DavidGilbert99 writes "LulzSec's star burnt brightly in the short period it was active, but things quickly turned sour when its core members began getting arrested. Last week three of the six core members were sentenced in the UK, but this only served to highlight the fact that one member of the group, known as Avunit, has been able to remain unidentified despite the FBI having turned the group's leader Sabu into an informant. Who is Avunit? And does he hold the purse strings of the group's Bitcoin wallet which could have up to $180,000 in it?" As usual, be warned of the horrendous autoplaying video ads surrounding good content at the primary link.
Navigate with confidence through the cloud. Sign up for the SlashCloud Update newsletter now.
Nerval's Lobster writes "Location is everything when choosing the site of a data center. Firms such as Microsoft and Google and Facebook spend a lot of time looking into the costs of land, power, regulation and taxes before placing their respective data centers in a particular place. Sometimes, that local tax bill comes into play in a big way. Just ask the National Security Agency which learned it faces a multimillion-dollar annual state tax on the power consumed by its new data center in Camp Williams, south of Salt Lake City. The Salt Lake Tribune obtained a series of email exchanges between the feds and the state, with the NSA protesting a $2.4 million tax on its annual power expenditure, pegged at about $40 million. Harvey Davis, director of installations and logistics for the NSA, sent a letter (subsequently quoted by the newspaper) to state officials that made the logistics argument: 'Long-term stability in the utility rates was a major factor in Utah being selected as our site for our $1.5bn construction at Camp Williams. HP325 [the new law] runs counter to what we expected.'" This would be the data center William Binney et al claim is logging almost all domestic communication.
colinneagle writes "Scripps News reporters discovered 170,000 records online of customers of Lifeline, a government program offering affordable phone service for low-income citizens, that contained everything needed for identity theft . Last year, the FCC 'tightened' the rules for the program by requiring Lifeline phone carriers to document applicants' eligibility, which led to collecting more sensitive information from citizens. A Scripps News investigative team claims it 'Googled' the phone companies TerraCom Inc. and YourTel America Inc. to discover all of the files. A Scripps reporter asked for an on-camera interview with the COO of TerraCom and YourTel after explaining the files were freely available online. That did not happen, but shortly thereafter the customer records disappeared from the internet. Then, the blame-the-messenger hacker accusations and mudslinging began. Although the Scripps reporters videotaped the process showing how they found the documents, attorney Jonathon Lee for both telecoms threatened the 'Scripps Hackers' with violating the Computer Fraud and Abuse Act (CFAA)."
benrothke writes "Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security. With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers." Read below for the rest of Ben's review.
judgecorp writes "Government institutions are among the targets of an attack on Pakistani bodies, which originates in India, according to reports. The campaign is using vulnerabilities in Microsoft software to install the HangOver malware, according to Norwegian security firm Norman Shark (PDF). From the article: 'In the attacks on Pakistani organizations, spear phishing emails were sent out purporting to contain information on "ongoing conflicts in the region, regional culture and religious matters," according to Norman. Norman could not provide direct attribution to the attacks, but its report did note the following: "The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin." Snorre Fagerland, principal security researcher in the Malware Detection Team at Norman, told TechWeekEurope it appeared Pakistani government bodies had been attacked.'"
mask.of.sanity writes "Lights, sounds and magnetic fields can be used to activate malware on phones, new research has found. The lab-style attacks defined in a paper (PDF) used pre-defined signals hidden in songs and TV programmes as a trigger to activate embedded malware. Malware once activated would carry out programmed attacks either by itself or as part of a wider botnet of mobile devices."
Madwand writes "The NetBSD Project is pleased to announce NetBSD 6.1, the first feature update of the NetBSD 6 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is available for a wide range of platforms, from large-scale servers and powerful desktop systems to handheld and embedded devices. Its clean design and advanced features make it excellent for use in both production and research environments, and the source code is freely available under a business-friendly license. NetBSD is developed and supported by a large and vibrant international community. Many applications are readily available through pkgsrc, the NetBSD Packages Collection."
hypnosec writes with report of the possible theft of up to 22 million user IDs revealed by Yahoo! Japan. That scale is massive, but, he writes, "According to Yahoo, the information that was stolen didn't have passwords or any other information that would allow unauthorized users to carry out user identity verification." A story at the Japan Times adds a bit more detail.
