Yahoo Spreading Malware?

Some advertisements on Yahoo Inc’s European websites last week spread malicious software, Yahoo said on Sunday, potentially infecting the computers of thousands of users.

Last Friday, Fox-IT, a Delft, Netherlands-based computer security firm, wrote in a blog that attackers had inserted malicious ads served by ads.yahoo.com.

In a recently released statement, a Yahoo spokesman, said: “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware.” Yahoo said it promptly removed the bad ads, and that users of Mac computers and mobile devices were not affected.

Malware is software used to disrupt a computer’s operations, gather sensitive information, or gain access to private computer systems.

Fox-IT estimated that on Friday, the malware was being delivered to approximately 300,000 users per hour, leading to about 27,000 infections per hour. The countries with the most affected users were Romania, Britain, and France.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT wrote in the January 3 blog post.

Source

Mozilla Delays Touch Browser

Mozilla has again delayed the release date for a touch-enabled version of Firefox that will run in Windows 8′s “Modern” user interface (UI), with the new target in mid-March.

Ship estimates for the browser have been fluid, to put it mildly. In August, the open-source developer pegged December 2013 as the target for the “Metro-ized” version of Firefox. In September, Mozilla said it was hoping to bundle Firefox Metro with the Windows edition of Firefox 27, slated for release on Feb. 4.

Metro was the name Microsoft once applied to the radical UI of Windows 8, but the company ditched the moniker in 2012 over a trademark dispute with a German retailer.

The newest information from Mozilla, however, has tapped March 18, when Firefox 28 is to ship, as the projected release of the browser.

Although a preview of Firefox Metro was bundled with the Aurora build of Firefox more than three months ago — and is currently in Aurora for Firefox 28 — it has not yet been promoted to the next channel, Beta, which is the precursor to Release. Mozilla has set a Jan. 31 deadline for deciding whether the touch browser is ready to add to Firefox 28 Beta.

Mozilla started work on a Metro edition of Firefox in March 2012. It shipped a rough preview in October 2012, several weeks before Microsoft launched Windows 8. At that time, Mozilla’s schedule said the Firefox app might appear as early as January 2013. In May 2013, however, the company said its developers would complete Firefox for Modern between Oct. 2, 2013, and March 20, 2014, with mid-November the likeliest date.

If Mozilla makes the targeted March 18 release, it will have spent two years crafting the browser, which will have shipped 17 months after the retail debut of Windows 8.

Although Mozilla has said it’s important that it have a Metro-ready browser to remain competitive — and Windows 8′s and Windows 8.1′s user share has climbed above the 10% mark– it’s unclear what percentage of those PC and tablet owners spend serious time in the UI, as opposed to the traditional Windows desktop.

Mozilla is also discussing a name for the browser, which was code named “Firefox Metro” during development and later was saddled with the label “Windows 8-style Firefox.”

One suggestion, forwarded by a Mozilla user experience designer, has been “Firefox Touch,” which got nods of approval from others in a Mozilla planning message forum.

“‘Windows 8-style Firefox’ is too long and already doesn’t make perfect sense with Windows 8.1 released, but will make less sense when Windows 9 comes out,” noted Brian Bondy, a Firefox platform engineer who has led the work on the Metro version. “I like Firefox Touch and I think we should go with that. It’s a product designed above all else for touch.”

Some, however, objected to labeling the browser as “Firefox Touch,” pointing out that that would downplay the Android browser Mozilla maintains, which is also touch-enabled.

“I agree with Jim that it should be simply Firefox, and that differentiation happens at the point of download,” countered Peter Scanlon, Mozilla’s acting chief marketing officer, in another message to the same discussion forum.

Source

NSA Developing System To Crack Encryption

The U.S. National Security Agency is working to develop a computer that could ultimately break most encryption programs, whether they are used to protect other nations’ spying programs or consumers’ bank accounts, according to a report by the Washington Post.

The report, which the newspaper said was based on documents leaked by former NSA contractor Edward Snowden, comes amid continuing controversy over the spy agency’s program to collect the phone records Internet communications of private citizens.

In its report, The Washington Post said that the NSA is trying to develop a so-called “quantum computer” that could be used to break encryption codes used to cloak sensitive information.

Such a computer, which would be able to perform several calculations at once instead of in a single stream, could take years to develop, the newspaper said. In addition to being able to break through the cloaks meant to protect private data, such a computer would have implications for such fields as medicine, the newspaper reported.

The research is part of a $79.7 million research program called “Penetrating Hard Targets,” the newspaper said. Other, non-governmental researchers are also trying to develop quantum computers, and it is not clear whether the NSA program lags the private efforts or is ahead of them.

Snowden, living in Russia with temporary asylum, last year leaked documents he collected while working for the NSA. The United States has charged him with espionage, and more charges could follow.

His disclosures have sparked a debate over how much leeway to give the U.S. government in gathering information to protect Americans from terrorism, and have prompted numerous lawsuits.

Last week, a federal judge ruled that the NSA’s collection of phone call records is lawful, while another judge earlier in December questioned the program’s constitutionality. The issue is now more likely to move before the U.S. Supreme Court.

