MySpace page serves bogus Microsoft update
  Using a hacked MySpace profile, online criminals are trying to trick victims into downloading a malicious Trojan Horse program by disguising it as a Microsoft update, according to researchers at security vendor McAfee. Web surfers are presented with what appears to be a popup window advising them to download the latest version of Microsoft's Windows Malicious Software Removal Tool. This software is distributed by Microsoft to help Windows users rid their systems of malware. In reality, the popup window is just part of a larger image that takes up most of the computer screen. If the user clicks anywhere on this image, his computer will then begin to download the Trojan program. The Trojan, known as TFactory, is a well-known piece of code that has been used by criminals for well over a year, according to Dave Marcus, a security research manager with McAfee.
 
Google hits back at claims that its search technology infringes an existing patent.
  A suit filed in November jointly by Northeastern University and a search technology company called Jarg against Google seeks an injunction preventing Google from further infringement, as well as royalty payments and damages. The patent in question describes a distributed database system that breaks queries into fragments and distributes them to multiple computers in a network to get faster search results. The plaintiffs say that Google uses this system to run its search engine, and that the system was invented by Kenneth Baclawski, an associate professor at Northeastern and one of Jarg's founders. Northeastern was awarded a patent for the system, which it has licensed exclusively to Jarg. In its response Friday, Google argued that the patent is invalid and should not have been awarded in the first place. Its counterclaim asks the court to declare the patent invalid and unenforceable. Both parties have requested a jury trial and legal experts have said the case could be resolved in 18 months to two years.
 
Intel slapped with new anti-trust investigation
  New York state Attorney General Andrew Cuomo has launched an anti-trust investigation of Intel, after his office served a wide-ranging subpoena on the chip giant's pricing practices and possible attempts to exclude competitors through its market power.
 
Sony unveils superfast wireless data transfer system
  Sony is developing Transfer Jet - a 'near-field communications' wireless data transfer system for gadgets that is capable of sending data, including pictures and video, over a range of a few centimetres at rates of about 375Mbit/s over a 560Mbit/s link, making it faster than USB2.0 and IEEE1394 FireWire interfaces. A prototype of the system was on show at the International Consumer Electronics Show in Las Vegas earlier this month. In a demonstration, a digital camera equipped with Transfer Jet and about 45 images was placed onto a version of Sony's photo reader box that also packed the technology. After a short pause, the images began transferring and within a few seconds the VGA-resolution images were inside the photo reader, and could be viewed on a television.
 
Open source security bugs uncovered
  A US Department of Homeland Security (DHS) bug-fixing scheme has uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open source software projects. All the software scrutinised was found to have significant numbers of security flaws, Coverity said on Wednesday. Since 2006 the project has helped fix 7,826 open source flaws in 250 projects, out of 50 million lines of code scanned, the company said. Coverity also scans proprietary software, handling about 400 product lines for private customers, but said its private clients don't tend to disclose information about bugs found in their products.

Many of the open source projects scanned have been assiduous in repairing the bugs that have turned up, and on Wednesday Coverity advanced the first batch of 11 open source projects to its second stage of the bug-cleansing process, called Rung 2. Many more remain on Rung 1 or even Rung 0, meaning they haven't yet begun to fix the flaws identified. The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL. Other popular software the project has scrutinised includes Apache, the Linux kernel and Firefox.

Rung 2 is the highest security level yet reached under the DHS project, and was attained by eliminating several classes of security and quality defects, according to Coverity open source strategist David Maxwell. For instance, 236 flaws were uncovered in 450,000 lines of Samba code, of which 228 have been corrected. Now that these projects have passed to the next level, Coverity will provide them with an updated version of its scanner product, which will allow developers to identify still more flaws. The Rung 2 scanning service will be upgraded from version 2.4 to version 3.6 of Coverity's Prevent bug-scanning product, Coverity said. The latest version in commercial use is 3.8.
 
