Good day to you,

~Brett A. Scudder~

Posted by Mary Jo Foley @ 1:38 pm | http://blogs.zdnet.com/microsoft/?p=4160&tag=nl.e019

Windows Marketplace for Mobile, Microsoft’s equivalen to the Apple’s iPhone App Store, opened for business officially on October 6 with 246 applications.

Yes, that is nowhere near the more than 85,000 apps in the App Store. But Microsoft officials claimed not to be discouraged by the disparity. At Microsoft’s consumer-focused open-house showcase in New York City today, company officials noted that the company has 753 independent software vendors working on Windows Mobile ports.

Robbie Bach, the President of Microsoft’s Entertainment and Devices Unit, told press and analysts that he was upbeat about Microsoft’s progress.

“Apple had less than 100 applications when it first launched its marketplace,” Bach said. (I did a quick search and found a story claiming that number was actually closer to 500, when Apple launched its store in 2008.)

Bach also claimed it was “kind of goofy” to focus on the absolute numbers of applications in Microsoft’s Windows Mobile store, since the real measure of success is how many of those applications get used.

Bach told press and analysts who attended a private roundtable that there are more than 20,000 applications available for Windows Mobile 6 and 6.1 phones — and even if the applications focused on specific business verticals and IT tasks are subtracted, there are still “tens of thousands” of Windows Mobile apps out there.

The newly launched Windows Marketplace for Mobile currently only works with Windows Mobile 6.5 phones, which launched today. Microsoft officials have said that the Marketplace will also be accessible to Windows Mobile 6 and 6.1 phones before the end of the year. But that doesn’t mean the current crop of Windows Mobile 6 and 6.1 apps get an automatic berth in the Windows Marketplace; they still need to go through the certification and evaluation process.

Windows Live services – other than instant messaging — aren’t are going to be available via the Marketplace. Windows Live Hotmail will be included with all Windows Mobile phones, but the some other Windows Live services will be available preloaded on select phones, since “operators are trying to monetize this space separately,” as Aaron Woodman, Director of Product Management for Windows Mobile told me today. (Note: Corrected my misunderstandings here.)

Microsoft also officially “turned on” the commercial version of its My Phone premium service for Windows Mobile users on October 6. (My Phone is the service formerly codenamed Skybox.) The final version of the service includes several new capabilities that were not part of the beta service. These are:

• Social networking integration: Direct access to Facebook and other social-networking services is available from the My Phone cloud.
• Windows Mobile phones set to vibrate are able to be made to ring (at a high volume) via My Phone to help users locate lost phones.
• Windows Mobile phones may be locked and set to post a message via My Phone. (Example: “MJF’s phone. $50 bucks for its return. Call xxx.”)
• Windows Mobile phones may be located  on a GPS map via the service (in case they are stolen or lost)
• Windows Mobile phones may be wiped of data and reprogrammed remotely via My Phone.

Windows Mobile 6.0, 6.1 or 6.5 users can access these services, which Microsoft considers to be a “premium pack” for free until Nov. 30, 2009. After that date, seven-day access to the premium package will be available for purchase for $4.99.

Mary Jo has covered the tech industry for more than 20 years. Don’t miss a single post. Subscribe via Email or RSS. You can also follow Mary Jo on Twitter.

Got a tip? Send Mary Jo your rants, rumors, tips and tattles. For disclosure on Mary Jo’s industry affiliations, click here or to see Mary Jo’s full profile click here.

“Cybersecurity is one of our most urgent priorities,” says DHS chief Janet Napolitano

Hiring to protect U.S. computer networks will occur over the next three years

Napolitano says computer networks too crucial to be left vulnerable to attack

WASHINGTON (CNN) — The Department of Homeland Security will hire up to 1,000 cybersecurity experts over the next three years to help protect U.S. computer networks, an Obama administration official said.

“Cybersecurity is one of our most urgent priorities,” said Homeland Security Secretary Janet Napolitano in making the announcement Thursday.

She unveiled the plans at an event marking the beginning of National Cybersecurity Awareness Month.

“This new hiring authority will enable DHS to recruit the best cyberanalysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyberthreats,” according to Napolitano.

U.S. officials are mindful that both government and private sector computer sites have been targeted, and consequences can be dire. The Internet, Napolitano said, is “a critical part of our everyday lives and how our society and our economy operate.”

She added, “We rely on cybernetworks to control and manage transportation, electricity, banking.”

Department officials could not say precisely how many cyberexperts now work at DHS and its various component agencies such as the Secret Service and Immigration and Customs Enforcement. Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a “world-class cyberorganization.”

The Obama administration has set cybersecurity as a top priority but has yet to hire a cyberczar to head up its efforts. Chris Painter, the White House National Security Staff’s acting senior director for cybersecurity, said the president remains committed to finding someone for the post.

