Slashdot Mirror

itwbennett writes: A new approach to assembling blacklists analyzes chatter on the dark and open Web and can find malicious IP addresses that would have been missed using honeypots and intrusion detection systems, according to a report by security startup Recorded Future. On traditional blacklists, 99 percent of the addresses are for inbound activity, 'when someone is attacking your system from an external address,' said Staffan Truvé, chief scientist and co-founder at Recorded Future. On Recorded Future's new list, half of the addresses are for outbound activity, 'when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data,' said Truvé. For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.

An anonymous reader notes that a project to develop an anonymizing Wi-Fi device has been canceled under mysterious circumstances. The device, called Proxyham, was unveiled a couple weeks ago by Rhino Security Labs. They said it would use low-frequency radio channels to connect a computer to public Wi-Fi hotspots up to 2.5 miles away, thus obscuring a user's actual location. But a few days ago the company announced it would be halting development and canceling a talk about it at Def Con, which would have been followed with a release of schematics and source code. They apologized, but appear to be unable to say anything further.

"In fact, all [the speaker] can say is that the talk is canceled, the ProxyHam source code and documentation will never be made public, and the ProxyHam units developed for Las Vegas have been destroyed. The banner at the top of the Rhino Security website promoting ProxyHam has gone away too. It's almost as if someone were trying to pretend the tool never existed." The CSO article speculates that a government agency killed the project and issued a gag order about it. A post at Hackaday calls this idea absurd and discusses the hardware needed to build a Proxyham. They say using it would be "a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges — but so will blowing up a mailbox with some firecrackers." They add, "What you’re seeing is just the annual network security circus and it’s nothing but a show."

Several readers sent word that notorious surveillance company Hacking Team has itself been hacked. Attackers made off with 400GB worth of emails, documents, and source code. The company is known for providing interception tools to government and law enforcement agencies. According to the leaked files, Hacking Team has customers in Egypt, South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Russia, Germany, Sudan, and the United States — to name a few. It has been labeled an enemy of the internet by Reporters Without Borders. "Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online." Nobody knows yet who perpetrated the hack.

itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.

itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.

itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.

itwbennett writes You know full well that Microsoft will never call you and ask to "access your computer" to help fix a problem. Yet this is a ruse that many unsuspecting computer users fall for and wind up with their machine hacked. CSO writer Steve Ragan, turns the tables during a phone call with a scammer — and he records it all for us to hear. Do yourself a favor and play it for your parents.

kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.

An anonymous reader writes "In a letter to RSA executives, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference, due to the company's deal with the NSA, and how the agency has treated foreigners." From the letter: " I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are american anyway — why would they care about surveillance that’s not targeted at them but at non-americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event."

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

CWmike writes "Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments — started last year, but accelerated in June following the NSA leaks — is as much about economics as data encryption, experts say. Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained. However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained. 'The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical,' Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.' The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the 'mathematics of cryptography,' Schneier said. The greater weaknesses, and the ones mostly likely to be exploited by governments in general, are the systems at the start and end of the data flow. 'I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks.' Is this about citizen's rights, or a business decision (some might say an existential issue) for Google? Does it matter, and will it make a difference?"

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."

fireballrus writes "There is one more way to use your BitCoins rather than buying weed or socks. Recently, a Bitcoin Exchange called ICBIT quietly introduced a futures market, obviously using Bitcoins as its main currency. Gold futures trade roughly at 137 BTC/tr.oz and Sweet Crude Oil at 7.3 BTC/bbl. This may play a positive role in the Bitcoin economy which needs more ways to actually use coins instead of mining them." While this sounds intriguing, I'd like to hear a good case for why BitCoin makes sense in this context.

Fnord666 writes "The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The flaw was disclosed the vulnerability in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. 'Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,' the US-CERT advisory says. 'The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'" According to the article, exposed OSes include "Windows 7, Windows Server 2008 R2, 64-bit versions of FreeBSD and NetBSD, as well as systems that include the Xen hypervisor."

