tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"
coondoggie writes "With China once again playing games with the rare earth materials it largely holds sway over, the U.S. Department of Energy today said it would set up a research and development hub that will bring together all manner of experts to help address the situation. The DOE awarded $120 million to Ames Laboratory to set up an Energy Innovation Hub that will develop solutions to the domestic shortages of rare earth metals and other materials critical for U.S. energy security, the DOE stated."
cervesaebraciator writes "Tim Lee over at Ars Technica recently interviewed Derek Khanna, a former staffer for the Republican Study Committee. As reported on Slashdot, Khanna wrote a brief suggesting the current copyright law might not constitute free market thinking. He was rewarded for his efforts with permanent time off of work. Khanna continues to speak out about the need for copyright reform as well as its potential as a winning electoral issue and, according to Lee, he's actually beginning to receive some positive attention for his efforts. 'I encourage Hill staffers to bring forth new ideas. Don't be discouraged by the potential consequences,' Khanna told Ars. 'You work for the American people. It's your job, your obligation to be challenging existing paradigms and put forward novel solutions to existing problems.' Would that more in both major parties thought like this."
BeatTheChip writes "The day Andrea Hernandez lost her federal case against expulsion for refusing a school mandated RFID badge, Rep. Lois Kolkhorst moved to file two bills on the first day of the Texas Legislative session. Kolkhorst has sponsored several anti-RFID bills for schools over the years. This year they are HB 101 and HB 102."
New submitter Bugs42 writes "CNN.com has an opinion piece on the possibility of cramming guns full of computers and sensors to disable them in certain buildings or around children. The author, in true mainstream media fashion, completely fails to see any possible technical problems with this. Quoting: 'How might this work? Start with locational "self-awareness." Guns should know where they are and if another gun is nearby. Global positioning systems can meet most of the need, refining a gun's location to the building level, even within buildings. Control of the gun would remain in the hand of the person carrying it, but the ability to fire multiple shots in crowded areas or when no other guns are present would be limited by software that understands where the gun is being used. Guns should also be designed to sense where they are being aimed. Artificial vision and optical sensing technology can be adapted from military and medical communities. Sensory data can be used by built-in software to disable firing if the gun is pointed at a child or someone holding a child."
Bob the Super Hamste writes "The St. Paul Pioneer Press is reporting that Andrew Henderson was recording Ramsey County sheriff's deputies frisking a bloody-faced man, who was then loaded into an ambulance by paramedics. Then sheriff's deputy Jacqueline Muellner approached Henderson and confiscated his video camera, stating, 'We'll just take this for evidence,' which was recorded on Henderson's cell phone. On October 30th, Henderson went to the Arden Hills sheriff's office to retrieve his video camera, where he was told where he would have to wait to receive his camera back. A week later, Henderson was charged with obstruction of legal process and disorderly conduct, with the citation stating, 'While handling a medical/check the welfare (call), (Henderson) was filming it. Data privacy HIPAA violation. Refused to identify self. Had to stop dealing with sit(uation) to deal w/Henderson.' In mid November, Henderson went back to the sheriff's office to attempt to retrieve his camera and get a copy of the report when Deputy Dan Eggers refused. ... Jennifer Granick, a specialist on privacy issues at Stanford University Law School, states that the alleged violation of HIPAA rules by Andrew Henderson is nonsense, stating, 'There's nothing in HIPAA that prevents someone who's not subject to HIPAA from taking photographs on the public streets, HIPAA has absolutely nothing to say about that.'" The article notes that the Deputy in question basically told the guy he was arrested for being a "buttinski" and recording someone in the midst of a violent mental health breakdown. Supposedly the footage was deleted from the camera while in police custody.
judgecorp writes "British Members of Parliament have warned that the UK's cyber warfare strategy is getting it wrong. According to a defense committee report, the country's IT security forces are inadequately prepared for a cyber attack, rely too heavily on inadequately protected systems, and do not sufficiently appreciate the difficulty of attributing the source of an attack."
