Security mandates aim to shore up shattered SSL system
Too little, too late
A consortium of companies has published a set of security practices they want all web authentication authorities to follow for their secure sockets layer certificates to be trusted by browsers and other software.
The baseline requirements (PDF), published this week by the Certification Authority/Browser Forum, are designed to …
Adobe kills two actively exploited bugs in Reader
Unscheduled update coming to Windows machine near you
Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines.
Version 9.4.7 of the programs fix two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against …
Judge dismisses charges against accused Twitter stalker
Offensive tweets protected by US Constitution
A federal judge has dismissed a criminal case against a man charged with stalking a religious leader on Twitter on the grounds that the more than 8,000 messages he posted, some predicting her violent death, were protected by the US constitution.
Thursday's ruling by US District Judge Roger W. Titus of Maryland was among the …
US spy drone hijacked with GPS spoof hack, report says
Electronic warfare comes of age – in Iran
The US stealth drone broadcast last week on Iranian state television was captured by spoofing its GPS coordinates, a hack that tricked the bird into landing in Iranian territory instead of where it was programmed to touch down, The Christian Science Monitor reported.
The 1700-word article cited an unnamed Iranian engineer who …
Visa probes reported security breach of card processor
17,000 cards already blocked
Credit card issuer company Visa is investigating the possible breach of a payment processor in Europe that may have compromised more than 10,000 cards in Eastern Europe.
In a statement issued on Thursday, according to IDG News, the issuer said: “Visa Europe has been informed of a potential data security breach at a European …
Feds charge eight former Siemens officials with bribery
$100m allegedly paid to secure Argentine identity cards
US officials have charged more than a dozen former executives and contractors of Siemens of conspiring to spend $100 million in bribes to secure a $1 billion contract to produce national identity cards for Argentine citizens.
A criminal indictment filed on Tuesday against eight former officials of the German industrial giant …
Newfangled graphics engine for browsers fosters data theft
The shady truth behind CSS shaders
Software developers at Google, Apple, Adobe, and elsewhere are grappling with the security risks posed by an emerging graphics technology, which in its current form could expose millions of web users' sensitive data to attackers.
The technology, known as CSS shaders is designed to render a variety of distortion effects, such as …
SCADA vuln imperils critical infrastructure, feds warn
Secret accounts open control systems to attack
An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the US agency that safeguards the nation's critical infrastructure has warned.
Some models of the Modicon Quantum PLC used in industrial control systems …
Espionage hack attack preys on chemical firms
Spotted in the wild: Nitro Part II
More than two months after the discovery of an organized malware campaign targeting dozens of companies in the defense and chemical industries, the espionage hack attack shows no signs of letting up.
According to a blog post published on Monday, the same group that targeted at least 38 companies between July and September is …
Malicious apps infiltrate Google's Android Market
Bogus games purged after more than 10,000 downloads
Google security crews have tossed at least a dozen smartphone games out of the Android Market after discovering they contained secret code that caused owners to accrue expensive charges for text messages sent to premium numbers.
The malicious apps, uploaded to the Google-hosted service by a developer named Logastrod, …
Windows Defender Offline: For PCs too hosed to go online
In beta now
Microsoft has released a beta version of its Windows Defender antivirus tool that works even when computers are so badly infected that they are unable to fully access the internet.
The program allows users to boot their sick machines from a CD, DVD or USB flash drive and use the most up-to-date definitions to fight the …
Four Romanians charged with hacking 150 Subway shops
Point-of-sale breach reaps millions in ill-gotten gains
Four Romanian nationals were charged with pocketing millions of dollars by hacking into the credit card processing systems of more than 200 businesses.
The men remotely accessed point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers and stealing credit card data for more than 80,000 customers, according to a …
Chrome is the most secured browser - new study
Firefox finishes last in 3 browser security race
Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox.
