IT News
IE 6 & 7 Unpatched Exploit Goes Wild
Kolargol00 writes “Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework.”
Read more of this story at Slashdot.
Apple Blocking iPhone Security Software
Barence writes “Speaking exclusively to PC Pro, Eugene Kaspersky has claimed Apple has repeatedly refused to deliver the software development kit necessary to design security software for the phone. ‘We have been in contact for two years with Apple to develop our anti-theft software, [but] still we do not have permission,’ said Kaspersky. Although he admits the risk of viruses infecting the iPhone is ‘almost zero,’ he claims that securing the data on the handset is critical, especially as iPhones are increasingly being used for business purposes. ‘I don’t want to say Apple’s is the wrong way of behaving, or the right way,’ Kaspersky added. ‘It’s just a corporate culture — it wants to control everything.’”
Historic IEEE 802 Group Looks Back and Forward
An anonymous reader writes “The IEEE MAN/LAN Standards Committee — better known as the people who brought us Ethernet, Wi-Fi, and Bluetooth — is celebrating its 30th anniversary next week. This article has interviews with the original committee chairman and other veteran members, and reveals some of the inside situation. It also looks at some of the upcoming 802.x standards including one that sends data by modulating visible light.”
“Mythical Man-Month” Supposedly Busted By MIT Startup
An anonymous reader writes “We all know about the Mythical Man-Month, the argument that adding more programmers to a software project just makes it later and later. A Linux startup out of MIT claims to have busted the myth, using an MIT holiday month to hire 20 college student interns to get all their work done and quadrupling its productivity.”
Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out
itwbennett writes “Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown ‘just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,’ said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak’s upstream providers seem to have knocked it off the Internet, Cisco said in a statement. ‘The ISP was “De-peered,”’ Cisco said. ‘Troyak’s upstream network providers effectively pulled the plug on Troyak’s router, refusing to transmit its traffic.’”
Google Opens Apps Marketplace
snydeq writes “Google has launched the Google Apps Marketplace, providing a venue for third-party, cloud-based applications to supplement Google’s own online applications. The program enables integrations with such applications as Google Gmail, Documents, Sites, and Calendar. All told, the effort begins with 50 vendors participating, including Atlassian, NetSuite, Skytap, and Zoho. Participation in Google Apps Marketplace is open to customers of the Premier, Standard, and Education editions of Google Apps. Applications are linked to the marketplace via REST Web services and APIs including OpenID and OAuth.”
OpenSSH 5.4 Released
HipToday writes “As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: ‘Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new “netcat mode,” many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.’”
Man Threatened Spam Attack In $200,000 Extortion Plot
52-year-old Anthony Digati was arrested for trying to extort $200,000 from an insurance firm by threatening to spam them with six million emails unless they paid up. Digati said he would use a spam service and his amazing talents as a “huge social networker” to drag the company “through the muddiest waters imaginable” and presumably unfriend everyone. He added that the price would increase to $3 million if they failed to pay up by Monday, according to federal authorities.
Open Data Needs Open Source Tools
macslocum writes “Nat Torkington begins sketching out an open data process that borrows liberally from open source tools: ‘Open source discourages laziness (because everyone can see the corners you’ve cut), it can get bugs fixed or at least identified much faster (many eyes), it promotes collaboration, and it’s a great training ground for skills development. I see no reason why open data shouldn’t bring the same opportunities to data projects. And a lot of data projects need these things. From talking to government folks and scientists, it’s become obvious that serious problems exist in some datasets. Sometimes corners were cut in gathering the data, or there’s a poor chain of provenance for the data so it’s impossible to figure out what’s trustworthy and what’s not. Sometimes the dataset is delivered as a tarball, then immediately forks as all the users add their new records to their own copy and don’t share the additions. Sometimes the dataset is delivered as a tarball but nobody has provided a way for users to collaborate even if they want to. So lately I’ve been asking myself: What if we applied the best thinking and practices from open source to open data? What if we ran an open data project like an open source project? What would this look like?’”