Chris453 writes "Earlier today, a Texas High School student named Andrea Hernandez and her family lost the first round of the lawsuit filed to prevent her school district from forcing its students to wear RFID badges for tracking purposes. The judge in the case declared that the district's compromise for the student (a badge without the battery) was sufficient and dismissed any First Amendment issues. The badges are RFIDs powered by built-in batteries and one of the concerns was that the badges would be used to track students off-campus. Interestingly enough, the school district claims in court documents that 'The badges do not work off campus (PDF).' However, on their website, the school district confirms that it is conceivable that an off-campus RFID reader could access badge serial numbers, but tries to downplay the significance: 'Therefore, an intruder or "hacker" can only learn that the tag serial number is, for example, #69872331, but that does not provide any useful information. Has the district committed perjury by claiming that the active RFIDs magically deactivate themselves when off school property?"
New submitter Oxide writes "A Kuwaiti court sentenced a man to two years in prison on Monday for insulting the country's ruler on Twitter, his lawyer said, the second person to be jailed for the offense in as many days. The Gulf state has clamped down in recent months on political activists who have been using social media websites to criticize the government and the ruling family. What's interesting is that the tweets in question did not mention the ruler directly but just indicated it might be him it is referring to."
mask.of.sanity writes "Researchers have examined writing styles to identify previously anonymous carders and hackers operating on underground forums. Up to 80 percent of users who wrote at least 5000 words across their posts could be identified using linguistic techniques. Techniques such as stylometric analysis were used to track users who posted across different forums, and could even be used to unveil authors of thesis papers or blogs who had taken to underground networks."
iComp sends word of a Chinese businessman who pleaded guilty to selling pirated software the retail value of which totaled more than $100 million. The software came from over 200 different companies, and was sold to buyers in 61 different countries over a 3-year period. The man was arrested by the U.S. Department of Homeland Security on the island of Saipan in 2011, after undercover agents had been working on the case for 18 months (PDF). "Li trolled black market Internet forums in search of hacked software, and people with the know-how to crack the passwords needed to run the program. Then he advertised them for sale on his websites. Li transferred the pirated programs to customers by sending compressed files via Gmail, or sent them hyperlinks to download servers, officials said. ... Agents lured Li from China to the U.S. territory of Saipan under the premise of discussing a joint illicit business venture. At an island hotel, Li delivered counterfeit packaging and, prosecutors said, "Twenty gigabytes of proprietary data obtained unlawfully from an American software company." Officials did not identify the company in court documents."
Spy Handler writes "A software update of the California welfare computer system (CalWIN) caused 37,000 Food Stamp recipients to lose their EBT (a credit card paid for by the government) benefits last weekend. According to the article, Hewlett Packard was responsible for the failed update of CalWIN, but at 8:00 a.m. today Xerox (who administers another state welfare system called CalFresh) issued a patch that reactivated the EBT cards."
chicksdaddy writes "A security researcher who was looking for vulnerabilities in Facebook's platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing a Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address. After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account. Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."
Antipater writes "Disney parks and resorts have long had a system that combined your room key, credit card, and park ticket into a single card. Now, they're taking it a step further by turning the card into an RFID wristband (called a 'MagicBand'), tracking you, and personalizing your park experience, targeted-ad style. 'Imagine booking guaranteed ride times for your favorite shows and attractions even before setting foot in the park,' wrote Tom Staggs, chairman of Walt Disney Parks and Resorts, in a blog posting on Monday. 'With MyMagic+, guests will be able to do that and more, enabling them to spend more time together and creating an experience that's better for everyone.' Disney does go on to talk about all the things you can opt out of if you have privacy concerns, and the whole system seems to be voluntary or even premium." With a theme park, at least, you can also choose to avoid the place entirely; that makes it, however creepy, a bit different from compulsory education settings, or mandatory car tracking.