The 102-page report, prepared by researchers from security firm …
Digital certificate authority suspends ops following breach
Hackers access database, gain control over website
Websites belonging to a Netherlands-based issuer of digital certificates were unavailable following reports hackers penetrated their security and accessed databases that should have been off limits.
Dutch telecommunications giant KPN issued a statement (translation here) that said it temporarily shut the website of it's Gemnet …
Man fights felony hacking charge for accessing wife's email
Gmail showed her having extramarital affair
A Michigan appeals court is trying to decide whether the state's anti hacking law should be invoked against a man who broke into his wife's Gmail account to see if she was having an affair.
Leon Walker, 34, faces a maximum of five years in prison for using a shared family computer to read his wife's personal email after she …
Military contractor warns of new Adobe Reader exploit
Attacks already under way
Attackers are exploiting a vulnerability in the latest versions of Adobe Reader and Acrobat applications to hijack computers running Microsoft Windows, Adobe warned on Tuesday.
The vulnerability, which corrupts memory involved with the U3D, or Universal 3D, file format, was reported by members of Lockheed Martin's computer …
Facebook security hole exposes Zuckerberg's privates
And possibly yours, too
A security hole on Facebook has been exposing private pictures of countless users, including the Social Network's founder and CEO Mark Zuckerberg.
A photo pilfering exploit posted to a bodybuilding.com forum on Monday included step-by-step instructions for viewing pictures designated as private by the Facebook users who posted …
Navy training mine washes ashore on Miami Beach
File under 'WTF!'
A portion of Miami Beach was evacuated on Monday following the discovery of a red and white cylinder that turned out to be a training mine belonging to the US Navy.
Police cordoned off the area surrounding the 6-foot by 2-foot mine, which a Miami Fire Rescue spokesman said appeared to be live but not as explosive as a regular …
It's ba-ack. Exploit revives slain browser history bug
Attack reveals recently visited websites
A Google researcher has resurrected an attack that allows website operators to steal the browsing history of visitors almost a year after all major browser makers introduced changes to close the gaping privacy hole.
Proof-of-concept code recently posted by Google security researcher Michal Zalewski works against the majority of …
Carrier IQ VP: App on millions of phones not a privacy risk
Like tiny fish through a net, key taps dropped from memory
More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy …
Does your smartphone run Carrier IQ? Find out here
Apple, AT&T, Sprint confirm; Nokia, RIM, Verizon deny
The roster of confirmed smartphone manufacturers and network providers using the controversial Carrier IQ tracking software has grown to include Apple, AT&T, Sprint, HTC, and Samsung. Verizon, Nokia, and Research in Motion, meanwhile, have denied reports saying they employ it.
In a statement that was widely reported on Thursday …
US Senator demands answers from Carrier IQ
Al Franken calls smartphone tracker on the carpet
Senator and former late-night funnyman Al Franken has called on Carrier IQ to explain why its diagnostic software, buried in the bowels of 141 million smartphones, isn't a massive violation of US wiretap laws.
In a letter sent to Larry Lenhart, CEO and president of the Mountain View, California-based software maker, Franken …
Duqu attackers: master coders, Linux rookies
Amateur goofs doom global wipe of C&C servers
The Duqu malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their command of Linux led to some highly amateur mistakes.
According to a report published on Wednesday by researchers from Kaspersky Lab, the unknown attackers attempted a global …
Android glitch allows hackers to bug phone calls
Attack pierces defenses on devices from HTC, Samsung, Motorola, Google
Computer scientists have discovered a weakness in smartphones running Google's Android operating system that allows attackers to secretly record phone conversations, monitor geographic location data, and access other sensitive resources without permission.
Handsets sold by HTC, Samsung, Motorola, and Google contain code that …
BUSTED! Secret app on millions of phones logs key taps
Researcher says seeing is believing
An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users.
In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ …
Google researchers propose fix for ailing SSL system
Changes would overhaul net's foundation of trust
Security researchers from Google have proposed an overhaul to improve the security of the Secure Sockets Layer encryption protocol that millions of websites use to protect communications against eavesdropping and counterfeiting.
