Archive for January, 2008

Security Alerts

Author: Antony Savvas, Computer weekly.com
Posted: 31 Jan 2008

Internet banking authentication systems including two-factor security systems are being threatened by a new Trojan.

The new Trojan, spotted in various forms in recent weeks, poses a potentially serious threat to most authentication systems being rolled out by banks to protect their electronic customers.

“Most of the banks’ two-factor authentication systems centre around the use of a customer-supplied password, plus a unique, one-time code generated by an electronic token such as a SecurID unit or a user’s mobile phone,” said Geoff Sweeney, CTO at security behavioural analysis firm Tier-3.

“This new Trojan, called Silentbanker, allows hackers intermediary access to the information stream from the user, allowing them to create a man in the middle type attack during an e-banking session.

...afforded to users by the two-factor authentication technology,” he said.

Sweeney said updated security software should spot the Trojan, but he added that modified versions of the threat could potentially evade established security systems.
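The mechanism Sweeney describes, worked through as an added example (not from the article, and not Silentbanker's own code): a toy bank that asks for a password plus a token-generated one-time code at login, a hardware token that produces that code, and a man in the middle that passes the password and code through untouched but rewrites the payee of the transfer the customer then submits. Because the code only proves who logged in, the bank executes the attacker's transfer. The same model shows the usual countermeasure: binding the code to the payee and amount (transaction signing), so a rewritten transfer fails verification. The token seed, password and account numbers are constructed for the example; the HOTP routine follows RFC 4226.

```python
# Constructed model: session-bound OTP vs transaction-bound code under a
# man-in-the-middle Trojan.  Seed, password and accounts are made up; the
# Trojan is a model of the technique, not the actual Silentbanker code.
import hashlib
import hmac
import secrets

TOKEN_SEED = b"constructed-token-seed"        # shared by bank and customer token
PASSWORD = "constructed-password"
PAYEE_ACCOUNT = "GB00 LANDLORD 0000 01"       # where the customer means to pay
ATTACKER_ACCOUNT = "GB00 MULE 0000 0000 01"   # where the Trojan redirects funds


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the counter-based code a hardware token displays."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_transaction(seed: bytes, counter: int, dest: str, amount: int) -> str:
    """Transaction-bound code: payee and amount are MAC inputs, so the code
    is valid only for the exact transfer it was generated for."""
    msg = counter.to_bytes(8, "big") + f"{dest}|{amount}".encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class Token:
    """The token in the customer's hand; malware on the PC cannot reach it."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def login_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def sign(self, dest: str, amount: int) -> str:
        # A real token has the user key in dest/amount and shows them on its
        # own display, so what is signed is seen independently of the PC.
        code = sign_transaction(self.seed, self.counter, dest, amount)
        self.counter += 1
        return code


class Bank:
    """transaction_signing=False is the scheme in the article (the code only
    proves who logged in); True additionally binds every transfer."""
    def __init__(self, transaction_signing: bool):
        self.transaction_signing = transaction_signing
        self.counter = 0            # token counter the bank expects next
        self.sessions = set()
        self.ledger = []            # (dest, amount) of executed transfers

    def handle(self, req: dict) -> str:
        if req["op"] == "login":
            if req["password"] != PASSWORD or not hmac.compare_digest(
                    req["otp"], hotp(TOKEN_SEED, self.counter)):
                return "denied"
            self.counter += 1
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            return sid
        if req["op"] == "transfer" and req["session"] in self.sessions:
            if self.transaction_signing:
                # Verify over what the bank actually received, which is what
                # the Trojan sent, not what the customer typed.
                expected = sign_transaction(TOKEN_SEED, self.counter,
                                            req["dest"], req["amount"])
                if not hmac.compare_digest(req.get("code", ""), expected):
                    return "denied"
                self.counter += 1
            self.ledger.append((req["dest"], req["amount"]))
            return "ok"
        return "denied"


def mitm_trojan(req: dict) -> dict:
    """Model of the in-browser man in the middle: password and codes pass
    through untouched; the payee of any transfer is silently rewritten."""
    return dict(req, dest=ATTACKER_ACCOUNT) if req["op"] == "transfer" else req


def customer_session(bank: Bank, token: Token, wire=lambda r: r) -> str:
    """The legitimate customer's actions.  `wire` is what sits between browser
    and bank: identity on a clean PC, mitm_trojan on an infected one."""
    sid = bank.handle(wire({"op": "login", "password": PASSWORD,
                            "otp": token.login_code()}))
    req = {"op": "transfer", "session": sid, "dest": PAYEE_ACCOUNT, "amount": 850}
    if bank.transaction_signing:
        req["code"] = token.sign(PAYEE_ACCOUNT, 850)  # signs the intended payee
    return bank.handle(wire(req))


def demo() -> dict:
    """Infected-PC scenario in both modes -> {signing: (verdict, ledger)}."""
    results = {}
    for signing in (False, True):
        bank = Bank(transaction_signing=signing)
        verdict = customer_session(bank, Token(TOKEN_SEED), wire=mitm_trojan)
        results[signing] = (verdict, list(bank.ledger))
    return results
```

Calling demo() returns "ok" with the attacker's account in the ledger for the session-OTP scheme, and "denied" with an empty ledger once the code is bound to the transfer. The caveat a practitioner should keep in mind: transaction signing only helps when the payee and amount are confirmed on the token's own display, because a Trojan that also rewrites what the browser shows can otherwise walk the user into signing the attacker's transaction. It also does nothing against Sweeney's second point, that the Trojan itself may be modified to slip past endpoint security.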



By AOIFE WHITE, AP Business Writer 

BRUSSELS, Belgium – Three out of four Europeans are worried about posting their personal information on the Internet.

Franco Frattini, the European Union’s top law enforcement official, said Monday that an upcoming poll will show people were concerned about the security of their personal data and wondering what they could do to protect it.

“It is our intention to fully analyze and understand the feedback we have been given by Europe’s citizens in this survey,” said Frattini, the EU’s Justice and Home Affairs Commissioner.

Europeans’ concerns should be “a salutary lesson” for all those who handle personal data, he said. Regulators from the EU’s 27 nations are preparing a report on whether the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

Frattini did not reveal the number of people surveyed or the poll’s margin of error, but Eurobarometer surveys like this one usually are based on interviews with several thousand people across the EU.

While three in four people worry about the safety of posting personal data, more than half said they trusted medical services, financial institutions, employers, police, social security, tax authorities and local government to handle their data.

Frattini said people did understand the need to use private data to hunt down terror suspects and fight crime with almost 75 percent agreeing to phone tapping in certain circumstances and almost 70 percent to monitoring of their credit card use.

“Only 15 percent of respondents were against the monitoring of air traveler data in all cases,” he said.

The British government was forced to apologize in November when it managed to lose sensitive details on some 25 million people who claim child benefit payments.

And banking transfer operator SWIFT drew criticism from EU data protection officers and lawmakers last year for transferring bank data to the U.S. Treasury under a secret deal that did not give enough guarantees that the information would be kept safe.


By TED BRIDIS, Associated Press Writer 

WASHINGTON – In the middle of the biggest-ever “Cyber Storm” war game to test the nation’s hacker defenses, someone quietly targeted the very computers used to conduct the exercise.

The surprising culprit? The players themselves, the same government and corporate experts responsible for detecting and fending off attacks against vital computer systems, according to hundreds of pages of heavily censored files obtained by The Associated Press. Perplexed organizers sent everyone an urgent e-mail marked “IMPORTANT!” instructing them not to probe or attack the game’s control computers.

“Any time you get a group of (information technology) experts together, there’s always a desire, ‘Let’s show them what we can do,’” said George Foresman, a former senior Homeland Security official. “Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players.”

The exercise was a big deal for all concerned.

The $3 million, invitation-only war game simulated what the U.S. describes as plausible attacks over five days in February 2006 against the technology industry, transportation lines and energy utilities by anti-globalization hackers. The government is organizing a multimillion-dollar “Cyber Storm 2,” to take place in early March.

Among the mock disasters confronting officials in the previous exercise: Washington’s Metro trains shut down. Seaport computers in New York went dark. Bloggers revealed locations of railcars with hazardous materials. Airport control towers were disrupted in Philadelphia and Chicago. Overseas, a mysterious liquid was found on London’s subway.

The list of fictional catastrophes — which also included hundreds of people on “No Fly” lists suddenly arriving at airport ticket counters — is significant because it suggests what kind of real-world trouble keeps the White House awake at night. Railway switches failed. Planes flew too close to the White House. Water utilities in Los Angeles were compromised.

The Homeland Security Department ran the exercise, with help from the State Department, Pentagon, Justice Department, CIA, National Security Agency and others.

Imagined villains included hackers, bloggers and even reporters. In one scenario, after mock electronic attacks overwhelmed computers at the Port Authority of New York and New Jersey, an unspecified “major news network” airing reports about the attackers refused to reveal its sources to the government. Other simulated reporters were duped into spreading “believable but misleading” information that confused the public and financial markets, according to the government’s documents.

The upcoming “Cyber Storm 2” in March also will simulate electronic attacks against chemical plants and communication lines, and include targets in California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas and Virginia.

“They point out where your expectations of your capabilities may be overstated,” Homeland Security Secretary Michael Chertoff told the AP. “They may reveal to you things you haven’t thought about. It’s a good way of testing that you’re going to do the job the way you think you were. It’s the difference between doing drills and doing a scrimmage.”

The AP obtained the Cyber Storm internal records nearly two years after it requested them under the Freedom of Information Act. The government censored most of the 328 pages it turned over, marked “For Official Use Only,” citing rules against disclosing sensitive information. The government is still reviewing hundreds more documents before they can be turned over to the AP.

“Definitely a challenging scenario,” said Scott C. Algeier, who runs a cyber-defense group for leading technology companies, the Information Technology Information Sharing and Analysis Center.

For the participants — including government officials from the United States, England, Canada, Australia and New Zealand and executives from technology and transportation companies — the mock disasters came fast and furious: hacker break-ins at an airline; stolen commercial software blueprints; problems with satellite navigation systems; trouble with police radios in Montana; school closures in Washington, Miami and New York; computer failures at border checkpoints.

The incidents, designed to tax responders, were divided among categories: computer attacks, physical attacks and psychological operations.

“We want to stress these players,” said Jeffrey Wright, the former Cyber Storm director for the Homeland Security Department. “None of the players took 100 percent of the correct, right actions. If they had, we wouldn’t have done our job as planners.”

How did they do? Reviews were mixed. Companies and governments worked successfully in some cases. But key players didn’t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn’t have enough technical experts. Also, the sheer number of mock attacks complicated defensive efforts.

The little-known Cyber Response group, headed by the departments of Justice and Homeland Security, represents the largest government departments, including law enforcement and intelligence agencies.

The 2006 exercise had no impact on the real Internet. Officials said they were careful to simulate attacks using only isolated computers, working from basement offices at the Secret Service’s headquarters in downtown Washington.


On the Net:

Homeland Security Department: http://www.dhs.gov

Justice Department: http://www.usdoj.gov


Glenn Fleishman, PC World 

If you don’t like the way the e-mail program on your PC works, you can replace it with one you like better. And when you need to add a new capability to Firefox, you can simply install an extension. But such flexibility doesn’t apply to most cell phones, since cellular providers restrict how you use a device that’s in your face–or pressed to your face–for sometimes hours a day.

That’s about to change. In the coming year cell phones will start opening up, allowing users to customize their handsets’ interfaces, run any program, and, most important, gain access to underlying hardware for finding directions, making calls over Wi-Fi, and taking pictures.

Eventually, experts say, you’ll also see devices such as cameras, camcorders, and other gadgets gain access to cellular data networks, even though they’ll never be used to make a phone call.

Google Leads the Way

Sparking the move toward cell phone openness is Google, flexing its billion-dollar muscles. Google’s primary motivation, not surprisingly, appears to be putting more advertisements in front of more eyeballs. In a closed cellular world, wireless carriers can control what their subscribers see. Open up the system, and Google and other parties can dive in and begin to compete for your attention.

By mid-2007 Google and other Internet giants had convinced the Federal Communications Commission to require that any company that won a January auction for a set of national cellular wireless licenses must allow consumers to use any device and any legal application on that company’s network. Furthermore, late in the year Google, along with three dozen partners, unveiled plans to construct an open-source cellular phone platform known as Android.

At least initially, Android is probably what you’ll hear most about when the topic of cell-phone openness arises. Because Android is open source, and because the Open Handset Alliance that is behind the platform has agreed to permit remarkably deep access to the OS, any two Android-based devices could be quite dissimilar.

Simple Android applications and the standard interface will be common among such devices. But Android developers can produce unique approaches to navigating through menus and options, or they can allow you to choose from, or later install, dramatically different graphical user interfaces.

The approach is deeper than the “skins” often used to put a thin interface overlay over a piece of software. Instead, the experience will be as if you could boot up Windows Vista and replace Aero with an iPhone interface while still accessing the same programs and data.

Android will also allow application developers easy access to all of the hardware that may be installed on a phone, including GPS chips, Bluetooth, Wi-Fi, and cell radios, cameras, and other less common options.

Open to the Outside World

Another advantage of an open phone platform: It enables easier interaction with remote services that store or provide information. Consider a phone with a GPS chip, a camera, and a persistent cell or Wi-Fi network connection. Flickr, for example, could release a simple program that would stamp your photos with geographic coordinates stored in the picture’s metadata, and automatically upload photos as they’re taken. Certain cameras and hacks have similar functionality today, but no cell phone supports such a mashup out of the box.

But that sort of application won’t come first. The initial wave of new software will likely tie together basic components–features like contacts, calendars, notes, to-do lists, alarms, ring tones, and other media. The Android software development kit (SDK), for instance, includes standard, accessible formats for basic contacts, calendar functions, and media. Contrast that to many current phones, in which the data sits in separate and often incompatible databases or proprietary formats.

Hate the programs that ship with your Android model? You can probably install new ones while making no other data changes.

The iPhone SDK may allow such access, given that the iPhone runs a version of Apple’s Unix-based OS X operating system that’s much like the desktop release, which lets program developers work with similar types of underlying user information, databases, and file storage.

As Charles Golvin, a wireless analyst with Forrester Research, observes, integrating tasks with today’s phones is practically impossible. “You’re listening to your voice mail, [and] you’d like to use the note-taking application on your phone to write notes to yourself, all in one standard workflow [as] if you were sitting at your desk,” he says. “But nobody, bar none, has done an implementation of that workflow that an average person could figure out and use.”

New Services

The next offerings will be new paid services. In most cases now, only your service provider–or its partners–can offer you paid cell phone services such as directions. An open platform allows any company to do so, which should lead to lower rates.

Location-based services, including navigation help, are controlled almost entirely by cell carriers. All cell phones are required to provide coordinates for E911 operators, but each carrier has chosen a different approach. Verizon built GPS chips into many of its handsets; however, only subscribers to its VZ Navigator service can access that data.

With an Android or other open phone running a GPS chip, cell-tower-based location mapping, or Wi-Fi, you could choose among several services that provide customized information. And Google, Yahoo, and other mapping and search sites will compete for your dollars.

Having decent cameras on cell phones becomes possible, too. Carriers generally include only relatively low-resolution cameras, and then downgrade the quality of images sent over their data networks. To get a full-res image, you must connect the camera via USB to your PC or swap out a memory card.

With an open platform, handset makers will be motivated to include better cameras, and to allow the user to choose the image transfer method. It’s slightly ridiculous that even a phone with Wi-Fi installed must use a USB connection to move a picture to a computer on a local network.

Finally, an open phone platform will give users access to such VoIP applications as Skype or The Gizmo Program operating natively and with few or no restrictions over either the Wi-Fi or cell data connection. Heavy callers could then avoid paying for expensive cell-calling minutes.

Many Wi-Fi-equipped phones, including a large number of Nokia models, can already make VoIP calls over Wi-Fi. Few, though, can yet use the cellular data network to make VoIP calls.

New Hardware Ahead

Such new software options sound great, but what about hardware? The “elevator pitch” on openness promises that any device will be able to access networks. That means you won’t be stuck with your service provider’s phones; if a phone doesn’t harm a network, you can use it.

In the short term, handsets from outside the United States will likely see a growing presence on U.S. airwaves. The Nokia-dominated Symbian smart-phone platform, for example, owns the market worldwide but is installed on just a small percentage of U.S. cell phones.

Handsets won’t be the only beneficiary. We will see gaming consoles, cameras, music players, and other consumer electronics being equipped with cell chips and cell access–even if they never make a phone call.

The Amazon Kindle is the first major example of such a device. The e-book reader includes a cell data modem that works only with Sprint’s network, and its service bundles in the cost of network access as part of each item purchased.

“The folks from the consumer electronics side have been pretty vocal” about the benefits of such connectivity, says Forrester’s Golvin.

Device manufacturers haven’t bothered to integrate cell chips so far because if they did so they would have to work out complicated deals with a service provider and probably have to share their profits. But in an open-access world, Microsoft could build cell data access into a Zune, for instance, and simply prepay a carrier for airtime rather than make the carrier a full partner.

With the higher bandwidths to come from WiMax and the 700-MHz band, the inclusion of a cell radio in a camcorder or digital camera makes perfect sense. Instead of your having to offload pictures or video later, your files would transfer while or after you capture them.

“You’d never have to worry about the storage on your device,” Golvin notes, and you could also become a live broadcaster “any time you felt like it.”

Of course, if you have five or ten devices with cell phone chips, you won’t want to pay $40 to $80 per month in access fees for every one of them. Network providers will have to be more flexible about the way they charge consumers.

The transition to a more open cell phone world will take a while–it’ll be late 2008, even into 2010, before most of the benefits become fully available. Still, the device in your pocket certainly won’t be like the average clamshell phone sold today. And if that phone doesn’t do exactly what you want, you can change it.

The iPhone’s Not-So-Thrilling Jailbreak

Currently the iPhone is the most famously locked cell platform, allowing no third-party programs to be installed. That should change by the time you read this, upon the release of Apple’s iPhone software development kit (SDK).

Intrepid iPhone users are enjoying software released by crackers to “jailbreak” the phone–that is, install non-Apple-approved applications.

Most early jailbreak apps are free or fee-based programs of the kind that are easy to install under Windows Mobile or on a BlackBerry. One more-sophisticated offering, the Navizon service, uses Wi-Fi access-point information and cell-tower information uploaded by users who carry GPS units to provide rough triangulation for others. It’s closer to a next-gen, open phone app, since it uses a third-party application with access to location data both on the phone and from the Navizon servers.

What will become of jailbreaks once the SDK appears? Hard to tell. Apple hasn’t detailed how it will allow programs to be installed, or to which features it will permit access.


Paul Krill 

San Francisco – In a candid discussion of his classified ads site and its business model, Craigslist founder Craig Newmark said Tuesday he has considered open-sourcing some Craigslist technology, frowns upon banner ads, and believes the site’s impact on newspaper ad sales is exaggerated.

Speaking at the WebGuild Web 2.0 Conference & Expo in Santa Clara, Calif., on Tuesday morning, Newmark detailed how the site began as a simple events list in 1995 and evolved into a real company in 1999. Now, the site has grown to one that experienced 9 billion hits per month prior to the recent holiday season. Craigslist is run on Suse Linux, Apache, and MySQL, Newmark said.

Pondering Craigslist’s open source plans, Newmark said the company has considered open-sourcing some of its caching technology but said staffing issues have prevented this from happening; the company has 25 employees.

Asked the benefit of such a contribution, Newmark cited benevolence. “I don’t know [the specific benefits], but it feels in the right neighborly spirit,” he said.

Craigslist, he said, has been successful because it has built a culture of trust working with people. The company makes money by charging for job postings in 11 cities and for apartment listings in one city. But the company has declined to do banner ads, said Newmark. He added he already makes enough money.

“Banner ads are often kind of dumb, and they slow the site down. I’m not interested,” he said.

Newmark recognized that the site has affected newspaper classified advertising, but he stressed that the impact has been greatly exaggerated. “I figure the biggest problems newspapers have these days have to do with fact-checking,” said Newmark.

Craigslist is growing, he said. “We are helping out lots of people, probably in the tens of millions. We need to be prepared for that growth,” Newmark said. The company must improve its software and get new servers, he said.

Newmark’s own role has evolved from being the founder writing code to doing customer service, he said. “I haven’t written code since the end of 1999. It makes me sad,” said Newmark.

Also at the conference, Gil Penchina, CEO of Wikia.com, which is a community site supporting development of wikis, cited the company’s open source search efforts with its Wikia Search project. The project currently is in an alpha stage of development.


by Christina Mackenzie


PARIS (AFP) – The French paramilitary police force said Wednesday it is ditching Microsoft for the free Linux operating system, becoming one of the biggest administrations in the world to make the break.

The move completes the gendarmerie’s break with Microsoft, which began in 2005 when it moved to open-source office applications such as word processing. It switched to open-source Internet browsers in 2006.

Linux is an open-source operating system, which used to be the reserve of computer geeks but is now an easy-to-use system aimed at average users.

The gendarmerie’s 70,000 desktops currently use Microsoft’s Windows XP operating system. But these will progressively change over to the Ubuntu Linux distribution, explained Colonel Nicolas Geraud, deputy director of the gendarmerie’s IT department.

“We will introduce Linux every time we have to replace a desktop computer,” he said, “so this year we expect to change 5,000-8,000 to Ubuntu and then 12,000-15,000 over the next four years so that every desktop uses the Linux operating system by 2013-2014.”

There are three reasons behind the move, Geraud said at the Solution Linux 2008 conference here. The first is to diversify suppliers and reduce the force’s reliance on one company, the second is to give the gendarmerie mastery of the operating system and the third is cost, he said.

He also added that “the Linux interface is ahead of other operating systems currently on the market for professional use.”

Vista, for example, Microsoft’s latest operating system, is being spurned by consumers who cite “concerns about its cost, resource requirements, and incompatibility with their existing applications,” according to InformationWeek.com.

Geraud explained that the move to an open-source operating system was logical after the police switched to open-source office applications in 2005 and to open-source Internet browsers and email in 2006.

The move away from licenced products is saving the gendarmerie about seven million euros (10.3 million dollars) a year for all its PCs.

“In 2004 we had to buy 13,000 licences for office suites for our PCs,” he said, “but in the three years since then we’ve only had to buy a total of 27 licences.”

In 2005 the gendarmerie switched from Microsoft Office to OpenOffice — a collection of applications such as a word processor, spreadsheet, and presentation programme similar to Microsoft Powerpoint, all of which can be downloaded free.

A year later it abandoned Microsoft’s Internet Explorer for the Mozilla Foundation’s browser Firefox and its email client Thunderbird.

“When we made that choice Firefox represented about 3.0 percent of Internet browsers and it’s about 20 to 25 percent now which confirms our choice,” Geraud said.

The gendarmerie, with its 100,000 employees, is the biggest administration to shift to an open-source operating system, but it is not the first in France. That honour belongs to the National Assembly, which adopted Ubuntu for its 1,200 PCs in 2007.

Although the gendarmerie is ahead of the market, the market is catching up.

Dell, for example, this week started offering Ubuntu Linux 7.10 on its XPS 1330 laptops in France, Germany, Spain and Britain, while US customers will be able to order the machines within the next week or so, according to the company’s website.


by Karin Zeitvogel 

WASHINGTON (AFP) – A new breed of image-manager is emerging in the United States to take on the masked and hooded cybermobs who, bolstered by anonymity and weak laws, launch damaging attacks on other web users.

“We are seeing online mobs emerge and launch attacks… with significant consequences, both to the people online and to their reputation offline,” University of Maryland law professor Danielle Citron told AFP.

The anonymity afforded by the Internet “gives people a kind of strength to be much harsher than they would be in person,” said Christine Schiwietz, Georgetown University sociology professor and co-founder of International Reputation Management (IRM).

Reputation managers step in where the law has failed, to provide “digital botox” to names in need of repair, as Schiwietz put it.

A group of women law students at prestigious Yale University who were attacked online, in what has come to be known as the Auto-Admit scandal, have taken on the services of reputation management group, Reputation Defender.

“Auto-Admit was ostensibly a site for getting advice about going to law school, but it degenerated into attacks on named women who were accused of having herpes, having abortions. They got rape threats, death threats,” said Citron.

In a posting made last year, and which remains on the web and AFP was able to see, one of the students was called a whore and had lewd references made to her anatomy by numerous assailants who hid behind bogus pseudonyms such as Marty Lipton King Jr.

Anonymity and strength in numbers are fueling the online attacks.

“Five years ago, you had to create a website to get information on the Internet. That site could be traced to an IP address and there was some accountability,” Nino Kader of IRM said.

“But Google owns blogs created on blogger.com. So there is a lack of accountability and that is one reason why people are getting pretty malicious out there,” he said.

Citron likened vicious cyber-mobs to the mob mentality of the Ku Klux Klan.

“If you’re in a crowd where people hold the same negative view as you, and you feel anonymous, you’re going to do things you would never dream of doing if you had no mask and hood on,” Citron said.

Reputation Defender is paying for a lawsuit filed by the women in the Auto-Admit case against their attackers, but up to now, victims of cyber-thuggery have had little redress in the courts.

“The law doesn’t allow victims to sue the site operators because they aren’t writing this stuff,” said Citron.

“The difficulty in moving against the poster is that they often write under a pseudonym, are often not required to register with a site before posting, or use anonymizing technology. They are totally masked,” she added.

Enter the reputation managers: they not only react to online maligning, as Reputation Defender did in the Auto-Admit case, but also tout proactivity as the best tool to protect clients from online character assassination.

“It’s more and more important to know what’s out there about you,” IRM’s Kader said.

IRM concentrates on how clients appear in a Google search because “unless you are a hermit, you will be googled,” Schiwietz said.

“There are around 10,000 Google searches made each second, and googling is expected to double or triple because you will be able to do a search anywhere with a handheld device,” Kader said.

“I’ve been at meetings where people have googled the person opposite them,” he added.

One method used by IRM to buff someone’s Internet legacy is to get the good news about them as high up in Google search results as possible.

“People are increasingly basing their first impression on what they see on the Internet, but few go beyond the first five results on Google,” said Kader.

Someone who could use some digital botox is 34-year-old Michael, whose tale is recounted in “The Future of Reputation: Gossip, Rumor, and Privacy on the Internet,” by George Washington University law professor Daniel Solove.

Michael did a stint in prison as a teen and wrote articles about it, Solove writes.

“These articles now come back to haunt him… pulled up anytime somebody does a Google search for his name.

“In one instance, Michael was interviewed several times for a job when, suddenly, the potential employer stopped calling him. His hunch: someone googled him.”

