Surely if electronic gadgets could bring down an airplane, you can be sure that the Department of Homeland Security and the Transportation Security Administration, which has a consuming fear of 3.5 ounces of hand lotion and gel shoe inserts, wouldn’t allow passengers to board a plane with an iPad or Kindle, for fear that they would be used by terrorists.



I secretly think they are maintaining this rule just to avoid annoying phone calls during the flight.

Facebook is getting complicated. The social network just introduced the category of "trusted friend," not to be confused with the prior categories of "close friends," "acquaintances," "restricted" buddies, and authorized stalkers. Trusted friends are like super-friends. They have special powers! More »

Google announced that in the coming weeks all Google.com users that are logged in will be redirected to Google Secure Search. The secure version of Google Search has been launched last year and now includes all the features from the regular Google interface. The main difference is that the connection is encrypted and Google is the only one who knows the queries you've typed. ISPs, network administrators, those who intercept your connection and the webmasters of the pages from Google's search results won't able to find your searches. "SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't easily be decoded by third parties between a searcher's computer and Google's servers," as Google says."As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we're enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra 's') when you're signed in to your Google Account. This change encrypts your search queries and Google's results page. This is especially important when you're using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe," explains Google.Right now, https://www.google.com no longer redirects to https://encrypted.google.com and Google no longer informs users that they're using Secure Search. It's important to keep in mind that no other search engine offers this feature and SSL has a performance penalty, which means that search results pages will load slower. This is especially noticeable when you use Google Instant and the results won't show up as fast as before.After the security incident from December 2009, Google went to great lengths to make its services more secure. Most services that require authentication default to SSL and many no longer offer unencrypted versions. It's interesting to see that Google Search will be treated just like Gmail, Google Docs, Google+ and other services that store user data even if this change won't make too many people happy (users will complain that search results pages load slower, webmasters will complain that their logs will be less useful, AdSense ads from search results will no longer be able to use the Google query and fewer users will click them, companies won't be able to monitor their employees' Google searches). Google already offers some solutions that address these issues: webmasters can use Google Webmaster Tools to find the most popular Google searches that sent users to their sites, while network admins can try the NoSSLSearch option.It's an important change, but I don't see why signed-in users should be treated differently and why protecting user queries outweighs the drawbacks mentioned earlier. One of the explanations could be that search will no longer be a distinct service and will integrate with Google+, Gmail, Google Docs Drive so much that it will be hard to notice when you've switched to a different app. Larry Page, Google's CEO, has recently said that "our ultimate ambition is to transform the overall Google experience, making it beautifully simple, almost automagical, because we understand what you want and can deliver it instantly. This means baking identity and sharing into all of our products so that we build a real relationship with our users. Sharing on the Web will be like sharing in real life across all your stuff."

The U.S. Securities and Exchange Commission has told public companies to disclose cyber attacks that could potentially lead to unexpected losses.

The guidelines issued on Thursday follow a rash of cyber attacks that have caused lawmakers to ask for clearer instructions on reporting cyber crimes. The guidance tells companies what they may be required to disclose.

Senator John Rockefeller asked the SEC to issue the rules amid fears that companies were failing to mention data breaches in their public filings. The SEC said that if a cyber attack occurs and leads to losses, then companies should disclose the losses, or at least estimates of what is “reasonably possible.”

“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything,” Rockefeller said in a statement to Reuters.

Breaches have occurred at big companies such as Sony, Google, Lockheed Martin, Citigroup, the International Monetary Fund and others. The SEC said it will not require companies to describe how they will further protect themselves, as that may only give ammunition to criminal hackers on how to attack the companies.

Companies are on the hook for disclosing costs of fixing compromised networks, increased cyber protection costs that may include changes to personnel, lost revenues from unauthorized access to information, losses related to the failure to retain customers after an attack, litigation costs, and reputation damage after an attack.

Filed under: security

Image of an HTC Evo via Wikipedia

If you’ve got one of HTC’s popular Android phones, such as the Evo 4G, Evo 3D or Thunderbolt, your phone may be giving apps you’ve installed a huge amount of personal data — information that you didn’t authorize those apps to have access to.

The reported vulnerability, according to Artem Russakovskii of AndroidPolice.com, comes about due to a flawed logging application contained within the most recent version of the HTC Sense user interface, a custom skin that HTC includes with its Android phones.

When you grant apps access to the phone’s internet capabilities (permission that would ordinarily only allow the app to access the web for uploading and downloading data), HTC’s logging application also grants access to a whole host of other data. That data, Russakovskii says, includes:

active notifications in the notification bar
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of every running process and thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status

“Theoretically, it may be possible to clone a device using only a small subset of the information leaked here,” Russakovskii adds.

