Posted March 17, 2008 by David Hale in Security News
By Guy Kewney
March 17, 2008 11:15 GMT

Here's a nightmare vision of a technology-driven future: Terrorists may attack the internet and the Windows environment, bringing work to a halt globally. A virus placed by terrorists blocks the internet and operating systems worldwide or diffuses through firewalls and systematically deletes huge quantities of business and private data, gaining access through online communities.

Common safety measures turn out to be insufficient. Hundreds of businesses lose their organisational memories, intangible assets and intellectual property. The Chartered Management Institute has dreams, just like the rest of us. You don't need to be told that this nightmare is just one dream future when you read "The Desired Future" and discover: "Those organisations that maintain physical premises will be run by managers who create a sense of control and calm.

The energy that is currently expended addressing immediate issues will be channelled into more productive activities." And Dilbert will no longer be funny, and BOFH will be a quaint memory. Yeah, right. The report must have cost a fortune. You can get your copy for 200 quid - in May - but you can read the "management summary" today. And what you will learn is that probably, the world will carry on, much as it is now; but perhaps, there will be surprises: "Other versions of tomorrow initiated by unforeseen events are also possible."

The study uncovered 16 such events and developments, such as the world coming under cyber-attack, the "brain-enhanced" world and the world run by robots. No, they haven't been watching The Sarah Connor Chronicles - they've consulted literally hundreds of leading futurologists, technologists, and management experts.

Posted March 17, 2008 by David Hale in Security News
By Eric Bangeman
March 16, 2008 - 11:01PM CT

Spamming can pay big bucks, but it hasn't paid off for a Seattle man who was once considered the eighth-largest spammer in the world by Spamhaus. Robert Soloway, 28, pleaded guilty to electronic mail fraud, "snail" mail fraud, and not filing a tax return in 2005—when he reportedly made over $300,000 from his spamming activities.

Soloway was originally hit with a 35-count indictment in May 2007 charging him with fraud, wire fraud, aggravated identity theft, and money laundering. He was accused of using Chinese ISPs to send out spam e-mail using a database of 157.8 million e-mail addresses, as well as operating a botnet used for spamming. He faced significant jail time and the prospect of having to forfeit all of his spam-related assets to the federal government.

Soloway is no stranger to legal actions related to his illicit e-mail activities. He was sued by Microsoft in December 2003, but argued that his subcontractors were actually responsible for the spam that used forged hotmail.com reply-to addresses. In April 2005, a judge handed down a default judgment in Microsoft's favor, much to Soloway's chagrin. A month later, Soloway formed SPAMIS: Strategic Partnership Against Microsoft Illegal Spam.

A press release archived in a USENET group announced the organization's formation to alert everyone of "Microsoft's illegal, unsolicited, unethical, and fraudulent unsolicited e-mail spamming, e-mail address harvesting and e-mail list purchasing for use in spamming and various other reckless spamming related practices that everyone from the Microsoft CEO to Microsoft employees have engaged in for over 10 years now."

Posted March 14, 2008 by David Hale in Security News
by Rik Fairlie
March 13th, 2008

If you’re wondering just how secure your home network is, here’s an easy way to find out. Pure Networks, makers of the popular Network Magic management tool for home networks, has a free diagnostic scan that will deliver a scorecard on your network’s security status. The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic.

But it’s a fun download that can provide insight into your network security in just a few minutes. Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category and alerts you to any worrisome issues found. Click View and it gives you a detailed look within each category.

Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date. Under the Wireless Security tab, the scan checks to ensure that you have changed the factory SSID, tells you what kind of wireless security you’re using, and whether there are any SSID name conflicts.

The Network Devices tab lists all devices connected to your WLAN, while the This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date.

Posted March 12, 2008 by David Hale in Security News
By David Chartier
March 11, 2008 - 09:20PM CT

Thanks to Parallels and VMware, Mac users have powerful virtualization tools for running operating systems in addition to the one Apple installs on the factory floor. Since Windows is one of the most popular virtualized OSes on Apple's computers, security giant Norton felt it was time to try a new two-punch strategy on the Mac security market with Norton AntiVirus Dual Protection.

