Wednesday, February 28, 2007

Storm Worm variant targets blogs, bulletin boards

A variant of the Trojan horse attacks known as Storm Worm emerged Monday, targeting people who post blogs and notices to bulletin boards.

Storm Worm emerged in January and raged across the globe in the form of e-mails with attachments that, when opened, loaded malicious software onto victims' PCs, commandeering the machines so they could be used for further attacks.

The new Storm Worm variant attacks the machines of unsuspecting users when they open an e-mail attachment, click on a malicious e-mail link or visit a malicious site, said Dmitri Alperovitch, principal research scientist at Secure Computing.

But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high."

"We haven't seen the Web channel used before," he said. "In the past, we've seen malicious links distributed to people in a user's address book and made to look like it's an instant message coming from them."

The danger in this most recent case, he added, is that the user is actually posting a legitimate blog or bulletin board notice, unaware that a malicious link has been slipped into the text of the posting.

Tuesday, February 27, 2007

Vista WGA problems confirmed

Vista WGA problems confirmed by ZDNet's Ed Bott -- I've seen Vista's new WGA problems up close and personal, and I've got the screenshots to prove it. Why are some programs able to convince Windows that the operating system has been tampered with? Why is Windows Defender allowing them to do it? And what can you do if you're caught in the crosshairs?

Monday, February 26, 2007

T.J. Maxx probe finds broader hacking

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any of TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.
The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that handles customer transactions for its T.K. Maxx stores in the United Kingdom and Ireland, but that there has been no confirmation that anyone actually accessed that data.

In addition to these exposures, TJX said there were more breaches of driver's license information than it previously thought. These included the license numbers, names and addresses of customers making merchandise returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls and HomeGoods stores. That compromised data, according to TJX, is restricted to returns without receipts that took place in the last four months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been accessed.

The company, which is continuing its investigation, encourages customers to check their credit-card and bank-account records and look for further updates on its Web site.

Thursday, February 22, 2007

The Great Vista/Mac Showdown: Two flavors of Bluetooth experience

The Great Vista/Mac Showdown: Two flavors of Bluetooth experience by ZDNet's Mitch Ratcliffe -- Not every confrontation between these operating systems will be won by the sheer brilliance of one OS's implementation of a technology, and so it is with the Bluetooth experience on Windows Vista and Mac OS X. Image Gallery: Follow a step-by-step comparison of the two operating systems' Bluetooth configuration and file transfer experience in this gallery [...]

Vista Hands On #6: Remove private information from a file

Vista Hands On #6: Remove private information from a file by ZDNet's Ed Bott -- Metadata within a file can tell a lot about you - maybe even more than you want the world to know. A new option in Windows Vista allows you to easily zap unwanted details stored in the properties of a file. Here's how to find this feature and use it.

Wednesday, February 21, 2007

Massive DDoS attack KOs CastleCops

Massive DDoS attack KOs CastleCops by ZDNet's Ryan Naraine -- The anti-phishing community at has been knocked out by a massive DDoS (distributed denial-of-service attack).

Microsoft set to publicize list of 800 Vista-compatible apps

Microsoft set to publicize list of 800 Vista-compatible apps by ZDNet's Mary Jo Foley -- On February 20, Microsoft announced final availabilty of six Vista deployment tools. The company also went public with its plans to publish a list of applications that have been certified by independent testers as "Vista-compatible."

Podcast: Windows Mobile 6, virtualization, SOA for the masses and more…

Podcast: Windows Mobile 6, virtualization, SOA for the masses and more… by ZDNet's Dan Farber -- This week on the Dan & David Show, David checks out Microsoft's Windows Mobile version 6 platform. We also discuss how competition in the virtualization space in heating up (always good for buyers), what Microsoft means by Vista "Ready" and Vista "Capable," and how SOA methods (mashups, assemblers, widgets, etc.) are becoming more usable by [...]