MikeatWired writes "The malware business growing around Google Android — now the leading smartphone operating system — is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. Sophos and Symantec on Wednesday released their latest Android malware discoveries written in Russian. While the language narrows the number of potential victims, the social-engineering tactics used to get Android users to install the malware is universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals using mobile websites to offer bogus versions of popular games. Sophos says the criminals are like other entrepreneurs launching startups. They're starting in Russia, but have far greater ambitions. 'I don't think we can say that they're necessarily using it as a testing ground — think of it more as a local business that as it grows may gain multinational ambitions,' Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday. The cyber scam tracked by Sophos was reported this week by GFI Lab, which discovered links to the bogus antivirus software on Twitter. Sophos dug deeper and found that the .ru domains pointed to the same Internet protocol address hosted in Ukraine."

MikeatWired writes "The malware business growing around Google Android — now the leading smartphone operating system — is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. Sophos and Symantec on Wednesday released their latest Android malware discoveries written in Russian. While the language narrows the number of potential victims, the social-engineering tactics used to get Android users to install the malware is universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals using mobile websites to offer bogus versions of popular games. Sophos says the criminals are like other entrepreneurs launching startups. They're starting in Russia, but have far greater ambitions. 'I don't think we can say that they're necessarily using it as a testing ground — think of it more as a local business that as it grows may gain multinational ambitions,' Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday. The cyber scam tracked by Sophos was reported this week by GFI Lab, which discovered links to the bogus antivirus software on Twitter. Sophos dug deeper and found that the .ru domains pointed to the same Internet protocol address hosted in Ukraine."

CWmike writes "CNET's Declan McCullagh reported last week on the FBI's argument that the massive shift of communications from the telephone system to the Internet 'has made it far more difficult for the agency to wiretap Americans suspected of illegal activities.' The law has already been expanded once, in 2004, to include broadband networks, but still excludes Web companies. The FBI says its surveillance efforts are in danger of 'going dark' if it is not allowed to monitor the way people communicate now. Not surprisingly, a range of opponents, from privacy advocates to legal experts, disagree — strongly. On key tech hitch with the plan, per ACLU attorney Mark Rumold and others: There is a difference between wiretapping phones and demanding a backdoor to Internet services. 'A backdoor doesn't just make it accessible to the FBI — it makes it vulnerable to others,' Rumold says."

CWmike writes "CNET's Declan McCullagh reported last week on the FBI's argument that the massive shift of communications from the telephone system to the Internet 'has made it far more difficult for the agency to wiretap Americans suspected of illegal activities.' The law has already been expanded once, in 2004, to include broadband networks, but still excludes Web companies. The FBI says its surveillance efforts are in danger of 'going dark' if it is not allowed to monitor the way people communicate now. Not surprisingly, a range of opponents, from privacy advocates to legal experts, disagree — strongly. On key tech hitch with the plan, per ACLU attorney Mark Rumold and others: There is a difference between wiretapping phones and demanding a backdoor to Internet services. 'A backdoor doesn't just make it accessible to the FBI — it makes it vulnerable to others,' Rumold says."

CWmike writes "The internet is no stranger to crime, writes corporate investigator Brandon Gregg. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market not only can be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and anonymous, with multiple marketplaces to buy or sell anything you want. Gregg started with $1000 and a took journey into the darker side of the Internet using two tools: Bitcoin and the Tor Bundle."

CWmike writes "The internet is no stranger to crime, writes corporate investigator Brandon Gregg. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market not only can be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and anonymous, with multiple marketplaces to buy or sell anything you want. Gregg started with $1000 and a took journey into the darker side of the Internet using two tools: Bitcoin and the Tor Bundle."

jfruh writes "You'd think that, of all events, security conferences would have tight security. But one anonymous human pen tester managed to sneak into the RSA conference without credentials, using tried and true techniques like waving a badge from another conference at security guards and slipping in through exits."

itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."

itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."

