To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay US$500 for bugs found in the code. But several experts have said that's not enough money to motivate skilled vulnerability researchers.
Under Google's new "experimental" incentive program, announced last week, people will get paid US$500 for select interesting and original security vulnerabilities discovered in Chrome, or US$1337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or "leet", which can be spelled out using the numbers.
Mozilla pays US$500 to researchers who find valid security bugs in the Firefox browser, the Thunderbird email client or the Mozilla suite.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's plan could be the start of an interesting trend.
"If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too," he said. "I've been suggesting Microsoft should do this for a long time but they have a moral issue with it."
Microsoft has decided to stick with its no-bounty stance.
http://www.zdnet.com.au/news/security/soa/Google-stingy-on-malware-handout-/0,130061744,339300941,00.htm
Computer hackers disabled several Australian government websites Wednesday in coordinated attacks protesting against a planned internet filter aimed at pornography.
The attacks, confirmed by the Attorney-General's Department, crippled Australia's parliamentary website for almost an hour and also hit the site of the Communications Department, which is pushing a compulsory internet filter for pornography and offensive content.
The attacks were launched by hackers aligned with an anti-Church of Scientology group known as "Anonymous."
"No government should have the right to refuse its citizens access to information solely because they perceive it to be 'unwanted'," the group said in an email.
"The Australian government will learn that one does not mess with our porn."
http://uk.reuters.com/article/idUKTRE6190E020100210
A Queensland man will have to pay Nintendo $1.5 million in damages after illegally copying and uploading one of its new games to the internet ahead of its release, the gaming giant says.
James Burt, 24, of Sinnamon Park in Queensland will pay Nintendo $1.5 million after an out-of-court settlement was struck to compensate the company for the loss of sales revenue.
Nintendo said the loss was caused when Burt made New Super Mario Bros for the Wii gaming console available for illegal download a week ahead of its official Australian release in November last year.
Under Australian law, copying and distributing games without the permission of the copyright holder is a breach of the Copyright Act.
In November, Nintendo applied for and was granted a search order by the Federal Court forcing Burt to disclose the whereabouts of all his computers, disks and electronic storage devices.
http://www.smh.com.au/digital-life/games/nintendo-pirate-to-pay-15m-20100209-np4i.html
Apple executives have hinted that an early price drop for the $500-and-up iPad may be in the works. A Credit Suisse analyst who reportedly met with Apple executives learned that Apple may slash the price of the iPad if demand for the new device is low.
For eager iPad early adopters that could turn out to be a big iBummer, but then again, the news of an iPad price drop should not be coming as a shock. Most technology companies have a history of screwing over their first batch of customers with price cuts and early upgrades, and Apple is no exception. In fact, Apple was behind one of the most famous early adopter scandals of all time.
So before you go spending your money on the first edition of the iPad, let's take a quick look back at just a few times when early adopters were left out in the cold by buying technology products before anyone else.
- iPhone
- Blu-Ray
- Tivo Down Under
- Wal-Mart Music Downloads
- Kindle 2 and DX
http://www.pcworld.com/article/188889/ipad_early_adopters.html
EBook Outlines Why Organizations Need to Shift from a Threat Centric Approach to a Trust Centric Endpoint Security Model to Eliminate Risks, Reduce Complexity, and Lower TCO
Shift happens. The threat landscape has changed for the worse, as evidenced by the recent highly publicized attacks by hackers who used sophisticated methods to steal core intellectual property from Google, Adobe, and other high profile companies. Cyber criminals have become more agile than ever, insiders have increasingly taken advantage of trust, and new Web 2.0 technologies have given both parties open access to sensitive data stores. Traditional technologies such as antivirus and firewalls can no longer act as the mainstay of modern security programs. The year 2009 was believed to be the tipping point of a cybercrime epidemic in which more malware was identified than at any other time in the history of computing. With current growth rates of malware, it is feasible to see billions if not trillions of malware signatures within the span of a few short years. Organizations must begin to shift from a threat centric approach, where the focus is on stopping what is known to be bad, to a trust centric model, where the focus is on protecting what is known to be good and trusted, in order to achieve greater intelligence around endpoint risks. In doing so, organizations will better eliminate risk, reduce complexity, lower TCO and improve their overall endpoint security and compliance posture.
Lumension, the global leader in endpoint management and security, today unveiled a new eBook titled, “Shift Happens: The Evolution in Application Whitelisting.” The eBook is designed to arm security professionals with a better understanding of the new endpoint security risks to confidential data and proprietary systems and why organizations must make a shift away from traditional approaches to endpoint security models and look to adopt a trust centric model with application whitelisting.
