msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlangen-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins." It does seem that WordPress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
Rick Zeman writes "'Confidentiality is critical to national security.' So wrote the Justice Department in concealing the NSA's role in two wiretap cases. However, now that the NSA is under the gun, it's apparently not so critical, according to New York attorney Joshua Dratel: 'National security is about keeping illegal conduct concealed from the American public until you're forced to justify it because someone ratted you out.' The first he heard of the NSA's role in his client's case was 'when [FBI deputy director Sean] Joyce disclosed it on CSPAN to argue for the effectiveness of the NSA's spying.' Dratel challenged the legality of the spying in 2011, and asked a federal judge to order the government to produce the wiretap application the FBI gave the secretive Foreign Intelligence Surveillance Court to justify the surveillance. 'Disclosure of the FISA applications to defense counsel – who possess the requisite security clearance – is also necessary to an accurate determination of the legality of the FISA surveillance, as otherwise the defense will be completely in the dark with respect to the basis for the FISA surveillance,' wrote Dratel. According to Wired, 'The government fought the request in a 60-page reply brief (PDF), much of it redacted as classified in the public docket. The Justice Department argued that the defendants had no right to see any of the filings from the secret court, and instead the judge could review the filings alone in chambers.'"
The Washington Post reports that Google has filed a motion challenging the gag orders preventing it from disclosing information about the data requests it receives from government agencies. The motion cites the free speech protections of the First Amendment. "FISA court data requests typically are known only to small numbers of a company's employees. Discussing the requests openly, either within or beyond the walls of an involved company, can violate federal law." From the filing (PDF): "On June 6, 2013, The Guardian newspaper published a story mischaracterizing the scope and nature of Google's receipt of and compliance with foreign intelligence surveillance requests. ... In light of the intense public interest generated by The Guardian's and Post's erroneous articles, and others that have followed them, Google seeks to increase its transparency with users and the public regarding its receipt of national security requests, if any. ... Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegation. Google must respond to such claims with more than generalities. ... In particular, Google seeks a declaratory judgment that Google has a right under the First Amendment to publish ... two aggregate unclassified numbers: (1) the total number of FISA requests it receives, if any; and (2) the total number of users or accounts encompassed within such requests."
chicksdaddy writes "Beware you barons of BitCoin – you World of Warcraft one-percenters: the long arm of the Internal Revenue Service may soon be reaching into your treasure hoard to extract Uncle Sam's fair share of your virtual wealth. A new Government Accountability Office (GAO) report on virtual economies finds that many types of transactions in virtual economies – including Bitcoin mining and virtual transactions that result in real-world profit – are likely taxable under current U.S. law, but that the IRS does a poor job of tracking such business activity and informing buyers and sellers of their duty to pay taxes on virtual earnings. The report, 'Virtual Economies and Currencies: Additional IRS Guidance Could Reduce Tax Compliance Risks' found that the growing use of virtual currencies like BitCoin and virtual game currencies warrants the U.S.'s tax collection agency to mitigate the risks. Those include efforts to educate taxpayers and the publication of basic tax reporting requirements for transactions using virtual currencies, The Security Ledger reports."
mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old, and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly facing and remotely accessible. The SAP services contained dangerous vulnerabilities for which the vendor had since released patches, but the patches had not been applied."
benrothke writes "It's said that truth is stranger than fiction, as fiction has to make sense. Had The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests been written as a spy thriller, it would have been a fascinating novel of international intrigue. But the book is far from a novel. It's a dense, well-researched overview of China's cold-war-like cyberwar tactics against the US to regain its past historical glory and world dominance." Read below for the rest of Ben's review.
An anonymous reader writes "Not to be left out, Apple has released details about government requests for customer data. The company said it received between 4,000 and 5,000 government requests, affecting as many as 10,000 accounts or devices. From the article: 'The iPad maker said that it received between 4,000 and 5,000 requests from U.S. law enforcement agencies for customer data from December 1, 2012 to May 31, 2013, and that 9,000 to 10,000 accounts or devices were specified in the requests. Apple did not state how many of the requests were from the National Security Agency or how many affected accounts or devices may have been tied to any NSA requests.' Facebook and Microsoft released their numbers this weekend."
cold fjord writes "Yet more details about the controversy engulfing the NSA. From CNET: 'Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, explained how the program worked without violating individuals' civil rights. "We take the business records by a court order, and it's just phone numbers — no names, no addresses — put it in a lock box," Rogers told CBS News' "Face The Nation." "And if they get a foreign terrorist overseas that's dialing in to the United States, they take that phone number... they plug it into this big pile, if you will, of just phone numbers — it's like a phonebook without any names and any addresses with it — to see if there's a connection, a foreign terrorist connection to the United States." "When a number comes out of that lock box, it's just a phone number — no names, no addresses," he said. "If they think that's relevant to their counterterrorism investigation, they give that to the FBI. Then upon the FBI has to go out and meet all the legal standards to even get whose phone number that is."' From the AP: ' ... programs run by the National Security Agency thwarted potential terrorist plots in the U.S. and more than 20 other countries — and that gathered data is destroyed every five years. Last year, fewer than 300 phone numbers were checked against the database of millions of U.S. phone records ... the intelligence officials said in arguing that the programs are far less sweeping than their detractors allege.... both NSA programs are reviewed every 90 days by the secret court authorized by the Foreign Intelligence Surveillance Act. Under the program, the records, showing things like time and length of call, can only be examined for suspected connections to terrorism, they said. The ... program helped the NSA stop a 2009 al-Qaida plot to blow up New York City subways.'"
wiredmikey writes "Facebook and Microsoft say they received thousands of requests for information from U.S. authorities last year but are prohibited from listing a separate tally for security-related requests or secret court orders related to terror probes. The two companies have come under heightened scrutiny since reports leaked of a vast secret Internet surveillance program U.S. authorities insist targets only foreign terror suspects and is needed to prevent attacks. Facebook said Friday it had received between 9,000 and 10,000 requests for user data affecting 18,000 to 19,000 accounts during the second half of last year and Microsoft said it had received 6,000 to 7,000 requests affecting 31,000 to 32,000 accounts during the same period." Meanwhile, an article at the Guardian is suggesting the government may have better targets to pursue than Edward Snowden. "[U.S. director of national intelligence James Clapper] has come out vocally to condemn Snowden as a traitor to the public interest and the country, yet a review of Booz Allen's own history suggests that the government should be investigating his former employer, rather than the whistleblower."
