An anonymous reader writes with this excerpt from a Reuters report shedding light on one consequence of increasing knowledge of the extent of U.S. government spying: "Brazil awarded a $4.5 billion contract to Saab AB on Wednesday to replace its aging fleet of fighter jets, a surprise coup for the Swedish company after news of U.S. spying on Brazilians helped derail Boeing's chances for the deal. ... The timing of the announcement, after more than a decade of off-and-on negotiations, appeared to catch the companies involved by surprise. Even Juniti Saito, Brazil's top air force commander, said on Wednesday that he only heard of the decision a day earlier in a meeting with President Dilma Rousseff. Until earlier this year, Boeing's F/A-18 Super Hornet had been considered the front runner. But revelations of spying by the U.S. National Security Agency in Brazil, including personal communication by Rousseff, led Brazil to believe it could not trust a U.S. company."
Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.
wiredmikey writes "A board set up to review the NSA's vast surveillance programs has called for a wide-ranging overhaul of National Security Agency practices while preserving 'robust' intelligence capabilities. The panel, set up by President Obama, issued 46 recommendations, including reforms at a secret national security court and an end to retention of telephone 'metadata' by the spy agency. The 308-page report (PDF) submitted last week to the White House and released publicly Wednesday says the US government needs to balance the interests of national security and intelligence gathering with privacy and 'protecting democracy, civil liberties, and the rule of law.' Panel members said the recommendations would not necessarily mean a rolling back of intelligence gathering, including on foreign leaders, but that surveillance must be guided by standards and by high-level policymakers."
JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the 'Dual EC DRBG' standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called OpenAudit.org, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
mrspoonsi writes "Business Insider Reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
schwit1 writes in with the latest on an U.S. District Court ruling over NSA spying. "A federal judge ruled Monday that the National Security Agency's phone surveillance program is likely unconstitutional, Politico reports. U.S. District Court Judge Richard Leon said that the agency's controversial program, first unveiled by former government contractor Edward Snowden earlier this year, appears to violate the Constitution's Fourth Amendment, which states that the 'right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.' 'I cannot imagine a more "indiscriminate" and "arbitrary invasion" than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,' Leon wrote in the ruling. The federal ruling came down after activist Larry Klayman filed a lawsuit in June over the program. The suit claimed that the NSA's surveillance 'violates the U.S. Constitution and also federal laws, including, but not limited to, the outrageous breach of privacy, freedom of speech, freedom of association, and the due process rights of American citizens.'"
hawkinspeter writes "The Register is hosting an exclusive that Bruce Schneier will be leaving his position at BT as security futurologist. From the article: 'News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ's mass surveillance activities.'"
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."
krakman writes "With the NSA disclosures, French media was 'outraged'. Yet they appear to be worse than the NSA, with a new law that codifies standard practice and provides for no judicial oversight while allowing electronic surveillance for a broad range of purposes, including 'national security,' the protection of France's 'scientific and economic potential' and prevention of ;terrorism' or 'criminality.' The government argues that the law, passed last week with little debate as part of a routine military spending bill, which takes effect in 2015, does not expand intelligence powers. Rather, officials say, those powers have been in place for years, and the law creates rules where there had been none, notably with regard to real-time location tracking. French intelligence agencies have little experience publicly justifying their practices. Parliamentary oversight did not begin until 2007."
New submitter StirlingArcher writes "I've always built/maintained my parents' PC's, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Hugh Pickens DOT Com writes "Ray Sanchez reports at CNN that the handling of Friday's shooting at Arapahoe High School, just 10 miles from the scene of the 1999 Columbine High School shooting, drew important lessons from the earlier bloodshed. At Arapahoe High School, where senior Claire Davis, 17, was critically injured before the shooter turned the gun on himself, law enforcement officers responded within minutes and immediately entered the school to confront the gunman rather than surrounding the building. As the sound of shots reverberated through the corridors, teachers immediately followed procedures put in place after Columbine, locking the doors and moving students to the rear of classrooms. "That's straight out of Columbine," says Kenneth Trump, president of National School Safety and Security Services. "The goal is to proceed and neutralize the shooter. Columbine really revolutionized the way law enforcement responds to active shooters." Arapahoe County Sheriff Grayson Robinson credits the quick police response time for the fact that student Karl Pierson, the gunman, stopped firing on others and turned his weapon on himself less than 1 minute, 20 seconds after entering the school. Authorities knew from research and contact with forensic psychologists that school shooters typically continue firing until confronted by law enforcement. "It's very unfortunate that we have to say that there's a textbook response on the way to respond to these," says Trump, "because that textbook was written based on all of the incidents that we've had and the lessons learned (PDF).""