“Whitelisting may be perceived as a new novel idea, but the old oak trees of IT security will tell you that it is hardly a new approach to shoring up systems,” said Paul Zimski, vice president of solution marketing, Lumension. [...]
To download the free eBook, click on Shift Happens: The Evolution in Application Whitelisting.
http://news.yahoo.com/s/prweb/20100209/bs_prweb/prweb3582184
Sixty thousand accounts compromised
A Lebanese hacker claims to have hacked Orange's regional website in Cote d'Ivoire (Ivory Coast) through SQL injection. The attack allegedly gave him access to the website's administration interface and information on almost 60,000 customers.
Orange is the fifth largest telecom provider in the world with a presence in 166 countries and territories and an estimated 189 million subscribers. According to information on its website, Orange Cote d'Ivoire was the group's first subsidiary on the African continent and has over 4 million customers.
In an e-mail to Softpedia, a self-confessed grey hat hacker going by the name of Idahc took credit for compromising the orange.ci domain. The attached screenshots and a video demonstration clearly show the hacker navigating through the website's administration interface at will.
The site seems to have been compromised around the date of January 25, when Idahc used the administrative credentials to add a news story entitled "Hacked by Idahc" on the website. The entry is still online at the time of publishing, suggesting that the webmasters might not be aware of the security breach.
However, it appears that Idahc is not the only hacker to have targeted the orange.ci domain recently. According to a post on Web defacement archive Zone-H.org, someone else hacked the server and uploaded a rogue HTML file back in December. Similar to Idahc's news story, that file is still online and reads "3viLboy was here."
http://news.softpedia.com/news/Orange-Regional-Website-Hacked-134467.shtml
Sunbelt Software is supporting tomorrow’s Safer Internet Day, an awareness-raising initiative co-funded by the European Commission. Organizations in more than 60 countries are behind the campaign, this year focusing on the theme "Think B4 U post!"
New technologies have turned all of us, and young people most of all, into publishers of information, pictures, and videos. While bringing about new opportunities for personal expression and creativity, the same technologies can also conjure up embarrassing or even traumatic situations. For example, photos, once posted online, remain online and can be seen by anybody, even years after they have been posted. Therefore, children and teenagers need guidance to manage their online identity in a responsible way and to stay in control of it.
“We are proud to be supporting Safer Internet Day. Whilst it is generally assumed that the latest generation will be the most technologically savvy, we see that children are taking increasing liberties with their online identity and opening themselves up to a wealth of very real dangers,” explained Sunbelt Software CEO Alex Eckelberry. “By following this simple five point checklist they can enjoy the many social and academic benefits of the Internet safely.”
http://sunbeltblog.blogspot.com/2010/02/sunbelt-supports-safer-internet-day.html
We got a huge number of Microsoft security updates today:
- MS10-003 - Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
- MS10-004 - Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
- MS10-005 - Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
- MS10-006 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
- MS10-007 - Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
- MS10-008 - Cumulative Security Update of ActiveX Kill Bits (978262)
- MS10-009 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
- MS10-010 - Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
- MS10-011 - Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
- MS10-012 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
- MS10-013 - Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
- MS10-014 - Vulnerability in Kerberos Could Allow Denial of Service (977290)
- MS10-015 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
The full version of their bulletin summary is at http://www.microsoft.com/technet/security/Bulletin/MS10-feb.mspx and MSRC's blog entry on the above is at http://blogs.technet.com/msrc/archive/2010/02/09/february-2010-security-bulletin-release.aspx
Banning web users suspected of illegally downloading content from the internet could breach human rights legislation, says the Joint Select Committee on Human Rights.
According to the group of MPs and members of the House of Lords, the proposals set out in the Digital Economy Bill reference 'technical measures' which could be employed to block internet pirates' web connections.
However the committee said the technical measures had not been "sufficiently specified".
"The concern we have with this Bill is that it lacks detail," said Andrew Dismore MP and chair of the Committee.
http://www.networkworld.com/news/2010/020810-banning-illegal-file-sharers-could-breach.html
Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service.
Nearly a third (25,000 out of 78,800) of computers with up-to-date anti-virus software were discovered to be infected with malicious code when users scanned their PC using SurfRight's HitmanPro 3 behavioural scan.
SurfRight's analysis is based on 107,435 users who put their PC through its scanner between 10 October and 4 December 2009. Around a quarter of these users (28,608) either had no scanner installed or were running security software that was out of date.