Windows Mobile 6

Windows Vista isn't the only operating system making its debut this year, as Microsoft also revamped its OS for mobile devices and formally introduced Windows Mobile 6 at 3GSM World Congress. Taking the reins from Windows Mobile 5, Windows Mobile 6 isn't a complete overhaul of the OS; instead, it offers a number of useful enhancements that makes performing tasks easier and puts more powerful tools into the hands of mobile professionals. We were particularly impressed with the new e-mail search function, Mobile Office additions, and Windows Live integration, but we think Microsoft could have done a lot more. For example, multimedia improvements are practically nonexistent and the user interface is still kludgey, requiring numerous steps to complete a simple task. Also, some of the enhanced functionality to Outlook and calendaring require that you use Exchange Server 2007. Despite these flaws, the new improvements make Windows Mobile 6 worth the upgrade.

The best news, of course, is that new OS means there will be a number of new devices coming out. There will be three editions again, but they've been renamed as Classic (formerly known as Pocket PC Edition), Standard (Smartphone Edition), and Professional (Pocket PC Phone Edition), so you can look forward to a variety of form factors. In fact, we've already seen a number of product announcements from 3GSM, including the Motorola Q q9 and the HTC Vox. For Windows Mobile 5 users, Microsoft said it will be up to carriers and device manufacturers whether they will offer upgrades, but T-Mobile has already announced that it will offer updates to current T-Mobile Dash owners and future Dash devices will ship with Windows Mobile 6.

For our review, we checked out Windows Mobile 6 Standard Edition using the HP iPaq 510 Voice Messenger, though we will continue to evaluate the OS and its variations as more devices start to arrive on the scene.


Windows Mobile 5 users won't be in for any major surprises when they see Windows Mobile 6, as the interface largely remains the same as before. Windows Mobile 6 does have more of a Vista look with its similar color scheme and bubbly, eye-pleasing icons. Along the top of the Today screen, you still get shortcuts to your most recently used apps, but the icons are slightly larger. Below that, you'll find such important information as time, date, upcoming appointments, messages, and so forth. Of course, you can customize the background image, color scheme, and backlight time.

One of the biggest complaints about Windows Mobile devices, especially when compared to Palm, is the number of steps it takes to perform a simple task, such as closing out of a program. This is still pretty much true of Windows Mobile 6, but Microsoft has taken some steps to ease the pain. For example, the company has added nine new e-mail shortcuts so you can easily reply, delete, move messages, and more. While this is a step in the right direction, there is still plenty of room for improvement.


Window Mobile 6 really doesn't offer any mind-blowing new features, but rather, it includes some nice refinements that make the devices easier to use as well as act more like your PC. However, we should warn you that a number of the enhanced PIM capabilities require Exchange Server 2007, so unfortunately, if you or your company have no plans to upgrade, you're left in the cold. We'll note such exceptions as we go through the features.

Contacts and Calendar

Starting with some of the basics, call history is now sorted to the appropriate contact page. Though you may think this isn't a big deal, it's actually quite convenient as you can easily see when you received and made calls to that specific person, the time of the call, the duration, and so forth. Also, the new OS provides a quick Send Text Message shortcut, so you can be on your way to text message heaven with just one click, rather than having to go through several steps.

The Calendar app is also more user friendly, as the upgrade provides a better view of your schedule at a glance. First, there's a new Calendar Ribbon that lines the top of the screen and shows you which times you are free and which are booked. In addition, you get a week view, and while it gives you a good overview of your schedule--complete with colored blocks for appointments--you can also get details of the event, such as meeting location, right along the bottom of your screen so you don't have to open each one. The calendaring capabilities are also more robust if you are using Exchange Server 2007. With that integration, you have the ability to not only see who is attending a meeting, but you can forward and reply to meeting requests as well. While we couldn't test this feature, we got a working demo, and we can see how it would really come in handy for the mobile professional, bringing more of that PC experience to your smart phone.


