Reuters social media editor charged over Anonymous hack of LA Times

Matthew Keys, deputy social media editor for Reuters, has been charged with conspiring with members of Anonymous to hack into the website of the Los Angeles Times in December 2010.

Keys, 26, was charged with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer. The crimes carry sentences of up to ten years and fines of up to $250,000, though any actual sentences are likely to be a small fraction of these.

Keys was a former employee of California television station KTXL Fox 40. Fox 40 and the LA Times are both owned by media conglomerate the Tribune Company. Through his employment, he had credentials to the Tribune Company's content management system (CMS).

Read 2 remaining paragraphs | Comments

Most PC security problems come from unpatched third-party Windows apps

If you've got 99 security problems, odds are Microsoft's not one—or at least it's just a minority of them. In its annual review of software vulnerabilities, security software firm Secunia found that 86 percent of vulnerabilities discovered on systems scanned by its software in the 50 most popular Windows software packages in 2012 were attributable to third-party developers and not to Microsoft's Windows operating system or applications. And for most of these vulnerabilities, a patch was already available at the time they were discovered.

Of the top 50 most used Windows packages—including the Windows 7 operating system itself, 18 were found to have end-point security vulnerabilities, a 98 percent increase over five years ago. Of those 18 packages, Google's Chrome and the Mozilla Firefox browser were the biggest culprits, with 291 and 257 detected vulnerabilities respectively. Apple iTunes came in third, with 243 detected vulnerabilities. The remainder of the top ten offenders were:

  • Adobe Flash Player: 67
  • Oracle Java JRE SE: 66
  • Adobe AIR: 56
  • Microsoft Windows 7: 50
  • Adobe Reader: 43
  • Microsoft Internet Explorer: 41
  • Apple Quicktime: 29

Of the vulnerabilities documented in Secunia's database, 84 percent had already been patched by vendors when they were discovered on systems. "This means that it is possible to remediate the majority of vulnerabilities," said Secunia Director of Product Management Morten R. Stengaard. "There is no excuse for not patching."

Read on Ars Technica | Comments

National Vulnerability Database taken down by vulnerability-exploiting hack

The federal government's official catalog of software vulnerabilities was taken offline after administrators discovered two of its servers had been compromised. By malware. That exploited a software vulnerability.

The National Vulnerability Database is maintained by the National Institute of Standards and Technology and has been unavailable since late last week, according to an e-mail sent by NIST official Gail Porter published on Google+. At the time of this article on Thursday afternoon, the database remained down and there was no indication when service would be restored.

"On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet," Porter wrote in the March 14 message. "NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability."

Read 2 remaining paragraphs | Comments

Two new attacks on SSL decrypt authentication cookies

Researchers have devised two new attacks on the Transport Layer Security and Secure Sockets Layer protocols, the widely used encryption schemes used to secure e-commerce transactions and other sensitive traffic on the Internet.

The pair of exploits—one presented at the just-convened 20th International Workshop on Fast Software Encryption and the other scheduled to be unveiled on Thursday at the Black Hat security conference in Amsterdam—don't pose an immediate threat to the millions of people who rely on the Web-encryption standards. Still, they're part of a growing constellation of attacks with names including BEAST, CRIME, and Lucky 13 that allow determined hackers to silently decrypt protected browser cookies used to log in to websites. Together, they underscore the fragility of the aging standards as they face an arsenal of increasingly sophisticated exploits.

"It illustrates how serious this is that there are so many attacks going on involving a protocol that's been around for years and that's so widely trusted and used," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told Ars. "The fact that you now have CRIME, BEAST, Lucky 13, and these new two attacks within the same week really illustrates what a problem we're facing."

Read 14 remaining paragraphs | Comments