An anonymous reader writes "For a few years now, we've been hearing about TV-related devices that have built-in cameras and microphones. Their stated purpose is to monitor consumers and gather data — often to target advertising. (We'll set aside any unstated purposes — the uses they tell us about are bad enough.) Now, two members of the U.S. House of Representatives have submitted legislation to regulate this sort of technology. '[They] said they want to get out ahead of the release of this new technology and pass legislation that ensures it would include beefed up privacy protections for consumers. They added that this legislation is particularly relevant given the recent revelations about the National Security Agency's Internet surveillance programs. ... Additionally, the bill requires a cable box or set-top device to notify consumers when the monitoring technology is activated and in use by posting the phrase "We are watching you" across their TV screens.'"
New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"
alphadogg writes "Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that the U.S. Food and Drug Administration won't approve their devices for use, the FDA said. The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised. Recent vulnerabilities involving Philips fetal monitors and Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations."
cold fjord writes "There are new developments in the ongoing controversy engulfing the NSA as a result of the Snowden leaks. From The Hill: 'Emerging from a hearing with NSA Director Gen. Keith Alexander, Reps. Mike Rogers (R-Mich.), chairman of the Intelligence Committee, and Dutch Ruppersberger (Md.), the senior Democrat on the panel, said Edward Snowden simply wasn't in the position to access the content of the communications gathered under National Security Agency programs, as he's claimed. "He was lying," Rogers said. "He clearly has over-inflated his position, he has over-inflated his access and he's even over-inflated what the actual technology of the programs would allow one to do. It's impossible for him to do what he was saying he could do." ... "He's done tremendous damage to the country where he was born and raised and educated," Ruppersberger said. ... "It was clear that he attempted to go places that he was not authorized to go, which should raise questions for everyone," Rogers added.'" U.S. Attorney General Eric Holder has also told the E.U. justice commissioner that media reports surrounding PRISM are wrong: "The contention it [PRISM] is not subject to any internal or external oversights is simply not correct. It's subject to an extensive oversight regime from executive, legislative and judicial branches and Congress is made aware of these activities. The courts are aware as we need to get a court order. ... We can't target anyone unless appropriate documented foreign intelligence purpose for the prevention of terrorism or hostile cyber activities." Meanwhile, Bloomberg has gone live with a report (based on unidentified sources, so take it with a grain of salt) saying that private sector cooperation with snooping government agencies extends far beyond the ones listed in the PRISM report. "Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said." Whatever PRISM turns out to be, the NY Times is reporting that at least Yahoo, and probably other tech companies as well, tried to fight participation in it. Other reports suggest Twitter refused to participate, though there's been no official confirmation.
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
First time accepted submitter jarle.aase writes "It's doable today to use a mix of virtual machines, VPN, TOR, encryption (and staying away from certain places, like Google Plus, Facebook, and friends), in order to retain a reasonable degree of privacy. In recent days, even major mainstream on-line magazines have published such information. (Aftenposten, one of the largest newspapers in Norway, had an article yesterday about VPN, Tor and Freenet!) But what about the cell-phone? Technically it's not hard to design a phone that can switch off the GSM transmitter, and use VoIP for calls. VoIP could then go from the device through Wi-Fi and VPN. Some calls may be routed through PSTN gateways — allowing the agencies to track the other party. But they will not track your location. And they will not track pure, encrypted VoIP calls that traverse through VPN and use anonymous SIP or XMPP accounts. Android may not be the best software for such a device, as it very eagerly phones home. The same is true for iOS and Windows 8. Actually, I would prefer a non-cloud-based mobile OS from a vendor that is not in the PRISM gallery. Does such a device exist yet? Something that runs a relatively safe OS, where GSM can be switched totally off? Something that will only make an outgoing network connection when I ask it to do so?" And in the absence of a perfect solution, what do you do instead? (It's still Android and using the cell network, but RedPhone — open sourced last year — seems like a good start.)
hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's top 10 most critical web application security risks, has been updated and a new list for 2013 published. The list was last updated back in 2010; in the new list the importance of cross-site scripting (XSS) and cross-site request forgery (CSRF) has been diluted a little, while risks related to broken session management and authentication have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."
judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiFi"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HSTS, which enforces HTTPS, but iPhones are susceptible to this man-in-the-middle attack, researchers say."
Trailrunner7 writes "A group of eight senators from both parties has introduced a new bill that would require the attorney general to declassify as many of the rulings of the secret Foreign Intelligence Surveillance Court as possible, as a way of bringing into the sunlight much of the law and opinion that guides the government's surveillance efforts. Under the terms of the proposed law, the Justice Department would be required to declassify major FISC opinions as a way to give Americans a view into how the federal government is using the Foreign Intelligence Surveillance Act and Patriot Act. If the attorney general determines that a specific ruling can't be declassified without endangering national security, he can declassify a summary of it. If even that isn't possible, then the AG would need to explain specifically why the opinion needs to be kept secret."