Saturday, June 30, 2007
Beware of emails "You've received a postcard from a family member!"
Web-based attack poses as greeting card, tries three exploits
A new round of greeting-card spam that draws users to visit attack sites relies on a sophisticated multipronged, multiexploit strike force to infect machines, security professionals said late today.
Captured samples of the unsolicited e-mail have all borne the same subject line -- "You've received a postcard from a family member!" -- and contain links to a malicious Web site, where JavaScript determines whether the victim's browser has scripting enabled or turned off.
"If JavaScript is disabled, then they provide you a handy link to click on to exploit yourself," said an alert posted Thursday afternoon by SANS Institute's Internet Storm Center (ISC). Some users turn off scripting because it is a frequent attack vector; browsers with JavaScript enabled are simply fed a two-part package of downloader and malware.
The quick browser status exam in this attack is somewhat similar to one used in a different exploit tracked by Symantec Corp. since Tuesday, but the two are not connected, said Oliver Friedrichs, director of Symantec's security response group. "They're using two different tool kits, but they're both prime examples that exploits against browsers are more and more prevalent," he said.
Today's greeting-card gambit tries a trio of exploits, moving on to the second if the machine is not vulnerable to the first, then on to the third if necessary. The first is an exploit against a QuickTime vulnerability; the second is an attack on the popular WinZip compression utility; and the third, dubbed "the Hail Mary" by the ISC, is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft Corp. patched last October.
The ISC said several antivirus vendors had tentatively pegged the executable file, which is offered to users whose browsers have JavaScript disabled, as a variation of the Storm Trojan horse, an aggressive piece of malware that has been hijacking computers to serve as attacker bots since early this year. According to the ISC's warning, computers already compromised by Storm -- a.k.a. Peacom -- are hosting the malware, and the attackers are rotating those machines' IP addresses in the spam they're sending.
"Every Storm-infected system is potentially capable of hosting the malware and sending the spam, but only a few will be used in any given run," said the alert, "depending on how many e-mails they want sent and how many Web hits they're expecting."
Hackers haven't abandoned the practice of attaching malware to e-mail, then counting on naive users to open the file, said Friedrichs. But malware-hosting sites are the trend. "It's much more difficult to send a full malicious file," he said, because of users' learned reluctance to open suspicious files and filtering and blocking tactics by security software.
"This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. "There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect."
Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit.
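The traits reported for the greeting-card run (a fixed subject line, no attachment, and links that point at rotating IP addresses rather than domain names) can be turned into a simple mail-triage check. The following is an added example, not code from the ISC alert or any vendor quoted above; the sample messages are constructed, and the verdict names are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subject line the article reports for this spam run.
CAMPAIGN_SUBJECT = "you've received a postcard from a family member!"
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample messages; 192.0.2.0/24 is a documentation-only range.
SAMPLE_LURE = """\
From: greetings@example.com
To: user@example.org
Subject: You've received a postcard from a family member!
Content-Type: text/plain; charset=us-ascii

Click to view your postcard: http://192.0.2.45/?card=1
"""
SAMPLE_BENIGN = """\
From: aunt@example.com
To: user@example.org
Subject: Photos from the trip
Content-Type: text/plain; charset=us-ascii

The album is at https://photos.example.com/album/7
"""


def body_text(msg):
    """Join every text/* part (plain and HTML) into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)


def ip_literal_links(text):
    """Return links whose host is a bare IP address rather than a name."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:  # not an IP literal, or an unparsable URL
            continue
        hits.append(url)
    return hits


def triage(raw_message):
    """Score one message against the campaign traits described above."""
    msg = message_from_string(raw_message)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    links = ip_literal_links(body_text(msg))
    subject_hit = subject == CAMPAIGN_SUBJECT
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if subject_hit and links:
        verdict = "quarantine"   # both campaign traits present
    elif subject_hit or links:
        verdict = "review"       # one trait only, needs a human look
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "ip_links": links, "attachments": attachments}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

Because the hosting machines rotate, the check keys on the shape of the link (an IP literal) rather than on any particular address.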
Thursday, June 28, 2007
iPhone set to hit shelves tomorrow
After five months of increasing hype, tomorrow marks the day for consumers to find out if the iPhone is really "all that". Sink or swim? Best damn piece of consumer electronics gear ever or just another phone? We'll have to wait and see, but in the meantime we can read up on the reasons not to have iPhone envy.
iPhone Drawbacks:
From a slow data network to a sealed battery, here are some of the drawbacks to consider before you buy the season's hot phone.
Limited network speeds: iPhone will not run over AT&T Inc.'s highest-speed 3G network based on high-speed downlink packet access (HSDPA) technology. The iPhone will only run over AT&T's 2.5G enhanced data rate for GSM evolution (EDGE) network. HSDPA supports download speeds of 400Kbit/sec. to 700Kbit/sec. and bursts up to 1Mbit/sec. However, the EDGE network only averages download speeds of 70Kbit/sec. to 135Kbit/sec.
AT&T has acknowledged this potential problem by announcing upgrades to its EDGE network in anticipation of the iPhone launch. And of course, the iPhone will support Wi-Fi, which will make Web page downloads much more feasible if you're in range of a hotspot.
Limited third-party apps: Lots of cell phone power users get more value out of the applications they've loaded on their handsets themselves than the often lame or expensive offerings from their carriers. When the iPhone was first announced, third-party apps seemed shut out entirely, a move that prompted one online petition of protest. Now Apple says that developers can create iPhone apps that run in Safari. Only two problems with that: First, those apps may be fairly poky given the iPhone's slower EDGE network connection. Second, many developers seem to hate writing for Safari. As PC World forums member dazeddan said, "As a developer, we have more problems designing around Safari than any other platform. I wish it would just go away."
It costs how much?! You've probably already heard about the iPhone's astronomical price: $500 for a 4GB model and $600 for 8GB. But you may not have calculated all the other costs associated with buying one. You'll have to make a two-year commitment to AT&T at a per-month cost that starts at $60, recent reports say (though that includes unlimited data access, something AT&T often charges $40 for on smart phones). And unlike with pretty much every other phone in the world, making that commitment doesn't knock down the price, it's just a requirement. Plus, if you're in the midst of a prior two-year commitment with a competing carrier, your cost of iPhone ownership could be further inflated by the early termination penalty you'll pay your current carrier. And finally, AT&T doesn't always receive high marks for its service. You may be okay with the deal now, but how will you feel in a year if the iPhone is no longer the coolest handset on the planet?
Businesspeople need not apply: It's a safe bet that many professionals will want an iPhone. But BlackBerry, Windows Mobile, Palm, and Symbian smart phones offer a long list of business-related features that the iPhone apparently won't, at least upon release. For instance, while the iPhone apparently will connect with Exchange servers, it will require some security trade-offs that could make your IT department nervous. There's no word on connecting to Domino servers. And though you can open Word and Excel files on the iPhone, you can't edit them.
Don't even try to swap that battery: Like the original iPod, the iPhone has its battery enclosed in a superslim case among tightly negotiated electronics and behind a top surface of glass--reducing the chances of a DIY battery replacement to next to nil. So if your battery life dwindles to roughly 6.5 minutes per charge, or the battery malfunctions, you'll have to send your iPhone in for repair.
Read more of PC World's list of Potential Drawbacks
So you've changed your mind and don't want an iPhone!
Well, PC World has you covered there. Read their article comparing iPhone alternatives.
Thursday, June 21, 2007
Beware Harry Potter Spoilers a Phishing Scam
He has published what he claims are all of the plot points—including main characters who get killed and the final outcome of the seven-book series.
Gabriel says he used "the usual milw0rm downloaded exploit." The exploit entailed delivering to a Bloomsbury employee an e-mail with an invitation to click on a link, open a browser and click on a maliciously crafted animated icon that allowed the attacker access to the victim's system.
"It's amazing to see how much [sic] people inside the company have copies and drafts of this book," Gabriel wrote in a posting on Insecure.org. "Curiosity killed the cat." (Ed. note: Spoiler alert: Do not click on the link to read Gabriel's posting if you don't want to have the plot spoiled.)
milw0rm is a group of politically motivated "hacktivists" whose most famous exploit was penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. They have anti-nuclear and pro-peace agendas and, in this case, anti-Harry Potter and pro-Pope Benedict XVI.
"We did it by following the precious words of the great Pope Benedict XVI when he still was Cardinal Joseph Ratzinger," Gabriel said. "He explained why Harry Potter bring the youngs [sic] of our earth to Neo Paganism faith. So we make this spoiler to make reading of the upcoming book useless and boring."
Gabriel said he did it "to protect you and your families."
This week's hot offerings from Dell
Dimension C521 featured at $419.
AMD Athlon 64 X2 Dual-Core 3600+ 1GB Dual Channel DDR2 19 inch Samsung 941BW Widescreen LCD Monitor and more!!
Inspiron 1501 featured at $549.
AMD Athlon 64 X2 Dual-Core Mobile Technology TK-53 15.4 inch Wide Screen XGA Display 1GB DDR2 and 80 gig hard drive and more
Inspiron™ 1501 $499
AMD Turion X2 Dual-core Processor, Windows Vista™ or Windows® XP, 15.4" Widescreen, 1GB Memory, 60GB Hard Drive, CD/DVD Burner and more
Up to $100 off select* Dell™ laser printers.
Tuesday, June 19, 2007
AT&T Launches $10 DSL
AT&T is doing little to publicize the new offering. In fact, most people looking for the low-price service have only been able to find it by clicking on the Terms and Conditions link at the bottom of AT&T's residential high-speed Internet product page. A note on AT&T Yahoo! High-Speed Internet buried six paragraphs down says that the "basic speed ($10.00)" tier is available to new customers only, those who have not subscribed to AT&T or BellSouth DSL during the past 12 months, and the service requires a one-year contract.
Customers must also order phone service to get the budget-priced DSL service; those looking for cheap, naked DSL should look elsewhere. Those living in BellSouth's former territory can get naked DSL for the next two-and-a-half years, however. The terms of the merger state AT&T is only required to offer the $10 per month tier for the next two-and-a-half years. After that, the company is free to make whatever changes it wants to the service.
While this is not a top-notch deal, it is fairly good for those who haven't yet made the switch from dial-up, anyone on a tight budget, or those of you who only browse the net and check emails.
Monday, June 18, 2007
Hackers compromise 10k sites, launch 'phenomenal' attack
Attackers armed with an exploit tool kit have launched massive attacks in Europe from a network of at least 10,000 hacked Web sites, with infections spreading worldwide, several security companies warned today.
As early as last Friday, analysts reported the opening salvos of a large-scale attack based on the multiexploit hacker kit dubbed "Mpack." The mechanics of the attacks are complex, but essentially attackers taint each compromised site with code that then redirects visitors to a server hosting the Mpack kit -- a professional, Russian-made collection of exploits that comes complete with a management console to detail which exploits are working and against what countries' domains.
Infected computers are fed a diet of malicious code, largely keyloggers that spy out usernames and passwords for valuable accounts such as online banking sites.
"The gang behind the attack has successfully compromised the homepages of hundreds of legitimate Italian Web sites," said Symantec Corp. researcher Elia Florio in a posting to the vendor's security response blog on Friday. "The list of compromised sites is huge and from Mpack statistics this attack is working efficiently."
Florio said that Symantec is uncertain how the sites were originally hacked but that she suspects a common vulnerability or configuration problem at the hosting level.
Paul Ferguson, a network architect at Trend Micro Inc., would only guess at how sites were hijacked but said that "how" is mostly a moot question. What's important, he said, is that "the hackers seem to be able to find a lot of sites to compromise no matter where they look."
By Friday night, Symantec had pegged the number of compromised sites feeding Mpack exploits at 6,000; by today, Websense Inc., a San Diego-based Web security company, said it had tracked more than 10,000. "That's a phenomenal number," argued Ferguson, who said that previous compromised-site attacks using hacker kits could be counted as "several hundred here, a couple hundred there."
Screenshots of the Mpack management console posted by Websense on Monday and Symantec on Friday illustrate the large numbers of computers that have surfed to the compromised sites and the high success rate of the Mpack-delivered exploits. Although the bulk of the victim PCs use Italian IP addresses, U.S.-based machines are not immune.
"The lion's share of the sites we're seeing are in Italy still," said Ferguson, "but we're seeing sites all over the world as well." For instance, Trend Micro has identified hacker-controlled sites hosted in California and Illinois. The California site is hosted by a company Ferguson called "notorious," but he wouldn't divulge the hosting vendor's name.
"The usual advice we give, 'Avoid the bad neighborhoods of the Web,' just doesn't hold water anymore," when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighborhood now."
ComputerWorld's summer gadget guide
Some of my personal favorites include:
EGO Waterproof iPod Case
iPod speaker docks and accessories abound. But how many let you take your iPod safely into the pool? Atlantic's EGO Waterproof Sound Case for iPod ($150) protects your iPod from water -- or even shock damage -- while blasting your tunes all over the backyard or boat through its built-in, waterproof speakers.
ATC2K Waterproof Action Camera
Oregon Scientific's underwater video camera is a perfect fit for today's record-everything society. Waterproof to a depth of 10 feet, the ATC2K captures moving images at 30 frames per second in VGA (640 by 480) resolution.
Throw this gadget into the swimming pool with your kids and they'll be occupied all summer. At the very least, it could give you some great blackmail material for later in life.
Friday, June 15, 2007
Sony to cut PS3 prices?
In an interview with the Financial Times, Stringer admitted rival console the Nintendo Wii -- which is far outselling the PS3 -- was based on a good business model.
Sony fell short of its PS3 target in the 12 months to 31 March 2007 by 500,000 units. Market analysts are predicting the games division to incur a loss of around $488 million in the current year, despite Sony's claim it has sold more than a million units in Europe and Australasia since the PS3's late March launch there.
Stringer said: "[Price cuts are] what we are studying at the moment. That's what we are trying to refine." He went on to say that he expected "energy [in PS3 sales] by Christmas, and then you will begin to see break-out games".
PS3 sales have been slow -- to be honest, the world over -- owing to its high price and slow, drip-feed supply of games, most of which have been PC game re-writes anyway. Apparently, the Japanese electronics giant has a target of shipping 11 million consoles this year, and with production costs falling many believe Sony will cut prices by USD100 before the crucial Christmas sales period.
Wireless network admins wising up
Owners of wireless hot spots are doing better at securing their networks, but about a fifth of corporate access points in London, Paris, and New York remain open to all comers, RSA Security Inc. reported Thursday.
Reprising past surveys, RSA personnel drove or walked through swaths of each city, logging each wireless access point detected by a specially-equipped laptop, and recording data including the service set identifier (SSID), security protocol, signal strength, and operational mode. In New York, for example, the team covered Manhattan's Midtown and Downtown, and parts of Uptown as far north as 125th Street.
On average, survey results were encouraging, said Toffer Winslow, a vice president of product management at RSA. "Folks are securing their access points more, and more with advanced encryption such as WPA rather than plain old WEP," he said.
Wired Equivalent Privacy (WEP) is a 1999-era data encryption standard now considered inadequate, and has been supplanted by WPA, or Wi-Fi Protected Access, which requires stronger passwords and uses a 128-bit key rather than WEP's 40-bit key. However, WEP is still offered as the default security technique by most wireless hardware.
In all three cities, the percentage of hot spots that were secured by some kind of encryption was higher than last year. In London, the numbers improved from 76% to 81%, while New York climbed from 75% to 76%, and Paris moved from 78% to 80%. WPA use also grew, Winslow said, with 49% of the business wireless networks in New York locked down with tighter security. London and Paris came in second and third, with 48% and 41% WPA usage, respectively.
But a substantial percentage of business wireless networks still run without security. Eighteen percent of the detected corporate hot spots in both Paris and London were unsecured, while New York topped that at 21%. "This strikes me as very foolish," said Winslow.
Living almost as dangerously were significant minorities of hot spots that used default SSIDs and media access control (MAC) addresses. In London, 30% of the wireless networks relied on the manufacturer's SSID -- usually the name of the hardware maker, such as Linksys -- or preset MAC address. New York ranked slightly better, at 24%, but Paris beat both by a wide margin: Only 13% of the wireless access points sniffed by RSA in the city of light used defaults.
"Change the default network settings, that's No. 1," said Winslow when asked to list recommendations for wireless users. "Use [encryption] protocols stronger than WEP, and when you're at a public hot spot, VPN is essential.
"I wouldn't even call these 'best practices' anymore," he said. "They're just the reasonable practices."
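The same checks RSA describes (encryption in use, WEP versus WPA, factory-default SSIDs) can be run against your own site-survey log. This is an added example, not RSA's tooling: the CSV layout and sample rows are constructed, and every default SSID other than "linksys" is an assumption. The survey's preset-MAC-address check is not covered.

```python
import csv
import io

# Factory SSIDs to flag. "linksys" is the example the article gives; the
# other entries are assumptions added for illustration.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

# Constructed sample log, one row per detected access point, using the
# fields the article says were recorded.
SAMPLE_LOG = """\
ssid,security,signal_dbm,mode
linksys,OPEN,-61,infrastructure
AcmeCorp-Guest,WEP,-70,infrastructure
AcmeCorp,WPA,-55,infrastructure
NETGEAR,WPA,-80,infrastructure
cafe-wifi,OPEN,-74,infrastructure
printer-adhoc,WEP,-66,ad-hoc
BranchOffice,WPA,-59,infrastructure
warehouse,WPA,-77,infrastructure
"""


def is_default_ssid(row):
    return row["ssid"].strip().lower() in DEFAULT_SSIDS


def findings_for(row):
    """Return the list of issues for one access point row."""
    issues = []
    security = row["security"].strip().upper()
    if security == "OPEN":
        issues.append("no encryption")
    elif security == "WEP":
        issues.append("WEP only, use a stronger protocol")
    elif security != "WPA":
        issues.append("unrecognised security value: " + security)
    if is_default_ssid(row):
        issues.append("factory-default SSID")
    return issues


def pct(count, total):
    """Percentage rounded to one decimal; 0.0 for an empty survey."""
    return round(100.0 * count / total, 1) if total else 0.0


def audit(log_text):
    """Return (summary percentages, [(ssid, issues), ...]) for a survey log."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    total = len(rows)
    sec = [r["security"].strip().upper() for r in rows]
    flagged = [(r["ssid"], findings_for(r)) for r in rows if findings_for(r)]
    summary = {
        "total": total,
        "pct_encrypted": pct(sum(s in ("WEP", "WPA") for s in sec), total),
        "pct_wpa": pct(sec.count("WPA"), total),
        "pct_unsecured": pct(sec.count("OPEN"), total),
        "pct_default_ssid": pct(sum(is_default_ssid(r) for r in rows), total),
    }
    return summary, flagged


if __name__ == "__main__":
    summary, flagged = audit(SAMPLE_LOG)
    print(summary)
    for ssid, issues in flagged:
        print(ssid, "->", "; ".join(issues))
```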
Wednesday, June 06, 2007
14 Great Multimedia Utilities from PCWorld.com
Your PC is an entertainment powerhouse, just waiting to be unleashed. Its talents include recording and playing music, supporting editing of audio and video files, and burning DVDs and CDs. Unfortunately, the software that came with your PC probably won't handle these tasks with maximum effectiveness. So to help you unlock your system's multimedia power, we've gathered a group of 15 downloads--most of them free, some of them try-before-you-buy--that all do great jobs.
We've chosen software in three categories: media players and burners, video software, and audio software. For working with media players, you'll find everything from Foxy Tunes (which lets you play media from within Firefox) to several superb players to Online Radio Tuner (which tunes in to Internet radio stations) to Express Burn (the best media burner you'll find anywhere).
Our video software selections include programs for saving YouTube videos to your local hard drive, for uploading YouTube videos, for editing video, for converting video to an iPod-friendly format, and for getting TV shows into your Zune.
Finally, our audio downloads offer unique tools for performing such tasks as recording music from vinyl and cassettes to your PC, and eliminating pops, hisses, and clicks.
So if you want to unlock the entertainment power of your PC, it's time to start downloading.
Tuesday, June 05, 2007
PC World's 100 Best Products of 2007
Innovative Web applications, powerful processors, spectacular HDTVs, and creative game consoles--we asked you for your favorites and added lots of our own for our annual roundup of the best hardware, software, and services. Then we looked at each product, rating and debating its design, impact, performance, and value to create our ranking of the best tech products available, from 1 to 100.
Of course, no matter when we plan our best-products story, a few hot contenders--we're looking at you, iPhone--will end up just around the corner. So this year we took time out to run down our five most anticipated products, as well as several hot and not-so-hot technologies. Read on for all that plus slide shows, video, and more.
The Number 1 Product of the Year
1. Google Apps Premier Edition
(Web applications; $50 per user per year) Google is much more than just a search engine, and with its invaluable Google Apps suite, the company is well on its way to challenging Microsoft for productivity-suite supremacy. Google's Docs & Spreadsheets (soon to be joined by a PowerPoint-esque presentation application) already makes for an interesting alternative to Microsoft Office. Combine it with Gmail, Google Talk, and Google Calendar, and suddenly nearly all of your basic productivity programs and data can be available online.
For small businesses that need more than the free versions offer, Google Apps Premier Edition adds capacity, support services, and tools for integrating existing infrastructure so that all your employees can use Google's powerful Web apps--no matter where they are. Printouts may never die, but if Google has its way, the office-less office may become a reality long before the paperless one does.