concealment writes: "AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But today Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week.
Groups like the Electronic Frontier Foundation (EFF) worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. Weev’s case hasn’t received much attention so far, but should he be found guilty this week it will likely become well known, fast."
concealment writes: "Computers owned by the Securities and Exchange Commission Trading and Markets division were brought by SEC staffers to a hacker convention. They contained unencrypted, step-by-step instructions to shut down our financial trading system. Essentially: A Hacker's Guide to our Financial Universe.
Sophisticated algorithms or complex malware were not required to crash the world's largest exchanges (and with them the world economy). No need for security clearance. A common thief could have hit the lottery with these babies."
concealment writes: "A new security hole has been discovered in Microsoft’s Skype that allows anyone to change your password and thus take over your account. The issue was first posted on a Russian forum two months ago and has been confirmed by The Next Web (we have not linked to any of the blogs or posts detailing the exploit because it is very easy to reproduce).
Update: Skype appears to have pulled its password reset page, stopping this flaw in its tracks (Confirmed, read below for details).
We’ve been in touch with Skype over the past few hours to give them a chance to address this vulnerability. The company has informed us it is currently conducting an internal investigation."
concealment writes: "A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft.
The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details — including names, addresses, phone numbers and job — to be harvested at will."
concealment writes: "Software made by Siemens and targeted by the Stuxnet malware is still full of other dangerous vulnerabilities, according to Russian researchers whose presentation at the Defcon security conference earlier this year was cancelled following a request from the company.
Sergey Gordeychik, CTO of Moscow-based Positive Technologies, was scheduled to give a presentation in July at Defcon, but it was abruptly pulled after Siemens asked for more time to patch its WinCC software."
concealment writes: "During a pre-trial hearing in military court today, Manning's attorney, David Coombs, proposed a partial guilty plea covering a subset of the slew of criminal charges that the U.S. Army has lodged against him.
"Manning is attempting to accept responsibility for offenses that are encapsulated within, or are a subset of, the charged offenses," Coombs wrote on his blog this evening. "The court will consider whether this is a permissible plea.""
concealment writes: "Cybercriminals are using a new PDF exploit that bypasses the sandbox security features in Adobe Reader X and XI, in order to install banking malware on computers, according to researchers from Russian security firm Group-IB.
The zero-day exploit — an exploit for a previously unknown and unpatched vulnerability — has been integrated into a privately modified version of Blackhole, a commercial Web-based attack toolkit, the Group-IB researchers announced Wednesday."
concealment writes: "New Jersey's Christie administration made the announcement for the emergency policy change on November 3, in the wake of Hurricane Sandy. The idea is to permit registered voters in the Garden State to vote electronically using a system that Military and Overseas voters already use under the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA). Actually, Jersey's emergency plan is even less restrictive than the state's existing procedure, which usually requires absentee voters under UOCAVA to mail in a signed affidavit.
According to the Governor's office, "displaced voters may submit a mail-in ballot application either by email or fax to their county clerk. Once an application is approved, the clerk will electronically send a ballot to the voter by either fax or email in accordance with the voter's preference. Voters must return their electronic ballot – by fax or email – no later than November 6, 2012, at 8 p.m.""
concealment writes: "According to a new report from Bit9--a security vendor with a focus on defending against advanced persistent threats (APT)--there is a one in four chance that downloading an Android app from the official Google Play market could put you at risk. Bit9 analyzed 400,000 or so apps in Google Play, and found over 100,000 it considers to be on the shady side.
Does that mean that the sky is falling, and everyone with an Android smartphone or tablet should abandon it immediately? No. The research by Bit9 illustrates some issues with app development in general, and should raise awareness among mobile users to exercise some discretion when downloading and installing apps, but it's not a sign of any urgent crisis affecting Android apps."
concealment writes: "The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.
Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."
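The excerpt above describes the verification side of DKIM but not how Harris cracked Google's key. The first property a domain owner should audit after such a report is the size of the RSA key published in DNS. The following is an added example (not code from the article, Harris or Google), standard library only: it parses a DKIM-Signature header to derive the `<selector>._domainkey.<domain>` lookup name, parses the tag=value TXT record a verifier fetches, decodes the base64 DER SubjectPublicKeyInfo in the `p=` tag, and reports the modulus length. The domain `example.com`, the selector, and the sample records are constructed; the moduli used to build them are placeholder odd integers, not real RSA moduli, since only their bit length matters here. In practice you would feed the output of `dig +short TXT <selector>._domainkey.<domain>` to `dkim_key_bits`.

```python
"""Audit the RSA key a domain publishes for DKIM (RFC 6376).

Added example, not code from the article. A verifier locates the signer's
public key in the TXT record <selector>._domainkey.<domain>, where the
selector (s=) and domain (d=) come from the DKIM-Signature header. The record
is a tag=value list whose p= tag carries a base64 DER SubjectPublicKeyInfo.
Sample data below is constructed; the moduli are placeholder integers.
"""
import base64
import re

OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, DER-encoded OID
NULL_PARAMS = b"\x05\x00"                          # AlgorithmIdentifier parameters


def parse_tags(record: str) -> dict:
    """Parse a DKIM tag=value list (same syntax for the DNS record and the header).
    Whitespace and TXT-string quotes inside values are dropped, because long p=
    values are usually folded or split across several quoted strings."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = re.sub(r'[\s"]', "", value)
    return tags


def dkim_record_name(signature_header: str) -> str:
    """DNS name a verifier queries for the key named in a DKIM-Signature header."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


# --- minimal DER reader, enough for an RSA SubjectPublicKeyInfo ---
def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the modulus in a DER SubjectPublicKeyInfo for an RSA key."""
    tag, body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, algid, pos = _read_tlv(body)
    if tag != 0x30 or not algid.startswith(OID_RSA):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits[1:])      # RSAPublicKey ::= SEQUENCE { n, e }
    tag, n_bytes, _ = _read_tlv(rsa_pub)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def dkim_key_bits(txt_record: str) -> int:
    """RSA modulus length of a DKIM key record; 0 if the key is revoked (empty p=)."""
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM key record")
    p = tags.get("p", "")
    return rsa_modulus_bits(base64.b64decode(p)) if p else 0


def assess_key(bits: int) -> str:
    """RFC 6376 s.3.3.3: signers MUST use at least 1024-bit keys for long-lived keys."""
    if bits == 0:
        return "revoked"
    return "weak" if bits < 1024 else "ok"


# --- constructed sample records (DER writer exists only to build them) ---
def _tlv(tag: int, body: bytes) -> bytes:
    size = len(body)
    if size < 0x80:
        length = bytes([size])
    else:
        size_bytes = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size_bytes)]) + size_bytes
    return bytes([tag]) + length + body


def _integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)


def make_dkim_record(n: int, e: int = 65537) -> str:
    """Constructed v=DKIM1 TXT record wrapping a SubjectPublicKeyInfo for (n, e)."""
    rsa_pub = _tlv(0x30, _integer(n) + _integer(e))
    algid = _tlv(0x30, OID_RSA + NULL_PARAMS)
    spki = _tlv(0x30, algid + _tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    # Constructed header: hypothetical domain and selector.
    header = ("v=1; a=rsa-sha256; d=example.com; s=20121024; "
              "h=from:to:subject; bh=placeholder; b=placeholder")
    print("lookup TXT", dkim_record_name(header))
    for modulus in ((1 << 511) | 1, (1 << 2047) | 1):  # placeholders, not real moduli
        size = dkim_key_bits(make_dkim_record(modulus))
        print(size, "bits:", assess_key(size))
```

The reader is deliberately strict (one SEQUENCE, one rsaEncryption AlgorithmIdentifier, one BIT STRING with no unused bits) so that a record carrying a different algorithm or a corrupted `p=` value fails loudly instead of being reported with a bogus length; an empty `p=` is the RFC's way of saying the selector is revoked, which is why it maps to 0 rather than an error.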
concealment writes: "Security vendors Sophos and Kaspersky Lab both have in recent days warned of scam emails using the names of well-established companies to try to lure victims to malware sites. The scheme is obvious, or ought to be—the bad guys figure that if they use a trusted name, victims will trust the link.
The scams have been present virtually since email began, but security experts say they are increasing at an accelerating pace."
concealment writes: "Adobe announced new security features this week for its Reader and Acrobat XI products, including enhanced sandboxing, Force ASLR, PDF whitelisting, and Elliptic Curve Cryptography. In addition to a number of new features enhancing Reader's and Acrobat's PDF-creation capabilities, these security measures add another layer atop previous changes that have improved a once "widely exploited" app over the past two years.
Most importantly, Reader XI will have a "protected mode" that will extend the sandbox users gained in Reader X to limit read-only activities. This should protect against various types of data theft when combined with the "write protection" already present in Adobe's software. Reader XI will also get a protected-view function, while Acrobat XI's protected-view function will be extended, so that both apps create a separate desktop to prevent screen-scraping attacks."
concealment writes: "He pointed out that reliability on the internet wasn't created by designing it into its bottom layer, stating that if it were, the cost to implement such a network would be substantial. Instead, he said that today's Internet Protocol is a cheap, unreliable way of communicating, and that when reliability is required, other protocols are introduced as needed.
"If you need reliability, you run something like TCP... and you concentrate reliability where you need it. There's an analogy here with security," he said.
"I am rather inclined to think that a [completely] secure network is not adequate to serve our needs, and that's one of the reasons we don't have one. We put our needs above some notion of security.""
concealment writes: "One day after the release of Firefox 16, Mozilla said it has "temporarily removed" the latest version of its browser because of a security flaw that the company is trying to fix as quickly as possible. The unusual precaution suggests the flaw is a serious one, but there are no reports of it being exploited.
"The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters," Mozilla Director of Security Assurance Michael Coates wrote. "At this time we have no indication that this vulnerability is currently being exploited in the wild."
(At the time of this submission, Mozilla is linking to 15.0.1 from their homepage as the "Download Mozilla" option.)"