Featuring both Norton AntiVirus 2008 for Windows and Norton AntiVirus 11 for Mac OS X, as well as the typical one-year subscription for virus updates, the company believes it's the right time for some users to take another look at security on the Mac. There are some decent reasons behind Norton's targeting of the Mac virtualization crowd. For example, both Parallels' and VMware's virtualization products can enable Windows VMs to access a Home folder in Mac OS X, a directory that stores much of a user's data like contacts, personal data, passwords (encrypted, of course), and more.

While we haven't heard any reports of a virus striking a Windows VM and taking advantage of this Mac OS X directory access, it certainly is theoretically possible. There are also products like MacDrive which can grant read/write access of an entire Mac-formatted volume to versions of Windows from 98 on. Both of these situations could bring a Mac's OS X boot volume into the sights of a malicious application. Beyond users of virtualization apps, however, there is a case to be made for Mac users to at least consider looking at security products.

There haven't been any wide-spread, run-for-the-hills cases of viruses or self-perpetuating trojans for Mac OS X yet, but Mac users should think about discarding the "What, me worry?" attitude towards security they have cultivated. Past events like the 9805 AutoStart worm that overwrote system data, the Word 2004 demo trojan that wiped out a user's entire Home folder with (ironically) a legitimate Terminal command, last year's Month of Apple Bugs, and the recent trojan disguised as a QuickTime codec download are arguably neglected reminders of the less-than-bulletproof reputation of Mac OS X.

Posted March 11, 2008 by David Hale in Security News
By Joel Hruska
March 11, 2008 - 01:35PM CT

As the largest online auction company, eBay has been a lucrative target to fraudsters and phishers for years. The company has doggedly fought back against these attacks via user education and increased security, but such methods have done little to stem the tide of attackers. As of early 2007, approximately 47 percent of all phishing attacks were being launched at either eBay or PayPal, an eBay-owned company.

The auction giant has scored significant victories against its would-be fraudsters in the past. Last summer, eBay successfully disrupted a significant Romanian criminal ring. In that case, fraudsters would monitor auctions, take note of who had the second or third-place bid and attempt to contact them by pairing an eBay user ID with common e-mail domains. The potential buyer would then be contacted by a fraudster, who would offer them a supposed "second chance" purchase. Alternatively, the fraudster might pretend to have a similar item available for auction and would represent his contact as an attempt to secure an immediate sale.

eBay's success last summer was the culmination of years of work and research, but ultimately resembled a proverbial drop of water in a very large bucket. eBay is still on the warpath against these criminal organizations and is pursuing a multipronged strategy of engagement. eBay struck out at Russia, China, and particularly Romania as nations with no interest in cybercrime enforcement last week, while company CEO Meg Whitman discussed particular antifraud initiatives and technologies the auction giant is developing.

In her keynote at the Visa Security conference last week, Whitman discussed how eBay is working with Microsoft to develop a blacklist of phishing sites. These sites will be automatically blacklisted by IE7's phishing filter, in a move the company hopes will help prevent users from stumbling into them. eBay also now signs all of its e-mails with domain key signing, and is preparing to launch a PayPal key fob that will offer all PayPal users a chance to adopt a two-factor authentication system.

Posted March 11, 2008 by David Hale in Security News
March 11th, 2008
by Larry Dignan

Microsoft on Tuesday delivered several patches to fix critical vulnerabilities in Office including a well-publicized Excel flaw. In the first bulletin (MS08-014), Microsoft addressed “several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file.” This vulnerability allowed a remote attacker to take control of a system, install, view and change data and create new accounts. The CVE numbers for these vulnerabilities include:

