Posts Tagged ‘security’

All that user-generated content? 95% is malware, spam

// February 8th, 2010 // No Comments » // Tech News

The latest research from Websense Security Labs paints a dreary but familiar picture of the state of online security threats. Echoing the bad news of other such recent reports , it seems the vast majority of the Web consists of malware and spam. Worse yet, even legitimate, well-known sites are being used to pump malware, SEO poisoning, or phishing attacks. Websense uses a global network of systems to scan and analyze over 40 billion websites every hour, tracking malware and other unwanted content. The results for the latter half of 2009 show a 225 percent increase in malicious websites. Worse, 71 percent of websites found to contain some malicious code were in fact legitimate websites that had been compromised in some way.

Amazon puts out one e-book pricing fire as others flare up

// February 8th, 2010 // No Comments » // Tech News

Just as it looked like Amazon was about to achieve an iTunes-style lock on the e-book marketplace, the impending arrival of Apple’s iPad seems to have emboldened book publishers. After a pricing dispute caused all Macmillan titles to disappear off Amazon’s virtual shelves , other publishers joined the pricing revolt , demanding greater flexibility in setting prices on their wares. According to the Wall Street Journal , Amazon has apparently settled the first of these disputes by capitulating. According to the Journal’s report, Amazon will give up on its $9.99 pricing target for e-books, and allow Macmillan greater flexibility to set the rates for its content. The new prices may be as much as $5.00 higher. Although Amazon had announced that it had no choice but to concede given what it termed Macmillan’s “monopoly” over its content, the publisher’s books were slow to reappear in the retailer’s site. That apparently changed over the weekend following a full settlement of the dispute on Friday. Unfortunately for Amazon, it appears that Macmillan will be the first of many publishers that seek to renegotiate terms, as at least two others (Harper Collins and Hachette) have voiced their intention of doing so. The trigger for the sudden uprising, according to nearly every report on the  matter, is the impending arrival of Apple’s iPad, as Apple has negotiated deals that allow publishers to retain significant control over e-book prices. As we noted in our earlier coverage, this is a complete role reversal compared to the dispute over downloadable music pricing. For Amazon, it all has to be a major disappointment. After remaining relatively circumspect about Kindle sales, the company allowed itself a bit of back-patting after both hardware and e-book sales boomed over the holidays. Its primary competitor, Sony, appeared to be struggling in comparison, and newcomers to the e-book reader market appeared to have a bad case of first-generation hardware blues, something that Amazon had already put in its past. But the mere threat of Apple releasing a competing product seems to have encouraged Amazon’s key suppliers (the publishers) to think different.

Hacker training site reappears after takedown by China

// February 8th, 2010 // No Comments » // Tech News

Chinese authorities are making a cursory effort to crack down on hackers as of late, and have shut down hacker training website Black Hawk Safety Net. According to state-run news organization Xinhua , police in the Hubei Province made three arrests associated with the massive recruiting site and have confiscated numerous assets, including cash, servers, and a Honda Accord. With all eyes on China thanks to the Great Google Scandal of 2010 , a move like this may calm fears that China is allowing itself to become a Wild West of cybercriminals. The problem is that Black Hawk already has a contingency plan in place and may be back sooner than later. Police allege Black Hawk Safety Net is responsible for distributing hacking tools, viruses, and malware for members to use, and say that it is among the largest—if not the largest—of such sites in the country. According to Xinhua, the site has more than 12,000 VIP members plus 170,000 free members, and has collected over 7 million yuan (just over US$1 million at today’s conversion rates) in membership fees. When police raided the site, they confiscated nine servers, five computers, and froze some 1.7 million yuan in cash, though the paper reported that this was part of a long-term effort to investigate the site.