Pounces on banking passwords

By Dan Goodin in San Francisco | http://www.theregister.co.uk/2009/09/18/zeus_evades_detection/

Posted in Anti-Virus, 18th September 2009 00:37 GMT

Watch the Application Security Regcast, right here

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study (PDF) (http://www.trusteer.com/files/Zeus_and_Antivirus.pdf) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging (http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/) programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date. ®

Related stories

Malvertisers slapped by Microsoft lawsuits (18 September 2009)

http://www.theregister.co.uk/2009/09/18/microsoft_legalaction_malvertising/

Malware lingers months on infected PCs (15 September 2009)

http://www.theregister.co.uk/2009/09/15/malware_persistence/

Trojan zaps banking credentials via IM (27 August 2009)

http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/

Hackers pwn Macca site with banking malware (8 April 2009)

http://www.theregister.co.uk/2009/04/08/macca_malware_attack/

Crimeware giants form botnet tag team (5 September 2008)

http://www.theregister.co.uk/2008/09/05/rock_phish_and_asprox_team_up/

Crimeware grifters scamming naive phishers (7 August 2008)

http://www.theregister.co.uk/2008/08/07/scammers_con_naive_phishermen/

Zeus virtually ports traffic manager to Windows (21 May 2007)

http://www.theregister.co.uk/2007/05/21/zxtm_4_windows/

• By Kurt Mackie | http://rcpmag.com/articles/2009/07/13/office-2010-tech-preview-unveiled-at-microsoft-partner-event.aspx
• July 13, 2009

Microsoft Office 2010 has reached the technical preview testing stage, company officials announced on Monday at the Microsoft Worldwide Partner Conference.

Attendees at the New Orleans event this week have access to the Office 2010 bits. For others wanting to test the new productivity suite, Microsoft provides a Web form to sign up for the waiting list, which can be accessed here.

Various Office 2010 productivity suite components — Excel, Word, PowerPoint, OneNote, Project, Publisher and Visio — all hit the 2010 technical preview milestone today, along with Microsoft SharePoint Server 2010. The schedule for Microsoft Exchange 2010 is slightly ahead of the pack, with a public beta announced back in April.

The main theme Microsoft emphasized with today’s announcement is that Office 2010 will be accessible by PC, phone and browser. The new enabling factor is something called “Office Web applications,” which are lightweight versions of Excel, PowerPoint and Word that can run in a Web browser. Supported browsers currently include Firefox, Internet Explorer and Safari.

The unveiling of Office Web applications represents Microsoft’s long-awaited move into the lightweight hosted applications space. Competitors, such as Google and Zoho, have offered Office-like applications that work in a browser for years.

Microsoft will offer its Office Web applications to consumer users for free. Users just have to sign up for a Windows Live account. Businesses won’t have free access, but they will be able to subscribe to Microsoft Online Services, which will host the Office Web applications and provide access to them as a service.

All Microsoft Office 2010 volume licensees will have access to Office Web apps. In addition, these licensees will have the option of running Office Web apps from their own on-premises servers.

Microsoft will incorporate the “ribbon” menu system, first introduced in Office 2007, in a number of future products. Those products include the Outlook 2010 mail and calendar solution, the SharePoint 2010 collaboration app, Project 2010 planning app and Visio 2010 diagramming solution.

Document collaboration will be a feature in Office 2010. For instance, users can edit video in PowerPoint 2010 and then share or broadcast those videos. A Microsoft Office Backstage view lets users quickly access features associated with Office 2010 files, enabling integration with other Office or SharePoint apps.

The Office 2010 announcements were part of a keynote address in New Orleans by Stephen Elop, president of Microsoft’s Business Division. Elop outlined other Microsoft initiatives of note to partners. For instance, he played up partner opportunities in Microsoft’s “Software plus Services” world, in which Microsoft or its partners will offer customers hosted and on-premises software solutions, or a combination of the two approaches.

Some products, such as Microsoft Office Communication Server, have sustained growth in tough economic times, Elop noted. He also touted Microsoft Dynamics products, saying that more than one million Dynamics seats have been sold, and that Microsoft was winning deals over Salesforce.com and Oracle’s Siebel CRM.

Elop said that Microsoft now has more than 17,000 SharePoint customers and that the company has sold about 100 million SharePoint licenses. Social computing via SharePoint is an area of rapid innovation, as well as a Microsoft partner opportunity, he added.

Elop suggested that Microsoft is making good on its “democratizing business intelligence” theme, in which business users of Microsoft products will be better able to conduct data analyses on the fly. One such feature in Excel, called “Sparklines,” lets users slice up and compose data.

About the Author

Tue Jul 14, 2009 4:52pm EDT | http://www.reuters.com/article/technologyNews/idUSTRE56D6FU20090714

By Jim Finkle

BOSTON (Reuters) – Microsoft Corp warned that cybercriminals have attacked users of its Office software for Windows PCs, exploiting a programing flaw that the software giant has yet to repair.

The world’s largest software maker issued the warning on Tuesday as it released patches to address nine other security holes in its software.

“Despite today’s fixes, Windows users continue to be under attack. Microsoft is taking two steps forward, while attackers are putting it one step back,” said Dave Marcus, McAfee Inc’s Avert Labs director of security research.

Hackers booby-trap websites with malicious code that loads onto computers running the vulnerable Office software. Infected PCs are commandeered into a botnet, a network of hijacked computers. They are used for identity theft, spamming and other cybercrimes.

Microsoft did not say how many machines were attacked. It estimates that some 500 million people use its Office suite, which includes Word, Excel and PowerPoint software.

The software maker said in a security bulletin that it has developed a temporary workaround for the problem, which users must manually install on PCs to protect them from attack.

A company spokeswoman said that program would soon be available through Microsoft’s website. Office XP, 2003 and 2007 are vulnerable to the attacks.