Surfers are much more likely to turn to SurfRight's software if they suspect their Windows PC is running slowly or might be infected with malware, so the figures from SurfRight's audit are bound to come out worse than those for the general web population.
http://www.theregister.co.uk/2010/02/08/security_scanner_shortcomings/
Chinese officials have shut down Black Hawk Safety Net, the country's biggest hacker training website, and arrested three people for making hacker tools available online.
China announced it has arrested three people in connection with operating a hacker training school that distributed malware and hacking tools to its members in online forums.
According to Xinhua, China's state-run news agency, three people were arrested in connection with making the tools available online through a business known as Black Hawk Safety Net. Established in 2005, Black Hawk Safety Net is reportedly headquartered in Xuchang in the central Henan Province and has more than 180,000 members. Police reportedly uncovered the operation as part of an investigation into a cyber-attack in Macheng City in 2007.
The three suspects arrested in the case are charged with offering online hacker tools, a crime newly listed in the country's criminal law last year, the paper reported.
http://www.eweek.com/c/a/Security/China-Closes-Hacker-Training-School-Arrest-3-827095
N.Y. man claims Symantec didn't tell him before charging his card, as 2009 settlement required
A New York man has sued security software maker Symantec for automatically renewing his subscription to Norton Antivirus, alleging that the company did not notify him before charging $76 to his credit card.
The lawsuit comes seven months after the New York Attorney General's office fined Symantec $375,000 for the practice and ordered it to give notice before renewing any subscription.
According to the lawsuit filed Jan. 19 in a New York County court, Kenneth Elan of Port Washington, N.Y., purchased a copy of Norton Antivirus in 2007. Early in November 2009, Symantec told him that it had automatically renewed his license to the software for one year, and charged his credit card $76.03. Elan said he had not been notified prior to the charge hitting his card.
http://www.computerworld.com/s/article/9153118/Symantec_hit_with_class_action_lawsuit_over_auto_renewals
Same incident as last year: http://www.calendarofupdates.com/updates/index.php?showtopic=20325
Google will today announce some big changes to its social media strategy. It is believed these will include changes to Gmail that will allow users to post messages in a similar way to Twitter or Facebook.
That social media sites Facebook and Twitter have a huge potential for advertising in the future will not have gone unnoticed at Mountain View, CA.
Google recently announced that its only social success to date, YouTube, has started to make a profit. Google bought the already successful but loss-making YouTube in 2006, and has steadily increased the amount of advertising on the site since.
Google has numerous products that have some form of social aspect to them. Reader, Calendar, Bookmarks and others all encourage sharing; there is a full social network site in Orkut; and Google Profiles links in well with Wave, the much maligned collaboration tool. Then let's not forget SideWiki, which allows users to leave messages on any site via a browser add-on.
The problem that Google has had is that these products have been too disparate. There hasn't been a single combining element that has allowed all the best features to appear in one single interface in a way that could compete with Facebook. It sounds like Google is attempting to make up for lost time now.
http://www.bigmouthmedia.com/live/articles/google-to-use-gmail-to-challenge-facebook.asp/6751/
Google to add social-media tools to Gmail similar to Facebook, Twitter
Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track victim's physical location via smartphone's GPS
A researcher at the ShmooCon hacker conference yesterday demonstrated how BlackBerry applications can be used to expose sensitive information without the use of exploits.
Tyler Shields, senior researcher for Veracode's Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim's BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone's GPS.
The spyware sits on the victim's smartphone, and an attacker can remotely use the app to dump the user's contact list, email inbox, and SMS messages. It even keeps the attacker updated on new contacts the victim adds to his contact list. "This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself," Shields says.
http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=222700260
An Adobe product manager has apologized for allowing a potentially serious bug in Flash Player to remain unfixed for more than 16 months.
The admission, by Emmy Huang, product manager for Flash, came a week after Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash." Adobe CTO Kevin Lynch struck back, insisting that at Adobe, "we don't ship Flash with any known crash bugs."
The crash bug at issue in Huang's blog post published over the weekend was reported in September 2008, but it has yet to be excised from release versions of Flash. She said a beta version of Flash scheduled for official release later this year has fixed the problem.
Continued here: http://www.theregister.co.uk/2010/02/09/adobe_flash_crash_bug/
Flash Bug Report
As has been pointed out by the community, there is an existing crash bug that was reported by Matthew Dempsky in the Flash Player bugbase (JIRA FP-677) in September of 2008 that still exists in the release players. It is fixed in Flash Player 10.1 beta, and has been since we launched the beta in early November 2009.
I want to reiterate that it is our policy that crashes are serious "A" priority bugs, and it is a tenet of the Flash Player team that ActionScript developers should never be able to crash Flash Player. If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level. Depending on where an issue occurs we work to resolve the crash internally or with our partners.
