
 Technology Stocks | Off Topic (Every Day Technology)


From: TimF 4/9/2012 9:11:51 PM
   of 1300
 
New Mac malware epidemic exploits weaknesses in Apple ecosystem
zdnet.com

Has Flashback malware made you consider installing antivirus on your Mac?
zdnet.com



From: TimF 4/27/2012 1:17:34 AM
   of 1300
 
90% of popular SSL sites vulnerable to exploits, researchers find
By Dan Goodin | Published April 26, 2012 3:15 PM

Less than 10 percent of the most popular websites offering Secure Socket Layer protection are hardened against known attacks that could allow hackers to decrypt or tamper with encrypted traffic, researchers said Thursday.

The grim figure was generated by SSL Pulse, a website that monitors the effectiveness of the 200,000 most popular websites that use SSL, also known as Transport Layer Security, to protect e-mail and other sensitive data from being snooped on while in transit. The product of a group of SSL experts from Google, Twitter, PayPal, Qualys and other firms, SSL Pulse systematically scans all subdomains of the top-ranked sites as measured by Alexa for pages that use the protocol to prevent man-in-the-middle eavesdropping. By examining the top 200,000 SSL-enabled sites, the researchers aim to give a snapshot of the overall health of SSL protection, which is offered by an estimated 1.5 million sites in total.

Out of the 200,000 sites examined, only 19,024 were configured to withstand an attack discovered in 2009 that allows attackers to inject data into encrypted traffic passing between two endpoints. The vulnerability resides in the SSL protocol itself and can be exploited by renegotiating the protected session, something that often happens to generate a new cryptographic key. Just a few weeks after the bug was discovered, a Turkish grad student showed how it allowed him to steal Twitter login credentials that passed through encrypted data streams.

Although the Internet Engineering Task Force signed off on a fix in early 2010 and major SSL packages have been updated to include it, only 72 percent of the sites examined by SSL Pulse were found to be safe from renegotiation exploits. Of the remainder, 13 percent were classified as "insecure renegotiation," one percent was classified as offering both secure and insecure renegotiation, and 14 percent offered no renegotiation at all.

"On the application layer, you can make mistakes and programming mistakes that completely subvert SSL," Qualys Director of Engineering Ivan Ristic told Ars.

What's more, just 25 percent of the sites are able to withstand an experimental attack unveiled last year that allows attackers to silently decrypt data that is passing between a webserver and an end-user browser. BEAST, short for browser exploit against SSL/TLS, isn't easily eradicated, because patches would make websites incompatible for millions of people using older browsers. But websites can block attacks by using what's known as the RC4 cipher, because it doesn't use an encryption mode known as cipher block chaining, in which information from a previously encrypted block of data is used to encode the next block.

"Many people still believe that the BEAST attack is not practical," Ristic said. "I disagree with that because attacks only get better and never worse. If somebody is motivated enough, that someone will make the attack work."

Ristic said BEAST attacks would most likely be carried out in espionage campaigns sponsored by wealthy nation states.

He also said that SSL Pulse uncovered 19 private keys generated with 512-bit encryption, making them susceptible to brute forcing attacks that allow man-in-the-middle hackers to decrypt the protected traffic. The service also found 9 keys that were generated on systems running now-patched versions of Debian Linux that were so predictable attackers could guess them in a matter of hours.

On an Internet where packets often pass over open networks that can be passively monitored, SSL is frequently the only protection preventing passwords and other sensitive data from being intercepted by online criminals and state-sponsored spies. Last year, Google warned Gmail users in Iran to change their passwords after someone used fraudulently issued SSL certificates to impersonate the popular e-mail service. The attack, which stemmed from the breach of the now-defunct DigiNotar certificate authority in the Netherlands, was used to snoop on 300,000 Gmail users, mostly in Iran.

