Security

Trade Show Video Features Iranian Tech, Talk of Stuxnet Retaliation 131

dcblogs writes "Iran recently held a security trade show and conference, attended by high-ranking police and military officials. A video by an Iranian news outlet shows some of the products, from crossbows to unidentified systems, and includes an interview with Iran's police chief, Brig. Gen. Esmail Ahmadi-Moqadam: 'It's true that the U.S. made Stuxnet virus did some damage to our facilities but we were able to get them all up and running in no time. However, those who attack should expect retaliation and we haven't gone there just yet.'"
Android

Poor SSL Implementations Leave Many Android Apps Vulnerable 141

Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."
Security

Real-Time Cyber-Attack Map 36

First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."
Security

Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical 196

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said to have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."
Transportation

TSA Moving X-ray Body Scanners To Smaller Airports 168

OverTheGeicoE writes "If you're concerned about possible health effects from TSA's X-ray body scanners, you might be pleased to learn that TSA is making changes. TSA is removing X-ray body scanners from major airports including Los Angeles International, Boston's Logan, Chicago's O'Hare, and New York City's JFK. Then again, these changes might not please you at all, because they are not mothballing the offending devices. No, they are instead moving them to smaller airports like the one in Mesa, AZ. Is this progress, or is TSA just moving potentially dangerous scanners from 'Blue' areas to 'Red' ones right before a presidential election?"
Google

ARM-Based Chromebooks Ready To Battle Windows 8, Tablets 230

Nerval's Lobster writes "Google is whipping the proverbial curtain back from its new Chromebook, which will retail for $249 and up. The Samsung-built device weighs 2.5 pounds and features an 11.6-inch screen (with 1366 x 768 resolution), backed by a 1.75GHz Samsung Exynos 5 Dual Processor. Google claims it will boot up in under 10 seconds and, depending on usage, last for 6.5 hours on one battery charge. From a product perspective, Chrome OS and its associated hardware found itself fighting a two-front battle: the first against Windows PCs and Macs, both of which could claim more robust hardware for a similar cost to the old Chromebooks (which started at $449), and the second against tablets, which offered the same degree of flexibility and connectivity for a cheaper sticker-price. By setting the cost of the new Chromebook at $249, Google continues that pricing skirmish on more favorable terms." CNET got a bit of hands-on time with the new kid, and gives it a lukewarm but positive reception.
Software

Ubuntu 12.10 Quantal Quetzal Out Now; Raring Ringtail In the Works 318

An anonymous reader writes "The six month cycle that Canonical adheres to for Ubuntu releases has come around again today. Ubuntu 12.10 'Quantal Quetzal' has been released. There's a whole range of new features and updates, but here are the most important: WebApps — treats online services as if they are desktop apps (Gmail, Twitter, Facebook); Online Services — control logins to all your services from a single window and get them integrated into search results (e.g. GDocs for file searches); Dash Preview — right click any icon, get a detailed preview of what it is; Linux kernel 3.5.4; GNOME 3.6; Nautilus 3.4; latest Unity; No more Unity 2D, fallback is the Gallium llvmpipe software rasterizer; Default apps updated (Firefox 16.01, Thunderbird 16.01, LibreOffice 3.6.2, Totem, Shotwell, Rhythmbox); Full disc encryption available during install; Single, 800MB distribution for all architectures." It's now available for download. The next version, due in six months' time, will be called Raring Ringtail.
Graphics

Trans-Atlantic 8K/UHDTV Streaming With UltraGrid and Commodity PCs 58

An anonymous reader writes "During the 12th Annual Global LambdaGrid Workshop in Chicago, researchers have demonstrated interactive multi-point streaming of 8K/UHDTV (i.e., 16x Full HD resolution) using commodity PC hardware running Linux and open-source UltraGrid software. The transmissions featured GPU-accelerated JPEG and DXT compressions implemented using the NVIDIA CUDA platform, which are also available as open-source software. The streams were distributed from the source to one location in the USA and to another location in the Czech Republic over 10Gbps GLIF network infrastructure."
NASA

NASA Exploring $1.5 Million Unmanned Aircraft Competition 38

coondoggie writes "NASA today said it wants to gauge industry interest in the agency holding one of its patented Centennial Challenges to build the next cool unmanned aircraft. NASA said it is planning this Challenge in collaboration with the Federal Aviation Administration and the Air Force Research Lab, with NASA providing the prize purse of up to $1.5 million."
Security

Explosive Detecting Devices Face Off With Bomb Dogs 115

First time accepted submitter titan1070 writes "French scientist Dr. Spitzer and his colleagues have been working on a device that can sense faint traces of TNT and other explosives being smuggled into airports and other transportation methods. The hope for this device is that it will surpass the best bomb finder in the business, the sniffer dog. From the article: 'While researchers like Dr. Spitzer are making progress — and there are some vapor detectors on the market — when it comes to sensitivity and selectivity, dogs still reign supreme. “Dogs are awesome,” said Aimee Rose, a product sales director at the sensor manufacturer Flir Systems, which markets a line of explosives detectors called Fido. “They have by far the most developed ability to detect concealed threats,” she said. But dogs get distracted, cannot work around the clock and require expensive training and handling, Dr. Rose said, so there is a need for instruments.'"
Censorship

Zero Errors? Spamhaus Flubs Causing Domain Deletions 170

Frequent contributor Bennett Haselton writes: "After I sent 10 new proxy sites to my (confirmed-opt-in) mailing list, two of them ended up on one of Spamhaus's blacklists, and as a result, all 10 domains were disabled by the domain registrar, so the sites disappeared from the Web. Did you even know this could happen?"
Operating Systems

Malware Is 'Rampant' On Medical Devices In Hospitals 234

Dupple sends this quote from MIT's Technology Review: "Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."
DRM

Steam Protocol Opens PCs to Remote Code Execution 128

Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer."
Cloud

The Pirate Bay Starts Using Virtualized Servers 186

concealment writes with news of those Swedish pirates improving their infrastructure. From the article: "The Pirate Bay has made an important change to its infrastructure. The world's most famous BitTorrent site has switched its entire operation to the cloud. From now on The Pirate Bay will serve its users from several cloud hosting providers scattered around the world. The move will cut costs, ensure better uptime, and make the site virtually invulnerable to police raids — all while keeping user data secure." They are still running their own dedicated load balancers that forward encrypted traffic to one of their "cloud" providers, rather than dealing with physical colocation. Seems like a sensible decision any IT manager would make.
Security

Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks 216

Bismillah writes "Pacemakers seem to be hackable now too, if researcher Barnaby Jack is to be believed. And the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. From the article: 'In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a "secret function" which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot-plus vicinity. ... In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the "potential to commit mass murder."'"
Security

Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average 74

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."
Encryption

UK Police Fined For Using Unencrypted Memory Sticks 100

An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of people's information was stolen from an officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."
Operating Systems

Kaspersky To Build Secure OS For SCADA Systems 165

Trailrunner7 writes "Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on a new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems. 'Well, re-designing ICS applications is not really an option. Again, too long, too pricey and no guarantees it will fit the process without any surprises. At the same time, the crux of the problem can be solved in a different way. OK, here is a vulnerable ICS but it does its job pretty well in controlling the process. We can leave the ICS as is but instead run it in a special environment developed with security in mind! Yes, I'm talking about a highly-tailored secure operating system dedicated to critical infrastructure,' Eugene Kaspersky said in an interview."
Android

FBI Issues Android Virus Warning 129

Dupple writes "The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher. Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out email. A link within these advertisements leads to a website that is designed to push Loozfon on the user's device. The malicious application steals contact details from the user's address book and the infected device's phone number."