(Reporting by Jim Finkle; editing by Carol Bishopric)

© Thomson Reuters 2009 All rights reserved

Cuomo charges social network with identity theft

Published: July 9, 2009 – 2:56 pm | http://www.crainsnewyork.com/apps/pbcs.dll/article?AID=/20090709/FREE/907099974/1057

(AP) – New York’s attorney general says that Tagged.com stole millions of Internet users’ identities with e-mails that raided their private accounts.

Andrew Cuomo says he plans to sue the social networking Web site for deceptive e-mail marketing and invasion of privacy.

Mr. Cuomo said Thursday the company would send unsuspecting recipients e-mails, telling them to view private photos posted by friends. He says no such photos existed. Mr. Cuomo says that instead, Tagged raided recipients’ e-mail address books.
When recipients tried to access photos, Mr. Cuomo says they in effect became new members of the site.

“Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged’s unethical—and illegal—behavior,” Mr. Cuomo said in a statement. “This very virulent form of spam is the online equivalent of breaking into a home, stealing address books, and sending phony mail to all of an individual’s personal contacts. We would never accept this behavior in the real world, and we cannot accept it online.”

Tagged temporarily suspended its Internet campaign last month, in response to user complaints and criticism. E-mail and telephone messages sent to the company weren’t immediately returned.

©Copyright 2009 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Entire contents © 2009

Breaking News Alert

The New York Times

Wednesday, July 8, 2009 — 12:39 AM ET

—–

Google Plans to Introduce a PC Operating System

In a direct challenge to Microsoft, Google is expected to announce on Wednesday that it is developing an operating system for a personal computer based on its Chrome browser, according to two people briefed on Google’s plans.

The move would sharpen the already intense competition between Google and Microsoft, whose Windows operating system controls the basic functions of the vast majority of personal computers.

Read More:

http://www.nytimes.com/?emc=na

—–

Now get the New York Times Breaking News to your mobile phone. Sign up for the alerts by texting NEWSALERTS to 698698 (NYTNYT).

—–

About This E-Mail

You received this message because you are signed up to receive Breaking News Alerts from NYTimes.com.

To unsubscribe, change your e-mail address or to sign up for daily headlines or other newsletters, go to: http://www.nytimes.com/email

NYTimes.com

620 Eighth Ave.

New York, NY 10018

Copyright 2009 The New York Times Company

‘Cock-a-doodle-do’, clucks Symantec.

John E. Dunn, Techworld | http://www.techworld.com/security/news/index.cfm?RSS&NewsID=117217
09 June 2009

Security vendor Symantec is so concerned about the potential misuse of a new wireless keyboard sniffer it has put out a warning about the technology.

‘Keykeriki’ – a play on words derived from the Italian onomatopoeia for the sound made by a cockerel -is the work of the Remote-Exploit.org , a semi-commercial group that has been working on the open source project for nearly two years.

The group claims the hardware and software combination can intercept the keystrokes from all Microsoft wireless keyboards using 27Mhz wireless radio transmission frequency by analysing electromagnetic patterns, and said it was working on doing the same for rival Logitech keyboards very soon.

What this means is that pressing keystrokes entered on a wireless keyboard could be ‘sniffed’ from a distance up to around 10 metres, in theory giving criminals access to data such passwords and user names. Although the project has been in the open for some time, Symantec has only recently become concerned enough to now recommend that users in security-conscious environments return to using wired keyboards.

The apparently simple answer to the hack is encryption, but that ignores the fact that Bluetooth and radio-based keyboards already use encryption, albeit in a weak form – the sniffer is intercepting tiny electro-magnetic fluctuations as the keys are pressed, not as they are transmitted.

The principle has been understood for some time, as research released by a team at the Ecole Polytechnique Fédérale de Lausanne in Switzerland demonstrated last October.

The answer is either to introduce enough signal noise around the keyboard, use a wired keyboard (although this might also not be secure) or build in virtual keyboards for use when entering secure data. There is no sign that Windows 7 will come with such a utility, but perhaps it should.

The main component, the hardware, had yet to be finalised or put into a form that can be manufactured. The creators of Keykeriki say they will add an LCD to read keystrokes, a GPRS transmitter and even an iPhone ‘interface’.

What if the group’s motivation for producing such a system? Officially, Remote-Exploit.org describes it in the following rather disingenuous terms on its website “This open source hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only).”

More likely, the group are demonstrating their security expertise as a way of getting other work. The chances of producing the required hardware in saleable form look (unpun), remote. Symantec’s anti-malware software is not known to have any means to block or detect such sniffing, though it is possible that an electrical ‘anti-sniffer’ could be developed to detect the Keykeriki interception.

This article was printed from Techworld : www.techworld.com
The UK’s infrastructure & network knowledge centre
© 2009 : All rights reserved

Thu Jun 11, 2009 6:42am EDT | http://www.reuters.com/article/technologyNews/idUSTRE5585IV20090611

By Jim Finkle

BOSTON (Reuters) Microsoft Corp is getting ready to unveil a long-anticipated free anti-virus service for personal computers that will compete with products sold by Symantec Corp and McAfee Inc.

A Microsoft spokesman said on Wednesday that the world’s biggest software maker is testing an early version of the product with its own employees. Microsoft would “soon” make a trial version, or product beta, available via its website, he added, but declined to provide a specific date.