E-mail is a lot smarter on Windows Mobile 6. First, all devices will ship with Microsoft's Direct Push technology so you get real-time e-mail delivery and automatic synchronization with your Outlook calendar, tasks, and contacts via Exchange Server. Microsoft has also added nine new one-click shortcuts, as we noted above; plus, you get more of the true Outlook experience as your In-box view shows messages that are flagged, marked as high importance, and so forth. Once again, with Exchange Server 2007, you can do even more with Outlook Mobile, such as set up an Out of Office reply.

Searching for e-mails is no longer an unpleasant task, thanks to a new search function. Similar to the Smart Dial feature on Windows Mobile 5 devices, where you input a couple of letters to pull up associated contact, you can simply start typing in a word while in your Inbox, and it will automatically pull up messages with that term in the subject or contact field. It worked great for us, and it's truly a timesaver.

There is, of course, continued support for POP3 and IMAP accounts, but now you can also view e-mails in their original HTML format, regardless of account type. If there happens to be a hyperlink within a message, you can select to go to that page or if a phone number is listed, you can dial out directly from that message as well.

Windows Live for Mobile and Web browsing

If you have a Hotmail/Windows Live e-mail account, you can easily access those messages with Windows Live for Mobile. It's a simple matter of inputting your user ID and password, then you can choose to synchronize your e-mail and contacts, which integrates nicely into your phone's address book. As far as instant messenger, you get Live Messenger (formerly MSN Messenger), which boasts some improvements in its own right. Now, you can have multiperson chats and send images and voice clips via IM. While we appreciate these new capabilities, we're disappointed that there's not a more universal app included that supports other popular IM clients such as AIM and Yahoo.

Another aspect of Windows Live for Mobile is the Live Search, giving you a quick and easy way to search the Web. When you first access Windows Live, you are given the option of adding a Live Search bar, as well as Windows Live services, to the Today screen, and we recommend doing so. It's truly handy just to turn on your phone, enter a search term in the field, press OK, and instantly get results. The Live Search bar is also now part of the Internet Explorer Mobile home page, as well as new expandable Favorites and History menus.

Finally, there is also a new Internet Sharing utility, courtesy of Windows Mobile 6, that allows you to easily set up your phone as a wireless modem for your laptop via Bluetooth, or you can use a USB connection as well.

Work and play

The big news here is that Windows Mobile 6 Standard Edition (formerly Smartphone Edition) now has the full Microsoft Office Mobile Suite. Whereas Windows Mobile 5 smart phones typically came installed with the Picsel Viewer Suite for opening and viewing Word, Excel, and PowerPoint documents, Windows Mobile 6 brings the real deal so you can not only see said files but also edit them. We should note, however, that the editing capabilities are pretty light. In Word, you're pretty much restricted to adding and deleting text and formatting type (such as bold, italic, underline, and highlight); while in Excel, you can insert rows and columns, sort, perform basic functions, and so forth. PowerPoint remains pretty much view-only, although you can change playback options. For now, you can't create new documents on Standard Edition devices. It is possible with OneNote 2007, but this isn't part of the standard Windows Mobile 6 package, so you'll have to shell out $79.95 for the app. That said, we were able to transfer all three document types using a beta version of ActiveSync 4.5 and had no problems viewing or editing them. Admittedly, trying to edit manuscripts and spreadsheets without a touch screen and a QWERTY keyboard was a bit challenging on the HP iPaq 510.

Sadly, there were no notable improvements to Windows Media Player Mobile.

Service and support

Microsoft has maintained an informative and helpful support site for Windows Mobile 5 users; we hope and suspect that this will continue with Windows Mobile 6 as more devices become available. As it stands now, you can search through a number of help and how-to articles to get you through the basics, such as setting up your device, then delve into more advanced capabilities. As we noted in the beginning, it'll be up to carriers and device manufacturers to determine if they will offer Windows Mobile 6 upgrades.

