Archive for the ‘security’ Category

Massive, Coordinated Patch To the DNS Released

Tuesday, July 8th, 2008

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There’s a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. “The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.”

Read more of this story at Slashdot.

Original post by kdawson

How to Fight Name Scraping Scammers?

Monday, July 7th, 2008

CurtMonash writes “I was ego-surfing the other day, and was surprised to discover that I was listed as a member of an on-line dating service. It turns out these scamsters generate web pages for lots of (FirstName, LastName) combos, each claiming that the named individual is a member of their service. I posted about this, and discovered other people were upset, at least one had lost interest in a guy because he appeared to be a member, and so on. I’ve since followed up with lessons learned, a big one being that everybody should have a visible web presence. But frankly, the ideas I’ve come up with for fighting this kind of reputation scam seem fairly weak. Do Slashdotters have any better ideas?”

Original post by CmdrTaco

The Internationalization of Malware

Sunday, July 6th, 2008

Ant brings us a write-up from a former malware analyst about the difficulties in fighting malware as it expands beyond English-language targets and into societies with different standards for privacy and security. Quoting: “One of the most fascinating facets of the increasing internationalization of malware is the cultural assumptions around such software. What is considered malware in the US may be commonly accepted in China or Japan, and this is largely due to the society that it exists in. Anti-cheating rootkits are very common in games released in these countries. What is considered to be invasive in the North American or European world is acceptable there. These anti-cheating rootkits would hook into the kernel space in a very invasive way, and have the behavioral characteristics of malware such as hooking into the keyboard driver. This made it very difficult from a purely technical standpoint to distinguish them.”

Original post by Soulskill

Lt. Col. John Bircher Answers Your Questions

Thursday, July 3rd, 2008

A few weeks ago, you asked questions of Lt. Col. John Bircher, head of an organization with a difficult-to-navigate name: the U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent’s Futures Branch. Lt. Col. Bircher has answered from his perspective, at length, not just the usual 10 questions, but several more besides. Read on for his take on cyberwar, jurisdiction, ethics, and more.

Original post by timothy

AVG Fakes User Agent, Floods the Internet

Thursday, July 3rd, 2008

Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we’re seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.

Original post by CmdrTaco

No-Fail Identity Theft – Live and In Person

Tuesday, July 1st, 2008

ancientribe writes “A researcher performing social-engineering exploits on behalf of several U.S. banks and other firms in the past year has ‘stolen’ thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they’ve forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it.”

Original post by timothy

Blizzard Authenticator passcode token adds anti-theft enchantment to your World of Warcraft account

Tuesday, July 1st, 2008

Nothing’s worse than when you log on to raid Onyxia only to find that some loser sold all your elite loot. Fear not, vulnerable World of Warcraft denizens, for Blizzard is here to sell you the $6.50 “Blizzard Authenticator” dongle. Reacting to an upswing in account theft incidents, Blizzard has released a security token that allows hardcore users to add another layer of protection to their high-level (and attractive) characters. The device is basically a SecurID token with a six-digit code that you’ll need to keep with you any time you want to get your groove on in Azeroth. By the way, we dare you to put this on your keychain and wear it with pride.

Original post by Joshua Fruhlinger

Lloyds TSB Visa Debit Cards For Kids Used to Buy Pr0n, Fags, Booze etc

Monday, June 30th, 2008

Debit card for booze-hungry kids creates net shopping fears.

Original post by Mike Slocombe

Magazine Photos Fool Age-verification Cameras

Sunday, June 29th, 2008

gregor-e writes “Japan has scheduled a full-scale rollout of visual age-verification on cigarette vending machines. Unfortunately for them, a Sankei Sports news reporter has determined that this system can be fooled by holding up a magazine photo of an adult.”

Original post by timothy

The Future Has a Kill Switch

Sunday, June 29th, 2008

palegray.net writes “Bruce Schneier brings us his perspective on a future filled with kill switches; from OnStar-equipped automobiles and city buses that can be remotely disabled by police to Microsoft’s patent-pending ideas regarding so-called Digital Manners Policies. In Schneier’s view, these capabilities aren’t exactly high points of our potential future. From the article: ‘Once we go down this path — giving one device authority over other devices — the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?’ We recently discussed the Pentagon’s interest in kill switches for airplanes. At what point does centralizing and/or delegating operational authority over so much of our lives become a dangerous practice of its own?”

Original post by Soulskill

Thinking of Security Vulnerabilities As Defects

Saturday, June 28th, 2008

SecureThroughObscure writes “ZDNet Zero-Day blogger Nate McFeters has asked the question, ‘Should vulnerabilities be treated as defects?’ McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issues. McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can’t keep up. It’s an interesting approach that, if used, might force companies to take a stronger stance on security-related issues.”

Original post by timothy

Intentional GPS Jamming On the Increase

Friday, June 27th, 2008

benst writes “Here’s yet another way to measure the success of GPS: by the efforts to negate it. While unintentional jamming continues to rise, intentional jamming by both foreign military forces and at-home miscreants of various stripes also has shown increased vigor in the past six months. Related here are recent instances of intentional jamming on each side of the border, and (briefly outlined) one initiative mounted by the National Geospatial Intelligence Agency (NGA) to counteract it. Also here are ways to detect and prevent jamming.”

Original post by timothy

Crooks Nab Citibank ATM Codes, Steal Millions

Thursday, June 26th, 2008

An anonymous reader writes “Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they’ve been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia.”

Original post by timothy

AI Could Power Next-gen CCTV Cameras

Wednesday, June 25th, 2008

Barence writes “UK researchers are working on fitting CCTV cameras with artificial intelligence, allowing them to more quickly respond to crimes. The technology, being developed by University of Portsmouth scientists, would allow cameras to “hear” violent sounds and react, swiveling quickly in the direction of a broken window or somebody shouting abusively for example, before alerting an operator. The artificial intelligence powering the camera would also be able to respond to visual cues such as fights, or violent behaviour.”

Original post by samzenpus


Developages - Development and Technology Blog
