Security

Iran Blamed For Major Cyberattack On BBC 194

Qedward writes "Iran is privately being blamed for a major cyberattack on the BBC that blocked access to its popular Persian TV service and disrupted the Corporation's IT using a denial-of-service attack. The multi-pronged March 2 attack took down much of the BBC's email, overloaded its telephone switchboard with automatic phone calls, and blocked a satellite feed for the BBC Persian station. BBC servers were also on the receiving end of a DDoS. In an unprecedented tactic, the BBC has trailed a speech to be given this week to the Royal Television Society in which Director General Mark Thompson will mention the attacks in some detail while stopping short of formally naming Iran as the perpetrator."
Government

Study Confirms the Government Produces the Buggiest Software 135

Sparrowvsrevolution writes in with a link to a Forbes story about the lackluster code produced by government agencies. "Humans aren't very good at writing secure code. But they're worst at it when they're paid to do it for the U.S. government, according to a study that will be presented at the Black Hat Europe security conference in Amsterdam later this week. Chris Wysopal, chief technology officer of bug-hunting firm Veracode, plans to give a talk breaking down a vulnerability analysis of 9,910 software applications over the second half of 2010 and 2011. Government-built applications came out far worse than those created by the commercial software industry or the finance industry. Only 16% of government web applications were secure by OWASP standards, compared with 24% of finance industry software and 28% of commercial software. By SANS standards, only 18% of government apps passed, compared with 28% of finance industry apps and 34% of commercial software. Wysopal and others blame the difference on a lack of accountability of federal contract developers, who aren't held to security standards and are even paid extra to fix their bugs after creating them."
Security

Multiword Passwords Secure Or Not? 372

A user writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and general consensus; of course any password whatsoever is going to be insecure against offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"
Cloud

Microsoft: RDP Vulnerability Should Be Patched Immediately 126

wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
Government

White House CIO Describes His 'Worst Day' Ever 333

dcblogs writes "In the first 40 days of President Barack Obama's administration, the White House email system was down 23% of time, according to White House CIO Brook Colangelo, the person who also delivered the 'first presidential Blackberry.' The White House IT systems inherited by the new administration were in bad shape. Over 82% of the White House's technology had reached its end of life. Desktops, for instance, still had floppy disk drives, including the one Colangelo delivered to Rahm Emanuel, Obama's then chief of staff and now Mayor of Chicago. There were no redundant email servers."
Businesses

Companies More Likely To Outsource Than Train IT Employees 235

snydeq writes "IT pros feeling the pressure to boost tech skills should expect little support from their current employers, according to a recent report on IT skills. '9 in 10 business managers see gaps in workers' skill sets, yet organizations are more likely to outsource a task or hire someone new than invest in training an existing staff. Perhaps worse, a significant amount of training received by IT doesn't translate to skills they actually use on the job.'"
Businesses

Dell Announces Intent To Acquire SonicWALL 65

New submitter iroc_eater writes with news of an announcement from Dell that it plans to acquire SonicWall, a security services provider. "SonicWall’s technology detects and protects networks from intrusions and malware attacks, and helps protect data. Dell is buying services and software businesses as the PC market faces competition from smartphones and tablets. Last month, the company hired CA Inc. Chief Executive Officer John Swainson to oversee the software push, and today he said security is an important part of that strategy. 'My goal is to make software a meaningful part of Dell’s overall portfolio, so that means that this is not the last thing you’re going to see from us,' Swainson said."
Censorship

DOJ Asks Court To Keep Secret Google / NSA Partnership 157

SonicSpike writes "The Justice Department is defending the government's refusal to discuss — or even acknowledge the existence of — any cooperative research and development agreement between Google and the National Security Agency. The Washington-based advocacy group Electronic Privacy Information Center sued in federal district court here to obtain documents about any such agreement between the Internet search giant and the security agency. The NSA responded to the suit with a so-called 'Glomar' response in which the agency said it could neither confirm nor deny whether any responsive records exist. U.S. District Judge Richard Leon in Washington sided with the government last July."
Handhelds

'Honey Stick' Project Tracks Fate of Lost Smartphones 222

wiredmikey writes with a quote from an article at SecurityWeek: "In order to get a look at what happens when a smartphone is lost, Symantec conducted an experiment, called the Honey Stick Project, where 50 fully-charged mobile devices were loaded with fake personal and corporate data and then dropped in publicly accessible spots in five different cities ... Tracking showed that 96 percent of the devices were accessed once found (PDF), and 70 percent of them were accessed for personal and business related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found."
Facebook

Chinese Spies Used Fake Facebook Profile To Friend NATO Officials 117

An anonymous reader writes "Late last year, senior British military officers, Defense Ministry officials, and other government officials were tricked into becoming Facebook friends with someone masquerading as United States Navy admiral James Stavridis. By doing so, they exposed their own personal information (such as private e-mail addresses, phone numbers, pictures, the names of family members, and possibly even the details of their movements), to unknown hackers."
Security

Prof. J. Alex Halderman Tells Us Why Internet-Based Voting Is a Bad Idea (Video) 264

