Information Security News
No, it's not an April Fool's prank. AT&T really is forbidding passwords that contain obscene language. Or at least that's what the company's password reset page says.
AT&T's policy barring obscene passwords is surprising because it's completely unnecessary, even for a company that bends over backward not to offend even its most modest customers or employees. If workers are following standard industry practices, passcodes will never be shared with customer support representatives or engineers either verbally or in e-mails. Instead, plain-text strings such as "shittypolicy" will be cryptographically converted to strings such as "eaf6f87e9d009cd3c713e6533ce8b15ac9ed2009" that in theory can't be mathematically reversed. Sure, it's a good idea to block the use of expletives, but that has nothing to do with their potential to offend. The reason to bar them is that they're generally so short and widely used that they're easily cracked.
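As an added example (not AT&T's code and not from the article), here is a password policy that rejects passwords for the reason the text gives, being short or built from common words, rather than for being rude, next to salted, iterated storage so support staff only ever see a derived string. The wordlist, the 12-character minimum and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real most-common-passwords/words list.
COMMON_WORDS = {"password", "letmein", "shitty", "policy", "qwerty", "dragon", "welcome"}
MIN_LENGTH = 12  # assumed policy value


def _is_common_concat(pw: str, words: set, depth: int = 2) -> bool:
    """True if pw is one wordlist entry or at most `depth` entries glued together."""
    if pw in words:
        return True
    if depth == 1:
        return False
    return any(pw[:i] in words and _is_common_concat(pw[i:], words, depth - 1)
               for i in range(1, len(pw)))


def password_problems(pw: str, words: set = COMMON_WORDS) -> list:
    """Return the reasons a password is weak. Offensiveness is deliberately not one."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if _is_common_concat(pw.lower(), words):
        problems.append("made of common words")
    return problems


def hash_for_storage(pw: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated one-way hash; the plaintext never appears in the stored string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```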
When AT&T's policy came to light over the weekend, Ars assumed it was an April Fool's-motivated hoax. An AT&T spokesman still hasn't delivered a requested statement, but the screenshot posted above suggests the reports are true.
The War Z, a first-person zombie shooter game with 600,000 players, has been taken offline after attackers gained access to e-mail addresses and password data used to play the game and log in to user forums.
The data exposed in the breach also included in-game character names, the IP addresses players used to access user forums and the game, and any other data contained in the forum or game databases, an advisory posted by game developer Hammerpoint Interactive warned. It said the game and forums will be unavailable while outside experts and investigators pinpoint the cause of the compromise. Payment information was not exposed because payments are processed by a third party and not on The War Z systems.
"If you posted other information to the forum it is likely that such data was accessed as well," the advisory stated. "We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained." The notice warned that e-mail addresses used to register for the game were also obtained.
by John Timmer
Here in the Ars science section, we cover a lot of interesting research that may eventually lead to the sort of technology discussed in other areas of the site. In many cases, that sort of deployment will be years away (assuming it ever happens). But in a couple of fields, the rapid pace of proof-of-principle demonstrations hints that commercialization isn't too far beyond the horizon.
One of these areas is quantum key distribution between places that aren't in close proximity. Quantum keys hold the promise of creating a unique, disposable key on demand in such a way that any attempts to eavesdrop will quickly become obvious. We know how to do this over relatively short distances using fiber optic cables, so the basic technique is well-established. Throughout the past couple of years, researchers have been getting rid of the cables: first by sending quantum information across a lake, then by exchanging it between two islands.
The latter feat involved a distance of 144 km, which is getting closer to the sorts of altitudes occupied by satellites. But exchanging keys with satellites would seem to add a significant challenge—they move. Over the weekend, Nature Photonics published a paper that indicates we shouldn't necessarily view that as an obstacle. The paper describes a team of German researchers who managed to obtain quantum keys transmitted from a moving aircraft.
Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of "Darkleech," a mysterious exploitation toolkit that exposes visitors to potent malware attacks.
The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet's most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. A vulnerability in Plesk, cPanel, or other software used to administer websites is one possibility, but researchers aren't ruling out password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.
Researchers also don't know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don't access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.
by Peter Bright
We described the scale of the attack as "Internet-threatening," elaborating further that the attack, peaking at more than 300 gigabits per second, "is the kind of scale that threatens the core routers that join the Internet's disparate networks."
Subsequently, posts on Gizmodo and The Guardian called into question these assessments, with Gizmodo casting doubt on the description by asking some "simple questions" and The Guardian specifically claiming that it was "shoddy journalism."
Seven basic steps to avoid being 'phished'
Sydney Morning Herald
Phishing your employees in the name of security. An international hacker was recently found to have more than 10,000 stolen debit and credit card numbers. So, clearly, phishing – the practice of tricking someone into giving bank or credit card ...