Banning web users suspected of illegally downloading content from the internet could breach human rights legislation, says the Joint Select Committee on Human Rights.

According to the group of MPs and members of the House of Lords, the proposals set out in the Digital Economy Bill reference 'technical measures' which could be employed to block internet pirates' web connections.

However the committee said the technical measures had not been "sufficiently specified".

"The concern we have with this Bill is that it lacks detail," said Andrew Dismore MP and chair of the Committee.

http://www.networkworld.com/news/2010/020810-banning-illegal-file-sharers-could-breach.html

Posted by donna | with no comments

Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service.

Nearly a third (25,000 out of 78,800) of computers with up-to-date anti-virus software were discovered to be infected with malicious code when users scanned their PC using SurfRight's HitmanPro 3 behavioural scan.

SurfRight's analysis is based on 107,435 users who put their PC through its scanner between 10 October and 4 December 2009. Around a quarter of these users (28,608) either had no scanner installed or were running security software that was out of date.

Surfers are much more likely to turn to SurfRight's software if they suspected their Windows PC was running slowly or might be infected with malware, so the figures from SurfRight's audit are bound to come out worse than those from the general web population.

http://www.theregister.co.uk/2010/02/08/security_scanner_shortcomings/

Posted by donna | with no comments

China officials have shut down Black Hawk Safety Net, the country's biggest hacker training Website, and arrested three people for making hacker tools available online.

China announced it has arrested three people in connection with operating a hacker training school that distributed malware and hacking tools to its members in online forums.

According to Xinhua, China's state-run newspaper, three people were arrested in connection with making the tools available online through a business known as Black Hawk Safety Net. Established in 2005, Black Hawk Safety Net is reportedly headquartered in Xuchang of the central Henan Province and has more than 180,000 members. Police reportedly uncovered the operation as part of an investigation into a cyber-attack in Macheng City in 2007.

The three suspects arrested in the case are charged with offering online hacker tools, a crime newly listed in the country's criminal law last year, the paper reported.

http://www.eweek.com/c/a/Security/China-Closes-Hacker-Training-School-Arrest-3-827095

Posted by donna | with no comments

N.Y. man claims Symantec didn't tell him before charging his card, as 2009 settlement required

A New York man has sued security software maker Symantec for automatically renewing his subscription to Norton Antivirus, alleging that the company did not notify him before charging $76 to his credit card.

The lawsuit comes seven months after the New York Attorney General's office fined Symantec $375,000 for the practice and ordered it to give notice before renewing any subscription.

According to the lawsuit filed Jan. 19 in a New York County court, Kenneth Elan of Port Washington, N.Y., purchased a copy of Norton Antivirus in 2007. Early in November 2009, Symantec told him that it had automatically renewed his license to the software for one year, and charged his credit card $76.03. Elan said he had not been notified prior to the charge hitting his card.

http://www.computerworld.com/s/article/9153118/Symantec_hit_with_class_action_lawsuit_over_auto_renewals

Same incident as last year: http://www.calendarofupdates.com/updates/index.php?showtopic=20325

Posted by donna | with no comments

Google will today announce some big changes to its social media strategy. It is believed these will include changes to Gmail that will allow users to post messages in a similar way to Twitter or Facebook.

That social media sites Facebook and Twitter have a huge potential for advertising in the future will not have gone unnoticed at Mountain View, CA.

Google recently announced that its only social success to date, YouTube, has started to make a profit. Google bought the already successful but loss-making YouTube in 2006, and has steadily increased the amount of advertising on the site since.

Google has numerous products that have some form of social aspect to them. Reader, Calendar, Bookmarks and others all encourage sharing; there is a full social network site in Orkut; and Google Profiles links in well with Wave, the much-maligned collaboration tool. Then let's not forget SideWiki, which allows users to leave messages on any site via a browser add-on.

The problem that Google has had is that these products have been too disparate. There hasn't been a single combining element that has allowed all the best features to appear in one single interface in a way that could compete with Facebook. It sounds like Google is attempting to make up for lost time now.

http://www.bigmouthmedia.com/live/articles/google-to-use-gmail-to-challenge-facebook.asp/6751/

Google to add social-media tools to Gmail similar to Facebook, Twitter

Posted by donna | with no comments

Proof-of-concept demonstrates the ease with which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track a victim's physical location via the smartphone's GPS

A researcher at the ShmooCon hacker conference yesterday demonstrated how BlackBerry applications can be used to expose sensitive information without the use of exploits.

Tyler Shields, senior researcher for Veracode's Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim's BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone's GPS.

The spyware sits on the victim's smartphone, and an attacker can remotely use the app to dump the user's contact list, email inbox, and SMS messages. It even keeps the attacker updated on new contacts the victim adds to his contact list. "This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself," Shields says.

http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=222700260

Posted by donna | with no comments

An Adobe product manager has apologized for allowing a potentially serious bug in Flash Player to remain unfixed for more than 16 months.

The admission, by Emmy Huang, product manager for Flash, came a week after Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash." Adobe CTO Kevin Lynch struck back, insisting that at Adobe, "we don't ship Flash with any known crash bugs."

The crash bug at issue in Huang's blog post published over the weekend was reported in September 2008, but it has yet to be excised from release versions of Flash. She said a beta version of Flash scheduled for official release later this year has fixed the problem.

Continued here: http://www.theregister.co.uk/2010/02/09/adobe_flash_crash_bug/

Flash Bug Report

As has been pointed out by the community, there is an existing crash bug that was reported by Matthew Dempsky in the Flash Player bugbase (JIRA FP-677) in September of 2008 that still exists in the release players. It is fixed in Flash Player 10.1 beta, and has been since we launched the beta in early November 2009.

I want to reiterate that it is our policy that crashes are serious "A" priority bugs, and it is a tenet of the Flash Player team that ActionScript developers should never be able to crash Flash Player. If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level. Depending on where an issue occurs we work to resolve the crash internally or with our partners.

So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for the "next" release, which is the soon-to-be-released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.

The team is actively reviewing all unresolved crash bugs in JIRA and will reach out to the submitter if we need their help. We have been updating JIRA bugs with status when we ship pre-release and release players with fixes, but will be focusing on scrubbing these more vigilantly so the community will be able to get status on their issues earlier. Again, FP-677 is fixed in Flash Player 10.1 beta on Adobe Labs and was made public in a regular bugbase scrub that happened yesterday.

http://blogs.adobe.com/emmy/archives/2010/02/flash_bug_repor.html

Posted by donna | with no comments

From Bruce at his "Schneier on Security":

At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds of Threefish-512 with a complexity of 2^507, and 43.5 (out of 80) rounds of Threefish-1024 with a complexity of 2^1014.5. (Yes, that's over 2^1000. Don't laugh; it really is a valid attack, even though it -- or any of these others -- will never be practical.)

This is excellent work, and represents the best attacks against Threefish to date. (I suspect that the attacks can be extended a few more rounds with some clever cryptanalytic tricks, but no further.) The security of full Threefish isn't at risk, of course; there's still plenty of security margin.

http://www.schneier.com/blog/archives/2010/02/new_attack_on_t.html
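The property that rotational cryptanalysis of ARX designs rests on is easy to check directly: rotation commutes exactly with XOR (and with other rotations), but only probabilistically with modular addition, and it is that imperfect commutation that an attacker must pay for round after round. The block below is an added example, not code from the Schneier post or from the Khovratovich/Nikolic paper; it implements the general n-bit case rather than Threefish's 64-bit words specifically, derives the exact probability from the carry behaviour of the two sub-additions, and confirms it both exhaustively for 8-bit words and by sampling for 64-bit words.

```python
# Added example: the rotational property of ARX operations.
# XOR commutes with left rotation for every input; modular addition commutes
# only when neither of the two partial additions the rotation splits the word
# into produces a carry. Word size n and rotation amount r are parameters.
import random


def rotl(x, r, n=64):
    """Rotate the n-bit word x left by r bits."""
    mask = (1 << n) - 1
    r %= n
    return ((x << r) | (x >> (n - r))) & mask


def xor_is_rotation_invariant(x, y, r, n=64):
    """(x ^ y) <<< r == (x <<< r) ^ (y <<< r): holds for every x, y."""
    return rotl(x ^ y, r, n) == rotl(x, r, n) ^ rotl(y, r, n)


def add_is_rotation_invariant(x, y, r, n=64):
    """(x + y) <<< r == (x <<< r) + (y <<< r) mod 2^n: holds only sometimes."""
    mask = (1 << n) - 1
    return rotl((x + y) & mask, r, n) == (rotl(x, r, n) + rotl(y, r, n)) & mask


def rotational_probability_of_add(r, n=64):
    """Exact probability that modular addition commutes with rotation by r.

    Splitting each word into its high r bits and low n-r bits, the two sides
    agree exactly when the low (n-r)-bit addition and the high r-bit addition
    are both carry-free. Two uniform k-bit values add without carry with
    probability (1 + 2^-k)/2, and the two events are independent.
    """
    return (1 + 2.0 ** -r + 2.0 ** (r - n) + 2.0 ** -n) / 4


def count_rotation_invariant_adds(r, n):
    """Exhaustively count pairs (x, y) of n-bit words for which addition commutes
    with rotation by r. Practical only for small n (2^(2n) pairs)."""
    return sum(1 for x in range(1 << n) for y in range(1 << n)
               if add_is_rotation_invariant(x, y, r, n))


def estimate_rotational_probability(r, n=64, samples=20000, seed=1):
    """Monte Carlo estimate of the same probability for full-size words,
    using a fixed seed so the run is reproducible."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(samples)
               if add_is_rotation_invariant(rng.getrandbits(n),
                                            rng.getrandbits(n), r, n))
    return hits / samples


if __name__ == "__main__":
    # For 64-bit words (Threefish's word size) and r = 1 the probability is
    # 0.375, i.e. about 2^-1.415 per addition; every addition in an ARX trail
    # multiplies the rotational probability by this factor.
    print("exact  n=64 r=1:", rotational_probability_of_add(1, 64))
    print("sample n=64 r=1:", estimate_rotational_probability(1, 64))
    print("exact  n=8  r=3:", rotational_probability_of_add(3, 8),
          "count:", count_rotation_invariant_adds(3, 8), "/", 1 << 16)
```

Running the script shows why the attack complexities above are so large: each of the many additions in a Threefish round contributes a factor of roughly 2^-1.4 to the probability that a rotational pair survives, so the probability of a full trail drops quickly with the number of rounds covered.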

Posted by donna | with no comments

TD Bank's failure to detect fraudulent money transfers 'unacceptable,' official says

The theft of $378,000 from the town of Poughkeepsie, N.Y. is prompting questions about the responsibility of banks to protect customer accounts from online criminals.

In a statement last week, a town official revealed that thieves had broken into the town's TD Bank account and transferred $378,000 to accounts in the Ukraine.

The thefts took place over a two-day period in mid-January during which a total of nine attempts were made to steal money. In the end, four of the attempts were successful, resulting in the lost money.

The thefts were discovered by town officials one day after they occurred. So far, TD Bank has managed to recover $95,000, with efforts still under way to try and recover the rest. The theft is being investigated by local police, the FBI and the U.S. Secret Service.

It was not clear how the thieves gained access to the town's bank account and there was no immediate response from Town Supervisor Patricia Meyers to a Computerworld request for comment.

http://www.networkworld.com/news/2010/020810-poughkeepsie-ny-slams-bank-for.html

Posted by donna | with no comments

If you're outside Moscone Center for this week's Macworld Expo, and someone hands you a "Lost iPhone" sticker, don't toss it away. It could help you track down your phone, should it ever go missing.

The stickers, from iHound Software, go on the back of the iPhone or the phone's case. They feature a unique ID number so that anyone who finds a misplaced phone can go to iHound's Website and punch in the nine-digit number along with a message to the phone's doubtlessly frantic owner.

"We believe most phones are lost, not stolen," Gary Moskoff, one of the founders of iHound Software, told me Monday, as we talked about his company's mobile security offering.

Of course, to take advantage of that lost sticker, you've got to use the iHound app for the iPhone. But iHound has an Expo-timed special there too: for the month of February, the app, normally a $3 download, is available for free. (After the 10-day trial period, you'll still have to pay a recurring service charge, which Moskoff says costs less than $1 a month.)

http://www.networkworld.com/news/2010/020910-ihound-aims-to-help-you.html

Posted by donna | with no comments

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank's security technology. The company also alleges that Comerica's security protections for customers are not commercially reasonable, because the phishing scam routed around the bank's 2-factor authentication system.

According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used "digital certificates" for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank's cryptographically signed digital certificate in their browser before the bank's online system will allow users access. [...]

EMI's complaint is here (.pdf). Comerica's line-by-line response is available here (.pdf).

http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/

Posted by donna | with no comments

In tests, the algorithm was an efficient estimator of worm virulence and could determine the size of the susceptible host population after only a few infections

Self-propagating worms are malicious computer programs, which, after being released, can spread throughout networks without human control, stealing or erasing hard drive data, interfering with pre-installed programs and slowing, even crashing, home and work computers. Now a new code, or algorithm, created by Penn State researchers targets the "stealthiest" of these worms, containing them before an outbreak can occur.

"In 2001 the 'Code Red' worms caused $2 billion dollars worth of damage worldwide," said Yoon-Ho Choi, a postdoctoral fellow in information sciences and technology at Penn State. "Our algorithm can prevent a worm's propagation early in its propagation stage."

Choi and his colleagues' algorithm defends against the spread of local scanning worms that search for hosts in "local" spaces within networks or sub-networks. This strategy gives them access to hosts that are clustered, which means once they infect one host, the rest can be infected quickly. There are many types of scanning worms, but Choi calls these worms the stealthiest because they are the most efficient and can evade even the best worm defenses.

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222700362

Posted by donna | with no comments

According to Billboard Magazine, the average broadband ISP loses about 1.4% of its customers per month (aka churn), 14.5% annually, or over 2.1 million customers each year. Comcast, for example, with its average customer paying $43 per month, stands to lose $1.1 billion from churn every year. How do you keep those customers around?

http://www.broadbandreports.com/shownews/ISPs-Look-To-Bundled-Music-Services-To-Keep-You-Around-106750

Posted by donna | with no comments

The Authors Guild agreed to a controversial settlement with Google because it feared repeating the mistakes that the music industry has made in dealing with digital works, it said Friday.

Google and the Authors Guild have struggled to get final approval of a settlement granting Google the right to continue a six-year book-scanning project that has digitized 12 million titles. Objections to that settlement from authors and academics have been heated, and despite revisions, the U.S. Department of Justice continued to object in principle to the settlement on Thursday, saying "the (revised agreement) purports to grant legal rights that are difficult to square with the core principle of the Copyright Act that copyright owners generally control whether and how to exploit their works during the term of copyright."

With that in mind, many have wondered why the Authors Guild chose to settle the case rather than fight it out in court and clear up the issue of whether or not Google's decision to scan out-of-print yet copyright-protected books really is allowed under fair-use laws. The reason is simple, the Guild said in a blog post Friday: legal victories haven't stopped copyright infringement in other forms of digital media.

"Copyright victories tend to be Pyrrhic in the digital age," the Guild wrote. If the Guild had prevailed in its suit against Google, it said it believed that copyright infringement would have just moved elsewhere, just as court victories won by the RIAA over Napster led to the rise of services like Kazaa and others.

http://news.cnet.com/8301-30684_3-10448186-265.html

Posted by donna | with no comments

The government has been urged to give more details on the process that would lead to disconnection of broadband access for unlawful file-sharers, a sanction laid out in the Digital Economy Bill.

In a report published on Friday, the Joint Committee on Human Rights (JCHR) expressed concern at the "lack of detail" given by the bill regarding the process that would lead to broadband users having their connections suspended or having other technical measures imposed, saying this made it "extremely difficult" to assess the human-rights aspects of the process.

"As we have explained in the past, flexibility is not an appropriate reason for defining a power which engages individual rights without adequate precision to allow for proper parliamentary scrutiny of its proportionality," the committee wrote in the report, Legislative Scrutiny: Digital Economy Bill.

Specifically, the committee wants to know whether people could be indefinitely suspended, and whether suspended people would be barred from getting internet access from alternative services. They also want to know what standard of evidence and proof would lead to technical measures being imposed.

http://news.zdnet.co.uk/communications/0,1000000085,40025393,00.htm

Posted by donna | with no comments

Calls Mac OS X 10.4 'hindrance' to development; Apple's already dumped Tiger

Barring any last-minute change of mind, Mozilla will permanently drop support for Mac OS X 10.4 from future editions of Firefox.

Mozilla stopped supporting Mac OS X 10.4, aka Tiger, in September 2009, but left a large amount of Tiger bits in the development code. Now, said Josh Aas, a platform engineer for Mozilla who works on Mac OS X integration, it's time to either restore support for the five-year-old operating system or remove the code from the development tree.

"We would like to take advantage of more modern technologies on Mac OS X and 10.4 support has been a hindrance," said Aas in a message yesterday on the mozilla.dev.planning forum. "Where we can work around supporting 10.4, doing so consumes valuable time and effort. Neither Chrome nor Safari has to deal with this."

According to Mozilla's metrics, 24% of those running the Mac version of Firefox 3.5 rely on Tiger, while 12% of those running the just-released Firefox 3.6 do. Half of all users run Firefox 3.5 on Mac OS X 10.5, aka Leopard, while 59% run Firefox 3.6 on OS X 10.6, or Snow Leopard.

Aas noted that Tiger users can continue to run Firefox 3.6, which supports the older operating system, until that version is retired from support.

More in http://www.computerworld.com/s/article/9152920/Mozilla_ends_Firefox_support_for_Mac_OS_Tiger?taxonomyId=89

Posted by donna | with no comments

An internet security expert at IBM reported to the Black Hat conference that he discovered Cisco routers are vulnerable to a potential surveillance backdoor.

According to Arstechnica, Tom Cross, security systems researcher at IBM, gave a presentation exposing the backdoor to demonstrate how the 'lawful intercept' function in Cisco's system can be targeted by hackers to gain access to data flowing through the routers.

Hackers aren't blocked after failed attempts to access a Cisco router and notification alerts aren't sent to the administrator. Making matters even worse, ISPs can't detect and track who the culprits might be because their employees aren't allowed to detect and intercept.

It is not entirely Cisco's fault.

Continue reading in http://www.theinquirer.net/inquirer/news/1590674/cisco-handholds-hackers-backdoor

Posted by donna | with no comments

A malicious spam campaign caught by Panda Labs is using a fake Microsoft Update notice to trick victims into installing a Trojan. While well crafted, the attack still provides dead giveaways.

The e-mail, which Panda posts with a screen shot, is spoofed to look as if it comes from Microsoft Support. With a realistic-looking subject and e-mail body that attempts to piggy-back on the constant (and correct) advice to keep your computer up-to-date with patches, it's a great example of a social engineering attack.

http://www.pcworld.com/article/188456/fake_microsoft_outlook_update_installs_trojan.html

Microsoft will release security updates for Office and Windows products this month. You will get them via the Windows Update website/server, using the Windows Update program in Vista/7, or by visiting the Microsoft Update and Microsoft Download Center websites. Delete emails with security updates as attachments. Microsoft does NOT send its updates via email. Other software vendors will NOT send program updates via email, chat rooms or any social networking services either.

Posted by donna | with no comments

A site dedicated to tracking the infamous ZeuS botnet is celebrating its first birthday.

In the twelve months since the ZeuS Tracker was born, on 2 February 2009, the site has tracked more than 2,800 malicious botnet command and control servers associated with ZeuS. The site has logged around 360MB of ZeuS config files and 330MB in binaries.

Thanks to the work of the volunteers and security consultancies, such as Team Cymru, that have contributed to the project, a ZeuS control hub can sometimes be taken down in minutes. Local CERTs, registrars and ISPs subscribe to the list compiled by ZeuS Tracker to identify and take down suspect domains.

More recently, ZeuS Tracker data has been integrated into the suspect blocklist of commercial products, as explained in a post celebrating the anniversary of the ZeuS tracker on abuse.ch here.

http://www.theregister.co.uk/2010/02/05/zeus_tracker/

Posted by donna | with no comments

The second half of 2009 saw malware authors focus their efforts on ensuring they drove victims straight to them. In contrast to the first half of the year, where mass injection attacks like Gumblar, Beladen and Nine Ball prompted a sharp rise in the number of malicious Web sites, Websense Security Labs observed a slight (3.3 percent) decline in the growth of the number of Web sites compromised. Instead, attackers replaced their traditional scattergun approach with focused efforts on Web 2.0 properties with higher traffic and multiple pages.

Over the six-month period, Search Engine Optimization (SEO) poisoning attacks featured heavily, and Websense Security Labs research identified that 13.7 percent of searches for trending news/buzz words led to malware. In addition, attackers continued to capitalize on Web site reputation and exploit user trust, with 71 percent of Web sites with malicious code revealed to be legitimate sites that had been compromised.

Web security intelligence remains a critical component of any email and data security strategy as illustrated by the continued popularity of blended threats (spam emails with embedded URLs). During the second half of 2009 Websense Security Labs discovered:

• 13.7 percent of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) lead to malware
• 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious
• 35 percent of malicious Web attacks included data-stealing code
• 58 percent of data-stealing attacks are conducted over the Web
• 85.8 percent of all emails were spam
• an average growth of 225 percent in malicious Web sites
[...]

The full report is available here.

http://community.websense.com/blogs/websense-features/archive/2010/02/01/websense-security-labs-report-state-of-internet-security-q3-q4-2009.aspx

Posted by donna | with no comments