sci/tech sensation news magazine

Security news dominated this week, and that will undoubtedly be the case next week as well, with the Black Hat and Defcon conferences under way in Las Vegas. In other news, Yahoo shareholders met Friday for their annual meeting, with fewer fireworks than expected.

1. DNS patches cause problems, developers admit: Patches for the DNS (Domain Name System) vulnerability that has generated so much buzz have led to performance problems for servers running BIND (Berkeley Internet Name Domain) software. BIND is the most popular DNS software. Administrators shouldn't roll back the patch released July 8, said Paul Vixie, head of the Internet Systems Consortium, which oversees BIND. "The vulnerability is of more concern than a slow server," he said. An updated patch is in the offing. Meanwhile, hackers are actively exploiting the DNS vulnerability, and...

2. Apple finally patches dangerous DNS flaw and Opinion: Apple's unforgivable DNS delay: Apple issued a patch-- finally-- for its implementation of the BIND server software in various Mac OS releases. The delay in the patch release has caused considerable consternation among Mac fans.

3. A photo that can steal your online credentials and Black Hat/Defcon: Welcome to the funhouse: Among other things, researchers at Black Hat next week will demonstrate software they've developed that can circumvent security and take over accounts on popular sites such as Facebook, Google and eBay. The malicious software looks like image files to Web servers. The researchers will leave out details of how the attack works so that it won't be immediately used. We expect a lot of news out of Black Hat and Defcon, both in Las Vegas next week.

4. After facing shareholders, Yang must fulfill promises and Yahoo on defensive at shareholder meeting: Yahoo CEO Jerry Yang has made a lot of promises about how he's going to get Yahoo back in its financial and technology grooves. Shareholders at Friday's annual meeting served up some criticism, and one even suggested that Chairman Roy Bostock "do the honorable thing" and quit, but the get-together overall wasn't as heated as had been expected. Even so, with Microsoft's attempts to buy all or part of Yahoo now presumably behind the company, and having made peace with investor Carl Icahn, Yang and other company leaders will be expected to deliver.

5. FBI warns of new Storm worm attacks: The U.S. Federal Bureau of Investigation has warned that spam e-mails making the rounds on the Internet are spreading the dreaded Storm worm. Watch out for e-mail containing the phrase "F.B.I. vs. Facebook" and don't click on links in unsolicited e-mail, especially when you don't know the sender.

6. FCC rules against Comcast P-to-P throttling: Comcast must stop interfering with peer-to-peer traffic on its broadband network, the U.S. Federal Communications Commission ordered. The FCC decided in a 3-2 vote that Comcast has to stop slowing down P-to-P traffic by the end of the year and develop a new network management plan or face an injunction and possible other penalties.

7. Cuil stumbles out of the gate and What's in a name? Better not ask Cuil: The Cuil (pronounced "cool") search engine launched with promises to take a whack at Google. But an inauspicious start led to a flurry of criticisms about search results returned by the engine. It didn't help that Cuil's servers were overwhelmed on launch day. Started by a former Google employee and her husband, Cuil was said to be named after the Irish word for "knowledge." But it didn't take much searching on the Internet to discover that isn't actually what "cuil" means.

8. Sun releases preview of JavaFX SDK: Sun got into the hot rich Internet application market, releasing a preview software developer kit for JavaFX. Support for some features is missing from the preview SDK, but will be rolled out in later releases.

9. IBM invests big in two new cloud-computing centers and Update: Yahoo, Intel and HP form cloud-computing labs: IBM is investing US$360 million in a cloud-computing data center that it says will be the most sophisticated ever. The center will be housed in an existing building IBM will renovate in Research Triangle Park, North Carolina. The company also plans a new center in Tokyo where customers will be able to develop their own cloud infrastructures and applications. In other cloud-computing news this week, Yahoo, Intel and Hewlett-Packard announced they will work together on research and education in that area.

10. IOC caves to China Internet censorship: The International Olympic Committee cut a deal with the Chinese government to allow censorship of Internet sites during the Olympics. The censorship was noticed by journalists working in the Olympics newsroom, who immediately cried foul.

