastructure Proves Too Strong For Anonymous 569

Posted by Soulskill from the adobe-flash-up-to-date-on-all-government-sites dept.
Mephistophocles writes "Ever since the beginning of Operation Pillar of Defense, hackers have been working overtime to strike a blow against the Israeli government's computer systems, Finance Minister Yuval Steinitz said Sunday. No fewer than 44 million attacks have been recorded since the operation began five days ago — with nearly all of them failing, thanks to the recent strengthening of computer defense systems in Israel. Speaking at a special press conference at the Government Computing Center in Jerusalem about the cyber war against Israel that has accompanied Hamas's rocket attacks, Steinitz said that hackers 'are trying to disable the symbols of Israeli sovereignty, to enter web sites and install anti-Israel content, thus compromising information and data and damaging the government's ability to serve the public.' Most of the attacks, he said, were against government sites, like the Prime Minister's Office site, and security-related sites, such as that of the Home Front Command, the body charged with informing Israelis on how to protect themselves in the event of an attack. Out of those 44 million-plus attacks on government and defense related sites, said Steinitz, only one succeeded – partially. One site, which he did not name, was 'wobbly for a few minutes,' but quickly recovered. Even though the government has been successful in warding off hack attacks, Steinitz said that government sites were fully backed up and mirrored, meaning that they could be replaced by a duplicate site instantly if the original site were compromised."
Government

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails 124

Posted by Soulskill from the doing-it-wrong dept.
concealment sends this quote from MIT's Technology Review: "AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T's blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn't received much attention so far, but should he be found guilty this week it will likely become well known, fast."
Security

New Linux Rootkit Emerges 172

Posted by timothy from the horses-getting-nervous dept.
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
Facebook

Facebook Switching To HTTPS By Default 92

Posted by Unknown Lamer from the single-party-spying dept.
Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."
Businesses

Unresolved Issues Swirl Around Securing Mobile Payments 44

Posted by samzenpus from the at-your-own-risk dept.
CowboyRobot writes "While many mobile payments startups are using both traditional and nontraditional authentication methods, regulatory uncertainty still exists around liability for fraud attacks on customers using mobile payments. Although there haven't been any public attacks from fraudsters on alternative mobile payments providers such as Square, LevelUp or Dwolla, anecdotal stories are already circulating among security experts and regulators of such attacks. One thing that still has to be worked out in this area is regulatory oversight. 'The regulators are not yet clear who owns the regulatory oversight for these environments. These technologies tend to fall through the cracks even in terms of card-present or card-not-present.'"
Security

Two FreeBSD Project Servers Hacked 46

Posted by samzenpus from the protect-ya-neck dept.
hypnosec writes "The FreeBSD project has suffered a security breach. Hackers have successfully compromised servers that were part of the infrastructure used to build third-party software packages. The Security team over at the FreeBSD project is of the opinion that hackers were able to gain access to the servers using legitimate SSH keys and not by exploiting any operating system vulnerabilities. Instances of intrusion were first detected on November 11. FreeBSD project, through a message on public announcements mailing list said that the security breach hasn't affected the project's core components like kernel or system libraries but, has affected third-party software packages being distributed by the project."
Crime

John McAfee Launches Blog, Offers $25K Reward For "Real Killers" 377

Posted by samzenpus from the on-the-run dept.
An anonymous reader writes "The IT security pioneer John McAfee has launched a blog to document his life on the lam, as Belize police chase him down for suspicion of killing a neighbor. McAfee is using the blog to state his case, raise suspicions about Belize authorities and to offer a $25K reward to find the real killer or killers. From the article: 'McAfee writes that he is on run with a 20-year-old female named Sam, photos of whom are in the blog, along with a post from her. McAfee says a handful of friends and associates have been rounded up by police over the past week or so. His posts are filled with dramatic descriptions of his actions (including returning to his home in disguise to find police digging up his dead dogs and cutting off their heads) and lay bare his suspicions about Belize authorities. '"
Censorship

You Can't Say That On the Internet 432

Posted by samzenpus from the watch-what-you-say dept.
hessian writes in with a story about the arbitrary and often outdated online decency standards being imposed by companies."A bastion of openness and counterculture, Silicon Valley imagines itself as the un-Chick-fil-A. But its hyper-tolerant facade often masks deeply conservative, outdated norms that digital culture discreetly imposes on billions of technology users worldwide. What is the vehicle for this new prudishness? Dour, one-dimensional algorithms, the mathematical constructs that automatically determine the limits of what is culturally acceptable. Consider just a few recent kerfuffles. In early September, The New Yorker found its Facebook page blocked for violating the site’s nudity and sex standards. Its offense: a cartoon of Adam and Eve in the Garden of Eden. Eve’s bared nipples failed Facebook’s decency test."
Microsoft

Windows Phone 8 Users Hit Some Snags 391

Posted by timothy from the my-android-phone-freezes-way-too-often dept.
symbolset writes "As reported on The Verge, many people are experiencing freezing, rebooting and battery problems on their new Windows Phone 8 devices. This WP8Central thread shows many of the issues. Affected devices include Lumia 920 and HTC 8X." Every phone and every OS has its problems, and happy users probably aren't as vocal; it would be good to know how Windows Phone users who are also iOS and Android users compare them for reliability.
Crime

Hacker vs. Counter-Hacker — a Legal Debate 182

Posted by timothy from the shhh-this-is-the-conspiracy-room dept.
Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:
  • Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
  • Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"
Google

New Malware Variant Uses Google Docs As a Proxy To Phone Home 85

Posted by timothy from the why-not-use-linkedin-like-all-the-other-spammers dept.
An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word document marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."
Security

Anonymous Attacks Israeli Websites In Response To IDF Operation In Gaza 560

Posted by timothy from the bad-juju dept.
An anonymous reader writes "On Thursday, Anonymous reported that it took down close to 40 Israeli government and security establishment websites, although the single website that they presented as having been attacked belonged to a security and cleaning services company. The report came after Likud MK Danny Danon announced earlier in the week that his website had been taken down by a group calling itself TeaM KuWaiT HaCkErS. Danon's website had been hosting an online petition calling for the Israeli government to cut off the supply of electricity going from Israel to Gaza. " A report at Russia Today puts the number at "hundreds" of sites, instead.
Security

FreeBSD Project Discloses Security Breach Via Stolen SSH Key 86

Posted by timothy from the happy-transparency dept.
An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"

Slashdot Top Deals