Google and Facebook join data portability group
  Google and Facebook have joined the DataPortability Workgroup, an organisation dedicated to creating ways to share user-generated content on social networking sites.
The move by the two firms, which together store a huge amount of social content, comes less than a week after a blogosphere brouhaha erupted when well-known tech blogger Robert Scoble had his Facebook account closed for using a Plaxo tool to copy his contacts. Plaxo has also announced plans to join the group, according to Chris Saad, co-founder and CEO of Faraday Media and an organiser of the data portability group. "Their joint support of the DataPortability initiative presents a new opportunity for the next generation of software - particularly in the fields of social software, user rights and interoperability," said Saad. "This means users will be able to access their friends and media across all the applications, social networking sites and widgets that implement the design into their systems." The group's philosophy is that user photos, videos and other forms of personal data should be discoverable by and shared between their chosen tools and vendors, he added. "The technologies already exist; we simply need a complete reference design to pull the pieces together," Saad noted. "Our mission: To put all existing technologies and initiatives in context to create a reference design for end-to-end data portability." Marshall Kirkpatrick, a blogger at ReadWriteWeb, said that the announcement by Google and Facebook could mean the end of user lock-in - but could also create new privacy challenges.
 
Personal information record losses reach new heights
  More than 120 million people in the US had personal data exposed in 2007 as identity theft reached record heights. That's according to research from the non-profit organisation the Identity Theft Resource Center (ITRC), which reported 446 separate breaches exposing 128 million records. The data shows a more than sixfold increase over its 2006 figures, when 312 incidents were recorded, involving more than 19 million individuals. Another group, Attrition.org, shows 319 personal information data loss incidents in 2007 in its database, both in the USA and other countries. Criminals can fraudulently use another person's identity data to buy goods, take out loans, take money from savings accounts, and hire cars. That person has to recover from the loss and endure badgering by debt-recovery organisations and bailiffs. Here in the UK, government agencies alone lost over 28 million people's identity data in 2007. Additional medical data records were lost due to NHS errors. The number of new identity fraud victims contacting credit reference checking agency Experian continues to grow: 2,570 victims of identity fraud contacted it for assistance in the first half of 2007, a 68 percent year-on-year increase.
 
Firefox 3 beta hits the streets
  The second beta of Firefox 3 has been released ahead of schedule and includes several improvements, among them better protection against cross-site JSON (JavaScript Object Notation) data leaks, and a new "effective top-level domain" (eTLD) service that puts tighter control on site-specific content such as cookies to stymie privacy hacks and session hijacking. Also new is an enhanced address bar - Firefox calls it the 'location bar' - that matches page titles and addresses from the browser's history with the user's bookmarks and tags. The beta also boasts improvements to the browser's performance and stability that developers gleaned from Beta 1 feedback.
 
Google to bid for wireless spectrum
  Google intends to bid on wireless spectrum in the 700MHz band when the US Federal Communications Commission begins auctioning that resource in late January, the search engine giant announced on Friday. Its interest in the spectrum came after AT&T and other large broadband providers expressed interest in recent years in getting Web-based businesses to pay more for their customers' use of the broadband networks. The recent interest in wireless spectrum has led it in several directions. The company launched the Open Handset Alliance, an open-development platform for mobile phones, earlier this month.
 
Exchange Server 2007 SP1 hits the street
  Microsoft has released the first service pack for Exchange Server 2007, fixing software bugs and adding some new features to make the product more stable and useful for business customers. Users can download Exchange Server 2007 Service Pack 1 (SP1) from Microsoft's website. Anticipating the long-awaited release of Windows Server 2008 during the next few weeks, Microsoft added support for that product to SP1, as well as features that allow for integration between Exchange Server 2007 and Office Communications Server 2007.
 
New Security Tool Could Replace Passwords
  A new security tool called Undercover, developed by researchers at Carnegie Mellon University, attempts to get around the factors that make PIN entry so vulnerable - for instance, the fact that anyone with sharp eyes, or a set of concealed cameras, can easily observe what keys a user is tapping. To deal with such "observation attacks," Undercover conceals not the user's response, but the challenge to which they are responding, or at least part of it. The prototype entry system Christin decided upon uses a motor-controlled trackball and a keypad with five color-coded keys. The user places his left hand on the trackball, concealing it.

The system's challenge is to display on a screen a set of five images, one of which may be an image from a portfolio that the user has previously provided - for instance, a photo of a pet or a holiday snap. The user is asked to identify their own image, or to press a key signalling that none of the images are theirs. The motor rotates the concealed trackball in a particular direction, which indicates the values assigned to the color-coded keys - something that, in theory, no onlooker would be able to observe. The user then enters their response on the keypad. Overall, the researchers found that the system proved usable, with some aspects looking particularly promising for future authentication systems.
 