Symantec shares fell 0.5 percent on Nasdaq and McAfee fell 1.3 percent on the New York Stock Exchange, while Microsoft was up 2.1 percent. The Nasdaq composite index was down 0.47 percent.

Investors are closely monitoring the free service, code-named Morro after Brazil’s Morro de Sao Paolo beach, amid concern it could hurt sales of products from Symantec and McAfee, which generate billions of dollars of revenue a year protecting Windows PCs from attacks by hackers.

“It’s a long-term competitive threat,” said Daniel Ives, an analyst with FBR Capital Markets, though he added that the near-term impact was minimal.

Microsoft has said that Morro will offer basic features for fighting a wide range of viruses, which would likely make it comparable to low-end consumer products from Symantec and McAfee that cost about $40 per year.

Their top-selling products are security suites that come with features including encryption, firewalls, password protection, parental controls and data backup.

Three years ago, Microsoft entered that market with Live OneCare, which turned out to be a commercial flop. It announced plans in November to kill that product suite, saying it would launch the free Morro service by the end of 2009.

Analysts said they are looking forward to Morro’s beta to see exactly how its features compare to those in products from competitors.

Microsoft has said it will provide protection from several types of malicious software including viruses, spyware, rootkits and trojans.

Officials with Symantec and McAfee have said they do not see Morro as a threat.

“Microsoft’s free product is basically a stripped down version of the OneCare product Microsoft pulled from the shelves,” said Symantec Consumer division president Janice Chaffin. “A full Internet security suite is what consumers require today to stay fully protected.”

Joris Evers, a spokesman for No. 2 security software maker McAfee, said his company is already enjoying strong growth despite competition from free anti-virus products that are on the market.

“On a level playing field, we are confident in our ability to compete with anyone who might enter the marketplace,” he said.

A spokeswoman for Trend Micro Inc, the No. 3 player, declined to comment.

(Reporting by Jim Finkle; Editing by Steve Orlofsky, Brian Moss, Richard Chang)

 © Thomson Reuters 2009 All rights reserved

The challenge will be to get various interests working together

Jaikumar Vijayan | http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133687  

May 29, 2009 (Computerworld) President Obama’s plan for securing cyberspace and his creation of a new White House cybersecurity coordinator are being greeted with cautious optimism within the security industry.

Many see the strategy as a sign of the administration’s willingness to recognize cyber threats as a national security issue. But until details are fleshed out, it’s hard to know just how far it will go in bolstering the nation’s ability to deal with cyber attacks, they said.

At a White House briefing, Obama described a five-pronged cybersecurity strategy for defending government, military and private sector networks against threats from what he said is a growing number of bad actors. He noted that the new cybersecurity coordinator will be responsible for pulling together a national strategy for securing American interests in cyberspace and stressed that the government would safeguard privacy concerns. (The new office will include a privacy officer.)

Obama’s proposals had been widely expected and are based on the recommendations from a government-wide review of cybersecurity undertaken at his behest by Melissa Hathaway, a former Bush administration aide who he appointed as acting senior director for cyberspace earlier this year.

“I was encouraged see that the [Hathaway] report got presidential support today — that’s critical to the success of any program,” said Patricia Titus, the one-time chief information security officer at the Transportation Security Administration (TSA) who now holds a similar job at Unisys Corp.

The challenge for the Obama Administration is to actually implement the proposals in a meaningful way, Titus said. A lot will depend on the relationships the new cybersecurity coordinator can build and the kind of influence he or she can exert across government and the private sector, she said.

While centralizing authority for cybersecurity matters in the White House can have benefits, care needs to be taken to maintain a balance of power, she said. “We need to make sure that no one is pushing the red panic button without making sure there are other individuals in the decision-making process and at the appropriate levels to get input from,” she said.

Obama did a “great job” of summarizing the cybersecurity threats the nation faces and the approach that’s needed to resolve them, said Scott Charbo, former deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security (DHS).

Especially encouraging is the president’s focus on setting specific milestones and on ensuring accountability within government, said Charbo, who is currently director of cybersecurity at Accenture. Obama’s apparent plan to give the new cybersecurity coordinator a greater say in ensuring that federal agencies are investing adequate resources on cybersecurity is also a very positive step, he said. But successfully moving forward on a White House-led cybersecurity effort will require a “cultural transformation” by government agencies.

“I think everyone is anxious to understand who the cybersecurity coordinator will be,” Charbo said. “It needs to be someone who can listen to new ideas. It needs to be someone who is focused on outcomes and on metrics.”

Ensuring that all of the right players are at the table when developing a national cybersecurity strategy will be key, added Billy O’Brien, former White House director of cybersecurity and communications systems policy. O’Brien is now an analyst at Deloitte.

To date, government officials, defense organizations and the DHS have all been working on disparate missions when it comes to cybersecurity. Getting everyone working together can be a challenge, he said.

The mission of the intelligence community, for instance, is to intercept an attack using the cyber infrastructure; the DHS is supposed to protect critical infrastructure; the Department of Defense has defense-and-attack authority; and the White House has coordination authority. The question that will need to be asked is whether “all of the right players are at the table or if there is a need to add more,” O’Brien said.

Also key: figuring out how to ensure that the private sector is “holding up [its] end of the deal” when it comes to the critical infrastructure in private hands, he said.

