8chan domain “seized” over allegations of “child abuse” content

Last week, the imageboard site 8chan.co was brought offline for a sustained period of over five days due to a prolonged DDoS attack. On Monday, it returned only to go back offline for a much different reason: Its domain had been seized.

Site founder Fredrick Brennan posted an e-mail on Monday that he says came from the site's Bahamas-based registrar, Internet.bs. The note explained that the domain 8chan.co had been put "on hold" due to "child abuse" content appearing on the site.

This followed a swell of complaint e-mails sent over the weekend to Cloudflare, the "pass-through" hosting company that had been operating 8chan's servers. Some Cloudflare users were upset over content posted on 8chan by its imageboard users. "Please take appropriate measures to stop your customer from abusing your services and enabling illegal content," one complainant wrote after posting links to 11 8chan boards that contained underage "girls and boys shown in sexual poses."


Surprise! North Korea’s official news site delivers malware, too

A security researcher examining the website of North Korea's official news service, the Korean Central News Agency, has discovered that the site delivers more than just the latest photo spread of Democratic People's Republic of Korea leader Kim Jong Un inspecting mushroom farms. There's a little extra surprise hidden in the site's code—malware. The news site appears to double as a way for North Korea to deliver a "watering hole" attack against individuals who want to keep tabs on the "activities" of the DPRK's dear leader.

Ars has independently verified a reference within part of the site's JavaScript code called from the home page to a download named "FlashPlayer10.zip." The file, which is set as a JavaScript variable "FlashPlayer" on the site's main page and on other site pages, contains two files labeled as Windows executable installers containing updates for the long-since obsolete Flash Player 10—one for an alleged ActiveX control, and the other for a browser plug-in. Both are identical files, and they contain a well-known Windows malware dropper, based on an analysis through the malware screening site VirusTotal.


When Google squares off with Microsoft on bug disclosure, only users lose

The perennial problem of bug disclosure has provoked a new squabble between Microsoft and Google. On Sunday, Google disclosed the existence of a Windows elevation of privilege flaw that the company reported privately in October. That flaw hasn't been patched yet. It will be very soon—the update is due to land on Patch Tuesday, tomorrow—but Google's publication of the flaw means that, for a couple of days, Windows users are vulnerable to an unfixed flaw.

In response, Chris Betz, senior director of the Microsoft Security Response Center, published a lengthy complaint calling for "better coordinated vulnerability disclosure."

Microsoft has been promoting "coordinated vulnerability disclosure" since 2010, but the security community has long been split on how best to disclose security flaws. On one extreme is the full disclosure crowd; security flaws are documented and described in full, in public, typically onto a mailing list. In the early days, that disclosure was typically the first time the software developer responsible even heard of the flaw, though some researchers promised to disclose to vendors first.


The importance of deleting old stuff—another lesson from the Sony attack

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we're saving everything we can about our customers on the remote chance that it might be useful later.
