wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!
mrspoonsi writes "Business Insider Reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
schwit1 writes in with the latest on an U.S. District Court ruling over NSA spying. "A federal judge ruled Monday that the National Security Agency's phone surveillance program is likely unconstitutional, Politico reports. U.S. District Court Judge Richard Leon said that the agency's controversial program, first unveiled by former government contractor Edward Snowden earlier this year, appears to violate the Constitution's Fourth Amendment, which states that the 'right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.' 'I cannot imagine a more "indiscriminate" and "arbitrary invasion" than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,' Leon wrote in the ruling. The federal ruling came down after activist Larry Klayman filed a lawsuit in June over the program. The suit claimed that the NSA's surveillance 'violates the U.S. Constitution and also federal laws, including, but not limited to, the outrageous breach of privacy, freedom of speech, freedom of association, and the due process rights of American citizens.'"
hawkinspeter writes "The Register is hosting an exclusive that Bruce Schneier will be leaving his position at BT as security futurologist. From the article: 'News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ's mass surveillance activities.'"
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."
krakman writes "With the NSA disclosures, French media was 'outraged'. Yet they appear to be worse than the NSA, with a new law that codifies standard practice and provides for no judicial oversight while allowing electronic surveillance for a broad range of purposes, including 'national security,' the protection of France's 'scientific and economic potential' and prevention of ;terrorism' or 'criminality.' The government argues that the law, passed last week with little debate as part of a routine military spending bill, which takes effect in 2015, does not expand intelligence powers. Rather, officials say, those powers have been in place for years, and the law creates rules where there had been none, notably with regard to real-time location tracking. French intelligence agencies have little experience publicly justifying their practices. Parliamentary oversight did not begin until 2007."
New submitter StirlingArcher writes "I've always built/maintained my parents' PC's, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Hugh Pickens DOT Com writes "Ray Sanchez reports at CNN that the handling of Friday's shooting at Arapahoe High School, just 10 miles from the scene of the 1999 Columbine High School shooting, drew important lessons from the earlier bloodshed. At Arapahoe High School, where senior Claire Davis, 17, was critically injured before the shooter turned the gun on himself, law enforcement officers responded within minutes and immediately entered the school to confront the gunman rather than surrounding the building. As the sound of shots reverberated through the corridors, teachers immediately followed procedures put in place after Columbine, locking the doors and moving students to the rear of classrooms. "That's straight out of Columbine," says Kenneth Trump, president of National School Safety and Security Services. "The goal is to proceed and neutralize the shooter. Columbine really revolutionized the way law enforcement responds to active shooters." Arapahoe County Sheriff Grayson Robinson credits the quick police response time for the fact that student Karl Pierson, the gunman, stopped firing on others and turned his weapon on himself less than 1 minute, 20 seconds after entering the school. Authorities knew from research and contact with forensic psychologists that school shooters typically continue firing until confronted by law enforcement. "It's very unfortunate that we have to say that there's a textbook response on the way to respond to these," says Trump, "because that textbook was written based on all of the incidents that we've had and the lessons learned (PDF).""
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."
krakman writes "According to a NY Times article, a 6-month internal investigation has not been able to define the actual files that Edward Snowden had copied. There is a suspicion that not all the documents have been leaked to newspapers, and a senior NSA official (Rick Ledgett), who is heading the security agency's task force examining Mr. Snowden's leak, has said on the record that he would consider recommending amnesty for Mr. Snowden in exchange for those unleaked documents. 'They've spent hundreds and hundreds of man-hours trying to reconstruct everything he has gotten, and they still don't know all of what he took,' a senior administration official said. 'I know that seems crazy, but everything with this is crazy.' That Mr. Snowden was so expertly able to exploit blind spots in the systems of America's most secretive spy agency illustrates how far computer security still lagged years after President Obama ordered standards tightened after the WikiLeaks revelations of 2010."
Daniel_Stuckey writes "Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called 'Forgot Your Password,' where you're free to see if he's got your data—and whether anyone else who wanders through is entirely capable of logging onto your account and making Connections with unsavory people. In fact, Bartholl insists: "These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order," the description of his project reads. "Visitors are invited to look up their own password.""
jones_supa writes "The most widely used cellphone encryption cipher A5/1 can be easily defeated by the National Security Agency, an internal document shows. This gives the agency the means to intercept most of the billions of calls and texts that travel over radiowaves every day, even when the agency would not have the encryption key. Encryption experts have long known the cipher to be weak and have urged providers to upgrade to newer systems. Consequently it is also suggested that other nations likely have the same cracking capability through their own intelligence services. The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on 2G GSM. It is unclear if the agency may also be able to decode newer forms of encryption, such as those covered under CDMA."
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
An anonymous reader writes "Peter Eckersley at the EFF reports that the 'App Ops' privacy feature added to Android in 4.3 has been removed as of 4.4.2. The feature allowed users to easily manage the permission settings for installed apps. Thus, users could enjoy the features of whatever app they liked, while preventing the app from, for example, reporting location data. Eckersley writes, 'When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it.1 The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.'"
An anonymous reader writes "Wired reports that the chat logs between Bradley Manning and Julian Assange that were used as evidence in Manning's trial have made it onto the web, at least briefly. One of those logs contained something very interesting on page 4, which was picked up on by the News of Iceland, which reports, '"Jesus Christ. I think that we have recordings of all phone calls to and from the Icelandic parliament during the past four months". This text can be found in documents that the US military published on its website and is said to be part of the conversations between Julian Assange and Bradley Manning. According to the documents, Assange claims to have phone call recordings from Althingi, the Icelandic parliament, but this is the first time that the existence of such data is mentioned publicly. ... According to Icelandic laws, it is required to inform the person you are speaking with if the phone call is being recorded. Given that the parliament is not violating laws it is clear that Assange or his associates would have to have installed recording devices or wiretaps in the parliament.' — What makes it even more interesting is that Wired also reports in this recent story: Someone's Been Siphoning Data Through a Huge Security Hole in the Internet."
codeusirae writes "A study by Incapsula suggests 61.5% of all website traffic is now generated by bots. The security firm said that was a 21% rise on last year's figure of 51%. From the article: 'Some of these automated software tools are malicious - stealing data or posting ads for scams in comment sections. But the firm said the biggest growth in traffic was for 'good' bots. These are tools used by search engines to crawl websites in order to index their content, by analytics companies to provide feedback about how a site is performing, and by others to carry out other specific tasks - such as helping the Internet Archive preserve content before it is deleted.'"
Frequent contributor Bennett Haselton writes: "Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general." Read on for the rest of the story.
First time accepted submitter LibbyMC writes "Google's approach to bringing older C software to the browser is demonstrated in bringing the '80s-era AmigaOS to Chrome. 'The Native Client technology runs software written to run on a particular processor at close to the speeds that native software runs. The approach gives software more direct access to a computer's hardware , but it also adds security restrictions to prevent people from downloading malware from the Web that would take advantage of that power.'" Chrome users can go straight to the demo.