Slashdot

Lexta writes with an interesting tidbit from IEEE Spectrum: "'Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system.' The intended approach is to create an open source project to spread the computation of a giant look-up table across more than 80 machines. Interestingly, they've openly stated that nVidia's CUDA technology will be used to execute parallel elements of the problem on GPUs as well."

darthcamaro writes "Yesterday we discussed Google's launch of its new Public DNS service. Now Metasploit founder and CSO at Rapid7, H D Moore, investigates how well-protected Google's service is against the Kaminsky DNS flaw. Moore has put together a mapping of Google's source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports. The InternetNews report on Moore's research concludes: 'What Moore's preliminary research clearly demonstrates to me is that Google really does need to live up to its promise here. Unlike a regular ISP, Google will be subject to more scrutiny (and research) than other DNS providers.'"

[rvr] writes "Last Monday, the Spanish Government published the latest draft for the Sustainable Economy Act, which would enable a Commission dependent of the Ministry of Culture to take down websites without a court order, in cases of Intellectual Property piracy. On Wednesday, using Google Wave, a group of journalists, bloggers, professionals and creators composed and issued a Manifesto in Defense of Fundamental Rights on the Internet, stating that 'Copyright should not be placed above citizens' fundamental rights to privacy, security, presumption of innocence, effective judicial protection and freedom of expression.' Quickly, more than 50,000 blogs and sites re-published the manifesto. On Thursday morning, the Ministry of Culture Ángeles González Sinde (former president of the Spanish Academy of Motion Picture Arts and Sciences) organized a meeting with a group of Internet experts and signers of the Manifesto. The meeting was narrated in real time via Twitter and concluded without any agreement. On Thursday afternoon, the Prime Minister's staff had a private meeting with the Ministry of Culture and some party members (who also expressed their opposition to the draft). Finally, Spain Prime Minister José Luis Rodríguez Zapatero announced in a press meeting that the text will be changed and a court order will continue to be a requirement, but [the government] still will search for ways to fight Internet piracy."

Ardisson writes "Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."

garg0yle writes "According to McAfee, more than a third of Cameroon domains (TLD of .cm) are infested with viruses or other not-so-fun party treats. Given that it's very easy to mis-type .com as .cm, this puts the computers of a lot of fat-fingered typists in peril. Second place on the most-infested domains list goes to China (.cn), while Hong Kong (last year's 'winner') is now comfortably middle-of-the-pack."

Barence follows up to the ongoing Black Screen of Death Saga by saying "Microsoft says reports of 'Black Screen of Death' errors aren't caused by Windows Updates, as claimed by a British security firm. The software giant claims November's Windows Updates didn't alter registry keys in the way described by Prevx, which said that the Microsoft Patches caused PCs to boot with just a black screen and a Windows Explorer window. Microsoft is now blaming the problem on malware. Prevx has issued a grovelling apology on its own blog."

reginaldo writes to clue us that pirates in Somalia have opened up a cooperative in Haradheere, where investors can pay money or guns to help their favorite pirate crew for a share of the piracy profits. "'Four months ago, during the monsoon rains, we decided to set up this stock exchange. We started with 15 "maritime companies" and now we are hosting 72. Ten of them have so far been successful at hijacking,' Mohammed [a wealthy former pirate who took a Reuters reporter to the facility] said. ... Piracy investor Sahra Ibrahim, a 22-year-old divorcee, was lined up with others waiting for her cut of a ransom pay-out after one of the gangs freed a Spanish tuna fishing vessel. 'I am waiting for my share after I contributed a rocket-propelled grenade for the operation,' she said, adding that she got the weapon from her ex-husband in alimony. 'I am really happy and lucky. I have made $75,000 in only 38 days since I joined the "company."'"

eldavojohn writes "A formal complaint was filed in California (caged PDF) last week by John Lindstein naming David Miscavige and the Church of Scientology International as defendants. Lindstein claims that for sixteen years (from age 8) he was forced to work as a slave at Gold Base, a secret CoS site run by Golden Era Productions with 'razor wire, security guard patrols, surveillance posts, and three roll calls each day.' The pay was $50 a week. The allegations include 'Violations of wage and hour laws as well as unfair/illegal business practices actionable under California B&P 17200 Et. Seq.' and a complaint under the 13th Amendment of the US Constitution, which abolished slavery. Members of the group Anonymous praised the summons."

