Archive for the ‘security’ Category

Report Says China Will Demand Source Code

Sunday, October 5th, 2008

An anonymous reader alerts us to a two-week-old story that hasn’t gotten much traction in the press to date. A Japanese newspaper and the AP report that China plans to demand source code from hardware manufacturers, and ban the sale of products from companies that don’t comply. China is calling this an “obligatory accreditation system for IT security products.” The plan is to go into effect next May, according to sources. “Products expected to be subject to the system are those equipped with secret coding, such as [a] contactless smart card system developed by Sony Corp., digital copiers, and computer servers. The Chinese government said it needs the source code to prevent computer viruses taking advantage of software vulnerabilities and to shut out hackers. However, this explanation is unlikely to satisfy concerns that disclosed information might be handed from the Chinese government to Chinese companies. There also are fears that Chinese intelligence services could exploit such confidential information by making it easier to break codes used in… digital devices.”

Read more of this story at Slashdot.

Original post by kdawson

Skype Messages Monitored In China

Thursday, October 2nd, 2008

Pickens writes “Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that ‘full end-to-end security is preserved and there is no compromise of people’s privacy.’ The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. ‘This is the worst nightmares of the conspiracy theorists around surveillance coming true,’ says Ronald J. Deibert, an associate professor of political science at the University of Toronto. ‘It’s “X-Files” without the aliens.’”

Read more of this story at Slashdot.

Original post by CmdrTaco

Now Google’s CAPTCHA Is Broken

Thursday, October 2nd, 2008

steveit_is writes “Yesterday it was reported that Microsoft’s revised CAPTCHA had been cracked. Now it’s Google’s turn. In a move that is sure to surprise no one, the spammers behind ‘Xrumer’ have announced that they’ve not only cracked Google’s CAPTCHA, but other forms of image verification as well, including ‘pick the cat’ style CAPTCHA.”

Read more of this story at Slashdot.

Original post by CmdrTaco

Schneier on Scareware Vendor Lawsuits

Thursday, October 2nd, 2008

Bruce Schneier’s blog says “This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of ‘scareware’ purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.”

Read more of this story at Slashdot.

Original post by CmdrTaco

Hackers Clone Elvis’ Passport

Thursday, October 2nd, 2008

Barence writes “Hackers have released source code that allows the ‘backup’ of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker’s Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with ‘Are You Clonesome Tonight’ are unconfirmed.”

Read more of this story at Slashdot.

Original post by samzenpus

Credit Card Security Standard Issued

Thursday, October 2nd, 2008

alphadogg writes “The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, Wednesday issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization. PCI adherence has been pushed big time in the industry to help avoid more big breaches such as the one involving TJX. Those familiar with the standard say it could be expensive to implement and that there are some things those using wireless LANs will need to pay especially close attention to.”

Read more of this story at Slashdot.

Original post by samzenpus

Spammers Targeting Microsoft’s Revised CAPTCHA

Wednesday, October 1st, 2008

toomuchtoomuchspam writes “According to Websense, Microsoft’s CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers. But it seems like it is melting down. ‘Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA’s usability and reliability. As this attack shows, those efforts have failed,’ says Websense’s security researcher Prasad. Could there be any better CAPTCHA, a better solution?”

Read more of this story at Slashdot.

Original post by samzenpus

£17 eBay Camera Contained Top Secret Information

Wednesday, October 1st, 2008

Here’s another tale of UK data loss that has to be one for the “You couldn’t make it up” files.
An Englishman has bought a Nikon Coolpix camera from eBay for £17 that had lots of secret information stored on it.
According to The Sun, the list is considerable.

a document marked “top secret” detailed the encrypted computer system […]

Original post by Simon Perry

New Denial-of-Service Attack Is a Killer

Wednesday, October 1st, 2008

ancientribe writes “Hacker RSnake blogs about a newly discovered and deadly denial-of-service attack that could well be the next big threat to the Internet as a whole. It goes after a broadband Internet connection and KOs machines on the other end such that they stay offline even after the attack is over. It spans various systems, too: the pair of Swedish researchers who found it have already contacted firewall, operating system, and Web-enabled device vendors whose products are vulnerable to this attack.” Listen to the interview (MP3) — English starts a few minutes in — and you might find yourself convinced that we have a problem. The researchers claim that they have been able to take down every system with a TCP/IP stack that they have attempted; and they know of no fix or workaround.

Read more of this story at Slashdot.

Original post by kdawson

“Back Door” Cheating Scandal Rocks Online Poker

Tuesday, September 30th, 2008

AcidAUS sends us the story of an online poker cheating ring that netted an estimated $10M for its perpetrators over almost 4 years. The article spotlights the role of an Australian player who first performed the statistical analyses that demonstrated that cheating had to be going on. “In two separate cases, Michael Josem, from Chatswood, analyzed detailed hand history data from Absolute Poker and UltimateBet and uncovered that certain player accounts won money at a rate too fast to be legitimate. His findings led to an internal investigation by the parent company that owns both sites. It found rogue employees had defrauded players over three years via a security hole that allowed the cheats to see other players’ secret (or hole) cards.” The (Mohawk) Kahnawake Gaming Commission, which licenses the two poker companies, has released its preliminary report. MSNBC reporting from a couple of weeks back gives deep background on the scandal.

Read more of this story at Slashdot.

Original post by kdawson

Russian Police Know Who Wrote Gpcode Virus

Tuesday, September 30th, 2008

rifles only writes “Russian police almost certainly know the identity of the programmer responsible for the frightening ‘ransomware’ crypto virus, Gpcode, which has hit the Internet several times since 2006, says a story at Techworld, which has tapped a Kaspersky Lab researcher. Gpcode used 1024-bit RSA/128-bit RC4 to lock up victims’ data, an uncrackable combination that left the world with only one solution: find the virus author to get the master key. So why don’t the cops do anything? Good question, but this is Russia we’re talking about.”

Read more of this story at Slashdot.

Original post by timothy

MI6 Terror Photos, Data Accidentally Sold On Ebay

Tuesday, September 30th, 2008

Barence writes “In what’s turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday’s embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it.”

Read more of this story at Slashdot.

Original post by timothy

New Jersey’s Cablevision Hijacks DNS Error Pages

Tuesday, September 30th, 2008

Selikoff writes “I just noticed Cablevision’s Optimum Online service has begun hijacking DNS Error pages with, you guessed it, ad-supported results. Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers. I know Road Runner customers have had to deal with this for a couple months now, although at least they have an outlet to turn it off.” Update: 09/30 13:18 GMT by T: Note, as several readers have pointed out, that this hijacking is of DNS errors rather than 404 errors as originally presented.

Read more of this story at Slashdot.

Original post by timothy

CSRF Flaws Found On Major Websites, Including a Bank

Monday, September 29th, 2008

An anonymous reader sends a link to DarkReading on the recent announcement by Princeton researchers of four major Web sites on which they found exploitable cross-site request forgery vulnerabilities. The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but the NYTimes site have patched the hole. “…four major Websites susceptible to the silent-but-deadly cross-site request forgery attack — including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account… Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents… ‘the first example of a CSRF attack that allows money to be transferred out of a bank account that [we’re] aware of.’… CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. ‘It’s basically wherever you look,’ says [a security researcher].” Here are Zeller’s Freedom to Tinker post and the research paper (PDF).

Read more of this story at Slashdot.

Original post by kdawson
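The INGDirect case above comes down to a transfer endpoint that trusts the browser's automatically attached session cookie alone. The following is an added example (not code from the Princeton paper, Slashdot, or any bank) showing that pattern beside the usual fix, a per-session anti-CSRF token checked on every state-changing request; the session store, session id and request dicts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real deployment would persist and rotate it.
SECRET_KEY = secrets.token_bytes(32)

# Constructed session store: session cookie value -> logged-in user.
SESSIONS = {"sid-victim-123": "victim"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token. Only the site's own pages embed it in forms,
    so a page on another origin cannot read it (same-origin policy)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, sessions: dict) -> str:
    """The flawed pattern: the cookie alone authorizes a money transfer."""
    user = sessions.get(request.get("cookie"))
    if user is None:
        return "401 not logged in"
    return f"200 moved {request['amount']} from {user} to {request['to']}"


def transfer_protected(request: dict, sessions: dict) -> str:
    """Hardened: require a token bound to the session in addition to the cookie."""
    user = sessions.get(request.get("cookie"))
    if user is None:
        return "401 not logged in"
    expected = issue_csrf_token(request["cookie"])
    supplied = request.get("csrf_token", "")
    # Constant-time comparison; a cross-site request carries the cookie
    # (the browser adds it) but cannot supply a token it never saw.
    if not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    return f"200 moved {request['amount']} from {user} to {request['to']}"


def demo() -> dict:
    # A request triggered from a third-party page: browser attaches the cookie,
    # but the attacker-controlled form cannot include the session's token.
    forged = {"cookie": "sid-victim-123", "to": "other-account", "amount": 500}
    # The same action submitted from the bank's own form, token included.
    legit = dict(forged, to="landlord", csrf_token=issue_csrf_token("sid-victim-123"))
    return {
        "vulnerable_forged": transfer_vulnerable(forged, SESSIONS),
        "protected_forged": transfer_protected(forged, SESSIONS),
        "protected_legit": transfer_protected(legit, SESSIONS),
    }
```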


Developages - Development and Technology Blog