Source link: Yahoo news

See also:

LAS VEGAS - A newly discovered flaw in the Internet's core infrastructure not only permits hackers to force people to visit Web sites they didn't want to, it also allows them to intercept e-mail messages, the researcher who discovered the bug said Wednesday.

Considering the silent nature of the attack and the sensitive nature of a lot of electronic correspondence, the potential for damage from this second security flaw is high. But there's no evidence yet that this method of targeting e-mail has been used in a successful attack.

Dan Kaminsky of Seattle-based security consultant IOActive Inc. exposed a giant vulnerability in the Internet's design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks.

The flaw wasn't in the site itself, it was in the back-end machines responsible for guiding computers to that site.

The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the Internet to function properly.

Kaminsky, who spoke Wednesday at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to Web sites.

He remained tightlipped so that Internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk.

Major vendors like Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and others have issued patches — software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them.

"The industry has rallied like we've never seen the industry rally before," Kaminsky said.

Kaminsky's talk Wednesday at the conference was packed, with people sitting on the floor of the main speaker's hall and overflowing out the back doors. His presentation instantly became one of the Black Hat conference's most anticipated after he announced July 8 that he'd found a major weakness in DNS, a critical part of the Internet's plumbing.

While some details leaked out early — security researchers accurately guessed parts of Kaminsky's discovery — he was able to keep a few juicy bits secret until the talk.

One of those was the susceptibility of many e-mail servers to the DNS vulnerability, an opening that gives criminals a way to plant themselves in the middle of the transmission from the sender to the recipient and redirect messages to their own servers, Kaminsky said.

The result: criminals have a way not only to comb through the contents of those messages, but also to gain access to other password-protected Web sites the victims belong to.

That's because most sites have a feature that allows members to retrieve their passwords by e-mail if they've forgotten them. If a criminal has access to the account where that message is sent, he can then begin snooping on the contents of that account, from e-mail, to banking, to retailer sites.

The thrust of the DNS flaw is that it allows hackers to attach bad information to packets flowing in and out of DNS servers so they change the directions they give to certain Web sites.

It's the equivalent of turning around a street sign to send drivers down the wrong street.

So someone who innocently types in the address of a legitimate Web site can be strong-armed instead into going to a malicious site under the criminal's control. Because the attack happens at the network level, and the browser believes it's visiting the legitimate site, the attack is nearly impossible for users to detect.

Many e-mail servers are vulnerable because they also handle DNS traffic, Kaminsky said. Even if they only handle internal inquiries, if they interact with external DNS servers, that's often enough to expose them to attack.

Hackers are thus able to manipulate the packets associated with e-mail traffic the same way they manipulate the packets associated with general Web traffic.

Source: YN

See also:

Google Walking Directions: a Privacy Concern?

A Car That Drives You (to Save Gas)

Memory, Depression, Insomnia -- And Worms?

HONG KONG (Reuters) - Scientists in Japan have gained a better understanding how influenza viruses replicate, possibly opening the way for the development of drugs to hamper their reproduction.

In the latest issue of Nature, the researchers described how they zeroed in on an enzyme that flu viruses need to replicate, and managed to capture a snapshot of the enzyme.

Enzymes in influenza viruses are made up of three proteins bound tightly together.

"Scientists have been trying to study its (enzyme's) structure and no one has yet got a detailed picture of the whole thing," said Yokohama City University's Jeremy Tame, a member of the research team.

But the team managed to crystallize the proteins and get a peek at part of the structure, which involves the tip of one of the proteins coming into contact with another protein.

"This gives us some hope that we can interrupt this interface (contact point)," Tame said.

Such an interruption would "kill the virus, or slow it down sufficiently," he added.

All influenza A viruses, including the H5N1 bird flu virus, are believed to have similar structures. Theoretically, one drug could fight all of them.

"We would like to start work. We're hopeful that will lead to efforts to work on completely novel drugs," Tame said.

(Reporting by Tan Ee Lyn; Editing by David Fogarty)

Source: YN

See also:

NASA Envisions Huge Lunar Telescope

Half Boat, Half Car, All Adventure

Astronauts handle explosives on daring spacewalk

A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.

The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.

"The possibility of this has been known for a little while but this is the first time we've seen it done," said David Emm, senior technology consultant for security vendor Kaspersky Lab.

Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft's Windows Media Audio format, wraps them in an ASF container and adds links to further copies of the malware, in the guise of a codec, according to another security analyst, Secure Computing.

The ".mp3" extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.

Most savvy PC users are aware of the codec ruse, but the style of attack is still effective since many media players do need to receive updated codecs occasionally in order to play files.

"Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream," Secure Computing said.

Users on a digital audio enthusiast site differed over the danger level of the malware.

"I never allow programs to choose which codecs I use to play back media," wrote JXL on the Hydrogen Audio forum "I research it and get the codec bundles off of sites I know to be trustworthy and even then I still scan them and check to make sure they are what they are. I honestly don't feel that this malware has a very good chance of spreading fast."

But most users will probably think the prompt to download a codec is just routine business, wrote a user by the nickname of Citay on the same forum.

"I think that outside a minority of users who really know about all the dangers implied with Internet use, the vast majority of people have no idea that such a codec download could lead to a Trojan infection," Citay wrote.

Trend Micro calls the malware "Troj_Medpinch.a," Secure Computing named it " "Trojan.ASF.Hijacker.gen" and Kaspersky calls it "Worm.Win32.GetCodec.a."

Via Yahoo News

See also:

Biotech - Placebo v. Placebo

Australia unveils online code of conduct

FCC chief says Comcast violated Internet rules

LONDON - Millions of security cameras throughout Britain aimed to combat terrorism and crime also catch litterbugs, parking violators and, oops, doggy doo left on the grass.

Britons complain that local officials use the cameras to prosecute petty offenses.

The latest outrage came last month when a dog owner in Bristol, England, was fined for "dog fouling" after being shown pictures of his mixed collie, Mitzy, squatting in a grassy commons area. The owner, Paul Griffiths, was fined $320 and ordered to pay $1,760 after failing to appear in court.

"We're the most monitored society in the world," says Jen Corlew, spokeswoman for Liberty, a civil liberties group in London. "And we're very concerned there's abuse of this."

Britain has 4.2 million surveillance cameras - 20% of the world's closed circuit cameras, according to the nation's independent Information Commissioners Office. There is a camera for every 14 people. An average Londoner is captured on camera 300 times a day, the office reported.

The case of Mitzy isn't the only example:

• In the Borough of Poole on England's south coast, the cameras tracked a family to see whether members had lied about their address to get a child into a preferred school in a neighboring area. They hadn't.

• London's Westminster City Council called for a review of its 250 cameras after people argued about unwarranted parking tickets and helped drive up complaints 13% against the council in the first quarter of this year.

• London's Borough of Chelsea and Kensington used the cameras to catch a man sporting his mother's disabled parking sticker to evade more than $25,000 in parking fees.

In a spring survey by the Press Association news agency, local councils acknowledged turning cameras on those who violate ordinances for cleaning up after dogs, littering, benefit fraud, dumping waste and underage alcohol sales.

Police use the cameras to help track suspects of serious crimes such as murder and assault.

Corlew says the number of local authorities who use the surveillance for minor offenses "is quite shocking."

"There's other, less-intrusive ways of stopping an individual who is a dog fouler," she says.

Simon Milton, chairman of the Local Government Association, warned councils in England and Wales last month that they risk alienating the public by "overzealous" use of cameras.

"Our advice is that save in the most unusual and extreme circumstances, it is inappropriate to use these powers for trivial matters," he wrote in a letter to council leaders.

Ken Jones, president of the Association of Chief Police Officers, issued a similar warning last week. He told police chiefs that abusing surveillance powers causes "widespread unease" in the public and needs to be stopped.

The councils have defended their usage of the cameras, as in the case of Mitzy's owner.

Griffiths, 48, told the Bristol Evening Post that his dog only urinated. Camera images showed the dog squatting and nothing else, he said.

Bristol Councilor Judith Price said in a written statement, "It may seem easier at the time to walk away from the dog mess, but if you get caught, you will be fined."

Source: Yahoo news

See also:

Einstein Was Right, Astrophysicists Say

Space probes show solar system dented, not round

Capturing DNA Molecules In A Nanochannel