The DVD-R media that destroyed my SuperDrive (photos)

The DVD-R media that destroyed my SuperDrive (photos) by ZDNet's Jason D. O'Grady -- Yesterday I inserted a blank DVD-R disc into my MacBook Pro (2.33GHz Core 2 Duo) like I've done dozens of times before. But this time was different. This time it destroyed my SuperDrive.

Monday, February 19, 2007

Price of cybercrime tools shrinks

It's becoming cheaper and easier to get hold of the tools needed to launch a cybercrime attack, according to security company RSA.

Jens Hinrichsen, the company's product marketing manager for fraud auction, said Thursday that RSA has been monitoring the Web sites and ICQ channels where malicious hackers and cybercriminals interact. These sites allow participants to share feedback and even review one another's products.

Addressing an audience at the RSA Conference 2007 here, Hinrichsen showed several screengrabs to illustrate that the prices being asked for hacking tools have been dropping, with many participants embracing volume discounts and other incentives.

One example was a post offering a "Super Trojan," which could be used to install malicious code on a victim's PC, for $600.

"What's interesting is that this is actually a reviewed vendor, who actually had a lot of good transactions. He's offering this custom piece of crimeware for only $600," said Hinrichsen, who added that he "loved the term 'Super Trojan.'"

"So, when we talk about the ever-increasing ramp-up of more sophisticated tools," he said, "the prices are coming down."

Another example was someone selling e-mail address lists and log-in details for sites such as eBay.

"For one to 10 accounts, this guy would charge you five bucks per account. But they've got discounted rates--just like any other institution would offer their customers. So if you buy 10 to 50 accounts, he'll give it to you for $4.50 each. Fifty more accounts would be $3.50 each," Hinrichsen said.

Other examples shown included a list of 15,000 e-mail addresses, which had all apparently been verified as genuine, for sale for $1,500, a hacked root server for $100 to $150, and someone offering to host a financial scam on his Web site for $20 per day, or $80 for a week.

768 cores ought to be enough for anybody

768 cores ought to be enough for anybody by ZDNet's Ed Burnette -- While Intel struggles to get their 80-core processor to work, a company you've probably never heard of has been quietly shipping systems with hundreds of cores. Last year at JavaOne I attended a presentation by Cliff Click of Azul Systems on scaling up an application that used to take weeks to run so that it could finish in minutes. After the Intel announcement, I tracked down Cliff to get his thoughts on multicore hardware and software.

Friday, February 16, 2007

U.S. 'threatened' alleged NASA hacker, defense says

The fate of Gary McKinnon, the alleged NASA hacker, is hanging in balance after his appeal against extradition to the U.S. was adjourned at the Court of Appeal in London on Wednesday evening.

Over two days in court, McKinnon's defense team presented new evidence that it said meant the judges should reject his extradition to face charges of breaking into and damaging U.S. government computers.

The Court of Appeal is the court of last resort under U.K. law, and usually it will only find for or against the appellant. But the defense argued on Tuesday and Wednesday that evidence brought to light by the McKinnon case raised serious questions about the U.S. government's case.

The defense has urged the Court of Appeal to consider referring McKinnon's case back to the U.K. government, or to allow a further appeal to the European Court of Human Rights, if it will not reject the extradition outright.

The evidence centered on what was or was not said to McKinnon when he was being offered a plea bargain. More well-known in the U.S., and now also used on an informal basis in the U.K., a plea bargain is when the prosecution offers a reduced sentence or other incentive, in return for a defendant's agreement to cooperate.

In this case, if McKinnon agreed to cooperate with them, the U.S. authorities said they would agree to a reduced sentence of three years or less. They would also let him serve the sentence in a U.K. prison and not in an American "super high-security prison," as Edmund Lawson, a lawyer appearing for McKinnon's defense, put it.