So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for the "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter to let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.
The team is actively reviewing all unresolved crash bugs in JIRA and will reach out to the submitter if we need their help. We have been updating JIRA bugs with status when we ship pre-release and release players with fixes, but will be focusing on scrubbing these more vigilantly so the community will be able to get status on their issues earlier. Again, FP-677 is fixed in Flash Player 10.1 beta on Adobe Labs and was made public in a regular bugbase scrub that happened yesterday.
http://blogs.adobe.com/emmy/archives/2010/02/flash_bug_repor.html
From Bruce at his "Schneier on Security":
At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds of Threefish-512 with a complexity of 2^507, and 43.5 (out of 80) rounds of Threefish-1024 with a complexity of 2^1014.5. (Yes, that's over 2^1000. Don't laugh; it really is a valid attack, even though it -- or any of these others -- will never be practical.)
This is excellent work, and represents the best attacks against Threefish to date. (I suspect that the attacks can be extended a few more rounds with some clever cryptanalytic tricks, but no further.) The security of full Threefish isn't at risk, of course; there's still plenty of security margin.
http://www.schneier.com/blog/archives/2010/02/new_attack_on_t.html
TD Bank's failure to detect fraudulent money transfers 'unacceptable,' official says
The theft of $378,000 from the town of Poughkeepsie, N.Y. is prompting questions about the responsibility of banks to protect customer accounts from online criminals.
In a statement last week, a town official revealed that thieves had broken into the town's TD Bank account and transferred $378,000 to accounts in the Ukraine.
The thefts took place over a two-day period in mid-January during which a total of nine attempts were made to steal money. In the end, four of the attempts were successful, resulting in the lost money.
The thefts were discovered by town officials one day after they occurred. So far, TD Bank has managed to recover $95,000, with efforts still under way to try and recover the rest. The theft is being investigated by local police, the FBI and the U.S. Secret Service.
It was not clear how the thieves gained access to the town's bank account and there was no immediate response from Town Supervisor Patricia Meyers to a Computerworld request for comment.
http://www.networkworld.com/news/2010/020810-poughkeepsie-ny-slams-bank-for.html
If you're outside Moscone Center for this week's Macworld Expo, and someone hands you a "Lost iPhone" sticker, don't toss it away. It could help you track down your phone, should it ever go missing.
The stickers, from iHound Software, go on the back of the iPhone or the phone's case. They feature a unique ID number so that anyone who finds a misplaced phone can go to iHound's Website and punch in the nine-digit number along with a message to the phone's doubtlessly frantic owner.
"We believe most phones are lost, not stolen," Gary Moskoff, one of the founders of iHound Software told me Monday, as we talked about his company's mobile security offering.
Of course, to take advantage of that lost sticker, you've got to use the iHound app for the iPhone. But iHound has an Expo-timed special there too: for the month of February, the app--normally a $3 download--is available for free. (After the 10-day trial period, you'll still have to pay a recurring service charge, which Moskoff says costs less than $1 a month.)
http://www.networkworld.com/news/2010/020910-ihound-aims-to-help-you.html
A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.
The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank's security technology. The company also alleges that Comerica's security protections for customers are not commercially reasonable, because the phishing scam routed around the bank's 2-factor authentication system.
According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used "digital certificates" for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank's cryptographically signed digital certificate in their browser before the bank's online system will allow users access. [...]
EMI's complaint is here (.pdf). Comerica's line-by-line response is available here (.pdf).
http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/
In tests, algorithm was an efficient estimator of worm virulence and could determine the size of the susceptible host population after only a few infections
Self-propagating worms are malicious computer programs, which, after being released, can spread throughout networks without human control, stealing or erasing hard drive data, interfering with pre-installed programs and slowing, even crashing, home and work computers. Now a new code, or algorithm, created by Penn State researchers targets the "stealthiest" of these worms, containing them before an outbreak can occur.
"In 2001 the 'Code Red' worms caused $2 billion dollars worth of damage worldwide," said Yoon-Ho Choi, a postdoctoral fellow in information sciences and technology at Penn State. "Our algorithm can prevent a worm's propagation early in its propagation stage."
Choi and his colleagues' algorithm defends against the spread of local scanning worms that search for hosts in "local" spaces within networks or sub-networks. This strategy gives the worms access to hosts that are clustered, which means once they infect one host, the rest can be infected quickly. There are many types of scanning worms, but Choi calls these worms the stealthiest because they are the most efficient and can evade even the best worm defenses.
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222700362