
Bad guys learn a lesson about disaster recovery

Posted by admin on Jul 2, 2009 in Technology

It didn’t take long for spammers to learn their lesson. About seven months after the McColo shutdown took out their command-and-control
operations, a similar shutdown last month was anticipated and routed around.

Symantec this week said that Cutwail, “one of the largest and most active botnets,” was affected when California-based ISP
Pricewert was shut down on June 5; however, its activity was back up to one-third of its original level after just a few hours. The antivirus company said
that shows that spammers have learned the importance of backup channels for command and control.

The McColo shutdown in November gave them a wake-up call. Supposedly, spam levels dropped about 50% after upstream ISPs cut
off McColo, which hosted the command-and-control servers, and it took botnets such as “Srizbi” months to recover.

It’s interesting that spammers are just like anyone else in this regard; it often takes an actual disaster to get people thinking
about disaster recovery. Even a shadow network architecture needs a backup.

Symantec says that spam from botnets accounted for 83.2% of all spam in June, and spam accounted for 90.4% of all e-mail traffic,
so the backup plans are working just fine.

On a related note, fellow newsletter authors Jim Metzler and Steve Taylor recently discussed the “Darwin Awards for Disaster Recovery,” stories of people who didn’t exactly think their disaster recovery plans through, or didn’t test them before they needed
them. These awards might be just the incentive you need to make sure your own disaster recovery plan is implemented and tested.


Symbian Foundation makes progress, but challenges remain

Posted by admin on Jul 2, 2009 in Technology

The Symbian Foundation expects to begin beta testing of a new version of its mobile phone operating system within the next
few weeks. Symbian^2, the first version of the software since the foundation said it planned to go open source, should be
ready for release six months after that, so smartphone buyers may see the first devices using the software in the first half
of next year.

The foundation was created when Nokia bought software developer Symbian, with the intention of uniting the underlying Symbian
operating system with user interface layers such as S60 or UIQ that had been developed on top of it.

Since December, when Nokia’s offer to acquire Symbian was approved, work has been accelerating, said David Wood, who holds
the post of futurist and catalyst at the Symbian Foundation.

Symbian^2 will add more of what we have seen in the latest Symbian devices, including a user interface that can be customized
by the users themselves, and more elaborate touch features.

Within a few weeks, the software will be “functionally complete,” said Wood: no more features will be added, and changes will
only be made based on feedback from phone manufacturers. In Symbian-speak that stage will be followed by a six-month process
of “hardening” the software before phones can be produced. The two stages correspond with the release of a beta version and
the process of beta-testing at other software companies, although Wood declined to use those terms.

The Symbian Foundation is also working hard on the Product Development Kit (PDK), which phone makers will use when building
phones based on the operating system. They can get it today, but it is not as polished as the Foundation would like, according
to Wood. Every two weeks a new version of the PDK is to be released, and Wood expects to have a significantly evolved kit
in about a month.

Work on both Symbian^2 and the PDK has taken longer than initially thought.

One of the issues has been software in Symbian OS and in the Series60 user interface that wasn’t owned by either Symbian or
Nokia. Third-party vendors included software in the OS for a fraction of the license fee, and aren’t happy for it to become
open source, according to Wood.

The Symbian Foundation has removed these parts of the software, and is either writing something equivalent, reverting to an
older implementation or using an R&D license, under which the code can be left in place but anyone who develops a commercial product
will have to pay when it goes on sale. That solution has been used for the Java implementation.

“This is the kind of engineering issue that will come up naturally when open-sourcing a very large software system,” said
Wood.

The foundation has also seen some of the advantages of the open-source model: Developers have started to download the open-source
modules and are reporting bugs, which is what the Foundation had hoped for, Wood said.

“I am hoping that this isn’t going to deter the package owners from moving their code quickly into open source. I am hoping
they’re going to say: ‘The good news is that the person who has reported these bugs hasn’t just said there is a bug, but also
how to fix it,’” said Wood.

So far, less than ten percent of the code has become open source, but that figure is rising all the time, according to Wood.
The goal is still for the platform to be open source by June, 2010.

“I’d love to see that happening quicker,” he said.

The success of the platform doesn’t rest on one phone model, but there will be some pressure on the first phones.

“I think it is important that these devices are seen as a step forward, and that there is a new set of applications available,”
said Wood.

He will be disappointed if there aren’t a whole lot more attractive applications by the time these first devices arrive. Symbian
support for multitasking will be one key aspect of these applications, according to Wood.

“We may not have, straight off, as many applications as there are now on the iPhone, because they have done a tremendous task.
But I see that we will catch up,” said Wood.

The smartphone market is currently in a state of flux. Apple has rolled out a new iPhone, Microsoft is preparing to release
a new version of its mobile operating system and Google’s operating system Android, which is also an open source project,
is slowly starting to pick up speed.

Wood isn’t too worried about their head start. Instead, the growing interest in smartphones will help the Symbian Foundation
in the long term, and make buyers more aware that there are different operating systems to choose between, according to
Wood.

At least one analyst thinks the Symbian Foundation is underestimating the progress the other platforms are making.

“The big, big threat they face at the moment is the pace at which other platforms are gathering momentum,” said Ben Wood,
analyst at CCS Insight.

No one can ignore what Apple has achieved, with tens of millions of devices and an application developer community that Symbian
can only dream of for its speed of development, volumes and engagement with end users. Android is also generating a tremendous
amount of interest, and the phones have a more modern user interface compared to existing Symbian devices, according to CCS
Insight’s Wood.

He is less and less convinced that Symbian is going to be a truly competitive platform against these new operating systems
from Apple and Google.

But that doesn’t mean CCS Insight’s Wood thinks that Symbian is going away. The Nokia 5800 XpressMusic has been a huge success
for Nokia, and the recently announced 5530 XpressMusic looks to follow in its footsteps, he said. Symbian is better suited
for use in these kinds of mid-tier phones that aren’t as powerful as the iPhone, but are good enough for users who can’t afford
an expensive smartphone, he said.

Nokia’s announcement last week that it will contribute to development of Intel’s Linux-based Moblin software for smartphones
is an indication that Nokia is working on a new software platform for its most advanced phones, according to CCS Insight’s
Wood.

Currently, those advanced phones, including Nokia’s flagship N97, run Symbian, not Linux.

That’s not something that’s going to change, according to Symbian’s Wood.

“Nokia has been, and continues to be, engaged in a large number of different device projects, with different partners and
with different software systems. We don’t expect any significant changes in Nokia’s engagement with Symbian as a result of
this announcement,” he said.


Jailbroken iPhones leave users more vulnerable

Posted by admin on Jul 2, 2009 in Technology

Jailbreaking an iPhone leaves users vulnerable to attack by stripping away most of the handset’s security protections, a security
researcher warned Thursday.

“If you care about security, don’t use a jailbroken iPhone,” said security researcher Charlie Miller, speaking at the SyScan
security conference in Singapore on Thursday.

Jailbreaking is a term used to describe the process of stripping away the protections that prevent a user from installing
applications on an iPhone that have not been digitally signed by Apple. Jailbreaking tools have been popular among users in
the U.S. and elsewhere who do not want to be tied to a specific operator, or who want to add software or capabilities to the
phone that Apple doesn’t offer.

The process removes around 80 percent of the security protections built into the phone’s software, making it more vulnerable,
Miller said.

Overall, the stripped-down version of Mac OS X used in the iPhone makes it more secure than computers running the full version
of the operating system, Miller said.

Many capabilities contained in the full version of the operating system, like support for Java and Adobe Flash, are not available
on the iPhone. In addition, the iPhone doesn’t support many of the features contained in PDF files, which have proved to be
a fertile source of Mac OS X vulnerabilities. This gives attackers fewer options when looking for vulnerabilities to exploit,
he said.

In addition, iPhones are limited to running applications that have been digitally signed by Apple, which means that an attacker
cannot simply install and run their own software on the handset. The iPhone also has hardware protections for data stored
in memory.

Jailbreaking an iPhone disables both of these protections, making the phone more vulnerable to attack, Miller said.


Chinese security company shares huge malware database

Posted by admin on Jul 2, 2009 in Technology

A Chinese company that has created a massive database of malware found on Chinese Web sites opened up the information to other security organizations on Thursday.

Beijing-based KnownSec gathered the viruses and other information with a crawler that scans nearly 2 million Chinese Web sites
each day, Zhao Wei, CEO of the security company, said in an interview in Beijing. He planned to give a presentation on the
subject at the Forum of Incident Response and Security Teams (FIRST) security conference in Kyoto, Japan this week.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao
said in the interview. China produces the majority of the world’s malware, he said.

A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites
and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found
being distributed by the sites.

KnownSec each day finds more than 100 Trojan downloader files that have never been seen before, Zhao said. Each of those can
direct a victim’s PC to download up to ten viruses.

The database also has a list of Web sites that are currently compromised. Only about half of the newly infected sites KnownSec
finds each day are also listed by Google as dangerous, said Zhao.

Google labels search results it has found to be potentially dangerous during scans of its index. When asked for comment, a
Google spokeswoman said organizations need to work together to identify online threats and stamp them out.

Security companies and national computer emergency response teams can request access to the KnownSec database, Zhao said.
Security companies could use the information to shield users of their antivirus programs against new malware threats, he said.

“We cannot realize the role of this data by just keeping it,” Zhao said.

Separately, security vendor McAfee has seen a rise in malware from China in recent months, Prabhat Singh, McAfee’s senior
director of Avert operations in the Asia Pacific, said in an interview.

The amount of malware Chinese Internet users reported to McAfee in the last six months was nearly 80 percent the amount reported
in all of 2008, Singh said. At that growth rate, the amount of malware seen in China this year could double over last year,
he said.

Password-stealing Trojans were the dominant type of malware in China in the first quarter this year, said Singh. Many specifically
try to steal account passwords for online games, which are extremely popular in China, he said. An attacker can strip a game
account of equipment like weapons and armor and sell them for cash.

About one in four Chinese Web sites currently has a malicious reputation, Singh said. That may not mean the site owners themselves
are malicious, but that attackers have compromised the sites and are using them to distribute malware.

Phishing is also on the rise in China, Singh said. China hosted the second-highest number of phishing sites in the world in
the last quarter, mainly targeting Chinese bank users, he said.


China will still require Green Dam Web filter program

Posted by admin on Jul 2, 2009 in Technology

China has not lifted its requirement that an Internet filtering program be shipped with all computers sold in the country,
even though the plan was postponed this week, state media said Thursday.

It is just “a matter of time” before the mandate for PC makers to ship the program takes effect, the website of the official
newspaper China Daily cited an unnamed official as saying Thursday.

China indefinitely delayed enforcement of the mandate late Tuesday, just hours before the deadline originally set for foreign
and domestic PC makers to ship the program. But the announcement also said China would continue seeking input on how to carry
out the plan.

China says the program, called Green Dam Youth Escort, is meant to protect children from “harmful” information online. The
program blocks pornography and other content, including some related to politically sensitive issues such as criticisms of
a former president. Sites are also blocked if they reference Falun Gong, the spiritual movement banned as a cult in China.

Foreign industry groups and the U.S. government had protested the mandate over concerns including the program’s security,
free speech, user privacy and the software’s alleged theft of code from a U.S. company.

But China pushed back its mandate only because PC makers said they needed more time to prepare and to distribute the software,
not because of copyright infringement concerns, China Daily cited the official in the Ministry of Industry and Information
Technology (MIIT) as saying.

“The government will definitely carry on the directive on Green Dam,” the official was quoted as saying.

Chinese PC makers including Lenovo said they would still ship the program, according to the report. Lenovo did not immediately
respond to a request for comment.

Foreign PC makers did not appear to relax when China pushed back the Green Dam requirement. A Hewlett-Packard spokeswoman
repeated an earlier comment that the company is seeking additional information. A Dell spokeswoman said the company supported
China’s goal of protecting children from online pornography and would work to educate customers about filtering software that
has been thoroughly tested.

A spokesman at the MIIT declined to comment.


Security guard charged with hacking hospital systems

Posted by admin on Jul 2, 2009 in Technology

The grainy video shows a bleary-eyed young man in a hoodie inside the Carrell Clinic in Dallas, Texas. As he hits the elevator
button, the theme music from Mission Impossible plays in the background. “You’re on a mission with me: Infiltration,” he tells
the camera.

Then in the course of the next five minutes, the man, who says he hasn’t slept in 3 days, uses a security key to roam the
halls of the hospital and install malicious botnet software on a computer there.

He says he’s “infiltrated a very large corporate office,” but according to the U.S. Federal Bureau of Investigation, he was
just working the night shift as a security guard, pretending to break into the very building he was supposed to be guarding.

On Friday the federal authorities arrested Jesse William McGraw on a charge of felony computer intrusion, saying he intended
to use the botnet to launch a massive distributed denial of service (DDOS) attack on July 4, the day after he was set to stop
working there. He’d nicknamed the day “Devil’s Day.”

He worked for a Dallas security company called United Protection Services, on the 11 p.m. to 7 a.m. shift at the clinic.

McGraw, who went by the hacker name GhostExodus, allegedly installed malicious software all over the Carrell Clinic, including
systems that contained confidential information, and others that managed the building’s climate-control systems, authorities
said Tuesday.

The hacker could have harmed patients or damaged drugs if he had turned off air conditioning during Texas’s hot summer months,
authorities said.

GhostExodus’s Mission Impossible video was one of several that he posted to YouTube. They have since been removed, but copies
were seen by the IDG News Service. One video named in court filings that was not deleted shows him skillfully playing a violin.

GhostExodus may have seen his arrest coming.

In a March 14 online journal entry, he said that an enemy was fabricating evidence against him and that he was erasing his tracks, but he did leave some tracks
on the Web. For example, there’s a May 24 forum post, where he bragged about his hacking and posted screen shots of the administrative interface to the heating, ventilation and
air conditioning (HVAC) systems used at the hospital. “Spreading botnets is boring. But sometimes you get a hefty prize for
all your hard work and labor,” he wrote. “Like this you see below. An HVAC server.”

McGraw talks like a big-time spy, but he makes some silly mistakes. In one video he puts on surgical gloves, presumably to
hide his fingerprints, after typing on the computer he plans to hack. In another, he crops the video so that his face is not
visible, but then shows off a fake FBI identity card — with his picture on it. Then there’s the fact that he posted the whole
thing to YouTube.

His undoing came when a member of his hacker group, called the Electronik Tribulation Army, boasted to security researcher
Wesley McGrew and showed him screen shots of hacked machines. That hacker, who went by the name XXxxImmortalxxXX, claimed
to have hacked the Carrell Clinic systems, but McGrew soon linked the crime to GhostExodus and handed over his findings to
authorities.

The group also compromised computers used by the Dallas Police and the National Aeronautics and Space Administration (NASA),
the FBI said in an affidavit. According to GhostExodus’s journal, he appears to have found a cross-site scripting bug — a common Web programming error
— on NASA’s Web site.

McGrew, a graduate student at Mississippi State University, said that it probably never occurred to GhostExodus to fake the
videos he made. “It’s a show of skill to his hacker peers,” he said via instant message.

Still, the video is “pretty amazing,” he added.

“He’s a security guard at the hospital, but he’s pretending to infiltrate a corporate office and he’s running around with
a hoodie on over his security guard uniform and installing botnet software on a hospital computer all to the Mission Impossible
music,” he said. “[You] can’t make this stuff up.”


When your phone rings, the copyright police may come calling

Posted by admin on Jul 2, 2009 in Technology

A digital rights group is contesting a U.S. music industry association’s assertion that royalties are due each time a mobile
phone ringtone is played in public.

The American Society of Composers, Authors and Publishers (ASCAP) filed suit against AT&T asserting that ringtones qualify
as a public performance under the Copyright Act. ASCAP, which has 350,000 members, collects royalties and licenses public
performances of works under copyright.

The Electronic Frontier Foundation (EFF), however, asserts that copyright law exempts performances made “without any purpose
of direct or indirect commercial advantage,” which would include a ringtone heard in a restaurant.

The organization further argued that the move by ASCAP could jeopardize consumer rights and increase costs for consumers.
The EFF filed an amicus brief for the case on Wednesday in U.S. District Court for the Southern District of New York.

“These wrongheaded legal claims cast a shadow over innovators who are building gadgets that help consumers get the most from
their copyright privileges,” the EFF said in a blog post.

ASCAP’s suit highlights efforts by the music industry to aggressively assert its influence in dealing with new digital media.
ASCAP wants mobile operators to pay royalties or be held liable for the so-called public performances of the ringtones. The
organization has indicated that it would not pursue claims against individual consumers but rather the operators.

Operators such as AT&T and others that sell ringtones already pay royalties to songwriters for use of their material. ASCAP
rejects the argument that ringtones fall under the exemption, and contends that a performance can still infringe even if there is no
commercial gain.

On June 12, ASCAP filed a document opposing a motion from AT&T asking for a summary judgment in the case, which the EFF has
posted on its Web site.


Apple patching serious SMS vulnerability on iPhone

Posted by admin on Jul 2, 2009 in Technology

Apple is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software
code with root access to the phone.

The attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service),
said security researcher Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday. He didn’t provide a detailed description of the SMS vulnerability, citing an agreement
with Apple.

Miller is an authority on Mac OS X security, and is a co-author of The Mac Hacker’s Handbook.

The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network.
The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to
eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet, Miller said.

Apple is working to patch the vulnerability and expects to have a fix ready later this month, before Miller discusses the
attack in greater detail during a planned presentation at the Black Hat USA conference in Las Vegas.

Despite the SMS vulnerability, the stripped-down version of Mac OS X used in the iPhone makes it more secure than computers
running the full-blown operating system, Miller said.

For starters, the stripped-down version of the OS presents fewer options for attackers, removing applications and features
such as support for Adobe Flash and Java, which they might otherwise be able to exploit for vulnerabilities. In addition,
the iPhone includes hardware protection for data stored in memory and the phone is designed to only run software code that
has been digitally signed by Apple.

The iPhone also requires applications to run in a sandbox, a security feature that isolates them from other applications and
limits their access to the phone’s capabilities. But SMS offers a way for attackers to get greater access to the phone’s capabilities,
Miller said.

“SMS is a great vector to attack the iPhone,” he said.

Most often used to send brief text messages between cell phones, SMS can also send binary code to an iPhone, which then processes
the code without any user interaction. Each SMS message is limited to 140 bytes, but longer sequences can be sent to the phone
as multiple messages that are automatically reassembled.

This feature allows larger programs to be delivered to a phone, Miller said.
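The reassembly step described above is the first piece of the SMS stack that an attacker-controlled sequence of messages reaches, so it is worth seeing what a defensive implementation has to check. The Python below is an added example written for this page; it is not Apple’s code and it does not describe the bug Miller found. It assumes the concatenation information elements defined in 3GPP TS 23.040 (IEI 0x00 for an 8-bit reference, IEI 0x08 for a 16-bit reference, carried in the User Data Header of a PDU whose UDHI bit is set), and it constructs its own sample PDUs rather than reading them from a phone.

```python
"""Concatenated-SMS reassembly with defensive parsing (added example, not from the original page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMS_USER_DATA_MAX = 140      # octets of user data in one SMS PDU (3GPP TS 23.040)
IEI_CONCAT_8BIT = 0x00       # concatenation IE with an 8-bit reference number
IEI_CONCAT_16BIT = 0x08      # concatenation IE with a 16-bit reference number


@dataclass(frozen=True)
class Segment:
    ref: int      # message reference shared by all parts
    total: int    # declared number of parts
    seq: int      # 1-based position of this part
    body: bytes   # payload that follows the header


def parse_udh(user_data: bytes) -> Tuple[Optional[Segment], bytes]:
    """Parse the User Data Header of a PDU whose UDHI bit is set.

    Returns (concatenation info or None, payload). Every length field comes
    from the sender, so each one is bounds-checked before it is used.
    """
    if not 0 < len(user_data) <= SMS_USER_DATA_MAX:
        raise ValueError("user data must be 1..140 octets")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise ValueError("UDHL runs past end of user data")
    header = user_data[1:1 + udhl]
    payload = user_data[1 + udhl:]
    seg: Optional[Segment] = None
    i = 0
    while i < len(header):
        if i + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[i], header[i + 1]
        ie = header[i + 2:i + 2 + iedl]
        if len(ie) != iedl:
            raise ValueError("IE length runs past end of header")
        if iei == IEI_CONCAT_8BIT and iedl == 3:
            seg = Segment(ie[0], ie[1], ie[2], payload)
        elif iei == IEI_CONCAT_16BIT and iedl == 4:
            seg = Segment((ie[0] << 8) | ie[1], ie[2], ie[3], payload)
        # other IEs (port addressing, etc.) are skipped by this example
        i += 2 + iedl
    return seg, payload


class Reassembler:
    """Collects parts per reference number; returns the full message once complete."""

    def __init__(self, max_pending: int = 64) -> None:
        self.max_pending = max_pending   # bound memory held for incomplete messages
        self.parts: Dict[int, Dict[int, bytes]] = {}
        self.totals: Dict[int, int] = {}

    def feed(self, user_data: bytes) -> Optional[bytes]:
        seg, payload = parse_udh(user_data)
        if seg is None:
            return payload               # single-part message, nothing to reassemble
        if seg.total == 0 or seg.seq == 0 or seg.seq > seg.total:
            raise ValueError("sequence number outside declared total")
        if seg.ref not in self.parts:
            if len(self.parts) >= self.max_pending:
                raise ValueError("too many incomplete messages")
            self.parts[seg.ref] = {}
            self.totals[seg.ref] = seg.total
        if self.totals[seg.ref] != seg.total:
            raise ValueError("declared total changed between parts")
        known = self.parts[seg.ref]
        if seg.seq in known:
            if known[seg.seq] != seg.body:
                raise ValueError("conflicting duplicate segment")
            return None                  # harmless retransmission of a part we hold
        known[seg.seq] = seg.body
        if len(known) < seg.total:
            return None
        message = b"".join(known[n] for n in range(1, seg.total + 1))
        del self.parts[seg.ref], self.totals[seg.ref]
        return message


def rejected_reason(r: Reassembler, user_data: bytes) -> Optional[str]:
    """Feed one PDU and report why it was rejected (None if accepted)."""
    try:
        r.feed(user_data)
        return None
    except ValueError as exc:
        return str(exc)


def split_message(ref: int, data: bytes) -> List[bytes]:
    """Build the user-data fields a sender would emit for `data` (8-bit reference)."""
    chunk = SMS_USER_DATA_MAX - 6        # 1 UDHL + 2 IE header + 3 IE data octets
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    if len(pieces) > 255:
        raise ValueError("message needs more than 255 parts")
    return [bytes([5, IEI_CONCAT_8BIT, 3, ref, len(pieces), n + 1]) + p
            for n, p in enumerate(pieces)]


def demo() -> Optional[bytes]:
    # Constructed input: a 300-byte blob split into three parts, delivered out of order.
    blob = bytes(range(256)) + b"x" * 44
    pdus = split_message(0x2A, blob)
    r = Reassembler()
    result = None
    for pdu in (pdus[2], pdus[0], pdus[1]):
        result = r.feed(pdu)
    return result
```

The design point is that nothing in a concatenated message can be trusted to be consistent with itself: the header length, each element length, the declared part count and the sequence number all arrive from the network, and a later part may contradict an earlier one. The reassembler therefore refuses a changed total, rejects a part numbered beyond the total, treats a differing duplicate as an error rather than overwriting what it holds, and caps the number of half-assembled messages it will keep in memory.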

In addition, vulnerabilities found in the iPhone’s SMS function give an attacker root access to the handset, Miller said.
That’s not the case for the iPhone’s other applications, such as its browser, where vulnerabilities only give an attacker
access to the application’s sandbox.

“The iPhone is more secure than OS X, but SMS could be a critical vulnerability,” Miller said.


Dell and HP take knocks in India over recycling programs

Posted by admin on Jul 2, 2009 in Technology

Dell and Hewlett-Packard (HP) were criticized by Greenpeace for not implementing their product recycling services properly
in India.

But the companies and analysts say that part of the reason why recycling hasn’t taken off in India is lack of interest from
consumers.

The Dell India Web site, which is likely to be the first port of call for the company’s Indian customers, does not have information on take-back
and recycling services, Greenpeace said on Wednesday.

Dell also did not respond appropriately when customers called customer care in India with a request to take back and recycle
their computers, a Greenpeace spokesman said. “They said the information is available online,” he said.

HP, which started its recycling program for consumers as late as May this year, does not have enough collection centers in
India, Greenpeace’s Toxics Campaigner Abhishek Pratap said on Wednesday.

“They have 17 collection centers in nine cities, when they should be having at least 100 centers covering all the cities
in India,” Pratap said.

Dell will work to improve its India Web site by adding a prominent link on recycling, said Mahesh Bhalla,
director and general manager for Dell’s consumer business in India, on Thursday. The information is already available on the
recycling pages of Dell’s main site, to which there are links from the Dell India site.

Dell does not have collection centers, and instead offers to pick up computers at no cost from the homes of consumers, Bhalla
added.

The criticism of the recycling programs of Dell and HP has however brought into focus the lack of readiness of the Indian
market for such programs.

Consumers want a payment even for their old PCs, said Kapil Dev Singh, country manager at research firm IDC India. They would
rather sell their computers to resellers or junk buyers than turn them in free for recycling, he added.

Dell’s recycling program for consumers has not been very successful in India, possibly because users would rather give away their
old computers, or sell them to a local dealer for a price, Bhalla said.

Awareness of the need to protect the environment through recycling is low among consumers, Singh said.

An HP spokesman said Thursday that it was increasing the number of collection centers. The Indian mindset of attaching a residual
value to an end-of-life product has to change for consumers to start adhering to safe e-waste management practices, he added.

To provide its customers with an incentive to return old computers, Dell is now considering offering gift coupons or discounts
on new purchases to customers returning their old computers, Bhalla added.

HP has launched a media campaign to create awareness amongst consumers on the need to recycle e-waste responsibly.

Greenpeace on Wednesday also criticized HP, Dell, and Lenovo worldwide for failing to adhere to commitments to eliminate hazardous
substances like polyvinyl chloride (PVC) plastic and brominated flame retardants (BFRs) from their products by the end of
this year. Dell had to adjust its timetable as there aren’t viable alternatives for many of the components containing the
chemicals that are used in its products, a spokeswoman said.

Indian PC vendor Wipro scored highest on Greenpeace’s Indian version of its Guide to Greener Electronics.


Mozilla slates first Firefox 3.5 patch

Posted by admin on Jul 2, 2009 in Technology

Mozilla will patch the just-released Firefox 3.5 in the next few weeks to stamp out several bugs that went unfixed in the
final version of the browser, the company said Tuesday.

Firefox 3.5.1, which Mozilla intends to deliver in mid-to-late July, will include fixes for at least three bugs and “topcrashes,”
the term the company uses for the most frequently reported crashes. Like many applications, Firefox asks users to report
crashes by displaying a prompt after the browser goes down.

“[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for,” Mozilla
said in notes published after a weekly status meeting.

One of the topcrashes scheduled for a fix involves TraceMonkey, the new, faster JavaScript engine that debuted in Firefox 3.5. At least one of
the bugs was fixed a week before Mozilla released the final code on Tuesday.

The quick patch is not unusual for Mozilla. The company did the same thing last year, when it issued Firefox 3.0.1 four weeks after shipping Firefox 3.0 in 2008.

Users downloaded about 6.5 million copies of Firefox 3.5 in the browser’s first 36 hours, according to Mozilla’s real-time counter. Although that’s a far cry from the 8.3 million copies of Firefox 3.0 Mozilla delivered in the first 24 hours of its availability last summer, it’s a pace that, if sustained,
would exceed the 11 million copies of Safari 4 that Apple claimed were downloaded in its first three days.

Firefox 3.5 can be downloaded in Windows, Mac and Linux editions in 58 different languages from Mozilla’s site; current users can update by choosing “Check for Updates” under the “Help” menu.

Copyright © 2009 Ramblings All rights reserved.