* Excel Data Validation Record Vulnerability (CVE-2008-0111)
* Excel File Import Vulnerability (CVE-2008-0112)
* Excel Style Record Vulnerability (CVE-2008-0114)
* Excel Formula Parsing Vulnerability (CVE-2008-0115)
* Excel Rich Text Validation Vulnerability (CVE-2008-0116)
* Excel Conditional Formatting Vulnerability (CVE-2008-0117)
* Macro Validation Vulnerability (CVE-2008-0081)

These Excel flaws were discovered in January and left unpatched last month. The list of folks finding these Excel vulnerabilities is long. Mike Scott of SAIC, Matt Richard of VeriSign, Greg MacManus of iDefense Labs, Yoshiya Sasaki of JFE Systems, Bing Liu of Fortinet, Cody Pierce of TippingPoint DVLabs and Moti Joseph and Dan Hubbard of Websense Security Labs all had a hand in pointing out the various vulnerabilities.

According to Microsoft the update is critical for Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2007, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Office 2004 for Mac, and Office 2008 for Mac.

Posted March 11, 2008 by David Hale in Security News
By John Leyden
March 11, 2008 11:03 GMT

Google has removed Privila sites from its index after the firm was caught attempting to hoodwink the search engine giant. Chicago-based Privila has built "portals" designed to have relatively high search engine ranking scores while presenting nothing but ads. The firm's modus operandi involves buying sites after the original owner forgets to renew a registration.

Examples in the network include wallofdove.com, previously owned by a stoner metal band called Dove; bustem.com, the one-time website of a brand-protection outfit; sailjworld.com, the former home of a Maryland sailing school; and soccerlove.com. Privila fills these bought-in sites with custom-written material, generated by unpaid interns. These articles are strangely worded affairs, distorted so as to include the maximum number of keywords. Each site on the network contains a score of "articles" each around the 600 words mark.

These sites are promoted by link exchange spam. But following a recent refinement in the technique users who visit these sites will see nothing but banner ads, created by unpaid graphics interns, unless they set their browser’s user-agent to match that of Google’s spider. By dropping the "articles", Privila was able to fit in even more ads. The ruse came to light after researchers at Cambridge University's Computer Lab received a link invitation spam email from a Privila-run site.

Steven Murdoch of Cambridge Uni discovered 329 websites in the Privila network after he investigated the business model behind spam emails unwisely sent to his colleague, Richard Clayton. "Curiously, the Windows Live Search, and Yahoo! spiders are presented with an almost empty page: just a header but neither adverts nor articles," Murdoch writes.

Posted March 10, 2008 by David Hale in Security News
by Larry Dignan
March 10th, 2008

An application dubbed G-Archiver backs up your Gmail account to a hard drive with a not-so-nice twist: It swipes your user name and password. Jeff Atwood at Coding Horror outlines a chilling tale as told by Dustin Brooks, one of his readers.

I was looking for a way to back up my gmail account to a local drive. I’ve accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I’ll give it a try. It didn’t really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code.

All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned. I opened up a browser and logged in to gmail using his account information. It still worked.

Atwood zeroed in on the ethics of Terry and how programmers need ethics too. Marshall Kirkpatrick at ReadWriteWeb says that this ditty shows why we need authentication standards. I come up with a different conclusion: You just can’t trust a lot of the software out there. What apps can you really trust? This G-Archiver thing sounds way helpful, but it isn’t by any stretch.

Microsoft previews four critical bulletins for Office; Patches on deck
by Larry Dignan
March 6th, 2008

Microsoft said it plans to address four critical bulletins for vulnerabilities in Office on its upcoming patch day March 11. In a security bulletin, Microsoft said Thursday there are four critical remote code execution flaws in Office, which is regularly under attack.

* The first bulletin is rated critical for Microsoft Office Excel 2000 and may address an Excel vulnerability discovered in January and left unpatched last month.
* The second bulletin addresses critical vulnerabilities in Microsoft Office Outlook 2000, 2002, 2003 and 2007. In other words, if you have Outlook you should pay attention.
* The third bulletin addresses remote code execution vulnerabilities in Microsoft Office 2000 (SP3).
* And finally the fourth bulletin from Microsoft covers Web components for Office 2000.

