Yahoo Wins Major Lawsuit
December 17, 2011 by admin
Filed under Around The Net
Yahoo has achieved a big victory against spammers, a legal victory that also includes a default judgment of $610 million.
In the lawsuit, filed in May 2008, Yahoo targeted a variety of individuals and companies, accusing them of trying to defraud people via a spam campaign that falsely informed email recipients that they had won prizes in a non-existent Yahoo-sponsored lottery.
Yahoo alleged that the defendants’ goal was to trick email recipients into providing them with personal and financial information that could be used to commit fraud by raiding victims’ bank accounts, using their credit cards and applying for loans on their behalf.
Judge Laura Taylor Swain from the U.S. District Court for the Southern District of New York ruled that Yahoo’s allegations are “uncontroverted” and said the company is entitled to $27 million in statutory damages for trademark infringement and $583 million in statutory damages for violation of the CAN-SPAM Act.
It’s not clear whether Yahoo will be able to collect the money. A default judgment is rendered when defendants in a case fail to plead or defend an action, as happened in this case, in which the defendants never responded to Yahoo’s complaint.
Yahoo Messenger Flaw Exposed
December 10, 2011 by admin
An unpatched Yahoo Messenger vulnerability that allows hackers to change people’s status messages and possibly perform other unauthorized functions can be exploited to spam malicious links to a large number of users.
The flaw was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer’s report about unusual Yahoo Messenger behavior.
The flaw appears to be located in the application’s file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
“An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the attacker,” said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender.
“Status changing appears to be only one of the things the attacker can abuse. We’re currently investigating what other things they may achieve,” he added.
Victims are unlikely to realize that their status messages have changed, and if they use version 11.5 of Yahoo Messenger, which supports tabbed conversations, they might not even spot the rogue requests, Botezatu said.
This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages.
Apple Has A Hole In Mac OS X
Apple has failed to fix a bug in its Mac OS X operating system that allows processes to bypass the sandbox protection in place.
The flaw was discovered by Anibal Sacco and Matias Eissler from Core Security Technologies. They let Apple know about the problem on 20 September, and while Apple acknowledged their submission, it said that it did not see any security threat, forcing the Core Security Technologies team to publish the report to the public this month.
The problem appears to be with the use of Apple events in several default profiles, including the no-network and no-internet ones. When Apple events are dispatched, a process can escape the sandbox, which could be exploited by hackers.
The vulnerability could lead to a compromised application restricted by the use of the no-network profile gaining access to network resources through the use of Apple events to execute other applications that are not restricted by the sandbox, making it a significant security threat.
Only the more recent versions of Mac OS X are vulnerable to this bug, including 10.5.x, 10.6.x, and 10.7.x. Those using 10.4.x are safe from the exploit.
DoJ Charges Clickjacking Perpetrators
The U.S. Department of Justice is charging seven individuals with 27 counts of wire fraud and other computer-related crimes, accusing the group of hijacking 4 million computers across 100 countries in a sophisticated clickjacking scam.
According to the indictment, the defendants had set up a fake Internet advertising agency, entering into agreements with online ad providers that would pay the group whenever its ads were clicked on by users. The group’s malware, which it had planted on millions of user computers, would redirect the computers’ browsers to its advertisements, thereby generating illicit revenue.
The malware worked by capturing and altering the results of a user’s search engine query. A user would search for a popular site, such as ones for Netflix, the Wall Street Journal, Amazon, Apple iTunes and the U.S. Internal Revenue Service. Whenever the user would click on the provided link, however, the browser would be redirected to another website, one that the group was paid to generate traffic for.
The malware the group used also blocked antivirus software updates, which left users vulnerable to other attacks as well, according to the DOJ.
White House Threatens Net Veto
The executive office of U.S. President Barack Obama stated Tuesday that the White House strongly opposes passage in the Senate of a resolution that could impact the equal availability of the Internet to all classes of users.
The resolution introduced in the Senate disapproves a rule submitted by the Federal Communications Commission in December on the net neutrality issue, and states that it should have “no force or effect”.
If the President is presented with the resolution, S.J. Res. 6, which would not safeguard the free and open Internet, his senior advisers would recommend that he veto it, the administration said.
The FCC Report and Order adopted the rule that fixed broadband providers “may not unreasonably discriminate in transmitting lawful network traffic”. A “no blocking” rule states that fixed broadband providers may not block lawful content, applications, services, or non-harmful devices. Mobile broadband providers are also prohibited from blocking lawful websites or applications that compete with their voice or video telephony services.
The U.S. House of Representatives already passed a Republican-backed resolution in April disapproving the FCC rules and asking for their rollback.
Hackers Plan To Go After Fox
Anonymous plans to take out the Fox news network because of its coverage of the Wall Street Protests.
Dubbed “Operation Fox Hunt”, Anonymous announced the plans on YouTube to attack the Fox News website on the anniversary of Guy Fawkes Day. Anonymous is also planning to target former Fox News personality Glenn Beck as well as current Fox News representatives Sean Hannity and Bill O’Reilly during “Operation Fox Hunt”.
Anonymous said that it has had a gutsful of “right wing conservative propaganda” and “belittling the occupiers” of the Occupy Wall Street demonstrations. Anonymous recently carried out a distributed denial-of-service attack against the Oakland police department’s website after a 24-year-old wounded Marine home from serving two tours in Iraq was critically injured in the Occupy Oakland protest. Police allegedly threw an object that fractured the Marine’s skull, landing him in the hospital.
Google Search To Add Default Encryption
October 25, 2011 by admin
Over the next few weeks, Google is implementing default SSL encryption on searches for users signed in with their accounts, the company said Tuesday.
The move comes over a year after Google made SSL the default setting for Gmail, and also unveiled an encrypted search service.
“As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver,” Google’s product manager, Evelyn Kao said in a blog post on Tuesday.
The encryption is expected to be particularly useful for people using an unsecured Internet connection, such as a Wi-Fi hotspot in an Internet cafe, Kao added.
With Google search over SSL, users get an end-to-end encrypted search channel between their computer and Google. The secured channel helps protect search terms and search results pages from being intercepted by a third party, Google said in a description of SSL search.
Over the next few weeks, users will be redirected to a secure search site when they are signed in with their Google Account. The change encrypts search queries and Google’s results page.
Users can also navigate directly to the secure search site if they are signed out or don’t have a Google Account.
Websites ‘Leaking’ User Info To Other Firms
October 19, 2011 by admin
Many top websites share their visitors’ names, usernames or other personal information with their partners without alerting users and, in some cases, without knowing they’re doing it, according to a new study from Stanford University.
Many websites “leak” usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School’s Center for Internet and Society. While there’s a debate in legal circles whether usernames are personal information, there’s a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.
“The vast majority of usernames are unique,” he said. “Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person’s real name, possibly a photo, possibly more.”
Other websites share first names, email addresses and other information with advertising or other partners, Mayer said at a privacy conference in Washington. Those identifiers “get associated not just with what you’re doing right now, but get associated with what you’ve done in the past, and what Web browsing activity you may have in the future,” he said.
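The leak described above, as an added example that is not part of the study or the original post: it computes the Referer header a browser would attach to each embedded third-party request under a given Referrer-Policy and reports which hosts would receive the username. The page URL, hosts, username and the function names `refererFor` and `auditLeaks` are constructed for illustration.

```javascript
// Constructed sample data: the hosts and the username "jdoe" are made up.
const PAGE_URL = "https://social.example.test/profile/jdoe?tab=photos";
const EMBEDDED_REQUESTS = [
  "https://ads.adnet.example.net/pixel.gif",   // third-party ad network
  "https://social.example.test/static/app.js", // same origin, not a third party
  "http://tracker.example.org/collect",        // third party over plain HTTP
];

// Referer value a browser would send under a given Referrer-Policy.
// Simplification: "downgrade" is treated as https page -> non-https request.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  const full = page.origin + page.pathname + page.search; // fragment never sent
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hosts of third-party requests whose Referer would contain the identifier.
function auditLeaks(pageUrl, requests, identifier, policy) {
  const pageOrigin = new URL(pageUrl).origin;
  const needle = identifier.toLowerCase();
  const leaks = [];
  for (const r of requests) {
    const req = new URL(r);
    if (req.origin === pageOrigin) continue; // first-party request
    const referer = refererFor(pageUrl, r, policy);
    if (referer && referer.toLowerCase().includes(needle)) leaks.push(req.host);
  }
  return leaks;
}

for (const p of ["unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(p, "->", auditLeaks(PAGE_URL, EMBEDDED_REQUESTS, "jdoe", p));
}
```

A site can close this leak by keeping identifiers out of URLs or by sending a `Referrer-Policy` header such as `strict-origin-when-cross-origin`, which reduces the cross-origin Referer to the bare origin.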
Google Acquires Zagat
Google has purchased the prestigious restaurant ratings publisher Zagat to boost its online maps and local business listings with trustworthy reviews and recommendations, which Web surfers increasingly seek and value.
“Zagat will be a cornerstone of our local offering — delighting people with their impressive array of reviews, ratings and insights, while enabling people everywhere to find extraordinary (and ordinary) experiences around the corner and around the world,” wrote Marissa Mayer, Google’s vice president of local, maps and location services, in a blog post.
Google acquired Zagat, which was founded in 1979, because of its brand, reputation and quality of its surveys and reviews, which it publishes in print guides and online. Terms of the deal were not disclosed.
Best known for its restaurant ratings, Zagat also surveys consumers about the quality of hotels, nightclubs and other leisure-themed businesses.
Apple Blasted For Not Blocking Stolen Certificates
A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.
“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.
Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.
Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.
Users of Safari on Mac OS X, however, remain at risk to possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.
Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.