SSL Pulse is the brainchild of the Trustworthy Internet Movement, a recently formed group that has chosen SSL as its first project. Members include Ristic; Google Software Engineer Adam Langley; SSL researcher Moxie Marlinspike, whose company was recently acquired by Twitter; Michael Barrett, who is chief information security officer at PayPal; Taher Elgamal, founder and chief identity officer at IdentityMind and a co-creator of the SSL protocol; and Ryan Hurst, chief technology officer at GMO GlobalSign.

arstechnica.com



From: TimF 4/27/2012 5:07:20 PM
   of 1300
 
Googling 'zerg rush' sends you to battle to save your search results
news.cnet.com



From: TimF 5/1/2012 1:50:32 AM
   of 1300
 
TV Now is the latest Internet-based DVR service to find courtroom trouble
By Timothy B. Lee | Published April 29, 2012 6:15 PM

Consumers around the world want a hassle-free way to record free, over-the-air television and play it back on any Internet-connected device. But every time a company creates such a service, it gets sued by copyright holders. Last year we reported on ivi, an American firm that argued that it qualified for a compulsory licensing regime designed for cable companies. The courts didn't buy it. Another American company, Aereo, is still fighting in court about whether its "tiny antennas" service is legal.

A similar fight has been happening in Australia. Optus, a major Australian telecom company, created a service called TV Now. Like ivi and Aereo, it acts as a virtual DVR, recording over-the-air television programs selected by individual customers and later streaming them to those same customers. Like its American counterparts, Optus quickly found itself in court facing charges of copyright infringement. On Friday, it suffered a major setback when an appeals court ruled the service was illegal.

Australian copyright law allows consumers to record television programs for "private and domestic use." Optus argued that programs recorded on a customer's behalf by TV Now qualified for this exemption because Optus's own role was purely passive. The trial judge, Justice Steven Rares, accepted that argument in February, favorably citing an American precedent that has become the legal foundation for cloud music services.

But Justice Rares' decision was overruled on Friday by a three-judge panel. "Optus is not merely making available its system to another who uses it to copy a broadcast," the judges wrote in their opinion. "Rather it captures, copies, stores, and makes available for reward, a programme for later viewing by another."

And while the viewer is authorized to make copies of television programs for personal use, a company like Optus cannot make copies without the permission of the relevant copyright holders, the judges said.

"There is nothing in the language, or the provenance, of [the home copying exemption] to suggest that it was intended to cover commercial copying on behalf of individuals," they wrote.

Judge Rares had argued for allowing TV Now to qualify for the home copying exemption on the grounds of technological neutrality, noting that it would be irrational for the law to allow home recording using a DVR but not a hosted Internet service. But the appeals court was unconvinced. "No principle of technological neutrality can overcome what is the clear and limited legislative purpose" of the law, the judges argued. "It is not for this Court to re-draft this provision to secure an assumed legislative desire for such neutrality."

Optus told the Sydney Morning Herald that it was suspending the TV Now service in response to the decision. The paper says the telecom firm has 21 days to appeal the decision to Australia's High Court.

arstechnica.com



From: TimF 5/4/2012 12:34:59 PM
   of 1300
 
TEDxMidAtlantic 2011 - Avi Rubin - All Your Devices Can Be Hacked
youtube.com



From: TimF 5/12/2012 12:43:26 PM
   of 1300
 
Siri says Nokia Lumia 900 the best smartphone ever

When iPhone 4S users ask Apple's virtual personal assistant Siri which smartphone is the best ever, the Nokia Lumia 900 takes the honor.

Apple's Siri virtual personal assistant certainly has said some rather interesting things in the past. But to diss its overlord seems a bit much, don't you think?

When iPhone 4S owners ask Siri which smartphone is the best ever made, the obviously disgruntled virtual personal assistant responds saying it's the Nokia Lumia 900 4G running on AT&T's network. It goes further, stating that the Cyan-colored Lumia 900 stands above all others.

Although it may seem a bit odd that Apple's own service would recommend another phone, it actually makes sense. Siri looked for the answer on Wolfram Alpha, which points to the Lumia 900 when users type in "what's the best smartphone ever?" The high rating is delivered based on "customer review average" across the Web.

The Lumia 900 is certainly no slouch. CNET's review of the device gave it four stars out of five and deemed it "excellent." CNET reviewer Jessica Dolcourt called the Lumia 900 her "favorite Windows Phone yet."

Evidently, it may be Siri's too.

