Security

Microsoft Releases Emergency Critical Patch

Hot Off The Net – Oct. 23, 2008 2:18PM EDT

Microsoft issued an emergency critical update today addressing a malicious Internet worm that could allow attackers to infiltrate systems remotely and take control over users’ computers without any user interaction.

The critical update is one of a handful of patches released out of sequence in the past few years. Microsoft issues regularly scheduled updates on the second Tuesday of every month, which has become known in IT circles as “Patch Tuesday.”

The fact that Microsoft has released what’s known as an “out-of-band” patch indicates the vulnerability is pretty severe.

The vulnerability, which affects almost every Windows operating system, is rated critical for multiple versions of Windows 2000, XP and Server 2003, but is given the less severe rating of “important” for Vista and Server 2008.

The error, if left unpatched, allows remote attackers to infiltrate systems in order to take control of users’ computers and steal data without any user interaction or social engineering lures. What makes this bug particularly nasty for business networks is that it has the ability to rapidly spread to other vulnerable computers within the network.

Security experts confirm that an exploit is loose in the wild, meaning that there is evidence that an attacker has already used the exploit code to conduct attacks on unsuspecting users. Microsoft also suspects that the code has been used in targeted attacks.

While Microsoft has provided possible workarounds for the vulnerability, users are advised to simply apply the patch as soon as possible. Normally we like to test these updates because you don’t want to break anything with the patch, but with a critical patch such as this, it’s best to just get it installed.

Security updates are available on the Microsoft Update, Windows Update and Office Update sections of the Microsoft Download Center.

As additional information becomes available, I’ll update this post.

FIREFOX v3 RC1 now available

Mozilla Corp., of Mountain View, California, has released Version 3 of their very popular Firefox browser. This update is more secure, easier to use and more personal. Among Firefox 3’s new security features is one-click access to site info to allow users to quickly see information on who owns a given Web site and whether the connection is protected from eavesdropping.

What’s New in Firefox 3
Firefox 3 is based on the Gecko 1.9 Web rendering platform, which has been under development for the past 33 months. Building on the previous release, Gecko 1.9 has more than 14,000 updates including some major re-architecting to provide improved performance, stability, rendering correctness, and code simplification and sustainability. Firefox 3 has been built on top of this new platform resulting in a more secure, easier to use, more personal product with a lot more to offer website and Firefox add-on developers.

More Secure
• One-click site info: Click the site favicon in the location bar to see who owns the site and to check if your connection is protected from eavesdropping. Identity verification is prominently displayed and easier to understand. When a site uses Extended Validation (EV) SSL certificates, the site favicon button will turn green and show the name of the company you’re connected to.

• Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware.

• New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown.

• New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.

• Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.

• Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.

• Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

• Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.

• Effective top-level domain (eTLD) service better restricts cookies and other restricted content to a single domain.

• Better protection against cross-site JSON data leaks.

Easier to Use
• Easier password management: an information bar replaces the old password dialog so you can now save passwords after a successful login.

• Simplified add-on installation: the add-ons whitelist has been removed making it possible to install extensions from third-party sites in fewer clicks.

• New Download Manager: the revised download manager makes it much easier to locate downloaded files, and you can see and search on the name of the website where a file came from. Your active downloads and time remaining are always shown in the status bar as your files download.

• Resumable downloading: users can now resume downloads after restarting the browser or resetting your network connection.

• Full page zoom: from the View menu and via keyboard shortcuts, the new zooming feature lets you zoom in and out of entire pages, scaling the layout, text and images, or optionally only the text size. Your settings will be remembered whenever you return to the site.

• Podcasts and Videocasts can be associated with your media playback tools.

• Tab scrolling and quickmenu: tabs are easier to locate with the new tab scrolling and tab quickmenu.

• Save what you were doing: Firefox will prompt users to save tabs on exit.

• Optimized Open in Tabs behavior: opening a folder of bookmarks in tabs now appends the new tabs rather than overwriting.

• Location and Search bar size can now be customized with a simple resizer item.

• Text selection improvements: multiple text selections can be made with Ctrl/Cmd; double-click drag selects in “word-by-word” mode; triple-clicking selects a paragraph.

• Find toolbar: the Find toolbar now opens with the current selection.

• Plugin management: users can disable individual plugins in the Add-on Manager.

• Integration with Windows: Firefox now has improved Windows icons, and uses native user interface widgets in the browser and in web forms.

• Integration with the Mac: the new Firefox theme makes toolbars, icons, and other user interface elements look like a native OS X application. Firefox also uses OS X widgets and supports Growl for notifications of completed downloads and available updates. A combined back and forward control make it even easier to move between web pages.

• Integration with Linux: Firefox’s default icons, buttons, and menu styles now use the native GTK theme.

More Personal
• Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them.

• Tags: associate keywords with your bookmarks to sort them by topic.

• Location bar & auto-complete: type in all or part of the title, tag or address of a page to see a list of matches from your history and bookmarks; a new display makes it easier to scan through the matching results and find that page you’re looking for. Results are returned according to their frecency (a combination of frequency and recency of visits to that page) ensuring that you’re seeing the most relevant matches. An adaptive learning algorithm further tunes the results to your patterns!

• Smart Bookmarks Folder: quickly access your recently bookmarked and tagged pages, as well as your more frequently visited pages with the new smart bookmarks folder on your bookmark toolbar.

• Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches. Create and restore full backups whenever you want.

• Web-based protocol handlers: web applications, such as your favorite webmail provider, can now be used instead of desktop applications for handling mailto: links from other sites. Similar support is available for other protocols (Web applications will have to first enable this by registering as handlers with Firefox).

• Download & Install Add-ons: the Add-ons Manager (Tools > Add-ons) can now be used to download and install a Firefox customization from the thousands of Add-ons available from our community add-ons website. When you first open the Add-ons Manager, a list of recommended Add-ons is shown.

• Easy to use Download Actions: a new Applications preferences pane provides a better UI for configuring handlers for various file types and protocol schemes.

Improved Platform for Developers
• New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provide rendering improvements in CSS and SVG, as well as improved display of fonts with ligatures and complex scripts.

• Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.) Firefox can now adjust images with embedded color profiles.

• Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users).

• A more complete overview of Firefox 3 for developers is available for website and add-on developers.

Improved Performance
• Speed: improvements to our JavaScript engine as well as profile guided optimizations have resulted in continued improvements in performance. Compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3, and the popular SunSpider test from Apple shows improvements over previous releases.

• Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned.

• Reliability: A user’s bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes.

The only caveat affecting Microsoft Windows users thus far:
• A Windows Media Player (WMP) plugin is not provided with Windows Vista and some other versions of Windows. To view Windows Media content, you must install this plugin by following these instructions. After installing you may need to check for Windows Updates before the plugin will show content properly.

Windows Operating Systems
Windows 2000
Windows XP
Windows Server 2003
Windows Vista

Minimum Hardware
Pentium 233 MHz (Recommended: Pentium 500 MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater)
52 MB hard drive space

Mac Operating Systems
Mac OS X 10.4 and later 

Minimum Hardware
Macintosh computer with an Intel x86 or PowerPC G3, G4, or G5 processor
128 MB RAM (Recommended: 256 MB RAM or greater)
200 MB hard drive space 

Linux Software Requirements
Please note that Linux distributors may provide packages for your distribution which have different requirements.

Linux kernel – 2.2.14 or higher with the following libraries or packages:
glibc 2.3.2 or higher
XFree86-3.3.6 or higher
gtk+2.0 or higher
fontconfig (also known as xft)
libstdc++5

Minimum Hardware
Intel Pentium II or AMD K6-III+ 233 MHz CPU (Recommended: 500 MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater)
52 MB hard drive space

User Names and Passwords: How to Manage the Keys to the Kingdom

With all the sites that require sign-in passwords — and all the havoc that could be visited upon your life should some thief crack them — effective account access management is a top job for the savvy computer user.

Naturally, you should avoid the obvious choices when setting a password. However, you should also never be obvious when setting up that password reminder failsafe device that asks you for Mom’s maiden name.

Creating and remembering strong passwords — like backing up the important files on our computers — is something many of us know we should do, but never get around to.

Who can blame you? Having to come up with user names and passwords for virtually everything we do on a computer is enough to tempt anyone to use “Magic123” over and over. I’ve even witnessed people who keep lists of passwords taped to their computer screens.

With a little time and some discipline, you can create strong passwords and do a better job managing them. Of course, no matter how many precautions you take, no password is ever 100 percent secure. By the same token, you don’t have to follow all the advice in this column to avoid password theft.

Be Obscure, Be Weird
By now, most people know that you shouldn’t use personal information such as your name, birth date or address in a password. It’s also not a good idea to use something obvious such as “1234” or “password.” Passwords should be at least seven or eight characters in length. The longer the password, the stronger it is.

Next, choose a password that would appear as nothing more than a random list of characters to someone else. Use both uppercase and lowercase letters and, if possible, use punctuation marks from all over the keyboard.

One technique is to take a phrase that means something to you or a line from a favorite song and create a password by taking the first letter of each word of that phrase or line. Make sure to add in some symbols. For instance, you could replace an “a” with “@” but use this technique sparingly in your password.

Although you should never use the same password to secure highly sensitive information on more than one site, it’s probably OK to use the same password for low-risk areas, such as news or sports Web sites.

Get Creative
You should never give out real information in the password helper sections. So for your mother’s maiden name, make up a name you can remember. Use your favorite vacation spot instead of your place of birth. Substitute the name of a pet from a TV show or movie for your real pet.

This may seem a little extreme, but if an online vendor that’s storing your personal information gets compromised, then hackers could use that personal information to piece together details about you and access your account on another site.

Into the Vault
However, since most people need passwords to secure lots of important information, remembering more than one or two long passwords is difficult. That’s where password managers come in. These programs typically are encrypted and act as a vault to store all of your user names and passwords. You only need to remember one master password to open them up.

There are also lots of downloadable password managers, such as KeePass Password Safe, RoboForm and PassKeeper. I’ve personally tested and use KeePass, which is free and Open Source, and found it to be easy to install and use. Once you’ve set up the program, you create a database for your passwords. KeePass lets you organize passwords into groups, and it can generate secure passwords for you. Once the passwords are set, you can copy and paste them into Web sites or drag and drop them.

I’ve been told that RoboForm is also good but the problem I have with this program is I’ve found it installed by hackers on systems that have been hacked. Call me skeptical… but I’m not too comfortable using a password manager that hackers like to use in their sneaky little ways.

If you are the only one using your computer, you can have your Web browser automatically remember them for you. However, this shouldn’t be the only place you store passwords, because when data from your browser is cleared (or if your computer dies), your passwords will vanish.

You can also download and install KeePass on portable media, such as a USB (Universal Serial Bus) flash drive, so you can have access to your passwords when using another computer. Make sure to copy your KeePass database from your computer to the USB drive. With KeePass Portable, I can quickly access all my regular websites from my office computer, my home computer or any public system I have access to.

KeePass Password Safe Portable
http://portableapps.com/apps/utilities/keepass_portable
http://keepass.com

RoboForm Password manager
http://www.roboform.com/php/land.php?affid=gocg0&utm_source=google&utm_medium=ppc-content&utm_campaign=roboform

Password Safe
http://passwordsafe.sourceforge.net/

PassKeeper
http://www.passkeeper.com/

Lastly, if you’ve run out of good passwords try this FREE password generator – you choose the number of characters (remember 8 should be the minimum), what characters to use in the password and how many different passwords you would like generated. We’ve used this tool on a number of occasions when we wanted to assign a really secure password for someone.
http://www.pctools.com/guides/password/
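
As an added example (not code from the tool linked above or from this article), here is a small generator offering the same three choices described here: password length, which character classes to use, and how many passwords to produce. The function names and the symbol set are assumptions made for illustration; randomness comes from Python's `secrets` module, which draws on the operating system's cryptographic random source.

```python
import secrets

MIN_LENGTH = 8  # the minimum length this article recommends

# Character classes the caller can switch on or off.
# The symbol set is an assumption; adjust it to what a given site accepts.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}

ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=12, classes=ALL_CLASSES):
    """Return one random password of `length` characters.

    Every selected class is guaranteed to appear at least once, so the
    result satisfies typical "must contain a digit and a symbol" rules.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)

    selected = list(dict.fromkeys(classes))  # drop duplicates, keep order
    if not selected:
        raise ValueError("select at least one character class")
    unknown = [name for name in selected if name not in CLASSES]
    if unknown:
        raise ValueError("unknown character class: %s" % ", ".join(unknown))

    # One guaranteed character from each selected class ...
    chars = [secrets.choice(CLASSES[name]) for name in selected]

    # ... then fill the rest from the combined pool.
    pool = "".join(CLASSES[name] for name in selected)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]

    # Shuffle with a CSPRNG so the guaranteed characters are not always
    # in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_passwords(count, length=12, classes=ALL_CLASSES):
    """Return `count` independently generated passwords."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return [generate_password(length, classes) for _ in range(count)]


if __name__ == "__main__":
    for pw in generate_passwords(3, length=16):
        print(pw)
```

Store the output in a password manager rather than trying to memorize it.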

Windows XP SP3 indicates Microsoft will continue to focus on security.

Some three and a half years from the general release of Windows XP Service Pack 2, and with the support of corporate IT managers waning, Microsoft is preparing to release an update to its seven-year-old desktop operating system. However, Microsoft has said that Service Pack 3 will once again focus on security, and so those expecting to see features from Windows Vista will be sorely disappointed. Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system, and is designed to improve overall system performance and stability.

For IT departments, Windows XP SP3 signals a new baseline for standard operating environments (SOE), and so organizations are being encouraged to assess the suitability of this major update by downloading the code from Microsoft’s Technet website. Although not visible to the end user, SP3 does include some functionality updates. These are, however, consigned to updates such as Microsoft Management Console (MMC 3.0), Microsoft’s XML parser (MSXML6), and the Microsoft Windows Installer. In terms of useful networking and security updates, SP3 includes support for Wi-Fi Protected Access 2 (WPA2) and Network Access Protection (NAP) – one feature that has found its way from Windows Vista. However, interestingly, SP3 does not impose Internet Explorer 7 upon organizations and their users. Instead, SP3 will patch whichever version of Internet Explorer it finds on the target system, for example IE6 or IE7.

Although Windows Vista Service Pack 1 (SP1) has already been released to manufacturing, Butler Group has seen little interest in Microsoft’s latest Windows desktop operating system, and so predicts that, for the most part, Windows Vista SP1 will remain something of an irrelevancy for most IT managers and their organizations.

One issue worth considering is the supposed shelf-life of Windows XP. With System Builder licenses available only until the end of January 2009 (June 2008 for the retail channel), and with demand for Windows Vista in the enterprise extremely weak, Microsoft is coming under increasing pressure to re-think its Windows lifecycle policy. Indeed, InfoWorld is asking users to register their objections to this forced migration by signing its ‘Help Save XP’ petition.

We spoke of this in an earlier report and the site is still getting plenty of action. InfoWorld, a popular website for IT professionals, has the following to say on the matter: “Microsoft plans to end most sales of Windows XP on June 30, despite a deep reluctance by many business and individuals about moving to Vista. InfoWorld believes such an expensive, time-consuming shift with problematic benefits should not be forced on Windows users, so we have decided to rally XP users to demand that XP be kept available.”

With Windows Vista a year in the market and Windows XP a year or so away from its supposed retirement, Microsoft is in danger of letting its Windows lifecycle policy get out of sync with reality. In the meantime, however, Windows XP SP3 provides Microsoft with yet another opportunity to address real and significant security concerns, and so the company would do well to promote Windows XP SP3 over Windows Vista SP1. However, whether or not the company will adopt this policy remains to be seen.

In related news: Microsoft is lowering the price of consumer versions of Windows Vista. Microsoft’s plans to lower prices on consumer versions of Windows Vista are a clear indication that Vista has not had the expected uptake in the home market. While the company is keen to point out that retail sales are only a small part of total Windows-based revenue, there has always been a correlation between home and business users, which suggests business uptake is similarly disappointing.

For the full story:
http://www.cbronline.com/article_feature.asp?guid=CB9DDCAE-49CE-4131-B594-B0F91EB98EA1

Some Digital Photo Frames Sold at Best Buy During Holidays Found To Contain A Virus!


Do you have one of these cool little gadgets on your desk?

If you bought a 10.4-inch Insignia-branded photo frame with model number NS-DPF-10A from Best Buy during the holidays, then beware: The device may come with a virus that can infect Windows-based computers.

Best Buy has taken all the remaining Insignia-branded frames off its store shelves and has discontinued producing them. According to the Insignia Web site, “this is an older virus which is easily identified and removed by current anti-virus software.”

The company is also providing telephone support for any consumers concerned they have one of the infected frames at 1-877-467-4289. (Note: Insignia is a brand name created and owned by Best Buy to create several lines of consumer electronics products for distribution through its stores. This is similar to store brands of other types that consumers typically see in everything from grocery stores to auto parts dealers.)

This isn’t the first time a consumer electronics product comes installed with a little something extra that the consumer wasn’t counting on. GPS maker TomTom found out the hard way in late 2006 that a batch of its GO 910 units were infected at the factory level with a virus. And even the beloved iPod hasn’t been immune, with an incident also in late 2006 where a collection of its 5.5-gigabyte MP3 players sprung up with a virus that was inserted at the manufacturing point. (That virus only infected Windows machines, as well.)

How does this happen? Typically, it’s not the work of some nefarious factory employee who wants to sabotage a product line. Instead, the people who work at these manufacturing points are just as susceptible as the rest of us to mistakenly downloading a virus onto their work computers. This virus then replicates itself and ultimately makes its way onto one of the computers that is tasked with setting up the consumer electronics products destined for store shelves.

Both Apple and TomTom stated at the time that they were reviewing their manufacturing processes to prevent this from happening again and issued warnings and advice to consumers, just as Best Buy and Insignia are doing now.

Best Buy has not issued a recall of the photo frames. Since the flaw is (apparently) easy to correct, we don’t think a panic is forthcoming — or necessary – but… let’s see what happens.

Insignia’s Second Notice To Consumers:
http://www.insignia-products.com/news.aspx?showarticle=14

Computer World Article:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058638

How Companies Can Use Your Personal Data Against You

January 15th, 2008

When you’re stacking up grocery items at the checkout line, you’re probably not worried about whether your supermarket chain is compiling a profile of you based on what you buy, and storing that information for its own use. After all, who cares if you buy one brand of tissues over another, or favor name-brand microwave pizzas over store brands?

Supermarket chains care. So does CVS. So much so that they use discount cards (referred to as “membership” or “loyalty” cards) to offer you what seem like great bargains. They use the cards to keep tabs on what you purchase, how often you shop, and what your buying preferences are.

With private companies collecting your personal data like never before, why be concerned? Because the information can hurt you. For instance…

Loyalty Cards
Supermarkets and pharmacies offer discounts when you sign up for their loyalty cards. But every time you swipe your card, your purchases are recorded for marketing purposes. Stop and Shop now features “Shopping Buddy” which will soon identify you by your loyalty card, present you with a list of items you’ve purchased in the past and even make recommendations for items you might like based on previous purchases. Sounds like it might be a good thing??? Perhaps not.

The Problem
These buying records are now being sold to life and health insurance companies, who use them to evaluate your rates based on your food and non-prescription drug purchases. You may be buying stuff for a friend or relative, but the database still logs you as the end user. Do you really want your HMO to know your shopping habits?

Self-Defense
If possible, avoid giving your full name when you sign up for a card. Many stores let you sign up anonymously as “Store Customer”. If the person attempting to sign you up says you can’t do that, ask to speak to the manager. In many cases these folks are being paid by the number of new customers they sign up. If you can’t sign up anonymously perhaps it would be best to refuse the loyalty card altogether.

Lastly – if you’re concerned – ask for a copy of their Privacy Policy. I searched Stop and Shop’s website in vain, never finding their policy, but CVS.com has a link to theirs from almost every page. Remember, once your personal data has been collected, it has a nasty habit of never going away.

Another take on loyalty cards:
http://nymag.com/news/intelligencer/16389/

In researching this piece, I was asked to report on the E-Z Pass system and the rumors surrounding it. Rumor has it that the E-Z Pass system is tracking how fast you travel between tolls in order to issue speeding tickets.

E-Z Pass was created to help speed traffic flow and decrease congestion at toll booths. The rumor mill is reporting that several states use this technology to issue speeding tickets – if you travel too quickly between tolls on the highway! In effect, you can get a speeding ticket even if you don’t get caught speeding. What’s more, E-Z Pass records have been turned over to law enforcement to track people’s whereabouts and have been subpoenaed in civil lawsuits, including divorces.

Debunking the myth
Although there are many articles and resources talking about this, let’s look at it logically.

Speeding tickets NOT issued by a police officer who actually saw you violating a law are worthless. There have been many attempts to set up systems to monitor speeding vehicles, record the license plate and issue a ticket, but the main problem is that an individual’s driver’s license is personal and there is no way to detect who the actual driver is in order to give the ticket. It’s not like a parking ticket that just goes against whoever owns the car.

The system that E-Z Pass is putting into place is strictly for safety purposes at this time. If anyone ever gets one of these so-called speeding tickets, you can take it to court and plead not guilty. The ticket will be thrown out simply because there is no issuing officer to represent the letter of the law.

Washington Post sticks by RIAA story despite evidence it goofed…


Well, it’s late on Monday evening and the Washington Post has yet to correct a story that accused the recording industry of trying to paint law-abiding music fans as criminals.

Marc Fisher, a Post columnist, wrote on Sunday that the Recording Industry Association of America (RIAA) asserted in a legal brief that anyone who copies music from a CD onto their computer is a thief.

The document, filed last month, was part of the RIAA’s copyright suit against Jeffrey Howell, an Arizona resident accused of illegal file sharing.

Quoting from the brief, Fisher wrote that the RIAA had argued that MP3 files created from legally bought CDs are “unauthorized copies” and violate the law. If it were true, the move would represent a major shift in strategy by the RIAA, which typically hasn’t challenged an individual’s right to copy CDs for personal use.

The problem with Fisher’s story is that nowhere in the RIAA’s brief does the group call someone a criminal for simply copying music to a computer. Throughout the 21-page brief, the recording industry defines what it considers to be illegal behavior and it boils down to this: creating digital recordings from CDs and then uploading them to file-sharing networks.

A sentence on page 15 of the brief clearly spells out the RIAA’s position: “Once (Howell) converted plaintiff’s recording into the compressed MP3 format and they are in his shared folder, they are no longer the authorized copies distributed by Plaintiff.”

The key words there are “shared folder” and it’s an important distinction. It means that before the RIAA considers someone a criminal, a person has to at least appear to be distributing music.

The Post story, which followed similar pieces in Ars Technica and Wired.com, has spurred scores of other media outlets to repeat the paper’s erroneous assertion. Ironically, even typically anti-RIAA blogs, such as Engadget, Gizmodo and TechDirt have jumped in on the side of the RIAA.

“The Washington Post story is wrong,” said Jonathan Lamy, an RIAA spokesman. “As numerous commentators have since discovered after taking the time to read our brief, the record companies did not allege that ripping a lawfully acquired CD to a computer or transferring a copy to an MP3 player is infringement. This case is about the illegal distribution of copyrighted songs on a peer-to-peer network, not making copies of legally acquired music for personal use.”

After reading Lamy’s statement, Fisher didn’t back down. He responded in an e-mail to CNET News.com: “The bottom line is that there is a disconnect between RIAA’s publicly stated policy that making a personal copy of a CD is ok and the theory advanced by its lawyers that in fact, transferring music to your computer is an unauthorized act.”

He took one more shot before signing off: “Rather than suing its customers and slamming reporters, the RIAA might better spend its energies focusing on winning back the trust of an alienated consumer base.”

Still, Fisher received little support from respected and independent copyright experts. William Patry, the copyright guru at Google–not exactly known as a lackey for copyright holders–wrote on his blog that the RIAA is being “unfairly maligned” in the Post story.

Patry does, however, caution that recent statements made by the RIAA and included in Fisher’s story reflect the group’s growing tendency to use language as a means of control.

Fisher quoted Sony BMG’s chief of litigation, Jennifer Pariser, who testified recently in court that “when an individual makes a copy of a song for himself, I suppose we can say he stole a song.”

Patry disagreed.
“This new rhetoric of ‘everything anyone does without (RIAA) permission is stealing’ is well worth noting and well worth challenging at every occasion,” Patry wrote. “It is the rhetoric of copyright as an ancient property right, permitting copyright owners to control all uses as a natural right; the converse is that everyone else is an immoral thief.”

Washington Post Article
http://www.washingtonpost.com/wp-dyn/content/article/2007/12/28/AR2007122800693_pf.html

See the legal brief here:
http://www.ilrweb.com/viewILRPDF.asp?filename=atlantic_howell_071207RIAASupplementalBrief

For Millions of Windows PC's, the Perfect Storm is Gathering

November 27th, 2007


A spectre is haunting the net but, outside of techie circles, nobody seems to be talking about it. The threat it represents to our security and wellbeing may be less dramatic than anything posed by global terrorism, but it has the potential to wreak much more havoc. And so far, nobody has come up with a good idea on how to counter it.

It’s called the Storm worm. It first appeared at the beginning of the year, hidden in email attachments with the subject line: ‘230 dead as storm batters Europe’. The PC of anyone who opened the attachment became infected and was secretly enrolled in an ever-growing network of compromised machines called a ‘botnet’. The term ‘bot’ is a derivation of ‘software robot’, which is another way of saying that an infected machine effectively becomes the obedient slave of its – illicit – owner. If your PC is compromised in this way then, while you may own the machine, someone else controls it. And they can use it to send spam, to participate in distributed denial-of-service attacks on banks, e-commerce or government websites, or for other ‘even more sinister’ purposes.

Storm has been spreading steadily since last January, gradually constructing a huge botnet. It affects only computers running Microsoft Windows, but that means that more than 90 per cent of the world’s PCs are vulnerable. Nobody knows how big the Storm botnet has become, but reputable security professionals cite estimates of between one million and 50 million computers worldwide.

To date, the botnet has been used only intermittently, which is disquieting: what it means is that someone, somewhere, is quietly building a doomsday machine that can be rented out to the highest bidder, or used for purposes that we cannot yet predict.

Of course, computer worms are an old story, which may explain why the mainstream media has paid relatively little attention to what’s been happening.

Old-style worms – the ones with names like Sasser, Slammer and Nimda – were written by vandals or hackers and designed to spread as quickly as possible. Slammer, for example, infected 75,000 computers in 10 minutes, and therefore attracted a lot of attention. The vigour of the onslaught made it easier for anti-virus firms to detect the attack and come up with countermeasures. In that sense, old-style worms were like measles – an infectious disease that shows immediate symptoms.

Storm is different. It spreads quietly, without drawing attention to itself. Symptoms don’t appear immediately, and an infected computer can lie dormant for a long time. ‘If it were a disease,’ says one expert, Bruce Schneier, ‘it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will come back years later and eat your brain.’

Schneier thinks Storm represents ‘the future of malware’ because of the technical virtuosity of its design. For example, it works rather like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are command-and-control servers; the rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack because even if those hosts shut down, the network remains largely intact and other hosts can take over their duties.

More fiendishly, Storm doesn’t have any noticeable performance impact on its hosts. Like a parasite, it needs the host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.

And instead of having all hosts communicate with a central server or set of servers, Storm uses a peer-to-peer networking protocol for its command-and-control servers. This makes the botnet much harder to disable because there’s no centralised control point to be identified and shut down.
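The resilience argument above can be checked with a small graph model. This is an added example, not part of the original article, and it models no real botnet protocol: the hub-and-spoke layout, the ring-lattice peer overlay and every function name are assumptions chosen for illustration. It removes the same number of best-connected hosts from each layout and reports how much of the surviving network can still relay messages.

```python
from collections import deque

def centralized(n_bots, n_servers):
    """Hub-and-spoke: ids 0..n_servers-1 are servers, each bot talks to one."""
    adj = {i: set() for i in range(n_servers + n_bots)}
    for bot in range(n_servers, n_servers + n_bots):
        server = bot % n_servers
        adj[bot].add(server)
        adj[server].add(bot)
    return adj

def peer_to_peer(n_nodes, k):
    """Assumed overlay: a ring lattice where each node links to its k successors."""
    adj = {i: set() for i in range(n_nodes)}
    for i in range(n_nodes):
        for step in range(1, k + 1):
            j = (i + step) % n_nodes
            adj[i].add(j)
            adj[j].add(i)
    return adj

def take_down(adj, count):
    """Remove the `count` best-connected hosts, as a defender would target them."""
    gone = set(sorted(adj, key=lambda n: (-len(adj[n]), n))[:count])
    return {n: peers - gone for n, peers in adj.items() if n not in gone}

def largest_component_fraction(adj):
    """Share of surviving hosts in the biggest group that can still reach each other."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for peer in adj[node] - seen:
                seen.add(peer)
                queue.append(peer)
        best = max(best, size)
    return best / len(adj) if adj else 0.0

def compare(n=1000, servers=3, k=4):
    """Return (centralized, peer-to-peer) connectivity after removing `servers` hosts."""
    hub = largest_component_fraction(take_down(centralized(n, servers), servers))
    p2p = largest_component_fraction(take_down(peer_to_peer(n, k), servers))
    return hub, p2p
```

With the defaults, `compare()` shows the centralized network collapsing into isolated hosts once its three servers are gone, while the peer-to-peer overlay stays fully connected after losing three nodes.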

It gets worse. Storm’s delivery mechanism changes regularly. It began as PDF spam, then morphed into e-cards and YouTube invites. It then started posting blog-comment spam, again trying to trick viewers into clicking infected links. Similarly, the Storm email changes all the time, with new, topical subject lines and text. And last month Storm began attacking anti-spam sites focused on identifying it. It has also attacked the personal website of a malware expert who published an analysis of how it worked.

At the moment, nobody knows who’s behind this. Is it a Russian mafia operation? An al-Qaeda scheme? The really creepy thing is that, to date, the controllers of Storm have used it for such relatively trivial purposes. The suspicion is that they are biding their time, waiting for the moment when, say, 100 million naive Windows users have clicked on an infected link and unwittingly added their machines to the botnet. Only then will we know what a perfect storm in cyberspace is like.

Check the links below to read up on the Storm worm.

How Bad Is The Storm Worm?

The Storm Worm

About The Storm Worm

Snopes is our favorite site for verifying and/or debunking internet & email gossip

Storm Worm Rages Across The Globe

Storm Worm Adds Millions Of Computers To Botnet

Brits are always on Candid Camera

October 23, 2007

“There was, of course, no way of knowing whether you were being watched at any given moment…. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and except in darkness, every movement scrutinized.” –George Orwell, 1984

It used to be that troublemakers could lounge on the planters outside the McDonald’s there and pick apart the geraniums to their hearts’ content. A hamburger server or customer could complain, but these days, Big Brother does the job. The closed-circuit television camera lurking down the street from the fast-food restaurant bellows menacingly at the first sign of danger to the flora, or a cast-off cigarette butt or fast-food wrapper. “Pick it up,” commands a booming voice from . . . where, exactly?

The closed-circuit cameras in Gloucester and several other British towns now come equipped with speakers, meaning Big Brother is not only watching, he’s telling you what to do.

“When people hear that, they tend to react. They pick up the litter and put it in the bin,” said Mick Matthews, assistant chief police constable in this old cathedral city of 110,000 in the rolling Cotswold Hills.

For all the increased antiterrorism security measures in the United States, there is probably no society on Earth more watched than Britain. By some estimates, 4.2 million closed-circuit cameras, or one for every 14 people, quietly, and sometimes not so quietly, monitor the comings and goings of almost everyone – an average person is caught on camera up to 300 times a day.

Thanks in part to Britain’s history of terrorist attacks by the Irish Republican Army, some early, high-profile law enforcement successes helped imprint the potential benefits of closed-circuit television on the popular imagination.

With more than $200 million in funding since 1999, closed-circuit cameras were a fixture in British cities long before terrorist attacks began prompting other governments to step up surveillance of their populations.

Cameras are fixed on lampposts and on street corners, above sidewalks, in subways, on buses, in taxis, in stores, over the parking lots, in mobile police vans, and in some cities, even perched in the hats of police officers walking their beats.

Surprisingly clear images of Britons engaged in apparently nefarious activities have become a staple on the evening news there; few of the country’s many terrorism trials unfold without the jury being presented with multiple images of the defendants carrying alleged backpack bombs or driving up to a storehouse of explosives.

Pub patrons in one town last year had their fingerprints scanned as they walked in (bringing up their criminal records on a computer screen); some cities are talking of putting electronic chips in household trash cans to measure output; a toll-free “smoke-free compliance line” takes snitch reports on violators of the new national ban on smoking in public places.

The DNA profile of every person ever arrested – even those briefly detained for, say, loitering and released without charge – is on file in what is believed to be, per capita, the largest such database in the world, with 3.9 million samples. It includes the genetic markings of an estimated 40 percent of Britain’s black male population.

For the majority of Britons, polls indicate, there is nothing wrong with the monitoring.

Public acceptance of closed-circuit television skyrocketed after the murder of toddler James Bulger near Liverpool in 1993. In closed-circuit camera footage that shocked the country, the killers, a pair of 10-year-old boys, were shown leading the trusting boy away from a shopping center.

So, how do YOU feel about closed-circuit cameras? I’ve searched the web and cannot find even an estimate of how many cameras might be watching us in the USA. Is it a good thing? Let me know your thoughts.

As reported in the Boston Globe and many newspapers across the country.