For other flavors of Office and Excel Microsoft has called its bulletins important.

ZDNET Blogs

Posted March 06, 2008 by David Hale in Security News
Hackers Find Clever New Way To Hose Google Users
By Dan Goodin
March 6, 2008 03:06 GMT

Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as ZDNet Asia and TorrentReactor. As a result, at least 20,000 Google search results that appeared to lead to pages on the Asian version of ZDNet and the BitTorrent tracker site actually directed end users to sites that attempted to install malware.

The hack, which was first documented by Dutch researcher Dancho Danchev, takes advantage of the practice by ZDNet Asia and many other sites of caching search queries typed into their search boxes. The terms are then indexed by Google and other search engines and included in the results they return. Exploiting the weakness is as easy as typing popular search terms into a popular website along with the text of an IFRAME that points to a malicious website.

Within time, the strings will be included in results returned by Google and others. Google goes to great lengths to protect users by warning when a website included in search results is believed to be malicious. But at time of writing, queries on Google for "jamie presley," "mari misato" and "risa coda" got one or more poisoned links in the first 10 results. More than 20,000 Google results contained such redirects, according to F-Secure, the antivirus firm.

In the second half of 2007, 51 per cent of sites hosting malware were legitimate destinations that had been compromised, as opposed to sites specifically set up by criminals, according to security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor were compromised, although the criminals were clearly taking advantage of their strong page ranking and the trust that many end users have in them.

The Register

Posted March 03, 2008 by David Hale in Security News
First spam felony conviction upheld: no free speech to spam
By David Chartier
March 02, 2008 - 09:40PM CT

Virginia's Supreme Court on Friday upheld the first US felony conviction for spamming. The spammer will serve nine years in prison for sending what authorities believe to be millions of messages over a two-month period in 2003. Jeremy Jaynes is the man who will make history.

A Raleigh, North Carolina, resident who made Spamhaus' top 10 list of spammers, Jaynes was arrested in 2003 even before the CAN SPAM act was passed by Congress. Jaynes was convicted in 2005, but his lawyers appealed the conviction. This past Friday, the Virginia Supreme Court upheld that conviction, but the vote was a narrow 4-3.

The prosecution presented evidence of over 53,000 illegal e-mails that Jaynes sent over just three days during July, 2003, but it is believed that he sent 10 million messages per day between July and August of that year. Though he is a North Carolina resident, Jaynes was charged in Virginia because the AOL servers he used for sending spam were located in Loudoun County, Virginia.

While defending Jaynes, his lawyers attempted to argue that a provision of the Virginia Computer Crimes Act violates constitutional First Amendment rights to "anonymous speech," as well as the interstate commerce clause of the US Constitution.

Ars Technica

Posted February 29, 2008 by David Hale in Technology News, Security News
EU’s Safer Internet plan to target content harmful to kids
By John Timmer
February 28, 2008 - 01:31PM CT

Back when the dot-com boom was first booming, the European Union created a four-year Safer Internet Action Plan, designed to limit illegal and harmful activities on the 'Net. That plan got a two-year extension, and then morphed into the four-year Safer Internet plus Programme.

With that program's term coming to a close at the end of 2008, the EU has decided to drop the plus and add a year, as they approved a new Safer Internet Programme, which will receive €55 million over the course of the next five years. Previous efforts have focused on both illegal and harmful content.

For the EU, even defining illegality can be a challenge; one of the documents describing the plan notes that "what is considered to be illegal varies from country to country, is defined by the applicable national law and is dealt with by law enforcement and other government bodies.

Despite many common features, there are significant differences of detail between the laws of Member States and of third countries where content may be produced or hosted." A definition of harmful content was also a challenge for the EU.

Ars Technica

Posted February 28, 2008 by David Hale in Security News
Phishers clean up at online casinos
By John Leyden
February 28, 2008 - 11:38 GMT

Email fraudsters are increasingly targeting customers of online casinos with phishing attacks. A wave of assaults against punters betting in casinos run from Antigua and the Dutch Antilles shows that attackers are extending their range beyond targets such as online banks and eBay.