Update 9:14 a.m. PT The Siri query does not appear to be delivering the same results to everyone. Two CNET staffers on the West Coast are now getting Yelp results when asking Siri which smartphone is the best ever.

news.cnet.com



thenextweb.com



From: Sr K 5/16/2012 10:51:54 PM
   of 1300
 
Dish Runs Ads to End All Ads

Dish Network is promoting its new "Auto Hop" ad-skipping DVR with a marketing campaign that, ironically, uses a TV commercial. Some networks are refusing to run the spot.



To: Sr K who wrote (1160) 5/16/2012 11:59:05 PM
From: Stock Puppy
   of 1300
 
It's Two Ducks (read on :-))

Well, if you had the gizmo, presumably you wouldn't be seeing the ads.

But if you don't see the ads, you wouldn't have the gizmo.


It's just like yourself going back in time and giving yourself a time machine.

But then you wouldn't invent one because you already have one.

And then you accidentally kill your parent before you're born or something like that.

So you really don't exist.

Then there's one story where the guy is his own grandmother (What a story - don't ask - besides I regress)

Therefore it's all a ..

Paradox! (groan)

Where's the duck tape?
Thank you thank you I'll be here all week.



From: TimF 5/18/2012 2:14:34 PM
1 Recommendation   of 1300
 
RE: And then there was one
By vol7ron on 5/17/2012 9:37:34 AM, Rating: 5

I wouldn't have a problem with limited data plans, if there was a "rollover data" or "rollover bytes" option.

Like you, I have a grandfather unlimited plan, that I hardly use. However, when I want to use it to download lots of email, movies, games, books, music, etc; I don't want to worry about approaching my data cap.

My data usage is not constant, it is sporadic; I'd rather a plan that meets that, than for them to say "some people are taking advantage, so everyone has to go back to the stressful policy we had of limited use, with an increased rate on bonus usage".

dailytech.com



From: TimF 5/21/2012 1:06:15 PM
   of 1300
 
Generating fraudulent ad clicks and getting paid are two different things.
by Jacqui Cheng - May 16, 2012 8:45 pm UTC

A Flashback botnet of Macs could bring in up to $10,000 per day, but it doesn't. Symantec has published a new report after having followed OSX.Flashback's advertising component for a few weeks, concluding that the creators have only garnered about $14,000 in three weeks and have yet to figure out how to get the money into their bank accounts.

Symantec's original report from the end of April said that Flashback was capable of generating up to $10,000 per day in ad clicks, primarily impacting Google and bringing in "untold sums of money for the Flashback gang." The ad-clicking component works by monitoring Web searches being performed in Safari, Chrome, and Firefox. It then bypasses Google's own advertising on the results page by substituting ads from various pay-per-click (PPC) services. When clicked, the PPC services would then pay fees to the Flashback team.

In its latest report, Symantec says that during a three-week period in April, the Flashback botnet managed to generate around 400,000 ad clicks out of roughly 10 million being displayed. That 4-percent conversion rate resulted in about $14,000 worth of payouts to the Flashback creators—if the PPCs would actually pay them, that is. In a twist of schadenfreude, Symantec points out that collecting the money has been a problem.

"Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying," the company wrote on its blog. "Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid."

That's not all. It turns out that Flashback's ad-clicking component was installed on "less than 2% of the entire botnet," or about 10,000 of the 600,000+ infected Macs. The discovery is certainly chuckle-worthy, but does drive home Symantec's original point that utilizing the full botnet would undoubtedly generate massive amounts of cash. "[I]f the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year," wrote Symantec.

It has been a little over a month since the sheer size of the Flashback botnet started gaining attention. Since then, Apple has patched the Java vulnerability that made the infections possible, and issued Flashback removal tools to OS X users. Though new variations are still being spawned, it appears as if they are still targeting the same Java hole—if you've already patched and cleaned up your machine, you should be in the clear for the time being. But as many security researchers point out, Macs can't and won't stay invulnerable to malware forever, so it's no time to rest on your laurels when it comes to keeping your Mac secure. Kaspersky Lab and Symantec are in agreement: "as the market share of Mac increases, we will see more Mac-related botnets similar to this one in the future."


arstechnica.com