HTC Android Phones Found With Malware Pre-Installed
Trailrunner7 writes “Security researchers have found that Vodafone, one of the world’s larger wireless providers, is distributing some HTC phones with malware pre-installed on them. The phone, HTC’s Magic, runs the Google Android mobile operating system, and is one of the more popular handsets right now. A researcher at Panda Software received one of the handsets recently, and upon attaching it to her PC, found that the phone was pre-loaded with the Mariposa bot client. Mariposa has been in the news of late thanks to some arrests connected to the operation of the botnet.”
Cybercrooks Surpassed Old School Bankrobbers In ‘09
krebsonsecurity writes “Organized cyber-criminal gangs stole $25 million in the 3rd quarter alone last year, by pilfering the online bank accounts of small to midsized businesses, the FDIC reported last week. In contrast, traditional bank robbers hauled just $9.4 million in 1,184 bank robberies during that same period, according to an analysis of FBI bank crime statistics by krebsonsecurity.com. From that story: ‘The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups. Indeed, the FBI’s bank crime stats are extraordinarily detailed. For example, they can tell you that in the 3rd quarter of last year, bank robbers were more likely to hold up their local branch between the hours of 9 a.m. and 11 a.m. on a Wednesday than at any other time or day of the week; they can tell you the number of tear gas and dye packs taken with the loot, the number of security cameras activated, the number of food stamps taken, even what percentage of suspected perpetrators had illegal drug habits at the time of the robberies. About the only thing the stats don’t tell you is what brand of jeans the perpetrators were wearing and whether the getaway car had cool vanity plates. What do we get about e-crime statistics from the federal government? One guy from the FDIC giving a speech at the RSA conference.’”
Making Sense of CPU and GPU Model Numbers?
b4dc0d3r writes “How do you make sense of the various model numbers or naming schemes for CPUs, graphics cards, and the related chipsets? All I want is something that will run Oblivion and output full 1080 video to a TV. Last time I built my own computer I just went to Pricewatch, made a few easy choices, and everything came to my door. Do I really have to research the differences among Core i5, Core 2 Duo, Pentium 4, Pentium D, Sempron, Athlon, Phenom …? And that’s just the processor. Is there a reference somewhere? In short, how do you buy a computer these days?”
NSA Still Ahead In Crypto, But Not By Much
Hugh Pickens writes “Network World summarizes an RSA Conference panel discussion in which former NSA technical director Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years, but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt. ‘I do believe NSA is still ahead, but not by much — a handful of years,’ says Snow. ‘I think we’ve got the edge still.’ Snow added that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. ‘Now we are very close together and moving very slowly forward in a mature field.’ The NSA has one key advantage (besides their deep staff of Ph.D. mathematicians and other cryptographic experts who work on securing traffic and breaking codes): ‘We cheat. We get to read what [academics] publish. We do not publish what we research,’ he said. Snow’s claim of NSA superiority seemed to rankle some members on the panel. Adi Shamir, the “S” in the RSA encryption algorithm, said that when the titles of papers in NSA technical journals were declassified up to 1983, none of them included public key encryption; ‘That demonstrates that NSA was behind,’ said Shamir. Snow replied that when technologies are developed separately in parallel, the developers don’t necessarily use the same terms for them.”
What To Expect From HTML5
snydeq writes “InfoWorld’s Neil McAllister takes a deeper look at HTML5, outlining what developers should expect from this overhaul of HTML — one that some believe could put an end to proprietary Web technologies such as Flash and Silverlight. Among the most eagerly anticipated additions to HTML5 are new elements and APIs that allow content authors to create rich media using nothing more than standards-based HTML. The standard also introduces browser-based application caches, which enable Web apps to store information on the client device. ‘But for all of HTML5’s new features, users shouldn’t expect plug-ins to disappear overnight. The Web has a long history of many competing technologies and media formats, and the inertia of that legacy will be difficult to overcome. It may yet be many years before a pure-HTML5 browser will be able to match the capabilities of today’s patchwork clients,’ McAllister writes. ‘In the end, browser market share may be the most significant hurdle for developers interested in making the most of HTML5. Until these legacy browsers are replaced with modern updates, Web developers may be stuck maintaining two versions of their sites: a rich version for HTML5-enabled users, and a version for legacy browsers that falls back on outdated rendering tricks.’”
Energizer USB Battery Charger Software Infects PCs
swandives writes “Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file ‘Arucer.dll,’ a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows’ system32 directory and reboot the machine to disable the backdoor component.”