Robert McMillan writes "You remember Terry Childs, right? He was finally sentenced Friday. Childs got four years in prison for refusing to hand over passwords to his bosses. This is a denial of service under California law."

Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."

Esther Schindler writes "CSO has an annotated, zoomable map of real botnet topologies showing the interconnections between the compromised computers and the command-and-control systems that direct them. The map is based on work by security researcher David Voreland; it has interactive controls so you can zoom in and explore botnets' inner workings. Hackers use botnets for spamming, DDoS attacks and identity theft. One recent example is the Storm botnet, which may have comprised 1 million or more zombie systems at its peak. As with any networking challenge, there are good (resilient) designs and some not-so-good ones. In some cases the topology may be indicative of a particular botnet's purpose, or of a herder on the run."

Esther Schindler writes "CSO has an annotated, zoomable map of real botnet topologies showing the interconnections between the compromised computers and the command-and-control systems that direct them. The map is based on work by security researcher David Voreland; it has interactive controls so you can zoom in and explore botnets' inner workings. Hackers use botnets for spamming, DDoS attacks and identity theft. One recent example is the Storm botnet, which may have comprised 1 million or more zombie systems at its peak. As with any networking challenge, there are good (resilient) designs and some not-so-good ones. In some cases the topology may be indicative of a particular botnet's purpose, or of a herder on the run."

Schneier points out an interesting article comparing modern cybersecurity to piracy on the high seas in the early 1800s. The article extends the comparison into projected action based on historical context. "Similarly, in many ways, current U.S. policy on the security of electronic commerce is similar to Adams' appeasement approach to the Barbary pirates. The U.S. government's inability to dictate a consistent cyber commerce protection policy is creating a financial burden on the U.S. private sector to maintain a status quo, when those resources could be used to mount a more-effective Internet-focused defense. In the case of financial fraud on the Internet, the costs associated with fraudulent transactions are currently borne by private companies, which then have to pass those costs on to their customers. This basically creates a system in which the financial institutions are paying a type of 'tribute' to the cyber criminals, just as Adams did to the Barbary pirates."

Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measure to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"

Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measure to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"

oDDmON oUT writes "An article on the Computerworld site quotes polling results from a potentially-divisive PatchLink survey. The poll shows that the majority of enterprise customers feel there are no compelling security enhancements in Windows Vista, that they have no plans to migrate to it in the near term and that many will 'either stick with the Windows they have, or turn to Linux or Mac OS X'. A majority, 87%, said they would stay with their existing version of Windows. This comes on the heels of a dissenting view of Vista's track record in the area of security at the six month mark, which sparked a heated discussion on numerous forums."

Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"

Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"

Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is a interactive graphic page which demonstrates the various methods used by image spammers and how it works."

Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is a interactive graphic page which demonstrates the various methods used by image spammers and how it works."

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

rabblerouzer writes "Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane. He calls it one of the most interesting examples of a software 'abuse case' he has ever seen." Fortunately the IFE system is totally disjoint from the avionics.

rabblerouzer writes "Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane. He calls it one of the most interesting examples of a software 'abuse case' he has ever seen." Fortunately the IFE system is totally disjoint from the avionics.

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

An anonymous reader writes "When an online exortionist comes a knocking, threatining a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of buisness. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"

An anonymous reader writes "When an online exortionist comes a knocking, threatining a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of buisness. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"

DeliBoy writes "In light of public discussions over security after The Scream was stolen, CSO Online offers an interesting look at museum security. The article details a system designed without budget restrictions intended to secure a painting in a public gallery. Interesting how the consultant balances public access with the need for security, comprised of redundant vibration sensors, overlapping microwave and infrared motion sensors, and an old-fashioned guard. "

DeliBoy writes "In light of public discussions over security after The Scream was stolen, CSO Online offers an interesting look at museum security. The article details a system designed without budget restrictions intended to secure a painting in a public gallery. Interesting how the consultant balances public access with the need for security, comprised of redundant vibration sensors, overlapping microwave and infrared motion sensors, and an old-fashioned guard. "

Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.

Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.