First time accepted submitter msamp writes "After the dotcom bubble burst so long ago,when tech jobs were so scarce, I went back to school and finished my PhD in Physics. They lied — there really is no shortage of scientists. Before the downturn I was a product manager for home networking equipment. Since getting the degree I have been program/project manager for small DoD and NASA instrumentation programs. I desperately want back into network equipment product management, but my networking tech skills aren't up to date. I find networking technology absolutely trivial and have been retraining on my own, but hiring managers see the gap and the PhD and run screaming. I'm more than willing to start over in network admin but can't even get considered for that. Suggestions?"
wiredmikey writes "NVIDIA on Saturday quietly released a driver update (version 310.90) that fixes a recently-uncovered security vulnerability in the NVIDIA Display Driver service (nvvsvc.exe). The vulnerability was disclosed on Christmas day by Peter Winter-Smith, a researcher from the U.K. According to Rapid7's HD Moore, the vulnerability allows a remote attacker with a valid domain account to gain super-user access to any desktop or laptop running the vulnerable service, and allows an attacker (or rogue user) with a low-privileged account to gain super-access to their own system. In addition to the security fix, driver version 310.90 addresses other bugs and brings performance increases for several games and applications for a number of GPUs including the GeForce 400/500/600 Series."
McGruber writes "Travel writer Christopher Elliott touches down with the news that the U.S. Transportation Security Administration was spotted standing around outside a recent American football game between the Minnesota Vikings and the Green Bay Packers (picture). According to Mr. Elliott, the 'TSA goes to NFL games and political conventions and all kinds of places that have little or nothing to do with ... travel. It even has a special division called VIPR — an unfortunate acronym for Visible Intermodal Prevention and Response team — that conducts these searches.' He continues, 'As far as I can tell, TSA is just asking questions at this point. "Data and results collected through the Highway BASE program will inform TSA's policy and program initiatives and allow TSA to provide focused resources and tools to enhance the overall security posture within the surface transportation community," it says in the filing. But they wouldn't be wasting our money asking such questions unless they planned to aggressively expand VIPR at some point in the near future. And that means TSA agents at NFL games, in subways and at the port won't be the exception anymore — they will be the rule.'"
paysonwelch points out John McAfee's latest blog post, which "details the complex spy network that he used to tap information from the highest echelons of the Belizean government. He might consider a new career as a movie producer — this blog post is enthralling. Here is an excerpt: 'I purchased 75 cheap laptop computers and, with trusted help, intalled invisible keystroke logging software on all of them — the kind that calls home (to me) and disgorges the text files. I began giving these away as presents to select people — government employees, police officers, Cabinet Minister's assistants, girlfriends of powerful men, boyfriends of powerful women.'"
McGruber writes "The big buzz for travelers today is the story of how a scary toothbrush prompted the closure of Hartsfield–Jackson Atlanta International Airport: 'Airport officials told Channel 2 Action News that an electric toothbrush began vibrating inside a bag checked onto an AirTran flight, causing workers to alert airport officials to the strange noise.' The terminal and the Metropolitan Atlanta Rapid Transit Authority (MARTA) subway were both temporary closed 'out of an abundance of caution.' ATL has been the world's busiest airport by passenger traffic since 1998, and by number of landings and take-offs since 2005."
An anonymous reader sends this quote from an IDG News report: "The Dutch government's cyber security center has published guidelines (in Dutch) that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way. The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said. Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said."
tsu doh nimh writes "Google and Microsoft today began warning users about active phishing attacks against Google's online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a domain registrar run by TURKTRUST Inc., a Turkish domain registrar. Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the '.google.com' domain. 'TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,' Google said in a blog post today. Microsoft issued an advisory saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST, and that the fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against virtually any domain. The incident harkens back to another similar compromise that happened around the same time-frame. In September 2011, Dutch certificate authority Diginotar learned that a security breach at the firm had resulted in the fraudulent issuing of certificates."
llamafirst writes "As the year flipped to 2013, we learned that Adobe and Apple don't test for "forward date" bugs. Adobe prevented any copy of FrameMaker 10 from launching and Apple broke Do Not Disturb for the first week of 2013. Surely some more critical and safety systems also have lurking issues. Got tips for catching time/date bugs 'from the mysterious future?' (Also, obligatory link to Falsehoods programmers believe about time.)"
An anonymous reader writes "Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday. For those who didn't see the news on the weekend, criminals started using a new IE security hole to attack Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are."
Trailrunner7 writes with the news as posted at Threatpost (based on this advisory) that "All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18. The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. The vulnerability lies specifically in the Ruby on Rails framework, and its presence doesn't mean that all of the apps developed on vulnerable versions are susceptible to the bug."
Barence writes "When Microsoft last year launched Outlook.com, the company carelessly left the SteveBallmer@Outlook.com address vacant. It was snapped up by the editor of PC Pro, giving an insight into the type of emails the public sends to the Microsoft CEO. Among the messages sent to the account are complaints about the Windows 8 interface, a plea from someone who was 'literally driven crazy' by Windows Server product keys, and someone who wants Windows Phone's calendar to remind him when he's being paid. There's also a more sinister complaint from someone who claims they were the victim of racial discrimination when applying for a job at a Microsoft Store."
Curseyoukhan writes "Infosec vendor IID (Internet Identity) probably hopes that by the time 2014 rolls around no one will remember the prediction it just made. That is the year it says we will see the first murder via internet connected device. The ability to do this has been around for quite some time but the company won't say why it hasn't happened yet. Probably because that would have screwed up their fear marketing. CIO blogger challenges them to a $10K bet over their claim."
crookedvulture writes "Slashdot has previously covered The Tech Report's exposure of frame latency issues with recent AMD graphics processors. Both desktop and notebook Radeons exhibit frame latency spikes that interrupt the smoothness of in-game animation but don't show up in the FPS averages typically used to benchmark performance. AMD has been looking into the problem and may have discovered the culprit. The Graphics Core Next architecture underpinning recent Radeons is quite different from previous designs, and AMD has been rewriting the memory management portion of its driver to properly take advantage. This new code improves frame latencies, according to AMD's David Baumann, and the firm has accelerated the process of rolling it into the official Catalyst drivers available to end users. Radeon owners can take some comfort in the fact that a driver update may soon alleviate the frame latency problems associated with AMD's latest GPUs. However, they might also be disappointed that it's taken AMD this long to optimize its drivers for the now year-old GCN architecture."
jfruh writes "Those Nigerian spam scams of the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world's fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected — and the combination of ambitious, educated people, a ceiling on advancement due to corruption and lack of infrastructure, and lax law enforcement is a perfect petri dish for increased cybercrime."
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"