The changes are designed to fix a structural flaw that allows any one of the more than 600 bodies …
Malls suspend plan to track shoppers' cellphones
Privacy concerns rain on retailer's snoop fest
Two shopping malls have dropped plans to track shopper's movements after a US senator voiced privacy concerns about the practice, which involves monitoring individuals' cellphone signals.
The Footpath tracking system will no longer be used at the Promenade Temecula mall in southern California or the Short Pump Town Center mall …
Twitter crypto purchase leaves Egypt dissidents in lurch
Android privacy service goes dark
A company that provided free cellphone encryption to dissidents in Egypt abruptly suspended its services on Monday so that Twitter could integrate some of its privacy enabling technology into the microblogging site.
Twitter's acquisition of San Francisco-based Whisper Systems came on Monday, the same day Egyptian citizens …
Assange shocker: 'Of course I'm a goddamn journalist'
Meanwhile, overhauled whistle-blower system delayed
WikiLeaks founder Julian Assange is running out of patience with those who question his rightful membership with the fourth estate.
Just hours after receiving Australia's Walkley Award for "recognition of long-term commitment and achievement in the Australian media," Assange appeared by Skype at the News World Summit in Hong …
Software maker sorry for trying to silence security researcher
Withdraws legal threats over mobile 'rootkit' claims
A Silicon Valley software maker has withdrawn legal threats against an Android developer who claimed the company's diagnostic application amounted to a rootkit that posed a privacy threat to millions of handset owners.
In a statement issued on Wednesday, Mountain View, California-based Carrier IQ apologized to Trevor Eckhart …
Browser plugin brings strong crypto to Google webmail
(Some restrictions apply)
Software developers have released a JavaScript implementation of the OpenPGP encryption message format that allows users to encrypt and decrypt communications within web-based mail services.
GPG4Browsers is currently available only as an extension for the Google Chrome browser for integration with Gmail. It works with all …
Apple one-day-only sale plans for Macs, iPads leaked to web
iPhone discounts a no show
Apple plans to offer modest discounts on Macs, iPads, and iPods for one day only on Friday, according to the 9to5Mac website, which said a trusted tipster leaked the details of its day-after-Thanksgiving sales.
iMacs, MacBook Airs and MacBook Pros will be marked down by $101, while iPads will be discounted by $41 to $61 …
FBI: No evidence of water system hack destroying pump
Probe into SCADA breach continues
Federal officials said there's no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery.
In an email sent on Tuesday afternoon to members of the Industrial Control Systems Joint Working Group, …
Google mail crypto tweak makes eavesdropping harder
'Forward secrecy' protects data for the long term
Google engineers have enhanced the encryption offered in Gmail, Google Docs, and other services to protect users against retroactive attacks that allow hackers to decrypt communications months or years after they were sent.
The feature, a type of key-establishment protocol known as forward secrecy, ensures that each online …
Tor launches DIY relays in Amazon cloud
Easy to build, cheap to run
The Tor Project is tapping Amazon's EC2 cloud service to make it easier for volunteers to donate bandwidth to the anonymity network.
Developers with the project have released preconfigured Tor Cloud images that volunteers can use to quickly deploy bridges that allow users to access the service. The new system is designed to …
'Organized' hack targets AT&T wireless subscribers
'Auto script' attack fails to breach accounts
Hackers used automatic scripts to target AT&T wireless subscribers in an unsuccessful attempt to steal information stored in their online accounts, company officials said.
In an email sent to targeted subscribers, AT&T warned of an “organized attempt” to break into their accounts. The advisory was sent to less than 1 per cent …
Smart meters blamed for Wi-Fi, garage opener interference
Utility not doing enough, advocate says
Smart meters issued by an electric utility in Maine are interfering with a wide range of customers' electronic devices, including wireless routers, cordless phones, electric garage doors, and answering machines.
