- Symantec: New ZeuS botnet no longer needs central command servers, NetworkWorld via Slashdot
- Researchers to detail WebKit zero-day on Android phones at RSA Conference, threatpost
- Cambridge’s Capsicum Framework Promises Efficient Security For UNIX/ChromeOS, Slashdot
- SSL fix aims to mend huge cracks in ‘Net’s foundation of trust, Ars Technica
- ASLR to be mandatory for binary Firefox extensions, The H Security: News and Features
- Add-ons behaving badly: the challenges of policing the Firefox ecosystem, Ars Technica
- Android drive-by download attack via phishing SMS, ZDNet
- Flashback Mac OS X malware exploiting (old) Java security holes, ZDNet
- Is Windows to blame for viruses?, Wild Webmink
- Researcher to demo smartphone attack at RSA, InSecurity Complex at CNET News
- PSI 3.0: Auto-patching for dummies, Krebs on Security
- Cisco to push threat intelligence to all devices, The Register
- Google offers $1 million reward to hackers who exploit Chrome, Ars Technica
- Mobile firms back new GSMA app privacy guidelines, BBC News
- Time to kill off captchas, Scientific American
- Use it better: 8 alternatives to the hated captcha, Scientific American
- PostgreSQL updates close security holes, The H Open Source: News and Features
- Fake chat screen malware hijacks banking customers, threatpost
- Mozilla introduces Collusion, a new tracking mapper add-on, The H Security: News and Features
- Loophole in iOS allows developers access to users’ photos, threatpost
- HTTPS Everywhere reaches 2.0, comes to Chrome as beta, The H Security: News and Features
- Phone call ‘line noise’ could expose thieves, Technology Review
- Darpa warns: Your iPhone is a military threat, Danger Room at Wired.com
- Espionage malware with ties to RSA hack snags scores of government PCs, Ars Technica
- How a web link can take control of your phone, Technology Review
- 99% of NASA’s portable devices are unencrypted, Ars Technica
- EFF’s HTTPS Everywhere plugin detects bad certs, security flaws, threatpost
- Tick-like banking Trojan drills into Firefox, sucks out info, The Register
- Mozilla proposes Do Not Track at OS level on mobile devices, The H Open Source: News and Features
- Android Apps also have a backdoor to your photos, Ars Technica
- NSA publishes blueprint for top secret Android phone, Slashdot
- Report: Hackers seized control of computers in NASA’s Jet Propulsion Lab, Threat Level at Wired.com
- Linode exploit caused theft of thousands of Bitcoins, Slashdot
- Bitcoins worth $228,000 stolen from customers of hacked Webhost, Ars Technica
- Phishing via NFC, The H Security: News and Features
- Slowloris DDoS tool used by Anonymous hacked to include Zeus trojan, Ars Technica
Ooh, I like the idea of this spamtrap alternative to painful Captchas:
The Hidden-Field Scam
The Web site’s creator makes a tempting-sounding text box labeled something like “E-mail address”—and then makes it invisible, using CSS (cascading style sheets) coding. Humans will never see that box, and will leave it empty; software bots will fill it in.
Or from http://www.sitepoint.com/captcha-alternatives/
6. Detect the presence of JavaScript
If your page can run JavaScript, you can be almost certain it has been loaded in a browser by a human user. A simple in-page dynamically generated JavaScript function could perform a simple calculation or create a checksum for the posted data. This can be passed back in a form value for verification.
An estimated 10% of people have JavaScript disabled, so further checks will be necessary in those situations.
7. Show a verification page or fail the first posting attempt
Bots have a tough time reacting to a server response. If you are in any doubt about the validity of a post, show an intermediary page asking the user to confirm their data and press submit again.
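The three checks quoted above combined on the server side, as an added example that is not code from either article: the honeypot field, a nonce-bound checksum that only the in-page script can produce, and the confirmation-page fallback for clients without JavaScript. Field names, the checksum scheme and the in-memory nonce store are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed field names for this example: the invisible honeypot is "email_confirm",
# the nonce travels in "form_nonce", and the script's checksum in "js_token".
HONEYPOT_FIELD = "email_confirm"
NONCE_FIELD = "form_nonce"
TOKEN_FIELD = "js_token"
PROTECTED_FIELDS = ("name", "message")

# Nonces issued with rendered forms (a session store in practice; in-memory here).
issued_nonces = set()


def render_form_nonce():
    """Server side: mint a single-use nonce and embed it in the form for the script."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return nonce


def checksum(nonce, fields):
    """The 'simple calculation' the in-page JavaScript performs before submit:
    hash the nonce together with the values typed into the protected fields."""
    h = hashlib.sha256(nonce.encode())
    for key in PROTECTED_FIELDS:
        h.update(b"\0" + fields.get(key, "").encode())
    return h.hexdigest()


def browser_submit(nonce, fields):
    """Simulate a browser: honeypot left empty (never shown), token filled in by JS."""
    form = dict(fields)
    form[HONEYPOT_FIELD] = ""
    form[NONCE_FIELD] = nonce
    form[TOKEN_FIELD] = checksum(nonce, fields)
    return form


def classify(form):
    """Server side. Returns 'accept', 'reject', or 'confirm' (show the verification page)."""
    if form.get(HONEYPOT_FIELD, ""):          # 1. humans cannot see it; bots fill it
        return "reject"
    nonce = form.get(NONCE_FIELD, "")
    if nonce not in issued_nonces:            # 2. unknown or already-used nonce
        return "reject"
    issued_nonces.discard(nonce)              #    consume it: no replay of a captured form
    token = form.get(TOKEN_FIELD, "")
    if not token:                             # 3. no JS ran: ask the user to confirm
        return "confirm"
    if hmac.compare_digest(token, checksum(nonce, form)):
        return "accept"                       # 4. page really executed in a browser
    return "reject"                           #    token present but forged
```

A real deployment would keep the nonce in the session and bind it to the client, since a bot that parses the page can copy a hidden nonce just as easily as any other field.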