Enrique Salem, the CEO of Symantec Corp. , said in a statement that the decision to re-establish a strong White House role for cybersecurity is “gratifying.” The last executive to have a cybersecurity role in the executive offices of the president was Richard Clarke, who was special advisor on cybersecurity to President George W. Bush when he retired in 2003.

In the six years since, cyber security oversight and involvement has moved from the White House to other government agencies, even as cyber attacks have grown to the point where they are now a “full-blown threat to national security and commerce,” Salem said.

“The coordination must come from the White House level to address the situation and to provide focus on the global nature of this problem,” he said.

By Gary McGraw

Date: May 15, 2009

http://www.informit.com/articles/article.aspx?p=1350268

Article is provided courtesy of Addison-Wesley Professional.

Content issues aside, Twitter has some potentially serious security issues. Gary McGraw, author of Software Security: Building Security In, details these vulnerabilities.

Making Your Thoughts as Small and Incomplete as Possible

Just for the record, I don’t use Twitter. But if this column were a Twitter entry, it might read something like:

My biggest issue with Twitter turns out not to be a security issue, but rather a content issue. If you thought that blogging led to information chaos, half-baked ideas, and incoherent logic, Twitter ups the ante by making the constituent thoughts as small as possible. Perhaps I’m a Luddite, but I think editors play an important role in the world separating the wheat from the chaff. I’ll miss my paper copy of the Washington Post once the newspaper business finally dies. Replacing the daily newspaper with Twitter detritus seems like a lousy tradeoff.

But this is a security column, so lets spend a few minutes pondering the security ramifications of Twitter. I can think of a few right off the top of my head: it’s easy to spoof someone on Twitter, it’s a perfect vector for malicious code and phishing, Twitter allows dingbats to cash in their last remaining privacy chit, and it has a coolness factor that often overrides common sense.

Spoofing Twits

On the Internet, nobody knows you’re a dog. In fact, nobody knows who you are at all. This can be a problem.

Fake websites abound on the Web. A humorous collection of them can be found here. Spoofing an organization is as easy as buying a URL. But it gets worse. The rather largish issue of spoofing the entire Web, first described in detail in 1997 by the Princeton Team, remains a serious problem! Really.

Twitter carries on in the long tradition of Internet spoofing by allowing someone to masquerade as just about anyone they want. In fact, even lowly security guys like me apparently merit spoofers. I have no idea who FakeGaryMcGraw is, but it’s not me. The question is whether or not I should care? (Some people apparently do.) It’s really not that clever or interesting making fun of someone anonymously. Twit.

EDITOR’S NOTE

For more on how Twitter spoofing affected then President-elect Obama early in 2009, see John Traenkenschuh’s article Passwords: So Important, Yet So Misused.

Malicious Code: Koobface Targets Twitter

Putting spoofing risks to shame, Twitter makes an excellent vector for malicious code and for phishing. By embedding a URL in a Tweet (less than 140 characters please, so tinyurl may be in order), nefarious persons can cause you to surf to a website with malicious code. Or maybe they can just get you to hand over your credentials.

Lest this sound far fetched, one of the first worms to target Twitter (called Koobface and now on its second wave), used a classic phishing attack. The Tweet in question says jannawalitax.blogspot.com “has a funny video about you” or “a funny post about you” which in theory sends you back to the log-in page of Twitter. But instead of the real login page, a fake page is displayed where many Twitter users happily authenticated themselves with their real credentials (thus handing them directly over to cybercriminals). A second version appears to come from your Twitter colleagues making it even more likely to be clicked on.

Twitter is no more dangerous than any other phishing vector, of course. But it is no less dangerous either.

Privacy? What Privacy?

Finally, there is privacy. Congressman Pete Hoekstra learned the hard way that Twitter peels away yet another layer of the privacy onion. By Twittering the arrival of his Congressional delegation in Bagdad, the Michigan Republican garnered plenty of intense criticism. Did his Tweet compromise the security of the supposedly secret mission (the trip was classified and his location was not to be known)? If not, it’s probably only a matter of time before Twitter is mistakenly used to that effect.

This is not an issue exclusive to Republicans. Obama’s new CIO Vivek Kundra is a big fan of Twitter and has encouraged his staff to make use of the service. Hopefully they will take into account the public nature of Tweets.

The problem in this case is that nobody seems to realize that Twitter is a public forum. Generation Y is busy confronting this big privacy issue head on. Their Facebook, MySpace, and Twitter-laden pasts sometimes don’t help much as they trawl for work during a recession. What you say in public on the Internet is, well, public. Furthermore, what you say and the pictures you post may come back to haunt you when you’re not busy doing tequila shots. Hangover anyone?

Meet the New Boss, Same as the Old Boss

Personally, I think Twitter should be rebranded “Touretter,” transforming Tweets into “Twitches.” Then again that’s probably a disservice to poor people who are victims of Tourette’s Syndrome. There may be more actual content in tics.

A wise person once opined about writing a shorter note if only there were more time. If we equate additional thought with better quality, then the average tweet has to be electronic equivalent of exclaiming “Hey, look what I can do!” just prior to applying for a Darwin Award.

What the world needs is a large number of unemployed newspaper editors to sort through the Tweets and let us all know what stories to pay attention to. I hear there’s going to be a big supply.

© 2009 Pearson Education, Inc. Informit. All rights reserved.

