Syber Group

BlackBerry To Patch For Heartbleed

April 25, 2014 by  
Filed under Security

BlackBerry Ltd said it will release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the “Heartbleed” security threat.

Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.

Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.

Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.

He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.

Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.

“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.

Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.

Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.

Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.

He said mobile app developers have time to figure out which products are vulnerable and fix them.

“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.

Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.

Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.

Source

Juniper Boots Employees

April 23, 2014 by  
Filed under Computing

Juniper Networks plans to reduce its global workforce by six percent and focus on its high-growth businesses. Juniper said most of the cuts would impact middle management positions and that it expected to incur cash charges of about $35 million in the first quarter, related to severance and other expenses. The company had 9,483 full-time employees as of December 31.

Juniper also said it would stop development of the application delivery controller technology, which helps remove excess load from servers, resulting in a non-cash intangible asset impairment charge of about $85 million. The company said it plans to consolidate its facilities and flog off about 300,000 square feet of leased facilities.

Juniper added that it expected to record other non-cash asset write-downs of about $10 million in the first quarter and that it expects to carry out more restructuring in the second quarter.

Hedge fund Elliott recently claimed that Juniper shares were “undervalued” and could be worth $35-$40 if Juniper focused on revamping its core business of making routers and switches for mobile carriers such as Verizon and AT&T. Shares of Juniper are currently worth $26.35.

Source

Oracle Updates NoSQL

April 22, 2014 by  
Filed under Computing

Oracle has announced the availability of the latest edition of its NoSQL database.

NoSQL is Oracle’s distributed key-value database. Now in its third version, the enhancements this time are heavily centred around security and business continuity.

Oracle NoSQL 3.0 features improvements in security with cluster-wide password based user authentication and integration with Oracle Wallet. Session level Secure Socket Layer (SSL) encryption and network port restriction are also included.

For disaster recovery and prevention, there’s automatic fail-over to metro-area secondary data centres, while secondary server zones can be used to offload read-only workloads to take the pressure off primary servers under stress.

For developers, there is added support for tabular data models that Oracle claims will simplify application design and improve integration with SQL based applications, while secondary indexing improves query performance.

“Oracle NoSQL 3.0 helps organisations fill the gap in skills, security and performance by delivering […] enterprise-class NoSQL database that empowers database developers and DBAs to easily, intuitively and securely build and deploy next generation applications,” said Oracle’s EVP of Database Server Technologies, Andrew Mendelsohn.

It’s already been a big week for the SQL community with NoSQL arriving on MariaDB for the first time, courtesy of a tie-up between SkySQL, Google and IBM on Tuesday, while yesterday Fusion-IO announced the use of Non-volatile memory (NVM) compression in MySQL to increase the capacity of SSD storage.

Both the community and enterprise versions of Oracle NoSQL Database 3.0 are available for download now from the Oracle Technology Network.

Source

Microsoft Issues New Policies

April 11, 2014 by  
Filed under Security

Microsoft Corp, under fire for accessing an employee’s private Hotmail account to prove he was illegally passing computer code to a blogger, has said it will now refer all suspicious activity on its email services to law enforcement.

The decision, announced by head lawyer Brad Smith on Friday, reverses Microsoft’s initial reaction to complaints last week, when it laid out a plan to refer such cases to an unidentified former federal judge, and proceed to open a suspect email account only if that person saw evidence to justify it.

“Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves,” said Smith, in a blog post on the software company’s website. “Instead, we will refer the matter to law enforcement if further action is required.”

Microsoft – which has recently cast itself as a defender of customer privacy – was harshly criticized last week by civil liberties groups after court documents made public in the prosecution of Alex Kibkalo in Seattle federal court for leaking trade secrets showed that Microsoft had accessed the defendant’s email account before taking the matter to legal authorities.

The company said last week its actions were within its legal rights under the terms of use of its email services, but has now acknowledged that its actions raised concerns about customer privacy.

The issue is poignant for Microsoft, which routinely criticizes Google Inc for serving up ads based on the content of users’ Gmail correspondence.

It has also been campaigning for more transparency in the legal process through which U.S. intelligence agencies can get access to email accounts following the revelations of former National Security Agency contractor Edward Snowden.

“While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us,” said Smith in his blog. “Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.”

Source

Malware Targets Job-seekers

April 10, 2014 by  
Filed under Around The Net

A new version of the Gameover computer Trojan is targeting job hunters and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts.

Gameover is one of several Trojan programs that are based on the infamous Zeus banking malware, whose source code was leaked on the Internet in 2011. Like Zeus, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers.

The ability to inject content into browsing sessions in real time has traditionally been used by computer Trojans to steal online banking credentials and financial information. However, cybercriminals are increasingly using this technique to compromise other types of accounts as well.

For example, in February, researchers from security firm Adallom found a Zeus variant that stole Salesforce.com log-in credentials and scraped business data from the compromised accounts.

The latest development involves a new Gameover variant that contains a configuration file to target Monster.com accounts, one of the largest employment websites in the world, security researchers from antivirus firm F-Secure said.

“A computer infected with Gameover ZeuS will inject a new ‘Sign In’ button [into the Monster.com sign-in page], but the page looks otherwise identical,” they said.

After the victims authenticate through the rogue Web form, the malware injects a second page that asks them to select and answer three security questions out of 18. The answers to these questions expose additional personal information and potentially enable attackers to bypass the identity verification process.

Targeting Monster.com is a new development, but the Gameover malware had already been targeting CareerBuilder.com, another large employment website, for some time.

Recruiters with accounts on employment websites should be wary of irregularities on log-in pages, especially if those accounts are tied to bank accounts and spending budgets, the F-Secure researchers said. “It wouldn’t be a bad idea for sites such as Monster to introduce two factor authentication beyond mere security questions.”

The authors of the Gameover Trojan program have been particularly active recently. In early February researchers from security firm Malcovery Security reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. Later that month researchers from Sophos detected a Gameover variant with a kernel-level rootkit component that protected its files and processes, making it harder to remove.

Unlike most other Zeus spinoffs, Gameover is also using peer-to-peer technology for command-and-control instead of traditional hosted servers, which improves its resilience to takedown efforts by security researchers.

Source

IT Dissatisfaction Growing

April 9, 2014 by  
Filed under Computing

Companies want to reduce spending on IT operations and infrastructure and shift resources to revenue-producing areas, according to two new studies. But business leaders and IT executives are also registering higher levels of dissatisfaction with IT as more demands are placed on technology.

The reports, by the Hackett Group and McKinsey & Co., both agree that business executives want IT to do more to improve the bottom line while companies spend less on infrastructure in the process.

The bad news for people who work in IT operations is that large businesses expect to cut IT staff positions by about 2% this year, thanks to automation and outsourcing, according to Hackett’s survey of 160 businesses with revenues above $1 billion.

One path to improved automation will likely be through adoption of software-defined infrastructures, something Bank of America plans to do.

IT budgets will grow by 1.7% this year as IT pivots, increasingly, from a service-providing operation to a revenue-generating one, the Hackett Group said in its study.

IT managers are being told that “you’ve got to grow the business, not just run the business,” said Mark Peacock, an IT transformation practice leader and principal at Hackett.

McKinsey & Co., in its online survey of more than 800 executives — with 345 having a technology focus — also found that executives want less of their budgets to go to infrastructure so more resources can be shifted to analytics and innovation.

The McKinsey survey found that business executives are less likely to say now that IT performs effectively, compared to their views two years ago.

“The IT executives are even more negative,” wrote McKinsey, with only 13% of them saying their IT organizations “are completely or very effective at introducing new technologies faster or more effectively than competitors.” That percentage was down from 22% in 2012.

The negative results “likely reflect the overall rising expectations for corporate IT,” wrote McKinsey.

When asked how to fix IT shortcomings, respondents cited improved business accountability, more funds for priority projects and a higher level of IT talent, the report said.

The Hackett Group survey didn’t report on dissatisfaction, but it did find that the top goal for IT organizations this year is “to strengthen partnership and goal alignment between IT and the business.”

Source

Cisco Goes To The Cloud

April 4, 2014 by  
Filed under Around The Net

Cisco Systems Inc will offer cloud computing services, pledging to spend $1 billion over the next two years to make a foray into a market currently dominated by the world’s biggest online retailer Amazon.com Inc, the Wall Street Journal reported.

Cisco said it will spend the amount to build data centers to help run the new service called Cisco Cloud Services, the Journal reported.

Cisco, which mainly deals in networking hardware, wants to take advantage of companies’ desire to rent computing services rather than buying and maintaining their own machines.

Enterprise hardware spending is dwindling across the globe as companies cope with shrinking budgets, slowing or uncertain economies and a fundamental migration to cloud computing, which reduces demand for equipment by outsourcing data management and computing needs.

“Everybody is realizing the cloud can be a vehicle for achieving better economics (and) lower cost,” the Journal quoted Rob Lloyd, Cisco’s president of development and sales as saying.

“It does not mean that we’re embarking on a strategy to go head-to-head with Amazon.”

Microsoft Corp last year said it was cutting prices for hosting and processing customers’ online data in an aggressive challenge to Amazon’s lead in the growing business of cloud computing.

Cisco could not be immediately reached for comment by Reuters outside regular U.S. business hours.

Source

Scientists Develop Anti-Faking PC

April 3, 2014 by  
Filed under Computing

Scientists have developed a computer system with sophisticated pattern recognition abilities that performed more impressively than humans in differentiating between people experiencing genuine pain and people who were just pretending.

In a study published in the journal Current Biology, human subjects did no better than chance – about 50 percent – in correctly judging if a person was feigning pain after seeing videos in which some people were and some were not.

The computer was right 85 percent of the time. Why? The researchers say its pattern-recognition abilities successfully spotted distinctive aspects of facial expressions, particularly involving mouth movements, that people generally missed.

“We all know that computers are good at logic processes and they’ve long out-performed humans on things like playing chess,” said Marian Bartlett of the Institute for Neural Computation at the University of California-San Diego, one of the researchers.

“But in perceptual processes, computers lag far behind humans and have a lot of trouble with perceptual processes that humans tend to find easy, including speech recognition and visual recognition. Here’s an example of a perceptual process that the computer is able to do better than human observers,” Bartlett said in a telephone interview.

For the experiment, 25 volunteers each recorded two videos.

In the first, each of the volunteers immersed an arm in lukewarm water for a minute and were told to try to fool an expert into thinking they were in pain. In the second, the volunteers immersed an arm in a bucket of frigid ice water for a minute, a genuinely painful experience, and were given no instructions on what to do with their facial expressions.

The researchers asked 170 other volunteers to assess which people were in real discomfort and which were faking it.

After they registered a 50 percent accuracy rate, which is no better than a coin flip, the researchers gave the volunteers training in recognizing when someone was faking pain. Even after this, the volunteers managed an accuracy rate of only 55 percent.

The computer’s vision system included a video camera that took images of a person’s facial expressions and decoded them. The computer had been programmed to recognize that one kind of facial movement combination suggested true pain and another kind suggested faked pain.

Source

AMD To Focus On China

April 1, 2014 by  
Filed under Computing

Advanced Micro Devices has relocated its desktop chip business operations from the U.S. to the growing market of China, adding to its research lab and testing plant there.

The desktop market in China is growing at a fast pace and its shipments of desktops and laptops are equal in ratio, said Michael Silverman, an AMD spokesman, in an email. “The desktop market in China remains strong,” Silverman said.

The move of AMD’s desktop operations was first reported by technology news publication Digitimes, but the chip maker confirmed the news.

The company is also developing tailored products for users in China, Silverman said.

AMD’s move of desktop operations to China brings them closer to key customers such as Lenovo, said Dean McCarron, principal analyst at Mercury Research.

“Not that they don’t have their sales in the U.S.,” but a significant number of those PCs are made in China and then shipped internationally, McCarron said.

AMD is the world’s second-largest x86 processor maker behind Intel. Many PC makers like HP and Dell get products made in China.

Being in China also solves some desktop supply chain issues because it moves AMD closer to motherboard suppliers like Asustek and MSI, which are based in Taiwan, but get parts made in China. Chips will be shipped to customers faster and at a lower cost, which would reduce the time it takes for PCs to come to market, McCarron said.

AMD already has a plant in Suzhou, which Silverman said “represents half of our global back-end testing capacity.” AMD’s largest research and development center outside the U.S. is in Shanghai.

Some recent products released by the company have been targeted at developing countries. AMD recently started shipping Sempron and Athlon desktop chips for the Asia-Pacific and Latin America markets, and those chips go into systems priced between $60 and $399. AMD is targeting the chips at users that typically build systems at home and shop for processors, memory and storage. The chips, built on the Jaguar microarchitecture, go into AMD’s new AM1 socket, which will be on motherboards and is designed for users to easily upgrade processors.

China is also big in gaming PCs, and remains a key market for AMD’s desktop chips, said Nathan Brookwood, principal analyst at Insight 64. “White box integrators play a big role in China,” he said.

Source

Zeus Attached To Cancer Email Scam

March 28, 2014 by  
Filed under Around The Net

Thousands of email users have been hit by a sick cancer email hoax that aims to infect the recipients’ computers with Zeus malware.

The email has already hit thousands of inboxes across the UK, and looks like it was sent by the National Institute for Health and Care Excellence (NICE). It features the subject line “Important blood analysis result”.

However, NICE has warned that it did not send the malicious emails, and is urging users not to open them.

NICE chief executive Sir Andrew Dillon said, “A spam email purporting to come from NICE is being sent to members of the public regarding cancer test results.

“This email is likely to cause distress to recipients since it advises that ‘test results’ indicate they may have cancer. This malicious email is not from NICE and we are currently investigating its origin. We take this matter very seriously and have reported it to the police.”

The hoax message requests that users download an attachment that purportedly contains the results of the faux blood analysis.

Security analysis firm Appriver has since claimed that the scam email is carrying Zeus malware that, if installed, will attempt to steal users’ credentials and take over their PCs.

Appriver senior security specialist Fred Touchette warned, “If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen.

“What they won’t see is the downloader then taking control of their PC. It immediately begins checking to see if it is being analysed, by making long sleep calls, and checking to see if it is running virtually or in a debugger.

“Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server at 69.76.179.74 with the command /ppp/ta.php, and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400.”

Source
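The network indicators quoted above (a POST to 69.76.179.74 at /ppp/ta.php, then listening on UDP ports 7263 and 4400) can be hunted for in proxy and firewall logs. The sketch below is an added example, not code from the article or from Appriver; the log formats, internal host addresses and finding names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as quoted in the article above.
C2_IP = "69.76.179.74"
C2_PATH = "/ppp/ta.php"
LISTEN_UDP_PORTS = {7263, 4400}

# Constructed sample logs (assumed formats, documentation/private addresses).
PROXY_LOG = """\
2014-03-27T09:14:02Z 10.0.4.17 POST http://69.76.179.74/ppp/ta.php 200
2014-03-27T09:14:05Z 10.0.4.22 GET http://example.org/index.html 200
2014-03-27T09:15:40Z 10.0.4.31 POST http://69.76.179.74/ppp/ta.php?id=1 200
2014-03-27T09:16:11Z 10.0.4.40 GET http://69.76.179.74/favicon.ico 404
"""
FIREWALL_LOG = """\
2014-03-27T09:14:30Z ALLOW UDP 198.51.100.9:53211 -> 10.0.4.17:7263
2014-03-27T09:14:31Z ALLOW UDP 10.0.4.22:5353 -> 224.0.0.251:5353
2014-03-27T09:20:02Z DENY UDP 203.0.113.5:40000 -> 10.0.4.50:4400
2014-03-27T09:21:00Z ALLOW TCP 10.0.4.17:49200 -> 192.0.2.10:7263
"""

# timestamp, action, protocol, source ip:port, destination ip:port
FW_LINE = re.compile(r"^\S+ (ALLOW|DENY) (UDP|TCP) \S+:\d+ -> (\S+):(\d+)$")


def triage(findings):
    """Rank a host by how much of the described behaviour it shows."""
    if {"c2_checkin", "udp_cmd_port"} <= findings:
        return "high"    # data posted out and command port reachable
    if "c2_checkin" in findings:
        return "medium"  # data posted to the quoted server and path
    return "low"         # partial match only, worth a look


def scan(proxy_log, firewall_log):
    """Return {internal_host: (severity, sorted finding names)}."""
    findings = defaultdict(set)
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        _, src, method, url, _ = parts
        target = urlsplit(url)
        if target.hostname != C2_IP:
            continue
        # The query string is ignored; only the path is compared.
        if method == "POST" and target.path == C2_PATH:
            findings[src].add("c2_checkin")
        else:
            findings[src].add("c2_contact")
    for line in firewall_log.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        action, proto, dst, dport = m.groups()
        # Only traffic the firewall let through to the quoted UDP ports.
        if action == "ALLOW" and proto == "UDP" and int(dport) in LISTEN_UDP_PORTS:
            findings[dst].add("udp_cmd_port")
    return {host: (triage(f), sorted(f)) for host, f in findings.items()}


if __name__ == "__main__":
    for host, (severity, names) in sorted(scan(PROXY_LOG, FIREWALL_LOG).items()):
        print(f"{host:12} {severity:6} {', '.join(names)}")
```

A host that both posted to the quoted path and received allowed UDP traffic on one of the two ports is ranked highest, since it matches both halves of the behaviour described in the quote.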