Microsoft Buys 3D Developer
  Microsoft has bought Caligari, a developer of 3D modeling software. Its signature tool, called trueSpace, has a user interface that makes it easy to build complex 3D animations. In December, Microsoft bought Multimap, which also became a wholly owned subsidiary and works with the Virtual Earth and Search groups. Multimap develops online mapping services. At the time of that acquisition, Microsoft said the buy would help it expand its online services offerings to consumers and businesses. Virtual Earth's 3D version, currently in beta, lets users zoom in and out of 3D maps of cities and natural areas. It is similar to Google's Google Earth product.
 
New Tools Support Mobile Web 2.0 Apps
  Trolltech plans to announce on Monday at the Mobile World Congress in Barcelona that it has integrated Qt, its development platform, with WebKit, the Web browser technology used by Apple, Nokia, Google, Motorola and others. The integration should make it easier for developers to build products that integrate online components into mobile phone applications.

Trolltech, a Norwegian company that Nokia recently announced plans to buy, has integrated the tools so that developers can build the bulk of an application using HTML and the rest using C++. By using HTML to create most of the application, handset makers can save development costs because C++ engineers are typically harder to find and more expensive to use, said Benoit Schillings, CTO of Trolltech. However, they can still create some features using C++, which offers more functionality and performance.
 
Hacked Antivirus Site of AvSoft Technologies Delivers a Virus
  The Web site for Indian antivirus vendor AvSoft Technologies has been hacked and is being used to install malicious software on visitors' computers, security researchers said last week. The download section of AvSoft's S-cop Web site hosts the malicious code, according to Roger Thompson, chief research officer with security vendor AVG. "They let one of their pages get hit by an iFrame injection," he said. "It shows that anyone can be a victim. ... It's hard to protect Web servers properly."

The technique used on the site has been seen in thousands of similar hacks over the past few months. The attackers open an invisible iFrame window within the victim's browser, which redirects the client to another server. That server, in turn, launches attack code that attempts to install malicious software on the victim's computer. The malicious software is a variant of the Virut virus family. iFrames are commonly used by Web developers to insert content into their Web pages, but because it is possible to create an invisible iFrame window, the technology is often misused by hackers as a way to silently redirect victims to malicious Web sites.

McAfee Security Research Manager Dave Marcus believes that the site was compromised by exploiting a Web programming error, most likely in the site's SQL or PHP code. Security experts say that criminals have written automated programs that scour the Web for these types of flaws and then automatically infect sites, making this an increasingly common problem.
 
Performance Results Mixed with Vista Service Pack 1
  Microsoft's newly released Vista Service Pack 1 may solve some of the performance glitches that have annoyed Windows Vista users and discouraged others from adopting the OS, but it doesn't appear from our initial tests to be a panacea. In our first tests of the service pack, file copying, one of the main performance-related complaints from Vista users, was significantly faster. But other tests showed little improvement and in two tests, our experience was actually a little better without the service pack installed than with it.

Service Pack 1 was released to manufacturing yesterday, and officially sent out to reviewers today (Service Pack 1 was also unofficially unleashed today on BitTorrent). Service Pack 1 will be available to users in March, as a download; Microsoft plans to have SP1 integrated into Windows Vista at retail as well, but could not give a timeline on how quickly the update will be included in the retail version of Vista.
 
Security Pros: Kill ActiveX
  A wave of bugs in the plug-in technology used by Microsoft's Internet Explorer (IE) browser has some security experts, including those at the U.S. Computer Emergency Readiness Team (US-CERT), part of the federal government's Department of Homeland Security, recommending that users disable all ActiveX controls. US-CERT's advice was prompted by multiple vulnerabilities in high-profile ActiveX components used by members of the popular Facebook and MySpace social networks, as well as users of Yahoo Inc.'s music services.

Three new vulnerabilities in the photo uploader software used by both Facebook and MySpace were disclosed Monday by researcher Elazar Broad, who on Monday also posted sample attack code for a pair of critical bugs in Yahoo's Music Jukebox. Last week, Broad had pinned the Facebook and MySpace ActiveX controls with two other flaws. All five of the Facebook/MySpace vulnerabilities originated with an ActiveX control developed by Aurigma Inc.

As the number of vulnerabilities mounted, security professionals began ringing the alarm. On Monday, for instance, Symantec analysts urged users to "use caution when browsing the Web" and told IT administrators to disable the relevant ActiveX controls by setting several "kill bits" in the Windows registry. Disabling individual ActiveX controls, however, requires editing the Windows registry, a task too scary for most consumers to contemplate.