twoheadedboy writes: WhatsApp, the popular messaging app, isn't doing SSL as securely as it could/should be, according to security researchers. When a user wants to pay for a licence on an Android device, an in-app browser appears to let the transaction go ahead. But the connection between the browser and the WhatsApp server isn't protected by SSL, even if the connection to the payment services is. That's bad, as it can let hackers carrying out man-in-the-middle attacks know when a WhatsApp user is connecting to a payment service, like PayPal and Google Wallet, as offered by WhatsApp. They can then serve up phishing pages to the user and steal their payment login details. "It's serious as it's a complete and utter failure of HTTPS," says security expert Troy Hunt.
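The failure mode described in that submission, as an added example that is not WhatsApp's code and not part of the original post: the app-to-server leg runs in the clear, so an on-path attacker can read the redirect that sends the in-app browser to the payment provider and rewrite it to a look-alike host (which can carry a perfectly valid certificate of its own). The hosts, paths and HTTP traffic below are constructed for illustration, the allowlist of payment hosts is an assumption, and the `allow_navigation` policy is defence in depth; the primary fix is TLS on the app-to-server connection itself.

```python
"""Added example, not WhatsApp's or any vendor's code: a cleartext redirect
as a man-in-the-middle sees it, the rewrite that turns it into a phishing
page, and an HTTPS-only navigation policy for the in-app browser.
All hosts, paths and traffic here are constructed for illustration."""
from urllib.parse import urlparse

# Assumption: the hosts the in-app browser is allowed to reach for payment.
ALLOWED_PAYMENT_HOSTS = {"www.paypal.com", "wallet.google.com"}

# Constructed: the app server redirecting the in-app browser to the payment
# provider, sent over plain HTTP where anyone on the path can read or edit it.
CLEARTEXT_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.paypal.com/checkout?order=12345\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def mitm_rewrite_redirect(raw_response, phishing_host):
    """What an on-path attacker can do to a response that travelled in the
    clear: point the Location header of a 3xx redirect at a look-alike host,
    keeping path and query so the phishing page mirrors the real one.
    Returns the original response untouched if there is no redirect."""
    status, headers, body = parse_http_response(raw_response)
    if not status.startswith("HTTP/1.1 30") or "location" not in headers:
        return raw_response
    target = urlparse(headers["location"])
    headers["location"] = target._replace(scheme="https",
                                          netloc=phishing_host).geturl()
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def allow_navigation(url, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """HTTPS-only navigation policy for an in-app browser handling payments.
    Blocks plaintext URLs (observable and rewritable by a MITM), hosts off the
    allowlist, non-default ports, and URLs that smuggle a trusted-looking name
    into the userinfo part, e.g. https://www.paypal.com@evil.invalid/ whose
    real host is evil.invalid."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.username is not None or p.password is not None:
        return False
    try:
        port = p.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return p.hostname in allowed_hosts


if __name__ == "__main__":
    tampered = mitm_rewrite_redirect(CLEARTEXT_REDIRECT, "paypal-secure.invalid")
    _, hdrs, _ = parse_http_response(tampered)
    print("attacker-controlled redirect:", hdrs["location"])
    for u in (hdrs["location"],
              "https://www.paypal.com/checkout?order=12345",
              "http://www.paypal.com/checkout",
              "https://www.paypal.com@evil.invalid/"):
        print(u, "->", "allow" if allow_navigation(u) else "block")
```

The userinfo case is the one most allowlists miss: a naive substring check for "www.paypal.com" passes it, while `urlparse(...).hostname` correctly reports `evil.invalid`.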
twoheadedboy writes: Claire Perry MP, who has been the main driver of the UK government's plans for default blocking of pornography, has had her website plastered in porn by hackers. But the story only just begins there. Notable blogger Guido Fawkes, otherwise known as Paul Staines, posted on the matter, only to later be accused of sponsoring the hacking himself. During some back and forth over Twitter, it appeared Perry was "confused", as she said Fawkes had posted a link to the defaced page, when he had only shown a screenshot of the site. Given the backlash against the government's plans to censor porn and its technical fallacies, the event could be particularly embarrassing for Perry. She is not commenting on the matter, whilst Staines has threatened to sue unless Perry offers a retraction of her claim he had anything to do with the hack.
twoheadedboy writes: A Chinese hacker group is the chief suspect in spear phishing attacks against the Falun Dafa spiritual group and military organisations in the Philippines. Data handed to TechWeek by AlienVault Labs showed how zero-day malware, designed to pilfer Outlook email account logins, was just one strand of the attacks, which are ongoing. Other malware sought to steal passwords for other accounts, dodging many commercial AV products, whilst remote access tools indicate this is a serious surveillance operation. Chinese authorities have neither confirmed nor denied the claims. But it marks another case of Internet-led surveillance with China's name attached to it, following numerous reports of mass Chinese hacking, which has already allegedly hit massive firms like Facebook and Google.
twoheadedboy writes: Google and its Motorola division have come up with some innovative yet scary ideas on how to fix the world’s password woes, proposing tattoos and pills for truly effective authentication. Presented by Regina Dugan, former DARPA head and lead for advanced research at Motorola, during the D11 conference, the tattoo works as a wearable NFC patch. But it's the pill that's more of a radical idea. It contains a small chip with a switch and a battery, which uses stomach acids to serve as an electrolyte to power it up. "The switch goes on and off, and it creates an 18-bit ECG-like signal in your body and essentially your entire body becomes your authentication token," Dugan explained. Produced by a company called Proteus Digital Health, the pill has already been cleared by the US Federal Drug Administration. With passwords failing as an authentication mechanism, wearable or swallowable tech might be the answer... even if it is creepy.
twoheadedboy writes: When BT engineers set out to lay fibre broadband cables in remote areas in North Yorkshire, they didn't think they would have many issues. But they didn't see the badgers coming. They discovered badger setts along the planned route for a cable connecting 450 properties to the local exchange. As it is illegal to destroy or upset setts — badgers are considered an endangered species — BT has had to hold off putting down the fibre until it either gains permission from the National Trust or comes up with fresh plans.
twoheadedboy writes: Google is getting tough on zero-day vulnerabilities. It has said it will go public with any information it has on exploited unpatched vulnerabilities a week after it has told the vendor, unless that vendor does something about it. Google’s standard period for keeping exploits under wraps was 60 days, so it's clearly taking a hard line. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," Google researchers said.
twoheadedboy writes: Despite suggestions Bitcoin might be the ideal currency for dealers on the dark web, it appears Perfect Money, a Panama-based operation, is proving the most popular alternative to the now-defunct Liberty Reserve. A source working the underground forums told TechWeekEurope that, for now, fraudsters are rapidly migrating to Perfect Money. Many vendors have started accepting it, having previously primarily used Liberty Reserve, which was shut down following the arrest of its founder and four other members this past week. Internet fraudsters might be interested in Perfect Money as it has distanced itself from the US, cutting off all new American registrations. However, one forum user said he was turned down by Perfect Money as their “type of activity is not welcome”. Other currencies may yet win out...
twoheadedboy writes: Nasdaq has been fined $10 million by the US Securities and Exchange Commission over “poor systems and decision-making” during the Facebook initial public offering. When Facebook went public on 18 May 2012, it was hoping for a major success, but technical glitches and poor decision making at Nasdaq caused real problems. The SEC said “a design limitation” in the system to match IPO buy and sell orders was at the root of the disruption, thought to have cost investors $500 million. Orders failed to register properly, leaving banks like Citigroup and UBS in the lurch and making additional, unnecessary bids. They may still win money back from Nasdaq if legal challenges go their way.
twoheadedboy writes: Mozilla has sent British spyware pusher Gamma International a cease and desist letter, after a report showed how the surveillance software was being delivered under the guise of a Firefox executable. Gamma has come under fire in recent months after its spyware was found in use in countries with poor human rights records. Its FinSpy tool, which can infect smartphones and PCs, was seen in use in various nations run by apparently repressive regimes, including Bahrain, Egypt, Ethiopia, Turkmenistan and Vietnam. Mozilla isn't happy about how that spyware is getting on users' machines, however. "As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this abuse is vital to our brand, mission and continued success,” said Mozilla chief privacy officer Alex Fowler.
twoheadedboy writes: Major hosting company Go Daddy has been hit by a significant DDoS attack, for the second time in a month. Customers across Europe complained of downtime, whilst GoDaddy.com itself was knocked offline for periods yesterday. There was a "large-scale attack on our European Internet infrastructure", said Go Daddy communications manager Nick Fuller. As witnessed in the Spamhaus attacks of March, it appears the continuing growth in DDoS attack size and prevalence is causing carnage for even the biggest firms.
twoheadedboy writes: Just over a year ago, phishers tricked a lady into handing over her banking details. They then siphoned off her life savings, amounting to £1 million, and went on a spending spree in the UK January sales, wasting large sums of the money on cheeseburgers, gold and powerful PCs. Eight people have now been convicted for their involvement in the scam and face sentencing in May. It was a global crime, with some suspects based in Egypt and the victim living in South Africa, but an investigation from the leading light of the UK's cyber policing, the Metropolitan Police Service’s Police Central e-Crime Unit (PCeU), was successful in tracking down the crooks.
twoheadedboy writes: The Institute of Electrical and Electronics Engineers (IEEE) standards body has announced the formation of a study group to explore the possibility of developing a new 400Gbps Ethernet standard, the first step on the way to insanely fast networks of the future. The group will meet for the first time between 14 and 17 May in Victoria, British Columbia in Canada. The IEEE wants to ensure networks can deal with the "burgeoning bandwidth tsunami", said John D’Ambrosia, chief Ethernet evangelist, CTO office at Dell and chair of the new group.
twoheadedboy writes: Research from TechWeekEurope has shown how the UK government has lied about fighting the so-called "database state". Back in 2009, the Conservative Party, in the run-up to the election that would see them come to power as part of a Coalition, said they would cut the number of central databases and slim down surveillance. But Freedom of Information requests have shown that not only have database numbers either stayed flat or risen across government departments, abuse of data is rife in certain areas too and some departments run such complex and distributed systems they can't even count how many troves of personal data they have sitting on servers. On top of that, the Tories have essentially rehashed many of the projects of the Labour regime they once derided. From the Communications Data Bill, better known as Snooper's Charter, to a massive database of children's visits to hospitals, the database state looks set to expand, not contract. MPs working in government agree. “It is clear that Conservative ministers have in many cases not learnt from the Labour errors, and, egged on by the Labour party, are pushing for some illiberal policies,” says Julian Huppert, MP for Cambridge.
twoheadedboy writes: As the value of Bitcoins hit new highs this week of $142 per coin, the biggest exchange claimed to have been on the wrong end of a "major DDoS attack". Japan-based Mt.Gox said it appeared there were two motivations behind the attacks. First, to destabilise Bitcoin and, second, to abuse the system for profit. "Attackers wait until the price of Bitcoins reaches a certain value, sell, destabilize the exchange, wait for everybody to panic-sell their Bitcoins, wait for the price to drop to a certain amount, then stop the attack and start buying as much as they can," the company said. Meanwhile, Bitcoin wallet site Instawallet has shut down, with security problems to blame. The company was hit by a breach earlier this week.