All parties appear to agree on that part of the description of what happened. But what was said next became the main source of controversy in court. According to McKinnon and his counsel, a U.S. member of the prosecution team then "threatened" McKinnon that if he did not agree to the bargain, they would push for the highest possible penalties and that he would be "turned over to New Jersey authorities to see him fry."

And the defense further alleged that the U.S. said that if McKinnon did not agree to the deal, there would be no chance of his serving his sentence in the U.K. near his friends and family.

This quickly became known as the "fry" statement. The defense said it could be taken to mean a threat on McKinnon's life, should he be handed over to New Jersey rather than Virginia, the two states where McKinnon was alleged to have damaged IT systems.

In fact, if it was a threat, it may be something of an idle one. Although both states have the death penalty, New Jersey has not executed anyone in 20 years, while Virginia is still active in executions. In any case, under European law, McKinnon cannot be extradited from the U.K. to the U.S. if there is a risk of execution.

Despite this, Lawson argued that the overt nature of the threat was an infringement on McKinnon's human rights. If so, it could be a matter for the European Court of Human Rights, as could be the threat to withdraw the possibility of serving his sentence in the U.K.

The prosecution lawyer, Max Summers, dismissed the points immediately. None of the evidence on the "frying" allegation could be allowed into court since any words spoken during the alleged offer were only done so in confidence, he said.

There is no automatic right for an extradited prisoner to serve a sentence back in his own country and the majority do not, especially those extradited from the U.K. to the U.S. As it was, the U.S. was in no position to refute the allegations over "frying," since none of the relevant American staff involved are currently in the U.K., let alone in court this week.

If this evidence was to be considered at all, Summers argued, then the U.S. government would need notice and time to get witnesses organized, and so a recess would be required.

The defense and prosecution teams and the two judges hearing the appeal discussed the legal consequences of taking the McKinnon case into new legal territory for an extradition hearing for an hour. The court was adjourned at 4:20 p.m. on Wednesday for the Appeal Court judges to consider the options.

They could find in favor of the U.S. authorities, meaning McKinnon would soon travel to the U.S., or they could uphold the appeal and allow McKinnon to go free. Alternatively, they could refer the case back to British Home Secretary John Reid, who decided in July 2006 that the extradition should go ahead, or reject McKinnon's appeal but allow a further appeal to the European Court of Human Rights. A decision is expected next week.

McKinnon himself did not attend the appeal, and saw a doctor on Wednesday following heart palpitations.

Gadget owners beware: Daylight-saving time has changed

Daylight-saving time is springing forward three weeks earlier than usual this year, but consumers may be unaware that some of their gadgets won't automatically be making the transition.

Daylight-saving time (DST) will begin at 2 a.m. Sunday, March 11, and will end a week later than usual, on Sunday, November 4. The change, thanks to a massive federal energy bill passed in 2005 (click for PDF of energy bill) adds extra hours of daylight with the hope of decreasing national energy consumption.

This small change could have big implications for a range of gadget users, from employees of multinationals relying on their devices to remind them of appointments in different time zones to average consumers who count on their smart phones to be, well, smart, and tell the time correctly.

First, the good news: don't worry, your TiVo is fine. TiVo says it sent an automatic software update to its digital video recorder customers last month that included a patch for the DST switch.

But smart-phone customers should take heed: if they don't update both the mobile device and the computer software it synchronizes information from, scheduled items will be off by an hour.

"The way to think about it is to consider any deadline requirements an application has that are more specific than midnight or close of business," Pete Lindstrom, an analyst with the Burton Group, said in an e-mail. "Of course, financial transactions are of the most obvious concern, since minutes and even seconds can matter there. In a smaller way, other deadlines (like the end of the quarter) may be affected, but remember, (it)is only a four-week period...where the impact is felt."

The problem with DST and smart phones can be fixed with a software update that will adjust the date tables that are preprogrammed to tell the device when to move the clock forward or backward by an hour.