Microsoft Patch Tuesday for February 2010: 13 bulletins

// February 5th, 2010 // No Comments » // Tech News

According to the Microsoft Security Response Center, Microsoft will issue 13 Security Bulletins addressing 26 vulnerabilities on Tuesday, and it will host a webcast to address customer questions about the bulletins the following day (February 10 at 11:00am PST, if you’re interested). Five of the vulnerabilities are rated “Critical,” seven are marked as “Important,” and the last one is classified as “Moderate.” All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least 10 of the 13 patches will require a restart. The list of affected operating systems includes Windows 2000, Windows XP (x86 and x64), Windows Server 2003 (x86 and x64), Windows Vista (x86 and x64), Windows Server 2008 (x86 and x64), Windows 7 (x86 and x64), and Windows Server 2008 R2 (x86 and x64). In terms of the Microsoft Office suites, only older versions are affected: Office XP, Office 2003, and Microsoft Office 2004 for Mac. Compared to last month’s quiet Patch Tuesday , this one is quite a whopper. The exact breakdown of the bulletins is as follows: Bulletin 1: Critical (Remote Code Execution), Windows Bulletin 2: Critical (Remote Code Execution), Windows Bulletin 3: Critical (Remote Code Execution), Windows Bulletin 4: Critical (Remote Code Execution), Windows Bulletin 5: Critical (Remote Code Execution), Windows Bulletin 6: Important (Remote Code Execution), Office Bulletin 7: Important (Remote Code Execution), Office Bulletin 8: Important (Remote Code Execution), Windows Bulletin 9: Important (Denial of Service), Windows Bulletin 10: Important (Elevation of Privilege), Windows Bulletin 11: Important (Remote Code Execution), Windows Bulletin 12: Important (Denial of Service), Windows Bulletin 13: Moderate (Elevation of Privilege), Windows If you’re wondering, the 17-year-old Windows hole we reported on last month is indeed being plugged next week. As for the Internet Explorer flaw disclosed this week , Microsoft understandably isn’t ready to patch it yet. What is worrying, however, is that Redmond says it is still working on a patch for the SMB flaw that can be used crash Windows 7 and Server 2008 R2 remotely. That was disclosed three months ago , so the company is lagging quite a bit with that one. Along with these patches, Microsoft is also planning to release the following on Patch Tuesday: One or more nonsecurity, high-priority updates on Windows Update (WU) and Windows Server Update Services (WSUS) One or more nonsecurity, high-priority updates on Microsoft Update (MU) and WSUS An updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Microsoft Download Center This information is subject to change by Patch Tuesday; Microsoft has been known to rush patches as well as pull them if it deems it necessary.

Cisco’s wiretapping system open to exploit, says researcher

// February 4th, 2010 // No Comments » // Tech News

To meet the needs of law enforcement, most telecommunications equipment includes hardware and software that allow for the monitoring of traffic originating with the targets of investigations. The precise capabilities are often dictated by formalized standards, which allow any hardware maker to implement a compliant system. Unfortunately, these standards often leave the hardware wide open to various attacks that leave regular users vulnerable, and provide savvy surveillance targets the opportunity to evade the snooping. An IBM researcher has put Cisco’s system under the microscope at a Black Hat Conference, and found it comes up short. Although the standard was designed to put Cisco hardware in compliance with EU directives, it has apparently been adopted by a number of other hardware makers. The presentation, described in detail by Dark Reading, describes how its reliance on SNMPv3, creates a variety of options for attack. For example, the protocol was initially vulnerable to a brute force attacks on its authentication system; although Cisco has patched that flaw, there’s no way to determine how many unpatched machines remain in the wild. SNMP also defaults to operating over UDP, and it’s relatively easy to spoof things like the source address and port for that protocol. It’s possible to use TCP instead, and even limit the addresses that can access the hardware, but the protocol doesn’t specify either of these. Communications aren’t encrypted by default, and the system won’t notify administrators when a trace is activated or disabled, meaning that hackers could potentially set up or eliminate surveillance without anyone being aware of it. The IBM researcher, Tom Cross, notified Cisco of the issues back in December, and recommends revisions to the standard that will ensure that it is more secure by default. That might be helpful, but it still wouldn’t deal with the problems posed by unpatched systems—Cross himself apparently recognizes that network administrators can be hesitant to risk the disruption of service that may come with updating major pieces of equipment.