On Thursday, the editorial board of the New York Times said that the U.S. government should grant Snowden clemency or a plea bargain, given the public value of revelations over the National Security Agency’s vast spying programs.

Source

NSA Spies With Tracking Cookies

The browser cookies that online businesses use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.

The agency’s use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, theWashington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.

Google’s PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.

PREF cookies don’t store any user identifying information such as user name or email address. But they contain information on a user’s general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual’s browser.

The Google cookie, and those used by other online companies, can be used by the NSA to track a target user’s browsing habits and to enable remote exploitation of their computers, the Post said.

Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target’s computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.

It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).

Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.

However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed “Happyfoot,” allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.

An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.

An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency’s commitment to fulfill its mission of protecting the country against those seeking to do it harm.

“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies,” the spokeswoman said.

The Post’s latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.

Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.

Source

IBM To Become Cloud Broker

IBM is in the throes of developing software that will allow organizations to use multiple cloud storage services interchangeably, reducing dependence on any single cloud vendor and ensuring that data remains available even during service outages.

Although the software, called InterCloud Storage (ICStore), is still in development, IBM is inviting its customers to test it. Over time, the company will fold the software into its enterprise storage portfolio, where it can back up data to the cloud. The current test iteration requires an IBM Storewize storage system to operate.

ICStore was developed in response to customer inquiries, said Thomas Weigold, who leads the IBM storage systems research team in IBM’s Zurich, Switzerland, research facility, where the software was created. Customers are interested in cloud storage services but are worried about trusting data with third party providers, both in terms of security and the reliability of the service, he said.

The software provides a single interface that administrators can use to spread data across multiple cloud vendors. Administrators can specify which cloud providers to use through a point-and-click interface. Both file and block storage is supported, though not object storage. The software contains mechanisms for encrypting data so that it remains secure as it crosses the network and resides on the external storage services.

A number of software vendors offer similar cloud storage broker capabilities, all in various stages of completion, notably Red Hat’s DeltaCloud and Hewlett Packard’s Public Cloud.

ICStore is more “flexible,” than other approaches, said Alessandro Sorniotti, an IBM security and cloud system researcher who also worked on the project. “We give customers the ability to select what goes where, depending on the sensitivity and relevance of data,” he said. Customers can store one copy of their data on one provider and a backup copy on another provider.

ICStore supports a number of cloud storage providers, including IBM’s SoftLayer, Amazon S3 (Simple Storage Service), Rackspace, Microsoft Windows Azure and private instances of the OpenStack Swift storage service. More storage providers will be added as the software goes into production mode.

“Say, you are using SoftLayer and Amazon, and if Amazon suffers an outage, then the backup cloud provider kicks in and allows you to retrieve data,” from SoftLayer, Sorniotti said.

ICStore will also allow multiple copies of the software to work together within an enterprise, using a set of IBM patent-pending algorithms developed for data sharing. This ensures that the organization will not run into any upper limits on how much data can be stored.

IBM has about 1,400 patents that relate to cloud computing, according to the company.

Source

HP Retakes Server Lead

Hewlett-Packard reclaimed its server crown from IBM last quarter as the overall market contracted and Taiwanese vendors made big gains selling directly to Internet giants like Google and Facebook, according to an IDC report.

HP expanded its share of the market only modestly from a year earlier but IBM’s portion declined 4.5 points despite solid mainframe sales, to leave HP in the top spot. HP finished the third quarter with 28.1% of worldwide server revenue to IBM’s 23.4%, IDC said.

But the strongest growth was for the “ODM direct” segment which IDC broke out for the first time this quarter. It stands for original design manufacturers, which are Taiwanese firms like Quanta Computer, Wistron Group, Inventec and Compal, which sell partial and fully-built servers to the big cloud providers.

It’s a growing segment and one that threatens the incumbents. ODM’s accounted for 6.5% of server revenue last quarter, up 45.2% from a year earlier, IDC said. If the ODM category were a single vendor, it would be the third largest ahead of Dell.

Almost 80% of the ODM’s server revenue came from the U.S., primarily from sales to Google, Amazon, Facebook and Rackspace.

Overall, the server market declined 3.7% from a year earlier to $12.1 billion. It was the third consecutive quarter of declining revenue but IDC predicts improvement with a refresh cycle early next year. In terms of units shipped, volumes were about flat year over year, meaning average selling prices dropped.

Volume systems — mostly x86 servers — picked up slightly from last year, with 3.5% revenue growth. But sales of midrange and high-end systems dropped 17.8% and 22.5%, respectively, IDC said.

IBM fared worst of the top 5 vendors, with revenue down 19.4% due to “soft demand for System x and Power Systems,” IDC said. Dell retained third place with 16.2% of revenue, about flat from last year, while Cisco Systems and Oracle tied for fourth.

Cisco saw the most growth of the top vendors, with a nearly 43% revenue jump, IDC said.

Source

App Stores For Supercomputers Enroute

A major problem facing supercomputing is that the firms that could benefit most from the technology, aren’t using it. It is a dilemma.

