Preliminary details for the sale of tickets for the FIFA Club World Cup Morocco 2013 have been announced, with VISA exclusive pre-sales beginning on Monday 14 October.
The online pre-sale, exclusive to VISA cardholders, begins on Monday 14 October and will run until Sunday 27 October. This will be for all categories, including the Category 3 reserved for Morocco residents.
The open sales phase, for all other payment cards, will begin on Monday 28 October, and will again include all ticket categories.
For those wishing to purchase tickets in person, the Local Sales Stations will open in Morocco in November right up until the first match day. Public Ticket Sales Counters will be located at the Agadir Stadium, the Marrakech Stadium and at other locations to be confirmed in Morocco.
For more information on Club World Cup tickets, make sure to check FIFA.com regularly for further updates.
(Reuters) - At least 35 people were killed and 50 injured when a train derailed on the outskirts of the northern Spanish city of Santiago de Compostela on Wednesday in one of the country's worst rail disasters.
Bodies covered in blankets lay next to carriages as smoke billowed from the wreckage a few hundred meters away from the entrance to the city's main station.
The train derailed on the eve of the ancient city's main Christian festival when thousands of pilgrims travel in to pack the streets.
"It was going so quickly ... It seems that on a curve the train started to twist, and the wagons piled up one on top of the other," passenger Ricardo Montesco told Cadena Ser radio station.
"A lot of people were squashed on the bottom. We tried to squeeze out of the bottom of the wagons to get out and we realized the train was burning ... I was in the second wagon and there was fire ... I saw corpses," he added.
Another witness told the radio station she had heard an explosion before seeing the derailed train.
A spokesman for the regional government's office described the derailment as an accident. But the wreckage will stir memories of 2004's Madrid train bombing, carried out by Islamists, that killed 191 people.
"We can confirm there was an accident, but we cannot confirm mortalities as yet," the official told Reuters.
The head of the surrounding Galicia region, Alberto Nunez Feijoo, said at least 35 people had died and it was too early to say what had caused the derailment.
The crash happened a day before the city's main festival paying tribute to the remains of St James, one of Jesus' 12 disciples.
The apostle's shrine in the city is the destination of the famous El Camino de Santiago pilgrimage, followed by Christians since the Middle Ages.
The city is also the birthplace of Spanish Prime Minister Mariano Rajoy.
No one was immediately available to comment from Spanish train operator Renfe whose logo was visible on the wrecked carriages.
Islam Times - The Financial Times, a renowned British newspaper, reported that the British Security Services had broken into a London apartment following concerns that the residence was used for terrorist activities, only to find that the premises were used for prostitution.
The apartment, which is owned by none other than Salwa Hamad bin Jassim, the Qatari Prime Minister’s daughter, raised some serious question marks over the young woman’s moral standards and the nature of her activities when in the United Kingdom. According to witnesses, Salwa was actually at the apartment in the company of a westerner.
Although the Qatari embassy tried to prevent the scandal from seeing the light of day by offering $50 million to the paper, the Financial Times refused.
In a city of boundless bling, Dubai Police also are in hot pursuit after adding a nearly $550,000 Lamborghini to its fleet.
The sports car, painted in green-and-white colors of the Dubai force, will not likely be roaring after law breakers. Instead, it will be mostly dispatched to tourist areas to show - in the words of Major General Khamis Mattar Al Mazeina, Dubai Police’s Deputy Commander General - “how classy Dubai is.”
The two-door, two-seater sports car, which can reach speeds of up to 217mph, has been painted in the green-and-white colors of the Dubai Police force. It can go from 0 to 62mph in 2.9 seconds.
The Aventador was described by Lamborghini on its website as “a one-of-a-kind piece of art.”
Moroccan football hooligans rampaged through Casablanca, mugging pedestrians and smashing up carriages of the city’s new tram system, cars and public buses. Nearly 200 people have been arrested.
Fans from the capital Rabat paraded through Casablanca before Thursday’s match between clubs from the two cities and attacked people and property. No one was reported injured.
Police said Friday that 193 people were charged with vandalism and the destruction included eight tram carriages, seven public buses and 13 cars. People described on national television being attacked in the streets and mugged by the fans as well.
An inquiry has been launched to discover why more security forces weren’t present.
There is a fierce rivalry between Moroccan football clubs and there have been outbreaks of violence outside games in the past. alarabiya
Last year, a Googler named Dr. Elie Bursztein noticed that Apple's App Store protocols weren't very secure.
Much of the interaction your iDevice had with the App Store was conducted via plain old HTTP.
Apple should really have been using HTTPS, or secure HTTP.
HTTPS, as you probably know, is HTTP traffic carried inside a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) wrapper.
SSL/TLS uses public-key cryptography to create a secure data channel, even between users or websites that have never corresponded before. Conventional encryption, like a door lock, relies on a single key that can both lock and unlock. How to share that one-size-fits-all key before you start using it is a security problem all of its own. Public key cryptography relies on an algorithm that uses two keys. One is kept private, and the other made public. What the public key locks, only the private key can unlock.
The problem with HTTP is that if you're on someone else's network, whether it's wired or wireless, they can probably listen into all your web traffic.
Likewise, if someone else is on your network, they can do the same thing, eavesdropping undetectably.
Worse still, it's very likely that they'll be able not only to watch what you're doing, but also to modify the traffic you send and receive.
So, in an ideal world, there would be HTTPS only, since the encryption layer inhibits both eavesdropping and unauthorised modification. Nobody would use HTTP for anything.
And why not? SSL/TLS encryption can be made largely transparent both to the programmer and the user, so the difference in online experience between encrypted and unencrypted web sessions is pretty modest.
In practice, however, HTTPS isn't quite as convenient for your IT department as HTTP.
You need to get certificates signed, your private keys stored securely, and more.
That means an operational change, which means paperwork, implementation time and (you can guess what comes next) money.
Also, because every HTTPS download is encrypted uniquely for each user each time they fetch it, it's much harder to cache HTTPS traffic.
If 2000 users from the USA pull down the same image file from your database in New Zealand, you can't rely on a web cache on the USA side to serve up an identical copy of the file to 1999 of them, because each download is individually negotiated and encrypted.
As a result, a sort-of HTTP/HTTPS hybrid evolved.
You use HTTPS for the parts of the transaction that really have to be secret, such as sending passwords, credit card numbers and other Personally Identifiable Information (PII).
For everything else, you use HTTP.
That was the model used by many online services, including webmail providers and social networks, until fairly recently.
Implemented as a Firefox plugin, Firesheep listened on the network until the HTTPS-protected part of your social networking session was complete.
Then it sniffed out your session cookie, the magic token embedded in your post-authentication HTTP requests that tells Facebook, Twitter and others that you're an authorised user.
Firesheep could then pretend to be you, posting status updates, links, tweets and more from your accounts as if you had done it yourself.
Of course, even without actively hijacking your social networking accounts, an eavesdropper can learn an awful lot about you from your HTTP traffic.
After all, not everything you upload to Facebook or Twitter is inevitably intended for public consumption, so it oughtn't really to be uploaded without being wrapped in an SSL/TLS session.
Facebook, Twitter and others, bless them all, eventually bit the bullet and simply switched to HTTPS for everything. (At least, they did for web-based clients. Special-purpose mobile apps were, and some still are, a different story, but we shall ignore that issue here.)
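The Firesheep failure mode above comes down to one thing: a session cookie that the server issued without the Secure flag will be resent by the browser over plain HTTP, where anyone on the network can read it. The following audit script is an added example, not code from the original article; it checks constructed HTTP messages for exactly that weakness. The cookie names, the host `social.example` and the sample messages are all constructed for illustration, and the hybrid-model "weak" response is contrasted with a hardened one that sets Secure and HttpOnly and adds an HSTS header.

```python
"""Audit cookie handling for the Firesheep-style failure mode.

Added example, not code from the original article. The sample HTTP
messages are constructed for illustration; 'sessionid' and the host
names are placeholders, not any real service.
"""
from http.cookies import SimpleCookie

# Constructed sample: a login response that sets the session cookie without
# the Secure flag, so a browser will happily resend it over plain HTTP.
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)

# Same login, hardened: Secure + HttpOnly on the session cookie, plus HSTS
# so the browser will not even attempt plaintext HTTP to this host again.
HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Constructed plaintext capture: a post-login request on the HTTP side of the
# hybrid model, carrying the session token in the clear.
PLAINTEXT_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: lang=en; sessionid=abc123\r\n"
    "\r\n"
)

# Cookie names treated as session tokens (constructed list; extend as needed).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def parse_headers(raw):
    """Split a raw HTTP message into (start_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_set_cookies(raw_response):
    """Return {cookie_name: [missing attributes]} for session-like cookies."""
    _, headers = parse_headers(raw_response)
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            if cname.lower() not in SESSION_NAMES:
                continue
            missing = []
            if not morsel["secure"]:
                missing.append("Secure")
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            findings[cname] = missing
    return findings


def has_hsts(raw_response):
    """True if the response carries a Strict-Transport-Security header."""
    _, headers = parse_headers(raw_response)
    return any(n == "strict-transport-security" for n, _ in headers)


def session_cookies_in_clear(raw_request, scheme="http"):
    """Names of session cookies that a plaintext request exposes on the wire."""
    if scheme != "http":
        return []
    _, headers = parse_headers(raw_request)
    exposed = []
    for name, value in headers:
        if name != "cookie":
            continue
        for part in value.split(";"):
            cname = part.strip().split("=", 1)[0]
            if cname.lower() in SESSION_NAMES:
                exposed.append(cname)
    return exposed


if __name__ == "__main__":
    print(audit_set_cookies(WEAK_LOGIN_RESPONSE))       # {'sessionid': ['Secure']}
    print(audit_set_cookies(HARDENED_LOGIN_RESPONSE))   # {'sessionid': []}
    print(session_cookies_in_clear(PLAINTEXT_REQUEST))  # ['sessionid']
```

Run it against saved responses from your own service: a session cookie reported as missing `Secure` is one that the hybrid HTTP/HTTPS model leaks on every unencrypted page view, and the fix is the same one the article describes, HTTPS everywhere with the cookie flags and HSTS set so the browser never falls back.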
But Apple, it seems, didn't bother with HTTPS everywhere, even for its own App Store, until 2013.
Since there's no other place to shop when you're buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher.
You might also have expected Apple to react a bit more quickly after Dr. Bursztein's fairly detailed explanations of why the bar really needed to be higher.
In July 2012, he explained several problems, which he's now made public, including active attacks (that's where you change HTTP content en route between server and client) by which a malcontent could steal your password, trick you into buying the wrong App, deliver you a bogus update, or quietly prevent you from applying a needed update.
Bursztein also showed that the App Store routinely uploaded an unencrypted list of already-installed Apps from your device.
That doesn't sound like much, but it is.
Firstly, some of those Apps will identify aspects of your life that would be handy for a social engineer to know: the bank you use, the newspapers you like, the games you play, the share-trading services you invest with, and more.
Secondly, the complete selection of Apps on your device may very well be unique to you, thus making it a handy form of digital fingerprint for an attacker.
Earlier this year, Apple finally made a start towards the change that many of its web traffic competitors like Google, Facebook and Twitter made some time ago, and bumped all the App Store's active content to HTTPS:
Good. (Better yet would have been to serve everything using HTTPS, but let's be thankful for what we've got.)
If you're a web developer and your web services rely on users sending you traffic that contains anything at all that oughtn't to be public, you should be doing the same.
Even data that isn't legally considered PII can be pure gold to cybercrooks, and so leaking it could be putting your customers at risk.
And you wouldn't want that, would you?
Learning more about SSL/TLS
Would you like to know more about SSL/TLS?
Here's a quarter-hour Sophos Techknow podcast, featuring Paul Ducklin and Chester Wisniewski as they explain the S in HTTPS:
Yesterday was a challenging day for the double X-chromosomed - or, really, for anybody who doesn't want to be spied on.
First, there was this Ars Technica piece about ratters: hackers who use remote administration tools (RATs) to gain access to (primarily) women's webcams, files and PC microphones to steal files and surreptitiously spy on victims, whom they refer to as "girl slaves."
While we wait, there's time to ponder the privacy invasions Google's glasses portend.
For one, it will be a boon to those who don't have the technical acumen to actually hack into somebody's computer and take it over like the ratter crowd.
As ReadWrite pointed out, Google's device removes the social awkwardness, and obviousness, of pointing a camera or smartphone at somebody to snap their photo or grab some video of them.
Taking the phone or camera out of the equation means that stalker types can just look and snap, or leer and record, as the case may be.
Of course, it's not only attractive women who'll be potentially targeted by creeps. It could be children, or anybody, for that matter.
Google hasn't included facial recognition for their first iteration of Glass. I tried to find thoughts from them on whether it would be included in future versions, but I came up short. Enlighten me, please, if you've seen such.
Given the social networking giants' attraction to this technology up to this point, it's hard to imagine Google will refrain from including it in the long term.
In the meantime, the Glass-clad will have the option of quietly muttering voice commands to their Android-enabled face gear so as to do a bit of Google stalking on whomever they just met.
The invasion of privacy this promises to usher in is reminiscent of "Girls Around Me," the stalking app that tied in to Foursquare to enable users to access women's specific location, photos, Facebook details including birthdays or relationship status or schools attended, and whatever else Facebook and Foursquare's check-in functions had broadcast about its targets.
Thankfully, at least one business has already banned Google Glass.
If you’re one of the few who are planning on going out and spending your savings on Google Glasses – what will for sure be a new fad for the fanny-pack wearing never removing your bluetooth headset wearing crowd – plan on removing them before you enter The 5 Point. The 5 Point is officially a No Google Glass zone.
Nicely done, 5 Point. Thank you for protecting your patrons' privacy, particularly in your gadget-savvy city.
ZDNet's James Kendrick predicts that when public awareness of Google Glass reaches a critical mass, and when people understand that the devices can record photos, video and audio of the wearer's surroundings, we'll see more such bans.
Don't be surprised if within weeks of the Google Glasses general release we start seeing bans of it cropping up all over the place.
I hope he's right.
I'd suggest that as we await the availability of what admittedly sounds like insanely fun gadgetry, outside of the scary privacy bits, you practice the same caution with regards to your privacy around Google Glass as I recommended with Girls Around Me.
To wit: Check your applications. Stay safe. Check what they're beaming out about you. Check your children's applications. Be aware of the information your kids' apps beam out about them.
French telecom regulators have suggested that Skype could face charges for failing to register as a telecom and do all the things that French telecoms are supposed to do - for example, let police eavesdrop on calls.
ARCEP, the French telecom authority, on Tuesday posted a notice stating that they have informed the Paris public prosecutor that as Skype provides French internet users with the ability to make phone calls, it is thereby obliged to comply with regulations that include routing emergency calls and "implementing the means required to perform legally ordered interceptions."
Skype's failure to declare itself an "electronic communications operator" after being "requested several times" by ARCEP could be classified a criminal offense, ARCEP says.
Here's a statement Skype sent to Ars Technica about the désaccord désagréable:
Skype is a globally known and used software app that seamlessly enables millions of people to communicate every day via their Internet connection. We have engaged with ARCEP in discussion over the last several months during which we shared our view that Skype is not a provider of electronic communications services under French law. We will continue to work with ARCEP in a constructive fashion to seek agreement on a resolution that ensures people, wherever they are, can continue to rely on Skype as they do today.
As the Washington Post reported last July, Skype has been sharing more and more data with law enforcement authorities since Microsoft purchased the company in May 2011.
That includes making online chats and other user information such as addresses and credit card numbers available to police.
At any rate, Skype may never have deserved its former reputation as a safe harbor for activists to communicate without fear of interception.
Christopher Soghoian, a tech policy analyst and privacy advocate at the American Civil Liberties Union (ACLU) wrote this about Skype last year:
Skype has always been rather evasive when it comes to discussing this issue. Whenever questions come up, the company makes it a point to mention that it provides end-to-end encryption, but then dodges all questions about how it handles encryption keys.
Skype's strategy is genius - most journalists, even those that cover tech, know very little about the more granular aspects of cryptography. When Skype says it provides end-to-end call encryption, journalists then tell their readers that Skype is wiretapping proof, even though Skype never made that specific claim. Conveniently enough, Skype never bothers to correct the many people who have read a tad bit too much into the company's statements about security.
So it would seem that if France does put the collar around Skype's neck and get it to heel, not much will change.
It appears that Skype has long been going along with law enforcement's request to intercept communications.
If French citizens ever inhabited a safe zone outside of that type of surveillance, it sounds like that bubble will likely get popped soon.
This story has been updated with content that supersedes much of the original content. Updates are found at the bottom of the story.
Hackers disclosed this morning that they have been able to compromise BarackObama.com through a SQL injection attack.
The English of the post is quite poor; however, the researcher makes a very valid point. Shouldn't the most powerful, well-protected man in the world have a website that is at least reasonably secure? Storing credentials in plain text is even more embarrassing than being vulnerable to SQL injection. Sometimes passwords must be stored in a reversible manner, but you should make the attacker at least work at it a bit.
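The point about plaintext credentials is worth making concrete. Below is an added example (not code from the original article) of the minimum a site should do with stored passwords: hash each one with a per-user random salt and an iterated key derivation function, so that a leaked table does not hand the attacker the passwords outright. The iteration count and the sample password are constructed choices for illustration, not values from the page.

```python
"""Salted, iterated password hashing with the standard library.

Added example, not code from the original article. ITERATIONS is an
assumed cost parameter; tune it for your own hardware.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed cost parameter, not a value from the page


def hash_password(password, salt=None):
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh 16-byte salt is drawn from os.urandom unless one is supplied,
    so two users with the same password get different records.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def plaintext_leaks(stored, password):
    """True if the stored record reveals the password outright, which is
    the failure the article describes."""
    return password in stored


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor")  # constructed sample password
    print(record)
    print(verify_password("Tr0ub4dor", record))  # True
    print(verify_password("wrong", record))      # False
```

Storing the algorithm name and iteration count inside the record is what lets you raise the cost later without invalidating existing users: on their next successful login you simply rehash with the new parameters.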
More concerning is the screenshot that shows the URL as donate.barackobama.com. What other unencrypted information about donors might be stored in this database? If passwords haven't been encrypted, it doesn't take much imagination to figure out that other sensitive data is unencrypted as well.
On the bright side, it does appear that the staffers who log in to this site have somewhat secure passwords. The lengths are not impressive, but most show the recommended mix of letters, numbers, and capitalization and are not based on obvious dictionary words.
I deliver a seminar entitled "Anatomy of an Attack: How Hackers Threaten Your Security," in which I discuss how SQL injection attacks work and demonstrate an actual attack to show how simple it can be for even someone unskilled to perform this type of reconnaissance. Another point that is often difficult to explain is that there is no such thing as "safe surfing."
As administrators, we are often our most dangerous users. Time and again, when asked, administrators will say their scariest surfer is an executive, the sales guy, or the mail clerk. The bigger danger is having administrative privilege and not realizing how pervasive the threat on the web is. When the NY Times, Google, and BarackObama.com are hosting malware, there are no safe websites despite the false confidence gained by not surfing porn.
What can you do to avoid becoming the next victim of this type of compromise? One piece of advice I give in "Anatomy of an Attack" is to approach inputs on your website from a whitelisting angle, rather than trying to blacklist every possible way you think someone could enter malicious input. There are many ways to encode SQL commands to bypass filtering, so it is best to only accept characters that should be valid input.
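Here is the whitelisting advice above carried through in code. This is an added example, not code from the original article or the seminar: a username lookup written three ways against an in-memory SQLite table. The table, its rows, the hostile input and the username rule (letters, digits, dot and underscore, 3 to 32 characters) are all constructed assumptions for illustration. The vulnerable version shows why a blacklist is a losing game (the input is parsed as SQL), the parameterised version shows the driver treating the same input as data, and the hardened version layers the whitelist on top.

```python
"""Whitelist input validation plus parameterised queries.

Added example, not code from the original article. The users table, its
rows, the hostile input and the username policy are constructed for
illustration only.
"""
import re
import sqlite3

# Assumed username policy: only characters that are valid in a username.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._]{3,32}$")


def setup_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "staff"), ("bob", "staff"), ("carol", "admin")],
    )
    return conn


def validate_username(value):
    """Whitelist check: accept only what a username may contain.
    Returns the value unchanged or raises ValueError."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the whitelist")
    return value


def lookup_vulnerable(conn, username):
    """String concatenation: the input is interpreted as SQL, not data.
    Kept here only to contrast with the safe versions below."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Bound parameter: the driver sends the input as a value, so no
    encoding trick turns it into SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_hardened(conn, username):
    """Defence in depth: whitelist first, then a parameterised query."""
    return lookup_parameterised(conn, validate_username(username))


# Constructed hostile input of the kind a blacklist would have to anticipate.
HOSTILE = "x' OR '1'='1"


def demo():
    """Run all three lookups and report what each one returns."""
    conn = setup_db()
    results = {
        "vulnerable": lookup_vulnerable(conn, HOSTILE),      # every row
        "parameterised": lookup_parameterised(conn, HOSTILE),  # no rows
    }
    try:
        lookup_hardened(conn, HOSTILE)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"
    results["legit"] = lookup_hardened(conn, "alice")
    return results


if __name__ == "__main__":
    print(demo())
```

The whitelist is not a substitute for parameterised queries; it is the outer layer. Even if a future code path forgets to bind parameters, input that has already been reduced to a small, known character set has far less room to do damage.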
Sensitive data should always be encrypted regardless of where it resides. Many companies are beginning to encrypt laptop hard disks, but this is just the beginning. Desktops and servers are as likely as anything else to contain personally identifiable information and should be treated with the same caution as laptops. Sensitive data must be tracked and secure practices applied whether that data is in a database, on a backup tape, or being transported on a USB key or smart phone.
Our recent introduction of DLP into Sophos Anti-Virus helps administrators discover this data when it is being transferred, and can also help identify endpoints that may contain data that needs protection. The extent to which this data is spread throughout your organization may surprise you.
I invite anyone in the Atlanta or Chicago areas to join me for my next two "Anatomy of an Attack" seminars. The presentation is purely informational, and not focused on our products or a sales pitch. In addition to providing information on all the latest threats, who is behind them, and how to defend yourself, I demonstrate some live malware and how criminals are distributing it through the web, giving insight into how you can better defend your networks.
Update: The Tech Herald is reporting that they have spoken to the Democratic National Committee who deny Obama's site was hacked. This is not surprising, and I believe is also incorrect. The usernames all match up with Obama staffers and campaign staff, which if the screenshot posted by Unu was mocked up would be a lot more work than most scammers would bother with.
Additionally, my wife brought to my attention that several of the passwords are in fact based upon the names of the users and are of far poorer quality than I originally had posted. Just another reason to choose a good password... You never know when someone who stores it insecurely will leak it, and potentially make you look quite foolish.
Update 2: Upon doing further research it would appear the users viewed in the screenshot may in fact be related to Roosevelt University. The Tech Herald has updated their post above confirming that information. A source aware of the events has informed me that the barackobama.com site may have been used as a proxy in accessing the Roosevelt University MS Access database. No data collected nor used by barackobama.com or the DNC was compromised. By Googling for some of the names provided in the screenshot it is quite easy to confirm that they are associated with Roosevelt University. The more interesting part is the statement from Blue State Digital that the database that was compromised is not hosted by them. They stated that they do not use Access databases, and do not host any content associated with barackobama.com. Whether this is an elaborate hoax, or a yet to be found hole that allowed someone to proxy from the Obama site is yet to be determined.