Information Security News
by Dan Goodin
Five days after Ars chronicled a security researcher's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings.
"I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing."
As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware and allows infected machines to communicate even when they're not connected over a network.
Moxie Marlinspike is a cryptographer, software developer and security researcher who regularly appears at the Black Hat security conferences. His critique of HTTPS Web encryption has led browser makers to change the way they implement it. He is also developer of the TextSecure and RedPhone Android apps for encrypting text messages and voice calls. In 2011, Twitter bought his encryption startup Whisper Systems for an undisclosed sum. The pseudonymously named Marlinspike originally posted this editorial on his ThoughtCrime.org blog.
In August of this year, Ladar Levison shut down his e-mail service, Lavabit, in an attempt to avoid complying with a US government request for his users' e-mails. To defy the US government's gag order and shut down his service took great courage, and I believe that Ladar deserves our support in his legal defense of that decision.
There is now an effort underway to restart the Lavabit project, however, which might be a good opportunity to take a critical look at the service itself. After all, how is it possible that a service which wasn't supposed to have access to its users' e-mails found itself in a position where it had no other option but to shut down in an attempt to avoid complying with a request for the contents of its users' e-mails?
by canada goose billigt
by Winter Hunting Parka Canada
Hackers are exploiting a previously unknown vulnerability in Microsoft Windows and Office software that allows computers to be infected with malware, the company warned in advisories published Tuesday.
The advanced exploit arrives in a booby-trapped Word document attached to e-mails, Elia Florio of the Microsoft Security Response Center wrote on Tuesday. The attacks are narrowly targeted at certain individuals or companies and are mostly found in the Middle East and South Asia. The malicious document exploits a vulnerability in Microsoft's graphics device interface that makes it possible for attackers to remotely execute any code of their choice.
"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document," Dustin Childs, group manager in the Microsoft Trustworthy Computing group wrote in a separate advisory. "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user." A third advisory is here.
Researchers at Cornell University have published a paper detailing what they see as a vulnerability in Bitcoin's protocol. Ittay Eyal and Emin Gün Sirer of Cornell's Department of Computer Science say Bitcoin is vulnerable to "selfish mining"—an attack by one or more members of the Bitcoin network who try to computationally corner the supply of bitcoins and control their flow.
"This attack can have significant consequences for Bitcoin," Eyal and Sirer wrote. "Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency."
The Bitcoin community has been discussing the possibility of this sort of attack, sometimes known as a "cartel" attack, for over three years. But the risk in the past has been largely downplayed for one simple reason: it would require an attacker to have more computing power at his or her disposal than the rest of the Bitcoin network combined. The Cornell researchers' paper outlines a new strategy to the attack that still would require control of a significant number of the "nodes" in Bitcoin's transaction processing network, but it takes a different route to control—exploiting the rational behavior (and greed) of other miners.
by best boots to go with canada goose jacket
Posted by InfoSec News on Nov 05Dear Hackers and Hackeranis,
Posted by InfoSec News on Nov 05http://www.pcworld.com/article/2060539/microsoft-giving-away-free-it-training-and-a-job-to-soldiers.html
Posted by InfoSec News on Nov 05http://news.cnet.com/8301-1009_3-57610793-83/nsa-chief-may-lose-us-cyber-command-role/
Posted by InfoSec News on Nov 05http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/
Posted by InfoSec News on Nov 05http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/