The trend was picked up by security firm Symantec, which noticed a large number of attacks on small countries and traced the attacks back to assaults on online casinos. Gambling sites are an attractive target for phishers because after tricking punters into handing over credit card details or login credentials it's easier to extract money from gaming accounts than it would be with online banking credentials.

Phishers need to employ middlemen to take money from compromised online bank accounts and wire it to them, typically using hard to trace Western Union money transfers. That's because the fraudsters behind online banking scams are typically located in a different country to their victims. Since they are unable to transfer money directly from a victim's online account in a different country, local intermediaries - or 'mules' - are hired.

That requirement is unnecessary in the case of compromised online gambling accounts. Access to gambling accounts also makes it easier to launder money. "Phishers can set up online gambling accounts sites using stolen credit card numbers and victims' identities. They can then launder dirty money by exchanging funds through the pots of games they set up amongst themselves," Symantec reports.

The Register

Posted February 27, 2008 by David Hale in Security News
German court says "policeware" a violation of privacy
By Jacqui Cheng
February 27, 2008 - 12:45PM CT

Government surveillance of citizens' personal computers is a violation of privacy, Germany's highest court ruled today. Citizens' basic right to privacy is protected by Germany's constitution, the court said, a protection that extends to their stored data. "Collecting such data directly encroaches on a citizens' rights, given that fear of being observed... can prevent unselfconscious personal communication," said Judge Hans-Juergen Papier in the court's opinion.

The case began last year when officials in North Rhine-Westphalia began spying on computer-related activities using trojans and spyware (also known as "policeware"). The government apparently had few problems with this, saying that such activities were important in the fight against terrorism. Interior Minister Wolfgang Schäuble even suggested changing German law to give the government more freedom to use policeware and engage in other PC-related surveillance.

Papier disagreed, saying that the North Rhine-Westphalia law was unconstitutional and that his ruling would set a precedent for the whole country on how to treat individuals' privacy. He did rule, however, that the state could employ some surveillance services under extreme conditions, but doing so would require prior permission from a judge. Such an exception would be made when there is "clear evidence of a concrete threat," similar to what is already required to tap a suspect's phone lines under current German law.

Surprisingly, Schäuble seemed to welcome the judge's opinion, saying that he would refer to the clause allowing surveillance when preparing new legislation. "I hope that the insecurity felt by young people will be tempered by this decision; it shows that our government... protects the people's rights," Schäuble said, according to the Associated Press.

Ars Technica

Posted February 27, 2008 by David Hale in Security News
Gotcha, CAPTCHA! Gmail bot detector system cracked
By Jacqui Cheng
February 26, 2008 - 01:41PM CT

The Gmail CAPTCHA has been cracked—albeit not easily—raising new concerns about spammers' ability to abuse Google's e-mail services. Websense Security Labs pointed out the security breach late last week, noting that spammers have a lot to gain by being able to use bots to automatically sign up for new accounts.

Google's free e-mail services and a highly-desirable gmail.com domain—one that is unlikely to be blacklisted by anybody's spam filters—are just two of the features that induced spammers to crack the CAPTCHA and have bots do all the work. On the upside, it apparently wasn't easy—Websense says that it required two bot hosts to crack instead of just the one that recently cracked Windows Live Mail's CAPTCHA (Websense believes that the same group was involved with both).

It also believes that the two hosts are required because the first host may fail at cracking the code the first time around (and possibly time out), but the second host may also be required to check the work of the first. Additionally, only one in every five CAPTCHA-breaking requests on Gmail succeeded. Still, a 20 percent success rate is relatively high when you consider that spambots are trying to register hundreds (or thousands) of e-mail addresses at a time.

The CAPTCHA test—Completely Automated Public Turing test to tell Computers and Humans Apart—is one we're all familiar with. When signing up for new services, we are often asked to decipher a series of letters and numbers embedded in an image that is supposed to be difficult for computers to read.

Ars Technica