800 East 96th Street Indianapolis, Indiana 46240

Obama calls for better security for computers

WASHINGTON (AP) — The United States has for too long failed to adequately protect the security of its computer networks, President Obama said Friday, announcing he will name a new cyber czar to take on the job.

Surrounded by a host of government officials, aides and corporate executives, Obama said this is a “transformational moment” for the country, where computer networks are probed and attacked millions of times a day.

“We’re not as prepared as we should be, as a government or as a country,” he said, calling cyber threats one of the most serious economic and military dangers the nation faces.

THE OVAL: Obama focuses on security in cyberspace

He said he will soon pick the person he wants to head up a new White House office of cyber security, and that person will report to the National Security Council as well as to the National Economic Council, in a nod to the importance of computers to the economy.

While the newly interconnected world offers great promise, Obama said it also presents significant peril as well. The president declared: “Cyberspace is real, and so is the risk that comes with it.”

Laying out a broad five-point plan, the president said the United States needs to provide the education required to keep pace with technology and attract and retain a cyber-savvy work force. He called for a new education campaign to raise public awareness of the challenges and threats related to cyber security.

He assured the business community, however, that the government will not dictate how private industry should tighten digital defenses.

Government officials have grown increasingly alarmed as U.S. computer networks are constantly assailed by attacks and scams, ranging from nuisance hacking to more nefarious probes and attacks, including suspicions of cyber espionage by other nations, such as China.

Obama noted that his own computer system for the presidential campaign at one point last year was compromised by hackers, but said the security of the names and financial information on contributors was intact.

Copyright 2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

• By Kurt Mackie | http://rcpmag.com/articles/2009/05/27/sp2-windows-vista–and-windows-server-2008.aspx
• May 27, 2009

Microsoft published Service Pack 2 (SP2) on Monday for Windows Vista and Windows Server 2008.

This “release-to-Web” version of SP2 is a more general public release than the “release-to-manufacturing” version (designed for PC hardware builders) that Microsoft announced late last month.

Those eager to get SP2 can grab it today through the Microsoft Download Center or through Windows Update. The service pack is available as both 32-bit and 64-bit versions. However, grabbing the bits directly means handling a fairly large download, ranging in size from 300 MB to 600 MB.System administrators typically might accept waiting for such a large download because they’ll be getting a complete standalone SP2 package. However, average users can get SP2 as a much smaller 43 MB download if they’ve turned on Automatic Update in Vista and are willing to wait.

Microsoft plans to begin delivering SP2 via Automatic Update in June, and it will gradually be pushed out to users over about two months’ time.

Microsoft’s business customers needing more preparation time can block Automatic Update from downloading SP2 by using the Windows Service Pack Blocker Tool Kit. They can also control the update by setting the group policy for Automatic Updates and Windows Software Update Services.

SP2 is a single installer for both Vista and Windows Server 2008. However, you need to have Service Pack 1 (SP1) installed first before installing this new service pack. Those using Windows Server 2008 already have SP1 installed, according to Microsoft’s “Notable Changes” document.

New features in SP2 include support for VIA Technologies’ 64-bit CPU, the addition of Windows Search 4.0 and updates to Wi-Fi wireless and Blu-Ray media support, among many other details described in the Notable Changes document. SP2 also contains all of the updates Microsoft has released since SP1.

The Microsoft Download Center portal provides access to the x86 version of SP2 here, while the x64 version can be accessed here.

IT pros can access the bits or an ISO file at Microsoft’s TechNet portal here.

Today I am very excited to send you a very special invitation to join us in our new home for you to benefit from what is being provided for you, and to help build on the collaboration and networking resources we’re making available for all on and about technology and IT Security. Don’t think of this as “another network”, think of it as a better network with a more targeted focus on two critical areas of our future, IT/technology and securing them. We’ve taken some of the best features of LinkedIn, Facebook and Ning and integrated them into our own with more to come.

We have put a lot of work into it and will continue to do so in order to make it more valuable as we move forward.

I know this will be of great value for us all as we are all affected by the issues and there impacts and so we must build this great place of collaboration and networking about it. Please help to share this new resource and info.

About the network.

Our Technology / IT Security Social Network is a professional place where people come together to create a vibrant, resourceful, strategic and secure social atmosphere of networking, training, education, awareness and collaboration for, on and about technology and securing them.

We invite you to participate in the full functions and features of our network as we build on it to enhance its values and mission for the future. We ask that you share the word with your associates, friends, peers and everyone that is interested in the world of security and being more comfortable and secure in it. This network is specifically geared towards technology, IT Security and everything in and about it.

The focus of this social network is to build greater training, education, awareness and provide the guidance, advise, services and support needed to maintain the secure presence and stability of all infrastructures (homes, businesses (all sizes and types), schools, churches, etc) for all. We look forward to your participation in this effort as a professional, specialist, technologist, leader, contributor, reader, advisor or just a member wanting to learn more.

Please adhere to the policies and rules of the network so that all may find it a common professional place to collaborate in.

Please join us by signing up here http://titssn.org/signup.php

Thank you and have a great day,

~Brett A. Scudder~

Windows 7 RC gets its first bug, and it’s a doozy

Posted by Ed Bott @ 9:22 am

Tags: Folder, Microsoft Windows 7, Root, Windows 7 RC, Hotfix…, Microsoft Windows, Operating Systems, Software, Ed Bott

Yesterday, Microsoft published Knowledge Base article 970789, which provides details of a problem that affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem, in short, is that the installer incorrectly sets access control lists (ACLs) on the root of the system drive. The longer version is described as follows:

In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.