Supercomputer-based visualization and simulation tools could allow a company to create, test and prototype products in virtual environments. Couple this virtualization capability with a 3-D printer, and a company would revolutionize its manufacturing.

But licensing fees for the software needed to simulate wind tunnels, ovens, welds and other processes are expensive, and the tools require large multicore systems and skilled engineers to use them.

One possible solution: taking an HPC process and converting it into an app.

This is how it might work: A manufacturer designing a part to reduce drag on an 18-wheel truck could upload a CAD file, plug in some parameters, hit start and let it use 128 cores of the Ohio Supercomputer Center’s (OSC) 8,500 core system. The cost would likely be anywhere from $200 to $500 for a 6,000 CPU hour run, or about 48 hours, to simulate the process and package the results up in a report.

Testing that 18-wheeler in a physical wind tunnel could cost as much $100,000.

Alan Chalker, the director of the OSC’s AweSim program, uses that example to explain what his organization is trying to do. The new group has some $6.5 million from government and private groups, including consumer products giant Procter & Gamble, to find ways to bring HPC to manufacturers via an app store.

The app store is slated to open at the end of the first quarter of next year, with one app and several tools that have been ported for the Web. The plan is to eventually spin-off AweSim into a private firm, and populate the app store with thousands of apps.

Tom Lange, director of modeling and simulation in P&G’s corporate R&D group, said he hopes that AweSim’s tools will be used for the company’s supply chain.

The software industry model is based on selling licenses, which for an HPC application can cost $50,000 a year, said Lange. That price is well out of the reach of small manufacturers interested in fixing just one problem. “What they really want is an app,” he said.

Lange said P&G has worked with supply chain partners on HPC issues, but it can be difficult because of the complexities of the relationship.

“The small supplier doesn’t want to be beholden to P&G,” said Lange. “They have an independent business and they want to be independent and they should be.”

That’s one of the reasons he likes AweSim.

AweSim will use some open source HPC tools in its apps, and are also working on agreements with major HPC software vendors to make parts of their tools available through an app.

Chalker said software vendors are interested in working with AweSim because it’s a way to get to a market that’s inaccessible today. The vendors could get some licensing fees for an app and a potential customer for larger, more expensive apps in the future.

AweSim is an outgrowth of the Blue Collar Computing initiative that started at OSC in the mid-2000s with goals similar to AweSim’s. But that program required that users purchase a lot of costly consulting work. The app store’s approach is to minimize cost, and the need for consulting help, as much as possible.

Chalker has a half dozen apps already built, including one used in the truck example. The OSC is building a software development kit to make it possible for others to build them as well. One goal is to eventually enable other supercomputing centers to provide compute capacity for the apps.

AweSim will charge users a fixed rate for CPUs, covering just the costs, and will provide consulting expertise where it is needed. Consulting fees may raise the bill for users, but Chalker said it usually wouldn’t be more than a few thousand dollars, a lot less than hiring a full-time computer scientist.

The AweSim team expects that many app users, a mechanical engineer for instance, will know enough to work with an app without the help of a computational fluid dynamics expert.

Lange says that manufacturers understand that producing domestically rather than overseas requires making products better, being innovative and not wasting resources. “You have to be committed to innovate what you make, and you have to commit to innovating how you make it,” said Lange, who sees HPC as a path to get there.

Source

3D Printer Goes Retail

MakerBot, a 3D printer maker which opened two new retail stores last week, is among the companies trying to bring the cutting-edge digital manufacturing technology to Main Street consumers, but skeptics say the debut may be premature.

MakerBot, a unit of Stratasys Ltd, opened retail stores this week in Boston and in Greenwich, Connecticut, both of which are twice the size of MakerBot’s first store, 1,500 square feet in downtown Manhattan.

The company offers designs for more than 100,000 items through its “Thingiverse” online user community. The products range from knick-knacks like zombie sculptures to jewelry, sink drains and even medical devices. They are printed using its line of corn-based plastic fibers in more than a dozen colors.

“For most people 3D printing is futuristic science fiction. We’re here to make it real,” said CEO Bre Pettis, who cut the ribbon at the store on Boston’s fashionable Newbury Street using scissors made on one of MakerBot’s Replicator printers which start at $2,199.

Pettis, who has purchased splashy magazine ads to promote 3D printers as holiday gifts, believes there could soon be a 3D printer on every block in America.

Yet some technology experts say 3D printers may not be ready for prime time because they are still much less user friendly than most modern consumer electronics.

“There is so much hype,” said Pete Basiliere, an analyst at technology research firm Gartner. “People are getting a little bit misled as to how easy it is,” he said.

Some investors also are skeptical of 3D printing’s readiness for the market. Short-seller Citron this week published an article questioning the earnings of Germany’s voxeljet AG’s, and shares in the sector fell, including those of MakerBot parent Stratasys and rivals 3D Systems Corp and ExOne Co.

Source

Twitter Tightens Security

Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.

The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”

“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”

Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.

Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.

Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.

The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.

“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”

Source

Adobe Data Found Online

A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.

LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.

Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.

The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.

While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records include some 25 million records containing invalid email addresses, 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.

She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.

The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.

Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.

He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.

“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”

Source

« Previous Page — Next Page »