Archive for All

Future threats – Report by Trend Micro author Lance Whitney

Cloud computing and virtualization are just two technologies that cybercriminals are anxious to exploit, forecasts a report released Wednesday by security vendor Trend Micro.
The year ahead offers new opportunities for cybercrooks as they hunt for more targets and new challenges as people try to protect themselves, says Trend Micro’s 2010 Future Threat Report (PDF).
Cloud computing and virtualization can be cost effective. But since they’re beyond the confines of a company’s own firewall, they could be potentially open areas for cybercriminals to attack. October’s Sidekick data outage highlighted the vulnerabilities of the cloud, which cybercrooks are likely to abuse, according to Trend Micro.
Social networks have proved to be an appealing area for bad guys, a shift that Trend Micro thinks will increase through the use of social engineering. Cybercrooks will try to enter people’s communities and circles of friends at sites like Facebook in an attempt to steal personal information.
Malware outbreaks will shift from the global landscape to more local, targeted attacks, similar to the strategy employed by Conficker, which Trend Micro calls a “carefully orchestrated and architected attack.”
Trend Micro also believes the move toward international domain names orchestrated by ICANN will open up the playing field for more phishing attacks as crooks create look-alike domain names using the Cyrillic alphabet instead of Latin characters.
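
A defensive check for the look-alike domains described above, as an added example that is not part of the original report: it flags labels that mix Latin and Cyrillic letters, or that are all-Cyrillic but read as a protected Latin name. The look-alike table and the watch list are constructed assumptions, far smaller than the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# This is NOT the full Unicode confusables data; it is enough to show the idea.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- (Punycode) labels."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def latin_skeleton(label):
    """Map known Cyrillic look-alikes to Latin so visually equal labels compare equal."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label.lower())


def check_domain(domain, protected_labels):
    """Return a list of (label, reason) findings for one domain name.

    protected_labels is a hypothetical watch list of Latin labels to defend.
    """
    findings = []
    for raw in domain.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append((raw, "undecodable-punycode"))
            continue
        used = scripts_in(label)
        # A single label mixing both scripts is the classic spoofing signal.
        if {"LATIN", "CYRILLIC"} <= used:
            findings.append((label, "mixed-script"))
        # An all-Cyrillic label can still read exactly like a Latin name.
        if "CYRILLIC" in used and latin_skeleton(label) in protected_labels:
            findings.append((label, "lookalike-of-protected"))
    return findings


if __name__ == "__main__":
    watch = {"example", "scope"}  # constructed watch list
    samples = [                   # constructed sample domains
        "example.com",
        "ex\u0430mple.com",                      # Cyrillic "a" inside a Latin label
        "\u0455\u0441\u043e\u0440\u0435.com",    # all-Cyrillic label that reads "scope"
        "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # ordinary Cyrillic word
    ]
    for name in samples:
        print(ascii(name), check_domain(name, watch))
```

Mixed-script detection alone misses whole-script spoofs, which is why the skeleton comparison against a watch list is included as a second check.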
A few other trends for 2010 and beyond to keep us all on the alert:
  • Windows 7 will have an impact since it is less secure than Vista in the default configuration (presumably because User Access Control (UAC) in Win 7 is not set to its most restrictive level by default).
  • Drive-by infections are the norm–one Web visit is enough to get infected.
  • Malware is changing its shape–every few hours.
To protect yourself, Trend Micro dispenses the usual advice we’ve all heard before. But it bears repeating–keep your PC patched and updated, don’t click on strange e-mail attachments, make sure the online stores you shop at are secure (https vs http), and don’t use the same password for all Web sites.


Exploit published for critical IE 7 zero-day flaw

Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round of “upgrade now!” warnings from computer security experts.

The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.

Here’s the gist of the problem:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 6.

For IE users unable (or unwilling) to upgrade to IE 8, you can disable Active Scripting in the Internet and Local intranet security zones.

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future.

When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has not yet issued an advisory with mitigation guidance.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Microsoft shares a few tidbits on IE9 and (lots) more on Silverlight 4

November 18th, 2009

Posted by Mary Jo Foley @ 11:20 am


Microsoft shared some information about what’s coming in Internet Explorer 9 and Silverlight 4 during its November 18 Professional Developers Conference (PDC) keynotes.

If you want to see a real example of the difference in disclosure policies between Microsoft’s Windows unit and its Developer Division, the level of information provided by execs with each division today made that quite clear.

As expected, Microsoft Windows President Steven Sinofsky shared a few tidbits about Internet Explorer (IE) 9. Sinofsky emphasized that Microsoft will continue to play up privacy, user choice and responsible development with the next IE release. But he offered no information on when the team is planning to release a test build or the final version of the browser.

Sinofsky said during the Wednesday morning keynote that the IE team is about three weeks into the IE 9 project. (I’ve been getting tips that there already is a build of the product out there that is being used inside Microsoft, but it’s not available to external testers yet.)

Sinofsky noted that Microsoft is fully aware that it needs to keep pushing on the standards front. He noted that IE 9 is currently passing 32 of 100 Acid3 tests (compared to Firefox at more than 70 and Opera at 100). He also made it clear that Microsoft is aware it needs to continue to do work to improve JavaScript performance with IE.

Sinofsky said IE 9 will support hardware-accelerated rendering and rounded borders, but didn’t say a whole lot more about it. There are a (very) few more specifics about IE 9 on the IE Team blog today.

Scott Guthrie, Microsoft’s Corporate Vice President for .Net, had lots more to say about Silverlight 4, the next version of Microsoft’s browser plug-in that competes with Adobe Flash.

Microsoft is making a public beta of Silverlight 4 available for download today, November 18. A single, near-final Release Candidate will follow and then the final version of Silverlight 4 will be out in the first half of 2010, according to Guthrie.

Guthrie said Silverlight 4 will be a major new release of the plug-in. He said the upcoming version will incorporate nine of the ten most requested features by developers.

Guthrie itemized and demonstrated some of the new features of Silverlight 4 — which include everything from its support for webcam and microphone access, to the ability to run Silverlight inside the Google Chrome browser. Silverlight 4 also will include full support for Visual Studio 2010, native multicast support and improved printing, networking and reporting capabilities, company officials said. Silverlight Program Manager Tim Heuer has a full list of those Silverlight 4 features on his blog.

I’m interested in hearing from anyone who manages to download Silverlight 4 (servers are crawling, I hear) about what you think of the new beta of the product. Feel free to chime in in the talkbacks….

Mary Jo Foley has covered the tech industry for more than 20 years.


FAA hit with network glitch; Flight plans go manual

November 19th, 2009

Posted by Larry Dignan @ 6:32 am


Updated: The Federal Aviation Authority is looking into a networking problem that threatens to delay flights across the U.S.

FAA spokesman Les Dorr said that there’s a “problem with the telecommunications network that’s affecting automated processing system” for things like flight plans.

“Anything controllers normally have done automatically have to be done manually,” said Dorr. Indeed, the FAA has a ground stop. Atlanta is the hub that appears to be most affected, reports CBS News.

According to the FAA, the problems reside in the FAA Telecommunications Infrastructure, or FTI for short. FTI provides the voice, data, and video communications that support operations and mission support functions at more than 4,000 FAA and Department of Defense (DoD) facilities. Add it up and the network provides for more than 20,000 services such as switching and routing, network monitoring and control.

The FAA is currently investigating the problem. Dorr reiterated that the FAA can track planes with radar and have communication with pilots, but there’s an efficiency issue: You can only keep tabs on so many planes manually.

The manual process for flight plans and other essential documents is that they are emailed or faxed and then entered into the processing system.

The outage started between 5:15 a.m. and 5:30 a.m. and Dorr said it’s impossible to predict the impact on delays Thursday because it’s still early in the day.

You can track the flight delays across the country at the FAA site. Here’s the snapshot as of 9:43 a.m. EST.

Update: The FAA said it fixed the issue at 9 a.m. EST. In a statement, the FAA also shot down theories that a cyberattack was to blame. The statement in full:

At approximately 5:00 am EST a router problem disrupted a number of air traffic management services including flight plan processing. The problem was resolved at approximately 9:00 am EST. Air traffic control radar and communication with aircraft were not affected during this time and critical safety systems remained up and running.

The failure was attributed to a software configuration problem within the FAA Telecommunications Infrastructure (FTI) in Salt Lake City. As a result FAA services used primarily for traffic flow and flight planning were unavailable electronically.

The National Airspace Data Interchange Network (NADIN), which processes flight planning, was affected because it relies on the FTI services. During the outage air traffic controllers managed flight plan data manually and safely according to FAA contingency plans.

There is no indication the outage occurred as a result of a cyber attack.

System wide delays and cancellations will continue to be assessed throughout the day.

A team of FAA technical and safety experts is already investigating the outage. FAA Administrator Randy Babbitt is meeting with representatives from Harris Corporation, the company that manages the FTI, to discuss system corrections to prevent similar outages in the future.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.


AT&T launches Verizon counter-punch ad, keeps digging that hole

November 19th, 2009

Posted by Sam Diaz @ 2:30 am


AT&T may have lost the legal battle with Verizon Wireless over a marketing campaign that compares the 3G coverage of both carriers. But that doesn’t mean AT&T is going away quietly.

The company is airing a commercial of its own, which features actor Luke Wilson inside what appears to be a warehouse, standing in front of an orange magnet board with a checklist that compares AT&T and Verizon. (Techmeme)

When it comes to the fastest 3G network, AT&T wins, Wilson says. If you want to talk and surf at the same time, AT&T wins. Who has the most popular smartphones? AT&T, of course, home of the iPhone. Who provides access to more than 100,000 apps? You guessed it. Then, in the category, he asks which has a name that starts with the letter V.

I’ll give AT&T credit for making the attempt to even the playing field but – and maybe this is just me – the commercial felt sort of low-budget, like something thrown together in haste. Cheap set. Cheap props. Marketing messages in place of statistics. What is it telling me that’s new? I’ve been hearing that “Nation’s fastest 3G network” for some time now. As far as that “talk and surf” feature, I’m assuming that refers to tethering – mostly because Mr. Wilson doesn’t elaborate – but last time I heard, AT&T still wasn’t offering that for the iPhone.

Why would this commercial lure a potential customer to AT&T or convince an existing customer to stick around? There’s no fine print or footnotes about what sort of data these claims are based upon. No statistics. No independent analysis. There is a disclosure about 3G coverage not being available in all areas and some details about service plans, rebates and such.

There’s also a URL for a new Web site, called TruthAbout3G.com. But the site is nothing more than a place for cutesy marketing messages and some links to AT&T products and services. No statistics or hard data to be found.

It’s fun. But am I supposed to take it seriously? From where I sit, Verizon launched a marketing campaign based on factual information (which AT&T didn’t dispute) and AT&T counters with… well, this. (see YouTube clip below.) If I’m a consumer (and I am), then this 30-second clip doesn’t offer the factual information that I need to be an informed customer.

What’s unfortunate is that this doesn’t help the company’s image – not by any stretch. In fact, you may recall that hole that AT&T was digging itself into. It appears the shovel has been handed from the legal department to the marketing department.

And it appears to be getting deeper.

Sam Diaz is a senior editor at ZDNet.


Microsoft finds security hole in Google Chrome Frame

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher at Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.


  • Severity: High. An attacker could have bypassed cross-origin protections. Although important, “High” severity issues do not permit persistent malware to infect a user’s machine. We’re unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

  • Network requests fail randomly (Issue 27401).
  • Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result (Issues 22738, 23057, and 23132).
  • Don’t use Google Chrome Frame for frames or iframes (Issue 22989).
  • Follow redirects properly (Issue 25643).
  • IE8 freezing intermittently (Issue 24007).
  • Remove data directories on uninstall (Issue 27483).

“All users should be updated automatically,” said Mark Larson, a member of the Google Chrome team.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Firefox hit by multiple drive-by download flaws!!!

Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. by Ryan Naraine


Microsoft: Human error caused critical SMB2 vulnerability

Microsoft is blaming human error for the critical SMB v2 vulnerability that exposed Windows users to remote code execution attacks and argues that it’s near impossible to catch these types of bugs with existing code review tools and techniques.

According to a post-mortem of the issue by Redmond security guru Michael Howard, the company detected the vulnerable code “very late” in the Windows 7 development process but argued that there are no static analysis tools or SDL requirements that would spot this type of human error.

“Right now there is no static analysis tool I know of that would point out the developer used the wrong variable, and our analysis tools didn’t spot the potential array bounds problem in part because it’s hard to do so with generate a very large quantity of false positives,” Howard said.

“There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing. In fact we did find it very late in the Windows 7 development process through network fuzzing and that is why post-RC versions of Windows 7 do not have this bug,” he added.

Howard did not explain why the fix was not back-ported to Windows Vista and other vulnerable versions until it was independently discovered and released by external security researchers.


He said the only other technique that could find this type of vulnerability — an incorrect variable in an array reference — is the process of “very slow and painstaking code review.”

This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all.

Howard said the types of vulnerabilities surfacing in Windows OS code today show that the mandatory SDL has “whittled away most of the ‘low-hanging’ bugs.”

Of course, I might be proven wrong, but looking at all the bugs over the last year in Windows, the only pattern I can spot is there is no pattern! The majority of the bugs I see in Windows are one-off bugs that can’t be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing. But fuzz testing is hardly perfect, because the malformed data might not hit the vulnerable code path or trigger a failure in the code.

He called on software developers to spend more time on defenses against unknown vulnerabilities, as well as trying to prevent or remove vulnerabilities.

See: MS09-050, SMBv2 and the SDL, by Michael Howard.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Blue Water Project

From the National Center for Supercomputing Applications (NCSA)

Blue Waters is expected to be the most powerful supercomputer in the world for open scientific research when it comes online in 2011. It will be the first system of its kind to sustain one petaflop performance on a range of science and engineering applications. The project also includes intense collaboration with dozens of teams in the development of science and engineering applications, system software, interactions with business and industry, and educational programs. This comprehensive approach will ensure that scientists and engineers across the country will be able to use Blue Waters to its fullest potential.

Scientists will create breakthroughs in nearly all fields of science using Blue Waters. They will predict the behavior of complex biological systems, understand how the cosmos evolved after the Big Bang, design new materials at the atomic level, predict the behavior of hurricanes and tornadoes, and simulate complex engineered systems like the power distribution system and airplanes and automobiles.

Blue Waters is a joint effort of the University of Illinois at Urbana-Champaign, its National Center for Supercomputing Applications, IBM, and the Great Lakes Consortium for Petascale Computation. It is supported by the National Science Foundation and the University of Illinois.

Blue Waters will be based on POWER7 hardware from IBM—makers of more than one-third of the world’s 500 fastest computers and almost all of the 40 most “green” supercomputers. It will be the first of a powerful new system design from IBM. The design includes extensive research and development in new chip technology, interconnect technology, operating systems, compiler, and programming environments.

Substantial investments will be made by the Blue Waters partnership to enhance the scalability and performance of existing science and engineering applications and to develop new applications that take full advantage of the extraordinary capabilities that Blue Waters will provide. The partnership is developing an enhanced version of IBM’s high-performance computing environment to ensure that applications achieve high sustained performance. The enhanced environment will increase the productivity of application developers, system administrators, and researchers by providing an integrated toolset to use Blue Waters and analyze and control its behavior.

The Blue Waters project also includes a far-reaching educational and workforce development program. It will impact students from K-12 through postgraduate education, reaching out to geographical areas and communities that have been historically underrepresented in supercomputing. At the undergraduate level, the program will educate the next generation of graduate students, K-12 teachers, future technical staff, and the informed public. At the graduate and postgraduate levels, the program will educate and train the next generation of researchers.

An expanded industrial partner program is an integral part of the Blue Waters project. Members of the Great Lakes Consortium for Petascale Computation will work with their business and industry partners to introduce them to the world of petascale computing, giving industrial outreach a truly national scale.