For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:

Access is denied.

Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.

A hotfix is available as an important update that should be delivered and installed automatically by Windows Update, assuming you have set up automatic updates. On one test system that I checked just now, the update had already been installed overnight. On two other systems, the update had been downloaded but was awaiting installation.

The hotfix package fixes the security descriptor of the root of the system drive, but it does not repair applications that are already installed, nor does it affect the permissions of folders that were created after the installation.

If you installed the x64 version of Windows 7, you are apparently unaffected by this issue.

If you haven’t yet installed the Windows 7 RC, it’s important to install this hotfix after you set up Windows and before you install any programs or restore any backed-up data.

This sounds like a pretty serious bug, and I’m surprised that it slipped through into the release candidate. I haven’t observed any deleterious effects from this issue yet but am doing further testing today. If anyone has any firsthand reports of being bitten by this bug, please leave a comment in the Talkback section with more details.

Hoax or the real thing? Virginia health agency Web site shut down but investigators mum

Jaikumar Vijayan | http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132625

May 6, 2009 (Computerworld) Days after a hacker claimed to have broken into a database and encrypted millions of prescription records at the Virginia Department of Health Professions, it remains unclear what happened.

Whistleblower Web site Wikileaks.org last Sunday carried a report from an anonymous poster who said that the secure site for the Virginia DHP Prescription Monitoring Program (PMP) had been broken into by a hacker who made a $10 million ransom demand.

The alleged ransom note posted on the PMP site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data.

“Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh,” the hacker is supposed to have said in his note, a copy of which was available on Wikileaks. “For $10 million, I will gladly send along the password,” for decrypting the data, the supposed hacker wrote.

The expletive-laden note goes on to say that authorities have seven days to decide if they will “pony up” the money. If the ransom is not paid, “I’ll go ahead and put this baby out on the market and accept the highest bid,” the note says.

The hacker admits that while he is unsure about the worth of the data or who would want it, “I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data,” the hacker said pointing to the fact that the data included patients’ names, ages, addresses, Social Security and driver’s license numbers.

A call seeking comment on the incident from the Virginia PMP program office was not immediately returned. A call to the Virginia State Police department seeking confirmation on whether it is investigating the reported incident also was not immediately returned.

As of today, the main PMP Web site and all links on the site were unavailable.

The PMP was set up in the wake of a spate of drug-abuse-related crimes and some deaths in the state involving the painkiller Oxycontin. It allows pharmacists and health care professionals to track prescription drug abuse, such as incidents of patients who go “doctor-shopping” to find more than one doctor to prescribe narcotics. According to a description of the program from a cached version of the site, there were more than 31.6 million records in the PMP database as of Jan. 1. Doctors, pharmacists and other authorized users make requests for data from the PMP database via a secure Web page, the description said.

The Richmond Times-Dispatch reported Tuesday that the FBI and State Police had confirmed investigations of a hacking incident at the PMP. The story also quoted Virginia Gov. Timothy Kaine as saying the compromised data was not the same as patient files from doctors’ offices. “These were not patient records, so it’s not compromise of health-care information about particular individuals,” the governor is quoted as saying in the Times-Dispatch.

The compromise comes at a time of heightened concerns about the privacy and security of medical data. President Barack Obama’s recently passed economic stimulus package includes a health care component that initially provides $20 billion for the creation of a national health records system. The bill mandates new privacy and security controls for health care data that are seen as being long overdue.

The controls go beyond those mandated under HIPAA (the Health Insurance Portability and Accountability Act) and are expected to be more strictly enforced than HIPAA rules have been.

The breach at the Virginia health agency highlights the “overall lack of compliance” with HIPAA within the health care sector, said Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas.

“HIPAA by and large has been ignored, not because it is unimportant, but because of a lack of will to really [enforce] it,” MacKoul said. “Much like all other regulations, if there is no real enforcement, this type of thing will continue to happen over and over again.”

The reported incident in Virginia is identical to one reported by Express Scripts, a St. Louis-based prescription drug management company in October. The company said it received an extortion letter from data thieves who threatened to release millions of patient records if the company did not pay up.

Many Twitters are quick quitters: study

Wed Apr 29, 2009 10:52am EDT | http://www.reuters.com/article/technologyNews/idUSTRE53S1A720090429

SYDNEY (Reuters) – Today’s Twitters are often tomorrow’s quitters, according to data that questions the long-term success of the latest social networking sensation used by celebrities from Oprah Winfrey to Britney Spears.

Data from Nielsen Online, which measures Internet traffic, found that more than 60 percent of Twitter users stopped using the free social networking site a month after joining.

“Twitter’s audience retention rate, or the percentage of a given month’s users who come back the following month, is currently about 40 percent,” David Martin, Nielsen Online’s vice president of primary research, said in a statement.

“For most of the past 12 months, pre-Oprah, Twitter has languished below 30 percent retention.”

San Francisco-based Twitter was created three years ago as an Internet-based service that could allow people to follow the 140-character messages or “tweets” of friends and celebrities which could be sent to computer screens or mobile devices.

But it has enjoyed a recent explosion in popularity on the back of celebrities such as actor Ashton Kutcher and U.S. talk show host Oprah Winfrey singing its praises and sending out “tweets” which can alert readers to breaking news or the sender’s sometimes mundane activities.