On March 2, 2012, Timothy wrote about University of Michigan Professor J. Alex Halderman and his contention that there is no way to have secure voting over the Internet using current technology. In this video, Alex explains what he meant and tells us about an experiment (that some might call a prank) he and his students did back in 2010, when they (legally) hacked a Washington D.C. online voting pilot project. This is, of course, a "professional driver on closed course; do not attempt" kind of thing. If you mess with voting software without permission, you might suddenly find the FBI coming through your door at 4 a.m., so please don't do it.
Crime

Stratfor Breach Leads To Over $700k In Fraud 68

wiredmikey writes "It isn't often that after a data breach involving credit cards, the public is given information on the exact amount money lost by consumers as a result. Thanks to the FBI, however, we now have a better understanding of what 60,000 stolen credit cards translates to financially, as this data was included in their investigation notes while working the Stratfor case. The last time the public had something close to actual stats from the source, we learned that the TJX breach cost Visa $68 million in 2007, two years after the TJX network was compromised by Albert Gonzalez. Yet, those were Visa's estimates. Now, in the aftermath of the Stratfor breach, the FBI has attributed $700,000 worth of charge fraud to the 60,000 credit card records taken during the network compromise. AntiSec supporters walked away with 860,160 usernames and passwords, in addition to the credit card records."
Sony

Sony's Plan To Tighten Security and Fight Hacktivism 247

mask.of.sanity writes "Sony Entertainment Network is rebuilding its information security posture to defend against hacktivism. It includes a security operations center that serves as a nerve center collating information on everything from staff phone calls, to CCTV, to PlayStation gamers. If it is successful, the counterintelligence-based system will be deployed across the entire company. 'At Sony, we are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different,' said Chief Security Officer Brett Wahlin."
Security

Accused LulzSec Members Left Trail of Clues Online 221

Trailrunner7 writes "When the long arm of the law reached in to arrest members of Anonymous's senior leadership on Tuesday, speculation immediately turned to the identities of the six men behind the Guy Fawkes mask. With the benefit of hindsight, it turns out that many had been hiding in plain sight, with day jobs, burgeoning online lives and — for those who knew where to look — plenty of clues about their extracurricular activities on behalf of the world's most famous hacking crew. Two of the accused, Darren Martyn (aka 'pwnsauce,' 'raepsauce,' and 'networkkitten,') and Donncha O'Cearbhail, formerly known as Donncha Carroll (aka 'Palladium'), sported significant online footprints and made little effort to hide their affinity for hacking. In other areas, however, Martyn (who was reported to be 25, but claimed to be 19), seemed to be on his way to bigger and better things. He was a local chapter leader of the Open Web Application Security Project in Galway, Ireland. He spent some of his free time with a small collective of computer researchers with Insecurety Research, under the name 'infodox.'"
Security

NATO Awards Largest Cyber-Security Contract To Date 45

Sara Chan writes "NATO has awarded its largest cyber-security contract to date, in a move that is expected to prompt member states to augment their own cyber-security capabilities. The contract, for €58 million ($76 million), is to design and implement NATO's Computer Incident Response Capability. NCIRC will enable NATO to monitor computer networks from its headquarters in Brussels and detect and respond to cyber threats and vulnerabilities at about 50 NATO sites in 28 countries. The project is intended to meet the requirements of a declaration by NATO Heads of State at the Lisbon Summit, in November 2010, which called for the achievement of NCIRC Full Operational Capability by the end of 2012."
Chrome

Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits 148

Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5-minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"
China

Measuring China's Cyberwar Threat 79

An anonymous reader writes with this excerpt from Network World: "A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold — and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army to sow deadly disruptions in the U.S. military logistics supply chain. As told, if there's a conflict between the U.S. and China related to Taiwan, "Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness," write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar."
Security

For Sale: Internet Spying Business Developed For Gaddafi 36

itwbennett writes "French computer company Bull Group is looking to sell off the Internet spying software business of its subsidiary Amesys. The Eagle system, which was 'designed to build databases supporting lawful interception activities on the Internet,' has an interesting pedigree, having been 'developed for Libya after signing a 2007 contract with the regime there,' according to the WSJ."
Security

Ford Tests DIY Firmware Updates 164

wiredmikey writes "This month, Ford is borrowing something from the software industry: updates. With a fleet of new cars using the sophisticated infotainment system they developed with Microsoft called SYNC, Ford has the need to update those vehicles — for both features and security reasons. But how do you update the software in thousands of cars? Traditionally, the automotive industry has resorted to automotive recalls. But now, Ford will be releasing thirty thousand USB sticks to Ford owners with the new SYNC infotainment system, although the update will also be available for online download. In preparing to update your car, Ford encourages users to have a unique USB for each Ford they own, and to have the USB drive empty and not password protected. In the future, updating our gadgets, large and small, will become routine. But for now, it's going to be really cumbersome and a little weird. Play this forward a bit. Imagine taking Patch Tuesday to a logical extreme, where you walk around your house or office to apply patches to many of the offline gadgets you own."
Government

FBI Warns Congress of Terrorist Hacking 243

An anonymous reader writes "Robert S. Mueller III, Director of the Federal Bureau of Investigation (FBI), yesterday warned Congress of terrorist hacking. He believes that while terrorists haven't hacked their way into the U.S. government yet, it's an imminent threat. Mueller said, 'To date, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent. Terrorists have shown interest in pursuing hacking skills. And they may seek to train their own recruits or hire outsiders, with an eye toward pursuing cyber attacks.'"