Apparently, HTC installed a suite of logging tools — for a purpose that’s still unclear — but neglected to secure the data that was being logged. The discovery was made by Trevor Eckhart, a security researcher.

“It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door,” Russakovskii writes.

We contacted a HTC spokesperson today, who provided this response: “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”

Removing the vulnerability is not possible without rooting the device, removing the HTC Sense software, or waiting for an update from HTC, Russakovskii says. He has also provided a proof of concept app that you can install to determine if your phone is susceptible.

For more details, see the Android Police blog post.

Filed under: mobile, VentureBeat

Oh, Microsoft! You are so cunning. With IE market share plummeting and many users opting for “alternative” web browsers like Firefox and Chrome, your base of power is crumbling. We thought you would succumb to melancholy and accept your fate. But you had a plan all along. Clever girl.

Yes, Microsoft has found a way to stanch the hemorrhaging of its users to other browsers: label them as malware in the built-in Security Essentials suite!

Okay, I kid. It was just a minor mistake, and they corrected it immediately: “On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue.” The incorrect detection led to Chrome being removed and reinstall prohibited.

It actually brings up an interesting point, though. Seamless updates like Chrome’s are growing more popular, especially since many apps are essentially web services, and changes (mostly innocent) happen behind the curtain all the time. When it’s a local app, though, the process for authentication becomes more complicated.

Google shouldn’t have to wait for Microsoft to approve all its updates. But Microsoft needs to be vigilant and watch for unauthorized changes that may negatively affect the user. And while malicious programs are important to watch for, poorly secured ones can be just as dangerous.

Security was never simple, but it’s getting more complicated by the day and users have more choices and more exposure. Luckily, snafus like this one are pretty harmless and Microsoft, though I give them a hard time, is actually very responsive on this front.

Update: Google has some more information on their Chrome blog.

Researchers at the Department of Energy's Argonne National Laboratory have demonstrated an electronic "man in the middle" attack that allows remote tampering with the Diebold AccuVote voting system. Argonne's Vulnerability Assessment Team has previously exposed the same sort of vulnerability in Sequoia AVC machines in 2009, and believe the attack could be used against a wide range of voting machines.

The attack requires tampering with voting machine hardware, and allows for votes to be changed as the voter prepares to commit them. But the devices require no actual changes to the hardware—the hardware required to make the attacks can be attached and removed without leaving any evidence that it had ever been there. The electronics in the demonstrated attack are simply jacked in between two components on the Diebold's printed circuit board using existing connectors.

VAT team leader Roger Johnston said in a video posted by Brad Friedman of the voting watchdog site The Brad Blog that the physical security measures taken to protect voting machines in many states are inadequate to protect them from pre-Election Day tampering. "They're often kept a week or two before elections in a school or church basement,"Johnston said. And the modifications can be made without picking locks or breaking seals on the devices.

Diebold has a shaky security history. In 2004, Johns Hopkins University computer science professor Avi Rubin and a team of researchers revealed a broad set of cyber vulnerabilities in the AccuVote system. In the past, there have been suggestions that Diebold itself tampered with elections in Georgia in 2002.

But while cyber attacks would require a high level of sophistication, the electronic man-in-the-middle attack demonstrated by Argonne's VAT team requires only basic electronics skills, and about $10.50 worth of hardware. "Anybody with an electronics workbench could put this together," Argonne VAT team member John Warner said in the video.




Read the comments on this post

As if the MySQL community doesn't have enough to worry about, a security firm is reporting that the MySQL.com website has been commandeered by hackers. And recent visitors to the MySQL.com website may have downloaded something other than the database software to their systems.

Web security firm Armorize reported in its blog today that the MySQL.com website has been turned into a launchpad for serving up malware attacks. Visitors to the home page of the site are hit with a JavaScript injection attack that has been planted on the site. The script opens an IFRAME to a malicious site, which in turn launches a BlackHole exploit "pack" that probes for known browser and plugin weaknesses and then stealthily installs malware on the visitor's PC. There's no warning button or action required by the user other than visiting the site to trigger the download.

Security blogger Brian Krebs reports that he had seen a post last week on a Russian hacker forum by a member offering to sell root access MySQL.com for $3,000. The site is owned by Oracle.





Read the comments on this post

But all that can be handled with pre-9/11 security. Exactly two things have made airplane travel safer since 9/11: reinforcing the cockpit door, and convincing passengers they need to fight back. Everything else has been a waste of money. Add screening of checked bags and airport workers and we’re done. Take all the rest of the money and spend it on investigation and intelligence.