Buy Office 2007, get 2010 free? Microsoft posts, pulls deal

// February 4th, 2010 // No Comments » // Tech News

Microsoft has accidentally posted details about a promotion it will be running for those who buy Office 2007 a few months before and after the release of Office 2010 in June 2010 . It is called the “Microsoft Office 2010 Technology Guarantee Program,” though Redmond is not yet ready to announce it. “Microsoft has not disclosed an Office 2010 Technology Guarantee,” a Microsoft spokesperson told Ars. “We have no further comment at this time.” According to a cached copy of a post on ” In The Know - Charles Van Heusen’s Weblog ,” which is part of the Microsoft US Partner Community website, Customers who purchase a copy of Office 2007, with or without a new PC, from an authorized reseller between March 5, 2010 and September 30, 2010 qualify for the promotion. They must install and activate Office 2007 by September 30, 2010 and request their free Office 2010 product by October 31, 2010 using an activated Office 2007 Product Key and a dated sales receipt. Office 2010 will be available for a free download for those that qualify, though discs will be orderable for a fee (Microsoft usually charges for shipping and handling when sending out copies of discs for software it is giving away via download). One Office 2010 product is allowed per qualifying Office 2007 purchase, though there is a limit of 25 per person.

JooJoo maker: iPad won’t crowd us out of tablet space

// February 4th, 2010 // No Comments » // Tech News

When Fusion Garage invited us down to their Singapore office yesterday for a look at the JooJoo tablet, we went with the assumption that they would be showing us the final software running on actual production hardware. As it happens, we were shown the same device that the company used for its launch back in December. Nevertheless, I had a chance to speak with founder and CEO Chandra Rathakrishnan, and was able to confirm additional information on the company’s plans, and about the device itself.

In wake of hack, Google negotiating cooperation with the NSA

// February 4th, 2010 // No Comments » // Tech News

In January, Google went public with news that some of its systems had been hacked, along with those of a number of US-based companies. The attacks had targeted both accounts maintained by political activists and commercial code, and Google pointed the finger straight at China, vowing to change its entire approach to business in that country. But a report now suggests that the company is also looking to beef up its internal defenses to prevent a repeat of the attacks. The Washington Post is reporting that Google has started negotiations with the US National Security Agency about a collaborative effort to analyze the attack and figure out how best to prevent a recurrence. The Post is citing confidential sources, as the deal isn’t final and, even if it were, it’s unlikely that Google would seek to publicize it. For starters, both organizations have already been the target of many complaints by privacy advocates, the NSA for its domestic surveillance efforts, Google for its data retention policies. The combination of the two would clearly make the advocates far more uneasy, and might help them make their case with the wider public. Meanwhile, as the report notes, private companies have often been loath to share information about their proprietary systems with the government for a variety of reasons. That may explain why the negotiations have been going slowly, as the NSA would clearly need access to and understanding of Google’s infrastructure in order to fully evaluate the attacks and future risks. And that’s precisely the sort of proprietary information that Google is presumably reluctant to provide anyone with—even a highly secretive organization like the NSA.

feature: Studios crushed: ISP can’t be forced to play copyright cop

// February 4th, 2010 // No Comments » // Tech News

In a definitive defeat for film studios—and in a first case of its kind worldwide—Australia’s Federal Court has ruled that ISPs have no obligation to act on copyright infringement notices or to disconnect subscribers after receiving multiple letters. If copyright holders want justice for illegal file-sharing, they need to start by targeting the right people: those who committed the infringement. The ruling handed down today by Judge J. Cowdroy aims to be nothing less than magisterial: in 200 pages, it examines the issue from every possible angle because of the “obvious importance of these proceedings to the law of copyright both in this country and possibly overseas.”

Graphene transistors promise 100GHz speeds

// February 4th, 2010 // No Comments » // Tech News

Researchers are running into the physical limits of speed and scaling in silicon transistor technology, forcing them to look elsewhere for next-generation devices. The leading candidate to replace silicon being pursued by, well, pretty much everyone, is graphene. Graphene, single sheets of graphitic carbon, is exciting because it is a single atom thick and has remarkably high electron mobilities (100 times greater than silicon), making it ideally suited to atomic-scale, high-speed operation. Also, graphene’s electrical properties can be controlled, switching it among conducting, semiconducting and electrically insulating forms. That means graphene-only (or, more likely, graphene-mostly) devices are, in principle, possible. In this week’s Science , researchers from IBM demonstrate graphene-based field effect transistors (FETs) that may operate at much higher speeds (100GHz) than Si FETs. Graphene layers were thermally grown on two-inch SiC wafers and the FETs were formed using standard Si fabrication techniques with HfO 2 as the gate oxide. That’s a rather significant point—the researchers actually created an entire wafer of these devices.

« Older Entries


eXTReMe Tracker