President Barack Obama used Twitter during last year’s campaign and other prominent celebrities on Twitter include basketballer Shaquille O’Neal and singers Britney Spears and Miley Cyrus.

Twitter, as a private company, does not disclose the number of its users but according to Nielsen Online, Twitter’s website had more than 7 million unique visitors in February this year compared to 475,000 in February a year ago.

But Martin said a retention rate of 40 percent will limit a site’s growth to a 10 percent reach figure over the longer term.

“There simply aren’t enough new users to make up for defecting ones after a certain point,” he said in a statement.

Martin said Facebook and MySpace, the more established social network sites, enjoyed retention rates that were twice as high and those rates only rose when they went through their explosive growth phases.

Both currently have retention rates of about 70 percent with Facebook having about 200 million users.

“Twitter has enjoyed a nice ride over the last few months, but it will not be able to sustain its meteoric rise without establishing a higher level of user loyalty,” said Martin.

(Writing by Belinda Goldsmith, Editing by Miral Fahmy)

© Thomson Reuters 2009 All rights reserved

New York State raises the bar for end user security training

New York State is extremely concerned about phishing in general, and more specifically spear phishing, highly targeted phishing attacks designed to penetrate organizations, government agencies and groups.

Read story about end user security training.

Beginning in 2005, the state Office of Cyber Security & Critical Infrastructure (NYS-CSCIC) along with the Anti-Phishing Working Group, AT&T, and the SANS Institute ran its first antiphishing pilot project.

The goal was to raise employee awareness of the danger of phishing scams and to provide employees with information to help protect themselves and the agency. The project was also designed to gain a better understanding of the effectiveness of security training.

Related Content

The first exercise was conducted with 10,000 end users who were unaware of the project. The first step was to distribute an informational bulletin alerting users to the perils of phishing and providing steps to take if they encounter malicious activity.

Next, the mock phishing scam exercise involved sending an e-mail to the group that appeared to be coming from a legitimate source, the agency’s Information Security Office, and contained a link to the NYS-CSCIC Web site that were instructed to visit to check the security of their password.

If they clicked on the link and attempted to type in their password they failed the test. While 17% followed the link, 15% of the e-mail recipients attempted to interact with the fake password form.

Click to see: Top 5 mistakes users make

Those individuals who passed the test received a congratulatory message; those who were duped were directed to a tutorial on how to be aware of phishing scams.

Another mock phishing exercise was conducted on the same employee audience two months later. The goal was to assess if they learned anything from the first exercise. This time, employees were sent an e-mail that appeared to come from the agency’s Help Desk with a subject line that read “Internet Connection Problems.”

The e-mail informed users of Internet connection outages because of a suspected cybersecurity event, and contained a link to a dummy NYS-CSCIC Web site where they were asked to assist the agency by answering some questions about connectivity issues.

Those who followed the link and attempted to answer questions were notified that they fell prey to the exercise and were given a feedback survey to explain their actions. Fourteen percent followed the link but only eight percent attempted to input information.

William Pelgrin, chief cybersecurity officer and director, NYS Office of Cyber Security & Critical Infrastructure Coordination, Albany, N.Y., was pleased with the results of the phishing exercise.

“Cybersecurity awareness is about cultural change, repetition of exercises like the scam phishing, help,” he says.

In early 2008, NYS-CSCIC rolled out a standalone 10 module computer-based security training program that included interactive exercises, such as the scam phishing program. The introductory, non-technical course also includes modules on security accountability, social engineering/phishing, security threats and other issues that end users need to be aware of.

Later that year, a server version of the same training program was made available to state and local governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Related Content

This year, NYS-CSCIC will conduct more periodic, automated, interactive exercises, in a manner similar to the phishing pilot, in its efforts to create a culture of security through experiential learning.

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com

Mon Apr 27, 2009 9:07am EDT | http://www.reuters.com/article/internetNews/idUSTRE53N4JF20090427

ZURICH (Reuters) – A Swiss insurance worker lost her job after surfing popular social network site Facebook while off sick, her employer said on Friday.

The woman said she could not work in front of a computer as she needed to lie in the dark but was then seen to be active on Facebook, which insurer Nationale Suisse said in a statement had destroyed its trust in the employee.

“This abuse of trust, rather than the activity on Facebook, led to the ending of the work contract,” it said.

The unnamed woman told the 20 Minuten daily she had been surfing Facebook in bed on her iPhone and accused her employer of spying on her and other employees by sending a mysterious friend request which allows access to personal online activity.

Nationale Suisse rejected the accusation of spying and said the employee’s Facebook activity had been stumbled across by a colleague in November, before use of the social network site was blocked in the company.

(Reporting by Emma Thomasson, editing by Paul Casciato)

© Thomson Reuters 2009 All rights reserved

Time Warner Cable dumps Internet meter plan

Published: April 16, 2009 – 4:43 pm

(AP) – Time Warner Cable Inc. is shelving its plan to bill customers based on how much Internet traffic they generate, following mounting public and political outcry.

Time Warner Cable’s capitulation doesn’t bode well for the future of metered billing of the Internet, in which people who use more bandwidth pay more.

Frontier Communications Corp., a Time Warner Cable rival in one key test market, Rochester, N.Y., also has dropped its plans for metering Internet use.

©Copyright 2009 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.