wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would addresses security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"

PolygamousRanchKid writes with this snippet from Reuters that sounds like a ready-made movie script: "Switzerland's UBS said on Thursday it had discovered unauthorized trading by a trader in its investment bank had caused a loss of some $2 billion. 'The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion,' the bank said in a brief statement just before the stock market opened." Asks the RanchKid: "I wonder how this will reopen the debate about the role of computer systems in the trading and the safeguards that are supposed to protect against these risks. But if microseconds mean millions in trading ... who has time for checks?"

GovTechGuy writes "The FCC adopted new rules on Thursday that would significantly increase the penalties for individuals or organizations that alter their caller ID information to commit fraud or with other harmful intent. The new rules allow the FCC to fine violators $10,000 per violation plus more for every day it continues. Users can still change their caller ID info as long as it's not for fraud or harmful purposes."

mvar writes "While his Black Hat DC Conference demonstration was not flawless, a University of Luxembourg student on Wednesday did show that it's possible to trick iPhone users into joining a fake GSM network. Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network. 'You want to get phones not just used by the teenage crowd but executives,' said Weinmann, adding that it is possible to 'have complete control of the phone.' Part of the reason these fake GSM network attacks are possible is because the code base used in smartphones such as the iPhone, which is Infineon-based, goes back to the 1990s."

Jeffrey Goldberg writes for the Atlantic about his recent experiences with opting out of the back-scatter full-body scanners now being used to screen airport travelers. Passengers can choose to submit to a pat-down instead of going through the scanners, but according to one of the TSA employees Goldberg talked to, the rules for those are soon changing to make things more uncomfortable for opt-outs, while not doing much for actual security. He writes, 'The pat-down, while more effective than previous pat-downs, will not stop dedicated and clever terrorists from smuggling on board small weapons or explosives. When I served as a military policeman in an Israeli army prison, many of the prisoners 'bangled' contraband up their a**es. I know this not because I checked, but because eventually they told me this when I asked. ... the effectiveness of pat-downs does not matter very much, because the obvious goal of the TSA is to make the pat-down embarrassing enough for the average passenger that the vast majority of people will choose high-tech humiliation over the low-tech ball check."