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

duguk writes "Microsoft has confirmed that it is investigating a problem described as the 'black screen of death,' which affects Windows 7 — and reports suggest it affects Vista and XP, too. The firm said it was looking into reports that suggest its latest security update, released on Tuesday 25 November, caused the problem. The error means that users of Windows 7 and earlier operating systems see a totally black screen after logging on to the system." Update: 12/01 22:35 GMT by KD : Microsoft now says that its November Windows updates are not causing the BlackSOD: "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Nashville Guy writes "According to Australia's The Age, 'A New Zealand man living in Queensland and believed to be behind the world's largest spam operation, has been ordered to pay more than $16 million for running the illegal enterprise. Lance Atkinson, 26, originally from Christchurch, was living in Pelican Waters on the Sunshine Coast when the US Federal Trade Commission (FTC) had his assets frozen last year. ... The FTC found Atkinson and American Jody Smith were at the centre of the world's largest internet spam operation, dubbed 'AffKing,' having recruited spammers from around the world.'"

Trailrunner7 writes "A researcher has published an explanation of a new flaw in FreeBSD that allows a remote attacker to take control of a vulnerable machine. The vulnerability could give an attacker root access to the FreeBSD machine, and the FreeBSD developers have published a patch for the flaw early Tuesday. The vulnerability lies in run-time link-editor and, if exploited, gives an attacker the ability to run arbitrary code. The researcher, Kingcope, has posted an explanation of the flaw on the Full Disclosure mailing list. In a message to FreeBSD users, Colin Percival, the project's security officer, said that because of the severity of the flaw and the fact that exploit code already is available, he felt it was necessary to post the patch as soon as possible, without even publishing a security advisory."

eldavojohn writes "Congressman Peter King (R-NY) is calling for a probe into Wikileaks with regard to the recent publication of half a million 9/11 pager messages. He has announced that he plans to have his Washington staff begin a preliminary investigation because Wikileaks' action 'raises security issues.' A word of caution: Congressman King has been known to make inflammatory and unpopular statements."

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"

jvillain writes "India is about to pull the plug on 25 million cell phones in the name of fighting terrorism and fraud. 'The ban by India's Department of Telecommunications has been unfolding gradually since Oct. 6, 2008, six weeks before the attacks in Mumbai killed 173 people and wounded 308. A memo then directed service providers to cut off cellphone users whose devices didn't have a real IMEI — or unique identity number — in the interests of 'national security.' Since then, the move has picked up steam as a way to circumvent terrorists using black market, unregistered cellphones. The Mumbai attackers kept in touch with each other via cellphones and used GPS to pinpoint their attacks, which started Nov. 26, 2008, and went on for three days. The telecommunications department has issued warnings and deadlines through 2009 but has announced this one is for real, telling operators to block cellphones without valid IMEI numbers. Previously, it warned companies to stop importing them and customers to stop buying them.'"

Unexpof writes "A man has been arrested by the British Police Central e-Crime Unit (PCeU), accused of stealing the usernames and passwords from players of the RuneScape MMORPG. Security experts report that this is one of the first occasions when a Brit has been apprehended for 'virtual robbery,' although incidents have happened in the past. For instance, the CEO of the sci-fi trading game EVE Online stole 200 billion 'kredits,' which he then used as a deposit on a real-world house, and in October last year a Japanese woman was arrested by police after allegedly hacking her virtual husband 'to death.'"

truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

Eugen tips news that Microsoft has sent DMCA takedown notices to several websites to stop them from offering the Computer Online Forensic Evidence Extractor (COFEE) tool for download after it was leaked earlier this month. One of the sites, Cryptome.org, has posted their correspondence with Microsoft over the software. "... Microsoft contacted Network Solutions, which hosts Cryptome, and since John Young, the owner of the website, wasn't too keen on losing his whole website for the sake of a single 15MB file, he removed the download link and sent Network Solutions a notice of compliance."