Consumers carrying a mobile phone running on any version of Windows Mobile except the recently released Windows Mobile 6 will have to download software updates from the Microsoft Web site to the devices themselves.

Microsoft says there are several ways to perform the update--for instance, downloading the software to a PC and syncing via a cable or downloading the update directly onto the device from Microsoft's Web site. Alternatively, IT department managers can issue an e-mail containing the update, which individuals have to install themselves.

But there are already signs DST won't be a perfectly smooth transition for gadget holders. Susan Bradley, a network administrator for an accounting firm in Fresno, Calif., reported having difficulty doing automatic updates for Windows Mobile phone users.

"I've had to manually update them and I don't know how larger firms will handle this," she said. "In my early tests, one phone is syncing to the mailbox with the right time, one isn't, and I haven't a clue as to why one is working and one isn't when they have all the same patches."

Some Palm devices run Windows Mobile, but for those running Garnet OS, formerly known as Palm OS, the update is not yet available. Palm is "currently working on" a DST software update, which will be posted on the Palm Web site along with instructions once it's available, according to a company spokesperson.

All BlackBerry models will also need to be updated. Individuals can manually download the software patch or IT managers can do the same and automatically push the update to all phones connected to a BlackBerry Enterprise Server.

BlackBerry users can instead choose to manually adjust the time forward and back on the appropriate days to avoid the software update altogether.

Though Research In Motion and Microsoft are letting customers know about the problem by posting fixes on their Web sites and e-mailing some customers in advance, the update process is complex enough that many users may not know whether the problem has been fixed on their device until they've missed an appointment, said Ken Dulaney, an analyst with Gartner.

"I expect over 90 percent of users to ignore any proactive effort on their part. If their company or operator is able to fix the problem then it gets fixed. Otherwise I think they will brute-force it and rearrange the appointments to fit the schedule," he said. "I think that many users will change their signature line on their smart phones and PDAs to say 'Please note, if I (am) an hour late or an hour early for my meeting with you, please understand, its not my fault, it's my government.'"

Tuesday, February 13, 2007

2008: The Year of President 2.0?

2008: The Year of President 2.0? by ZDNet's Larry Dignan -- Barak Obama launched his presidential campaign, talked Iraq, health care costs and retooling Washington. So what gets attention in the tech world? Obama's Web site only plays video in IE, social media features stumbled on day one and you can't import previous political blog posts. Welcome to the Web Mr. Obama. ZDNet's Donna Bogatin and Steve [...]

BlackBerry patent app depicts “pickpocket mode”

BlackBerry patent app depicts “pickpocket mode” by ZDNet's Russell Shaw -- BlackBerry-maker Research In Motion has applied for a patent that would throw a stolen device into "theft mode." The patent application describes a device that "can sense its removal from a holster and take appropriate steps if the removal was unacknowledged by the owner of the portable device." Next, the app describes how this would [...]

Hacker, Microsoft duke it out over Vista design flaw

Hacker, Microsoft duke it out over Vista design flaw by ZDNet's Ryan Naraine -- Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.

Friday, February 09, 2007

Corporate computer threats 'moving to Adobe'

SAN FRANCISCO--The launch of Microsoft Office 2007 is likely to turn malicious hackers' attention to other desktop applications, experts have warned.

They are likely to begin focusing more attention on looking for vulnerabilities in software such as Abobe Systems' Acrobat Reader, security experts said at the RSA Conference 2007 here on Wednesday.

Today, most spyware and other "crimeware" applications target flaws in client-side applications, explained Jeff Moss, who founded the Black Hat and Def Con hacker conventions. These attacks involve sending an employee or home user a modified file, or a hyperlink to a Web download, that will compromise their system if executed.

"Office 2007 is much better architected, and the fine-grained capabilities are much better (than Office 2003), so you're going to see a lot less application attacks against Office. And because of that you're going to see less attacks against Vista that are successful," predicted Moss.

