Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher — with five scoring 98% or 99% — Microsoft's free antivirus software protected against only 61% of the malware samples used in the test. Microsoft conceded last year that its security software was intended to offer only 'baseline' performance."
Lab Rat Jason writes "During a discussion with my wife last night, I came to the realization that the primary reason I have a Hadoop cluster tucked under my desk at home (I work in an office) is because my drive for learning is too aggressive for my IT department's security policy, as well as their hardware budget. But on closer inspection the issue runs even deeper than that. Time spent working on the somewhat menial tasks of the day job prevents me from spending time learning new tech that could help me do the job better. So I do my learning on my own time. As I thought about it, I don't know a single developer who doesn't have a home setup that allows them to tinker in a more relaxed environment. Or, put another way, my home setup represents the place I wish my company was going. So my question to Slashdot is this: How many of you find yourselves investing personal time to learn things that will directly benefit your employer, and how many of you are able to 'separate church and state?'"
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nation's best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was advised by representatives from Cisco, JP Morgan Chase, Goldman Sachs, Northrop Grumman, the NSF, and the NSA. 'Do you desire to protect American interests and secure our Nation while building a meaningful and rewarding career?' reads the job posting for Secretary's Honors Program Cyber Student Volunteers (salary: $0.00-$0.00). 'If so, the Department of Homeland Security (DHS) is calling.' Student volunteers, DHS adds, will begin in spring 2014 and participate throughout the summer. Get your applications in by January 3, kids!"
An anonymous reader writes with this excerpt from a Reuters report shedding light on one consequence of increasing knowledge of the extent of U.S. government spying: "Brazil awarded a $4.5 billion contract to Saab AB on Wednesday to replace its aging fleet of fighter jets, a surprise coup for the Swedish company after news of U.S. spying on Brazilians helped derail Boeing's chances for the deal. ... The timing of the announcement, after more than a decade of off-and-on negotiations, appeared to catch the companies involved by surprise. Even Juniti Saito, Brazil's top air force commander, said on Wednesday that he only heard of the decision a day earlier in a meeting with President Dilma Rousseff. Until earlier this year, Boeing's F/A-18 Super Hornet had been considered the front runner. But revelations of spying by the U.S. National Security Agency in Brazil, including personal communication by Rousseff, led Brazil to believe it could not trust a U.S. company."
wiredmikey writes "A board set up to review the NSA's vast surveillance programs has called for a wide-ranging overhaul of National Security Agency practices while preserving 'robust' intelligence capabilities. The panel, set up by President Obama, issued 46 recommendations, including reforms at a secret national security court and an end to retention of telephone 'metadata' by the spy agency. The 308-page report (PDF) submitted last week to the White House and released publicly Wednesday says the US government needs to balance the interests of national security and intelligence gathering with privacy and 'protecting democracy, civil liberties, and the rule of law.' Panel members said the recommendations would not necessarily mean a rolling back of intelligence gathering, including on foreign leaders, but that surveillance must be guided by standards and by high-level policymakers."
JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the "Dual EC DRBG" standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called OpenAudit.org, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
mrspoonsi writes "Business Insider reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped on Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: 'One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers.'"
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
schwit1 writes in with the latest on a U.S. District Court ruling over NSA spying. "A federal judge ruled Monday that the National Security Agency's phone surveillance program is likely unconstitutional, Politico reports. U.S. District Court Judge Richard Leon said that the agency's controversial program, first unveiled by former government contractor Edward Snowden earlier this year, appears to violate the Constitution's Fourth Amendment, which states that the 'right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.' 'I cannot imagine a more "indiscriminate" and "arbitrary invasion" than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,' Leon wrote in the ruling. The federal ruling came down after activist Larry Klayman filed a lawsuit in June over the program. The suit claimed that the NSA's surveillance 'violates the U.S. Constitution and also federal laws, including, but not limited to, the outrageous breach of privacy, freedom of speech, freedom of association, and the due process rights of American citizens.'"
hawkinspeter writes "The Register is hosting an exclusive that Bruce Schneier will be leaving his position at BT as security futurologist. From the article: 'News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ's mass surveillance activities.'"
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."
krakman writes "With the NSA disclosures, French media was 'outraged'. Yet they appear to be worse than the NSA, with a new law that codifies standard practice and provides for no judicial oversight while allowing electronic surveillance for a broad range of purposes, including 'national security,' the protection of France's 'scientific and economic potential' and prevention of 'terrorism' or 'criminality.' The government argues that the law, passed last week with little debate as part of a routine military spending bill, which takes effect in 2015, does not expand intelligence powers. Rather, officials say, those powers have been in place for years, and the law creates rules where there had been none, notably with regard to real-time location tracking. French intelligence agencies have little experience publicly justifying their practices. Parliamentary oversight did not begin until 2007."
New submitter StirlingArcher writes "I've always built/maintained my parents' PCs, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual: remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Hugh Pickens DOT Com writes "Ray Sanchez reports at CNN that the handling of Friday's shooting at Arapahoe High School, just 10 miles from the scene of the 1999 Columbine High School shooting, drew important lessons from the earlier bloodshed. At Arapahoe High School, where senior Claire Davis, 17, was critically injured before the shooter turned the gun on himself, law enforcement officers responded within minutes and immediately entered the school to confront the gunman rather than surrounding the building. As the sound of shots reverberated through the corridors, teachers immediately followed procedures put in place after Columbine, locking the doors and moving students to the rear of classrooms. 'That's straight out of Columbine,' says Kenneth Trump, president of National School Safety and Security Services. 'The goal is to proceed and neutralize the shooter. Columbine really revolutionized the way law enforcement responds to active shooters.' Arapahoe County Sheriff Grayson Robinson credits the quick police response time for the fact that student Karl Pierson, the gunman, stopped firing on others and turned his weapon on himself less than 1 minute, 20 seconds after entering the school. Authorities knew from research and contact with forensic psychologists that school shooters typically continue firing until confronted by law enforcement. 'It's very unfortunate that we have to say that there's a textbook response on the way to respond to these,' says Trump, 'because that textbook was written based on all of the incidents that we've had and the lessons learned (PDF).'"
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."