Tuesday, November 21, 2006

Hackers Use Virtual Machine Detection To Foil Researchers

Hackers are adding honeypot refused to run in VMware," said Lenny Zeltser, an analyst at SANS Institute's Internet Storm Center (ISC) in an online note Sunday.
Malware writers use a variety of techniques to detect virtualization, including sniffing out the presence of VMware-specific processes and hardware characteristics, said Zeltser. "More reliable techniques rely on assembly-level code that behaves differently on a virtual machine than on a physical host," he added.
Researchers can fight back, Zeltser said, by patching the malicious code so that the virtual machine routine(s) never executes, or by modifying the virtual machine to make it more difficult for malware to detect that it's running in a virtual environment.
Two other ISC researchers, Tom Liston and Ed Skoudis, spelled out anti-detection techniques at a recent SANS conference. The paper can be downloaded from the ISC site as a PDF file.

Written by Gregg Keizer, TechWeb

California court expands immunity for bloggers

SAN FRANCISCO (Reuters) - Individuals who use the Internet to distribute information from another source may not be held to account if the material is considered defamatory, the California Supreme Court ruled on Monday in a reversal of a lower court decision.
The ruling supports federal law that clears individuals of liability if they transmit, but are not the source of, defamatory information. It expands protections the law gives to Internet service providers to include bloggers and activist Web sites.
"We acknowledge that recognizing broad immunity for defamatory republication on the Internet has some troubling consequences," California's high court justices said in their opinion.
"Until Congress chooses to revise the settled law in this area, however, plaintiffs who contend they were defamed in an Internet posting may only seek recovery from the original source of the statement," the decision stated.
The opinion, written by Associate Justice Carol Corrigan, addressed a lawsuit by two doctors who claimed defendant Ilena Rosenthal and others distributed e-mails and Internet postings that republished statements the doctors said impugned their character and competence.
Rosenthal operates a San Diego-based Web site known as the Humantics Foundation (http://www.humanticsfoundation.com), which is critical of silicone breast implants.
Rosenthal had countered that her statements were protected speech and immune under the Communications Decency Act of 1996. It holds that: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."
A California appeals court had ruled that Internet service providers and users could be held liable if they republish a statement if it is known to be defamatory.
California's high court took that decision up for review because the lawsuit against Rosenthal involved an individual instead of a service provider, and opted for a broad view of immunity under the Communications Decency Act.
"Requiring providers, users, and courts to account for the nuances of common law defamation, and all the various ways they might play out in the Internet environment, is a Herculean assignment that we are reluctant to impose," the court's justices held in their opinion.
"By declaring that no 'user' may be treated as a 'publisher' of third party content, Congress has comprehensively immunized republication by individual Internet users," they added.
Mark Goldowitz, the defense counsel who represented Rosenthal, said in a statement that the ruling offers protection against those who would chill free speech on the Internet.
"The soapbox is not liable for what the speaker has said," said Kurt Opsahl, a staff attorney with the Electronic Frontier Foundation who filed a brief arguing free speech protections should cover individuals, not just Internet service providers.
(Additional reporting by Eric Auchard in San Francisco)

Monday, November 20, 2006

As far as PC security, Goldilocks got it just right

SAN FRANCISCO - When Jud Fink decided to protect his PC, he treated it like a glorified science project. With a zeal that would put TV's resident obsessive Monk to shame, Fink evaluated every conceivable software and hardware program to come up with the best options for security and ease of use.
During the weeks-long process, Fink, 52, who does regulatory-compliance work for a health insurer near Philadelphia, left no technology stone unturned.
He looked at three browsers and chose Opera because he judged it faster and more secure than Microsoft's Internet Explorer and Mozilla Firefox. He appraised free and for-charge firewalls before opting for a hardware router.
Fink relies on e-mail services from Opera and FastMail, a local Internet service provider with advanced spam and virus-protection features. And he is thinking about adding the Macintosh OS to his Intel-based PC. He occasionally uses Linux, Unix and a beta version of Windows Vista as secondary operating systems. Oh, and he assiduously updates his system.
From all indications, Fink's approach has worked: He has never been victimized by a virus or spyware. Folks are so impressed with Fink's setup, they ask him for security tips.
"I've seen, and helped, lots of friends who are stuck in one of two situations: Either their computers are full of viruses and spyware, or they are unusable because they have so much (security) stuff and their systems slow to a crawl," he says.
Computing at home has never been so powerful - and treacherous. Just as millions of Americans are buying new PCs and signing up for blur-fast Internet connections, cybercrooks are hatching schemes to take control of their machines.
Consumers' 3 approaches
Americans, in turn, are beefing up their PC defenses to varying degrees. You might compare them to Goldilocks and the Three Bears.
Consumers are taking three distinct paths to the way they manage computer security. There are those of the fortress mentality, ever-vigilant taskmasters who overload their machines with every newfangled device. There are those who have it just right, with the proper mix of hardware and software. And there are those who simply plug in their machines with a wing and a prayer.
"Most people give careful consideration to security on their car or house, but when it comes to computers, most are not well educated," says Ed Rose, 59, a safety trainer in Orlando who attentively guards his personal computer at home. "It is not just the contents of your computer that must be safeguarded, but the possibility of someone entering your system and causing malicious damage."
Wave upon wave of infectious programs are scouring the Internet, allowing hackers to hijack millions of PCs and turn them into so-called bots - mostly in homes, at small businesses and on college campuses. The bots heed the orders of cybercrooks to spread spam, phishing e-mail and other nasty things.
If bots don't bite consumers, scores of other digital gremlins just might. They come in the form of virus-infected e-mails, Web pages crawling with contagious computer code or dozens of network worms - voracious, self-replicating programs that bounce around the Web, searching for security holes in Windows PCs.
The dangers have rattled consumers: 94% cite identity theft as a serious problem, according to a May report by the Cyber Security Industry Alliance and Pineda Consulting.
There are no studies available on the various degrees to which people protect their PCs. But security experts agree most fall somewhere in the vulnerable category. Indeed, 81% of home PCs lack fundamental protection in the guise of updated anti-virus software, a firewall and spyware defenses, according to a survey of 354 homes by AOL/National Cyber Security Alliance (AOL/NCSA) in late 2005. More than half lacked current virus protection.
The well-protected tend to be computer-literate and from safety-related fields. The defenseless tend to be novice or first-time users.
"Users should have to complete a driver's exam before they go on the Internet. They're that dangerous," says Toby Lucas, 49, a Web master in Newfoundland.
How PC users stack up:
Fortress mentality
There are cautious folks, and then there is Bruce Purcell.
Purcell is as overprotective of his home PC network as a mother bear of her cubs. His PCs are barricaded behind a phalanx of DSL routers that act as a sentinel to incoming Internet traffic. The second line of defense is Windows XP's built-in firewall, McAfee's anti-virus software and Windows Defender for malware and spyware removal. Within Internet Explorer, Purcell uses the maximum setting on the pop-up blocker.
His e-mail is Google's ultra-secure Gmail system, which he deems less prone to spam and phishing e-mail than AOL and Microsoft MSN. Just to be extra careful, Purcell often creates temporary e-mail addresses when he shops online so he can delete them later.
Purcell, 48, also backs up photos, music and important documents to a disk in the event of a security mishap.
"All in all, it works," says Purcell, 48, the registrar at California State University, East Bay in Hayward, who also manages a tech team at the university.
Using the same concepts, his department of 100 people has endured only one virus in four years.
There is a limit to Purcell's caution, however. He does not overload his PCs with security accessories out of fear of dragging their performance. "Ironically, that's what happens when your PC gets hit by a virus," he says.
Purcell is among the technophiles who have made it their personal mission not to fall prey to cybercrooks. But in their zest, some overdo it with too many security programs, rendering their machines slower and - in isolated cases - disabling their firewalls, says Ross Brown, CEO of eEye Digital Security.
Another large group in the fortress category are those who have been burned by cybercrooks and are justly paranoid, Brown says. "They go belts and suspenders so, figuratively, their pants don't fall down," Brown says.
Somewhere between the obsessive and the indifferent are computer users with a healthy balance of hardware and software security tools. They often configure their system and heavily self-police their e-mail.
Just right!
Rick Kiphut, a 33-year-old firefighter in Memphis, typifies the middle-of-road approach. A self-taught PC user, Kiphut has read about computer security and, as a safety professional, is naturally cautious. His three laptops at home require encryption to log on. "People bring (a PC) home from Best Buy, plug it in and expect that's all they have to do," Kiphut says. "Me, I've always been pretty safe."
Thomas Gasque, 36, director of e-learning at a major retailer in Alabama, subscribes to a sensible approach. He keeps his McAfee Internet Security Suite - a combination of firewall, virus protection, spam filter and spyware detector, among other things - up to date. He uses a secure router. And he also backs up important files, photos and music.
"The generally prudent person does not do foolish things, like download unfamiliar applications or attachments from e-mail," Gasque says.
A wing and a prayer
Then there is the open gate, or laissez-faire, approach. Despite the inherent risks of computing and dire warnings from security experts, a large swath of consumers have little or no protection. Most aren't aware of the problem, while others take calculated risks.
Many of them, ironically, buy PCs preinstalled with security programs that last anywhere from 30 days to one year. Though it is their responsibility to maintain that security through paid subscriptions after the license of the preinstalled software expires, few do, says Brian Trombley, a product manager at McAfee.
"It's a case of not caring, knowing, or both," Trombley says. "Most consumers need simple programs that update themselves. Otherwise, they're in trouble."
Consumers, in general, remain blissfully unaware of computer security, based on the AOL/NCSA survey results. While two-thirds said they kept sensitive financial or health information on their PCs, 56% said they had never heard of phishing, e-mail scams designed to trick consumers into surrendering personal information.
"Most consumers blindly have total faith in their PCs and Internet providers to provide a secure and reliable connection," says Michael Pompura, an Orlando consumer who closely follows security issues. "These people typically have no qualms about sending personal information for banking or shopping with little thought (of security)."
Rob Carli considers himself lucky.
What other explanation, then, for Carli dodging a major computer problem for five years without the aid of any discernible security?
Carli, a 23-year-old sales consultant in Salt Lake City, says he just "rolled" with basic security updates and relied on software already installed on his PCs at home and at work. "My buddies always seemed to have a problem," he says. "I take (security) for granted."
Yet it is only a matter of time before folks like Carli get burned, computer experts say.
"Once you plug a high-speed PC in, the troubles begin," says John Kaufeld, 44, a Fort Wayne, Ind.-based author of 27 how-to computer books. "The bad guys are constantly seeking those connections to wreak havoc - and it's up to consumers to protect themselves."

Written by Jon Swartz, USA TODAY Mon Nov 20, 6:41 AM ET

Microsoft to face challenge over Linux licenses

BRUSSELS (Reuters) - Supporters of PC operating system Linux are preparing to counter a recent deal penned by Microsoft Corp (Nasdaq: MSFT) which establishes for the first time the principle of paying the software giant for the operating system, whose license requires it to be free. Microsoft signed a deal with Novell, one of the providers of Linux, in which Novell paid it a lump sum in return for a guarantee that Microsoft would not sue Novell's clients for what it calls a violation of its own patents in the Linux program.
The prospect of a drawn-out legal battle with Microsoft, an experienced litigator, could push users of Linux into the hands of Novell (Nasdaq: NOVL) and away from dominant Linux provider, Red Hat (Nasdaq: RHAT), which does not have such a deal with Microsoft.
Although Linux is free, providers of the system offer the software with packaging, documentation and -- most important -- installation and maintenance, so any client shift from Red Hat would cost it money. "Either customers desert Red Hat to go to Novell, to get safety, or Red Hat will be forced into a similar deal with Microsoft," said Eben Moglen, a professor at Columbia Law School and founding director of the Software Freedom Law Center in New York.
Moglen, one of the pioneers of free software, said Microsoft's deal skirts the requirements of the GNU General Public License, used by Linux and other free programs, which requires the software to be given away.
He and others have started work on updating the license to close the loophole by saying a promise not to sue, such as the one given by Microsoft, would be automatically applicable to everyone. That would effectively flip Microsoft's agreement on its head and guarantee that no one would face a suit from Microsoft if anyone were protected.
"A clause like that would not be difficult to get community agreement on these days," Moglen said, adding that a change could be ready in weeks or months.
LIABILITY?
Under the Novell deal, in which both companies agreed not to sue each other's clients for patent violation, Microsoft agreed to pay Novell $348 million, while Novell pays Microsoft $40 million, on the basis that Novell has fewer customers.
Microsoft says it has patent rights to some of the technology in Linux, although it has never said exactly what those rights might be or what patents are involved.
Microsoft Chief Executive Steve Ballmer said if customers bought Linux from anyone but Novell, they could face trouble.
"If a customer says, 'Look, do we have liability for the use of your patented work?' Essentially, if you're using non-SUSE Linux, then I'd say the answer is yes," Ballmer told eWeek.com recently, referring to the Linux system sold by Novell.
"I suspect that (customers) will take that issue up with their distributor," Ballmer said, adding that if customers considered doing a direct download of a non-SUSE Linux version, "they'll think twice about that."
Microsoft makes the Windows operating system, for which it charges billions of dollars a year, but Linux has been a thorn in the software giant's side because it is freely available.
Linux was created, maintained and improved by volunteers working under a license requiring that it be freely available for copying, modification and improvements.

Thursday, July 27, 2006

MySpace Banner Ad Infects Million Users

A banner advertisement posted on the MySpace Web site may have infected more than one million users with adware, according to security firm iDefense. The advertisement was included in user profiles on MySpace and could have been operating for about one week.
The deckoutyourdeck.com advertisement exploited a flaw in the way Microsoft's Internet Explorer (IE) browser handles Windows Metafile (WMF) image files. Users running unpatched versions of IE would never have realized that the banner ad had silently installed programs that generate pop-up ads on their system.
"This is a criminal act," said Hemanshu Nigam, chief security officer at MySpace, in a statement. "This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours. We are working to have these ad networks remove this ad so that they do not appear on our site."
Banner Patch
An iDefense spyware analyst, Michael La Pilla, told The Washington Post that he discovered the attack on Sunday as he browsed the MySpace site. When he came across a page with the offending ad, he received a message from his browser asking him if he wanted to open a file named exp.wmf.
After a brief investigation, La Pilla found out that the spyware installation program contacted a Russian-language Web server in Turkey that tracks the PCs on which the program has been installed. The tally had climbed to 1.07 million machines, though La Pilla said the seven Internet addresses contacted by the downloader seem to be inactive now.
According to La Pilla, the ad also attempted to infect users of Webshots.com, a photo-sharing site. Though he cannot pinpoint the date the ads began sending out their spyware, it is believed that it coincided with the occurrence on MySpace on July 12.
The WMF vulnerability was originally discovered last December after hackers exploited the flaw using a specially created WMF image distributed via e-mail, instant message links, and Web sites. When users opened the image, the hacker could take control of the infected PC. Microsoft released a patch for the bug back in January, but many people did not install the patch.
PCs with unpatched systems can become infected simply by accessing a Web page with the deckoutyourdeck.com ad. The exp.wmf Trojan horse program could upload automatically without the warning prompt that La Pilla received.
Once installed, PCs running the Trojan horse will contact multiple Web sites and download a slew of unwanted programs such as PurityScan advertising software. PurityScan is an adware program that can cause pop-up windows containing unsolicited ads to appear. The application also keeps track of the user's online activity.
Two Wrongs
Rob Ayoub, an analyst at the research firm Frost & Sullivan, said two facts stand out regarding the MySpace infections. First, home users are clearly not as educated about the need to make sure they have up-to-date patches and other security fixes installed. Second, MySpace needs to have a better security system to identify dangers hidden in the ads they serve.
If you are a legitimate business with a legitimate Web site hosting banner ads, you have a responsibility to keep the service clean, Ayoub said. "MySpace has some problems and this is a real blunder on their part. I can't believe any business would not scan or take more caution with banner ads posted on their sites. Ad network or not, there is no excuse for them not having a checking system."
One million people is a very large number, Ayoub said, and it demonstrates that the technology industry, and security firms and software makers in particular, might not have done enough to impress upon home users the importance of downloading patches. PCs that have not been updated exponentially increase problems with viruses, spyware and adware.
"MySpace should have been checking and users should have been patching," Ayoub said. "And because of that combination you have a million downloads."
Some PC users have said their reluctance to install patches and updates centers around the fear that any changes will negatively impact their computers. However, Ayoub pointed out, unwanted changes or problems with updates are relatively rare these days.
"There was a time when you had to watch and be very careful with your patches," Ayoub said. "And some of the big ones are a problem, but there haven't been big problems with patches for ages."
Home users, Ayoub predicted, will not start to take security seriously until Internet service providers start to make antivirus and antispyware software compulsory. That may or may not be the best solution, he said, but incidents like this are a "perfect storm" for users not protecting themselves.
"That's extremely dangerous," Ayoub said. "Maybe what we need to do is run public service announcements."
MySpace is "strongly" urging all Internet users to "follow basic Internet security practices such as running the latest version of the Windows operating system, installing the latest security patches, and running the latest anti-spyware and anti-adware software."

Companies take costly steps to secure laptops

Big U.S. companies are taking tough measures to shore up laptop security amid a rash of thefts. The actions of Ernst & Young, Fidelity Investments and other high-profile victims underscore the balancing act for executives, who must weigh the costs of additional security and customer privacy with the financial benefits of a mobile workforce.
"There is a trade-off between the cost of security and how much security you actually get," says Robert Seliger, CEO of Sentillion, a data-security company.
About 88 million Americans have been exposed to potential ID theft since February 2005 as a result of reported data breaches, says the Privacy Rights Clearinghouse. In at least 43 instances - a fourth of all reported breaches - stolen or missing laptops were involved. Few of the laptops have been recovered.
What companies are doing:
• Ernst & Young started encrypting - or scrambling - data on laptops for its 30,000-person workforce in the USA and Canada after a laptop with personal information on about 38,000 customers was stolen from an employee's car in February.
• Fidelity accelerated encryption on thousands of employee laptops. The mutual fund giant was the victim of a laptop breach in March that affected data of 196,000 current and former Hewlett-Packard workers. It also is increasing training on laptop security and protection of customer data.
• Aetna undertook several preventive measures after a laptop containing names, addresses and Social Security numbers for 59,000 members was swiped from an employee's car in April. The insurer had employees re-encrypt and recertify files. Every company PC was audited to ensure files were properly encrypted. Aetna also tightened restrictions for storage devices such as thumb drives.
Encryption can be pricey. Gartner estimates a company with 100,000 customer accounts can spend $30 to $40 per laptop on data encryption. Yet, the cost of a data breach is even higher. Companies with 100,000 customer accounts will spend at least $90 per account if data are compromised or exposed - not including fines and lawsuits, Gartner says.
Walking off with a laptop is easy. Few have alarms, and only a few have encrypted data. People also tend to leave them in unlocked cars or unattended at airports, says Keith Burt, project director of San Diego's Computer and Technology Crime High-Tech Team.
As more people store data in a mobile environment, laptops have become more attractive to identity thieves, says Bob Egner, a marketing executive at security software maker Pointsec Mobile Technologies. Personal information sells on the Internet for about $1 per stolen record, Egner says.

Microsoft sees no reason for Vista shipment delay

REDMOND, Washington (Reuters) - Microsoft Corp. said on Thursday it sees no reason why its new Windows Vista operating system would be delayed, but it stopped short of committing to its previously stated launch target. "We will ship Windows Vista when it is available," Kevin Johnson, co-president of Microsoft's platforms and services unit, said at the company's annual financial analyst meeting.
"However, we are going to ship the product when it is ready and we are just going to take it milestone by milestone," he said of the upgrade to Windows, which sits on more than 90 percent of the world's personal computers.
Microsoft has already postponed the release of its new Windows for consumers until early 2007 -- after the crucial holiday shopping season -- to improve the system's quality.
Vista is set to ship to corporate customers this November.
Uncertainty over when Microsoft will begin benefiting from the surge in revenue growth that typically accompanies a major Windows software upgrade led the company's shares to dip 43 cents or 1.8 percent to $23.94 in early afternoon Nasdaq trading.
"There was a lot of speculation that Vista will be late and they did not come out and definitely say that it is on time either," said Greg Palmer, head of equity trading at Pacific Crest Securities.
Johnson said he sees revenue from the core desktop Windows business growing 8 percent to 10 percent in the current fiscal year ending June 30, 2007. Windows, nearly a third of Microsoft's total revenue, should generate between $14.3 billion and $14.5 billion in fiscal 2007, he said.
"Explain why I'm paying 20 times for a stock that is growing at 10 with a whole lot of investments that are not really going anywhere," Palmer complained.
MANY PILLARS BEYOND WINDOWS
Chief Executive Steve Ballmer told analysts and reporters at the company's annual financial analysts' meeting here that Microsoft is confident it can build two great new businesses -- online services and entertainment -- on top of its industry-dominating desktop and server software businesses.
"We see incredible amounts of opportunity," Ballmer said.
The giant software company also reiterated that it expects to maintain its double-digit revenue growth in the coming year. Last week, Microsoft had forecast revenue in the fiscal year ending in June 2007 to grow 12 percent to 14 percent, to between $49.7 billion and $50.7 billion.
The new Microsoft is being built on "four pillars," Ballmer said.
He said upgrades to the company's two core products -- the Windows operating system and the Office applications suite -- should act as engines to drive its growth and buy it time to erect two new pillars -- its Internet and Xbox game businesses.
Underscoring the leadership transition that is taking place at the company, Bill Gates, the company's co-founder and chairman, is missing from the annual analysts' meeting for the first time ever. He is vacationing in Africa, Ballmer said.
In mid-June, Microsoft announced that Gates planned to move from full-time involvement to part-time in 2008. The company split Gates' technology responsibilities between Chief Software Architect Ray Ozzie and Chief Research and Strategy Officer Craig Mundie.
(Additional reporting by Chris Sanders in New York)

Microsoft: Internet Explorer 7 'High-Priority' Update

Microsoft has announced plans to distribute its upcoming Internet Explorer 7 Web browser as a "high priority" upgrade via its Windows Automatic Update tool. The browser, currently in its third and final beta testing phase, is scheduled for release later this year. The updated version of Microsoft's Web browser, Internet Explorer 7 (IE7), will be delivered using Automatic Updates (AU) to "help our customers become more secure and up-to-date," Tony Chor, group program manager at Microsoft, wrote on the company's IEBlog Web site.
According to Chor, advanced security features in IE7, such as ActiveX Opt-in, the Phishing Filter and Fix My Settings, will help make IE users more secure. Microsoft has designed IE7 to help protect users from malicious software and fraudulent Web sites, Chor continued, and Microsoft recommends that all Windows customers install IE7.
Consumer Considerations
IE7 is the first significant update for Microsoft's Web browser in five years. Microsoft has said that improving security in the browser was priority number one. Since the release of its predecessor, IE6, critics have very vocally berated Microsoft because of the plethora of security flaws with which that browser has been riddled.
The AU distribution strategy is seen as a fairly aggressive tactic. However, it very likely could achieve Microsoft's apparent goal to have the majority of Windows users install the new browser. However, this is not a forced installation. Consumers will be able to choose whether to accept the software or not. Prior to downloading the new browser, the AU tool will notify consumers that the update is ready and ask them whether they would like to continue with the installation.
Users who want to download the new version of IE7 don't have to wait to be prompted by the Automatic Update utility. They can head to the Windows Update or Microsoft Update sites and download IE7 by performing an "Express" scan for high-priority updates, Chor continued. During installation, users' current settings including toolbars, home page, search engines and favorites will be preserved and will not revert to default settings in the browser.
In addition, Chor added, consumers who want to "roll back" to IE6 can do so at any point by using the Add/Remove Programs functions in the Control Panel.
Business Considerations
Enterprise customers who prefer not to have Microsoft automatically install IE7 on their networks can take advantage of a tool Microsoft released on Wednesday. The special "Blocker Toolkit," available for download from Microsoft's Download Center, will allow business users to prevent the automatic distribution and installation.
The tool, according to Microsoft, is intended for companies that may not be prepared to handle the update or would like to have more hands-on management of software installed on their computers.
"I think this approach strikes a good balance across a couple of dimensions -- helping customers become more secure, giving them control, and providing options for enterprises," Chor wrote.
Web developers could be left scrambling to ensure that their sites are compatible with the changes made in IE7. Developers of some online applications will have to change their code to make sure that it will work with the new browser. While beta versions of IE7 have been available since February, many online applications are expected to encounter compatibility issues when the browser is released.
"If my lowest browser support level was IE7, then it would be a dream. However, seeing how many bugs and compatibility issues still exist with IE7, I see this as a nightmare for supporting various apps currently available, and Web sites (Web apps) too," one developer wrote on the IE blog.

Written by: Walaika K. Haskins, newsfactor.com Thu Jul 27, 12:31 PM ET

Judge OKs $90M 'click fraud' settlement

TEXARKANA, Ark. - An Arkansas judge on Thursday approved a $90 million settlement between Google and its advertisers who claimed the leading Internet search company improperly billed them for fraudulent "clicks" on their ads.
Miller County Circuit Judge Joe Griffin called the settlement "fair, reasonable and adequate" and downplayed claims it hurt small advertisers. More than 70 objections were filed, with smaller companies saying they didn't have the resources to prove "click fraud" losses.
By settling claims made in the plaintiffs' class-action lawsuit, Google will give advertising credits that are the equivalent of a $4.50 refund on every $1,000 spent in its advertising network during the past 4 1/4 years.
No one will receive cash except the lawyers, who will split $30 million.
In Internet advertising, clicking on ads — typically displayed at the top and sides of Web pages — triggers sales commissions even if the activity doesn't lead to a sale. Click fraud cropped up several years ago as a way for scam artists, rivals and mischief makers to drain ad budgets or funnel illicit revenue to Web sites.
Some of the plaintiffs in the Arkansas case went before Griffin on Monday to argue that Google Inc. hadn't taken reasonable care to prevent click fraud and overstated the steps it has taken against would-be swindlers.
A Texarkana company — Lane's Gifts and Collectibles — filed the lawsuit, which Griffin certified as a class action. Google did not admit liability in the case, which also involves other Internet companies whose cases continue.
Google lawyer Nicole Wong said the company was pleased by Griffin's decision.
"We look forward to continuing to manage invalid clicks effectively and provide our advertisers with an outstanding return on their investment," she said in a statement.
In his ruling, Griffin said he based his decision on the strength of Lane's case, Google's ability to pay, the potential expense of further litigation and the limited amount of opposition.
Those who opposed the settlement said the agreement switched the burden of proof to them, and they argued they didn't have the resources to easily pursue their claims. Griffin said, however, their task wouldn't be impossible.
"The settlement class is not required ... to submit records or documents that they simply do not possess," Griffin wrote. "The settlement class is not burdened or discouraged from filing claims because they are required only to provide information to the best of their knowledge in submitting a claim form."
Daralyn Durie, an attorney representing Google, said the majority of class members have agreed to the settlement, including 19 of the company's 20 largest advertisers.
An independent report filed in court last week said while Google appears to be doing reasonably well protecting advertisers from scam artists preying upon Internet advertisers, it remains unclear how much the system is being bilked by click fraud.
Since 2001, the ads have generated $15.7 billion in revenue for Google and its partners, turning the Mountain View, Calif.-based company into one of the world's most prized businesses.
Under the settlement, if advertisers do not claim the full amount available, a portion would be made available to charitable organizations. Griffin also said 556 advertisers notified him they did not want to participate in the class-action lawsuit.

Kazaa pays $100 mln to settle lawsuits

LONDON (Reuters) - The music and movie industries have reached a legal settlement with their longtime antagonist Kazaa, one of the world's best known file-sharing networks and a once-popular source of illicit downloads. Under the terms of the deal, Kazaa's owner Sharman Networks will pay the world's four major music companies -- Universal Music, Sony BMG, EMI and Warner Music -- more than $100 million and commit to going legitimate, according to the International Federation of the Phonographic Industry.
"There are very substantial damages being paid -- in excess of $100 million -- and Kazaa will go legal immediately. They've had time to prepare for this," said IFPI Chairman and Chief Executive John Kennedy.
The Motion Picture Association of America said Sharman "will continue operations while employing new technologies to prevent unauthorised distribution of copyrighted works on its system."
Terms of the MPAA's settlement were not immediately available.
Two suits were settled as part of the agreement: one in Australia, where a judge had already ruled that the company breached copyright; and another in California, in which Kazaa creators Niklas Zennstrom and Janus Friis were named as co-defendants.
Zennstrom and Friis, who sold Kazaa to Sharman Networks in 2002, later went on to create the popular Internet telephony software Skype, which they sold to eBay last year for an initial $2.6 billion in cash and stock.
Zennstrom declined to comment when reached by Reuters on Thursday.
The music industry has pursued an aggressive legal strategy in its attempts to curb Internet piracy, filing lawsuits against file-sharing companies like Kazaa and Grokster, as well as individual users who uploaded copyrighted material. Their efforts were bolstered last year when the U.S. Supreme Court ruled that content companies can file lawsuits against technology firms that encourage copyright infringement.
Meanwhile, legitimate music services like Apple's iTunes have become wildly popular, offering legal alternatives to illicit file-sharing.
Ovum analyst Jonathan Arber said the settlement would have a mostly symbolic importance, as Kazaa was past its prime.
"It's nowhere near as popular as it used to be. Very few people are thought to be using it anymore because better services came out," he said. "It is a big legal victory, a good symbol for them to put out, but in terms of actually reducing piracy, people migrated to other file-sharing networks a long time ago."
The IFPI said in a report on Thursday that last year there were $4.5 billion in pirated CD sales, or more than one in three CDs sold worldwide, and that there were 20 billion illegal downloads -- roughly three for every human being on Earth.

By Adam Pasick Thu Jul 27, 8:29 AM ET

Friday, June 23, 2006

Web services increasingly under attack

SAN FRANCISCO - As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said. Users of Yahoo Inc.'s e-mail service, Google Inc.'s Orkut social networking site and eBay Inc.'s PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.
The attacks come as Microsoft Corp., whose Windows operating system runs about 90 percent of the world's computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.
They also come amid the growing popularity of online communities such as MySpace.com and of Web-based calendar, messaging and other services offered by Google, Yahoo and others.
As larger audiences flock to Web sites that run on ever more powerful programming scripts, malware writers are finding them fertile ground.
"People are just now realizing that there are a ton of scripts that are vulnerable to hacking," said Eric Sites, vice president of research and development at Sunbelt Software, which sells security products to businesses. "It's much easier to go after these applications that haven't been as exploited."
One of the latest discoveries, announced earlier this month by FaceTime Security Labs, is a worm attacking Orkut.
It tricks visitors into clicking a link that promises photos but instead loads a malicious program, which automatically logs and sends to the worm's anonymous creator data such as names and passwords along with Windows files that often store banking details.
"The bad guys are just stepping up a level and becoming a lot more malicious in what they're trying to do," said Chris Boyd, a FaceTime security research manager who discovered the worm. "Sadly, it's quite a brilliant idea, and we'll probably see a lot more of it in the months to come."
Statistics detailing the rise of Web sites as security targets are hard to come by because companies such as Secunia and Symantec Corp., which track computer attacks, generally don't break them out that way.
But anecdotal evidence isn't hard to find.
In October, MySpace.com, which now has 88 million registered users, was hit by a malicious program that allowed a single user to automatically add millions of others as friends. The attack caused performance problems for MySpace — and underscored for security researchers the potential risks Web applications and services face.
Security experts say that attackers are having to look for new avenues because users have become better at running security software and applying security updates.
"In some ways, we've forced them to be more clever because we've shut down the old means they had of infecting people," said Dave Cole, director of security response at Symantec. "What we see the attackers doing is trying to slide under the radar by moving into new areas where people's guards may be down."
Nick Ianelli, an Internet security analyst with the federally funded CERT Coordination Center, said criminals who once launched broad attacks by sending malicious e-mails to millions of people are finding it more effective to target smaller groups of people who congregate in online communities.
"If you can send e-mails to those addresses and make it look like it's one of their friends, the chances they're going to do what you want them to do is better," he said.
Also spurring the attacks is the growing power and flexibility of Web programming languages that allow Web browsers to look and act more like word processors, spreadsheets and other computer programs. The recent Yahoo worm targeted faulty scripts based on a technology called Ajax, or Asynchronous JavaScript and XML.
The worm didn't require a user to click on an attachment, making it more virulent than many. An undisclosed number of users got infected simply by opening an e-mail from another infected user. The worm then sent itself to others in a person's address book and transmitted those addresses to a remote server, possibly for junk e-mail, security researchers said.
The ability of Yahoo, Google and PayPal to quickly plug this month's holes highlights one of the differences between combatting worms that target Web sites and those that go after flaws running on an individual's PC.
PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said. That blocked the ability to exploit a flaw that let cyber criminals intercept users who typed in a genuine PayPal Web address, security researchers say.
By contrast, companies such as Microsoft that plug holes on individual PCs have to get millions of users to download and install a patch, a process that's more time consuming.
Over time, computer security experts said, Web site designers will get better at anticipating the ways their code can be exploited, but by then criminals are likely to move on to newer targets.
"The trend is definitely for blended attacks and leveraging different kinds of vulnerabilities to take the next step," said Rick Wesson, chief executive of Support Intelligence, which tracks online abuse for corporate customers. "The arms race is going to continue."

Monday, May 22, 2006

SPYWARE WEBSITE

In searching for SPYWARE on my last repair I found a good website to give you info about the pesty bugs out there. Go to http://blog.spywareguide.com/ to see it.

IM Worm Installs Bogus Browser

Malware writers have created a new worm that installs a new browser and plays screeching music.
The annoyance starts with a link apparently sent by a friend in Yahoo's instant messaging program.
Instant messaging security company FaceTime Communications described the malware, which it calls "yhoo32.explr", as "insidious" in a security advisory.
When the link is clicked, a worm installs the so-called "Safety Browser," a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.
New Type of Attack
Malware spread through instant messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user's permission.
The bug also hijacks Internet Explorer's home page, directing users to the Safety Browser's Web site.
After it is launched, the worm sends itself to others on the user's instant messaging contact list.
The malware is engineered to overwrite instant messages typed by a user, FaceTime said. The infected message can also be changed on-the-fly, the company said.
The screeching music, however, is blocked by Microsoft's Windows XP Service Pack 2, FaceTime said.
FaceTime has posted screenshots of the infection process on its blog.

Written by: Jeremy Kirk, IDG News Service Mon May 22, 10:00 AM ET

Thursday, May 18, 2006

Symantec sues Microsoft on storage tech

Symantec on Thursday filed a lawsuit accusing Microsoft of intellectual property theft and breach of contract related to data storage technology.
The suit, filed in U.S. District Court for the Western District of Washington in Seattle, seeks unspecified damages and an injunction barring Microsoft from using the Symantec technology, according to a copy of the lawsuit.
The complaint involves Symantec's Volume Manager product, acquired as part of the company's takeover of Veritas Software. Volume Manager allows operating systems to store and manipulate large amounts of data, according to a Symantec statement.
A Microsoft representative had no immediate comment.

Written by: Joris Evers, Staff Writer, CNET News.com
Published: May 18, 2006, 1:49 PM PDT

Friday, April 21, 2006

Microsoft to Reissue Buggy Security Patch

SAN FRANCISCO-- Microsoft plans to reissue a security patch for its Windows operating system that caused serious headaches for some users.
The MS06-015 security update was released last week, but Microsoft customers soon reported that it was causing applications to crash, thanks to a conflict between the patch and nVidia's video drivers and Hewlett-Packard's Share-to-Web photo-sharing software.
The revised update is being tested now, and is expected to be released April 25, the same day that Microsoft is scheduled to release its nonsecurity updates for the month.
The Solution
"What we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and nVidia software," writes Microsoft security response center program manager Stephen Toulouse in a blog posting today. "What the new update essentially does is simply add the affected third party software to an 'exception list' so that the problem does not occur."
The update will also provide an automated way of fixing the Windows registry configuration database on affected systems, a workaround that had been previously suggested by Microsoft.
MS06-015 fixes a critical vulnerability in the way Windows Explorer handles Component Object Model objects. This vulnerability could be used by attackers to seize control of an unpatched machine, and though some users have resolved their problems by simply uninstalling the buggy update, this course of action is not advised by Microsoft.
Hewlett-Packard's (HP's) Share-to-Web software is no longer distributed, but it was included with a variety of HP products including the company's scanners, cameras, CD and DVD devices, PhotoSmart software, and DeskJet printers, Microsoft says in an article addressing the issue.
Other Problems
Users have also reported that Sunbelt Software's Kerio Personal Firewall tries to stop the MS06-015 update from running an application called Verclsid.exe. Users who have this problem should configure Kerio so that it allows Verclsid.exe to run, Microsoft says.
Those who have had problems with the patch are advised to try the workarounds suggested in the knowledge base article or to upgrade or simply uninstall affected software until the revised patch arrives, Toulouse says.
Microsoft's automatic update services will be able to detect whether or not users require the revised patch and will only offer the software to users who need it. "If you have already installed MS06-015 and are not having the problem, there's no action here for you," Toulouse says.
This is not the only Microsoft update that has given users headaches this month. ActiveX changes made in a second Internet Explorer patch, numbered MS06-013, have caused major problems with Oracle's Siebel 7 client. Microsoft has released a "compatibility patch" that undoes these ActiveX changes, and Oracle has said it will release a patch that resolves the issue sometime next month.

Robert McMillan, IDG News Service Fri Apr 21, 5:00 PM ET

Thursday, April 20, 2006

Vista debut hits a delay

The software maker said it will still wrap up development of the operating system this year and make it available to volume-licensing customers in November. However, Microsoft said a delay of a few weeks in Vista's schedule meant that some PC makers would be able to launch this year and others would not. As a result, Windows chief Jim Allchin said the company is delaying the broad launch of the product until January.

"We needed just a few more weeks, and that put us in a bubble...where some partners would be impacted more than others," Allchin said during a Tuesday afternoon conference call with reporters and analysts.

The delay is the latest setback for Vista. Microsoft scaled back several key features of the operating system last year in order to try to ensure a 2006 release. The operating system, which has been in development for years, was delayed by, among other things, the fact that Microsoft had to put so much time and testing effort into Windows XP Service Pack 2, a largely security-oriented upgrade to the current version of Windows.

Allchin said that although PC makers were not universal in wanting the delay, there were concerns from some companies that they could not ensure a holiday quarter launch if Microsoft pushed back its development schedule even slightly.

Analysts have been warning that Microsoft's schedule left little room for error if it was to make a fourth-quarter launch.

As recently as January, Allchin expressed confidence that Microsoft would make its deadline, although he reiterated his caveat that quality issues could lead to a postponement.

The delay would likely hurt retail PC vendors the most, said Stephen Baker, vice president of industry analysis at NPD Techworld. Dell, which sells most of its PCs directly, could probably handle a delay of a few weeks without too much trouble. Hewlett-Packard and Gateway, on the other hand, have to have their PCs ready for retail partners weeks ahead of when they will actually go on sale, and can't change gears as quickly, he said.

"It scares you," Baker said, when asked about the impact of the delay on fourth-quarter PC sales. The PC industry's largest quarter of the year always comes around the holiday shopping season, and expectations were high for that period this year, given the expected introduction of the new operating system.

Microsoft does not expect the move to affect this year's overall PC sales, Allchin said.

"There's no (change) to the PC forecast from our perspective," he said. "You can ask the partners what they think."

Allchin also said the product will still launch in the same earnings period for Microsoft, whose fiscal year runs from July to June. That means Microsoft's overall business for next year shouldn't be affected, he said.

Tweaks in the works
Allchin said some of the additional time would be used to ensure security levels, and the company is also working on ironing out usability issues.

"We're trying to crank up the security level higher than ever," Allchin said. "This came down to a few weeks. We're trying to do the responsible thing here."

Microsoft released its most recent test version of Vista in February. Late that month, the company also announced plans for six distinct editions of the operating system.

Allchin said Tuesday that Microsoft still plans next quarter to launch a broader test version of Vista, with the new version to be tested by about 2 million people.

Microsoft had hoped to have a massive marketing push around Vista and Office 2007, which is slated for the second half of this year. It is not immediately clear how the delay will affect those plans.

Allchin, whose official title is co-president of Microsoft's platform, products and services division, is slated to retire later this year.

CNET News.com's Tom Krazit contributed to this report.

Saturday, April 15, 2006

'Critical' megapatch sews up 10 holes in IE

Microsoft on Tuesday released a "critical" Internet Explorer update that fixes 10 vulnerabilities in the Web browser, including a high-profile bug that is already being used in cyberattacks.

The Redmond, Wash., software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins. In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint.

"This patch release is a big one with lots of aftershocks," said Jonathan Bitle, a product manager at security company Qualys. "Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users...Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages."

Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.

Microsoft rates its browser update "critical" for IE 5 and IE 6, the most-used versions of the popular software. IE is vulnerable on all current versions of the Windows operating system--Windows 2000, Windows XP and Windows Server 2003--as well as on the older Windows 98 and Windows Millennium Edition, the company said.

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft said in its alert. "We recommend that customers apply the update immediately." Windows users who have automatic updates enabled for the operating system will have the fixes delivered to them.

Microsoft had been under pressure to rush the IE patch out before Tuesday because miscreants were already exploiting one of the flaws. Third parties had even provided temporary fixes for this "CreateTextRange" bug, which experts said was being used by malicious Web sites to try to drop code such as spyware on vulnerable PCs.

According to Microsoft's bulletin, three of the 10 vulnerabilities fixed by the update had been publicly disclosed. Only the CreateTextRange flaw was being exploited in attacks, the software maker said.

But Symantec has information that three of the flaws were already being exploited in attacks prior to Microsoft's patch release. More attacks are likely to follow, Oliver Friedrichs, a director at Symantec Security Response, said in a statement. "According to the latest Symantec Internet Security Threat Report, the average time between the release of a security patch and the development of an exploit is six days," he said.

Holes in Windows
In a double-whammy for Windows users, all versions of the operating system vulnerable to the IE problems are also affected by two other "critical" flaws, Microsoft said. These holes could also allow an intruder to commandeer a PC. One is related to a specific ActiveX control, a kind of Web program, (MS06-014), and the other deals with a bug in Windows Explorer (MS06-015).

In these cases also, an intruder would have to build a special Web page to take advantage of the security hole. Some of the vulnerabilities in Windows and IE could also be exploited using an HTML e-mail, which essentially is a Web page sent in an e-mail message.

Users of Outlook Express face an additional security risk, in that the e-mail application is flawed in the way it handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said in Security Bulletin MS06-016.

The Windows bugs as well as the Outlook Express flaw were reported privately to Microsoft and have not been used in any attacks, the company said.

The last of the five security alerts issued by Microsoft, MS06-017, affects the lowest number of users and is deemed a "moderate" risk. The cross-site scripting flaw in FrontPage Web site building software and SharePoint collaboration software could lead to a system compromise, the company said.

Eolas tweaks
The IE update, in addition to security fixes, makes a change to the way IE handles ActiveX controls. These tweaks are a response to a long-running patent dispute between Microsoft and Eolas Technologies, a start-up backed by the University of California. The changes can affect how certain sites display in the browser.

People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.



By Joris Evers
Staff Writer, CNET News.com
Published: April 11, 2006, 1:19 PM PDT
Last modified: April 11, 2006, 1:57 PM PDT

Internet Agency Weighs New Domain Name

NEW YORK - Reaching out and touching someone used to be as simple as dialing a string of numbers. But now there are home, cell and work phone numbers from which to choose, and sometimes work extensions to remember.

There are also e-mail addresses — at home and at work — and instant messaging handles, perhaps separate ones for the various services, some of which now do voice and video besides text. Some people even have Web pages — through their employer or Internet service provider, or perhaps a profile or two on MySpace.

To help people manage all their contact information online, the Internet's key oversight agency is considering a ".tel" domain name. If approved, the domain could be available this year.

As proposed, individuals could use a ".tel" Web site to provide the latest contact information and perhaps even let friends initiate a call or send a text message directly from the site. Businesses could use a ".tel" site to determine customers' locations and route them automatically to the correct call center.

Its proponents also envision ".tel" as a place from which the various people-finding services on the Internet could pull the latest contact information as individuals move about. Now, data typically come from third-party sources like phone listings, which may be old or incomplete, particularly if an entire household is listed under one name.

And telephony applications and devices yet to be built could one day make use of such data, especially as wireless and wireline networks converge, according to London-based Telnic Ltd., which proposed and would run the domain if it is approved.

There's nothing inherent in ".tel" that would enable these features; rather, its aim is to create a place to which people would know to go to find contact information.

Todd Masonis, a co-founder of contact management service Plaxo Inc., is familiar with the hassles of keeping track of everyone.

His parents have had the same house and phone number for some 30 years, and "for a long time that was how they are identified," Masonis said. "But in the last two years, even they have had a couple of cell phones, a couple of e-mail addresses and Web pages and instant message IDs."

Still, he questions the need for ".tel" when companies like his already use ".com" to host services that help manage contacts. He worries that a ".tel" name would create yet another identifier for people to remember, without doing away with the others.

The board of the Internet Corporation for Assigned Names and Numbers plans to review the proposal Tuesday, although it may wait until next month or later to decide.

Telnic officials likened ".tel" to the creation of domain names decades ago as an easier-to-remember alternative to the series of numbers behind every Internet-connected computer. Instead of memorizing a friend's phone numbers, they say, just remember the ".tel" address.

But Telnic was vague on how all this would work, saying it is merely enabling developers to come up with innovative ways to use ".tel."

Nor did the company say in its application how much a ".tel" name would cost. A spokesman said Friday that officials were unavailable because of the Easter holiday.

ICANN sought bids in 2004 for new domain names. John Jeffrey, ICANN's general counsel, said the other ".tel" applicant had failed to correct deficiencies identified by an independent review panel. But that applicant, Internet telephony pioneer Jeff Pulver, blamed politics for the rejection.

European Union, ".jobs" for human-resources sites, ".travel" for the travel industry, ".mobi" targeting mobile services and ".cat" for the Catalan language, bringing the number of domains to 264.

The organization also is in negotiations to create ".xxx" for porn sites, ".asia" for the Asia-Pacific community and ".post" for postal services.

The few who submitted comments to ICANN on ".tel" were skeptical.

Francisco Cabanas, owner of Canadian domain registration company FineE.com, said an organization like The Associated Press could simply create an address at "tel.ap.org," rather than require an "ap.tel."

Otherwise, who would get the ".tel" name? The AP? Internet service provider AccessPort, which uses "ap.net"? Or Audio Precision Inc., at "ap.com"?

"It kind of magnifies the problem," Cabanas said. "If I'm looking for a phone number or an e-mail address or whatever and I'm getting a totally different (company), it defeats the purpose."

Also unclear is what the demand would be like, given the popularity of ".com."

The seven domains approved in 2000 — including ".aero," ".museum," and ".info" — "just never have caught on," said Dan Tobias, a Boca Raton, Fla., computer programmer who runs a site on domain names. "Nobody's figured out how to educate the public enough to seek out a different ... domain."

Written By ANICK JESDANUN, AP Internet Writer

Friday, February 03, 2006

Experts: 'Hype' May Have Mitigated Worm

Companies and individuals heeded this week's warning — some may call it "hype" — about a file-destroying computer worm known as "Kama Sutra," helping minimize its damage Friday, security experts said.
One Italian city shut down its computers as a precaution, but otherwise the worm's trigger date arrived with relatively few reports of problems.
For days, experts warned that the worm could corrupt documents using the most common file types, including ".doc," ".pdf," and ".zip." It affects most versions of Microsoft Corp.'s Windows operating system, prompting the software giant to issue a warning Tuesday.
Hundreds of thousands of computers were believed to be infected, but security vendors say many companies and individuals had time to clean up their machines following the alarm, carried by scores of media outlets including The Associated Press.
"Certainly, right now, we and our anti-virus partners are not seeing a widespread impact of this attack," said Stephen Toulouse, a Microsoft security program manager.
For Milan, Italy, though, the discovery came too late. Technicians switched off 10,000 city government computers after discovering the infection Thursday and deciding they didn't have enough time to clean the machines.
"It has spread to all our computers," said Giancarlo Martella, Milan's councilman for technological innovation and public services. "Knowing how destructive it is, we turned off all personal computers to avoid losing our data."
Only the municipality's registry office had been kept open because its "passive terminals" don't store data, Martella said, adding he hoped the computers would return to normal by Monday.
Unlike other worms generally designed to help spammers and hackers carry out attacks, Kama Sutra sets out to destroy documents by overwriting data.
The worm — called "CME-24" but nicknamed after the Hindu love manual Kama Sutra because of the pornographic come-ons in e-mails spreading it — also tries to disable anti-virus software, but vendors have generally posted updates that should protect users.
Assuming the computer's calendar settings are correct, users can also avoid the worm by leaving their machines off until Saturday, although the worm is set to trigger again on March 3.
Security vendors Trend Micro Inc. and CA Inc. both assessed the overall risk and distribution as low. The worm wasn't designed to spread any more quickly Friday. Rather, Friday was the first trigger date for the file-destroying code.
Ajit Pillai, India's manager for U.S. security firm Watchguard Technologies Inc., said about 10 percent of his customers in the country had the worm, but they "followed the remedies and managed to avoid any problem."
"We didn't have to do any firefighting today," Pillai said.
So was the public bamboozled by the warning?
Hardly, experts say.
"The importance of media attention from an awareness and educational standpoint has been a very good thing," said Marc Solomon, director of product management at security vendor management McAfee Inc. "It alerts users to what may have happened and the destruction that could have occurred."
Call it hype if you wish, but "the hype was probably what prevented the disaster from happening," said David A. Milman, chief executive of the Syracuse, N.Y.-based Rescuecom.
He said his U.S. computer-repair chain initially saw a 20 percent increase in call volume, but mostly from customers seeking reassurance.
Security experts benefited from advance warning. The worm has been circulating for weeks but is set to destroy files only on the third day of each month. That gave vendors time to update their products and warn customers.
It's possible virus writers next time will have the file destruction start immediately, but that could also blunt a worm's ability to spread, said Ken Dunham, director of the rapid response team for VeriSign Inc.'s iDefense.
If files get wiped out right away, "you would notice that immediately, and people would start mitigating it," Dunham said. "If you let it build up, there's a much (greater) chance of spreading."
___
Associated Press writers Ariel David in Rome, Sylvia Hui in Hong Kong, S. Srinivasan in Bangalore, India, and Doug Esser in Seattle contributed to this report.

Wednesday, January 25, 2006

Free website to list programs with spyware

Here's a new way to attack spyware: embarrass its purveyors.
A free website (StopBadware.org) launching Wednesday plans to provide a list of programs that contain spyware and other malicious software. It will also identify companies that develop the programs and distribute them on the Internet.
Consumers can then decide if a program is safe to download.
"For too long, these companies have been able to hide in the shadows of the Internet," says John Palfrey, who heads the Berkman Center of Internet & Society at Harvard Law School and is spearheading the project. "What we're after is a more accountable Internet."
The initiative is being run by Harvard and the Oxford Institute and is backed by high-tech heavyweights including Google and Sun Microsystems. Consumer Reports' WebWatch is serving as a special adviser.
Spyware invades PCs without users' knowledge when they download applications such as music file-sharing programs or screen savers, or visit certain websites. Often, spyware tracks Web-surfing habits and bombards victims with related pop-up ads. More nefarious versions monitor keystrokes to steal Social Security numbers or passwords for identity theft.
Also on the hit list of the StopBadware coalition are malicious "adware" programs that serve up onslaughts of pop-up ads or software that contains hidden viruses and worms.
At least 60% of home PCs are infected with one or more of these "badware" programs, says Forrester Research analyst Natalie Lambert.
The prevalence of the programs has spawned a booming industry of anti-spyware and anti-virus software. Internet providers such as America Online and EarthLink include the software free with service. But such programs typically can't identify all the rogue software on a PC and might not be able to eradicate a deeply embedded program even if they do, says Ferris Research analyst Fred Berlack.
By checking StopBadware.org, its organizers say, consumers can choose, in the first place, not to download a program containing the malicious software. The coalition is encouraging consumers to visit the website to log their experiences with harmful programs.
It will then use that information to compile reports on suspect programs, websites and companies that foist the software on consumers without getting their consent. The worst offenders will be spotlighted. It will take several months to gather a significant-size database, Palfrey says.
Some websites already provide information on spyware. Others identify suspect software for a fee. But the StopBadware group says it aims to be the biggest free clearinghouse.
Berlack is skeptical that many consumers will use the service. "I don't think the average Joe has the time or inclination to check every time he opens up a new website or downloads a program," he says.
But Te Smith, of consultants FFW Partners, says, "Anything that helps people be more informed is useful. I applaud these companies for using their market presence and reach to try to educate consumers."

Written by: Paul Davidson, USA TODAY

The Worst-Case Hack Scenario

A flurry of data breaches at major corporations late last year seemed to confirm a growing consensus among computer-security experts that 2005 was the worst year yet for such transgressions. Incidents at Marriott International, Ford Motor Company, and ABN Amro Mortgage Group served as eerie reminders to CIOs that they could be the next victims of thieves looking to poach Social Security and credit-card numbers, or of business-process breakdowns that cause sensitive information to fall into the wrong hands.
Most CIOs will tell you that getting hacked is inevitable. But there is getting hacked, and then there is getting sacked.
As the volume of information increases and criminals grow more brazen, the chances of companies suffering a worst-case scenario seem less remote every day. Part of any CIO's duty is to convince the boss that the company is ready for the very worst security crisis imaginable.
Tales of Tech Terror
An example of just how easily a security problem can hit a company is the data breach Ford Motor Company reported in the first week of January. Ford officials reported the theft of a computer with files that have the names and Social Security numbers of approximately 70,000 current and former employees of the company.
Adding insult to significant injury, that theft had nothing to do with network intrusion or social-engineering tricks typically employed by data thieves. Neither did the disappearance in December of a box containing information on some two million customers of ABN Amro Mortgage Group, one of the nation's largest mortgage lenders.
ABN Amro's customers learned that their Social Security numbers and other personal information were lost by a DHL courier on the way to the credit bureau Experian. A month later, a DHL worker found the unlabeled carton of data in the same DHL facility where it had been lost.
Meanwhile, someone at the corporate offices of Marriott Vacation Club International, in Orlando, Florida, either misplaced or removed computer backup tapes containing data about some 206,000 associates, timeshare owners, and customers. The company reported the missing tapes in late December.
Marriott officials mailed notifications to the affected people. In an effort to quell panic about possible identity theft, corporate officials said that the tapes require specialized equipment to read their content. Marriott is investigating how the tapes went astray and will monitor for unusual activity or possible misuse of the data.
We Have a Situation
Data security is a topic most corporate CIOs are reluctant to discuss. The consensus is, the less said, the better for the corporate image. But that does not mean CIOs are sitting around with their hands in their pockets wondering how to convince their bosses that the sky is not about to fall.
"Actually, believe it or not, many CIOs do already have a worst-case scenario list," said Ed Moyle, manager of Information Security Services at CTG and an analyst at Illuminata. "The specific terminology varies from firm to firm, but a situation report is one common way that a CIO can keep an eye on how the firm's I.T. infrastructure is impacted by developments in the outside world such as worms, viruses, and fraud activity."
The situation report might be prepared by CIO staff and contain high-level information about threats in the environment and the company's position with respect to each threat. Moyle said the staff might draw on data from Web sites like the SANS Internet Storm Center, which actively monitors and warns of attacks, or they might collaborate with peers to gauge the effectiveness of their security measures.
Keeping a list of threats is only the first step in crisis management, Moyle said. Most large companies also are likely to have an incident-response plan that details how I.T. personnel will respond to particular types of threats, including information about whom to call when a threat occurs and how to make sure the right people are involved.
Opening It Up
At General Motors, the approach to crisis management is very different than it was a few years ago. Back then, responding to worst-case scenarios was much like applying triage to a catastrophe, said Eric Litt, chief information security officer for Global Information Security at GM Information Systems and Services.
"Now we try to assess threats and decide how to handle them before the crisis hits," he said.
GM is unique in that it outsources 100 percent of its I.T. By necessity, the global operation requires around-the-clock scrutiny, and that includes preparation for nightmare scenarios. "We operate 24-7 so computer security incidents and events are handled no differently than other kinds of incidents," Litt said.
GM follows a model that aligns Litt with each sector of the corporate structure while allowing him oversight of the operations and support of the I.T. department. Because the company is always functioning at multiple locations worldwide, the data security infrastructure is more expansive, and concerns over data breaches are not treated as a separate entity linked only to I.T.
Litt said that this is a big change in the way he approaches his job. "I no longer worry about what could go wrong," he said.
Assessing Risk Clearly
Today's CIOs are more keyed in than ever on the risks that hackers pose, said Paul Stamp, an analyst at Forrester Research. That focus has strengthened the defenses around company perimeters and shifted focus somewhat to threats from within.
"CIOs are now better equipped to stay ahead of the security curve," said Stamp. "The feeling now is that the perimeter holes have been licked." In fact, he said, studies have shown that most security breaches in the last two years have come fairly consistently from inside corporations.
Despite this recent success against outside threats, CIOs are still struggling with how to communicate specific threat information to the bosses, said Moyle. "That's where the situation gets tricky," he said.
Since CEOs are focused on increasing the profitability of the firm, he said, many of them regard security as an expense that draws money away from investment in the business. To win over the CEO, information officers must demonstrate how activities within their purview affect the bottom line.
"By using data from their threat-tracking efforts, the CIO can demonstrate how I.T. investment impacted the bottom line in terms of cost savings," said Moyle. In other words, if a CIO can prove that money spent resulted in money saved, it could ease the pain involved in outlining a worst-case scenario.
"Granted, it is very difficult to get anything but a rough estimate from these metrics," Moyle said, "but a rough estimate is better than no estimate at all."
As to the degree of worry that CIOs have, Moyle conceded that quite a few CIOs are worried about attacks, incidents, and other types of security threats. And to him that is not a good sign.
"Worry in a CIO reflects uncertainty in the management process," said Moyle. For example, in a well-prepared company, a CIO might have metrics to help predict how likely an incident is to occur and how much it is likely to cost the company. He or she can then look at the balance sheet and make a considered determination as to how much to spend.
But if CIOs are panicked, it's a sign that their confidence in that process is not there for one reason or another, Moyle said. "The metrics might be so skewed as to be useless. They might not have metrics at all. They might have no way of tracking threats, or they might not have a defined response process, and so on."
The Best Defense
Moyle likened the role of the CIO in handling risk management to having flood insurance. Financial officers do not stay up late at night worrying whether there will be a flood, and adequately prepared CIOs shouldn't lose any sleep either.
The CIOs who manage risks effectively have become successful in showing their bosses the need to build computer systems from the ground up rather than to bolt on fixes, according to Forrester's Stamp. "[Risk management] is now a laundry list of things to do. Security is no longer a separate department. Rather, it is integrated into business practices," he said.
That integration seems to be the key to understanding and preparing for a worst-case scenario. Instead of having a plan waiting behind a pane of glass, to be broken out only in case of emergency, CIOs would seem to be best served telling their bosses that the systems are already in place to respond to a data-security crisis.
Besides, as GM's Litt sees it, a worst-case scenario, in the truest sense of the term, is one that is not survivable. The best CIOs can do is to have a plan in place to mitigate attacks effectively and be ready to follow it whenever needed.
"That doesn't mean an attack will never have an impact on the business," Litt said. "There is no such thing as a perfect security plan."

Written by: Jack M. Germain, cio-today.com

Nyxem Worm Programmed to Erase Files

Antivirus vendors are warning of a rapidly spreading worm that is carrying a potentially destructive set of instructions. The Nyxem worm--also nicknamed the Kama Sutra worm--is programmed to overwrite all of the files on computers it infects on February 3, says Mikko Hypponen, chief research officer at F-Secure.
F-Secure researchers found the worm truncates files to 20 bytes and causes an error message when one is opened, he says.
"We are expecting to see problems in two weeks' time," Hypponen says.
The worm appears to be programmed to overwrite all files on the third day of every month, Hypponen says. So far, there's no indication where Nyxem originated.
While most antivirus vendors have issued updates for their software, Nyxem is spreading quickly, and its creators have posted a counter on a Web site that records new infections. According to F-Secure's security blog, the counter was showing around 510,000 infections as of Sunday night.
Nyxem infections may be rising because it is taking advantage of computers that have already had their antivirus software disabled by some other virus such as Bagle, Hypponen says.
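For administrators assessing damage after a trigger date, the reported symptom (files cut to 20 bytes) can be swept for directly. The Python sketch below is an added example, not code from F-Secure or any vendor quoted here; it assumes the ".doc," ".pdf," and ".zip" types named in the reporting, uses standard file-signature bytes chosen for this example, and runs on constructed sample files.

```python
import os
import tempfile

# Magic bytes a healthy file of each type starts with. The extensions are the
# ones named in the reporting; the mapping itself is an assumption of this example.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (legacy Word)
    ".pdf": b"%PDF-",
    ".zip": b"PK",
}
TRUNCATED_SIZE = 20  # bytes, the size F-Secure reported for overwritten files


def classify(path):
    """Return 'damaged', 'suspect', 'ok', or None when the type is out of scope."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return None
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        header_ok = fh.read(len(magic)) == magic
    if header_ok:
        return "ok"
    # A wrong header alone can be a mislabeled file (e.g. RTF saved as .doc);
    # a wrong header plus exactly 20 bytes matches the reported damage.
    return "damaged" if size == TRUNCATED_SIZE else "suspect"


def triage(root):
    """Walk root and bucket in-scope files by verdict (paths relative to root)."""
    report = {"damaged": [], "suspect": [], "ok": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[verdict].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_tree(root):
    """Constructed sample data; the 20 filler bytes are not the worm's real output."""
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "report.doc": MAGIC[".doc"] + b"\x00" * 504,   # intact
        "budget.doc": b"X" * 20,                        # truncated
        "manual.pdf": b"%PDF-1.4\n%%EOF\n",             # intact
        "notes.pdf": b"plain text saved with a .pdf extension by mistake",
        "sub/archive.zip": b"X" * 20,                   # truncated
        "sub/readme.txt": b"X" * 20,                    # out of scope
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for verdict, paths in triage(tmp).items():
            print(verdict, paths)
```

Files in the "damaged" bucket are candidates for restore from backup; "suspect" files need a manual look because a wrong header alone does not match the reported 20-byte symptom.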
Dated Technique
The worm, which is spread through e-mail, uses a dated technique to entice users by promising pornography, says Graham Cluley, senior technology consultant at Sophos. Nyxem lacks the sophistication of recent Trojan horse-style viruses that are more targeted and less prevalent in order to evade detection, Cluley says.
Nonetheless, users appear to still be clicking, and the worm was accounting for about 35 percent of virus traffic as of Monday morning, he says.
"It's a bit of a throwback to an old trick," Cluley says.
The worm harvests e-mail addresses and then sends itself out again. The e-mail subject line may contain text that says "Miss Lebanon 2006" or "School girl fantasies gone bad," according to Sophos.

Written by: Jeremy Kirk, IDG News Service