"So, where do the attackers go? Every other app that you are running. That's going to be Acrobat, and we've already started seeing that in the last couple of months. They just go for the lowest-hanging fruit," Moss said.

Moss added that Adobe has recently begun patching more quickly, because it has become more of a target for these attacks. In January, Adobe admitted that its PDF Reader application contained a major security hole, which exposes a user's hard drive to attack.

Attendees of the RSA Conference heard that crimeware is a rapidly growing threat facing both companies and individuals. Criminals are using Trojan horses, rootkits, keyloggers and other pieces of malicious software in a concerted attempt to steal personal data, log-in codes or banking details.

Doug Camplejohn, chief executive of Mi5 Networks, which sells antispyware products, cited analyst firm Gartner's prediction that 75 percent of businesses will fall victim to a piece of financially motivated spyware in 2007. However, he wasn't sure that the recent launch of Office 2007 will have a significant effect on the problem.

"Not everyone is going to move to Vista overnight. So there's going to be a broad period of time when there's a broad user base that is going to have the existing vulnerabilities to deal with," Camplejohn said.

According to Moss, a team of malicious hackers might spend a month working on a client-side exploit before releasing it, but may devote as much as nine months perfecting a server-side attack, trying to get it exactly right before launching it. If the attack relies on a previously unknown flaw, they may only have one shot before security vendors wake up to the problem and issue protection.

Because computer crimes often rely on an individual running an application or clicking on a link, education should be a key part of a company's defense strategy, some conference attendees said. Locking down nonessential applications to limit the company's exposure to danger was also recommended.

"If I've got a user who isn't supposed to go onto the Internet, why am I allowing them Internet access?" asked Andre Gold, director of information security at Continental Airlines.

Camplejohn agreed that a more prescriptive, proactive approach may be better. "User education is nice, but I think that for the most part it falls on deaf ears," he said. "What we find most effective is to basically slap someone's hand right when they're doing something--a screen pop-up that tells them 'You can't do this' because that's confidential data that's going out that door."

"In some cases, people don't know that's something that they shouldn't be doing. And also, they know someone's watching."

Hacker leaves explosions on nuclear Web site

OTTAWA (Reuters) - Red-faced officials at Canada's nuclear safety watchdog on Thursday said they were probing how a hacker had managed to litter its official Web site with dozens of color photographs of a nuclear explosion.

The Ottawa Citizen newspaper said every media release on the Canadian Nuclear Safety Commission's Web site had been labeled as a security breach on Wednesday. When opened, each document had a headline reading "For immediate release" and underneath was a large photo of an exploding atomic bomb.

"We are in discussions with the (Internet service) provider. When we were informed the Web site had been tampered with, we immediately disabled the media module," said commission spokesman Aurel Gervais, dismissing the suggestion that the hacker had been able to access secret information.

"The external Web site was the only Web site that was tampered with. There was no internal information that was compromised," he said.

The media site at was working normally on Thursday.

The Citizen -- which published a color photograph of one of the tampered pages -- said the hacker had left a message saying "Please dont (sic) put me in jail ... oops, I divided by zero".

Thursday, February 08, 2007

Google Opens Gmail Signups Further

After opening its formerly invitation-only Gmail webmail service to anyone with a mobile phone in August 2005, Google removed that requirement Wednesday. Now, anyone can signup for a Gmail account by creating a Google Account.

The mobile phone requirement was designed to prevent Gmail accounts from being created by robots and stop spammers from signing up multiple times. As of Wednesday afternoon, the Gmail signup URL still redirected users to the SMS-based method, but a support article on Google's site says the world is now welcome without an invitation or phone.

Wednesday, February 07, 2007

Wi-Fi hacking, with a handheld PDA

Wi-Fi hacking, with a handheld PDA by ZDNet's Ryan Naraine -- The palm-sized PDA tucked away in Justine Aitel's pocketbook just might be the most scary device on display at this year's RSA security conference.