The Central Maine Power Company has received complaints from more than 200 customers since the meters were installed …
Clegg orders fresh review of UK extradition treaty
New hope for Gary McKinnon
Supporters of accused NASA hacker Gary McKinnon scored a small political victory after Deputy Prime Minister Nick Clegg ordered a fresh review of the lopsided extradition treaty between the US and the UK.
Clegg broke ranks with the Government over a review issued last month that concluded the treaty wasn't biased. He has …
Second water utility reportedly hit by hack attack
Proof-of-concept intrusion
Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about of the security of the US's critical infrastructure.
Five computer screenshots posted early Friday purport to show the user interface used to …
World's first Win 8 malware 'bootkit' to debut next week
'Stoned Lite' too impaired to defeat UEFI
A security researcher said that he has developed malware for Microsoft's forthcoming Windows 8 operating system that is able to load during boot-up when it's run on older PCs.
Peter Kleissner said Stoned Lite – as the latest version of his bootkit is called – doesn't bypass defenses that will be available to people using Windows …
Water utility hackers destroy pump, expert says
Updated SCADA breach 'a really big deal'
Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.
Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the …
Crooks make it rain by seeding cloud with zombies
Your compute resources rented out
Malware operators are once again trying to generate profits from the cloud, this time by stealing the resources of infected computers and selling them to a new distributed-computing network, researchers from Kaspersky said.
After infecting a computer, the malware downloads and installs the MetaTrader 5 Tester Agent, software …
Facebook vows 'consequences' for extreme porn scammers
Updated Responsible parties already identified
Facebook officials have tracked down the scammers responsible for deluging the social network with images depicting bestiality, self-mutilation and other depravity and is vowing to seek swift justice.
As previously reported, Facebook has blamed the torrent of extreme smut on a "self-XSS vulnerability in the browser" that …
Windows 8 aims to make security updates less painful
Fewer restarts, less desktop clutter
The next version of Microsoft's Windows operating system will introduce changes that are designed to make automatic updates less disruptive by eliminating popup notifications and reducing the number of times machines must be restarted.
In a blog post published on Monday, Microsoft Program Manager for the Windows Update Group …
'Devastating' protocol flaw could paralyze Bitcoin system
Scientists propose 'Red Balloon' incentive solution
Computer scientists say they've identified a fundamental flaw in the Bitcoin electronic currency system that could eventually stunt its development unless developers change the way users are rewarded for their participation.
With about 7.5 million Bitcoins in circulation, the highly decentralized system relies on public-key …
US anti-hacking law turns computer users into criminals
Former prosecutor calls for change to CFAA
A commonly invoked anti-hacking law is so overbroad that it criminalizes conduct as innocuous as using a fake user name on Facebook or fibbing about your weight in a Match.com profile, one of the nation's most respected legal authorities has said.
George Washington University Law School Professor Orin S. Kerr said he hopes the …
Hackers port iPhone 4S' Siri to rival devices
Apple's personal assistant cracked open
Hackers say they've reverse engineered the Siri personal assistant that debuted in last month's release of the iPhone 4S, a feat that allows them to make it work from virtually any device.
To back up their claim, the hackers – from the mobile-application developer Applidium – released a collection of tools on Monday that they …
World's stealthiest rootkit pushes DNS hijacking trojan
DNS Changer dropped by TDSS
One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said.
Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell …
Certificate stolen from Malaysian gov used to sign malware
Security warnings bypassed
Researchers have discovered malware circulating in the wild that uses a private signing certificate belonging to the Malaysian government to bypass warnings many operating systems and security software display when end users attempt to run untrusted applications.
The stolen certificate belongs to the Malaysian Agricultural …
Tour de France winner sentenced for hack of doping lab
Trojan siphoned 1,700 confidential files
Floyd Landis, the disgraced US cyclist who was stripped of his 2006 Tour de France victory for doping, was handed a suspended 12-month prison sentence for his part in a hack of an anti-doping lab computer.
Arnie Baker, Landis's former trainer, also received a suspended 12-month term from the same French court in Nanterre, near …