An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"
Techmeology writes "In response to declining utility of CALEA mandated wiretapping backdoors due to more widespread use of cryptography, the FBI is considering a revamped version that would mandate wiretapping facilities in end users' computers and software. Critics have argued that this would be bad for security (PDF), as such systems must be more complex and thus harder to secure. CALEA has also enabled criminals to wiretap conversations by hacking the infrastructure used by the authorities. I wonder how this could ever be implemented in FOSS."
msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
An anonymous reader writes "The Australian government has secretly censored over 1,000 web sites through a hitherto-unused internet censorship law. In April the Melbourne Free University was blocked without any explanation. Section 313 of the Telecommunications Act allows the government to close web sites without warning to "uphold laws, protect public revenue and safeguard national security". This is open to abuse as Australians only have limited free speech rights which already make it difficult for the press to report corruption."
Today eight members of the U.S. Congress have sent a letter to Google's Larry Page, asking him to address a number of privacy concerns about Google Glass. In the letter (PDF), they brought up the company's notorious Street View data collection incident, and asked how the company was planning to avoid a similar privacy breach with Glass. They also ask how Google is going to build Glass to protect the privacy of non-users who may not want their every public move to be recorded. Further, they ask about the security of recordings once they are made: "Will Google Glass have the capacity to store any data on the device itself? If so, will Google Glass implement some sort of user authentication system to safeguard stored data? If not, why not?" Google has until July 14th to respond.
hypnosec writes "Mozilla is not going ahead with its plans to block third-party cookies by default in the Beta version of its upcoming Firefox 22. Mozilla needs more time to analyze the outcome of blocking these cookies. The non-profit organization released Firefox Aurora on April 5 with a patch by Jonathan Mayer built into it which would only allow cookies from those websites which the user has visited. The patch would block the ones from sites which hadn't been visited yet. The reason for Mozilla's change in plans is that they're currently looking into 'false positives.' If a user visits one part of a group of site, cookies from that part will be allowed, but cookies from related sites in the group may be blocked, and they're worried it will create a poor user experience. On the other side of the coin, there are 'false negatives.' Just because a user may have visited a particular site doesn't mean she is comfortable with the idea of being tracked."
msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
An anonymous reader writes "Andy Oram reports on the quality, security, and community driving open source adoption. 'All too often, the main force uniting competitors is the fear of another vendor and the realization that they can never beat a dominant vendor on its own turf. Open source becomes a way of changing the rules out from under the dominant player. OpenStack, for instance, took on VMware in the virtualization space and Amazon.com in the IaaS space. Android attracted phone manufacturers and telephone companies as a reaction to the iPhone.'"
Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.
msm1267 writes "There are a lot of echoes of the disclosure debate in the current discussions about vulnerability exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers – government agencies, contractors, other researchers and third-party brokers – for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they're happening, and who's buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice."
wiredmikey tips this AFP report: "Russia on Tuesday said it had detained an alleged American CIA agent working undercover at the U.S. embassy who was discovered with a large stash of money as he was trying to recruit a Russian intelligence officer. Russia's Federal Security Service (FSB, ex-KGB) identified the man as Ryan C. Fogle — third secretary of the political section of Washington's embassy in Moscow — and said he had been handed back to the embassy after his detention. Photographs published show his alleged espionage equipment including wigs, a compass, torch and even a mundane atlas of Moscow as well as a somewhat old fashioned mobile phone. Russia's Federal Security Service (FSB) said Fogle was carrying 'special technical equipment, written instructions for recruiting a Russian citizen, a large sum of money and means for changing a person's appearance.' The FSB also said the U.S. intelligence service has made repeated attempts to recruit the staff of Russian law enforcement agencies and special services. The incident comes amid a new chill in Russian-U.S. relations sparked by the Syrian crisis and concern in Washington over what it sees as President Vladimir Putin's crackdown on human rights."
An anonymous reader sends this excerpt from BetaBeat: "The Department of Homeland Security appears to have shut down the ability to use Dwolla, a mobile payment service, to withdraw and deposit money into Mt. Gox, a Bitcoin trading platform. ... A representative for Dwolla told Betabeat that the company is 'not party' to this matter and encourages those with questions to reach out to Mt. Gox or the DHS. 'The Department of Homeland Security and U.S. District Court for the District of Maryland issued a 'Seizure Warrant' for the funds associated with Mutum Sigillium's Dwolla account (a.k.a. Mt. Gox),' he said. 'In light of the court order, procured by the Department of Homeland Security, Dwolla has ceased all account activities associated with Dwolla services for Mutum Sigillum while Dwolla's holding partner transferred Mutum Sigillium's balance, per the warrant.'"