Internet backbone at center of suspected attack

There are signs that hackers attacked key parts of the backbone of the Internet on Tuesday, but no damage seems to have been done, experts said.

The attack appears to have focused on the Domain Name System, which maps text-based domain names, such as "," to the actual numeric IP addresses of servers connected to the Internet, and vice versa. Several key DNS servers saw traffic spike in the early morning on Tuesday, several experts said--a sign of an attack.

"It is an unusual large amount of traffic that is hitting DNS servers," said John Crain, chief technical officer at the Internet Corporation for Assigned Names and Numbers, which operates one of the main so-called root DNS servers. "We see large attacks on a regular basis, but this hit quite a few servers, so it was fairly large."

Yet the DNS servers were able to withstand the onslaught, Crain added. "It was irritating. It ruined my night's sleep. It was extraordinary in the fact that it happened to multiple systems at once, but this is not affecting Internet users," he said.

DNS serves as the address books for the Internet. There are 13 official root DNS servers, which sit at the top of the DNS hierarchy. These root servers get queried only if other DNS servers, like those at an internet service provider, don't have the right IP address for a specific Web site.

If part of the DNS system goes down, Web sites could become unreachable and e-mail could become undeliverable. But DNS is built to be resilient, and attacks on the system are rare. In 2002, a similar denial-of-service attack also failed.

"The main thing is that there was very little impact on the general public, the servers were able to hold up against the attacks," said Zully Ramzan, a researcher at Symantec Security Response. "The Internet in general was designed to even withstand a nuclear attack."

The barrage of data being apparently targeted at the DNS system started around 2.30 a.m. Pacific Time on Tuesday. Multiple root servers saw a traffic spike, but the "G" server, run by the U.S. Department of Defense, and "L," run by ICANN, seem to have gotten the brunt of it, Ramzan said. ICANN's Crain confirmed that impression.

While ICANN and Symantec didn't see any effect on the Internet at large, Internet service provider Neustar did see slow downs on the Net. "We would call it a brownout instead of a blackout. It was significant, but it did not take anything down," a representative for the company said.

The true cause of the traffic surge still needs to be determined, both Ramzan and Crain said.

Tuesday, February 06, 2007

Microsoft raises support fees for Windows, Office

Microsoft raises support fees for Windows, Office by ZDNet's Mary Jo Foley -- Microsoft quietly raised last week its per-incident support prices across the board for Windows and Office. Officials are attributing the changes to a desire "to provide more personalized support options based on customers’ technology usage."

Screen Gallery: When is a firewall not a firewall? When it’s Vista’s built-in firewall

Screen Gallery: When is a firewall not a firewall? When it’s Vista’s built-in firewall by ZDNet's David Berlind -- Configuring Vista's firewall isn't easy. In fact, it's so difficult that the Windows Firewall is actually worse than having no firewall at all. Mere mortals shouldn't bother configuring it.

Saturday, February 03, 2007

Windows Vista’s three killer features

Windows Vista’s three killer features by ZDNet's Ed Bott -- Should you upgrade to Windows Vista? Sorry, there's no one-size-fits-all answer to that question. But I can put to rest some myths about how well Vista runs on older hardware, and I've found three killer features that haven't received nearly the attention they deserve.

Friday, February 02, 2007

Demo 07: Wireless control of your car

Demo 07: Wireless control of your car by ZDNet's Dan Farber -- Inilex launched Kepler Advantage, which a GPS-enabled wireless device for security and monitoring that plugs into a car’s data bus. From a phone, PDA or other device, you can set alarms, start the engine, unlock doors and receive messages, such as "your vehicle has been stolen." The QuickFence service locates the vehicle and sets a [...]

Users find ways around early Vista licensing hurdles

Users find ways around early Vista licensing hurdles by ZDNet's Mary Jo Foley -- The first wave of Windows Vista users are hitting some licensing glitches that are making them none too happy.