As true that may be, we are never going to see the end of security theater. It is what people want. They want the government to do something; something that they can see even if it clearly isn't working. Likewise for war on drugs or the death penalty. Nevertheless something to keep in mind and keep insisting it to your elected representatives.

The issue reminds me of the taxation and spending debates; many Americans want low taxes and high government spending, forever.  For airline security, at times we want to treat it as a matter of mere law enforcement, to be handled by others, and one which should not inconvenience our daily lives or infringe on our rights.  At the same time, so many Americans view airline security as a vital matter of foreign policy and indeed as part of a war.  We own and promote this view and yet we are outraged when asked to behave as one might be expected to in a theater of war.  

The main danger to liberty here is not the TSA but rather a set of American attitudes which, at the same time, take our current "war" both far too seriously and also not nearly seriously enough.

Tyler Cowen highlights this behavior of Americans that I always find befuddling. All the talk of America being at war but if you live in America, there is no sign of that actually being true. While I understand fears of being violated by the TSA, such fears are non-existent when it comes to the rights of others (law in AZ, etc.)

" Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality."

Uncheck the AutoFill web forms options and use 1Password instead; much more secure anyway.

"No matter what browser you use – Safari, Firefox, Opera, Chrome – you can easily block access to certain websites by editing your Mac’s hosts file. In fact, it’s completely free and no extra software is required."

Cryptor has a simple, easy-to-use interface which makes securing files a pleasure. The built-in 'String Utility' let’s you encrypt/decrypt a string in an instant, without the usual hassle of using command-line tools.

Like Knox, Espionage uses encrypted disk images to store sensitive data. However, Espionage performs a bit of Finder trickery to give you the illusion that you’re interacting directly with a protected folder, instead of a disk image—the program does all the disk-image work for you, behind the scenes.

The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by researchers at anti-virus firm McAfee.

While the Schiphol airport in Amsterdam had at some gates the required equipment with technology capable of detecting explosives concealed inside an underwear, the gate from which the North-West Airlines flight to Detroit took off did not have this equipment and technology.

more biochemical suits for Grand Forks County, N.D., than the town has police officers to wear them; and $557,400 worth of rescue and communications equipment apparently needed for some 1,500 residents of the town of North Pole, Alaska.

You can't catch terrorists by casting a broad net. You catch terrorists with good police work. You look at networks, suspicious behavior, clues. Ignoring the desperate plea of a father who goes to the CIA with information about his son being radicalized in Yemen, but then patting down 170 million Nigerians ever after, is brain dead.

Several of these arguments are based on assumptions that guided the U.S. response to the Sept. 11, 2001, attacks -- and unfortunately, they are as unfounded now as they were then. The biggest whopper of all? The paternalistic assertion that the government can keep us all safe without our help.

Go to History tab, hit show in sidebar, highlight website then edit delete.

The beauty of Facebook’s many features is that now you can choose what you show and to what type of people. By using friend lists and playing with your privacy settings, you can create different views for each segment of your life.

ISRO on Monday successfully launched its first all-weather spy satellite that will help security agencies keep a watch on the movements on the borders, from its spaceport.

Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your Web preferences and usage patterns.

Avert successful hacker attacks and enhance security with this easy-to-use plugi

White Paper by India Today

The Aim of the Mumbai Prepared Initiative is to highlight the importance of Emergency Preparedness and to develop unique, Mumbai-centred programs and initiatives for disaster preparedness, while simultaneously acting as a catalyst for a local, state & national discussion on how to more effectively partner with non-profit organizations, emergency responders and the city and state infrastructures to serve Mumbai citizens better in emergency situations.

Airport security in America is a sham—“security theater” designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease.

The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"

Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing

Simply drag a copy-protected PDF onto PDF Unlocker's icon, and a new, non-protected copy will be created.

If we teach everyone to be alert for photographers, and terrorists don't take photographs, we've wasted money and effort, and taught people to fear something they shouldn't.

This is the apocalyptic scene terrorists hope to create if they ever get their hands on a nuclear bomb.

With every site you build there are going to be security risks and issues, there is no way around this, it is going to happen. All we can do is minimize the damage, be ready for it and take action. Wordpress is now the most popular Blogging Engine, this w

In the early seventies, the public-school system in San Antonio, Texas, began leaving many of its school buildings, parking lots, and other property dark at night and found that the no-lights policy not only reduced energy costs but also dramatically cut

Not yet applicable to us but definitely will be in the future.